Digital Forensics and Incident Response

Syntax, indent, and filetype detection for YARA rule files with auto-indenting and error display in quickfix window.

A new age tool for binary analysis that uses statistical visualizations to help find patterns in large amounts of binary data.

Open source security auditing tool to search and dump system configuration.

A Hadoop library for reading and querying PCAP files

A static analysis framework for extracting key characteristics from various file formats

Go bindings for YARA with installation and build instructions.

A command-line tool for analyzing and extracting detailed information from Windows Portable Executable (PE) files.

A digital artifact extraction framework for extracting data from volatile memory (RAM) samples, providing visibility into the runtime state of a system.

A command-line tool that parses Google Protobuf encoded data without schema definitions and displays the content in a readable, colored format.

POFR is a Linux forensic data collection system that captures process execution, file access, and network activity for incident response and compliance analysis.

A tool for creating compact Linux memory dumps compatible with popular debugging tools.

A tool to remove malicious artifacts from Microsoft Office documents, preventing malware infections and data breaches.

A forensic tool to find hidden processes and TCP/UDP ports by rootkits or other hidden techniques.

A Python wrapper for the Libemu library that enables shellcode analysis and malicious code examination through programmatic interfaces.

FIR is a Python-based cybersecurity incident management platform designed for CSIRTs, CERTs, and SOCs to create, track, and report security incidents.

Open source Python library for NTFS analysis

A tool that generates Yara rules for strings and their XOR encoded versions, as well as base64-encoded variations with different padding possibilities.

A discontinued disk imaging utility originally developed by Intel that used block map files for efficient disk image copying operations.

A static analysis tool for PE files that identifies potential malicious indicators through compiler detection, packing analysis, signature matching, and suspicious string identification.

A Windows context menu integration tool that scans files and folders for malware patterns, crypto signatures, and malicious documents using Yara rules and PEID signatures.

A collection of YARA rules specifically designed for forensic investigations and malware analysis, providing pattern matching capabilities for files and memory dumps.

CIRTKit is a DFIR console built on the Viper Framework that integrates various forensic tools and provides modules for packet analysis, memory analysis, and automated incident response workflows.

A PE/COFF file viewer that displays header, section, directory, import table, export table, and resource information within various file types.

A library to access FileVault Drive Encryption (FVDE) encrypted volumes on Mac OS X systems.