Loading...
capa is a free Digital Forensics and Incident Response tool. Security professionals most commonly compare it with . All 504 alternatives are matched by shared capabilities, tags, and NIST CSF 2.0 coverage.
A closer look at the 8 most relevant alternatives and competitors to capa, including their key features and shared capabilities.
CAPA is a static analysis tool that detects and reports capabilities in executable files across multiple formats, mapping findings to MITRE ATT&CK tactics and techniques.
Shares 5 capabilities with capa: Pe File, Threat Analysis, Elf, Shellcode +1 more
Cloud-based bare-metal malware analysis lab for SOC, CERT & CIRT teams.
Shares 3 capabilities with capa: Threat Analysis, Sandbox, Dynamic Analysis
Malware analysis platform for detecting and analyzing threats via sandbox
Plugin that decompiles malware PE files into readable C code using hybrid analysis.
Agentic AI tool for automated malware reverse engineering & phishing analysis.
AI-powered malware analysis & threat research platform with chat interface.
A static analysis tool for PE files that identifies potential malicious indicators through compiler detection, packing analysis, signature matching, and suspicious string identification.
A process scanning tool that detects and dumps malicious implants, shellcodes, hooks, and memory patches in running processes.
CAPA is a static analysis tool that detects and reports capabilities in executable files across multiple formats, mapping findings to MITRE ATT&CK tactics and techniques.
Cloud-based bare-metal malware analysis lab for SOC, CERT & CIRT teams.
Malware analysis platform for detecting and analyzing threats via sandbox
Plugin that decompiles malware PE files into readable C code using hybrid analysis.
Agentic AI tool for automated malware reverse engineering & phishing analysis.
AI-powered malware analysis & threat research platform with chat interface.
A static analysis tool for PE files that identifies potential malicious indicators through compiler detection, packing analysis, signature matching, and suspicious string identification.
A process scanning tool that detects and dumps malicious implants, shellcodes, hooks, and memory patches in running processes.
PLASMA is an interactive disassembler that generates readable assembly code with colored syntax for reverse engineering binary files across multiple architectures and formats.
A command-line tool for analyzing and extracting detailed information from Windows Portable Executable (PE) files.
Malware analysis platform for SOC teams with binary analysis and threat detection
Deep learning-based malware analysis & threat contextualization platform.
AI-driven autonomous security investigation agent by Legion Security.
Advanced threat prevention and detection platform leveraging Deep CDR, Multiscanning, and Sandbox technologies to protect against data breaches and ransom attacks.
MetaDefender Cloud offers advanced threat prevention using technologies like Multiscanning, Deep CDR, and Sandbox.
A .NET assembly debugger and editor that enables reverse engineering and dynamic analysis of compiled .NET applications without source code access.
A sandbox for quickly sandboxing known or unknown families of Android Malware
dynStruct is a tool for monitoring memory accesses of an ELF binary and recovering structures of the original code.
A Python wrapper for the Libemu library that enables shellcode analysis and malicious code examination through programmatic interfaces.
PINT is a PIN tool that enables Lua scripting for Intel's PIN dynamic instrumentation framework, allowing researchers to inject custom code during binary analysis processes.
A Python tool for in-depth PDF analysis and modification.
Drltrace is a dynamic API calls tracer for Windows and Linux applications.
Binkit is a binary analysis tool that merged with DarunGrim and incorporates its analysis algorithms, currently in internal testing before official release.
Holistic malware analysis platform with interactive sandbox, static analyzer, and emulation capabilities.
Collaborative case management platform for incident response and investigation
Digital incident response plan built on SANS 504-B framework
Digital forensics service for incident analysis and APT response
Malware scanning tool for DFIR using 40+ engines from ReversingLabs
Forensic imaging tool for disk acquisition, iOS collection, and encryption
Digital forensics suite for processing, analyzing & reporting computer/mobile data
Website malware removal service with WAF, monitoring, and cleanup support
Incident management platform for tracking and responding to security incidents
Remote access and IT support tool for workstation management and diagnostics
Incident response platform for alert management, collaboration, and remediation
Proactive service scanning systems for signs of past/ongoing breaches & malware
Investigation and case management system for cybersecurity incidents
Out-of-band incident response platform for cyber incident lifecycle management
Incident response platform for cyber crisis management and collaboration
Browser session recording & forensics for incident investigation & analysis
Network forensics platform with packet capture and analytics capabilities
AI-powered data breach response platform for identifying PI/PHI and notifications
Unified platform for incident detection, investigation, containment & remediation
Platform for cyber crisis readiness, response management, and recovery
Cyber crisis management platform for incident response and preparedness
DFIR platform for endpoint triage & investigation with EDR telemetry import
EDR investigation platform that ingests and analyzes endpoint data
Blockchain analytics platform for crypto compliance and investigations
SaaS platform for managing cybersecurity incident and data breach response
Automated digital forensics tool for real-time data activity monitoring and IR.
Managed DFIR service with proprietary tools for forensics & IR.
Cloud backend for SNOW platform: telemetry storage, ML anomaly detection & IR.
Managed service to detect active/recent threat actors in org networks.
Agentless ransomware detection and containment via behavioral analysis.
File integrity monitoring suite for breach detection, remediation & compliance.
AI-augmented platform for SOC investigations, threat hunting & IR.
Incident investigation tool for info risks, user activity, and file exposure.
Automated network packet recording and breach investigation tool for IR teams.
Distributed GPU-accelerated password recovery for 300+ file/encryption formats.
Mobile forensic bundle for physical, logical & OTA acquisition of iOS/Android/cloud.
Recovers/removes passwords and restrictions from encrypted PDF files.
Password recovery tool for MS Office, WordPerfect, Lotus & other office docs.
Decrypts EFS-protected files on NTFS volumes across Windows versions.
Password recovery tool for encrypted ZIP, 7Zip, and RAR archives.
Accredited forensic cell site geolocation analysis for criminal investigations.
Professional e-discovery service for ESI identification, collection & review.
Professional digital forensics service for legal & criminal investigations.
Email forensic tool for analyzing email headers, body, and attachments.
Windows-based email forensics tool for evidence recovery and analysis.
Email forensics tool for analyzing MIME header fields across 20+ formats.
Forensic email analysis tool for detecting spam, phishing, and email threats.
Decrypts S/MIME & OpenPGP emails from PST/OST/EDB for forensic analysis.
Email-focused digital forensics tool for evidence acquisition, analysis & reporting.
Professional digital forensics service covering breaches, fraud, and OSINT.
Inter-company CERT service offering DFIR & CTI for orgs of all sizes.
AI-powered data lake for structured/unstructured data discovery & analysis.
FIM and config change monitoring tool with baseline deviation detection.
Professional digital forensics services covering computers, mobile, and media.
OSINT-driven link analysis tool for mapping entity relationships visually.
OSINT tool for digital identity investigation across 600+ public sources.
AI-powered file analysis platform delivering malware verdicts in natural language.
OSINT tool for investigating cybercrime activity on Telegram.
Suite of data forensics, migration, backup, and cybersecurity tools/services.
Cybersecurity & digital forensics software for malware detection and DFIR.
AI-native DFIR platform cutting breach recovery time by 75% via automation.
AI platform for continuous detection rule validation, optimization & governance.
Automated DFIR platform for rapid incident investigation and endpoint triage
StegSolve is a steganography analysis tool with image analysis features.
A comprehensive incident response tool for Windows computers, providing advanced memory forensics and access to locked systems.
Intezer is a cloud-based malware analysis platform that detects and classifies malware using genetic code analysis.
An open source .NET deobfuscator and unpacker that restores packed and obfuscated assemblies by reversing various obfuscation techniques.
Binwalk is a firmware analysis tool that enables reverse engineering and extraction of embedded file systems and archives from firmware images.
ZAT is a Python package that processes and analyzes Zeek network security data using machine learning libraries like Pandas, scikit-learn, Kafka, and Spark.
A versatile steganography tool with various installation options and detailed usage instructions.
Incident Response Documentation tool for tracking findings and tasks.
Detects steganography-hidden data in PNG and BMP image files
Online tool that provides automated behavioral analysis of PCAP files
A utility package that monitors hard drive health through SMART technology to detect and prevent disk failures before data loss occurs.
A reverse engineering tool that extracts and organizes Samsung ODIN3 protocol messages from USB packet captures into human-readable files.
OCyara performs OCR on images and PDF files to extract text content and scan it against Yara rules for malware detection.
A software utility with forensic tools for smartphones, offering powerful data extraction and decoding capabilities.
A collection of structured incident response playbook battle cards providing prescriptive guidance and countermeasures for cybersecurity incident response operations.
A forensic toolkit for analyzing Android and iOS devices to detect potential spyware infections and security compromises using indicators of compromise.
A read-only FUSE driver that enables Linux systems to mount and access Apple File System (APFS) volumes, including encrypted and fusion drives.
A Windows context menu integration tool that scans files and folders for malware patterns, crypto signatures, and malicious documents using Yara rules and PEID signatures.
Steghide is a steganography program for hiding data in image and audio files.
A network forensics toolkit that transforms network traffic data into graph-based representations for interactive analysis and visualization through a web interface.
A forensic analysis tool that extracts and parses logs, notifications, and system information from iOS/iPadOS devices and backups.
An open-source incident response case management tool
Standalone DFIR data collector for Windows systems with adaptive collection
Fast disassembler producing reassemblable assembly code using Datalog
HexPrism is a fast, privacy-first hex editor built for CTFs and digital forensics.
A command-line tool for creating hex dumps, converting between binary and human-readable representations, and patching binary files.
A library and set of tools for accessing and analyzing storage media devices and partitions for forensic analysis and investigation.
VX-Underground is a vast online repository of malware samples, featuring various collections for cybersecurity professionals and researchers to analyze and combat cyber threats.
libevt is a library to access and parse Windows Event Log (EVT) files.
Stegextract is a Bash script that extracts hidden files and strings from images, supporting PNG, JPG, and GIF formats.
A digital artifact extraction framework for extracting data from volatile memory (RAM) samples, providing visibility into the runtime state of a system.
A community-driven public malware repository providing access to malware samples, tools, and resources for the cybersecurity community.
A library to access and parse Windows XML Event Log (EVTX) format, useful for digital forensics and incident response.
A PowerShell-based incident response and live forensic data acquisition tool for Windows hosts.
A library for read-only access to QEMU Copy-On-Write (QCOW) image files, supporting multiple versions and compression formats for digital forensics analysis.
In-depth threat intelligence reports and services providing insights into real-world intrusions, malware analysis, and threat briefs.
A static analysis framework for extracting key characteristics from various file formats
A free endpoint security tool for host investigative capabilities to find signs of malicious activity through memory and file analysis.
Unfurl is a URL analysis tool that extracts and visualizes data from URLs, breaking them down into components and presenting the information visually.
A library for accessing and parsing Microsoft Internet Explorer cache files (index.dat) to extract URLs, timestamps, and cached content for digital forensic analysis.
A library to access and manipulate RAW image files.
Falcon Sandbox is a malware analysis framework that provides in-depth static and dynamic analysis of files, offering hybrid analysis, behavior indicators, and integrations with various security tools.
A library for accessing and parsing Extensible Storage Engine (ESE) Database Files used by Microsoft applications like Windows Search, Exchange, and Active Directory for forensic analysis purposes.
Free software for extracting Microsoft cabinet files, supporting all features and formats of Microsoft cabinet files and Windows CE installation files.
A library for accessing and parsing Windows NT Registry File (REGF) format files, designed for digital forensics and registry analysis applications.
A digital forensics tool that provides read-only access to file-system objects from various storage media types and file formats.
A binary analysis and management framework for organizing and analyzing malware and exploit samples, and creating plugins.
A library to access the Windows New Technology File System (NTFS) format with read-only support for NTFS versions 3.0 and 3.1.
A free, fast, and flexible multi-platform IOC and YARA scanner for Windows, Linux, and macOS.
A tool that extracts and deobfuscates strings from malware binaries using advanced static analysis techniques.
A digital archive of the internet, allowing users to capture and browse archived web pages.
TestDisk is a free data recovery software that can recover lost partitions and undelete files from various file systems.
A library to access FileVault Drive Encryption (FVDE) encrypted volumes on Mac OS X systems.
An open source format for storing digital evidence and data, with a C/C++ library for creating, reading, and manipulating AFF4 images.
A library for accessing and parsing OLE 2 Compound File (OLECF) format files, including Microsoft Office documents and thumbs.db files.
A tool that collects and displays user activity and system events on a Windows system.
Request Tracker for Incident Response (RTIR) is a tool for incident response teams to manage incident reports, correlate data, and facilitate communication.
A library for working with Windows NT data types, providing access and manipulation functions.
Autopsy is a GUI-based digital forensics platform for analyzing hard drives and smart phones, with a plug-in architecture for custom modules.
A software that collects forensic artifacts on systems for forensic investigations.
A Bluetooth 5 and 4.x sniffer using TI CC1352/CC26x2 hardware with advanced features and Python-based host-side software.
A free, open-source file data recovery software that can recover lost files from hard disks, CD-ROMs, and digital camera memory.
A command-line tool that extracts detailed technical information, metadata, and checksums from JPEG image files with support for multiple output formats.
A cross-platform registry hive editor for forensic analysis with advanced features like hex viewer and reporting engine.
A library to access and parse Windows Shortcut File (LNK) format.
A Windows Registry hive extraction library that provides C API access for reading and writing registry binary files with XML export capabilities.
Highlighter is a FireEye Market app that integrates with FireEye products to provide enhanced cybersecurity capabilities.
A digital forensic tool for creating forensic images of computer hard drives and analyzing digital evidence.
A library and tools to access and manipulate VMware Virtual Disk (VMDK) files.
A library to access the Expert Witness Compression Format (EWF) for digital forensics and incident response.
A library and tools for accessing and analyzing Linux Logical Volume Manager (LVM) volume system format.
Comprehensive digital forensics and incident response platform for law enforcement, corporate, and academic institutions.
No More Ransom is a collaborative project to combat ransomware attacks by providing decryption tools and prevention advice.
Check if an IP address was used as a Tor relay on a given date.
A file search and query tool for ops and security experts.
A library and tools to access and analyze APFS file systems
Incident response and case management solution for efficient incident response and management.
A command-line utility for extracting human-readable text from binary files.
XMLStarlet offers a suite of command line utilities for manipulating and querying XML documents.
dc3dd is a patch to the GNU dd program, tailored for forensic acquisition with features like hashing and file verification.
Valkyrie is a sophisticated file verdict system that enhances malware detection through behavioral analysis and extensive file feature examination.
edb is a powerful debugger for Linux binaries, enhancing reverse engineering efforts with a user-friendly interface and extensible plugins.
Magnet ACQUIRE offers robust data extraction capabilities for digital forensics investigations, supporting a wide range of devices.
A tool to remove malicious artifacts from Microsoft Office documents, preventing malware infections and data breaches.
A comprehensive malware-analysis tool that utilizes external AV scanners to identify malicious elements in binary files.
A script for extracting network metadata and fingerprints such as JA3 and HASSH from packet capture files or live network traffic.
A program to manage yara ruleset in a database with support for different databases and configuration options.
LiME is a Linux Memory Extractor tool for acquiring volatile memory from Linux and Linux-based devices, including Android, with features like full memory captures and minimal process footprint.
Extract local data storage of an Android application in one click.
Automated collection tool for incident response triage in Windows systems.
A collaborative malware analysis framework with various features for automated analysis tasks.
Generate comprehensive reports about Windows systems with detailed system, security, networking, and USB information.
Scan files or process memory for Cobalt Strike beacons and parse their configuration.
yextend extends Yara's functionality by automatically handling archived and compressed content inflation, enabling pattern matching on files buried within multiple layers of archives.
QIRA is a competitor to strace and gdb with MIT license, supporting Ubuntu and Docker for wider compatibility.
Python 3 tool for parsing Yara rules with ongoing development.
A Python-based forensic tool for extracting and analyzing browser artifacts from Firefox, Iceweasel, and Seamonkey browsers on Unix and Windows systems.
An open source tool that generates YARA rules from installed software on running operating systems for efficient software identification in digital forensic investigations.
Normalize, index, enrich, and visualize network capture data using Potiron.
An extended traceroute tool for CSIRT operators with advanced features.
A tool for validating and repairing Yara rules
CrowdFMS is a CrowdStrike framework that automates malware sample collection from VirusTotal using YARA rule-based notifications and the Private API system.
RABCDAsm is a collection of utilities for ActionScript 3 assembly/disassembly and SWF file manipulation.
DFIR ORC Documentation provides detailed instructions for setting up the build environment and deploying the tool.
A digital investigation platform for parsing, searching, and visualizing evidences with advanced analytics capabilities.
A collection of YARA rules designed to identify files containing sensitive information such as usernames, passwords, and credit card numbers for penetration testing and forensic analysis.
A Docker-based steganography analysis toolkit containing pre-installed tools and automated scripts for detecting and extracting hidden data from files, primarily designed for CTF challenges.
wxHexEditor is a free cross-platform hex editor and disk editor for editing binary files, disk devices, and logical drives with data manipulation and checksum calculation features.
FSF is a modular, recursive file scanning solution that enables analysts to extend the utility of Yara signatures and define actionable intelligence within a file.
A command-line string extraction utility for digital forensics that supports ASCII and Unicode string extraction from files and directories with pattern matching and filtering capabilities.
Exiv2 is a C++ library and command-line utility for reading, writing, deleting, and modifying Exif, IPTC, XMP, and ICC metadata in image files.
iOSForensic is a Python tool for forensic analysis on iOS devices, extracting files, logs, SQLite3 databases, and .plist files into XML.
A community-sourced repository of digital forensic artifacts in YAML format.
Documentation project for Digital Forensics Artifact Repository
A Yara ruleset designed to detect PHP shells and other webserver malware for malware analysis and threat detection.
PowerForensics is a PowerShell digital forensics framework for hard drive forensic analysis.
Investigate malicious logons by visualizing and analyzing Windows Active Directory event logs with LogonTracer.
MalConfScan is a Volatility plugin for extracting configuration data of known malware and analyzing memory images.
Web interface for the Volatility Memory Forensics Framework
Dynamic binary analysis library with various analysis and emulation capabilities.
Orochi is a collaborative forensic memory dump analysis framework.
DMG2IMG converts Apple compressed DMG archives to standard HFS+ image files supporting zlib, bzip2, and LZFSE compression formats.
Yaraprocessor allows for scanning data streams in unique ways and dynamic scanning of payloads from network packet captures.
A tool for creating compact Linux memory dumps compatible with popular debugging tools.
Tool used for dumping memory from Android devices with root access requirement and forensic soundness considerations.
Ghidra is an NSA-developed software reverse engineering framework that provides disassembly, decompilation, and analysis tools for examining compiled code across multiple platforms and processor architectures.
Fnord is a pattern extraction tool that analyzes obfuscated code using sliding window techniques to identify frequent byte sequences and generate experimental YARA rules for malware analysis.
A deprecated digital forensics tool by Netflix that helped investigators scope compromises across AWS cloud instances by identifying behavioral differences and outliers during security incidents.
A Go library for manipulating YARA rulesets with the ability to programatically change metadata, rule names, and more.
Use FindYara, an IDA python plugin, to scan your binary with yara rules and quickly jump to matches.
A framework/scripting tool to standardize and simplify the process of scripting favorite Live Acquisition utilities for Incident Responders.
A Cross-Platform Forensic Framework for Google Chrome that allows investigation of history, downloads, bookmarks, cookies, and provides a full report.
A Forensic Framework for Skype with various investigative options.
Steganography brute-force utility with performance issues, deprecated in favor of stegseek.
Browse and analyze iPhone/iPad backups with detailed file properties and various viewers.
Python script to parse the NTFS USN Change Journal.
CimSweep is a suite of CIM/WMI-based tools for incident response and hunting operations on Windows systems without the need to deploy an agent.
A tool for signature analysis of RTF files to detect potentially unique parts and malicious documents.
A Hadoop library for reading and querying PCAP files
Tool for live forensics acquisition on Windows systems, collecting artefacts for early compromise detection.
A command-line tool for extracting data from iOS mobile device backups created by iTunes on macOS systems.
A script for extracting common Windows artifacts from source images and VSCs with detailed dependencies and usage instructions.
A network forensics tool for visualizing packet captures as network diagrams with detailed analysis.
Procmon for Linux is a reimagining of the classic Procmon tool from Windows, allowing Linux developers to trace syscall activity efficiently.
Sysmon for Linux is a tool that monitors and logs system activity with advanced filtering to identify malicious activity.
A collection of PowerShell modules for artifact gathering and reconnaissance of Windows-based endpoints.
UDcide is an Android malware analysis tool that detects and removes specific malicious behaviors from malware samples while preserving the binary for investigation purposes.
An extensible network forensic analysis framework with deep packet analysis and plugin support.
An OCaml Ctypes wrapper for the YARA matching engine that enables malware identification capabilities in OCaml applications.
A collection of YARA rules specifically designed for forensic investigations and malware analysis, providing pattern matching capabilities for files and memory dumps.
A tool for restoring defocused and blurred images with various deconvolution techniques and fast processing capabilities.
A semi-automatic tool to generate YARA rules from virus samples.
Windows Event Log Analyzer with logon timeline generator and noise reduction for fast forensics.
Windows event log fast forensics timeline generator and threat hunting tool.
OSXCollector is a forensic evidence collection & analysis toolkit for OSX.
A tool for parsing and extracting information from the Master File Table of NTFS file systems.
Tool for analyzing Windows Recycle Bin INFO2 file
A cybersecurity tool for collecting and analyzing forensic artifacts on live systems.
ALEAPP is a Python-based forensic tool for parsing Android logs, events, and protobuf data with both CLI and GUI interfaces.
A Mac OS X forensic utility for ensuring correct forensic procedures during disk imaging.
A tool for tracking, scanning, and filtering yara files with distributed scanning capabilities.
A portable forensic tool that detects encrypted containers like Truecrypt and Veracrypt by analyzing file headers, block cipher patterns, and entropy without external dependencies.
A modified version of GNU dd with added features like hashing and fast disk wiping.
BinaryAlert is an open-source serverless AWS pipeline that automatically scans files uploaded to S3 buckets with YARA rules and generates immediate alerts when malware is detected.
A .Net wrapper library for the native Yara library with interoperability and portability features.
RegRippy is a modern Python 3 alternative to RegRipper for extracting data from Windows registry hives.
Timeliner is a digital forensics tool that rewrites mactime with an advanced expression engine for complex timeline filtering using BPF syntax.
Steganographic Swiss army knife for encoding and decoding data into images.
A Python script for scanning data within an IDB using Yara
ShadowCopy Analyzer is a tool for cybersecurity researchers to analyze and utilize the ShadowCopy technology for file recovery and system restoration.
A disassembly framework with support for multiple hardware architectures and clean API.
Open Source computer forensics platform with modular design for easy automation and scripting.
Largest open collection of Android malware samples, with 298 samples and contributions welcome.
A framework for accumulating, describing, and classifying actionable Incident Response techniques
RetDec is an LLVM-based decompiler that converts machine code from various architectures and file formats back into readable C-like source code for reverse engineering and malware analysis.
Yaramod is a library for parsing YARA rules into AST and building new YARA rulesets with C++ programming interface.
Template-based incident response runbooks for AWS environments following NIST guidelines to help organizations handle common cloud security incidents.
AfterGlow Cloud is a Django-based web application that allows users to upload data and generate graph visualizations through a browser interface.
Custom built application for asynchronous forensic data presentation on an Elasticsearch backend, with upcoming features like Docker-based installation and new UI rewrite in React.
A GNU Emacs editor mode that provides syntax highlighting, indentation, and language server integration for editing YARA rule files.
A tool for processing compiled YARA rules in IDA.
Chaosreader is a tool for ripping files from network sniffing dumps and replaying various protocols and file transfers.
Zui is a desktop application for data exploration and analysis that provides drag-and-drop data ingestion, automatic format detection, and interactive querying capabilities for structured and semi-structured data.
CIRTKit is a DFIR console built on the Viper Framework that integrates various forensic tools and provides modules for packet analysis, memory analysis, and automated incident response workflows.
A System for Abuse- and Incident Handling with log file analysis capabilities.
FIR is a Python-based cybersecurity incident management platform designed for CSIRTs, CERTs, and SOCs to create, track, and report security incidents.
TestDisk checks disk partitions and recovers lost partitions, while PhotoRec specializes in recovering lost pictures from digital camera memory or hard disks.
CHIPSEC is a cross-platform framework for analyzing PC platform security, including hardware, BIOS/UEFI firmware, and low-level system components.
A robust and flexible hunt and incident response tool for investigating AzureAD, Azure, and M365 environments.
A new age tool for binary analysis that uses statistical visualizations to help find patterns in large amounts of binary data.
SwishDbgExt is a Microsoft WinDbg debugging extension that enhances debugging capabilities for kernel developers, troubleshooters, and security experts.
Powerful tool for searching and hunting through Windows forensic artefacts with support for Sigma detection rules and custom Chainsaw detection rules.
A modular incident response framework in Powershell that uses Powershell Remoting to collect data for incident response and breach hunts.
Scan files with Yara, match findings to VirusTotal comments.
High-performance remote packet capture and collection tool used for forensic analysis in cloud workloads.
COPS is a YAML-based schema standard for creating collaborative DFIR playbooks that provide structured guidance for incident response processes.
A web collaborative platform for incident responders to share technical details during investigations, shipped in Docker containers for easy installation and upgrades.
DFIRTrack is an open source web application focused on incident response for handling major incidents with many affected systems, tracking system status, tasks, and artifacts.
A set of scripts for collecting forensic data from Windows and Unix systems respecting the order of volatility.
A C library that enables cross-platform execution of functions from stripped binaries using file names, offsets, and function signatures.
Toolkit for post-mortem analysis of Docker runtime environments using forensic HDD copies.
A command-line tool that allows SQL queries to be executed directly on PCAP files for network traffic analysis with support for multiple output formats.
Netcap efficiently converts network packets into structured audit records for machine learning algorithms, using Protocol Buffers for encoding.
Accessing databases stored on a machine by the Chrome browser and dumping URLs found.
GrokEVT is a tool for reading Windows event log files and converting them to a human-readable format.
OCaml bindings to the YARA scanning engine for integrating YARA scanning capabilities into OCaml projects
A malware processing and analytics tool that utilizes Pig, Django, and Elasticsearch to analyze and visualize malware data.
A PHP based web application for managing postmortems with pluggable features.
FLARE-VM is a Windows virtual machine setup tool that automates the installation and configuration of reverse engineering and malware analysis software using Chocolatey and Boxstarter technologies.
StringSifter is a machine learning tool that automatically ranks strings extracted from malware samples based on their relevance for analysis.
A DFVFS backed viewer project with a WxPython GUI, aiming to enhance file extraction and viewing capabilities.
A tool to quickly gather forensic artifacts from disk images or a live system into a lightweight container, aiding in digital forensic triage.
Dissect is a digital forensics & incident response framework that simplifies the analysis of forensic artefacts from various disk and file formats.
A minimal library to generate YARA rules from JAVA with maven support.
POFR is a Linux forensic data collection system that captures process execution, file access, and network activity for incident response and compliance analysis.
A forensics toolkit for collecting digital evidence from Google Cloud Platform, Microsoft Azure, and Amazon Web Services during incident response investigations.
Docker Explorer is a forensic tool that enables investigators to explore and analyze offline Docker container filesystems by reconstructing layered filesystem structures.
Incident response framework focused on remote live forensics
Rekall is a discontinued project that aimed to improve memory analysis methodology but faced challenges due to the nature of in-memory structure and increasing security measures.
Stenographer is a high-performance full-packet-capture utility for intrusion detection and incident response purposes.
A collaborative forensic timeline analysis tool for organizing and analyzing data with rich annotations and comments.
Turbinia is an open-source framework for automating the running of common forensic processing tools to help with processing evidence in the Cloud.
VxSig is a Google-developed tool that automatically generates antivirus byte signatures from similar binaries for Yara and ClamAV detection engines.
YARA module for supporting DCSO format bloom filters with hashlookup capabilities.
Analyse a forensic target to find and report files found and not found in hashlookup CIRCL public service.
A Python 3 tool for analyzing XOR-encrypted data that can guess key lengths and decrypt XOR ciphers based on character frequency analysis.
Go bindings for YARA with installation and build instructions.
A tool for sorting YARA rules based on metadata.
A collection of Yara rules licensed under the DRL 1.1 License.
A collection of tools to debug and inspect Kubernetes resources and applications, managing eBPF programs execution and mapping kernel primitives to Kubernetes resources.
A discontinued disk imaging utility originally developed by Intel that used block map files for efficient disk image copying operations.
Easy-to-use live forensics toolbox for Linux endpoints with various capabilities such as process inspection, memory analysis, and YARA scanning.
AMExtractor is an Android memory acquisition tool that dumps physical device memory using /dev/kmem without requiring kernel source code.
A module for loading Bro logs as tables in Osquery
A tool for recovering files by scanning block devices and extracting them based on 'magic bytes' in file contents.
A tool for advanced HTTPD logfile security analysis and forensics, implementing various techniques to detect attacks against web applications.
Toolkit for performing acquisitions on iOS devices with logical and filesystem acquisition support.
Automatic YARA rule generator based on Koodous reports with limited false positives.
A Mac OS X computer forensics tool for analyzing system artifacts, user files, and logs with reputation verification and log aggregation capabilities.
A command-line tool that parses Google Protobuf encoded data without schema definitions and displays the content in a readable, colored format.
A library for checking potentially malicious files and archives using YARA and making a decision about their harmfulness.
Recreates the File/Directory tree structure from an extracted $MFT file with detailed record mapping and analysis capabilities.
A declarative language for describing binary data structures that compiles into parsers for multiple programming languages.
Python module for fast packet parsing with TCP/IP protocol definitions.
Python tool for remotely or locally dumping RAM of a Linux client for digital forensics analysis.
Create checkpoint snapshots of the state of running pods for later off-line analysis.
MFT and USN parser for direct extraction in filesystem timeline format with YARA rule support.
Web interface for the Volatility Memory Analysis framework with advanced features.
Automated tool for parsing Windows registry hives and extracting valuable information for forensic analysis.
A tool that reads IP packets from the network or a tcpdump save file and writes an ASCII summary of the packet data.
A suite of console tools for working with timestamps in Windows with 100-nanosecond precision.
Laika BOSS is a scalable object scanner and intrusion detection system that extracts child objects, applies security flags, and generates metadata from files for security analysis.
A framework for orchestrating forensic collection, processing, and data export.
A Python-based engine for automatic creation of timelines in digital forensic analysis
A tool for deep analysis of malicious files using ClamAV and YARA rules, with features like scoring suspect files, building visual tree graphs, and extracting specific patterns.
A package for hiding data inside jpeg files using steganography techniques.
A malware/botnet analysis framework with a focus on network analysis and process comparison.
A digital forensics tool that extracts and exports location database contents from iOS and macOS devices in KML or CSV formats.
Dump iOS Frequent Locations from StateModel#.archive files.
Python script to parse macOS MRU plist files into human-friendly format
A simple framework for extracting actionable data from Android malware
FLOSS is a static analysis tool that automatically extracts and deobfuscates hidden strings from malware binaries using advanced analysis techniques.
A digital forensics tool that extracts and analyzes Windows AppCompat and AmCache registry data for enterprise-scale forensic investigations.
A command-line tool that visually displays YARA rule matches, regex matches, and hex patterns in binary data with colored output and configurable context bytes.
A portable Rust-based tool for acquiring volatile memory from Linux systems without requiring prior knowledge of the target OS distribution or kernel.
A .NET wrapper for libyara that provides a simplified API for developing tools in C# and PowerShell.
A file analysis framework that automates the evaluation of files by running a suite of tools and aggregating the output.
VolatilityBot automates memory dump analysis by extracting executables, detecting code injections, and performing automated malware scanning using YARA and ClamAV.
IE10Analyzer can parse and recover records from WebCacheV01.dat, providing detailed information and conversion capabilities.
WinSearchDBAnalyzer can parse and recover records in Windows.edb, providing detailed insights into various data types.
Generate Yara rules from function basic blocks in x64dbg.
Hoarder is a tool to collect and parse windows artifacts.
A Python 2.x tool for memory analysis on Mac OS X systems with support for various OS versions and memory image export capabilities.
A decentralized network panic button that triggers emergency system shutdowns across networked machines via UDP broadcasts and HTTP to prevent cold boot attacks.
A multithreaded YARA scanner for incident response or malware zoos.
Porting GNU/Linux userland tools to the bionic/Linux userland of Android to provide access to the audit stream for Android applications with minimal overhead.
YARA plugin for Sublime Text with syntax highlighting and snippets.
Hindsight is a free tool for analyzing web artifacts from Google Chrome/Chromium browsers and presenting the data in a timeline for forensic analysis.
Network Forensic Analysis Tool for deep network traffic inspection and analysis.
CapTipper is a python tool to analyze, explore, and revive HTTP malicious traffic.
A shell script for basic forensic collection of various artefacts from UNIX systems.
CyLR is a Live Response Collection tool for quickly and securely collecting forensic artifacts from hosts with NTFS file systems.
Interactive incremental disassembler with data/control flow analysis capabilities.
A user-friendly and fast Forensic Analysis tool with features like tagging files and generating preview reports.
A utility for splitting packet traces along TCP connection boundaries.
An IDA Pro plugin that uses YARA rules to automatically detect cryptographic constants and patterns in binary files during reverse engineering analysis.
BARF is an open source binary analysis framework for supporting various binary code analysis tasks in information security.
A collection of Mac OS X and iOS forensics resources with a focus on artifact collection and collaboration.
A modern tool for Windows kernel exploration and observability with a focus on security.
A command-line utility and Python package for mounting and unmounting various disk image formats with support for different volume systems and filesystems.
ELAT (Event Log Analysis Tool) is a tool that helps in analyzing Windows event logs for malware detection.
Automatic analysis of malware behavior using machine learning.
A tool that enables Yara rule execution against compressed malware samples, supporting GZip, BZip2, and LZMA formats without manual decompression.
A native Python cross-version decompiler and fragment decompiler.
A free, open source collection of tools for forensic artifact and image analysis.
A tool that uses Plaso to parse forensic artifacts and disk images, creating custom reports for easier analysis.
A wrapper around jNetPcap for packet capturing with Clojure, available for Linux and Windows.
A Vim syntax-highlighting plugin for YARA rules that supports versions up to v4.3 and provides enhanced code readability for malware analysts.
A C-based steganographic tool that hides files within WAV audio files using least significant bit encoding techniques.
Recoverjpeg is a tool for recovering JPEG images from damaged storage media.
Container of 200 Windows EVTX samples for testing detection scripts and training on DFIR.
A container of PCAP captures mapped to the relevant attack tactic
A PowerShell-based DFIR automation tool that streamlines artifact and evidence collection from Windows machines for digital forensic investigations.
A multiplatform C++ library for capturing, parsing, and crafting network packets with support for various network protocols.
NotRuler is a tool for Exchange Admins to detect client-side Outlook rules and VBScript enabled forms, aiding in the detection of attacks created through Ruler.
An open source digital forensic tool for processing and analyzing digital evidence with high performance and multiplatform support.
A bash script for automating Linux swap analysis for post-exploitation or forensics purposes.
A high-performance digital forensics exploitation tool for extracting structured information from various inputs without parsing file system structures.
TCPFLOW is a tool for capturing data transmitted over TCP connections.
A command-line forensics tool for tracking and analyzing USB device artifacts and connection history on Linux systems.
A Golang application that stores and queries NIST NSRL Reference Data Set for MD5 and SHA1 hash lookups using Bolt database technology.
replayproxy allows you to 're-live' a HTTP session captured in a .pcap file, parsing HTTP streams, caching them, and starting a HTTP proxy to reply to requests with matching responses.
A simple, self-contained modular host-based IOC scanner for incident responders.
Passive SSL client fingerprinting tool using handshake analysis.
C# wrapper around Yara pattern matching library with Loki and Yara signature support.
A yara module for searching strings inside zip files
Android Loadable Kernel Modules for reversing and debugging on controlled systems/emulators.
A collection of Python scripts that automate tasks and extend IDA Pro disassembler functionality for reverse engineering workflows.
PowerGRR is a PowerShell API client library that automates GRR (Google Rapid Response) operations for digital forensics and incident response across multiple operating systems.
DECAF++ is a fast whole-system dynamic taint analysis framework with improved performance and elasticity.
Hide data in images while maintaining perceptual similarity and extract it from printed and photographed images.
Halogen automates the creation of YARA rules based on image files embedded in malicious documents to assist in threat detection and identification.
Strelka is a real-time, container-based file scanning system that performs file extraction and metadata collection at enterprise scale for threat hunting, detection, and incident response.
A Live Response collection script for Incident Response that automates the collection of artifacts from various Unix-like operating systems.
SIFT is a digital forensics toolkit that provides installation management, task execution, and machine image building capabilities for forensic investigations on Ubuntu systems.
Open source security auditing tool to search and dump system configuration.
Compact C framework for analyzing suspected malware documents and detecting exploits and embedded executables.
View physical memory as files in a virtual file system for easy memory analysis and artifact access.
Emulates browser functionality to detect exploits targeting browser vulnerabilities.
Malscan is a tool to scan process memory for YARA matches and execute Python scripts.
Web-based tool for incident response with easy local installation using Docker.
Open Backup Extractor is an open source program for extracting data from iPhone and iPad backups.
pcapfex is a forensic tool that extracts files from packet capture data by analyzing network traffic and identifying embedded file content.
Binary analysis and management framework for organizing malware and exploit samples.
Bitscout is a Bash-based live OS constructor tool for building customizable forensic environments used in remote system triage, malware hunting, and digital forensics investigations.
Standalone SIGMA-based detection tool for EVTX, Auditd, Sysmon for Linux, XML or JSONL/NDJSON Logs.
YARA syntax highlighting for Gtk-based text editors
Recover event log entries from an image by heuristically looking for record structures.
A pure Python parser for Windows Event Log (.evtx) files that enables cross-platform forensic analysis of Windows system events.
An open-source binary debugger for Windows with a comprehensive plugin system for malware analysis and reverse engineering.
A collection of Yara signatures for identifying malware and other threats
Incident response and digital forensics tool for transforming data sources and logs into graphs.
A tool for fixing acquired .evt Windows Event Log files in digital forensics.
Syntax, indent, and filetype detection for YARA rule files with auto-indenting and error display in quickfix window.
mac_apt is a versatile DFIR tool for processing Mac and iOS images, offering extensive artifact extraction capabilities and cross-platform support.
A Python-based modular incident response tool for AWS environments that enables automated security actions across EC2, IAM, VPC, and other AWS resources.
A proof of concept for using the SSM Agent in Fargate for incident response
AWS IR is a Python command line utility for automated incident response and mitigation of instance and key compromises in Amazon Web Services environments.
An AWS incident response framework that uses Athena to analyze CloudTrail events and EventBridge for notifications to investigate API activity and detect security misconfigurations.
A Python tool that analyzes AWS CloudTrail data to summarize IAM principal activities, API calls, regions, IP addresses, and user agents with configurable timeframes and visualization options.
Margarita Shotgun is a Python tool that enables remote memory acquisition from target systems through command line interface, supporting Linux distributions and other operating systems via Docker containers.
A Python module for orchestrating remote forensic data acquisition and analysis from Linux instances using Amazon SSM.
Review of various MFT parsers used in digital forensics for analyzing NTFS file systems.
A collection of Android Fakebank and Tizi samples for analyzing spyware on Android devices.
Andrew Case's personal page for research, software projects, and speaking events
A utility for recovering deleted files from ext3 or ext4 partitions.
A console program for file recovery through data carving.
Statistical renaming, Type inference, and Deobfuscation tool for JavaScript code.
Studying Android malware behaviors through Information Flow monitoring techniques.
A command-line utility to show and change EXIF information in JPEG files
HxD is a freeware hex editor and disk editor with advanced features for editing files, memory, and disks.
Network Dump data Displayer and Editor framework for tcpdump trace files manipulation.
netsniff-ng is a free Linux networking toolkit with zero-copy mechanisms for network development, analysis, and auditing.
A javascript malware analysis tool with backend code execution.
A super-simple, modern framework for organizing and automating cybersecurity tasks.
Tool for parsing NTFS journal files, $Logfile, and $MFT.
A textmode sniffer for tracking tcp streams and capturing data in various modes.
A tool for extracting files from network traffic based on file signatures with support for various file formats and scalable search algorithm.
Encode or encrypt strings to various hashes and formats, including MD5, SHA1, SHA256, URL encoding, Base64, and Base85.
A standardized framework for describing and classifying cybersecurity incidents
A PE/COFF file viewer that displays header, section, directory, import table, export table, and resource information within various file types.
A scalable python framework for security research and development teams.
Java decompiler for modern Java features up to Java 14.
Free tools for the CrowdStrike customer community to support their use of the Falcon platform.
Forensic imaging program with full hash authentication and various acquisition options.
A collection of binary tools for various purposes including linking, assembling, profiling, and more.
Revelo is an experimental Javascript deobfuscator tool with features to analyze and deobfuscate Javascript code.
A tool to verify the integrity of PNG, JNG, and MNG files and extract detailed information about the image.
Independent software vendor specializing in network security tools and network forensics.
Extracts resources (bitmaps, icons, cursors, AVI movies, HTML files, and more) from dll files
A freeware suite of tools for PE editing and process viewing, including CFF Explorer and Resource Editor.
Digital investigation tool for extracting forensic data from computers and managing investigations.
SWFTools is a collection of utilities for working with Adobe Flash files, including tools for converting PDFs, images, audio, and video files to SWF format.
A forensic tool to find hidden processes and TCP/UDP ports by rootkits or other hidden techniques.
Powerful debugging tool with extensive features and extensions for memory dump analysis and crash dump analysis.
GUI-based memory forensic capture tool for cyber forensics and cyber crime investigation.
Universal hexadecimal editor for computer forensics, data recovery, and IT security.
Advanced computer forensics software with efficient features.
A tool for analyzing TCP packet traces with color support.
Online platform for image steganography analysis
A service that analyzes and visualizes security data to investigate potential security issues.
Belkasoft offers cybersecurity solutions, training, and tools for businesses, law enforcement, and academia.
A reliable end-to-end DFIR solution for boosting cyber incident response and forensics capacity.
Modern digital forensics and incident response platform with comprehensive tools.
Binary Ninja is an interactive decompiler, disassembler, debugger, and binary analysis platform with a focus on automation and a clean GUI.
A powerful tool for analyzing and visualizing system activity timelines.
A command-line tool for managing and analyzing Microsoft Forefront TMG and UAG configurations.
A toolkit for forensic analysis of network appliances with YARA decoding options and frame extraction capabilities.
Analyzing WiFiConfigStore.xml file for digital forensics on Android devices.
Detect signed malware and track stolen code-signing certificates using osquery.
A report on detecting lateral movement through tracking event logs, updated to include analysis of various tools and commands used by attackers.
An HTTP proxy, monitor, and reverse proxy tool for viewing HTTP and SSL/HTTPS traffic.
A comprehensive Linux log analysis tool that streamlines the investigation of security incidents by extracting and organizing critical details from supported log files.
A tool that recovers passwords from pixelized screenshots
A simple tool to take screenshots of HTTPS websites
A reverse engineering framework with a focus on usability and code cleanliness
A binary analysis platform for analyzing binary programs
Common questions security professionals ask when evaluating alternatives and competitors to capa.
The most popular alternatives to capa include CAPA, Joe Security Joe Lab, Seqrite Malware Analysis Platform, Joe Sandbox DEC, and Joe Security Joe Reverser. These Digital Forensics and Incident Response tools offer similar capabilities and are frequently compared by security professionals evaluating their options.
