Top Alternatives to Docker Explorer
Security Operations
Docker Explorer is a forensic tool that enables investigators to explore and analyze offline Docker container filesystems by reconstructing their layered filesystem structures.
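The reconstruction step that the description above refers to, as an added worked example (this is not Docker Explorer's own code and was written independently of it): the script below walks an offline Docker root, follows the overlay2 layer database from a top chain id down through its `parent` links, stacks the layer `diff` directories bottom-up, and applies overlay whiteouts so that the merged view matches what the container saw. It assumes the overlay2 on-disk layout (`image/overlay2/layerdb/sha256/<chain-id>/{cache-id,parent}` pointing at `overlay2/<cache-id>/diff`) and the overlay whiteout conventions (`.wh.<name>` deletes a file, `.wh..wh..opq` makes a directory opaque). The two-layer image it runs against is a constructed fixture, not a real image.

```python
"""Rebuild a container's merged filesystem from an offline Docker root.

Added example, not Docker Explorer's code. Assumes the overlay2 layout:
image/overlay2/layerdb/sha256/<chain-id>/{cache-id,parent} points at
overlay2/<cache-id>/diff; a layer records a deletion with a '.wh.<name>'
whiteout file or an opaque directory marker '.wh..wh..opq'.
"""
import os
import tempfile

WHITEOUT_PREFIX = ".wh."
OPAQUE_MARKER = ".wh..wh..opq"


def _walk(diff_dir):
    """Yield (relative dir, file names, absolute dir) for one layer, top-down."""
    for root, _dirs, files in os.walk(diff_dir):
        rel = os.path.relpath(root, diff_dir)
        yield ("" if rel == "." else rel), files, root


def _join(rel_root, name):
    return f"{rel_root}/{name}" if rel_root else name


def resolve_chain(docker_root, chain_id):
    """Follow 'parent' links in layerdb; return diff dirs, lowest layer first."""
    layerdb = os.path.join(docker_root, "image", "overlay2", "layerdb", "sha256")
    diffs, current = [], chain_id
    while current:
        entry = os.path.join(layerdb, current)
        with open(os.path.join(entry, "cache-id")) as f:
            cache_id = f.read().strip()
        diffs.append(os.path.join(docker_root, "overlay2", cache_id, "diff"))
        parent_file = os.path.join(entry, "parent")
        current = None
        if os.path.exists(parent_file):
            with open(parent_file) as f:
                current = f.read().strip().split(":", 1)[-1]  # drop 'sha256:'
    diffs.reverse()
    return diffs


def merge_layers(diff_dirs):
    """Apply layers bottom-up like the overlay driver; returns {path: bytes}."""
    merged = {}
    for diff in diff_dirs:
        for rel_root, files, abs_root in _walk(diff):
            if OPAQUE_MARKER in files:
                # Opaque directory: lower-layer content under it is hidden.
                prefix = rel_root + "/"
                for path in [p for p in merged if p.startswith(prefix)]:
                    del merged[path]
            for name in files:
                if name == OPAQUE_MARKER:
                    continue
                if name.startswith(WHITEOUT_PREFIX):
                    # Whiteout: the named file (or subtree) is deleted here.
                    target = _join(rel_root, name[len(WHITEOUT_PREFIX):])
                    for path in [p for p in merged
                                 if p == target or p.startswith(target + "/")]:
                        del merged[path]
                    continue
                with open(os.path.join(abs_root, name), "rb") as f:
                    merged[_join(rel_root, name)] = f.read()
    return merged


def whiteouts(diff_dirs):
    """Deletions recorded by upper layers; the lower-layer copy stays on disk."""
    found = set()
    for layer_no, diff in enumerate(diff_dirs):
        for rel_root, files, _abs_root in _walk(diff):
            for name in files:
                if name == OPAQUE_MARKER:
                    found.add((layer_no, rel_root + "/"))
                elif name.startswith(WHITEOUT_PREFIX):
                    found.add((layer_no, _join(rel_root, name[len(WHITEOUT_PREFIX):])))
    return found


def build_fixture(docker_root):
    """Constructed two-layer image (not a real one); returns the top chain id."""
    def write(path, data):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    base, top = "a" * 64, "b" * 64  # constructed chain ids
    layerdb = os.path.join(docker_root, "image", "overlay2", "layerdb", "sha256")
    write(os.path.join(layerdb, base, "cache-id"), b"cache-base")
    write(os.path.join(layerdb, top, "cache-id"), b"cache-top")
    write(os.path.join(layerdb, top, "parent"), b"sha256:" + base.encode())
    lower = os.path.join(docker_root, "overlay2", "cache-base", "diff")
    upper = os.path.join(docker_root, "overlay2", "cache-top", "diff")
    write(os.path.join(lower, "etc", "passwd"), b"root:x:0:0\n")
    write(os.path.join(lower, "tmp", "dropper.sh"), b"#!/bin/sh\n")
    write(os.path.join(lower, "opt", "app", "old.cfg"), b"v1\n")
    write(os.path.join(upper, "etc", "passwd"), b"root:x:0:0\nbackdoor:x:0:0\n")
    write(os.path.join(upper, "tmp", ".wh.dropper.sh"), b"")      # file deleted
    write(os.path.join(upper, "opt", "app", OPAQUE_MARKER), b"")  # dir replaced
    write(os.path.join(upper, "opt", "app", "new.cfg"), b"v2\n")
    return top


def demo():
    """Run against the constructed root; returns (merged view, deletions)."""
    with tempfile.TemporaryDirectory() as root:
        layers = resolve_chain(root, build_fixture(root))
        view = {p: c.decode() for p, c in sorted(merge_layers(layers).items())}
        return view, whiteouts(layers)


if __name__ == "__main__":
    merged, deleted = demo()
    for path, content in merged.items():
        print(path, repr(content))
    print("deleted in an upper layer, still present in a lower diff:", sorted(deleted))
```

The point of returning the whiteouts separately is the forensic one: a file the container "deleted" (here `tmp/dropper.sh`) never leaves the lower layer's `diff` directory, so an investigator working on the offline storage can recover it even though the merged view no longer shows it.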
613 Alternatives to Docker Explorer
A comprehensive incident response tool for Windows computers, providing advanced memory forensics and access to locked systems.
Intezer is a cloud-based malware analysis platform that detects and classifies malware using genetic code analysis.
ENISA Training Resources offers online training material for cybersecurity specialists, covering technical areas such as artefact handling and analysis.
Binwalk is a firmware analysis tool that enables reverse engineering and extraction of embedded file systems and archives from firmware images.
ZAT is a Python package that processes and analyzes Zeek network security data with data-science tooling such as Pandas, scikit-learn, Kafka, and Spark.
A versatile steganography tool with various installation options and detailed usage instructions.
Incident Response Documentation tool for tracking findings and tasks.
A de-obfuscator that reverses the effects of M/o/Vfuscator, the notorious obfuscator that compiles programs into nothing but mov instructions.
StegSolve is a steganography analysis tool with image analysis features.
Interactive malware hunting service with live access to the heart of an incident.
Red Hand Analyzer is an online tool that provides automated behavioral analysis of PCAP files to detect malicious network activities and security vulnerabilities without decrypting traffic content.
A utility package that monitors hard drive health through SMART technology to detect and prevent disk failures before data loss occurs.
A reverse engineering tool that extracts and organizes Samsung ODIN3 protocol messages from USB packet captures into human-readable files.
OCyara performs OCR on images and PDF files to extract text content and scan it against Yara rules for malware detection.
A software utility with forensic tools for smartphones, offering powerful data extraction and decoding capabilities.
A collection of structured incident response playbook battle cards providing prescriptive guidance and countermeasures for cybersecurity incident response operations.
A forensic toolkit for analyzing Android and iOS devices to detect potential spyware infections and security compromises using indicators of compromise.
A read-only FUSE driver that enables Linux systems to mount and access Apple File System (APFS) volumes, including encrypted and fusion drives.
A Windows context menu integration tool that scans files and folders for malware patterns, crypto signatures, and malicious documents using Yara rules and PEID signatures.
Steghide is a steganography program for hiding data in image and audio files.
A network forensics toolkit that transforms network traffic data into graph-based representations for interactive analysis and visualization through a web interface.
A forensic analysis tool that extracts and parses logs, notifications, and system information from iOS/iPadOS devices and backups.
AI-powered investigative analytics platform for eDiscovery, data privacy, and fraud
AI-powered cyber incident response platform for training, orchestration, and management
An open-source incident response case management tool that provides visualization, threat intelligence lookups, and security framework mapping in a unified workspace.
Malware analysis platform for detecting and analyzing threats via sandbox
Digital forensics service for incident analysis and APT response
Standalone DFIR data collector for Windows systems with adaptive collection
Malware scanning tool for DFIR using 40+ engines from ReversingLabs
Forensic imaging tool for disk acquisition, iOS collection, and encryption
Digital forensics suite for processing, analyzing, and reporting on computer and mobile data
AI-powered data management system for forensics, e-discovery, and privacy
24/7 breach response and digital forensics service for incident handling
Ransomware preparedness & response service with playbooks and negotiation
Website malware removal service with WAF, monitoring, and cleanup support
Fast disassembler producing reassemblable assembly code using Datalog
Incident management platform for tracking and responding to security incidents
Digital forensics & investigation platform for analyzing evidence & cases
Data processing & analysis platform for eDiscovery, investigations & forensics
eDiscovery workflow automation platform for legal hold to review processes
Data analysis platform for transforming data into actionable intelligence
Data collection tool for eDiscovery, investigations, and forensics
NIST-aligned DFIR platform for incident containment, investigation, and recovery
Incident response & management service for detecting, containing & recovering
Remote access and IT support tool for workstation management and diagnostics
AI-assisted case management software for investigations and incident response
Digital forensics & incident response services for cyber incident investigation
Incident response platform for alert management, collaboration, and remediation
Proactive service scanning systems for signs of past/ongoing breaches & malware
Malware analysis platform for SOC teams with binary analysis and threat detection
Investigation platform for digital forensics and incident analysis
Investigation and case management system for cybersecurity incidents
Incident management tool for automating response workflows in Grafana Cloud
Out-of-band incident response platform for cyber incident lifecycle management
Incident response platform for preparation, practice, response, and reporting
DFIR service with unlimited incident response and threat suppression
DFIR services with PCI SSC certified lab for cybercrime investigation
DFIR services for cyber incident investigation and remediation
Centralized IR platform for threat visibility, detection, and rapid deployment
Automates initial incident assessment and forensics gathering via host sweeps.
Automates memory and MFT dumps at scale for forensic analysis on Windows hosts
Browser session recording & forensics for incident investigation & analysis
Network forensics platform with packet capture and analytics capabilities
AI-powered data breach response platform for identifying PI/PHI and notifications
DFIR service for breach investigation, containment, and remediation
Unified platform for incident detection, investigation, containment & remediation
Real-time endpoint threat investigation and incident response platform
Platform for cyber crisis readiness, response management, and recovery
AI-powered compromise assessment with APT detection and digital forensics
Rapid breach verification service to confirm suspected cyber incidents
DFIR platform for endpoint triage & investigation with EDR telemetry import
Digital forensic investigation services for evidence collection and analysis
Cybercrime and fraud investigation services with digital forensics
Blockchain analytics platform for crypto compliance and investigations
SaaS platform for managing cybersecurity incident and data breach response
24/7 cyber incident response service with forensics, legal, and recovery support
Incident response and forensics service for cyber attack investigation
DFIR service for breach investigation, evidence preservation, and recovery.
HexPrism is a fast, privacy-first hex editor built for CTFs and digital forensics.
Automated digital forensics tool for real-time data activity monitoring and IR.
Cloud backend for SNOW platform: telemetry storage, ML anomaly detection & IR.
Real-time intrusion detection and forensic analysis service powered by SNOW.
Cloud & on-premise video security cameras and VMS with AI analytics.
Managed service to detect active/recent threat actors in org networks.
Agentless ransomware detection and containment via behavioral analysis.
Hardware write-blockers & forensic tools for secure digital evidence handling.
File integrity monitoring suite for breach detection, remediation & compliance.
AI-augmented platform for SOC investigations, threat hunting & IR.
Incident investigation tool for info risks, user activity, and file exposure.
IR and digital forensics services for breach response and incident readiness.
Automated network packet recording and breach investigation tool for IR teams.
Managed eDiscovery service for ESI collection and review after cyber breaches.
Distributed GPU-accelerated password recovery for 300+ file/encryption formats.
Mobile forensic bundle for physical, logical & OTA acquisition of iOS/Android/cloud.
Recovers/removes passwords and restrictions from encrypted PDF files.
Password recovery tool for MS Office, WordPerfect, Lotus & other office docs.
Decrypts EFS-protected files on NTFS volumes across Windows versions.
Password recovery tool for encrypted ZIP, 7Zip, and RAR archives.
Always-on network packet capture for forensics, IR, and compliance.
FIM tool monitoring critical files for unauthorized changes across OS platforms.
Purpose-built status page platform for targeted incident communications.
Out-of-band IR planning platform with tabletop drills for MSPs & enterprises.
Process-driven IR platform for IR firms managing breached client incidents.
End-to-end incident management platform for IR teams, MSPs, and enterprises.
IR planning platform for MSPs/MSSPs with templates, tabletops & multi-tenancy.
Automatic binary reverse-engineering tool for library ID across architectures.
Deep learning-based malware analysis & threat contextualization platform.
File malware analysis portal for end users using deep learning detection.
Expert digital forensics investigation service for criminal, civil & corporate cases.
Accredited forensic cell site geolocation analysis for criminal investigations.
Professional e-discovery service for ESI identification, collection & review.
Professional digital forensics service for legal & criminal investigations.
Cloud-based bare-metal malware analysis lab for SOC, CERT & CIRT teams.
Plugin that decompiles malware PE files into readable C code using hybrid analysis.
Agentic AI tool for automated malware reverse engineering & phishing analysis.
Network packet capture & forensics tool for security incident investigations.
High-speed network packet capture & forensics appliance for NetOps & SecOps.
Email forensic tool for analyzing email headers, body, and attachments.
Windows-based email forensics tool for evidence recovery and analysis.
Email forensics tool that detects objectionable images via skin tone analysis.
EnCase plugin to export forensic email records to PST without Outlook.
Email forensics tool for analyzing MIME header fields across 20+ formats.
Decrypts S/MIME & OpenPGP emails from PST/OST/EDB for forensic analysis.
Email-focused digital forensics tool for evidence acquisition, analysis & reporting.
Automated malware analysis via hypervisor-level sandbox & static analysis.
Multi-OS malware analysis platform with sandbox, static analysis & URL scanning.
Manual malware analysis lab with CSI module for in-depth threat inspection.
Professional digital forensics service covering breaches, fraud, and OSINT.
Inter-enterprise CERT service offering 24/7 DFIR & CTI for orgs of all sizes.
Expert witness & digital forensics service for legal proceedings.
Professional digital forensics service for evidence collection, analysis & legal support.
AI-powered data lake for structured/unstructured data discovery & analysis.
Managed DFIR service for investigating and responding to cyber incidents.
FIM and config change monitoring tool with baseline deviation detection.
Professional digital forensics services covering computers, mobile, and media.
OSINT-driven link analysis tool for mapping entity relationships visually.
OSINT tool for digital identity investigation across 600+ public sources.
Digital forensics service for data recovery, analysis, and incident investigation.
AI-powered file analysis platform delivering malware verdicts in natural language.
Turns a single IOC or hash into a full malware campaign investigation view.
Expands a single malware hash into full family visibility via structural analysis.
OSINT tool for investigating cybercrime activity on Telegram.
Suite of data forensics, migration, backup, and cybersecurity tools/services.
AI-powered malware analysis & threat research platform with chat interface.
Cybersecurity & digital forensics software for malware detection and DFIR.
Digital fraud prevention & detection platform for finance and e-commerce.
A command-line tool for creating hex dumps, converting between binary and human-readable representations, and patching binary files.
A library and set of tools for accessing and analyzing storage media devices and partitions for forensic analysis and investigation.
VX-Underground is a vast online repository of malware samples, featuring various collections for cybersecurity professionals and researchers to analyze and combat cyber threats.
Stegextract is a Bash script that extracts hidden files and strings from images, supporting PNG, JPG, and GIF formats.
A digital artifact extraction framework for extracting data from volatile memory (RAM) samples, providing visibility into the runtime state of a system.
A community-driven public malware repository providing access to malware samples, tools, and resources for the cybersecurity community.
A library to access and parse Windows XML Event Log (EVTX) format, useful for digital forensics and incident response.
A PowerShell-based incident response and live forensic data acquisition tool for Windows hosts.
A library for read-only access to QEMU Copy-On-Write (QCOW) image files, supporting multiple versions and compression formats for digital forensics analysis.
In-depth threat intelligence reports and services providing insights into real-world intrusions, malware analysis, and threat briefs.
A static analysis framework for extracting key characteristics from various file formats
A free endpoint security tool for host investigative capabilities to find signs of malicious activity through memory and file analysis.
Unfurl is a URL analysis tool that extracts and visualizes data from URLs, breaking them down into components and presenting the information visually.
A library for accessing and parsing Microsoft Internet Explorer cache files (index.dat) to extract URLs, timestamps, and cached content for digital forensic analysis.
Falcon Sandbox is a malware analysis framework that provides in-depth static and dynamic analysis of files, offering hybrid analysis, behavior indicators, and integrations with various security tools.
A practical guide to enhancing digital investigations with cutting-edge memory forensics techniques, covering fundamental concepts, tools, and techniques for memory forensics.
CAPA is a static analysis tool that detects and reports capabilities in executable files across multiple formats, mapping findings to MITRE ATT&CK tactics and techniques.
A library for accessing and parsing Extensible Storage Engine (ESE) Database Files used by Microsoft applications like Windows Search, Exchange, and Active Directory for forensic analysis purposes.
Free software for extracting Microsoft cabinet files, supporting all features and formats of Microsoft cabinet files and Windows CE installation files.
A library for accessing and parsing Windows NT Registry File (REGF) format files, designed for digital forensics and registry analysis applications.
A digital forensics tool that provides read-only access to file-system objects from various storage media types and file formats.
A binary analysis and management framework for organizing and analyzing malware and exploit samples, and creating plugins.
Automated DFIR platform for rapid incident investigation and endpoint triage
A library to access the Windows New Technology File System (NTFS) format with read-only support for NTFS versions 3.0 and 3.1.
A free, fast, and flexible multi-platform IOC and YARA scanner for Windows, Linux, and macOS.
A tool that extracts and deobfuscates strings from malware binaries using advanced static analysis techniques.
A digital archive of the internet, allowing users to capture and browse archived web pages.
TestDisk is a free data recovery software that can recover lost partitions and undelete files from various file systems.
A library to access FileVault Drive Encryption (FVDE) encrypted volumes on Mac OS X systems.
An open source format for storing digital evidence and data, with a C/C++ library for creating, reading, and manipulating AFF4 images.
Search engine for Windows executable files and hashes, providing insights into file prevalence, behavior, and security information.
A library for accessing and parsing OLE 2 Compound File (OLECF) format files, including Microsoft Office documents and thumbs.db files.
A tool that collects and displays user activity and system events on a Windows system.
A static analysis tool for PE files that identifies potential malicious indicators through compiler detection, packing analysis, signature matching, and suspicious string identification.
Request Tracker for Incident Response (RTIR) is a tool for incident response teams to manage incident reports, correlate data, and facilitate communication.
A library for working with Windows NT data types, providing access and manipulation functions.
Autopsy is a GUI-based digital forensics platform for analyzing hard drives and smart phones, with a plug-in architecture for custom modules.
A software that collects forensic artifacts on systems for forensic investigations.
A Bluetooth 5 and 4.x sniffer using TI CC1352/CC26x2 hardware with advanced features and Python-based host-side software.
A free, open-source file data recovery software that can recover lost files from hard disks, CD-ROMs, and digital camera memory.
A command-line tool that extracts detailed technical information, metadata, and checksums from JPEG image files with support for multiple output formats.
A cross-platform registry hive editor for forensic analysis with advanced features like hex viewer and reporting engine.
A Windows Registry hive extraction library that provides C API access for reading and writing registry binary files with XML export capabilities.
A comprehensive guide to memory forensics, covering tools, techniques, and procedures for analyzing volatile memory.
A digital forensic tool for creating forensic images of computer hard drives and analyzing digital evidence.
A library and tools to access and manipulate VMware Virtual Disk (VMDK) files.
A library to access the Expert Witness Compression Format (EWF) for digital forensics and incident response.
A library and tools for accessing and analyzing Linux Logical Volume Manager (LVM) volume system format.
Comprehensive digital forensics and incident response platform for law enforcement, corporate, and academic institutions.
No More Ransom is a collaborative project to combat ransomware attacks by providing decryption tools and prevention advice.
Advanced threat prevention and detection platform leveraging Deep CDR, Multiscanning, and Sandbox technologies to protect against data breaches and ransom attacks.
Incident response and case management solution for efficient incident response and management.
A command-line utility for extracting human-readable text from binary files.
XMLStarlet offers a suite of command line utilities for manipulating and querying XML documents.
MetaDefender Cloud offers advanced threat prevention using technologies like Multiscanning, Deep CDR, and Sandbox.
dc3dd is a patch to the GNU dd program, tailored for forensic acquisition with features like hashing and file verification.
Valkyrie is a sophisticated file verdict system that enhances malware detection through behavioral analysis and extensive file feature examination.
edb is a powerful debugger for Linux binaries, enhancing reverse engineering efforts with a user-friendly interface and extensible plugins.
Magnet ACQUIRE offers robust data extraction capabilities for digital forensics investigations, supporting a wide range of devices.
SauronEye helps in identifying files containing sensitive data such as passwords through targeted directory searches.
A tool to remove malicious artifacts from Microsoft Office documents, preventing malware infections and data breaches.
A comprehensive malware-analysis tool that utilizes external AV scanners to identify malicious elements in binary files.
A script for extracting network metadata and fingerprints such as JA3 and HASSH from packet capture files or live network traffic.
An open source .NET deobfuscator and unpacker that restores packed and obfuscated assemblies by reversing various obfuscation techniques.
A .NET assembly debugger and editor that enables reverse engineering and dynamic analysis of compiled .NET applications without source code access.
A program to manage yara ruleset in a database with support for different databases and configuration options.
LiME is a Linux Memory Extractor tool for acquiring volatile memory from Linux and Linux-based devices, including Android, with features like full memory captures and minimal process footprint.
Extract local data storage of an Android application in one click.
Automated collection tool for incident response triage in Windows systems.
A collaborative malware analysis framework with various features for automated analysis tasks.
Generate comprehensive reports about Windows systems with detailed system, security, networking, and USB information.
Scan files or process memory for Cobalt Strike beacons and parse their configuration.
A sandbox for quickly sandboxing known or unknown families of Android Malware
yextend extends Yara's functionality by automatically handling archived and compressed content inflation, enabling pattern matching on files buried within multiple layers of archives.
QIRA is a competitor to strace and gdb with MIT license, supporting Ubuntu and Docker for wider compatibility.
A Python-based forensic tool for extracting and analyzing browser artifacts from Firefox, Iceweasel, and Seamonkey browsers on Unix and Windows systems.
Blazingly fast Yara queries for malware analysts with an analyst-friendly web GUI.
An open source tool that generates YARA rules from installed software on running operating systems for efficient software identification in digital forensic investigations.
Normalize, index, enrich, and visualize network capture data using Potiron.
An extended traceroute tool for CSIRT operators with advanced features.
PinCTF is a Python wrapper tool that uses Intel's Pin framework to instrument binaries and count instructions for reverse engineering analysis.
CrowdFMS is a CrowdStrike framework that automates malware sample collection from VirusTotal using YARA rule-based notifications and the Private API system.
A collection of YARA rules for public use, built from intelligence profiles and file work.
RABCDAsm is a collection of utilities for ActionScript 3 assembly/disassembly and SWF file manipulation.
DFIR ORC Documentation provides detailed instructions for setting up the build environment and deploying the tool.
A digital investigation platform for parsing, searching, and visualizing evidences with advanced analytics capabilities.
A collection of YARA rules designed to identify files containing sensitive information such as usernames, passwords, and credit card numbers for penetration testing and forensic analysis.
A tool that generates YARA rules to search for specific terms within base64-encoded malware samples by enumerating all possible encoding variations.
A Docker-based steganography analysis toolkit containing pre-installed tools and automated scripts for detecting and extracting hidden data from files, primarily designed for CTF challenges.
wxHexEditor is a free cross-platform hex editor and disk editor for editing binary files, disk devices, and logical drives with data manipulation and checksum calculation features.
FSF is a modular, recursive file scanning solution that enables analysts to extend the utility of Yara signatures and define actionable intelligence within a file.
A command-line string extraction utility for digital forensics that supports ASCII and Unicode string extraction from files and directories with pattern matching and filtering capabilities.
Exiv2 is a C++ library and command-line utility for reading, writing, deleting, and modifying Exif, IPTC, XMP, and ICC metadata in image files.
Collects Yara rules from over 150 free resources, a free alternative to Valhalla.
iOSForensic is a Python tool for forensic analysis on iOS devices, extracting files, logs, SQLite3 databases, and .plist files into XML.
A community-sourced repository of digital forensic artifacts in YAML format.
Documentation project for Digital Forensics Artifact Repository
A Yara ruleset designed to detect PHP shells and other webserver malware for malware analysis and threat detection.
PowerForensics is a PowerShell digital forensics framework for hard drive forensic analysis.
Investigate malicious logons by visualizing and analyzing Windows Active Directory event logs with LogonTracer.
MalConfScan is a Volatility plugin for extracting configuration data of known malware and analyzing memory images.
Web interface for the Volatility Memory Forensics Framework
Dynamic binary analysis library with various analysis and emulation capabilities.
DMG2IMG converts Apple compressed DMG archives to standard HFS+ image files supporting zlib, bzip2, and LZFSE compression formats.
Yaraprocessor allows for scanning data streams in unique ways and dynamic scanning of payloads from network packet captures.
A tool for creating compact Linux memory dumps compatible with popular debugging tools.
Collection of Yara rules for file identification and classification
Tool used for dumping memory from Android devices with root access requirement and forensic soundness considerations.
Ghidra is an NSA-developed software reverse engineering framework that provides disassembly, decompilation, and analysis tools for examining compiled code across multiple platforms and processor architectures.
Fnord is a pattern extraction tool that analyzes obfuscated code using sliding window techniques to identify frequent byte sequences and generate experimental YARA rules for malware analysis.
yarAnalyzer creates statistics on a yara rule set and files in a sample directory, generating tables and CSV files, including an inventory feature.
A generator for YARA rules that creates rules from strings found in malware files while removing strings from goodware files.
A deprecated digital forensics tool by Netflix that helped investigators scope compromises across AWS cloud instances by identifying behavioral differences and outliers during security incidents.
AutoYara is a Java tool that automatically generates YARA rules from malware samples using biclustering algorithms to help analysts create detection rules for malware families.
A Go library for manipulating YARA rulesets with the ability to programmatically change metadata, rule names, and more.
Use FindYara, an IDA python plugin, to scan your binary with yara rules and quickly jump to matches.
A framework/scripting tool to standardize and simplify the process of scripting favorite Live Acquisition utilities for Incident Responders.
A Cross-Platform Forensic Framework for Google Chrome that allows investigation of history, downloads, bookmarks, cookies, and provides a full report.
Steganography brute-force utility with performance issues, deprecated in favor of stegseek.
Browse and analyze iPhone/iPad backups with detailed file properties and various viewers.
CimSweep is a suite of CIM/WMI-based tools for incident response and hunting operations on Windows systems without the need to deploy an agent.
A tool for signature analysis of RTF files to detect potentially unique parts and malicious documents.
Tool for live forensics acquisition on Windows systems, collecting artefacts for early compromise detection.
A strings statistics calculator for YARA rules to aid malware research.
A parsing tool for Yara Scan Service's JSON output file to help maximize benefits and automate parsing of Yara Scan Service results.
A command-line tool for extracting data from iOS mobile device backups created by iTunes on macOS systems.
A script for extracting common Windows artifacts from source images and VSCs with detailed dependencies and usage instructions.
A network forensics tool for visualizing packet captures as network diagrams with detailed analysis.
A project providing open-source YARA rules for malware and malicious file detection
Procmon for Linux is a reimagining of the classic Procmon tool from Windows, allowing Linux developers to trace syscall activity efficiently.
Sysmon for Linux is a tool that monitors and logs system activity with advanced filtering to identify malicious activity.
A collection of PowerShell modules for artifact gathering and reconnaissance of Windows-based endpoints.
UDcide is an Android malware analysis tool that detects and removes specific malicious behaviors from malware samples while preserving the binary for investigation purposes.
An extensible network forensic analysis framework with deep packet analysis and plugin support.
An OCaml Ctypes wrapper for the YARA matching engine that enables malware identification capabilities in OCaml applications.
A tool for quick and effective Yara rule creation to isolate malware families and malicious objects.
A collection of YARA rules specifically designed for forensic investigations and malware analysis, providing pattern matching capabilities for files and memory dumps.
A tool for restoring defocused and blurred images with various deconvolution techniques and fast processing capabilities.
A semi-automatic tool to generate YARA rules from virus samples.
Windows Event Log Analyzer with logon timeline generator and noise reduction for fast forensics.
Windows event log fast forensics timeline generator and threat hunting tool.
A repository of Yara signatures under the GNU-GPLv2 license for the cybersecurity community.
OSXCollector is a forensic evidence collection & analysis toolkit for OSX.
A tool for parsing and extracting information from the Master File Table of NTFS file systems.
A cybersecurity tool for collecting and analyzing forensic artifacts on live systems.
ALEAPP is a Python-based forensic tool for parsing Android logs, events, and protobuf data with both CLI and GUI interfaces.
A Mac OS X forensic utility for ensuring correct forensic procedures during disk imaging.
A tool for tracking, scanning, and filtering yara files with distributed scanning capabilities.
A portable forensic tool that detects encrypted containers like Truecrypt and Veracrypt by analyzing file headers, block cipher patterns, and entropy without external dependencies.
A modified version of GNU dd with added features like hashing and fast disk wiping.
BinaryAlert is an open-source serverless AWS pipeline that automatically scans files uploaded to S3 buckets with YARA rules and generates immediate alerts when malware is detected.
A .Net wrapper library for the native Yara library with interoperability and portability features.
RegRippy is a modern Python 3 alternative to RegRipper for extracting data from Windows registry hives.
Timeliner is a digital forensics tool that rewrites mactime with an advanced expression engine for complex timeline filtering using BPF syntax.
Steganographic Swiss army knife for encoding and decoding data into images.
ShadowCopy Analyzer is a tool for cybersecurity researchers to analyze and utilize the ShadowCopy technology for file recovery and system restoration.
dynStruct is a tool for monitoring memory accesses of an ELF binary and recovering structures of the original code.
A community-maintained repository of YARA rules for detecting and classifying malware based on patterns and characteristics.
A disassembly framework with support for multiple hardware architectures and clean API.
Open Source computer forensics platform with modular design for easy automation and scripting.
Largest open collection of Android malware samples, with 298 samples and contributions welcome.
A framework for accumulating, describing, and classifying actionable incident response techniques.
RetDec is an LLVM-based decompiler that converts machine code from various architectures and file formats back into readable C-like source code for reverse engineering and malware analysis.
Yaramod is a library for parsing YARA rules into AST and building new YARA rulesets with C++ programming interface.
A YARA interactive debugger for the YARA language written in Rust, providing features like function calls, constant evaluation, and string matching.
Template-based incident response runbooks for AWS environments following NIST guidelines to help organizations handle common cloud security incidents.
AfterGlow Cloud is a Django-based web application that allows users to upload data and generate graph visualizations through a browser interface.
Custom-built application for asynchronous forensic data presentation on an Elasticsearch backend, with Docker-based installation and a UI rewrite in React planned.
A GNU Emacs editor mode that provides syntax highlighting, indentation, and language server integration for editing YARA rule files.
Chaosreader is a tool for ripping files from network sniffing dumps and replaying various protocols and file transfers.
Zui is a desktop application for data exploration and analysis that provides drag-and-drop data ingestion, automatic format detection, and interactive querying capabilities for structured and semi-structured data.
A Python wrapper for the Libemu library that enables shellcode analysis and malicious code examination through programmatic interfaces.
CIRTKit is a DFIR console built on the Viper Framework that integrates various forensic tools and provides modules for packet analysis, memory analysis, and automated incident response workflows.
A System for Abuse- and Incident Handling with log file analysis capabilities.
FIR is a Python-based cybersecurity incident management platform designed for CSIRTs, CERTs, and SOCs to create, track, and report security incidents.
TestDisk checks disk partitions and recovers lost partitions, while PhotoRec specializes in recovering lost pictures from digital camera memory or hard disks.
CHIPSEC is a cross-platform framework for analyzing PC platform security, including hardware, BIOS/UEFI firmware, and low-level system components.
A robust and flexible hunt and incident response tool for investigating Azure AD, Azure, and M365 environments.
A new age tool for binary analysis that uses statistical visualizations to help find patterns in large amounts of binary data.
SwishDbgExt is a Microsoft WinDbg debugging extension that enhances debugging capabilities for kernel developers, troubleshooters, and security experts.
Powerful tool for searching and hunting through Windows forensic artefacts with support for Sigma detection rules and custom Chainsaw detection rules.
A tool that generates Yara rules for strings and their XOR encoded versions, as well as base64-encoded variations with different padding possibilities.
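The string-variant generation described in the entry above, as an added example written for this page rather than the tool's own code. A string embedded in a base64 stream can land at any of three byte alignments, and the characters at either edge of the encoded fragment also depend on the neighbouring bytes, so each alignment is encoded separately and trimmed; single-byte XOR variants are emitted as hex strings. The rule name, the sample string `cmd.exe` and the `matches` helper are assumptions for the demonstration.

```python
"""Build a YARA rule that matches a string in plain, single-byte-XOR and
base64-encoded form, plus a pure-Python matcher to sanity-check the variants."""
import base64


def base64_variants(s: bytes) -> list:
    """The base64 form of s at each of the three possible 3-byte alignments.

    Characters whose bits depend on the unknown bytes before or after s are
    trimmed, so every returned fragment appears verbatim wherever s is embedded
    in a base64 stream with that alignment."""
    out = []
    for shift in range(3):
        enc = base64.b64encode(b"\x00" * shift + s).decode("ascii")
        lead = (0, 2, 3)[shift]                   # chars fully or partly from the padding bytes
        trail = (0, 3, 2)[(shift + len(s)) % 3]   # chars (incl. '=') shaped by the following bytes
        out.append(enc[lead:len(enc) - trail])
    return out


def xor_variants(s: bytes, keys=range(1, 256)) -> dict:
    """s XOR-ed with each single-byte key (key 0 is the plain string)."""
    return {k: bytes(b ^ k for b in s) for k in keys}


def build_rule(name: str, s: bytes, xor_keys=range(1, 256)) -> str:
    if not s.isascii() or b'"' in s or b"\\" in s:
        raise ValueError("example only handles printable ASCII without quotes/backslashes")
    lines = [f"rule {name}", "{", "    strings:", f'        $plain = "{s.decode()}"']
    for i, frag in enumerate(base64_variants(s)):
        lines.append(f'        $b64_{i} = "{frag}"')
    for k, enc in xor_variants(s, xor_keys).items():
        lines.append(f"        $xor_{k:02x} = {{ {enc.hex(' ')} }}")
    lines += ["    condition:", "        any of them", "}"]
    return "\n".join(lines)


def matches(data: bytes, s: bytes, xor_keys=range(1, 256)) -> list:
    """Names of the rule's strings that occur in data (mirrors the rule without needing yara)."""
    hits = []
    if s in data:
        hits.append("plain")
    for i, frag in enumerate(base64_variants(s)):
        if frag.encode("ascii") in data:
            hits.append(f"b64_{i}")
    for k, enc in xor_variants(s, xor_keys).items():
        if enc in data:
            hits.append(f"xor_{k:02x}")
    return hits


# Constructed samples: the string inside a base64 blob and under XOR key 0x41.
B64_SAMPLE = base64.b64encode(b"run cmd.exe now")
XOR_SAMPLE = bytes(b ^ 0x41 for b in b"xx cmd.exe xx")

if __name__ == "__main__":
    print(build_rule("cmd_exe_obfuscated", b"cmd.exe", xor_keys=(0x41, 0x5A)))
    print(matches(B64_SAMPLE, b"cmd.exe"))
    print(matches(XOR_SAMPLE, b"cmd.exe"))
```

Current YARA releases can express the same thing natively with the `xor` and `base64` string modifiers; generating the variants explicitly is still useful for older engines, for other scanners, and for seeing exactly which byte sequences a rule will fire on.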
A modular incident response framework in PowerShell that uses PowerShell Remoting to collect data for incident response and breach hunts.
Collection of YARA signatures from recent malware research.
Scan files with Yara, match findings to VirusTotal comments.
High-performance remote packet capture and collection tool used for forensic analysis in cloud workloads.
YaraHunter scans container images, running Docker containers, and filesystems using YARA rules to detect malware indicators and signs of compromise.
COPS is a YAML-based schema standard for creating collaborative DFIR playbooks that provide structured guidance for incident response processes.
A web collaborative platform for incident responders to share technical details during investigations, shipped in Docker containers for easy installation and upgrades.
DFIRTrack is an open source web application focused on incident response for handling major incidents with many affected systems, tracking system status, tasks, and artifacts.
A set of scripts for collecting forensic data from Windows and Unix systems respecting the order of volatility.
A C library that enables cross-platform execution of functions from stripped binaries using file names, offsets, and function signatures.
Toolkit for post-mortem analysis of Docker runtime environments using forensic HDD copies.
A command-line tool that allows SQL queries to be executed directly on PCAP files for network traffic analysis with support for multiple output formats.
Netcap efficiently converts network packets into structured audit records for machine learning algorithms, using Protocol Buffers for encoding.
Accesses the Chrome browser's local databases on a machine and dumps the URLs found in them.
GrokEVT is a tool for reading Windows event log files and converting them to a human-readable format.
OCaml bindings to the YARA scanning engine for integrating YARA scanning capabilities into OCaml projects.
A malware processing and analytics tool that utilizes Pig, Django, and Elasticsearch to analyze and visualize malware data.
A PHP based web application for managing postmortems with pluggable features.
Capa is a malware analysis tool that detects capabilities in executable files by analyzing PE, ELF, .NET modules, shellcode, and sandbox reports to identify potential malicious behaviors with ATT&CK framework mapping.
FLARE-VM is a Windows virtual machine setup tool that automates the installation and configuration of reverse engineering and malware analysis software using Chocolatey and Boxstarter technologies.
StringSifter is a machine learning tool that automatically ranks strings extracted from malware samples based on their relevance for analysis.
A DFVFS backed viewer project with a WxPython GUI, aiming to enhance file extraction and viewing capabilities.
A tool to quickly gather forensic artifacts from disk images or a live system into a lightweight container, aiding in digital forensic triage.
Dissect is a digital forensics & incident response framework that simplifies the analysis of forensic artefacts from various disk and file formats.
Automate the process of writing YARA rules based on executable code within malware.
A collection of Yara rules for detecting malware evasion techniques.
A minimal library to generate YARA rules from JAVA with maven support.
POFR is a Linux forensic data collection system that captures process execution, file access, and network activity for incident response and compliance analysis.
A forensics toolkit for collecting digital evidence from Google Cloud Platform, Microsoft Azure, and Amazon Web Services during incident response investigations.
Incident response framework focused on remote live forensics.
Rekall is a discontinued memory forensics framework that aimed to improve memory analysis methodology but was retired as changing in-memory structures and increasing OS security measures made analysis progressively harder.
Stenographer is a high-performance full-packet-capture utility for intrusion detection and incident response purposes.
A collaborative forensic timeline analysis tool for organizing and analyzing data with rich annotations and comments.
Turbinia is an open-source framework for automating the running of common forensic processing tools to help with processing evidence in the Cloud.
VxSig is a Google-developed tool that automatically generates antivirus byte signatures from similar binaries for Yara and ClamAV detection engines.
A process scanning tool that detects and dumps malicious implants, shellcodes, hooks, and memory patches in running processes.
YARA module for supporting DCSO format bloom filters with hashlookup capabilities.
Analyse a forensic target to find and report files found and not found in hashlookup CIRCL public service.
VMCloak is a tool for creating and preparing Virtual Machines for Cuckoo Sandbox.
A Python 3 tool for analyzing XOR-encrypted data that can guess key lengths and decrypt XOR ciphers based on character frequency analysis.
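The key-length guessing and frequency-based key recovery that the entry above describes, as an added example written for this page (not the tool's own code). Each candidate key length splits the ciphertext into columns that share one key byte; the byte that makes a column look most like English is taken for each column, and the shortest length whose full decryption scores best wins. The character-frequency table, the 3-byte key and the English paragraph are assumptions constructed for the demonstration.

```python
"""Recover the key of a repeating-key XOR cipher from ciphertext alone:
score every candidate key length by how English-like the best per-column
decryption looks, then take the shortest length that scores best."""

# Approximate relative frequencies (percent) of common English characters.
# Space is the most frequent byte in ordinary text and the strongest signal.
ENGLISH_FREQ = {
    " ": 13.0, "e": 12.7, "t": 9.1, "a": 8.2, "o": 7.5, "i": 7.0, "n": 6.7,
    "s": 6.3, "h": 6.1, "r": 6.0, "d": 4.3, "l": 4.0, "u": 2.8, "c": 2.8,
    "m": 2.4, "w": 2.4, "f": 2.2, "g": 2.0, "y": 2.0, "p": 1.9, "b": 1.5,
}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def english_score(buf: bytes) -> float:
    score = 0.0
    for b in buf:
        if 32 <= b < 127:
            score += ENGLISH_FREQ.get(chr(b).lower(), 0.5)   # other printable: weak credit
        else:
            score -= 10.0      # control or high-bit byte: very unlikely in English text
    return score


def best_key_byte(column: bytes) -> int:
    """Single-byte key under which this column reads most like English."""
    return max(range(256), key=lambda k: english_score(bytes(b ^ k for b in column)))


def crack_repeating_xor(ciphertext: bytes, max_len: int = 12):
    """Return (key_length, key). Every multiple of the true length decrypts
    identically and therefore ties; strict '>' keeps the shortest one."""
    best = None  # (score, length, key)
    for length in range(1, max_len + 1):
        key = bytes(best_key_byte(ciphertext[i::length]) for i in range(length))
        score = english_score(xor_bytes(ciphertext, key))
        if best is None or score > best[0]:
            best = (score, length, key)
    return best[1], best[2]


# Constructed sample: an English paragraph under a 3-byte key.
PLAINTEXT = (
    b"the analyst reads the disk image sector by sector looking for traces of the intruder "
    b"who wiped the event logs and left only a packed binary and a short note in the temp "
    b"folder of the file server that nobody had patched since the summer audit of the "
    b"previous year when the same team found an open share full of password files and "
    b"warned the owners to rotate every credential before the attackers came back with a "
    b"stronger toolkit and a better plan for the long weekend in late august"
)
KEY = bytes([0x5A, 0xC3, 0x17])
CIPHERTEXT = xor_bytes(PLAINTEXT, KEY)

if __name__ == "__main__":
    length, key = crack_repeating_xor(CIPHERTEXT)
    print(f"key length {length}, key {key.hex()}")
    print(xor_bytes(CIPHERTEXT, key).decode())
```

Production tools usually rank key lengths first with a cheaper statistic (Hamming distance between blocks or the index of coincidence) and only then brute-force the columns; the scoring approach here trades that speed for a single, easy-to-audit criterion, and the character table should be swapped for one matching the expected plaintext language or file type.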
PINT is a PIN tool that enables Lua scripting for Intel's PIN dynamic instrumentation framework, allowing researchers to inject custom code during binary analysis processes.
Hyara is a plugin that simplifies writing YARA rules with various convenient features.
IDAPython plugin for generating Yara rules/patterns from x86/x86-64 code through parameterization.
A collection of Yara rules licensed under the DRL 1.1 License.
A collection of tools to debug and inspect Kubernetes resources and applications, managing the execution of eBPF programs and mapping kernel primitives to Kubernetes resources.
A discontinued disk imaging utility originally developed by Intel that used block map files for efficient disk image copying operations.
Easy-to-use live forensics toolbox for Linux endpoints with various capabilities such as process inspection, memory analysis, and YARA scanning.
A powerful tool for detecting and identifying malware using a rule-based system.
AMExtractor is an Android memory acquisition tool that dumps physical device memory using /dev/kmem without requiring kernel source code.
A tool for recovering files by scanning block devices and extracting them based on 'magic bytes' in file contents.
A collection of public YARA signatures for various malware families.
A tool for advanced HTTPD logfile security analysis and forensics, implementing various techniques to detect attacks against web applications.
Toolkit for performing acquisitions on iOS devices with logical and filesystem acquisition support.
Automatic YARA rule generator based on Koodous reports with limited false positives.
A Mac OS X computer forensics tool for analyzing system artifacts, user files, and logs with reputation verification and log aggregation capabilities.
A command-line tool that parses Google Protobuf encoded data without schema definitions and displays the content in a readable, colored format.
PLASMA is an interactive disassembler that generates readable assembly code with colored syntax for reverse engineering binary files across multiple architectures and formats.
A library for checking potentially malicious files and archives using YARA and making a decision about their harmfulness.
Recreates the File/Directory tree structure from an extracted $MFT file with detailed record mapping and analysis capabilities.
A declarative language for describing binary data structures that compiles into parsers for multiple programming languages.
Binsequencer automatically generates YARA detection rules by analyzing collections of similar malware samples and identifying common x86 instruction sequences across the corpus.
Python tool for remotely or locally dumping RAM of a Linux client for digital forensics analysis.
Create checkpoint snapshots of the state of running pods for later off-line analysis.
A Python library to interface with a cuckoo-modified instance.
MFT and USN parser for direct extraction in filesystem timeline format with YARA rule support.
Malware sandbox for executing malicious files in an isolated environment with advanced features.
Web interface for the Volatility Memory Analysis framework with advanced features.
Automated tool for parsing Windows registry hives and extracting valuable information for forensic analysis.
A tool that reads IP packets from the network or a tcpdump save file and writes an ASCII summary of the packet data.
A suite of console tools for working with timestamps in Windows with 100-nanosecond precision.
Laika BOSS is a scalable object scanner and intrusion detection system that extracts child objects, applies security flags, and generates metadata from files for security analysis.
A framework for orchestrating forensic collection, processing, and data export.
A Python-based engine for automatic creation of timelines in digital forensic analysis.
A tool for deep analysis of malicious files using ClamAV and YARA rules, with features like scoring suspect files, building visual tree graphs, and extracting specific patterns.
A package for hiding data inside jpeg files using steganography techniques.
A malware/botnet analysis framework with a focus on network analysis and process comparison.
A digital forensics tool that extracts and exports location database contents from iOS and macOS devices in KML or CSV formats.
Dump iOS Frequent Locations from StateModel#.archive files.
Python script to parse macOS MRU plist files into a human-friendly format.
A simple framework for extracting actionable data from Android malware.
Repository of automatically generated YARA rules from Malpedia's YARA-Signator with detailed statistics.
FLOSS is a static analysis tool that automatically extracts and deobfuscates hidden strings from malware binaries using advanced analysis techniques.
A digital forensics tool that extracts and analyzes Windows AppCompat and AmCache registry data for enterprise-scale forensic investigations.
A command-line tool for analyzing and extracting detailed information from Windows Portable Executable (PE) files.
A command-line tool that visually displays YARA rule matches, regex matches, and hex patterns in binary data with colored output and configurable context bytes.
A portable Rust-based tool for acquiring volatile memory from Linux systems without requiring prior knowledge of the target OS distribution or kernel.
A .NET wrapper for libyara that provides a simplified API for developing tools in C# and PowerShell.
A file analysis framework that automates the evaluation of files by running a suite of tools and aggregating the output.
VolatilityBot automates memory dump analysis by extracting executables, detecting code injections, and performing automated malware scanning using YARA and ClamAV.
IE10Analyzer can parse and recover records from WebCacheV01.dat, providing detailed information and conversion capabilities.
WinSearchDBAnalyzer can parse and recover records in Windows.edb, providing detailed insights into various data types.
Generate Yara rules from function basic blocks in x64dbg.
Drltrace is a dynamic API calls tracer for Windows and Linux applications.
A Python 2.x tool for memory analysis on Mac OS X systems with support for various OS versions and memory image export capabilities.
A decentralized network panic button that triggers emergency system shutdowns across networked machines via UDP broadcasts and HTTP to prevent cold boot attacks.
A multithreaded YARA scanner for incident response or malware zoos.
Ports GNU/Linux userland tools to Android's Bionic userland to give Android applications access to the kernel audit stream with minimal overhead.
YARA plugin for Sublime Text with syntax highlighting and snippets.
Hindsight is a free tool for analyzing web artifacts from Google Chrome/Chromium browsers and presenting the data in a timeline for forensic analysis.
Network Forensic Analysis Tool for deep network traffic inspection and analysis.
Binkit is a binary analysis tool that merged with DarunGrim and incorporates its analysis algorithms, currently in internal testing before official release.
CapTipper is a Python tool to analyze, explore, and revive malicious HTTP traffic.
A shell script for basic forensic collection of various artefacts from UNIX systems.
CyLR is a Live Response Collection tool for quickly and securely collecting forensic artifacts from hosts with NTFS file systems.
Embeddable Yara library for Java with support for loading rules and scanning data.
Interactive incremental disassembler with data/control flow analysis capabilities.
A user-friendly and fast Forensic Analysis tool with features like tagging files and generating preview reports.
A utility for splitting packet traces along TCP connection boundaries.
An IDA Pro plugin that uses YARA rules to automatically detect cryptographic constants and patterns in binary files during reverse engineering analysis.
BARF is an open source binary analysis framework for supporting various binary code analysis tasks in information security.
A collection of Mac OS X and iOS forensics resources with a focus on artifact collection and collaboration.
Pwndbg is a GDB plug-in that enhances the debugging experience for low-level software developers, hardware hackers, reverse-engineers, and exploit developers.
A modern tool for Windows kernel exploration and observability with a focus on security.
A command-line utility and Python package for mounting and unmounting various disk image formats with support for different volume systems and filesystems.
ELAT (Event Log Analysis Tool) is a tool that helps in analyzing Windows event logs for malware detection.
mXtract is a Linux-based tool for memory analysis and dumping with regex pattern search capabilities.
A tool that enables Yara rule execution against compressed malware samples, supporting GZip, BZip2, and LZMA formats without manual decompression.
A free, open source collection of tools for forensic artifact and image analysis.
A tool that uses Plaso to parse forensic artifacts and disk images, creating custom reports for easier analysis.
A wrapper around jNetPcap for packet capturing with Clojure, available for Linux and Windows.
A Vim syntax-highlighting plugin for YARA rules that supports versions up to v4.3 and provides enhanced code readability for malware analysts.
A C-based steganographic tool that hides files within WAV audio files using least significant bit encoding techniques.
Recoverjpeg is a tool for recovering JPEG images from damaged storage media.
Container of 200 Windows EVTX samples for testing detection scripts and training on DFIR.
A PowerShell-based DFIR automation tool that streamlines artifact and evidence collection from Windows machines for digital forensic investigations.
A multiplatform C++ library for capturing, parsing, and crafting network packets with support for various network protocols.
NotRuler is a tool for Exchange Admins to detect client-side Outlook rules and VBScript enabled forms, aiding in the detection of attacks created through Ruler.
An open source digital forensic tool for processing and analyzing digital evidence with high performance and multiplatform support.
A bash script for automating Linux swap analysis for post-exploitation or forensics purposes.
A high-performance digital forensics exploitation tool for extracting structured information from various inputs without parsing file system structures.
TCPFLOW is a tool for capturing data transmitted over TCP connections.
A command-line forensics tool for tracking and analyzing USB device artifacts and connection history on Linux systems.
A Golang application that stores and queries NIST NSRL Reference Data Set for MD5 and SHA1 hash lookups using Bolt database technology.
replayproxy allows you to 're-live' a HTTP session captured in a .pcap file, parsing HTTP streams, caching them, and starting a HTTP proxy to reply to requests with matching responses.
A modified version of Cuckoo Sandbox with enhanced features and capabilities.
A simple, self-contained modular host-based IOC scanner for incident responders.
C# wrapper around Yara pattern matching library with Loki and Yara signature support.
Android Loadable Kernel Modules for reversing and debugging on controlled systems/emulators.
MemLabs provides CTF-styled memory forensics challenges designed to teach students and security researchers how to analyze memory dumps using tools like Volatility.
ConventionEngine is a Yara rule collection that analyzes PE files by examining PDB paths for suspicious keywords, terms, and anomalies that may indicate malicious software.
A collection of Python scripts that automate tasks and extend IDA Pro disassembler functionality for reverse engineering workflows.
PowerGRR is a PowerShell API client library that automates GRR (Google Rapid Response) operations for digital forensics and incident response across multiple operating systems.
DECAF++ is a fast whole-system dynamic taint analysis framework with improved performance and elasticity.
Hide data in images while maintaining perceptual similarity and extract it from printed and photographed images.
Halogen automates the creation of YARA rules based on image files embedded in malicious documents to assist in threat detection and identification.
Strelka is a real-time, container-based file scanning system that performs file extraction and metadata collection at enterprise scale for threat hunting, detection, and incident response.
A Live Response collection script for Incident Response that automates the collection of artifacts from various Unix-like operating systems.
SIFT is a digital forensics toolkit that provides installation management, task execution, and machine image building capabilities for forensic investigations on Ubuntu systems.
A repository of YARA rules for identifying and classifying malware through pattern-based detection.
Open source security auditing tool to search and dump system configuration.
Compact C framework for analyzing suspected malware documents and detecting exploits and embedded executables.
View physical memory as files in a virtual file system for easy memory analysis and artifact access.
Emulates browser functionality to detect exploits targeting browser vulnerabilities.
Malscan is a tool to scan process memory for YARA matches and execute Python scripts.
Web-based tool for incident response with easy local installation using Docker.
Open Backup Extractor is an open source program for extracting data from iPhone and iPad backups.
pcapfex is a forensic tool that extracts files from packet capture data by analyzing network traffic and identifying embedded file content.
Binary analysis and management framework for organizing malware and exploit samples.
YARA is a tool for identifying and classifying malware samples based on textual or binary patterns.
Bitscout is a Bash-based live OS constructor tool for building customizable forensic environments used in remote system triage, malware hunting, and digital forensics investigations.
Recover event log entries from an image by heuristically looking for record structures.
An IDAPython script that generates YARA rules for basic blocks of the current function in IDA Pro, with automatic masking of relocation bytes and optional validation against file segments.
A pure Python parser for Windows Event Log (.evtx) files that enables cross-platform forensic analysis of Windows system events.
An open-source binary debugger for Windows with a comprehensive plugin system for malware analysis and reverse engineering.
A collection of Yara signatures for identifying malware and other threats.
Incident response and digital forensics tool for transforming data sources and logs into graphs.
A tool for fixing acquired .evt Windows Event Log files in digital forensics.
Syntax, indent, and filetype detection for YARA rule files with auto-indenting and error display in quickfix window.
mac_apt is a versatile DFIR tool for processing Mac and iOS images, offering extensive artifact extraction capabilities and cross-platform support.
A Python-based modular incident response tool for AWS environments that enables automated security actions across EC2, IAM, VPC, and other AWS resources.
A proof of concept for using the SSM Agent in Fargate for incident response.
AWS IR is a Python command line utility for automated incident response and mitigation of instance and key compromises in Amazon Web Services environments.
An AWS incident response framework that uses Athena to analyze CloudTrail events and EventBridge for notifications to investigate API activity and detect security misconfigurations.
A Python tool that analyzes AWS CloudTrail data to summarize IAM principal activities, API calls, regions, IP addresses, and user agents with configurable timeframes and visualization options.
Margarita Shotgun is a Python tool that enables remote memory acquisition from target systems through command line interface, supporting Linux distributions and other operating systems via Docker containers.
A Python module for orchestrating remote forensic data acquisition and analysis from Linux instances using Amazon SSM.
Review of various MFT parsers used in digital forensics for analyzing NTFS file systems.
A collection of Android Fakebank and Tizi samples for analyzing spyware on Android devices.
Andrew Case's personal page for research, software projects, and speaking events
A utility for recovering deleted files from ext3 or ext4 partitions.
Statistical renaming, Type inference, and Deobfuscation tool for JavaScript code.
Studying Android malware behaviors through Information Flow monitoring techniques.
HxD is a freeware hex editor and disk editor with advanced features for editing files, memory, and disks.
Network Dump data Displayer and Editor, a framework for manipulating tcpdump trace files.
netsniff-ng is a free Linux networking toolkit with zero-copy mechanisms for network development, analysis, and auditing.
A super-simple, modern framework for organizing and automating cybersecurity tasks.
A textmode sniffer for tracking tcp streams and capturing data in various modes.
A tool for extracting files from network traffic based on file signatures with support for various file formats and scalable search algorithm.
Hashes or encodes strings into various formats, including MD5, SHA-1, SHA-256, URL encoding, Base64, and Base85.
A standardized framework for describing and classifying cybersecurity incidents.
A PE/COFF file viewer that displays header, section, directory, import table, export table, and resource information within various file types.
A scalable python framework for security research and development teams.
Free tools for the CrowdStrike customer community to support their use of the Falcon platform.
Forensic imaging program with full hash authentication and various acquisition options.
A collection of binary tools for various purposes including linking, assembling, profiling, and more.
Revelo is an experimental Javascript deobfuscator tool with features to analyze and deobfuscate Javascript code.
A tool to verify the integrity of PNG, JNG, and MNG files and extract detailed information about the image.
Independent software vendor specializing in network security tools and network forensics.
Extracts resources (bitmaps, icons, cursors, AVI movies, HTML files, and more) from DLL files.
A freeware suite of tools for PE editing and process viewing, including CFF Explorer and Resource Editor.
A 32-bit assembler-level analyzing debugger for Microsoft Windows.
Digital investigation tool for extracting forensic data from computers and managing investigations.
SWFTools is a collection of utilities for working with Adobe Flash files, including tools for converting PDFs, images, audio, and video files to SWF format.
A forensic tool to find hidden processes and TCP/UDP ports by rootkits or other hidden techniques.
Powerful debugging tool with extensive features and extensions for memory dump analysis and crash dump analysis.
GUI-based memory forensic capture tool for cyber forensics and cyber crime investigation.
Universal hexadecimal editor for computer forensics, data recovery, and IT security.
Advanced computer forensics software with efficient features.
Explores malware interaction with Windows API and methods for detection and prevention.
Holistic malware analysis platform with interactive sandbox, static analyzer, and emulation capabilities.
A service that analyzes and visualizes security data to investigate potential security issues.
Belkasoft offers cybersecurity solutions, training, and tools for businesses, law enforcement, and academia.
A reliable end-to-end DFIR solution for boosting cyber incident response and forensics capacity.
Modern digital forensics and incident response platform with comprehensive tools.
Binary Ninja is an interactive decompiler, disassembler, debugger, and binary analysis platform with a focus on automation and a clean GUI.
A powerful tool for analyzing and visualizing system activity timelines.
A command-line tool for managing and analyzing Microsoft Forefront TMG and UAG configurations.
A toolkit for forensic analysis of network appliances with YARA decoding options and frame extraction capabilities.
Analyzes the WiFiConfigStore.xml file for digital forensics on Android devices.
Detect signed malware and track stolen code-signing certificates using osquery.
A report on detecting lateral movement through tracking event logs, updated to include analysis of various tools and commands used by attackers.
An HTTP proxy, monitor, and reverse proxy tool for viewing HTTP and SSL/HTTPS traffic.
A comprehensive Linux log analysis tool that streamlines the investigation of security incidents by extracting and organizing critical details from supported log files.
A reverse engineering framework with a focus on usability and code cleanliness.
A binary analysis platform for analyzing binary programs.