Digital Forensics and Incident Response

LiME is a Linux Memory Extractor tool for acquiring volatile memory from Linux and Linux-based devices, including Android, with features like full memory captures and minimal process footprint.

A de-obfuscator for M/o/Vfuscator, a notorious obfuscator, designed to reverse the effects of M/o/Vfuscator's obfuscation.

A freeware suite of tools for PE editing and process viewing, including CFF Explorer and Resource Editor.

Procmon for Linux is a reimagining of the classic Procmon tool from Windows, allowing Linux developers to trace syscall activity efficiently.

CimSweep is a suite of CIM/WMI-based tools for incident response and hunting operations on Windows systems without the need to deploy an agent.

In-depth threat intelligence reports and services providing insights into real-world intrusions, malware analysis, and threat briefs.

Custom built application for asynchronous forensic data presentation on an Elasticsearch backend, with upcoming features like Docker-based installation and new UI rewrite in React.

Yaraprocessor allows for scanning data streams in unique ways and dynamic scanning of payloads from network packet captures.

Powerful tool for searching and hunting through Windows forensic artefacts with support for Sigma detection rules and custom Chainsaw detection rules.

Tool for fingerprinting malware HTTP requests.

A yara module for searching strings inside zip files

A forensics toolkit for collecting digital evidence from Google Cloud Platform, Microsoft Azure, and Amazon Web Services during incident response investigations.

YARA is a tool for identifying and classifying malware samples based on textual or binary patterns.

pcapfex is a forensic tool that extracts files from packet capture data by analyzing network traffic and identifying embedded file content.

Andrew Case's personal page for research, software projects, and speaking events

A digital forensics tool that extracts and exports location database contents from iOS and macOS devices in KML or CSV formats.

Zui is a desktop application for data exploration and analysis that provides drag-and-drop data ingestion, automatic format detection, and interactive querying capabilities for structured and semi-structured data.

NotRuler is a tool for Exchange Admins to detect client-side Outlook rules and VBScript enabled forms, aiding in the detection of attacks created through Ruler.

Sysmon for Linux is a tool that monitors and logs system activity with advanced filtering to identify malicious activity.

Netcap efficiently converts network packets into structured audit records for machine learning algorithms, using Protocol Buffers for encoding.

A digital forensic tool for creating forensic images of computer hard drives and analyzing digital evidence.

Automated tool for parsing Windows registry hives and extracting valuable information for forensic analysis.

dynStruct is a tool for monitoring memory accesses of an ELF binary and recovering structures of the original code.

A command-line utility to show and change EXIF information in JPEG files