
DFIR Tools

Digital Forensics and Incident Response (DFIR) is a critical aspect of cybersecurity that involves the investigation of cyber incidents, collection of digital evidence, and response to threats. Here is a list of essential tools used by DFIR professionals to enhance their capabilities in dealing with security incidents:


Threat Intel

| Website | Description |
|---|---|
| PhishTool | Forensic email analysis and incident response |
| OTX Endpoint Security | Free threat-scanning service in AlienVault OTX. It identifies malware and other threats by scanning your endpoints for the presence of IOCs catalogued in OTX. |
| abuse.ch | abuse.ch's main goal is to identify and track cyber threats, with a strong focus on malware and botnets. It publishes actionable threat intelligence and operates platforms that let IT security researchers share threat intel data with the community. |
| Parse a User Agent | Parse a User-Agent string |
| urlscan.io | A sandbox for the web |
| FileScan.IO | Free malware analysis service offering rapid in-depth file assessments, threat intelligence and indicator of compromise (IOC) extraction for a wide range of executables, documents and scripts. |
| Jotti's malware scan | Free service that scans suspicious files with several anti-virus engines; up to 5 files at a time, 250 MB per file. No security solution offers 100% detection, even with several engines. Note that all submitted files are shared with anti-virus companies to improve their detection, so do not upload sensitive evidence. |
| USB ID Database | Search for USB devices by Vendor ID, Product ID and/or name |
| BlackList Alert | Free blacklist lookup service (the operators cannot remove you from any list) |
| IBM X-Force Exchange | Threat intelligence sharing platform for researching security threats and aggregating intelligence |
| Palo Alto URL check | Test a site's URL filtering category |
| AlienVault OTX IP Lookup | IP lookup in AlienVault OTX, "the world's first truly open threat intelligence community" |
| DNS Analytics | The ultimate online investigation tool |
| AbuseIPDB | Making the internet safer, one IP at a time |
| BrightCloud Threat Intelligence | Enter a URL or IP address to view threat, content and reputation analysis. |
| Cisco Talos Blog | Cisco Talos threat research blog |

Frameworks, Toolkits and VMs

| Tool | Description |
|---|---|
| SANS SIFT Workstation | Collection of free and open-source incident response and forensic tools designed for detailed digital forensic examinations in a variety of settings |
| SOF-ELK VM (network analysis) | SOF-ELK is a "big data analytics" platform focused on the typical needs of forensic investigators/analysts and security operations personnel |
| REMnux VM (malware analysis) | REMnux is a Linux toolkit for reverse-engineering and analyzing malicious software |
| Kali Linux | Open-source, Debian-based Linux distribution geared towards information security tasks such as penetration testing, security research, computer forensics and reverse engineering |
| Slingshot | Ubuntu-based Linux distribution with the MATE desktop environment, built for the SANS penetration testing curriculum and beyond |
| FTK Forensic Toolkit | FTK Forensic Toolkit, a commercial suite marketed as "the gold standard in digital forensics for over 15 years" |
| The Sleuth Kit & Autopsy | Open-source digital forensics |
| EnCase | Commercial forensic suite: "close cases quickly with reliable digital forensic investigation results" |
| CAINE (Computer Aided INvestigative Environment) | Italian GNU/Linux live distribution created as a digital forensics project |
| Cyber Triage | Automated DFIR software for quickly answering intrusion questions related to malware, ransomware and account takeover |
| Belkasoft Evidence Center | Belkasoft X (Belkasoft Evidence Center X) is Belkasoft's flagship tool for computer, mobile and cloud forensics |
| NirSoft Forensics Tool List | List of NirSoft utilities that can extract data and information from an external hard drive, with short notes on how to use each against an external drive |
| Eric Zimmerman Tool List | Tools from Eric Zimmerman |
| Bento Portable Forensics Toolkit | Portable toolkit designed for live forensics and incident response activities |
| NirSoft Portable Forensics Toolkit (NirLauncher) | Package of more than 200 portable freeware Windows utilities developed for the NirSoft website |
| SANS Free Tool Lists (PDF) | SANS instructors have built more than 150 open-source tools that support your work and help you implement better security; search the lists for the free tools that get the job done |
| Sysinternals tools download | Whether you're an IT pro or a developer, Sysinternals utilities help you manage, troubleshoot and diagnose Windows systems and applications |
| Malware Tools & Resources | Malware and IR tools and resources |
| OSForensics | Extract forensic data from computers, quicker and easier than ever |

Network Analysis Tools

| Tool | Description |
|---|---|
| Wireshark | The world's foremost and most widely used network protocol analyzer. It lets you see what is happening on your network at a microscopic level and is the standard across many commercial and non-profit enterprises, government agencies and educational institutions |
| NetworkMiner | Passive network sniffer/packet capture tool that detects operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. It can also parse PCAP files for offline analysis and regenerate/reassemble transmitted files and certificates from them |
| PacketTotal | Simple, free, high-quality PCAP analysis tool |

PowerShell IR Tools

| Tool | Description |
|---|---|
| DeepBlueCLI | A PowerShell module for threat hunting via Windows event logs |
| Kansa | A modular incident response framework in PowerShell |
| ARTHIR | ATT&CK Remote Threat Hunting Incident Response |

Log Analysis Tools

| Tool | Description |
|---|---|
| Event Log Explorer | Software for viewing, analyzing and monitoring events recorded in Microsoft Windows event logs. It greatly simplifies and speeds up the analysis of event logs (security, application, system, setup, directory service, DNS and others) |
| Log Parser | Powerful, versatile tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows operating system such as the Event Log, the Registry, the file system and Active Directory |
| EvtxECmd (Evtx Explorer) | Event log (evtx) parser with standardized CSV, XML and JSON output, custom maps, locked-file support and more |
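Tools such as DeepBlueCLI and EvtxECmd work by flattening Windows event records and applying simple rules to them. The following is an added example written for this page (it is not code from any of the tools listed): it parses Security event records in the standard Windows event XML schema, then runs two classic checks over them, a burst of 4625 failed logons per source IP (brute force or password spraying) and 4624 successes with LogonType 10 (RemoteInteractive, i.e. RDP). The records and the threshold of five failures are constructed for the example.

```python
"""Minimal Windows Security event hunting over exported event XML.
Added example; the records below are constructed, not from a real host."""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Default namespace used by every Windows event record (exported via wevtutil,
# EvtxECmd --xml, or Get-WinEvent's ToXml()).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_event(xml_text: str) -> dict:
    """Flatten one <Event> into {'EventID', 'TimeCreated', <EventData Name>: value, ...}."""
    root = ET.fromstring(xml_text)
    rec = {
        "EventID": int(root.findtext("e:System/e:EventID", namespaces=NS)),
        "TimeCreated": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
    }
    for d in root.findall("e:EventData/e:Data", NS):
        rec[d.get("Name")] = d.text or ""
    return rec


def hunt(events: list[dict], fail_threshold: int = 5) -> dict:
    """4625 failure bursts per source IP plus 4624/LogonType 10 (RDP) successes,
    so an RDP success from an IP that just burned through accounts stands out."""
    failures = Counter()
    targeted_users = defaultdict(set)
    rdp_logons = []
    for ev in events:
        if ev["EventID"] == 4625:
            ip = ev.get("IpAddress", "-")
            failures[ip] += 1
            targeted_users[ip].add(ev.get("TargetUserName", ""))
        elif ev["EventID"] == 4624 and ev.get("LogonType") == "10":
            rdp_logons.append((ev["TimeCreated"], ev.get("TargetUserName"), ev.get("IpAddress")))
    bursts = {
        ip: {"failures": n, "distinct_users": len(targeted_users[ip])}
        for ip, n in failures.items() if n >= fail_threshold
    }
    return {"failed_logon_bursts": bursts, "rdp_logons": rdp_logons}


def _event(event_id: int, time: str, **data: str) -> str:
    """Build a constructed event record in the Windows event XML layout (test data only)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{time}"/></System><EventData>{fields}</EventData></Event>')


# Constructed scenario: six different accounts fail from 203.0.113.7 (TEST-NET-3),
# then "jdoe" succeeds over RDP from the same IP; a benign console logon follows.
SAMPLE_EVENTS = [
    _event(4625, f"2024-03-01T02:10:{s:02d}Z", TargetUserName=u, IpAddress="203.0.113.7", LogonType="3")
    for s, u in enumerate(["admin", "backup", "svc_sql", "jdoe", "administrator", "root"])
] + [
    _event(4624, "2024-03-01T02:11:30Z", TargetUserName="jdoe", IpAddress="203.0.113.7", LogonType="10"),
    _event(4624, "2024-03-01T08:00:00Z", TargetUserName="jdoe", IpAddress="10.0.0.5", LogonType="2"),
]


def run(xml_records: list[str] = SAMPLE_EVENTS) -> dict:
    return hunt([parse_event(x) for x in xml_records])


if __name__ == "__main__":
    result = run()
    for ip, info in result["failed_logon_bursts"].items():
        print(f"[!] {ip}: {info['failures']} failed logons across {info['distinct_users']} accounts")
    for when, user, ip in result["rdp_logons"]:
        print(f"[i] RDP logon {user} from {ip} at {when}")
```

To run it against real data, export the Security log to XML (for example `wevtutil qe Security /f:xml`) and split the output on `</Event>`; the threshold and the LogonType 10 rule are starting points, not a complete ruleset.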

Forensics Analysis Tools

| Tool | Description |
|---|---|
| DensityScout | Calculates a density value (comparable to entropy) for every file under a given path and outputs the list in descending order, so packed or encrypted files, including previously unknown malware, rise to the top on a potentially infected Windows machine |
| ExifTool | Platform-independent Perl library plus command-line application for reading, writing and editing meta information in a wide variety of files |
| pescan | Command-line tool that scans portable executable (PE) files to identify how they were constructed |
| Sigcheck | Command-line utility that shows file version number, timestamp information and digital signature details, including certificate chains. It can also check a file's status on VirusTotal, which scans files against over 40 antivirus engines, and optionally upload a file for scanning |
| Log2Timeline / Plaso | Plaso ("super timeline all the things") is a Python-based engine used by several tools to create timelines automatically. By default it builds super timelines, but it also supports more targeted ones |
| LOG-MD | The Log and Malicious Discovery tool, built for security and IT professionals, active defenders, incident responders, forensic investigators and auditors to assess, enable and configure logging, hash files and compare them against the file system and registry, all to discover malicious activity on Windows systems |
| CyberChef | Simple, intuitive web app for carrying out all manner of "cyber" operations within a web browser |
| TZWorks | Various tools covering a wide range of Windows digital forensic analysis |
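DensityScout's approach, a per-file density score with the list sorted highest first, is easy to reproduce for triage on a mounted image. The block below is an added example written for this page, not DensityScout's code: it uses Shannon entropy (bits per byte, 0.0 for a constant file up to 8.0 for uniformly distributed bytes) as the density measure and ranks the results. The three sample buffers are constructed stand-ins, not real files; `scan_directory` is the only function that touches disk, and its `.exe/.dll/.sys` filter is an assumption you can widen.

```python
"""Entropy-based file ranking in the spirit of DensityScout (added example)."""
import math
from collections import Counter
from pathlib import Path


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for a
    uniform one. Packed, compressed or encrypted payloads sit near the top."""
    if not data:
        return 0.0
    n = len(data)
    h = -sum(c / n * math.log2(c / n) for c in Counter(data).values())
    return max(0.0, h)  # avoids returning -0.0 for single-symbol input


def rank_by_entropy(samples: dict[str, bytes]) -> list[tuple[str, float]]:
    """Return (name, entropy) pairs sorted highest first, like DensityScout's output order."""
    scored = [(name, round(shannon_entropy(blob), 3)) for name, blob in samples.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def scan_directory(root: str, suffixes: tuple[str, ...] = (".exe", ".dll", ".sys")) -> list[tuple[str, float]]:
    """Walk a real path (e.g. a read-only mounted image) and rank matching executables.
    The suffix filter is an assumption for the example; drop it to scan everything."""
    files = {
        str(p): p.read_bytes()
        for p in Path(root).rglob("*")
        if p.is_file() and p.suffix.lower() in suffixes
    }
    return rank_by_entropy(files)


# Constructed stand-ins for three files (not real samples):
SAMPLES = {
    "uniform_packed.bin": bytes(range(256)) * 16,  # every byte value equally often -> 8.0
    "plain_text.txt": b"The quick brown fox jumps over the lazy dog. " * 40,
    "zero_padded.bin": b"\x00" * 4096,  # single byte value -> 0.0
}

if __name__ == "__main__":
    for name, h in rank_by_entropy(SAMPLES):
        flag = "  <-- review (packed/encrypted?)" if h > 7.0 else ""
        print(f"{h:5.3f}  {name}{flag}")
```

High entropy alone is not a verdict: legitimate installers, compressed resources and signed packers score just as high, so the ranking tells you where to look first, and Sigcheck or a hash lookup tells you what it is.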

Other Tools

| Tool | Description |
|---|---|
| Draw Network Diagram Online | Web app to draw network diagrams |
| Check MAC Address | MAC address vendor finder |
| Traceroute | Online traceroute test |
| LastActivityView (NirSoft) | Windows tool that collects information from various sources on a running system and displays a log of actions made by the user and events that occurred on the computer |
| BrowsingHistoryView (NirSoft) | Utility that reads the history data of different web browsers (Mozilla Firefox, Google Chrome, Internet Explorer, Microsoft Edge, Opera) and displays the browsing history of all of them in one table |
| MyLastSearch (NirSoft) | Scans the cache and history files of your web browser and locates all search queries made with the most popular search engines (Google, Yahoo and MSN) and social networking sites (Twitter, Facebook, MySpace) |
| Nmap | Nmap: discover your network |
| SSL Server Test | This free online service performs a deep analysis of the configuration of any SSL web server on the public internet |

Virus / Malware Lookup

| Tool | Description |
|---|---|
| VirusTotal | Analyse suspicious files, domains, IPs and URLs to detect malware and other breaches, and automatically share them with the security community |
| Hybrid Analysis | File analysis approach that combines runtime data with memory dump analysis to extract all possible execution pathways, even for the most evasive malware. All data extracted from the Hybrid Analysis engine is processed automatically and integrated into the malware analysis reports |
| Any.Run | Malware hunting with live access to the heart of an incident |
| OPSWAT | Protection against data breaches, ransom attacks and more through a comprehensive set of technologies under one cloud platform that is accessible and easy to integrate with |

Browser History Analysis Tools

| Tool | Description |
|---|---|
| Web Historian (Chrome extension) | Browser extension that visualizes the web browsing history already on your computer, showing what you looked for online and how you navigated the web through interactive visuals |
| DB Browser for SQLite | DB Browser for SQLite (DB4S) is a high-quality, visual, open-source tool to create, design and edit database files compatible with SQLite |
| NirSoft Web Browser Tools | Web browser tools for Internet Explorer and Mozilla browsers (including Firefox) that extract cookies, history data and cache information from the browser |
| Browser History Viewer | Free tool to view web browser history |

Process and Memory Acquisition and Analysis Tools

| Tool | Description |
|---|---|
| Volatility Workbench (GUI) | Graphical user interface for the Volatility tool |
| Memoryze | Free memory forensic software that helps incident responders find evil in live memory |
| Redline | FireEye's free endpoint security tool, providing host investigative capabilities to find signs of malicious activity through memory and file analysis and the development of a threat assessment profile |
| MAGNET Process Capture | Free tool to capture memory from individual running processes |
| MAGNET RAM Capture | Free imaging tool to capture the physical memory of a suspect's computer, letting investigators recover and analyze valuable artifacts that are often found only in memory |
| Volatility | The Volatility Framework is open source and written in Python |
| WinPmem (Pmem memory acquisition tools) | Official site of the Pmem memory acquisition tools: WinPmem, OSXPmem and LinPmem |

Windows Evidence Collection Tools

| Tool | Description |
|---|---|
| KAPE (Kroll Artifact Parser and Extractor) | Helps forensic teams collect and process forensically useful artifacts within minutes |
| FTK Imager | Quickly assess electronic evidence by obtaining forensic images of computer data without making changes to the original evidence |
| CrowdResponse | Static host data collection tool |
| bulk_extractor | C++ program that scans a disk image, a file or a directory of files and extracts useful information without parsing the file system or file system structures |
| LastActivityView | Windows tool that collects information from various sources on a running system and displays a log of actions made by the user and events that occurred on the computer |
| Digital Forensic Tools | Collection of digital forensic tools |

Registry Analysis Tools

| Tool | Description |
|---|---|
| Registry Explorer | Registry viewer with searching, multi-hive support, plugins and more. Handles locked files |
| RegRipper 2.8 | Open-source tool, written in Perl, for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis |
| ShellBags Explorer | GUI for browsing ShellBags data. Handles locked files |
| AmcacheParser | Amcache.hve parser with lots of extra features. Handles locked files |
| AppCompatCacheParser | AppCompatCache (aka ShimCache) parser. Handles locked files |
| Jump List parser | Jump List parser |
| JumpList Explorer | GUI-based Jump List viewer |
| RecentFileCacheParser | RecentFileCache parser |

Malware Blocklists

| Website | Description |
|---|---|
| MalwareBazaar | abuse.ch project for sharing malware samples with the infosec community, AV vendors and threat intelligence providers |
| Feodo Tracker | abuse.ch project for sharing botnet C&C servers associated with Dridex, Emotet (aka Heodo), TrickBot, QakBot (aka QuakBot / Qbot) and BazarLoader (aka BazarBackdoor). It offers various blocklists that help network owners protect their users from Dridex and Emotet/Heodo |
| SSL Blacklist (SSLBL) | abuse.ch project for detecting malicious SSL connections by identifying and blacklisting SSL certificates used by botnet C&C servers. SSLBL also publishes JA3 fingerprints that help detect and block malware botnet C&C communication at the TCP layer |
| URLhaus | abuse.ch project for sharing malicious URLs that are being used for malware distribution |
| Zeltser Blocklists | Free blocklists of suspected malicious IPs and URLs |
| Spootle Blacklist | Pi-hole optimized ad, tracking and malware blocklist |
| Threatshub | Cyber threat analysis and cloud security |

File Analysis Tools

| Tool | Description |
|---|---|
| MFTExplorer ($MFT) | Graphical $MFT viewer |
| MFTECmd | $MFT, $Boot, $J, $SDS, $I30 and $LogFile (coming soon) parser. Handles locked files |
| INDXParse | Parser for NTFS INDX index records ($I30); INDX structures are a feature of the Windows NTFS file system and retain entries for deleted files |
| UsnJrnl2Csv | Parser for the USN change journal, the log of changes to files on an NTFS volume |