Your first time on this page? Allow me to give some explanations.
Awesome Incident Response
A curated list of tools for incident response
Here you can see meta information about this topic like the time we last updated this page, the original creator of the awesome list and a link to the original GitHub repository.
Thank you meirwah & contributors
View Topic on GitHub:
meirwah/awesome-incident-response
Search for resources by name or description.
Simply type in what you are looking for and the results will be filtered on the fly.
Further filter the resources on this page by type (repository/other resource), number of stars on GitHub and time of last commit in months.
Adversary Emulation
A toolset to make a system look as if it was the victim of an APT attack
Small and highly portable detection tests based on MITRE's ATT&CK.
Automated Tactics Techniques & Procedures
Scalable Automated Adversary Emulation Platform
"Security Incidents In A Box!" A modular, menu-driven, cross-platform tool for building customized, time-delayed, distributed security events. Easily create custom event chains for Blue- & Red Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations. Build event sequences ("narratives") to simulate realistic scenarios and generate corresponding network and filesystem artifacts.
An information security preparedness tool to do adversarial simulation.
A utility to generate malicious network traffic and evaluate controls
Virtual Machine for Adversary Emulation and Threat Hunting
Software for defensive security training, which will bring your network analysis training sessions, incident response drills and red team engagements to a new level.
All in one Tools
CimSweep is a suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows.
Tools for the Computer Incident Response Team
an osquery fleet manager
CrowdStrike Falcon Orchestrator provides automated workflow and response capabilities
The premier osquery fleet manager.
GRR Rapid Response: remote live forensics for incident response
MozDef: Mozilla Enterprise Defense Platform
Incident Response Forensic Framework
Zentral is an open-source solution for infrastructure monitoring and endpoint event stream processing. It provides build-in orchestration of macOS security components (Santa, Osquery, et-al.), event correlation and event management. It consolidates its features with various data store backends (ElasticStack, Azure Log Analytics, Splunk, et-al.).
The toolkit will quickly extract digital evidence from multiple sources by analyzing hard drives, drive images, memory dumps, iOS, Blackberry and Android backups, UFED, JTAG and chip-off dumps.
Cyber Triage remotely collects and analyzes endpoint data to help determine if it is compromised. It’s agentless approach and focus on ease of use and automation allows companies to respond without major infrastructure changes and without a team of forensics experts. Its results are used to decide if the system should be erased or investigated further.
Another popular distributed open-source computer forensics framework. This framework was built on Linux platform and uses postgreSQL database for storing data.
osquery is an instrumentation framework that expose the operating system as a high-performance relational database.
Provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis, and the development of a threat assessment profile.
Unix and Windows based tool which helps in forensic analysis of computers. It comes with various tools which helps in digital forensics. These tools help in analyzing disk images, performing in-depth analysis of file systems, and various other things.
Scalable 3-in-1 open source and free solution designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly.
Forensics tool for Disk cloning and imaging. It can be used to find deleted files and disk analysis.
Books
Communities
Community driven site provididing a list of searches that can be implemented in and executed with a variety of common security tools.
Disk Image Creation Tools
Remote forensics meta tool
Forensics tool whose main purpose is to preview recoverable data from a disk of any kind. FTK Imager can also acquire live memory and paging file on 32bit and 64bit systems.
Windows based program that will acquire, convert, or verify a forensic image in one of the following common forensic file formats.
ACQUIRE by Magnet Forensics allows various types of disk acquisitions to be performed on Windows, Linux, and OS X as well as mobile operating systems.
Evidence Collection
This is the development tree. For downloads please see:
The Cold Disk Quick Response (CDQR) tool is a fast and easy to use forensic artifact parsing tool that works on disk images, mounted drives and extracted artifacts from Windows, Linux, MacOS, and Android devices
CyLR - Live Response Collection Tool
🚨 The artifactcollector is a customizable agent to collect forensic artifacts on any Windows, macOS or Linux system
A Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response.
Remote Memory Acquisition Tool
UAC (Unix-like Artifacts Collector) is a command line shell script that makes use of built-in tools to automate the collection of Unix-like systems artifacts. It was created to facilitate and speed up data collection, and depend less on remote support during incident response engagements. Supported systems: AIX, BSD, Linux, macOS and Solaris.
Automated tool that collects volatile data from Windows, OSX, and *nix based operating systems.
Incident Management
DFIRTrack - The Incident Response Tracking Application
Fast Incident Response
Sandia Cyber Omni Tracker (SCOT)
DPS' Lightweight Investigation Notebook
Community and commercial incident management tool with Need-to-Know built in to support GDPR compliance while handling sensitive incidents.
Cyphon eliminates the headaches of incident management by streamlining a multitude of related tasks through a single platform. It receives, processes and triages events to provide an all-encompassing solution for your analytic workflow — aggregating data, bundling and prioritizing alerts, and empowering analysts to investigate and document incidents.
A triage tool that finds the most prevalent digital artifacts and then parses them quickly. Great and thorough when time is of the essence.
Request Tracker for Incident Response (RTIR) is the premier open source incident handling system targeted for computer security teams. We worked with over a dozen CERT and CSIRT teams around the world to help you handle the ever-increasing volume of incident reports. RTIR builds on all the features of Request Tracker.
Linux Distributions
Collect, Process, and Hunt with host based data from MacOS, Windows, and Linux
Security Onion 16.04 - Linux distro for threat hunting, enterprise security monitoring, and log management
VMware-based appliance used for digital investigation and acquisition and is built entirely from public domain software. Among the tools contained in ADIA are Autopsy, the Sleuth Kit, the Digital Forensics Framework, log2timeline, Xplico, and Wireshark. Most of the system maintenance uses Webmin. It is designed for small-to-medium sized digital investigations and acquisitions. The appliance runs under Linux, Windows, and Mac OS. Both i386 (32-bit) and x86_64 (64-bit) versions are available.
Contains numerous tools that help investigators during their analysis, including forensic evidence collection.
Linux distribution made for computer forensic evidence collection. It comes bundled with the Digital Advanced Response Toolkit (DART) for Windows. A light version of DEFT, called DEFT Zero, is also available, which is focused primarily on forensically sound evidence collection.
Linux distribution that includes a vast collection of best-of-breed open source network security applications useful to the network security professional.
Modified Linux distribution to perform various forenics task in a forensically sound manner. It comes with many open source forensics tools included.
Demonstrates that advanced incident response capabilities and deep dive digital forensic techniques to intrusions can be accomplished using cutting-edge open-source tools that are freely available and frequently updated.
Linux Evidence Collection
Log Analysis Tools
"Evolving AppCompat/AmCache data analysis beyond grep"
Apache Logfile Security Analyzer
CLI utility and Python module for analyzing log files and other data.
Generic Signature Format for SIEM Systems
StreamAlert is a serverless, realtime data analysis framework which empowers you to ingest, analyze, and alert on data from any environment, using datasources and alerting logic you define.
Investigate suspicious activity by visualizing Sysmon's event log
Threat intelligence fusion and analysis tool that integrates threat data feeds with SIEM solutions. Users can immediately leverage threat intelligence for security monitoring and incident report (IR) activities in the workflow of their existing security operations.
Memory Analysis Tools
Web interface for the Volatility Memory Forensics Framework
inVtero.net: A high speed (Gbps) Forensics, Memory integrity & assurance. Includes offensive & defensive memory capabilities. Find/Extract processes, hypervisors (including nested) in memory dumps using microarchitechture independent Virtual Machiene Introspection techniques
LiME (formerly DMD) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports acquiring memory either to the file system of the device or over the network. LiME is unique in that it is the first tool that allows full memory captures from Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.
Volatility plugin for extracts configuration data of known malware
An advanced memory forensics framework
VolatilityBot – An automated memory analyzer for malware samples and memory dumps
VolDiff: Malware Memory Footprint Analysis based on Volatility
Free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images, and on live systems, can include the paging file in its analysis.
Responder PRO is the industry standard physical memory and automated malware analysis solution.
Memory Imaging Tools
Script for automating Linux memory capture and analysis
Tiny free forensic tool to reliably extract the entire content of the computer’s volatile memory – even if protected by an active anti-debugging or anti-dumping system.
Free imaging tool designed to capture the physical memory of a suspect’s computer. Supports recent versions of Windows.
Tool to acquire live memory on 32bit and 64bit systems. A dump of an individual process’s memory space or physical memory dump can be done.
OSX Evidence Collection
macOS Artifact Parsing Tool
OS X Auditor is a free Mac OS X computer forensics tool
A forensic evidence collection & analysis toolkit for OS X
See what's persistently installed on your Mac.
Other Lists
A collective list of public JSON APIs for use in security. Contributions welcome
An updated list of forensic tools created by Eric Zimmerman, an instructor for SANS institute.
Other Tools
Diffy is a triage tool used during cloud-centric security incidents, to help digital forensics and incident response (DFIR) teams quickly identify suspicious hosts on which to focus their response.
A Python DNS crawler to find identical domain names under different TLDs.
Simple Bash IOC Scanner
A modular Python application to pull intelligence about malicious files
The Hunting ELK
Web browser forensics for Google Chrome/Chromium
A modular Python application to collect intelligence for malicious hosts.
Command line utility and Python package to ease the (un)mounting of forensic disk images
A Powershell incident response framework
Online hash checker for Virustotal and other services
PowerSponse is a PowerShell module focused on targeted containment and remediation during incident response.
A simple many-rules to many-files YARA scanner for incident response or malware zoos.
Collecting & Hunting for IOCs with gusto and style
Stenographer is a packet capture solution which aims to quickly spool all packets to disk, then provide simple, fast access to subsets of those packets. Discussion/announcements at [email protected]
A simple threat hunting tool based on osquery, Salt Open and Cymon API
Traceroute improved wrapper for CSIRT and CERT operators
Cortex allows you to analyze observables such as IP and email addresses, URLs, domain names, files or hashes one by one or in bulk mode using a Web interface. Analysts can also automate these operations using its REST API.
Unconventional remote acquisition and triaging tool that allows triage a disk of a remote computer (client) that is restarted with a purposely built forensic operating system.
Collect forensic data about MySQL when problems occur.
Security tool that lets Amazon Web Services administrators assess their environment's security posture.
Windows utility (poorly maintained or no longer maintained) to submit virus samples to AV vendors.
Playbooks
Incident Response Methodologies
Different generic incident response workflows, e.g. for malware outbreak, data theft, unauthorized access,... Every workflow constists of seven steps: prepare, detect, analyze, contain, eradicate, recover, post-incident handling. The workflows are online available or for download.
Documents that describe parts of the PagerDuty Incident Response process. It provides information not only on preparing for an incident, but also what to do during and after. Source is available on GitHub.
Process Dump Tools
Tool that lets you dump the memory contents of a process to a file without stopping the process.
Sandboxing/reversing tools
Malware Configuration And Payload Extraction
Cuckoo Sandbox is an automated dynamic malware analysis system
Modified edition of cuckoo
A Python library to interface with a cuckoo-modified instance
Free and Open Source Reverse Engineering Platform powered by rizin
Malware static analysis framework
UNIX-like reverse engineering framework and command-line toolset
A machine learning tool that ranks strings based on their relevance for malware analysis.
Binary analysis and management framework
A Python library and command line tools to provide interactive log visualization.
Android Malware Analysis as a Service, executed in a native Android environment.
Intezer Analyze dives into Windows binaries to detect micro-code similarities to known threats, in order to provide accurate yet easy-to-understand results.
Joe Sandbox detects and analyzes potential malicious files and URLs on Windows, Android, Mac OS, Linux, and iOS for suspicious activities; providing comprehensive and detailed analysis reports.
Free threat intelligence platform providing multiscanning, data sanitization and vulnerability assesment of files.
Alternative domain for the Hybrid-Analysis tool proivided by CrowdStrike.
Valkyrie uses run-time behavior and hundreds of features from a file to perform analysis.
Free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners.
Timeline tools
post mortem tracker
Super timeline all the things
Collaborative forensic timeline analysis
Free Tool available from Fire/Mandiant that will depict log/text file that can highlight areas on the graphic, that corresponded to a key word or phrase. Good for time lining an infection and what was done post compromise.
Videos
Presented by Bruce Schneier at OWASP AppSecUSA 2015.
Windows Evidence Collection
Windows Live Artifacts Acquisition Script
A modern tool for the Windows kernel exploration and tracing
Invoke-LiveResponse
Incident Response Triage - Windows Evidence Collection for Forensic Analysis
Loki - Simple IOC and Incident Response Scanner
A collection of PowerShell modules designed for artifact gathering and reconnaisance of Windows-based endpoints.
Fast incident overview
PowerForensics provides an all in one platform for live disk forensic analysis
PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally.
RegRipper3.0
Lightweight Windows console application designed to aid in the gathering of system information for incident response and security engagements. It features numerous modules and output formats.
DFIR ORC is a collection of specialized tools dedicated to reliably parse and collect critical artefacts such as the MFT, registry hives or event logs. DFIR ORC collects data, but does not analyze it: it is not meant to triage machines. It provides a forensically relevant snapshot of machines running Microsoft Windows. The code can be found on GitHub.
All-in-one IR Evidence Collector which captures RAM Image, $MFT, EventLogs, WMI Scripts, Registry Hives, System Restore Points and much more. It is FREE, lightning fast and easy to use.
Free tool from Mandiant for collecting host system data and reporting the presence of Indicators of Compromise (IOCs). Support for Windows only.