Digital Forensics and Incident Response (DFIR) tools for digital forensic analysis, evidence collection, malware analysis, and cyber incident investigation.
Browse 511 digital forensics and incident response tools
A script for extracting common Windows artifacts from source images and VSCs with detailed dependencies and usage instructions.
A command-line tool for extracting data from iOS mobile device backups created by iTunes on macOS systems.
Tool for live forensics acquisition on Windows systems, collecting artefacts for early compromise detection.
Binwalk is a firmware analysis tool that enables reverse engineering and extraction of embedded file systems and archives from firmware images.
A Hadoop library for reading and querying PCAP files.
A tool for signature analysis of RTF files to detect potentially unique parts and malicious documents.
CimSweep is a suite of CIM/WMI-based tools for incident response and hunting operations on Windows systems without the need to deploy an agent.
Python script to parse the NTFS USN Change Journal.
Browse and analyze iPhone/iPad backups with detailed file properties and various viewers.
Steganography brute-force utility with performance issues, deprecated in favor of stegseek.
A Forensic Framework for Skype with various investigative options.
A Cross-Platform Forensic Framework for Google Chrome that allows investigation of history, downloads, bookmarks, cookies, and provides a full report.
A framework/scripting tool to standardize and simplify the process of scripting favorite Live Acquisition utilities for Incident Responders.
FindYara is an IDA Python plugin that scans a binary with YARA rules and lets you jump directly to the matches.
A Go library for manipulating YARA rulesets, with the ability to programmatically change metadata, rule names, and more.
A deprecated digital forensics tool by Netflix that helped investigators scope compromises across AWS cloud instances by identifying behavioral differences and outliers during security incidents.
Fnord is a pattern extraction tool that analyzes obfuscated code using sliding window techniques to identify frequent byte sequences and generate experimental YARA rules for malware analysis.
Ghidra is an NSA-developed software reverse engineering framework that provides disassembly, decompilation, and analysis tools for examining compiled code across multiple platforms and processor architectures.
Tool for dumping memory from Android devices; it requires root access, and forensic soundness considerations apply.
A tool for creating compact Linux memory dumps compatible with popular debugging tools.
Yaraprocessor allows for scanning data streams in unique ways and dynamic scanning of payloads from network packet captures.
DMG2IMG converts Apple compressed DMG archives to standard HFS+ image files supporting zlib, bzip2, and LZFSE compression formats.
Orochi is a collaborative forensic memory dump analysis framework.
Dynamic binary analysis library with various analysis and emulation capabilities.
Common questions about Digital Forensics and Incident Response tools, selection guides, pricing, and comparisons.
Essential DFIR tools include: disk imaging and analysis (for examining file systems, deleted files, and artifacts), memory forensics (analyzing RAM for malware, credentials, and running processes), network forensics (capturing and analyzing packet data), log analysis and timeline reconstruction, and malware analysis (static and dynamic analysis of malicious files). Many investigators also use cloud-specific forensics tools for AWS/Azure/GCP.
Based on user ratings and community engagement on CybersecTools, the top-rated Digital Forensics and Incident Response tools are: