Digital Forensics and Incident Response (DFIR) tools for digital forensic analysis, evidence collection, malware analysis, and cyber incident investigation.
Browse 511 digital forensics and incident response tools
A tool for extracting files from network traffic based on file signatures, with support for various file formats and a scalable search algorithm.
A textmode sniffer for tracking TCP streams and capturing data in various modes.
Tool for parsing NTFS journal files, $Logfile, and $MFT.
netsniff-ng is a free Linux networking toolkit with zero-copy mechanisms for network development, analysis, and auditing.
Network Dump data Displayer and Editor framework for manipulating tcpdump trace files.
A command-line utility to show and change EXIF information in JPEG files.
Statistical renaming, Type inference, and Deobfuscation tool for JavaScript code.
A console program for file recovery through data carving.
A utility for recovering deleted files from ext3 or ext4 partitions.
Andrew Case's personal page for research, software projects, and speaking events.
A collection of Android Fakebank and Tizi samples for analyzing spyware on Android devices.
Review of various MFT parsers used in digital forensics for analyzing NTFS file systems.
A Python module for orchestrating remote forensic data acquisition and analysis from Linux instances using Amazon SSM.
Margarita Shotgun is a Python tool that enables remote memory acquisition from target systems through a command-line interface, supporting Linux distributions and other operating systems via Docker containers.
A Python tool that analyzes AWS CloudTrail data to summarize IAM principal activities, API calls, regions, IP addresses, and user agents with configurable timeframes and visualization options.
An AWS incident response framework that uses Athena to analyze CloudTrail events and EventBridge for notifications to investigate API activity and detect security misconfigurations.
AWS IR is a Python command line utility for automated incident response and mitigation of instance and key compromises in Amazon Web Services environments.
A proof of concept for using the SSM Agent in Fargate for incident response.
A Python-based modular incident response tool for AWS environments that enables automated security actions across EC2, IAM, VPC, and other AWS resources.
mac_apt is a versatile DFIR tool for processing Mac and iOS images, offering extensive artifact extraction capabilities and cross-platform support.
Syntax highlighting, indentation, and filetype detection for YARA rule files, with auto-indenting and error display in the quickfix window.
A tool for fixing acquired .evt Windows Event Log files in digital forensics.
Incident response and digital forensics tool for transforming data sources and logs into graphs.
A collection of YARA signatures for identifying malware and other threats.
Common questions about Digital Forensics and Incident Response tools, selection guides, pricing, and comparisons.
Essential DFIR tools include: disk imaging and analysis (for examining file systems, deleted files, and artifacts), memory forensics (analyzing RAM for malware, credentials, and running processes), network forensics (capturing and analyzing packet data), log analysis and timeline reconstruction, and malware analysis (static and dynamic analysis of malicious files). Many investigators also use cloud-specific forensics tools for AWS/Azure/GCP.