
Awesome Incident Response

A curated list of tools for incident response


Last Update: None

Thank you meirwah & contributors
View Topic on GitHub:
meirwah/awesome-incident-response


Adversary Emulation

A toolset to make a system look as if it was the victim of an APT attack

1.31K
280
3y 4m
MIT

Small and highly portable detection tests based on MITRE's ATT&CK.

4.3K
1.48K
8m
MIT

Automated Tactics Techniques & Procedures

215
59
1y 11m
n/a

Scalable Automated Adversary Emulation Platform

2.41K
482
8m
Apache-2.0

"Security Incidents In A Box!" A modular, menu-driven, cross-platform tool for building customized, time-delayed, distributed security events. Easily create custom event chains for Blue- & Red Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations. Build event sequences ("narratives") to simulate realistic scenarios and generate corresponding network and filesystem artifacts.

767
138
1y 5m
MIT

An information security preparedness tool to do adversarial simulation.

863
125
3y 4m
MIT

A utility to generate malicious network traffic and evaluate controls

522
95
1y 9m
n/a
768
161
2y 6m
n/a

Virtual Machine for Adversary Emulation and Threat Hunting

975
154
1y 106d
BSD-3-Clause

Software for defensive security training, which will bring your network analysis training sessions, incident response drills and red team engagements to a new level.

All-In-One Tools

CimSweep is a suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows.

555
140
4y 40d
BSD-3-Clause

Tools for the Computer Incident Response Team

122
25
4y 6m
MIT

an osquery fleet manager

564
94
2y 9m
MIT

CrowdStrike Falcon Orchestrator provides automated workflow and response capabilities

156
52
2y 7m
AGPL-3.0
2.21K
378
1y 96d
Apache-2.0

The premier osquery fleet manager.

148
26
9m
n/a

GRR Rapid Response: remote live forensics for incident response

3.72K
669
8m
Apache-2.0

Digital Forensics Investigation Platform

331
57
111d
GPL-3.0

MozDef: Mozilla Enterprise Defense Platform

2.08K
331
9m
MPL-2.0

Incident Response Forensic Framework

571
132
1y 11m
n/a

Digging Deeper....

909
156
34d
n/a

Zentral is an open-source solution for infrastructure monitoring and endpoint event stream processing. It provides built-in orchestration of macOS security components (Santa, Osquery, et al.), event correlation and event management. It consolidates its features with various data store backends (ElasticStack, Azure Log Analytics, Splunk, et al.).

508
63
8m
Apache-2.0

The toolkit will quickly extract digital evidence from multiple sources by analyzing hard drives, drive images, memory dumps, iOS, Blackberry and Android backups, UFED, JTAG and chip-off dumps.

Cyber Triage remotely collects and analyzes endpoint data to help determine if it is compromised. Its agentless approach and focus on ease of use and automation allow companies to respond without major infrastructure changes and without a team of forensics experts. Its results are used to decide if the system should be erased or investigated further.

Another popular distributed open-source computer forensics framework. This framework was built on the Linux platform and uses a PostgreSQL database for storing data.

osquery is an instrumentation framework that exposes the operating system as a high-performance relational database.

Provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis, and the development of a threat assessment profile.

Unix and Windows based tool which helps in the forensic analysis of computers. It comes with various tools which help in digital forensics. These tools help in analyzing disk images, performing in-depth analysis of file systems, and various other things.

Scalable 3-in-1 open source and free solution designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly.

Forensics tool for disk cloning and imaging. It can be used to find deleted files and for disk analysis.

Books

Communities

Community driven site providing a list of searches that can be implemented in and executed with a variety of common security tools.

Disk Image Creation Tools

Remote forensics meta tool

354
77
1y 14d
GPL-2.0

Forensics tool whose main purpose is to preview recoverable data from a disk of any kind. FTK Imager can also acquire live memory and paging file on 32bit and 64bit systems.

Windows based program that will acquire, convert, or verify a forensic image in one of the following common forensic file formats.

Free forensic imager for media acquisition on Linux.

ACQUIRE by Magnet Forensics allows various types of disk acquisitions to be performed on Windows, Linux, and OS X as well as mobile operating systems.

Evidence Collection

The artifactcollector is a customizable agent to collect forensic artifacts on any Windows, macOS or Linux system

55
7
8m
MIT

This is the development tree. For downloads please see:

496
117
1y 9d
n/a

The Cold Disk Quick Response (CDQR) tool is a fast and easy to use forensic artifact parsing tool that works on disk images, mounted drives and extracted artifacts from Windows, Linux, MacOS, and Android devices

292
43
1y 10m
GPL-3.0

CyLR - Live Response Collection Tool

332
57
8m
GPL-3.0

Digital Forensics Artifact Repository

625
150
102d
Apache-2.0

A Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response.

309
76
10m
n/a

Remote Memory Acquisition Tool

168
34
3y 4m
MIT

UAC (Unix-like Artifacts Collector) is a command line shell script that makes use of built-in tools to automate the collection of Unix-like systems artifacts. It was created to facilitate and speed up data collection, and depend less on remote support during incident response engagements. Supported systems: AIX, BSD, Linux, macOS and Solaris.

33
7
1y 9d
Apache-2.0

Automated tool that collects volatile data from Windows, OSX, and *nix based operating systems.

Incident Management

A framework for orchestrating forensic collection, processing and data export

160
50
35d
Apache-2.0

DFIRTrack - The Incident Response Tracking Application

269
62
4m
n/a

Fast Incident Response

1.27K
433
8m
GPL-3.0

Sandia Cyber Omni Tracker (SCOT)

203
44
1y 21d
n/a

Shuffle: A general purpose security automation platform. Our focus is on collaboration and resource sharing.

580
108
34d
AGPL-3.0

DPS' Lightweight Investigation Notebook

382
89
5y 74d
Apache-2.0

Community and commercial incident management tool with Need-to-Know built in to support GDPR compliance while handling sensitive incidents.

Cyphon eliminates the headaches of incident management by streamlining a multitude of related tasks through a single platform. It receives, processes and triages events to provide an all-encompassing solution for your analytic workflow: aggregating data, bundling and prioritizing alerts, and empowering analysts to investigate and document incidents.

Request Tracker for Incident Response (RTIR) is the premier open source incident handling system targeted for computer security teams. We worked with over a dozen CERT and CSIRT teams around the world to help you handle the ever-increasing volume of incident reports. RTIR builds on all the features of Request Tracker.

Knowledge Bases

Digital Forensics Artifacts Knowledge Base

22
5
6m
Apache-2.0

Windows Events Attack Samples

1.46K
265
65d
GPL-3.0

Windows Registry Knowledge Base

73
17
4m
Apache-2.0

Linux Distributions

Collect, Process, and Hunt with host based data from MacOS, Windows, and Linux

402
61
8m
GPL-3.0

Security Onion 16.04 - Linux distro for threat hunting, enterprise security monitoring, and log management

2.88K
517
8m
n/a

VMware-based appliance used for digital investigation and acquisition and is built entirely from public domain software. Among the tools contained in ADIA are Autopsy, the Sleuth Kit, the Digital Forensics Framework, log2timeline, Xplico, and Wireshark. Most of the system maintenance uses Webmin. It is designed for small-to-medium sized digital investigations and acquisitions. The appliance runs under Linux, Windows, and Mac OS. Both i386 (32-bit) and x86_64 (64-bit) versions are available.

Contains numerous tools that help investigators during their analysis, including forensic evidence collection.

Linux distribution made for computer forensic evidence collection. It comes bundled with the Digital Advanced Response Toolkit (DART) for Windows. A light version of DEFT, called DEFT Zero, is also available, which is focused primarily on forensically sound evidence collection.

Linux distribution that includes a vast collection of best-of-breed open source network security applications useful to the network security professional.

Modified Linux distribution to perform various forensic tasks in a forensically sound manner. It comes with many open source forensics tools included.

Demonstrates that advanced incident response capabilities and deep dive digital forensic techniques to intrusions can be accomplished using cutting-edge open-source tools that are freely available and frequently updated.

Linux Evidence Collection

Log Analysis Tools

"Evolving AppCompat/AmCache data analysis beyond grep"

133
21
1y 4m
Apache-2.0

APT-Hunter is a threat hunting tool for Windows event logs, built with a purple-team mindset, to detect APT movements hidden in the sea of Windows event logs and decrease the time needed to uncover suspicious activity.

362
66
4m
GPL-3.0

Apache Logfile Security Analyzer

186
47
2y 8m
GPL-2.0

CLI utility and Python module for analyzing log files and other data.

84
12
8m
MIT

Investigate malicious Windows logon by visualizing and analyzing Windows event log

1.66K
331
8m
n/a

Generic Signature Format for SIEM Systems

4.12K
1.2K
34d
n/a

StreamAlert is a serverless, realtime data analysis framework which empowers you to ingest, analyze, and alert on data from any environment, using datasources and alerting logic you define.

2.46K
303
8m
Apache-2.0

Investigate suspicious activity by visualizing Sysmon's event log

297
45
1y 6m
n/a

A standalone SIGMA-based detection tool for EVTX.

110
13
4m
n/a

Threat intelligence fusion and analysis tool that integrates threat data feeds with SIEM solutions. Users can immediately leverage threat intelligence for security monitoring and incident report (IR) activities in the workflow of their existing security operations.

Memory Analysis Tools

AVML - Acquire Volatile Memory for Linux

394
40
5m
MIT

Web interface for the Volatility Memory Forensics Framework

239
39
3y 11m
n/a

inVtero.net: A high speed (Gbps) forensics, memory integrity & assurance tool. Includes offensive & defensive memory capabilities. Find/extract processes and hypervisors (including nested) in memory dumps using microarchitecture-independent Virtual Machine Introspection techniques.

237
53
3y 11m
AGPL-3.0

LiME (formerly DMD) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports acquiring memory either to the file system of the device or over the network. LiME is unique in that it is the first tool that allows full memory captures from Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.

1.11K
235
8m
GPL-2.0

Volatility plugin that extracts configuration data of known malware

324
55
10m
n/a

An advanced memory forensics framework

4.3K
917
10m
GPL-2.0

Volatility 3.0 development

622
130
38d
n/a

VolatilityBot: An automated memory analyzer for malware samples and memory dumps

227
55
5y 19d
n/a

VolDiff: Malware Memory Footprint Analysis based on Volatility

177
49
4y 46d
BSD-2-Clause

Free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images, and on live systems, can include the paging file in its analysis.

Memory analysis framework,

Responder PRO is the industry standard physical memory and automated malware analysis solution.

Memory Imaging Tools

Script for automating Linux memory capture and analysis

205
43
1y 8m
n/a

Tiny free forensic tool to reliably extract the entire content of the computer's volatile memory, even if protected by an active anti-debugging or anti-dumping system.

Free imaging tool designed to capture the physical memory of a suspect's computer. Supports recent versions of Windows.

Tool to acquire live memory on 32bit and 64bit systems. A dump of an individual process's memory space or a physical memory dump can be done.

OSX Evidence Collection

macOS Artifact Parsing Tool

323
56
8m
MIT

OS X Auditor is a free Mac OS X computer forensics tool

3.09K
307
1y 92d
n/a

A forensic evidence collection & analysis toolkit for OS X

1.77K
242
2y 4m
n/a

See what's persistently installed on your Mac.

Other Lists

A curated list of awesome forensic analysis tools and resources

1.67K
356
34d
CC0-1.0

Please no pull requests for this repository. Thanks!

1K
315
36d
n/a

A collective list of public JSON APIs for use in security. Contributions welcome

502
90
8m
MIT

An updated list of forensic tools created by Eric Zimmerman, an instructor for SANS institute.

Other Tools

Diffy is a triage tool used during cloud-centric security incidents, to help digital forensics and incident response (DFIR) teams quickly identify suspicious hosts on which to focus their response.

551
55
1y 7m
Apache-2.0

A Python DNS crawler to find identical domain names under different TLDs.

15
2
2y 5m
n/a

A modular Python application to pull intelligence about malicious files

97
21
10m
n/a

The Hunting ELK

2.75K
534
8m
GPL-3.0

Web browser forensics for Google Chrome/Chromium

587
101
8m
Apache-2.0

A modular Python application to collect intelligence for malicious hosts.

211
46
1y 7m
n/a

Command line utility and Python package to ease the (un)mounting of forensic disk images

80
23
1y 5m
MIT

A Powershell incident response framework

1.06K
220
1y 84d
Apache-2.0

$MFT directory tree reconstruction & record info

87
8
16d
GPL-3.0

Online hash checker for Virustotal and other services

518
98
8m
Apache-2.0

PowerSponse is a PowerShell module focused on targeted containment and remediation during incident response.

27
7
9m
MIT

A simple many-rules to many-files YARA scanner for incident response or malware zoos.

17
3
3y 4m
Apache-2.0

Collecting & Hunting for IOCs with gusto and style

168
43
1y 5m
MIT

A Simple Ransomware Vaccine

749
93
93d
Unlicense

Stenographer is a packet capture solution which aims to quickly spool all packets to disk, then provide simple, fast access to subsets of those packets. Discussion/announcements at [email protected]

1.58K
193
11m
Apache-2.0

A simple threat hunting tool based on osquery, Salt Open and Cymon API

58
12
4y 4m
MIT

Sysmon configuration file template with default high-quality event tracing

3.14K
1.14K
43d
n/a

A repository of sysmon configuration modules

1.51K
315
61d
MIT

Traceroute improved wrapper for CSIRT and CERT operators

36
8
10y 5m
GPL-3.0

Cortex allows you to analyze observables such as IP and email addresses, URLs, domain names, files or hashes one by one or in bulk mode using a Web interface. Analysts can also automate these operations using its REST API.

Collaborative Research Into Threats, a

Unconventional remote acquisition and triaging tool that allows triaging the disk of a remote computer (client) that is restarted into a purpose-built forensic operating system.

Collect forensic data about MySQL when problems occur.

Security tool that lets Amazon Web Services administrators assess their environment's security posture.

Windows utility (poorly maintained or no longer maintained) to submit virus samples to AV vendors.

Playbooks

A concise, directive, specific, flexible, and free incident response plan template

125
43
9m
n/a

Cyber Incident Response Team Playbook Battle Cards

40
13
4m
MIT

Incident Response Methodologies

753
163
5y 6m
n/a

Phantom Community Playbooks

278
130
5m
n/a

A Threat hunter's playbook to aid the development of techniques and hypothesis for hunting campaigns.

2.77K
639
5m
GPL-3.0

Different generic incident response workflows, e.g. for malware outbreak, data theft, unauthorized access, ... Every workflow consists of seven steps: prepare, detect, analyze, contain, eradicate, recover, post-incident handling. The workflows are available online or for download.

Documents that describe parts of the PagerDuty Incident Response process. It provides information not only on preparing for an incident, but also what to do during and after. Source is available on GitHub.

Process Dump Tools

Tool that lets you dump the memory contents of a process to a file without stopping the process.

Sandboxing/Reversing Tools

Malware Configuration And Payload Extraction

291
78
12m
GPL-3.0

Cuckoo Sandbox is an automated dynamic malware analysis system

4.47K
1.52K
12m
GPL-3.0

Modified edition of cuckoo

374
170
4y 6m
n/a

A Python library to interface with a cuckoo-modified instance

15
3
4y 12m
n/a

Free and Open Source Reverse Engineering Platform powered by rizin

8.95K
709
8m
GPL-3.0

Ghidra is a software reverse engineering (SRE) framework

24.85K
3.35K
8m
Apache-2.0

Malware static analysis framework

140
41
6y 36d
n/a

UNIX-like reverse engineering framework and command-line toolset

13.97K
2.41K
8m
LGPL-3.0

UNIX-like reverse engineering framework and command-line toolset.

1.03K
114
34d
LGPL-3.0

A machine learning tool that ranks strings based on their relevance for malware analysis.

462
80
10m
Apache-2.0

Binary analysis and management framework

1.39K
363
8m
n/a

A Python library and command line tools to provide interactive log visualization.

128
34
4y 11m
n/a

Android Malware Analysis as a Service, executed in a native Android environment.

Online interactive sandbox.

Intezer Analyze dives into Windows binaries to detect micro-code similarities to known threats, in order to provide accurate yet easy-to-understand results.

Joe Sandbox detects and analyzes potential malicious files and URLs on Windows, Android, Mac OS, Linux, and iOS for suspicious activities; providing comprehensive and detailed analysis reports.

Free threat intelligence platform providing multiscanning, data sanitization and vulnerability assessment of files.

Alternative domain for the Hybrid-Analysis tool provided by CrowdStrike.

Valkyrie uses run-time behavior and hundreds of features from a file to perform analysis.

Free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners.

Scanner Tools

Simple Bash IOC Scanner

283
62
8m
MIT

Loki - Simple IOC and Incident Response Scanner

1.85K
426
9m
GPL-3.0

simple YARA-based IOC scanner

100
20
34d
LGPL-3.0

Timeline Tools

Incident Response Documentation made easy. Developed by Incident Responders for Incident Responders

206
25
4m
Apache-2.0

post mortem tracker

963
122
2y 5m
MIT

Super timeline all the things

1.04K
245
8m
Apache-2.0

Collaborative forensic timeline analysis

1.5K
341
8m
Apache-2.0

Free tool available from FireEye/Mandiant that renders a log/text file graphically and can highlight areas on the graphic that correspond to a key word or phrase. Good for timelining an infection and what was done post compromise.

Videos

Presented by Bruce Schneier at OWASP AppSecUSA 2015.

Windows Evidence Collection

Windows Live Artifacts Acquisition Script

144
27
9m
GPL-2.0
422
130
3y 25d
GPL-3.0

A modern tool for the Windows kernel exploration and tracing

1.1K
128
8m
n/a

This script is made to collect the most valuable artifacts for a forensics or incident response investigation rather than imaging the whole hard drive.

98
13
1y 8d
GPL-3.0

Invoke-LiveResponse

115
25
1y 58d
MIT

Incident Response Triage - Windows Evidence Collection for Forensic Analysis

67
17
5y 6m
n/a

Loki - Simple IOC and Incident Response Scanner

1.85K
426
9m
GPL-3.0

A collection of PowerShell modules designed for artifact gathering and reconnaissance of Windows-based endpoints.

284
61
9m
GPL-3.0

Fast incident overview

27
6
4y 8m
n/a

PowerForensics provides an all in one platform for live disk forensic analysis

1.05K
250
3y 6m
MIT

PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally.

411
104
4y 91d
Apache-2.0

RegRipper3.0

59
14
1y 1d
n/a

Lightweight Windows console application designed to aid in the gathering of system information for incident response and security engagements. It features numerous modules and output formats.

DFIR ORC is a collection of specialized tools dedicated to reliably parse and collect critical artefacts such as the MFT, registry hives or event logs. DFIR ORC collects data, but does not analyze it: it is not meant to triage machines. It provides a forensically relevant snapshot of machines running Microsoft Windows. The code can be found on GitHub.

All-in-one IR Evidence Collector which captures RAM Image, $MFT, EventLogs, WMI Scripts, Registry Hives, System Restore Points and much more. It is FREE, lightning fast and easy to use.

Free tool from Mandiant for collecting host system data and reporting the presence of Indicators of Compromise (IOCs). Support for Windows only.