Top 127 DFIR open source projects

swap_digger
swap_digger is a tool used to automate Linux swap analysis during post-exploitation or forensics. It automates swap extraction and searches for Linux user credentials, web form credentials, web form emails, HTTP basic authentication, Wi-Fi SSIDs and keys, etc.
mac_apt
macOS Artifact Parsing Tool
ir-rescue
A Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response.
Recuperabit
A tool for forensic file system reconstruction.
Security Onion
Security Onion 16.04 - Linux distro for threat hunting, enterprise security monitoring, and log management
DetectionLabELK
DetectionLabELK is a fork from DetectionLab with ELK stack instead of Splunk.
LOLBAS
Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts)
AttackDatamap
A data source assessment at the event level to show potential coverage of the MITRE ATT&CK framework
Kuiper
Digital Forensics Investigation Platform
ThreatPinchLookup
Documentation and Sharing Repository for ThreatPinch Lookup Chrome & Firefox Extension
Yobi
Yara Based Detection Engine for web browsers
VanillaWindowsReference
A repo that contains recursive directory listings (using PowerShell) of a vanilla (clean) install of every Windows OS version to compare and see what's been added with each update.
yara-rules
Yara rules written by me, for free use.
Opensource-Endpoint-Monitoring
This repository contains all the config files and scripts used for our Open Source Endpoint monitoring project.
minerchk
Bash script to Check for malicious Cryptomining
hashlookup-forensic-analyser
Analyse a forensic target (such as a directory) to find and report files found and not found from CIRCL hashlookup public service - https://circl.lu/services/hashlookup/
factual-rules-generator
Factual-rules-generator is an open source project which aims to generate YARA rules about installed software from a machine.
WindowsDFIR
Repository for different Windows DFIR related CMDs, PowerShell cmdlets, etc., plus workshops that I did for different conferences or events.
decwindbx
A sort of a toolkit to decrypt Dropbox Windows DBX files
fastfinder
Incident Response - Fast suspicious file finder
IRScripts
Incident Response Scripts
artifactcollector
🚨 The artifactcollector is a customizable agent to collect forensic artifacts on any Windows, macOS or Linux system
DFIRRegex
A repo to centralize some of the regular expressions I've found useful over the course of my DFIR career.
calamity
A script to assist in processing forensic RAM captures for malware triage
catalyst
Catalyst is an open source SOAR system that helps to automate alert handling and incident response processes
Get-NetworkConnection
Edited version of Lee Christensen's Get-NetworkConnection which includes timestamp for each network connection
yara-validator
Validates yara rules and tries to repair the broken ones.
pftriage
Python tool and library to help analyze files during malware triage and analysis.
WELA
WELA (Windows Event Log Analyzer): The Swiss Army knife for Windows Event Logs! ゑ羅(ウェラ)
DDTTX
DDTTX Tabletop Trainings
EventTranscriptParser
Python based tool to extract forensic info from EventTranscript.db (Windows Diagnostic Data)
MemProcFS-Analyzer
MemProcFS-Analyzer - Automated Forensic Analysis of Windows Memory Dumps for DFIR
Evilize
Parses Windows event logs files based on SANS Poster
PSTrace
Trace ScriptBlock execution for PowerShell v2
Docker-Templates
Docker configurations for TheHive, Cortex and 3rd party tools
uac
UAC is a Live Response collection script for Incident Response that makes use of native binaries and tools to automate the collection of AIX, Android, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris systems artifacts.
CDIR
CDIR (Cyber Defense Institute Incident Response) Collector - live collection tool based on OSS tools and libraries
AUCR
Analyst Unknown Cyber Range - a micro web service framework
Splunk-ETW
A Splunk Technology Add-on to forward filtered ETW events.
dnslog
Minimalistic DNS logging tool
INDXRipper
Carve file metadata from NTFS index ($I30) attributes
Blue-Team-Notes
You didn't think I'd go and leave the blue team out, right?
hayabusa
Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
MEAT
This toolkit aims to help forensicators perform different kinds of acquisitions on iOS devices
GetConsoleHistoryAndOutput
An Incident Response tool to extract console command history and screen output buffer
RdpCacheStitcher
RdpCacheStitcher is a tool that supports forensic analysts in reconstructing useful images out of RDP cache bitmaps.
BlueCloud
Cyber Range including Velociraptor + HELK system with a Windows VM for security testing and R&D. Azure and AWS terraform support.