Explore 201 curated tools and resources
A GitHub repository for fuzzing and testing file formats
A command-line program for finding secrets and sensitive information in textual data and Git history.
A deserialization payload generator for .NET formatters
A security tool to identify interesting files in AWS S3 buckets
A collection of tools for extracting and analyzing information from .git repositories
A free, open-source tool that uncovers persistently installed software on macOS, helping to generically reveal malware.
A comprehensive malware-analysis tool that utilizes external AV scanners to identify malicious elements in binary files.
A collection of Yara rules for identifying malicious PEs with unique or suspicious PDB paths.
Embeddable Yara library for Java with support for loading rules and scanning data.
Yara rule generator using VirusTotal code similarity feature code-similar-to.
A modified version of GNU dd with added features like hashing and fast disk wiping.
Copy executables with execute, but no read permission on Unix systems.
YaraHunter scans container images, running Docker containers, and filesystems to find indicators of malware.
A threat intelligence domain/IP/hash threat feeds checker that checks IPVoid, URLVoid, Virustotal, and Cymon.
HxD is a freeware hex editor and disk editor with advanced features for editing files, memory, and disks.
A tool that scans a corpus of malware and builds a YARA rule to detect similar code sections.
A Python library for loading and executing Beacon Object Files (BOFs) in-memory.
A tool for analyzing Android applications in local storage with various functionalities.
A tool for triaging crash files with various output formats and debugging engine options.
A project providing open-source YARA rules for malware and malicious file detection
Stealing Signatures and Making One Invalid Signature at a Time.
Comprehensive suite for advanced file analysis and software supply chain security.
Verify scripts and executables to mitigate supply chain attacks.
MetaDefender Cloud offers advanced threat prevention using technologies like Multiscanning, Deep CDR, and Sandbox.
Generates shellcode that loads Windows payloads from memory and runs them with parameters.
Online platform for image steganography analysis
Ropper is a tool for analyzing binary files and searching for gadgets to build ROP chains for different architectures.
A command-line tool for creating hex dumps, converting between binary and human-readable representations, and patching binary files.
Online Java decompiler tool with support for modern Java features.
A tool for signature analysis of RTF files to detect potentially unique parts and malicious documents.
A Docker image with tools for solving Steganography challenges and screening scripts for analyzing files.
CapTipper is a Python tool to analyze, explore, and revive HTTP malicious traffic.
Tool to bypass endpoint solutions blocking known 'malicious' signed applications by obtaining valid signed files with different hashes.
A software reverse engineering framework with full-featured analysis tools and support for multiple platforms, instruction sets, and executable formats.
Python script to parse the NTFS USN Change Journal.
Binwalk is a tool for analyzing, reverse engineering, and extracting firmware images with security and Python 2.7 deprecation notices.
A forensics tool for tracking USB device artifacts on Linux machines.
A library to access and parse Windows NT Registry File (REGF) format.
Joe Sandbox Community provides automated cloud-based malware analysis across multiple OS platforms.
Yara mode for GNU Emacs to edit Yara related files
A collection of YARA rules for public use, built from intelligence profiles and file work.
A file search and query tool for ops and security experts.
PLASMA is an interactive disassembler with support for various architectures and formats, offering a Python API for scripting.
A modified version of Cuckoo Sandbox with enhanced features and capabilities.
Visually inspect regex matches in binary data/text with YARA and regular expressions, displaying matched bytes and surrounding context.
UDcide provides an alternative approach to dealing with Android malware by targeting specific behaviors for removal.
SWFTools is a collection of utilities for working with Adobe Flash files, including tools for converting PDFs, images, audio, and video files to SWF format.
Exiv2 is a C++ library and command-line utility for image metadata manipulation.
A portable volatile memory acquisition tool for Linux.
A report on detecting lateral movement through tracking event logs, updated to include analysis of various tools and commands used by attackers.
A tool for xor analysis to guess key length and key based on most frequent characters.
VxSig is a tool to automatically generate AV byte signatures from similar binaries.
A honeypot for malware that spreads via USB storage devices, detecting infections without further information.
IE10Analyzer can parse and recover records from WebCacheV01.dat, providing detailed information and conversion capabilities.
AMExtractor is an Android Memory Extractor tool.
Search engine for Windows executable files and hashes, providing insights into file prevalence, behavior, and security information.
A Mac OS X computer forensics tool for analyzing system artifacts, user files, and logs with reputation verification and log aggregation capabilities.
Java code implementing the AutoYara algorithm for automatic Yara rule generation from input samples.
yarAnalyzer creates statistics on a yara rule set and files in a sample directory, generating tables and CSV files, including an inventory feature.
Microservice for scanning files with Yara
A tool that executes programs in memory from various sources
A high-performance digital forensics exploitation tool for extracting structured information from various inputs without parsing file system structures.
steg86 is a format-agnostic steganographic tool for x86 and AMD64 binaries.
A Windows Registry hive extraction library that reads and writes Windows Registry 'hive' binary files.
FOCA is a tool used to find metadata and hidden information in scanned documents, with capabilities to analyze various file types and extract EXIF information.
A versatile steganography tool with various installation options and detailed usage instructions.
A collection of binary tools for various purposes including linking, assembling, profiling, and more.
Fnord is a pattern extractor for obfuscated code that extracts byte sequences and creates statistics, as well as generates experimental YARA rules.
Enhances the reading experience of smali code in Emacs.
Cybersecurity tool merging DarunGrim's analysis algorithms, currently in internal testing for official release.
An open source format for storing digital evidence and data, with a C/C++ library for creating, reading, and manipulating AFF4 images.
A serverless, real-time, and retroactive malware detection tool that scans files with YARA rules and alerts incident response teams.
Python forensic tool for extracting and analyzing information from Firefox, Iceweasel, and Seamonkey browsers.
A library and tools to access and manipulate VMware Virtual Disk (VMDK) files.
A library to access and parse OLE 2 Compound File (OLECF) format files.
Holistic malware analysis platform with interactive sandbox, static analyzer, and emulation capabilities.
Detects and handles potential malware in Microsoft Exchange 2019 messages with various techniques and third-party libraries.
A command-line utility and Python package for mounting and unmounting various disk image formats with support for different volume systems and filesystems.
A tool designed to extract additional value from enterprise-wide AppCompat / AmCache data
A tool to verify the integrity of PNG, JNG, and MNG files and extract detailed information about the image.
A tool for extracting IOCs from various input sources and converting them into JSON format.
A parsing tool for Yara Scan Service's JSON output file to help maximize benefits and automate parsing of Yara Scan Service results.
PLCinject is a tool for injecting and patching blocks on PLCs with a call instruction.
Analyse a forensic target to find and report files found and not found in hashlookup CIRCL public service.
Collection of Windows oneliners for executing arbitrary code and downloading remote payloads.
A library to access and parse the Microsoft Internet Explorer Cache File format.
A tool for breaking crypto and identifying weak cryptosystems, with a humorous name and a separate library called Cryptanalib.
A tool for recovering files by scanning block devices and extracting them based on 'magic bytes' in file contents.
Charlotte is an undetected C++ shellcode launcher for executing shellcode with stealth.
Tool for decompressing malware samples to run Yara rules against them.
A tool to extract indicators of compromise from security reports in PDF format.
FSquaDRA is a tool for detection of repackaged Android applications based on Jaccard similarity computation over digests of files.
A set of YARA rules for identifying files containing sensitive information
Collection of Yara rules for file identification and classification
ShadowCopy Analyzer is a tool for cybersecurity researchers to analyze and utilize the ShadowCopy technology for file recovery and system restoration.
SauronEye helps in identifying files containing sensitive data such as passwords through targeted directory searches.
A user-friendly and fast Forensic Analysis tool with features like tagging files and generating preview reports.
Analyzing WiFiConfigStore.xml file for digital forensics on Android devices.
Recover event log entries from an image by heuristically looking for record structures.
Malware sandbox for executing malicious files in an isolated environment with advanced features.
A simple IOC scanner bash script for Linux/Unix/OSX systems
A library for checking potentially malicious files and archives using YARA and making a decision about their harmfulness.
A network-based panic button to overwrite LUKS header and shutdown the computer in emergencies, making data recovery impossible.
iOS Mobile Backup Xtractor tool for extracting iOS backups.
A command-line tool for extracting detailed information from JPEG files, including image dimensions, compression, and metadata.
Real-time, container-based file scanning system for threat hunting and incident response.
Vim syntax-highlighting plugin for YARA rules with support up to v4.3.
Hoarder is a tool to collect and parse Windows artifacts.
A freeware suite of tools for PE editing and process viewing, including CFF Explorer and Resource Editor.
A yara module for searching strings inside zip files
Comprehensive cheat sheet for SQLite SQL injection techniques and payloads.
YARA is a tool for identifying and classifying malware samples based on textual or binary patterns.
A tool for extracting files from packet capture files with ease of use and extensibility for Python developers.
A command-line utility to show and change EXIF information in JPEG files
A command-line tool for searching and extracting strings from files with various options like ASCII and Unicode string search.
Object scanning system with scalable and flexible architecture for intrusion detection.
Web-based tool for browsing mobile applications sandbox and previewing SQLite databases.
A pure Python parser for Windows Event Log files with access to File and Chunk headers, record templates, and event entries.
FSF is a modular, recursive file scanning solution that enables analysts to extend the utility of Yara signatures and define actionable intelligence within a file.
A tool for building and installing PhoneyC with optional Python version configuration and root privileges.
A command line tool for running SQL queries on PCAP files with various output options and a simplistic web-server.
A VMware image for penetration testing purposes
A full Python tool for analyzing Android files with various functionalities.
A new age tool for binary analysis that uses statistical visualizations to help find patterns in large amounts of binary data.
A static analysis framework for extracting key characteristics from various file formats
A tool for reading Portable Executable (PE) files with detailed information about the file structure.
A tool for parsing Google Protobuf encoded blobs without the accompanying definition, providing a colored representation of the contents.
A tool for creating compact Linux memory dumps compatible with popular debugging tools.
Official repository of YARA rules for threat detection and hunting
A tool for reverse engineering Android apk files.
Bmaptool is a project no longer maintained by Intel, users are advised to create their own fork for ongoing use.
A static analysis tool for PE files that detects malicious behavior and provides information for manual analysis.
Yara pattern matching tool for forensic investigations with predefined rules for magic headers in files and raw images.
A modular tool for collecting intelligence sources for files and outputting in CSV format.
A PE/COFF file viewer that displays header, section, directory, import table, export table, and resource information within various file types.
A static code analysis tool for parsing common data formats to detect hardcoded credentials and dangerous functions.
LOKI is a simple IOC and YARA Scanner for Indicators of Compromise Detection.
UPX is a high-performance executable packer for various executable formats.
A PowerShell module for interacting with VirusTotal to analyze suspicious files and URLs.
A tool for deep analysis of malicious files using ClamAV and YARA rules, with features like scoring suspect files, building visual tree graphs, and extracting specific patterns.
Checksec is a bash script to check the properties of executables like PIE, RELRO, Canaries, ASLR, Fortify Source.
A collection of Yara rules for the Burp Yara-Scanner extension to identify malicious software on websites.
StringSifter is a machine learning tool for automatically ranking strings for malware analysis.
A PoC tool for generating Excel files with embedded macros without using Excel.
A Rust-based command-line tool for analyzing .apk files to detect vulnerabilities.
TestDisk checks disk partitions and recovers lost partitions, while PhotoRec specializes in recovering lost pictures from digital camera memory or hard disks.
Krakatau provides an assembler and disassembler for Java bytecode, supporting conversion, creation, examination, comparison, and decompilation of Java binaries.
A tool to locally check for signs of a rootkit with various checks and tests.
A command-line utility for examining Objective-C runtime information in Mach-O files and generating class declarations.
Tool for analyzing Windows Recycle Bin INFO2 file
Standalone graphical utility for viewing Java source code from ".class" files.
Falcon Sandbox is a malware analysis framework that provides in-depth static and dynamic analysis of files, offering hybrid analysis, behavior indicators, and integrations with various security tools.
A free endpoint security tool for host investigative capabilities to find signs of malicious activity through memory and file analysis.
Valkyrie is a sophisticated file verdict system that enhances malware detection through behavioral analysis and extensive file feature examination.
A console program for file recovery through data carving.
Scans running processes for potentially malicious implants and dumps them.
A library to access and read QEMU Copy-On-Write (QCOW) image file formats with support for zlib compression and AES-CBC encryption.
RetDec is a versatile machine-code decompiler with support for various file formats and architectures.
Advanced threat prevention and detection platform leveraging Deep CDR, Multiscanning, and Sandbox technologies to protect against data breaches and ransom attacks.
A library and tools for accessing and analyzing Linux Logical Volume Manager (LVM) volume system format.
A command-line utility for extracting human-readable text from binary files.
A tool for malware analysts to search through base64-encoded samples and generate yara rules.
An Open Source solution for management of Threat Intelligence at scale, integrating multiple analyzers and malware analysis tools.
A tool for detecting capabilities in executable files, providing insights into a program's behavior and potential malicious activities.
Inceptor is a template-driven framework for evading Anti-Virus and Endpoint Detection and Response solutions, allowing users to create custom evasion techniques and test their security controls.
Kaitai Struct is a declarative language for describing binary data structures.
Red October is a software-based two-man rule style encryption and decryption server.
A medium interaction printer honeypot that simulates a standard networked printer
Emulates browser functionality to detect exploits targeting browser vulnerabilities.
Truehunter is a tool designed to detect encrypted containers with a focus on Truecrypt and Veracrypt, utilizing a fast and memory efficient approach.
Generate a variety of suspect actions detected by Falco rulesets.
A Cross-Platform Forensic Framework for Google Chrome that allows investigation of history, downloads, bookmarks, cookies, and provides a full report.
Leading open source automated malware analysis system.
Steganography brute-force utility with performance issues, deprecated in favor of stegseek.
Open source tool for generating YARA rules about installed software from a running OS.
Detect and warn about potential malicious behaviors in Android applications through static analysis.
Automatically create yara rules based on images embedded in office documents.
Compact C framework for analyzing suspected malware documents and detecting exploits and embedded executables.
WinSearchDBAnalyzer can parse and recover records in Windows.edb, providing detailed insights into various data types.
FLARE Obfuscated String Solver (FLOSS) automatically extracts and deobfuscates strings from malware binaries using advanced static analysis techniques.
A file analysis framework that automates the evaluation of files by running a suite of tools and aggregating the output.
Fernflower is an analytical decompiler for Java with command-line options and support for external classes.
wxHexEditor is a free hex editor / disk editor with various data manipulation operations and visualization functionalities.
de4dot is a .NET deobfuscator and unpacker with the ability to restore packed and obfuscated assemblies to their original form.
Repository of TRISIS/TRITON/HatMan malware samples and decompiled sources targeting ICS Triconex SIS controllers.
Blazingly fast Yara queries for malware analysts with an analyst-friendly web GUI.
Browse and analyze iPhone/iPad backups with detailed file properties and various viewers.
Universal hexadecimal editor for computer forensics, data recovery, and IT security.
Extracts resources (bitmaps, icons, cursors, AVI movies, HTML files, and more) from DLL files.
A tool designed to handle archive file data and augment Yara's capabilities.
PinCTF is a tool for using Intel's Pin Tool to instrument reverse engineering binaries and count instructions.
DumpsterDiver is a tool for analyzing big volumes of data to find hardcoded secrets like keys and passwords.
Tool for parsing NTFS journal files, $Logfile, and $MFT.
Chaosreader is a tool for ripping files from network sniffing dumps and replaying various protocols and file transfers.
Open Source Intelligence solution for threat intelligence data enrichment and quick analysis of suspicious files or malware.
Detect capabilities in executable files and identify potential behaviors.
Fabric Platform is a cybersecurity reporting solution that automates and standardizes report generation, offering a private-cloud platform, open-source tools, and community-supported templates.
Wiz Cloud Security Platform is a cloud-native security platform that enables security, dev, and devops to work together in a self-service model, detecting and preventing cloud security threats in real-time.
Adversa AI is a cybersecurity company that provides solutions for securing and hardening machine learning, artificial intelligence, and large language models against adversarial attacks, privacy issues, and safety incidents across various industries.