Digital Forensics and Incident Response (DFIR) tools for digital forensic analysis, evidence collection, malware analysis, and cyber incident investigation.
Browse 511 digital forensics and incident response tools
An open-source binary debugger for Windows with a comprehensive plugin system for malware analysis and reverse engineering.
A pure Python parser for Windows Event Log (.evtx) files that enables cross-platform forensic analysis of Windows system events.
Recover event log entries from an image by heuristically looking for record structures.
YARA syntax highlighting for Gtk-based text editors.
Standalone SIGMA-based detection tool for EVTX, Auditd, Sysmon for Linux, XML or JSONL/NDJSON logs.
Bitscout is a Bash-based live OS constructor tool for building customizable forensic environments used in remote system triage, malware hunting, and digital forensics investigations.
Binary analysis and management framework for organizing malware and exploit samples.
pcapfex is a forensic tool that extracts files from packet capture data by analyzing network traffic and identifying embedded file content.
Open Backup Extractor is an open source program for extracting data from iPhone and iPad backups.
Web-based tool for incident response with easy local installation using Docker.
Malscan is a tool to scan process memory for YARA matches and execute Python scripts.
Emulates browser functionality to detect exploits targeting browser vulnerabilities.
View physical memory as files in a virtual file system for easy memory analysis and artifact access.
Compact C framework for analyzing suspected malware documents and detecting exploits and embedded executables.
Open source security auditing tool to search and dump system configuration.
SIFT is a digital forensics toolkit that provides installation management, task execution, and machine image building capabilities for forensic investigations on Ubuntu systems.
A Live Response collection script for Incident Response that automates the collection of artifacts from various Unix-like operating systems.
Strelka is a real-time, container-based file scanning system that performs file extraction and metadata collection at enterprise scale for threat hunting, detection, and incident response.
Halogen automates the creation of YARA rules based on image files embedded in malicious documents to assist in threat detection and identification.
Hide data in images while maintaining perceptual similarity and extract it from printed and photographed images.
DECAF++ is a fast whole-system dynamic taint analysis framework with improved performance and elasticity.
PowerGRR is a PowerShell API client library that automates GRR (Google Rapid Response) operations for digital forensics and incident response across multiple operating systems.
Common questions about Digital Forensics and Incident Response tools, selection guides, pricing, and comparisons.
Essential DFIR tools include: disk imaging and analysis (for examining file systems, deleted files, and artifacts), memory forensics (analyzing RAM for malware, credentials, and running processes), network forensics (capturing and analyzing packet data), log analysis and timeline reconstruction, and malware analysis (static and dynamic analysis of malicious files). Many investigators also use cloud-specific forensics tools for AWS/Azure/GCP.