Digital Forensics and Incident Response (DFIR) tools for digital forensic analysis, evidence collection, malware analysis, and cyber incident investigation.
Browse 511 digital forensics and incident response tools
A collection of Python scripts that automate tasks and extend IDA Pro disassembler functionality for reverse engineering workflows.
Android Loadable Kernel Modules for reversing and debugging on controlled systems/emulators.
A YARA module for searching strings inside zip files.
C# wrapper around Yara pattern matching library with Loki and Yara signature support.
Passive SSL client fingerprinting tool using handshake analysis.
A simple, self-contained modular host-based IOC scanner for incident responders.
replayproxy allows you to 're-live' an HTTP session captured in a .pcap file, parsing HTTP streams, caching them, and starting an HTTP proxy that replies to requests with the matching captured responses.
A Golang application that stores and queries NIST NSRL Reference Data Set for MD5 and SHA1 hash lookups using Bolt database technology.
A command-line forensics tool for tracking and analyzing USB device artifacts and connection history on Linux systems.
TCPFLOW is a tool for capturing data transmitted over TCP connections.
A high-performance digital forensics exploitation tool for extracting structured information from various inputs without parsing file system structures.
A bash script for automating Linux swap analysis for post-exploitation or forensics purposes.
An open source digital forensic tool for processing and analyzing digital evidence with high performance and multiplatform support.
NotRuler is a tool for Exchange Admins to detect client-side Outlook rules and VBScript enabled forms, aiding in the detection of attacks created through Ruler.
A multiplatform C++ library for capturing, parsing, and crafting network packets with support for various network protocols.
A PowerShell-based DFIR automation tool that streamlines artifact and evidence collection from Windows machines for digital forensic investigations.
A container of PCAP captures mapped to the relevant attack tactic.
Container of 200 Windows EVTX samples for testing detection scripts and training on DFIR.
Recoverjpeg is a tool for recovering JPEG images from damaged storage media.
A C-based steganographic tool that hides files within WAV audio files using least significant bit encoding techniques.
A Vim syntax-highlighting plugin for YARA rules that supports versions up to v4.3 and provides enhanced code readability for malware analysts.
A wrapper around jNetPcap for packet capturing with Clojure, available for Linux and Windows.
A tool that uses Plaso to parse forensic artifacts and disk images, creating custom reports for easier analysis.
A free, open source collection of tools for forensic artifact and image analysis.
Common questions about Digital Forensics and Incident Response tools, selection guides, pricing, and comparisons.
Essential DFIR tools include: disk imaging and analysis (for examining file systems, deleted files, and artifacts), memory forensics (analyzing RAM for malware, credentials, and running processes), network forensics (capturing and analyzing packet data), log analysis and timeline reconstruction, and malware analysis (static and dynamic analysis of malicious files). Many investigators also use cloud-specific forensics tools for AWS/Azure/GCP.