User Experience on mobile might not be great yet, but I'm working on it.

Your first time on this page? Allow me to give some explanations.

Awesome Incident Response

A curated list of tools for incident response

Here you can see meta information about this topic like the time we last updated this page, the original creator of the awesome list and a link to the original GitHub repository.

Last Update: Dec. 1, 2020, 6:05 a.m.

Thank you meirwah & contributors
View Topic on GitHub:
meirwah/awesome-incident-response

Search for resources by name or description.
Simply type in what you are looking for and the results will be filtered on the fly.

Further filter the resources on this page by type (repository/other resource), number of stars on GitHub and time of last commit in months.

Adversary Emulation

A toolset to make a system look as if it was the victim of an APT attack

1.27K
273
2y 5m
MIT

Small and highly portable detection tests based on MITRE's ATT&CK.

4K
1.37K
3d
MIT

Automated Tactics Techniques & Procedures

211
58
1y 20d
n/a

Scalable Automated Adversary Emulation Platform

2.21K
445
7d
Apache-2.0

"Security Incidents In A Box!" A modular, menu-driven, cross-platform tool for building customized, time-delayed, distributed security events. Easily create custom event chains for Blue- & Red Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations. Build event sequences ("narratives") to simulate realistic scenarios and generate corresponding network and filesystem artifacts.

749
138
6m
MIT

An information security preparedness tool to do adversarial simulation.

842
124
2y 5m
MIT

A utility to generate malicious network traffic and evaluate controls

503
93
10m
n/a
768
161
1y 7m
n/a

Virtual Machine for Adversary Emulation and Threat Hunting

947
150
4m
BSD-3-Clause

Software for defensive security training, which will bring your network analysis training sessions, incident response drills and red team engagements to a new level.

All in one Tools

CimSweep is a suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows.

547
136
3y 75d
BSD-3-Clause

Tools for the Computer Incident Response Team

120
24
3y 7m
MIT

an osquery fleet manager

556
93
1y 11m
MIT

CrowdStrike Falcon Orchestrator provides automated workflow and response capabilities

157
52
1y 9m
AGPL-3.0

GRR Rapid Response: remote live forensics for incident response

3.64K
663
6d
Apache-2.0

MozDef: Mozilla Enterprise Defense Platform

2.05K
327
15d
MPL-2.0

Incident Response Forensic Framework

569
132
1y 12d
n/a

Zentral is an open-source solution for infrastructure monitoring and endpoint event stream processing. It provides build-in orchestration of macOS security components (Santa, Osquery, et-al.), event correlation and event management. It consolidates its features with various data store backends (ElasticStack, Azure Log Analytics, Splunk, et-al.).

492
57
4d
Apache-2.0

The toolkit will quickly extract digital evidence from multiple sources by analyzing hard drives, drive images, memory dumps, iOS, Blackberry and Android backups, UFED, JTAG and chip-off dumps.

Cyber Triage remotely collects and analyzes endpoint data to help determine if it is compromised. Itโ€™s agentless approach and focus on ease of use and automation allows companies to respond without major infrastructure changes and without a team of forensics experts. Its results are used to decide if the system should be erased or investigated further.

State of the art host monitoring platform tailored for security experts. Leveraging Facebook's battle-tested osquery project, Kolide delivers fast answers to big questions.

Another popular distributed open-source computer forensics framework. This framework was built on Linux platform and uses postgreSQL database for storing data.

osquery is an instrumentation framework that expose the operating system as a high-performance relational database.

Provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis, and the development of a threat assessment profile.

Unix and Windows based tool which helps in forensic analysis of computers. It comes with various tools which helps in digital forensics. These tools help in analyzing disk images, performing in-depth analysis of file systems, and various other things.

Scalable 3-in-1 open source and free solution designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly.

Forensics tool for Disk cloning and imaging. It can be used to find deleted files and disk analysis.

Books

Communities

Community driven site provididing a list of searches that can be implemented in and executed with a variety of common security tools.

Disk Image Creation Tools

Remote forensics meta tool

350
79
49d
GPL-2.0

Forensics tool whose main purpose is to preview recoverable data from a disk of any kind. FTK Imager can also acquire live memory and paging file on 32bit and 64bit systems.

Windows based program that will acquire, convert, or verify a forensic image in one of the following common forensic file formats.

Free forensic imager for media acquisition on Linux.

ACQUIRE by Magnet Forensics allows various types of disk acquisitions to be performed on Windows, Linux, and OS X as well as mobile operating systems.

Evidence Collection

This is the development tree. For downloads please see:

469
114
44d
n/a

The Cold Disk Quick Response (CDQR) tool is a fast and easy to use forensic artifact parsing tool that works on disk images, mounted drives and extracted artifacts from Windows, Linux, MacOS, and Android devices

285
42
11m
GPL-3.0

CyLR - Live Response Collection Tool

320
54
4m
GPL-3.0

๐Ÿšจ The artifactcollector is a customizable agent to collect forensic artifacts on any Windows, macOS or Linux system

45
7
30d
MIT

A Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response.

297
71
1y 5m
n/a

Remote Memory Acquisition Tool

164
33
2y 5m
MIT

UAC (Unix-like Artifacts Collector) is a command line shell script that makes use of built-in tools to automate the collection of Unix-like systems artifacts. It was created to facilitate and speed up data collection, and depend less on remote support during incident response engagements. Supported systems: AIX, BSD, Linux, macOS and Solaris.

33
7
44d
Apache-2.0

Automated tool that collects volatile data from Windows, OSX, and *nix based operating systems.

Incident Management

DFIRTrack - The Incident Response Tracking Application

220
51
4d
n/a

Fast Incident Response

1.24K
424
88d
GPL-3.0

Sandia Cyber Omni Tracker (SCOT)

203
44
56d
n/a

DPS' Lightweight Investigation Notebook

378
88
4y 109d
Apache-2.0

Community and commercial incident management tool with Need-to-Know built in to support GDPR compliance while handling sensitive incidents.

Cyphon eliminates the headaches of incident management by streamlining a multitude of related tasks through a single platform. It receives, processes and triages events to provide an all-encompassing solution for your analytic workflow โ€” aggregating data, bundling and prioritizing alerts, and empowering analysts to investigate and document incidents.

A triage tool that finds the most prevalent digital artifacts and then parses them quickly. Great and thorough when time is of the essence.

Request Tracker for Incident Response (RTIR) is the premier open source incident handling system targeted for computer security teams. We worked with over a dozen CERT and CSIRT teams around the world to help you handle the ever-increasing volume of incident reports. RTIR builds on all the features of Request Tracker.

Linux Distributions

Collect, Process, and Hunt with host based data from MacOS, Windows, and Linux

393
59
1y 49d
GPL-3.0

Security Onion 16.04 - Linux distro for threat hunting, enterprise security monitoring, and log management

2.8K
500
29d
n/a

VMware-based appliance used for digital investigation and acquisition and is built entirely from public domain software. Among the tools contained in ADIA are Autopsy, the Sleuth Kit, the Digital Forensics Framework, log2timeline, Xplico, and Wireshark. Most of the system maintenance uses Webmin. It is designed for small-to-medium sized digital investigations and acquisitions. The appliance runs under Linux, Windows, and Mac OS. Both i386 (32-bit) and x86_64 (64-bit) versions are available.

Contains numerous tools that help investigators during their analysis, including forensic evidence collection.

Linux distribution made for computer forensic evidence collection. It comes bundled with the Digital Advanced Response Toolkit (DART) for Windows. A light version of DEFT, called DEFT Zero, is also available, which is focused primarily on forensically sound evidence collection.

Linux distribution that includes a vast collection of best-of-breed open source network security applications useful to the network security professional.

Modified Linux distribution to perform various forenics task in a forensically sound manner. It comes with many open source forensics tools included.

Demonstrates that advanced incident response capabilities and deep dive digital forensic techniques to intrusions can be accomplished using cutting-edge open-source tools that are freely available and frequently updated.

Linux Evidence Collection

Log Analysis Tools

"Evolving AppCompat/AmCache data analysis beyond grep"

124
21
5m
Apache-2.0

Apache Logfile Security Analyzer

185
47
1y 9m
GPL-2.0

CLI utility and Python module for analyzing log files and other data.

80
11
9m
MIT

Generic Signature Format for SIEM Systems

3.04K
863
5d
n/a

StreamAlert is a serverless, realtime data analysis framework which empowers you to ingest, analyze, and alert on data from any environment, using datasources and alerting logic you define.

2.41K
301
57d
Apache-2.0

Investigate suspicious activity by visualizing Sysmon's event log

281
45
7m
n/a

Threat intelligence fusion and analysis tool that integrates threat data feeds with SIEM solutions. Users can immediately leverage threat intelligence for security monitoring and incident report (IR) activities in the workflow of their existing security operations.

Memory Analysis Tools

Web interface for the Volatility Memory Forensics Framework

236
38
3y 11d
n/a

inVtero.net: A high speed (Gbps) Forensics, Memory integrity & assurance. Includes offensive & defensive memory capabilities. Find/Extract processes, hypervisors (including nested) in memory dumps using microarchitechture independent Virtual Machiene Introspection techniques

227
54
3y 6d
AGPL-3.0

LiME (formerly DMD) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports acquiring memory either to the file system of the device or over the network. LiME is unique in that it is the first tool that allows full memory captures from Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.

1.07K
225
114d
GPL-2.0

Volatility plugin for extracts configuration data of known malware

299
47
55d
n/a

An advanced memory forensics framework

4.13K
877
107d
GPL-2.0

VolatilityBot โ€“ An automated memory analyzer for malware samples and memory dumps

227
54
4y 54d
n/a

VolDiff: Malware Memory Footprint Analysis based on Volatility

175
49
3y 81d
BSD-2-Clause

Free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images, and on live systems, can include the paging file in its analysis.

Memory analysis framework,

Responder PRO is the industry standard physical memory and automated malware analysis solution.

Memory Imaging Tools

Script for automating Linux memory capture and analysis

205
43
10m
n/a

Tiny free forensic tool to reliably extract the entire content of the computerโ€™s volatile memory โ€“ even if protected by an active anti-debugging or anti-dumping system.

Free imaging tool designed to capture the physical memory of a suspectโ€™s computer. Supports recent versions of Windows.

Tool to acquire live memory on 32bit and 64bit systems. A dump of an individual processโ€™s memory space or physical memory dump can be done.

OSX Evidence Collection

macOS Artifact Parsing Tool

291
51
8d
MIT

OS X Auditor is a free Mac OS X computer forensics tool

3.09K
307
4m
n/a

A forensic evidence collection & analysis toolkit for OS X

1.76K
239
1y 5m
n/a

See what's persistently installed on your Mac.

Other Lists

A collective list of public JSON APIs for use in security. Contributions welcome

480
87
15d
MIT

An updated list of forensic tools created by Eric Zimmerman, an instructor for SANS institute.

Other Tools

Diffy is a triage tool used during cloud-centric security incidents, to help digital forensics and incident response (DFIR) teams quickly identify suspicious hosts on which to focus their response.

538
54
8m
Apache-2.0

A Python DNS crawler to find identical domain names under different TLDs.

13
2
1y 6m
n/a

Simple Bash IOC Scanner

259
58
6m
MIT

A modular Python application to pull intelligence about malicious files

94
20
62d
n/a

The Hunting ELK

2.6K
507
13d
GPL-3.0

Web browser forensics for Google Chrome/Chromium

551
98
6d
Apache-2.0

A modular Python application to collect intelligence for malicious hosts.

205
45
9m
n/a

Command line utility and Python package to ease the (un)mounting of forensic disk images

78
23
6m
MIT

A Powershell incident response framework

1.01K
206
119d
Apache-2.0

Online hash checker for Virustotal and other services

468
92
4m
Apache-2.0

PowerSponse is a PowerShell module focused on targeted containment and remediation during incident response.

26
5
10m
MIT

A simple many-rules to many-files YARA scanner for incident response or malware zoos.

17
3
2y 6m
Apache-2.0

Collecting & Hunting for IOCs with gusto and style

163
41
7m
MIT

Stenographer is a packet capture solution which aims to quickly spool all packets to disk, then provide simple, fast access to subsets of those packets. Discussion/announcements at [email protected]

1.55K
189
59d
Apache-2.0

A simple threat hunting tool based on osquery, Salt Open and Cymon API

58
12
3y 5m
MIT

Traceroute improved wrapper for CSIRT and CERT operators

36
8
9y 6m
GPL-3.0

Cortex allows you to analyze observables such as IP and email addresses, URLs, domain names, files or hashes one by one or in bulk mode using a Web interface. Analysts can also automate these operations using its REST API.

Collaborative Research Into Threats, a

Unconventional remote acquisition and triaging tool that allows triage a disk of a remote computer (client) that is restarted with a purposely built forensic operating system.

Collect forensic data about MySQL when problems occur.

Security tool that lets Amazon Web Services administrators assess their environment's security posture.

Windows utility (poorly maintained or no longer maintained) to submit virus samples to AV vendors.

Playbooks

Incident Response Methodologies

722
151
4y 7m
n/a

Different generic incident response workflows, e.g. for malware outbreak, data theft, unauthorized access,... Every workflow constists of seven steps: prepare, detect, analyze, contain, eradicate, recover, post-incident handling. The workflows are online available or for download.

Documents that describe parts of the PagerDuty Incident Response process. It provides information not only on preparing for an incident, but also what to do during and after. Source is available on GitHub.

Process Dump Tools

Tool that lets you dump the memory contents of a process to a file without stopping the process.

Sandboxing/reversing tools

Malware Configuration And Payload Extraction

291
78
34d
GPL-3.0

Cuckoo Sandbox is an automated dynamic malware analysis system

4.47K
1.52K
34d
GPL-3.0

Modified edition of cuckoo

368
170
3y 7m
n/a

A Python library to interface with a cuckoo-modified instance

15
3
4y 32d
n/a

Free and Open Source Reverse Engineering Platform powered by radare2

8.59K
689
6d
GPL-3.0

Malware static analysis framework

141
41
5y 71d
n/a

UNIX-like reverse engineering framework and command-line toolset

13.48K
2.35K
6d
LGPL-3.0

A machine learning tool that ranks strings based on their relevance for malware analysis.

428
70
8d
Apache-2.0

Binary analysis and management framework

1.36K
358
5m
n/a

A Python library and command line tools to provide interactive log visualization.

123
33
4y 20d
n/a

Android Malware Analysis as a Service, executed in a native Android environment.

Online interactive sandbox.

Intezer Analyze dives into Windows binaries to detect micro-code similarities to known threats, in order to provide accurate yet easy-to-understand results.

Joe Sandbox detects and analyzes potential malicious files and URLs on Windows, Android, Mac OS, Linux, and iOS for suspicious activities; providing comprehensive and detailed analysis reports.

Free threat intelligence platform providing multiscanning, data sanitization and vulnerability assesment of files.

Alternative domain for the Hybrid-Analysis tool proivided by CrowdStrike.

Valkyrie uses run-time behavior and hundreds of features from a file to perform analysis.

Free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners.

Timeline tools

post mortem tracker

945
122
1y 6m
MIT

Super timeline all the things

1K
241
3d
Apache-2.0

Collaborative forensic timeline analysis

1.42K
323
4d
Apache-2.0

Free Tool available from Fire/Mandiant that will depict log/text file that can highlight areas on the graphic, that corresponded to a key word or phrase. Good for time lining an infection and what was done post compromise.

Videos

Presented by Bruce Schneier at OWASP AppSecUSA 2015.

Windows Evidence Collection

Windows Live Artifacts Acquisition Script

140
27
115d
GPL-2.0
422
130
2y 60d
GPL-3.0

Tool for exploration and tracing of the Windows kernel

534
96
5d
n/a

Invoke-LiveResponse

112
24
93d
MIT

Incident Response Triage - Windows Evidence Collection for Forensic Analysis

64
16
4y 7m
n/a

Loki - Simple IOC and Incident Response Scanner

1.74K
404
43d
GPL-3.0

A collection of PowerShell modules designed for artifact gathering and reconnaisance of Windows-based endpoints.

276
57
8d
GPL-3.0

Fast incident overview

26
5
3y 9m
n/a

PowerForensics provides an all in one platform for live disk forensic analysis

1.03K
248
2y 7m
MIT

PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally.

407
103
3y 4m
Apache-2.0

RegRipper3.0

59
14
36d
n/a

Lightweight Windows console application designed to aid in the gathering of system information for incident response and security engagements. It features numerous modules and output formats.

DFIR ORC is a collection of specialized tools dedicated to reliably parse and collect critical artefacts such as the MFT, registry hives or event logs. DFIR ORC collects data, but does not analyze it: it is not meant to triage machines. It provides a forensically relevant snapshot of machines running Microsoft Windows. The code can be found on GitHub.

All-in-one IR Evidence Collector which captures RAM Image, $MFT, EventLogs, WMI Scripts, Registry Hives, System Restore Points and much more. It is FREE, lightning fast and easy to use.

Free tool from Mandiant for collecting host system data and reporting the presence of Indicators of Compromise (IOCs). Support for Windows only.