Digital Forensics and Incident Response (DFIR) tools for digital forensic analysis, evidence collection, malware analysis, and cyber incident investigation.
Browse 511 digital forensics and incident response tools
FIR is a Python-based cybersecurity incident management platform designed for CSIRTs, CERTs, and SOCs to create, track, and report security incidents.
A system for abuse and incident handling with log file analysis capabilities.
CIRTKit is a DFIR console built on the Viper Framework that integrates various forensic tools and provides modules for packet analysis, memory analysis, and automated incident response workflows.
A Python wrapper for the Libemu library that enables shellcode analysis and malicious code examination through programmatic interfaces.
Zui is a desktop application for data exploration and analysis that provides drag-and-drop data ingestion, automatic format detection, and interactive querying capabilities for structured and semi-structured data.
Chaosreader is a tool for ripping files from network sniffing dumps and replaying various protocols and file transfers.
A tool for processing compiled YARA rules in IDA.
A GNU Emacs editor mode that provides syntax highlighting, indentation, and language server integration for editing YARA rule files.
Custom-built application for asynchronous forensic data presentation on an Elasticsearch backend; upcoming features include Docker-based installation and a UI rewrite in React.
AfterGlow Cloud is a Django-based web application that allows users to upload data and generate graph visualizations through a browser interface.
Template-based incident response runbooks for AWS environments following NIST guidelines to help organizations handle common cloud security incidents.
Yaramod is a library for parsing YARA rules into AST and building new YARA rulesets with C++ programming interface.
RetDec is an LLVM-based decompiler that converts machine code from various architectures and file formats back into readable C-like source code for reverse engineering and malware analysis.
A framework for accumulating, describing, and classifying actionable incident response techniques.
An open collection of Android malware samples (298 samples at the time of listing); contributions are welcome.
Open-source computer forensics platform with a modular design for easy automation and scripting.
A disassembly framework with support for multiple hardware architectures and a clean API.
dynStruct is a tool for monitoring memory accesses of an ELF binary and recovering structures of the original code.
ShadowCopy Analyzer is a tool for security researchers to analyze Windows Volume Shadow Copy (VSS) snapshots for file recovery and system restoration.
A Python script for scanning data within an IDA database (IDB) using YARA.
Steganographic Swiss army knife for encoding and decoding data into images.
Timeliner is a digital forensics tool that reimplements mactime with an expression engine for filtering timelines using BPF-style syntax.
RegRippy is a modern Python 3 alternative to RegRipper for extracting data from Windows registry hives.
Common questions about Digital Forensics and Incident Response tools, selection guides, pricing, and comparisons.
Essential DFIR tools include: disk imaging and analysis (for examining file systems, deleted files, and artifacts), memory forensics (analyzing RAM for malware, credentials, and running processes), network forensics (capturing and analyzing packet data), log analysis and timeline reconstruction, and malware analysis (static and dynamic analysis of malicious files). Many investigators also use cloud-specific forensics tools for AWS/Azure/GCP.