Tools

Troubleshooting and monitoring VoIP calls.

Honeypot framework designed to provide a highly secure environment for detecting and analyzing cyber attacks.

Open source security data pipeline engine for structured event data, supporting high-volume telemetry ingestion, compaction, and retrieval; purpose-built for security content execution, guided threat hunting, and large-scale investigation.

An Obfuscation-Neglect Android Malware Scoring System.

Ghidra is a software reverse engineering (SRE) framework

UNIX-like reverse engineering framework and command-line toolset

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.

Chainsaw provides a powerful ‘first-response’ capability to quickly identify threats within Windows event logs.

AVML - Acquire Volatile Memory for Linux

Super timeline all the things

♂ Collect a dossier on a person by username from 3000+ sites

The most advanced free and open-source browser fingerprinting library

UNIX-like reverse engineering framework and command-line toolset.

Zentral is a high-visibility platform for controlling Apple endpoints in enterprises. It brings great observability to IT and makes tracking & reporting compliance much less manual.

Volatility 3.0 development

Browser forensics tool for Google Chrome (and other Chromium-based browsers)

A tool that allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk

Fast customisable cross-platform suspicious file finder. Supports md5/sha1/sha256 hashs, litteral/wildcard strings, regular expressions and YARA rules. Can easily be packed to be deployed on any windows / linux host.

macOS (& ios) Artifact Parsing Tool

go-audit is an alternative to the auditd daemon that ships with many distros

High-speed log analysis and forensics tool with multi-format parsing, pattern matching, timeline reconstruction and anomaly detection for incident response.

Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, formerly called DMD.

Digital Forensics Artifact Repository

A fully customizable, Windows-based security distribution for malware analysis, incident response, penetration testing.

GRR Rapid Response: remote live forensics for incident response

Acquire is a tool to quickly gather forensic artifacts from disk images or a live system into a lightweight container. This makes Acquire an excellent tool to, among others, speedup the process of digital forensic triage. It uses Dissect to gather that information from the raw disk, if possible.

Digging Deeper....

The FLARE team's open-source tool to identify capabilities in executable files.

Collaborative forensic timeline analysis

UAC is a powerful and extensible incident response tool designed for forensic investigators, security analysts, and IT professionals. It automates the collection of artifacts from a wide range of Unix-like systems, including AIX, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris.

The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis

Dissect is a digital forensics & incident response framework and toolset that allows you to quickly access and analyse forensic artefacts from various disk and file formats, developed by Fox-IT (part of NCC Group).

A cloud native data pipeline and transformation toolkit for security teams.