Top Related Projects
A curated list of tools for incident response
11,715
Defund the Police.
A collection of android security related resources
Quick Overview
Awesome-forensics is a curated list of digital forensics tools and resources. It serves as a comprehensive collection of open-source and commercial tools, frameworks, and educational materials for digital forensic investigators, security professionals, and enthusiasts. The repository aims to be a one-stop reference for anyone involved in or interested in digital forensics.
Pros
- Extensive collection of tools and resources covering various aspects of digital forensics
- Regularly updated with new tools and information
- Well-organized into categories, making it easy to find specific resources
- Includes both open-source and commercial tools, providing options for different needs and budgets
Cons
- May be overwhelming for beginners due to the large number of resources
- Some listed tools or resources may become outdated or discontinued over time
- Lacks detailed descriptions or comparisons of the listed tools
- Does not provide hands-on tutorials or guides for using the tools
Note: As this is not a code library, the code example and quick start sections have been omitted as per the instructions.
Competitor Comparisons
A curated list of tools for incident response
Pros of awesome-incident-response
- More focused on incident response tools and resources
- Includes sections on playbooks and standards
- Regularly updated with recent contributions
Cons of awesome-incident-response
- Less comprehensive in forensics-specific tools
- Fewer academic and research resources
- Limited coverage of mobile forensics
Code comparison
Not applicable for these repositories as they are curated lists of resources without significant code content.
Summary
awesome-forensics and awesome-incident-response are both valuable resources for security professionals. awesome-forensics offers a broader range of forensic tools and academic resources, while awesome-incident-response is more tailored to incident response processes and playbooks.
awesome-forensics excels in providing a comprehensive list of forensic tools across various domains, including mobile and network forensics. It also includes more academic and research-oriented resources.
awesome-incident-response, on the other hand, focuses more on practical incident response tools, playbooks, and standards. It is regularly updated and provides a good starting point for professionals specifically interested in incident response processes.
Both repositories serve as excellent curated lists for their respective domains, and security professionals may find value in referencing both depending on their specific needs and areas of focus.
11,715
Defund the Police.
Pros of awesome-malware-analysis
- More comprehensive coverage of malware analysis tools and resources
- Better organization with clear categorization of tools and techniques
- Regularly updated with new contributions and resources
Cons of awesome-malware-analysis
- Less focus on general digital forensics techniques
- May be overwhelming for beginners due to the extensive list of resources
- Some links may be outdated or no longer maintained
Code comparison
While both repositories are primarily curated lists of resources, they don't contain significant code samples. However, here's an example of how they structure their markdown files:
awesome-malware-analysis:
## Online Scanners and Sandboxes
* [VirusTotal](https://www.virustotal.com/) - Free online analysis of malware samples and URLs
* [Jotti](https://virusscan.jotti.org/en) - Free online multi-engine malware scanner
awesome-forensics:
### Disk image creation tools
* [dc3dd](https://sourceforge.net/projects/dc3dd/) - Improved version of dd
* [dcfldd](http://dcfldd.sourceforge.net/) - Improved version of dd (old)
Both repositories use similar markdown structures, but awesome-malware-analysis tends to have more detailed descriptions for each resource.
A collection of android security related resources
Pros of android-security-awesome
- Focused specifically on Android security, providing a more in-depth resource for this platform
- Includes a wider range of categories, such as books, courses, and podcasts
- Regularly updated with new tools and resources
Cons of android-security-awesome
- Limited to Android platform, lacking coverage of other forensic areas
- May not include as many general-purpose forensic tools
- Less structured organization compared to awesome-forensics
Code comparison
While both repositories are primarily curated lists of resources, they don't contain significant code. However, here's a comparison of their README structures:
awesome-forensics:
# awesome-forensics
A curated list of awesome forensic analysis tools and resources.
- [Awesome Forensics](#awesome-forensics)
- [Collections](#collections)
- [Tools](#tools)
- [Learn Forensics](#learn-forensics)
android-security-awesome:
# android-security-awesome
A collection of android security related resources.
1. [Tools](#tools)
2. [Books](#books)
3. [Courses](#courses)
Both repositories use a similar structure for organizing their content, but android-security-awesome includes more diverse categories beyond just tools and learning resources.
Convert 
designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual CopilotREADME
Awesome Forensics 
Curated list of awesome free (mostly open source) forensic analysis tools and resources.
- Awesome Forensics
- Collections
- Tools
- Distributions
- Frameworks
- Live Forensics
- IOC Scanner
- Acquisition
- Imaging
- Carving
- Memory Forensics
- Network Forensics
- Windows Artifacts
- OS X Forensics
- Mobile Forensics
- Docker Forensics
- Internet Artifacts
- Timeline Analysis
- Disk image handling
- Decryption
- Management
- Picture Analysis
- Metadata Forensics
- Steganography
- Learn Forensics
- Resources
- Related Awesome Lists
- Contributing
Collections
- AboutDFIR â The Definitive Compendium Project - Collection of forensic resources for learning and research. Offers lists of certifications, books, blogs, challenges and more
- :star: ForensicArtifacts.com Artifact Repository - Machine-readable knowledge base of forensic artifacts
Tools
Distributions
- bitscout - LiveCD/LiveUSB for remote forensic acquisition and analysis
- Remnux - Distro for reverse-engineering and analyzing malicious software
- SANS Investigative Forensics Toolkit (sift) - Linux distribution for forensic analysis
- Tsurugi Linux - Linux distribution for forensic analysis
- WinFE - Windows Forensics enviroment
Frameworks
- :star:Autopsy - SleuthKit GUI
- dexter - Dexter is a forensics acquisition framework designed to be extensible and secure
- dff - Forensic framework
- Dissect - Dissect is a digital forensics & incident response framework and toolset that allows you to quickly access and analyse forensic artefacts from various disk and file formats, developed by Fox-IT (part of NCC Group).
- hashlookup-forensic-analyser - A tool to analyse files from a forensic acquisition to find known/unknown hashes from hashlookup API or using a local Bloom filter.
- IntelMQ - IntelMQ collects and processes security feeds
- Kuiper - Digital Investigation Platform
- Laika BOSS - Laika is an object scanner and intrusion detection system
- OpenRelik - Forensic platform to store file artifacts and run workflows
- PowerForensics - PowerForensics is a framework for live disk forensic analysis
- TAPIR - TAPIR (Trustable Artifacts Parser for Incident Response) is a multi-user, client/server, incident response framework
- :star: The Sleuth Kit - Tools for low level forensic analysis
- turbinia - Turbinia is an open-source framework for deploying, managing, and running forensic workloads on cloud platforms
- IPED - Indexador e Processador de Evidências Digitais - Brazilian Federal Police Tool for Forensic Investigations
- Wombat Forensics - Forensic GUI tool
Live Forensics
- grr - GRR Rapid Response: remote live forensics for incident response
- Linux Expl0rer - Easy-to-use live forensics toolbox for Linux endpoints written in Python & Flask
- mig - Distributed & real time digital forensics at the speed of the cloud
- osquery - SQL powered operating system analytics
- POFR - The Penguin OS Flight Recorder collects, stores and organizes for further analysis process execution, file access and network/socket endpoint data from the Linux Operating System.
- UAC - UAC (Unix-like Artifacts Collector) is a Live Response collection script for Incident Response that makes use of native binaries and tools to automate the collection of AIX, Android, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris systems artifacts.
IOC Scanner
- Fastfinder - Fast customisable cross-platform suspicious file finder. Supports md5/sha1/sha256 hashes, literal/wildcard strings, regular expressions and YARA rules
- Fenrir - Simple Bash IOC Scanner
- Loki - Simple IOC and Incident Response Scanner
- Redline - Free endpoint security tool from FireEye
- THOR Lite - Free IOC and YARA Scanner
- recon - Performance oriented file finder with support for SQL querying, index and analyze file metadata with support for YARA.
Acquisition
- Acquire - Acquire is a tool to quickly gather forensic artifacts from disk images or a live system into a lightweight container
- artifactcollector - A customizable agent to collect forensic artifacts on any Windows, macOS or Linux system
- ArtifactExtractor - Extract common Windows artifacts from source images and VSCs
- AVML - A portable volatile memory acquisition tool for Linux
- Belkasoft RAM Capturer - Volatile Memory Acquisition Tool
- DFIR ORC - Forensics artefact collection tool for systems running Microsoft Windows
- FastIR Collector - Collect artifacts on windows
- FireEye Memoryze - A free memory forensic software
- FIT - Forensic acquisition of web pages, emails, social media, etc.
- ForensicMiner - A PowerShell-based DFIR automation tool, for artifact and evidence collection on Windows machines.
- LiME - Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, formerly called DMD
- Magnet RAM Capture / DumpIt - A free imaging tool designed to capture the physical memory
- SPECTR3 - Acquire, triage and investigate remote evidence via portable iSCSI readonly access
- UFADE - Extract files from iOS devices on Linux and MacOS. Mostly a wrapper for pymobiledevice3. Creates iTunes-style backups and advanced logical backups.
- unix_collector - A live forensic collection script for UNIX-like systems as a single script.
- Velociraptor - Velociraptor is a tool for collecting host based state information using Velocidex Query Language (VQL) queries
- WinTriage - Wintriage is a live response tool that extracts Windows artifacts. It must be executed with local or domain administrator privileges and recommended to be done from an external drive.
Imaging
- dc3dd - Improved version of dd
- dcfldd - Different improved version of dd (this version has some bugs!, another version is on github adulau/dcfldd)
- FTK Imager - Free imageing tool for windows
- :star: Guymager - Open source version for disk imageing on linux systems
- 4n6pi - Forensic disk imager, designed to run on a Raspberry Pi, powered by libewf
Carving
- bstrings - Improved strings utility
- bulk_extractor - Extracts information such as email addresses, creditcard numbers and histrograms from disk images
- floss - Static analysis tool to automatically deobfuscate strings from malware binaries
- :star: photorec - File carving tool
- swap_digger - A bash script used to automate Linux swap analysis, automating swap extraction and searches for Linux user credentials, Web form credentials, Web form emails, etc.
Memory Forensics
- inVtero.net - High speed memory analysis framework developed in .NET supports all Windows x64, includes code integrity and write support
- KeeFarce - Extract KeePass passwords from memory
- MemProcFS - An easy and convenient way of accessing physical memory as files a virtual file system.
- Rekall - Memory Forensic Framework
- volatility - The memory forensic framework
- VolUtility - Web App for Volatility framework
Network Forensics
- Kismet - A passive wireless sniffer
- NetworkMiner - Network Forensic Analysis Tool
- Squey - Logs/PCAP visualization software designed to detect anomalies and weak signals in large amounts of data.
- :star: WireShark - A network protocol analyzer
Windows Artifacts
- Beagle - Transform data sources and logs into graphs
- Blauhaunt - A tool collection for filtering and visualizing logon events
- FRED - Cross-platform microsoft registry hive editor
- Hayabusa - A a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
- LastActivityView - LastActivityView by Nirsoftis a tool for Windows operating system that collects information from various sources on a running system, and displays a log of actions made by the user and events occurred on this computer.
- LogonTracer - Investigate malicious Windows logon by visualizing and analyzing Windows event log
- PyShadow - A library for Windows to read shadow copies, delete shadow copies, create symbolic links to shadow copies, and create shadow copies
- python-evt - Pure Python parser for classic Windows Event Log files (.evt)
- RegRipper3.0 - RegRipper is an open source Perl tool for parsing the Registry and presenting it for analysis
- RegRippy - A framework for reading and extracting useful forensics data from Windows registry hives
NTFS/MFT Processing
- MFT-Parsers - Comparison of MFT-Parsers
- MFTEcmd - MFT Parser by Eric Zimmerman
- MFTExtractor - MFT-Parser
- MFTMactime - MFT and USN parser that allows direct extraction in filesystem timeline format (mactime), dump all resident files in the MFT in their original folder structure and run yara rules over them all.
- NTFS journal parser
- NTFS USN Journal parser
- RecuperaBit - Reconstruct and recover NTFS data
- python-ntfs - NTFS analysis
OS X Forensics
- APFS Fuse - A read-only FUSE driver for the new Apple File System
- mac_apt (macOS Artifact Parsing Tool) - Extracts forensic artifacts from disk images or live machines
- MacLocationsScraper - Dump the contents of the location database files on iOS and macOS
- macMRUParser - Python script to parse the Most Recently Used (MRU) plist files on macOS into a more human friendly format
- OSXAuditor
- OSX Collect
Mobile Forensics
- Andriller - A software utility with a collection of forensic tools for smartphones
- ALEAPP - An Android Logs Events and Protobuf Parser
- ArtEx - Artifact Examiner for iOS Full File System extractions
- iLEAPP - An iOS Logs, Events, And Plists Parser
- iOS Frequent Locations Dumper - Dump the contents of the StateModel#.archive files located in /private/var/mobile/Library/Caches/com.apple.routined/
- MEAT - Perform different kinds of acquisitions on iOS devices
- MobSF - An automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
- OpenBackupExtractor - An app for extracting data from iPhone and iPad backups.
Docker Forensics
- dof (Docker Forensics Toolkit) - Extracts and interprets forensic artifacts from disk images of Docker Host systems
- Docker Explorer Extracts and interprets forensic artifacts from disk images of Docker Host systems
Internet Artifacts
- ChromeCacheView - A small utility that reads the cache folder of Google Chrome Web browser, and displays the list of all files currently stored in the cache
- chrome-url-dumper - Dump all local stored infromation collected by Chrome
- hindsight - Internet history forensics for Google Chrome/Chromium
- IE10Analyzer - This tool can parse normal records and recover deleted records in WebCacheV01.dat.
- unfurl - Extract and visualize data from URLs
- WinSearchDBAnalyzer - This tool can parse normal records and recover deleted records in Windows.edb.
Timeline Analysis
- DFTimewolf - Framework for orchestrating forensic collection, processing and data export using GRR and Rekall
- :star: plaso - Extract timestamps from various files and aggregate them
- Timeline Explorer - Timeline Analysis tool for CSV and Excel files. Built for SANS FOR508 students
- timeliner - A rewrite of mactime, a bodyfile reader
- timesketch - Collaborative forensic timeline analysis
Disk image handling
- Disk Arbitrator - A Mac OS X forensic utility designed to help the user ensure correct forensic procedures are followed during imaging of a disk device
- imagemounter - Command line utility and Python package to ease the (un)mounting of forensic disk images
- libewf - Libewf is a library and some tools to access the Expert Witness Compression Format (EWF, E01)
- PancakeViewer - Disk image viewer based in dfvfs, similar to the FTK Imager viewer
- xmount - Convert between different disk image formats
Decryption
- hashcat - Fast password cracker with GPU support
- John the Ripper - Password cracker
Management
- Catalyst - Catalyst is an open source security automation and ticket system
- dfirtrack - Digital Forensics and Incident Response Tracking application, track systems
- Incidents - Web application for organizing non-trivial security investigations. Built on the idea that incidents are trees of tickets, where some tickets are leads
- iris - Collaborative Incident Response platform
Picture Analysis
- Ghiro - A fully automated tool designed to run forensics analysis over a massive amount of images
- sherloq - An open-source digital photographic image forensic toolset
Metadata Forensics
- ExifTool by Phil Harvey
- FOCA - FOCA is a tool used mainly to find metadata and hidden information in the documents
Steganography
- Sonicvisualizer
- Steghide - is a steganography program that hides data in various kinds of image and audio files
- Wavsteg - is a steganography program that hides data in various kinds of image and audio files
- Zsteg - A steganographic coder for WAV files
Learn Forensics
- Forensic challenges - Mindmap of forensic challenges
- OpenLearn - Digital forensic course
CTFs and Challenges
- BelkaCTF - CTFs by Belkasoft
- CyberDefenders
- DefCon CTFs - archive of DEF CON CTF challenges.
- Forensics CTFs
- MagnetForensics CTF Challenge
- MalwareTech Challenges
- MemLabs
- NW3C Chanllenges
- Precision Widgets of North Dakota Intrusion
- ReverseEngineering Challenges
Resources
Web
Blogs
- Netresec
- SANS Forensics Blog
- SecurityAffairs - blog by Pierluigi Paganini
- This Week In 4n6 - Weekly updates for forensics
- Zena Forensics
Books
more at Recommended Readings by Andrew Case
- Network Forensics: Tracking Hackers through Cyberspace - Learn to recognize hackersâ tracks and uncover network-based evidence
- The Art of Memory Forensics - Detecting Malware and Threats in Windows, Linux, and Mac Memory
- The Practice of Network Security Monitoring - Understanding Incident Detection and Response
File System Corpora
- Digital Forensic Challenge Images - Two DFIR challenges with images
- Digital Forensics Tool Testing Images
- The CFReDS Project
Other
- /r/computerforensics/ - Subreddit for computer forensics
- ForensicPosters - Posters of file system structures
- SANS Posters - Free posters provided by SANS
Labs
- BlueTeam.Lab - Blue Team detection lab created with Terraform and Ansible in Azure.
Related Awesome Lists
- Android Security
- AppSec
- CTFs
- Hacking
- Honeypots
- Incident-Response
- Infosec
- Malware Analysis
- Pentesting
- Security
- Social Engineering
- YARA
Contributing
Pull requests and issues with suggestions are welcome!
Top Related Projects
A curated list of tools for incident response
11,715
Defund the Police.
A collection of android security related resources
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual Copilot