Digital Forensics and Incident Response (DFIR) tools for digital forensic analysis, evidence collection, malware analysis, and cyber incident investigation.
Browse 511 digital forensics and incident response tools
A .Net wrapper library for the native Yara library with interoperability and portability features.
BinaryAlert is an open-source serverless AWS pipeline that automatically scans files uploaded to S3 buckets with YARA rules and generates immediate alerts when malware is detected.
A modified version of GNU dd with added features like hashing and fast disk wiping.
A portable forensic tool that detects encrypted containers like Truecrypt and Veracrypt by analyzing file headers, block cipher patterns, and entropy without external dependencies.
A tool for tracking, scanning, and filtering yara files with distributed scanning capabilities.
A Mac OS X forensic utility for ensuring correct forensic procedures during disk imaging.
ALEAPP is a Python-based forensic tool for parsing Android logs, events, and protobuf data with both CLI and GUI interfaces.
A cybersecurity tool for collecting and analyzing forensic artifacts on live systems.
A tool for analyzing the Windows Recycle Bin INFO2 file.
A tool for parsing and extracting information from the Master File Table of NTFS file systems.
OSXCollector is a forensic evidence collection & analysis toolkit for OSX.
Windows event log fast forensics timeline generator and threat hunting tool.
Windows Event Log Analyzer with logon timeline generator and noise reduction for fast forensics.
A semi-automatic tool to generate YARA rules from virus samples.
A tool for restoring defocused and blurred images with various deconvolution techniques and fast processing capabilities.
A collection of YARA rules specifically designed for forensic investigations and malware analysis, providing pattern matching capabilities for files and memory dumps.
An OCaml Ctypes wrapper for the YARA matching engine that enables malware identification capabilities in OCaml applications.
An extensible network forensic analysis framework with deep packet analysis and plugin support.
UDcide is an Android malware analysis tool that detects and removes specific malicious behaviors from malware samples while preserving the binary for investigation purposes.
A collection of PowerShell modules for artifact gathering and reconnaissance of Windows-based endpoints.
Sysmon for Linux is a tool that monitors and logs system activity with advanced filtering to identify malicious activity.
Procmon for Linux is a reimagining of the classic Procmon tool from Windows, allowing Linux developers to trace syscall activity efficiently.
ZAT is a Python package that processes and analyzes Zeek network security data using data-science and streaming libraries such as Pandas, scikit-learn, Kafka, and Spark.
A network forensics tool for visualizing packet captures as network diagrams with detailed analysis.
Common questions about Digital Forensics and Incident Response tools, selection guides, pricing, and comparisons.
Essential DFIR tools include: disk imaging and analysis (for examining file systems, deleted files, and artifacts), memory forensics (analyzing RAM for malware, credentials, and running processes), network forensics (capturing and analyzing packet data), log analysis and timeline reconstruction, and malware analysis (static and dynamic analysis of malicious files). Many investigators also use cloud-specific forensics tools for AWS/Azure/GCP.
Based on user ratings and community engagement on CybersecTools, the top-rated Digital Forensics and Incident Response tools are: