Digital Forensics and Incident Response (DFIR) tools for digital forensic analysis, evidence collection, malware analysis, and cyber incident investigation.
Browse 511 digital forensics and incident response tools
Web interface for the Volatility Memory Forensics Framework
MalConfScan is a Volatility plugin for extracting configuration data of known malware and analyzing memory images.
Investigate malicious logons by visualizing and analyzing Windows Active Directory event logs with LogonTracer.
PowerForensics is a PowerShell digital forensics framework for hard drive forensic analysis.
A Yara ruleset designed to detect PHP shells and other webserver malware for malware analysis and threat detection.
Documentation project for Digital Forensics Artifact Repository
A community-sourced repository of digital forensic artifacts in YAML format.
iOSForensic is a Python tool for forensic analysis on iOS devices, extracting files, logs, SQLite3 databases, and .plist files into XML.
Exiv2 is a C++ library and command-line utility for reading, writing, deleting, and modifying Exif, IPTC, XMP, and ICC metadata in image files.
A command-line string extraction utility for digital forensics that supports ASCII and Unicode string extraction from files and directories with pattern matching and filtering capabilities.
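The string extraction described above, as an added example (not the listed tool's own code): it pulls printable ASCII runs and UTF-16LE runs (the encoding Windows binaries and memory images commonly hold) out of a byte buffer, records the offset and encoding of each hit, and then applies a regex filter the way an analyst would hunt for URLs or credentials. The sample buffer, the minimum length of 4 and the filter pattern are constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed sample buffer (not a real evidence file): a short header,
# an ASCII URL, a UTF-16LE path (as found in PE resources and memory),
# a 2-char run that must be dropped, and an ASCII credential string.
SAMPLE = (
    b"\x00\x01MZ\x90\x00"
    + b"http://example.invalid/payload.php\x00"
    + b"\xff\xfe"
    + "C:\\Users\\victim\\AppData\\run.exe".encode("utf-16-le")
    + b"\x00\x00"
    + b"ab"                      # shorter than min_len, must not appear
    + b"\x7f\x80password=Summer2024!\x00"
)

Hit = Tuple[int, str, str]  # (offset, encoding, text)


def extract_strings(data: bytes, min_len: int = 4) -> List[Hit]:
    """Return (offset, encoding, text) for every ASCII or UTF-16LE run of
    at least min_len printable characters, sorted by offset."""
    # Printable ASCII 0x20..0x7E; UTF-16LE is the same byte followed by NUL.
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)

    hits: List[Hit] = []
    for m in ascii_re.finditer(data):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    hits.sort(key=lambda h: h[0])
    return hits


def filter_strings(hits: List[Hit], pattern: str) -> List[Hit]:
    """Keep only hits whose decoded text matches the (case-insensitive) regex."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [h for h in hits if rx.search(h[2])]


def main() -> None:
    hits = extract_strings(SAMPLE)
    for off, enc, text in hits:
        print(f"0x{off:08x} {enc:8s} {text}")
    # Typical triage filter: URLs and credential-looking assignments.
    print("-- filtered --")
    for off, enc, text in filter_strings(hits, r"https?://|password="):
        print(f"0x{off:08x} {enc:8s} {text}")


if __name__ == "__main__":
    main()
```

Note that the UTF-16LE pattern anchors on a printable byte followed by NUL, so the ASCII strings in the same buffer are not reported twice, and a two-character run like `ab` is dropped by the minimum-length quantifier rather than by a second pass.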
FSF is a modular, recursive file scanning solution that enables analysts to extend the utility of Yara signatures and define actionable intelligence within a file.
wxHexEditor is a free cross-platform hex editor and disk editor for editing binary files, disk devices, and logical drives with data manipulation and checksum calculation features.
A Docker-based steganography analysis toolkit containing pre-installed tools and automated scripts for detecting and extracting hidden data from files, primarily designed for CTF challenges.
A collection of YARA rules designed to identify files containing sensitive information such as usernames, passwords, and credit card numbers for penetration testing and forensic analysis.
A digital investigation platform for parsing, searching, and visualizing evidence with advanced analytics capabilities.
DFIR ORC Documentation provides detailed instructions for setting up the build environment and deploying the tool.
RABCDAsm is a collection of utilities for ActionScript 3 assembly/disassembly and SWF file manipulation.
CrowdFMS is a CrowdStrike framework that automates malware sample collection from VirusTotal using YARA rule-based notifications and the Private API system.
A tool for validating and repairing Yara rules
An extended traceroute tool for CSIRT operators with advanced features.
Normalize, index, enrich, and visualize network capture data using Potiron.
An open source tool that generates YARA rules from installed software on running operating systems for efficient software identification in digital forensic investigations.
Common questions about Digital Forensics and Incident Response tools, selection guides, pricing, and comparisons.
Essential DFIR tools include: disk imaging and analysis (for examining file systems, deleted files, and artifacts), memory forensics (analyzing RAM for malware, credentials, and running processes), network forensics (capturing and analyzing packet data), log analysis and timeline reconstruction, and malware analysis (static and dynamic analysis of malicious files). Many investigators also use cloud-specific forensics tools for AWS/Azure/GCP.