User Experience on mobile might not be great yet, but I'm working on it.

Your first time on this page? Allow me to give some explanations.

Awesome Incident Response

A curated list of tools for incident response

Here you can see meta information about this topic like the time we last updated this page, the original creator of the awesome list and a link to the original GitHub repository.

Last Update: None

Thank you meirwah & contributors
View Topic on GitHub:
meirwah/awesome-incident-response

Search for resources by name or description.
Simply type in what you are looking for and the results will be filtered on the fly.

Further filter the resources on this page by type (repository/other resource), number of stars on GitHub and time of last commit in months.

Adversary Emulation

A toolset to make a system look as if it was the victim of an APT attack

1.31K
280
2y 8m
MIT

Small and highly portable detection tests based on MITRE's ATT&CK.

4.3K
1.48K
14d
MIT

Automated Tactics Techniques & Procedures

215
59
1y 113d
n/a

Scalable Automated Adversary Emulation Platform

2.41K
482
13d
Apache-2.0

"Security Incidents In A Box!" A modular, menu-driven, cross-platform tool for building customized, time-delayed, distributed security events. Easily create custom event chains for Blue- & Red Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations. Build event sequences ("narratives") to simulate realistic scenarios and generate corresponding network and filesystem artifacts.

767
138
9m
MIT

An information security preparedness tool to do adversarial simulation.

863
125
2y 8m
MIT

A utility to generate malicious network traffic and evaluate controls

522
95
1y 40d
n/a
768
161
1y 10m
n/a

Virtual Machine for Adversary Emulation and Threat Hunting

975
154
7m
BSD-3-Clause

Software for defensive security training, which will bring your network analysis training sessions, incident response drills and red team engagements to a new level.

All in one Tools

CimSweep is a suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows.

555
140
3y 5m
BSD-3-Clause

Tools for the Computer Incident Response Team

122
25
3y 10m
MIT

an osquery fleet manager

564
94
2y 59d
MIT

CrowdStrike Falcon Orchestrator provides automated workflow and response capabilities

156
52
2y 1d
AGPL-3.0

The premier osquery fleet manager.

148
26
40d
n/a

GRR Rapid Response: remote live forensics for incident response

3.72K
669
16d
Apache-2.0

MozDef: Mozilla Enterprise Defense Platform

2.08K
331
37d
MPL-2.0

Incident Response Forensic Framework

571
132
1y 105d
n/a

Zentral is an open-source solution for infrastructure monitoring and endpoint event stream processing. It provides build-in orchestration of macOS security components (Santa, Osquery, et-al.), event correlation and event management. It consolidates its features with various data store backends (ElasticStack, Azure Log Analytics, Splunk, et-al.).

508
63
13d
Apache-2.0

The toolkit will quickly extract digital evidence from multiple sources by analyzing hard drives, drive images, memory dumps, iOS, Blackberry and Android backups, UFED, JTAG and chip-off dumps.

Cyber Triage remotely collects and analyzes endpoint data to help determine if it is compromised. Itโ€™s agentless approach and focus on ease of use and automation allows companies to respond without major infrastructure changes and without a team of forensics experts. Its results are used to decide if the system should be erased or investigated further.

Another popular distributed open-source computer forensics framework. This framework was built on Linux platform and uses postgreSQL database for storing data.

osquery is an instrumentation framework that expose the operating system as a high-performance relational database.

Provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis, and the development of a threat assessment profile.

Unix and Windows based tool which helps in forensic analysis of computers. It comes with various tools which helps in digital forensics. These tools help in analyzing disk images, performing in-depth analysis of file systems, and various other things.

Scalable 3-in-1 open source and free solution designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly.

Forensics tool for Disk cloning and imaging. It can be used to find deleted files and disk analysis.

Books

Communities

Community driven site provididing a list of searches that can be implemented in and executed with a variety of common security tools.

Disk Image Creation Tools

Remote forensics meta tool

354
77
4m
GPL-2.0

Forensics tool whose main purpose is to preview recoverable data from a disk of any kind. FTK Imager can also acquire live memory and paging file on 32bit and 64bit systems.

Windows based program that will acquire, convert, or verify a forensic image in one of the following common forensic file formats.

Free forensic imager for media acquisition on Linux.

ACQUIRE by Magnet Forensics allows various types of disk acquisitions to be performed on Windows, Linux, and OS X as well as mobile operating systems.

Evidence Collection

This is the development tree. For downloads please see:

496
117
4m
n/a

The Cold Disk Quick Response (CDQR) tool is a fast and easy to use forensic artifact parsing tool that works on disk images, mounted drives and extracted artifacts from Windows, Linux, MacOS, and Android devices

292
43
1y 69d
GPL-3.0

CyLR - Live Response Collection Tool

332
57
29d
GPL-3.0

๐Ÿšจ The artifactcollector is a customizable agent to collect forensic artifacts on any Windows, macOS or Linux system

55
7
13d
MIT

A Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response.

309
76
80d
n/a

Remote Memory Acquisition Tool

168
34
2y 8m
MIT

UAC (Unix-like Artifacts Collector) is a command line shell script that makes use of built-in tools to automate the collection of Unix-like systems artifacts. It was created to facilitate and speed up data collection, and depend less on remote support during incident response engagements. Supported systems: AIX, BSD, Linux, macOS and Solaris.

33
7
4m
Apache-2.0

Automated tool that collects volatile data from Windows, OSX, and *nix based operating systems.

Incident Management

DFIRTrack - The Incident Response Tracking Application

229
52
44d
n/a

Fast Incident Response

1.27K
433
27d
GPL-3.0

Sandia Cyber Omni Tracker (SCOT)

203
44
4m
n/a

DPS' Lightweight Investigation Notebook

382
89
4y 6m
Apache-2.0

Community and commercial incident management tool with Need-to-Know built in to support GDPR compliance while handling sensitive incidents.

Cyphon eliminates the headaches of incident management by streamlining a multitude of related tasks through a single platform. It receives, processes and triages events to provide an all-encompassing solution for your analytic workflow โ€” aggregating data, bundling and prioritizing alerts, and empowering analysts to investigate and document incidents.

A triage tool that finds the most prevalent digital artifacts and then parses them quickly. Great and thorough when time is of the essence.

Request Tracker for Incident Response (RTIR) is the premier open source incident handling system targeted for computer security teams. We worked with over a dozen CERT and CSIRT teams around the world to help you handle the ever-increasing volume of incident reports. RTIR builds on all the features of Request Tracker.

Linux Distributions

Collect, Process, and Hunt with host based data from MacOS, Windows, and Linux

402
61
27d
GPL-3.0

Security Onion 16.04 - Linux distro for threat hunting, enterprise security monitoring, and log management

2.88K
517
23d
n/a

VMware-based appliance used for digital investigation and acquisition and is built entirely from public domain software. Among the tools contained in ADIA are Autopsy, the Sleuth Kit, the Digital Forensics Framework, log2timeline, Xplico, and Wireshark. Most of the system maintenance uses Webmin. It is designed for small-to-medium sized digital investigations and acquisitions. The appliance runs under Linux, Windows, and Mac OS. Both i386 (32-bit) and x86_64 (64-bit) versions are available.

Contains numerous tools that help investigators during their analysis, including forensic evidence collection.

Linux distribution made for computer forensic evidence collection. It comes bundled with the Digital Advanced Response Toolkit (DART) for Windows. A light version of DEFT, called DEFT Zero, is also available, which is focused primarily on forensically sound evidence collection.

Linux distribution that includes a vast collection of best-of-breed open source network security applications useful to the network security professional.

Modified Linux distribution to perform various forenics task in a forensically sound manner. It comes with many open source forensics tools included.

Demonstrates that advanced incident response capabilities and deep dive digital forensic techniques to intrusions can be accomplished using cutting-edge open-source tools that are freely available and frequently updated.

Linux Evidence Collection

Log Analysis Tools

"Evolving AppCompat/AmCache data analysis beyond grep"

133
21
8m
Apache-2.0

Apache Logfile Security Analyzer

186
47
2y 11d
GPL-2.0

CLI utility and Python module for analyzing log files and other data.

84
12
24d
MIT

Generic Signature Format for SIEM Systems

3.25K
912
14d
n/a

StreamAlert is a serverless, realtime data analysis framework which empowers you to ingest, analyze, and alert on data from any environment, using datasources and alerting logic you define.

2.46K
303
22d
Apache-2.0

Investigate suspicious activity by visualizing Sysmon's event log

297
45
10m
n/a

Threat intelligence fusion and analysis tool that integrates threat data feeds with SIEM solutions. Users can immediately leverage threat intelligence for security monitoring and incident report (IR) activities in the workflow of their existing security operations.

Memory Analysis Tools

Web interface for the Volatility Memory Forensics Framework

239
39
3y 104d
n/a

inVtero.net: A high speed (Gbps) Forensics, Memory integrity & assurance. Includes offensive & defensive memory capabilities. Find/Extract processes, hypervisors (including nested) in memory dumps using microarchitechture independent Virtual Machiene Introspection techniques

237
53
3y 99d
AGPL-3.0

LiME (formerly DMD) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports acquiring memory either to the file system of the device or over the network. LiME is unique in that it is the first tool that allows full memory captures from Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.

1.11K
235
29d
GPL-2.0

Volatility plugin for extracts configuration data of known malware

324
55
74d
n/a

An advanced memory forensics framework

4.3K
917
83d
GPL-2.0

VolatilityBot โ€“ An automated memory analyzer for malware samples and memory dumps

227
55
4y 4m
n/a

VolDiff: Malware Memory Footprint Analysis based on Volatility

177
49
3y 5m
BSD-2-Clause

Free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images, and on live systems, can include the paging file in its analysis.

Memory analysis framework,

Responder PRO is the industry standard physical memory and automated malware analysis solution.

Memory Imaging Tools

Script for automating Linux memory capture and analysis

205
43
1y 32d
n/a

Tiny free forensic tool to reliably extract the entire content of the computerโ€™s volatile memory โ€“ even if protected by an active anti-debugging or anti-dumping system.

Free imaging tool designed to capture the physical memory of a suspectโ€™s computer. Supports recent versions of Windows.

Tool to acquire live memory on 32bit and 64bit systems. A dump of an individual processโ€™s memory space or physical memory dump can be done.

OSX Evidence Collection

macOS Artifact Parsing Tool

323
56
21d
MIT

OS X Auditor is a free Mac OS X computer forensics tool

3.09K
307
7m
n/a

A forensic evidence collection & analysis toolkit for OS X

1.77K
242
1y 8m
n/a

See what's persistently installed on your Mac.

Other Lists

A collective list of public JSON APIs for use in security. Contributions welcome

502
90
31d
MIT

An updated list of forensic tools created by Eric Zimmerman, an instructor for SANS institute.

Other Tools

Diffy is a triage tool used during cloud-centric security incidents, to help digital forensics and incident response (DFIR) teams quickly identify suspicious hosts on which to focus their response.

551
55
11m
Apache-2.0

A Python DNS crawler to find identical domain names under different TLDs.

15
2
1y 9m
n/a

Simple Bash IOC Scanner

283
62
14d
MIT

A modular Python application to pull intelligence about malicious files

97
21
90d
n/a

The Hunting ELK

2.75K
534
28d
GPL-3.0

Web browser forensics for Google Chrome/Chromium

587
101
28d
Apache-2.0

A modular Python application to collect intelligence for malicious hosts.

211
46
1y 2d
n/a

Command line utility and Python package to ease the (un)mounting of forensic disk images

80
23
9m
MIT

A Powershell incident response framework

1.06K
220
7m
Apache-2.0

Online hash checker for Virustotal and other services

518
98
22d
Apache-2.0

PowerSponse is a PowerShell module focused on targeted containment and remediation during incident response.

27
7
57d
MIT

A simple many-rules to many-files YARA scanner for incident response or malware zoos.

17
3
2y 9m
Apache-2.0

Collecting & Hunting for IOCs with gusto and style

168
43
10m
MIT

Stenographer is a packet capture solution which aims to quickly spool all packets to disk, then provide simple, fast access to subsets of those packets. Discussion/announcements at [email protected]

1.58K
193
101d
Apache-2.0

A simple threat hunting tool based on osquery, Salt Open and Cymon API

58
12
3y 8m
MIT

Traceroute improved wrapper for CSIRT and CERT operators

36
8
9y 9m
GPL-3.0

Cortex allows you to analyze observables such as IP and email addresses, URLs, domain names, files or hashes one by one or in bulk mode using a Web interface. Analysts can also automate these operations using its REST API.

Collaborative Research Into Threats, a

Unconventional remote acquisition and triaging tool that allows triage a disk of a remote computer (client) that is restarted with a purposely built forensic operating system.

Collect forensic data about MySQL when problems occur.

Security tool that lets Amazon Web Services administrators assess their environment's security posture.

Windows utility (poorly maintained or no longer maintained) to submit virus samples to AV vendors.

Playbooks

Incident Response Methodologies

753
163
4y 10m
n/a

Different generic incident response workflows, e.g. for malware outbreak, data theft, unauthorized access,... Every workflow constists of seven steps: prepare, detect, analyze, contain, eradicate, recover, post-incident handling. The workflows are online available or for download.

Documents that describe parts of the PagerDuty Incident Response process. It provides information not only on preparing for an incident, but also what to do during and after. Source is available on GitHub.

Process Dump Tools

Tool that lets you dump the memory contents of a process to a file without stopping the process.

Sandboxing/reversing tools

Malware Configuration And Payload Extraction

291
78
4m
GPL-3.0

Cuckoo Sandbox is an automated dynamic malware analysis system

4.47K
1.52K
4m
GPL-3.0

Modified edition of cuckoo

374
170
3y 10m
n/a

A Python library to interface with a cuckoo-modified instance

15
3
4y 4m
n/a

Free and Open Source Reverse Engineering Platform powered by rizin

8.95K
709
13d
GPL-3.0

Malware static analysis framework

140
41
5y 5m
n/a

UNIX-like reverse engineering framework and command-line toolset

13.97K
2.41K
13d
LGPL-3.0

A machine learning tool that ranks strings based on their relevance for malware analysis.

462
80
92d
Apache-2.0

Binary analysis and management framework

1.39K
363
28d
n/a

A Python library and command line tools to provide interactive log visualization.

128
34
4y 113d
n/a

Android Malware Analysis as a Service, executed in a native Android environment.

Online interactive sandbox.

Intezer Analyze dives into Windows binaries to detect micro-code similarities to known threats, in order to provide accurate yet easy-to-understand results.

Joe Sandbox detects and analyzes potential malicious files and URLs on Windows, Android, Mac OS, Linux, and iOS for suspicious activities; providing comprehensive and detailed analysis reports.

Free threat intelligence platform providing multiscanning, data sanitization and vulnerability assesment of files.

Alternative domain for the Hybrid-Analysis tool proivided by CrowdStrike.

Valkyrie uses run-time behavior and hundreds of features from a file to perform analysis.

Free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners.

Timeline tools

post mortem tracker

963
122
1y 9m
MIT

Super timeline all the things

1.04K
245
16d
Apache-2.0

Collaborative forensic timeline analysis

1.5K
341
14d
Apache-2.0

Free Tool available from Fire/Mandiant that will depict log/text file that can highlight areas on the graphic, that corresponded to a key word or phrase. Good for time lining an infection and what was done post compromise.

Videos

Presented by Bruce Schneier at OWASP AppSecUSA 2015.

Windows Evidence Collection

Windows Live Artifacts Acquisition Script

144
27
61d
GPL-2.0
422
130
2y 5m
GPL-3.0

A modern tool for the Windows kernel exploration and tracing

1.1K
128
13d
n/a

Invoke-LiveResponse

115
25
6m
MIT

Incident Response Triage - Windows Evidence Collection for Forensic Analysis

67
17
4y 10m
n/a

Loki - Simple IOC and Incident Response Scanner

1.85K
426
37d
GPL-3.0

A collection of PowerShell modules designed for artifact gathering and reconnaisance of Windows-based endpoints.

284
61
53d
GPL-3.0

Fast incident overview

27
6
4y 22d
n/a

PowerForensics provides an all in one platform for live disk forensic analysis

1.05K
250
2y 10m
MIT

PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally.

411
104
3y 7m
Apache-2.0

RegRipper3.0

59
14
4m
n/a

Lightweight Windows console application designed to aid in the gathering of system information for incident response and security engagements. It features numerous modules and output formats.

DFIR ORC is a collection of specialized tools dedicated to reliably parse and collect critical artefacts such as the MFT, registry hives or event logs. DFIR ORC collects data, but does not analyze it: it is not meant to triage machines. It provides a forensically relevant snapshot of machines running Microsoft Windows. The code can be found on GitHub.

All-in-one IR Evidence Collector which captures RAM Image, $MFT, EventLogs, WMI Scripts, Registry Hives, System Restore Points and much more. It is FREE, lightning fast and easy to use.

Free tool from Mandiant for collecting host system data and reporting the presence of Indicators of Compromise (IOCs). Support for Windows only.