DFIR Tools
Digital Forensics and Incident Response (DFIR) is a critical aspect of cybersecurity that involves the investigation of cyber incidents, collection of digital evidence, and response to threats. Here is a list of essential tools used by DFIR professionals to enhance their capabilities in dealing with security incidents:
tip
If you are accessing from your laptop/desktop , click on the right sidebar → for accessing each section easily →→→→→
Threat Intel
| WEBSITE | DESCRIPTION |
|---|---|
| PhishTool | Forensic email analysis & incident response |
| OTX Endpoint Security™ | OTX Endpoint Security™ is a free threat-scanning service in OTX. It allows you to quickly identify malware and other threats by scanning your endpoints for the presence of IOCs catalogued in OTX. It’s free and simple to get started. |
| Abuse.ch | abuse.ch's main goal is to identify and track cyber threats, with a strong focus on malware and botnets. We not only publish actionable threat intelligence data on cyber threats but also develop and operate platforms for IT security researchers and experts enabling them sharing relevant threat intel data with the community. |
| Parse a User Agent | Parse a User Agent String |
| urlscan.io | A sandbox for the web |
| File Scan | FileScan.IO is a free malware analysis service that offers rapid in-depth file assessments, threat intelligence and indicator of compromise (IOCs) extraction for a wide range of executable files, documents and scripts. |
| Jotti's malware scan | Jotti's malware scan is a free service that lets you scan suspicious files with several anti-virus programs. You can submit up to 5 files at the same time. There is a 250MB limit per file. Please be aware that no security solution offers 100% protection, not even when it uses several anti-virus engines. All files are shared with anti-virus companies so detection accuracy of their anti-virus products can be improved. |
| USB ID DATABASE | Search for USB devices with Vendor ID, Product ID and/or Name |
| BlackList Alert | We just offer this free lookup service to you. We can not remove you from any list. |
| IBM XForce | IBM X-Force Exchange is a threat intelligence sharing platform enabling research on security threats, aggregation of intelligence |
| PaloAlto URL check | Test A Site |
| Aliienvault IP Lookup | The World’s First Truly Open Threat Intelligence Community |
| DNS Analytics | The ultimate online investigation tool |
| AbuseDP | making the internet safer, one IP at a time |
| BrightCloud Threat Intelligence | Enter a URL or IP address to view threat, content and reputation analysis. |
| Cisco Talos Blog | Cisco Talos Blog |
Frameworks Toolkits and VM
| TOOLS | DESCRIPTION |
|---|---|
| SANS SIFTWorkstation | The SIFT Workstation is a collection of free and open-source incident response and forensic tools designed to perform detailed digital forensic examinations in a variety of settings |
| SOF-ELK VM (Network Analysis) | SOF-ELK® is a “big data analytics” platform focused on the typical needs of computer forensic investigators/analysts and information security operations personnel |
| REMnux VM (Malware Analysis) | REMnux® is a Linux toolkit for reverse-engineering and analyzing malicious software |
| Kali Linux | Kali Linux is an open-source, Debian-based Linux distribution geared towards various information security tasks, such as Penetration Testing, Security Research, Computer Forensics and Reverse Engineering. |
| Slingshot | Slingshot is an Ubuntu-based Linux distribution with the MATE Desktop Environment built for use in the SANS penetration testing curriculum and beyond |
| Forensic Toolkit FTK | FTK® Forensic Toolkit. The Gold Standard in Digital Forensics For Over 15 Years |
| The Sleuth Kit & Autopsy | Open Source Digital Forensics |
| EnCase | Close cases quickly with reliable digital forensic investigation results |
| C.A.I.N.E (Computer Aided INvestigative Environment) | CAINE (Computer Aided INvestigative Environment) is an Italian GNU/Linux live distribution created as a Digital Forensics project |
| CyberTriage | Cyber Triage is automated Digital Forensics and Incident Response (DFIR) software that allows cybersecurity professionals like you to quickly answer intrusion questions related to Malware,Ransomware and Account Takeover |
| Belkasoft Evidence Center | Belkasoft X (Belkasoft Evidence Center X) is a flagship tool by Belkasoft for computer, mobile and cloud forensics. |
| Nirsoft Forensics Tool List | list of NirSoft utilities which have the ability to extract data and information from external hard-drive, and with a small explanation about how to use them with external drive. |
| Eric Zimmerman Tool List | Tools from Eric Zimmerman |
| Bento Portable Forensics toolkit | Bento is a portable toolkit designed for live forensics and incident response activities. |
| Nirsoft Portable Forensics toolkit | NirLauncher is a package of more than 200 portable freeware utilities for Windows, all of them developed for NirSoft Web site during the last few years. |
| SANS Free Tool Lists (PDF) | SANS Instructors have built more than 150 open source tools that support your work and help you implement better security. Search the lists on the following pages for the free tools that will help you get the job done. |
| Sysinternal tools download | Whether you’re an IT Pro or a developer, you’ll find Sysinternals utilities to help you manage, troubleshoot and diagnose your Windows systems and applications. |
| Malware Tools & Resources | Malware, IR - Tools & Resources |
| OS Forensics | Extract forensic data from computers, quicker and easier than ever. |
Network Analysis Tools
| TOOLS | DESCRIPTION |
|---|---|
| Wireshark | Wireshark is the world’s foremost and widely-used network protocol analyzer. It lets you see what’s happening on your network at a microscopic level and is the standard across many commercial and non-profit enterprises, government agencies, and educational institutions |
| Network Miner | NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files. |
| Packet Total | Simple,Free ,High-quality PCAP analysis tool |
Powershell IR Tools
| TOOLS | DESCRIPTION |
|---|---|
| DeepBlueCLI | DeepBlueCLI - a PowerShell Module for Threat Hunting via Windows Event Logs |
| Kansa | A modular incident response framework in Powershell. |
| ARTHIR | ATT&CK Remote Threat Hunting Incident Response |
Logs Analysis Tools
| TOOLS | DESCRIPTION |
|---|---|
| Event Log Explorer | Event Log Explorer is an effective software solution for viewing, analyzing and monitoring events recorded in Microsoft Windows event logs. Event Log Explorer greatly simplifies and speeds up the analysis of event logs (security, application, system, setup, directory service, DNS and others). |
| Log Parser | Log parser is a powerful, versatile tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows® operating system such as the Event Log, the Registry, the file system, and Active Directory®. |
| Evtx Explorer/EvtxECmd | Event log (evtx) parser with standardized CSV, XML, and json output! Custom maps, locked file support, and more! |
Forensics Analysis Tools
| TOOLS | DESCRIPTION |
|---|---|
| DensityScout - Density check | DensityScout calculates density (like entropy) for files of any file-system-path to finally output an accordingly descending ordered list. This makes it possible to quickly find (even unknown) malware on a potentially infected Microsoft Windows driven machine. |
| Exiftool | ExifTool is a platform-independent Perl library plus a command-line application for reading, writing and editing meta information in a wide variety of files. |
| PEscan | pescan is a command line tool to scan portable executable (PE) files to identify how they were constructed |
| Sigcheck | Sigcheck is a command-line utility that shows file version number, timestamp information, and digital signature details, including certificate chains. It also includes an option to check a file’s status on VirusTotal, a site that performs automated file scanning against over 40 antivirus engines, and an option to upload a file for scanning. |
| Log2Timeline | Plaso or super timeline all the things, is a Python-based engine used by several tools for automatic creation of timelines. Plaso default behavior is to create super timelines but it also supports creating more targeted timelines. |
| LOG-MD | The Log and Malicious Discovery tool (LOG-MD) created for Information Security and IT professionals, Active Defenders, Incident Responders, Forensics Investigators and Auditors to assess, effectively enable and configure logs, hash file and compare to the file system and registry all to discover malicious activity on Windows based systems |
| Cyber Chef | CyberChef is a simple, intuitive web app for carrying out all manner of "cyber" operations within a web browser. |
| tzworks | Below are various tools that cover a wide range of Windows digital computer forensic analysis. |
Other Tools
| TOOLS | DESCRIPTION |
|---|---|
| Draw Network Diagram Online | Web app to draw network diagrams |
| Check MAC Address | MAC Address Finder |
| Traceroute | Traceroute Test |
| Last Activity View - Nirsoft | LastActivityView is a tool for Windows operating system that collects information from various sources on a running system, and displays a log of actions made by the user and events occurred on this computer. |
| Browser History view | BrowsingHistoryView is a utility that reads the history data of different Web browsers (Mozilla Firefox, Google Chrome, Internet Explorer, Microsoft Edge, Opera) and displays the browsing history of all these Web browsers in one table |
| My Last Search | MyLastSearch utility scans the cache and history files of your Web browser, and locate all search queries that you made with the most popular search engines (Google, Yahoo and MSN) and with popular social networking sites (Twitter, Facebook, MySpace) |
| Nmap | Nmap: Discover your network |
| SSL Server Test | his free online service performs a deep analysis of the configuration of any SSL web server on the public Internet |
Virus / Malware Lookup
| TOOLS | DESCRIPTION |
|---|---|
| VirusTotal | Analyse suspicious files, domains, IPs and URLs to detect malware and other breaches, automatically share them with the security community. |
| Hybrid-analysis | Hybrid Analysis is a file analysis approach that combines runtime data with memory dump analysis to extract all possible execution pathways even for the most evasive malware. All data extracted from the Hybrid Analysis engine is processed automatically and integrated into the malware analysis reports. |
| Any.Run | Malware hunting with live access to the heart of an incident |
| OPSWAT | We protect against data breaches, ransom attacks and much more by offering a comprehensive set of technologies under one cloud platform, which is accessible and easy to integrate with. |
Browser History Analysis Tools
| TOOLS | DESCRIPTION |
|---|---|
| Visual Browser History - Chrome | Web Historian is a browser extension that helps you visualize the web browsing history that is already on your computer in a way you’ve never seen before. You can see what you’ve been looking for online and how you navigate through the web using interactive visuals. |
| DB Browser for SQLite | DB Browser for SQLite (DB4S) is a high quality, visual, open source tool to create, design, and edit database files compatible with SQLite. |
| Nirsoft Web Browsers Tools | unique Web browser tools for both Internet Explorer and Mozilla browsers (including Firefox) that extract cookies, history data and cache information from the Web browser. |
| Browser History Viewer | Free tool to view web browser history |
Processes And Memory Acquire-Analysis Tools
| TOOLS | DESCRIPTION |
|---|---|
| Volatility - Memory Forensics (GUI) | Volatility Workbench is a graphical user interface (GUI) for the Volatility tool. |
| memoryze | Memoryze™ is free memory forensic software that helps incident responders find evil in live memory. |
| Redline | Redline®, FireEye’s premier free endpoint security tool, provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis and the development of a threat assessment profile |
| Magnet Process Capture | MAGNET Process Capture is a free tool that allows you to capture memory from individual running processes. |
| Magnet RAM Capture | MAGNET RAM Capture is a free imaging tool designed to capture the physical memory of a suspect’s computer, allowing investigators to recover and analyze valuable artifacts that are often only found in memory. |
| Volatility - Memory Forensics | The Volatility Framework is open source and written in Python |
| Winpmem - Memory acquisition tools | This is the official site of the Pmem memory acquisition tools. These include WinPmem, OSXPmem and LinPmem. |
Windows Evidence Collection Tools
| TOOLS | DESCRIPTION |
|---|---|
| Kroll Artifact Parser And Extractor (KAPE) | KAPE helps forensic teams to collect and process forensically useful artifacts within minutes. |
| FTK Imager | Quickly assess electronic evidence by obtaining forensic images of computer data, without making changes to the original evidence, all with FTK® Imager! |
| Crowdresponse | Static Host Data Collection Tool |
| Bulk Extractor | bulk_extractor is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. |
| LastActivityView | LastActivityView is a tool for Windows operating system that collects information from various sources on a running system, and displays a log of actions made by the user and events occurred on this computer |
| Digital Forensic Tools | Digital Forensic Tools |
Registry Analysis Tools
| TOOLS | DESCRIPTION |
|---|---|
| Registry Explorer | Registry viewer with searching, multi-hive support, plugins, and more. Handles locked files |
| RegRipper 2.8 | RegRipper is an open source tool, written in Perl, for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis |
| ShellBags Explorer | GUI for browsing shellbags data. Handles locked files |
| AmcacheParser | Amcache.hve parser with lots of extra features. Handles locked files |
| AppCompatCacheParser | AppCompatCache aka ShimCache parser. Handles locked files |
| Jump List parser | Jump List parser |
| JumpList Explorer | GUI based Jump List viewer |
| RecentFileCacheParser | RecentFileCache parser |
Malware Blocklist
| WEBSITE | DESCRIPTION |
|---|---|
| Malware Bazaar | MalwareBazaar is a project from abuse.ch with the goal of sharing malware samples with the infosec community, AV vendors and threat intelligence providers. |
| FeodoTracker | Feodo Tracker is a project of abuse.ch with the goal of sharing botnet C&C servers associated with Dridex, Emotet (aka Heodo), TrickBot, QakBot (aka QuakBot / Qbot) and BazarLoader (aka BazarBackdoor). It offers various blocklists, helping network owners to protect their users from Dridex and Emotet/Heodo. |
| SSL Blacklist | The SSL Blacklist (SSLBL) is a project of abuse.ch with the goal of detecting malicious SSL connections, by identifying and blacklisting SSL certificates used by botnet C&C servers. In addition, SSLBL identifies JA3 fingerprints that helps you to detect & block malware botnet C&C communication on the TCP layer. |
| URLhaus | URLhaus is a project from abuse.ch with the goal of sharing malicious URLs that are being used for malware distribution. |
| Zeltser Blocklists | Free Blocklists of Suspected Malicious IPs and URLs |
| Spootle Blacklist | Pi-Hole optimized ad, tracking and malware blocklist. |
| Threatshub | Cyber Threat Analysis & Cloud Security |
Files Analysis Tools
| TOOLS | DESCRIPTION |
|---|---|
| MFTExplorer ($MFT) | Graphical $MFT viewer |
| MFTECmd | $MFT, $Boot, $J, $SDS, $I30, and $LogFile (coming soon) parser. Handles locked files |
| INDXParse | NDX files are features of the Windows NTFS file system. |
| UsnJrnl2Csv | [The journal is a log of changes to files on an NTFS volume. |