Digital Forensics and Incident Response

Yaramod is a library for parsing YARA rules into AST and building new YARA rulesets with C++ programming interface.

A collection of PowerShell modules for artifact gathering and reconnaissance of Windows-based endpoints.

Yara module for Node.js

RABCDAsm is a collection of utilities for ActionScript 3 assembly/disassembly and SWF file manipulation.

A command-line tool for extracting data from iOS mobile device backups created by iTunes on macOS systems.

Timeliner is a digital forensics tool that rewrites mactime with an advanced expression engine for complex timeline filtering using BPF syntax.

Create checkpoint snapshots of the state of running pods for later off-line analysis.

DFIRTrack is an open source web application focused on incident response for handling major incidents with many affected systems, tracking system status, tasks, and artifacts.

A command-line tool that extracts detailed technical information, metadata, and checksums from JPEG image files with support for multiple output formats.

Web interface for the Volatility Memory Analysis framework with advanced features.

Strelka is a real-time, container-based file scanning system that performs file extraction and metadata collection at enterprise scale for threat hunting, detection, and incident response.

A Vim syntax-highlighting plugin for YARA rules that supports versions up to v4.3 and provides enhanced code readability for malware analysts.

Hoarder is a tool to collect and parse windows artifacts.

YARA module for supporting DCSO format bloom filters with hashlookup capabilities.

LiME is a Linux Memory Extractor tool for acquiring volatile memory from Linux and Linux-based devices, including Android, with features like full memory captures and minimal process footprint.

A de-obfuscator for M/o/Vfuscator, a notorious obfuscator, designed to reverse the effects of M/o/Vfuscator's obfuscation.

A freeware suite of tools for PE editing and process viewing, including CFF Explorer and Resource Editor.

Procmon for Linux is a reimagining of the classic Procmon tool from Windows, allowing Linux developers to trace syscall activity efficiently.

CimSweep is a suite of CIM/WMI-based tools for incident response and hunting operations on Windows systems without the need to deploy an agent.

In-depth threat intelligence reports and services providing insights into real-world intrusions, malware analysis, and threat briefs.

Custom built application for asynchronous forensic data presentation on an Elasticsearch backend, with upcoming features like Docker-based installation and new UI rewrite in React.

Yaraprocessor allows for scanning data streams in unique ways and dynamic scanning of payloads from network packet captures.

Powerful tool for searching and hunting through Windows forensic artefacts with support for Sigma detection rules and custom Chainsaw detection rules.

Tool for fingerprinting malware HTTP requests.