swap_digger: A tool that automates Linux swap analysis during post-exploitation or forensics. It automates swap extraction and searches for Linux user credentials, web form credentials, web form emails, HTTP basic authentication, Wi-Fi SSIDs and keys, etc.
Ir Rescue: A Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response.
Recuperabit: A tool for forensic file system reconstruction.
Security Onion: Security Onion 16.04, a Linux distro for threat hunting, enterprise security monitoring, and log management.
DetectionLabELK: A fork of DetectionLab with the ELK stack instead of Splunk.
Lolbas: Living Off The Land Binaries And Scripts (LOLBins and LOLScripts).
Attackdatamap: A data source assessment at the event level to show potential coverage of the MITRE ATT&CK framework.
Kuiper: Digital forensics investigation platform.
Threatpinchlookup: Documentation and sharing repository for the ThreatPinch Lookup Chrome and Firefox extension.
Yobi: YARA-based detection engine for web browsers.
VanillaWindowsReference: A repo containing recursive directory listings (generated with PowerShell) of a vanilla (clean) install of every Windows OS version, to compare and see what has been added with each update.
minerchk: Bash script to check for malicious cryptomining.
hashlookup-forensic-analyser: Analyses a forensic target (such as a directory) to find and report files found and not found in the CIRCL hashlookup public service (https://circl.lu/services/hashlookup/).
factual-rules-generator: An open source project that generates YARA rules for the software installed on a machine.
WindowsDFIR: Repository for various Windows DFIR-related commands, PowerShell cmdlets, etc., plus workshops that I did for different conferences or events.
decwindbx: A toolkit of sorts to decrypt Dropbox Windows DBX files.
fastfinder: Incident response fast suspicious file finder.
artifactcollector: 🚨 The artifactcollector is a customizable agent to collect forensic artifacts on any Windows, macOS or Linux system.
DFIRRegex: A repo to centralize some of the regular expressions I've found useful over the course of my DFIR career.
calamity: A script to assist in processing forensic RAM captures for malware triage.
catalyst: Catalyst is an open source SOAR system that helps automate alert handling and incident response processes.
LevelDBDumper: Dumps all of the key/value pairs from a LevelDB database.
Get-NetworkConnection: Edited version of Lee Christensen's Get-NetworkConnection that includes a timestamp for each network connection.
yara-validator: Validates YARA rules and tries to repair broken ones.
pftriage: Python tool and library to help analyze files during malware triage and analysis.
WELA: WELA (Windows Event Log Analyzer): the Swiss Army knife for Windows event logs! ゑ羅(ウェラ)
DDTTX: DDTTX tabletop trainings.
EventTranscriptParser: Python-based tool to extract forensic info from EventTranscript.db (Windows Diagnostic Data).
MemProcFS-Analyzer: Automated forensic analysis of Windows memory dumps for DFIR.
Evilize: Parses Windows event log files based on the SANS poster.
PSTrace: Trace ScriptBlock execution for PowerShell v2.
DFIR-O365RC: PowerShell module for Office 365 and Azure log collection.
ad-privileged-audit: Provides various Windows Server Active Directory (AD) security-focused reports.
uac: UAC is a live response collection script for incident response that uses native binaries and tools to automate the collection of artifacts from AIX, Android, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris systems.
CDIR: CDIR (Cyber Defense Institute Incident Response) Collector, a live collection tool based on OSS tools and libraries.
AUCR: Analyst Unknown Cyber Range, a micro web service framework.
Splunk-ETW: A Splunk Technology Add-on to forward filtered ETW events.
MindMaps: #ThreatHunting #DFIR #Malware #Detection mind maps.
dnslog: Minimalistic DNS logging tool.
INDXRipper: Carve file metadata from NTFS index ($I30) attributes.
hayabusa: Hayabusa (隼) is a Sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
MEAT: This toolkit aims to help forensicators perform different kinds of acquisitions on iOS devices.
RdpCacheStitcher: A tool that supports forensic analysts in reconstructing useful images from RDP cache bitmaps.
BlueCloud: Cyber range including Velociraptor and a HELK system with a Windows VM for security testing and R&D; Azure and AWS Terraform support.