Awesome Incident Response

Software for defensive security training, which will bring your network analysis training sessions, incident response drills and red team engagements to a new level.

The toolkit will quickly extract digital evidence from multiple sources by analyzing hard drives, drive images, memory dumps, iOS, Blackberry and Android backups, UFED, JTAG and chip-off dumps.

Cyber Triage remotely collects and analyzes endpoint data to help determine if it is compromised. It’s agentless approach and focus on ease of use and automation allows companies to respond without major infrastructure changes and without a team of forensics experts. Its results are used to decide if the system should be erased or investigated further.

Another popular distributed open-source computer forensics framework. This framework was built on Linux platform and uses postgreSQL database for storing data.

osquery is an instrumentation framework that expose the operating system as a high-performance relational database.

Provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis, and the development of a threat assessment profile.

Unix and Windows based tool which helps in forensic analysis of computers. It comes with various tools which helps in digital forensics. These tools help in analyzing disk images, performing in-depth analysis of file systems, and various other things.

Scalable 3-in-1 open source and free solution designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly.

Forensics tool for Disk cloning and imaging. It can be used to find deleted files and disk analysis.

By Scott J. Roberts.

Richard Bejtlich's book on IR.

Community driven site provididing a list of searches that can be implemented in and executed with a variety of common security tools.

Mailing list by SANS for DFIR.

Slack DFIR Communitiy channel - Signup here.

Forensics tool whose main purpose is to preview recoverable data from a disk of any kind. FTK Imager can also acquire live memory and paging file on 32bit and 64bit systems.

Windows based program that will acquire, convert, or verify a forensic image in one of the following common forensic file formats.

Free forensic imager for media acquisition on Linux.

ACQUIRE by Magnet Forensics allows various types of disk acquisitions to be performed on Windows, Linux, and OS X as well as mobile operating systems.

Automated tool that collects volatile data from Windows, OSX, and *nix based operating systems.

Community and commercial incident management tool with Need-to-Know built in to support GDPR compliance while handling sensitive incidents.

Cyphon eliminates the headaches of incident management by streamlining a multitude of related tasks through a single platform. It receives, processes and triages events to provide an all-encompassing solution for your analytic workflow — aggregating data, bundling and prioritizing alerts, and empowering analysts to investigate and document incidents.

A triage tool that finds the most prevalent digital artifacts and then parses them quickly. Great and thorough when time is of the essence.

Request Tracker for Incident Response (RTIR) is the premier open source incident handling system targeted for computer security teams. We worked with over a dozen CERT and CSIRT teams around the world to help you handle the ever-increasing volume of incident reports. RTIR builds on all the features of Request Tracker.

VMware-based appliance used for digital investigation and acquisition and is built entirely from public domain software. Among the tools contained in ADIA are Autopsy, the Sleuth Kit, the Digital Forensics Framework, log2timeline, Xplico, and Wireshark. Most of the system maintenance uses Webmin. It is designed for small-to-medium sized digital investigations and acquisitions. The appliance runs under Linux, Windows, and Mac OS. Both i386 (32-bit) and x86_64 (64-bit) versions are available.

Contains numerous tools that help investigators during their analysis, including forensic evidence collection.

Linux distribution made for computer forensic evidence collection. It comes bundled with the Digital Advanced Response Toolkit (DART) for Windows. A light version of DEFT, called DEFT Zero, is also available, which is focused primarily on forensically sound evidence collection.

Linux distribution that includes a vast collection of best-of-breed open source network security applications useful to the network security professional.

Modified Linux distribution to perform various forenics task in a forensically sound manner. It comes with many open source forensics tools included.

Demonstrates that advanced incident response capabilities and deep dive digital forensic techniques to intrusions can be accomplished using cutting-edge open-source tools that are freely available and frequently updated.

Threat intelligence fusion and analysis tool that integrates threat data feeds with SIEM solutions. Users can immediately leverage threat intelligence for security monitoring and incident report (IR) activities in the workflow of their existing security operations.

Free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images, and on live systems, can include the paging file in its analysis.

Memory analysis framework,

Responder PRO is the industry standard physical memory and automated malware analysis solution.

Tiny free forensic tool to reliably extract the entire content of the computer’s volatile memory – even if protected by an active anti-debugging or anti-dumping system.

Free imaging tool designed to capture the physical memory of a suspect’s computer. Supports recent versions of Windows.

Tool to acquire live memory on 32bit and 64bit systems. A dump of an individual process’s memory space or physical memory dump can be done.

See what's persistently installed on your Mac.

An updated list of forensic tools created by Eric Zimmerman, an instructor for SANS institute.

Cortex allows you to analyze observables such as IP and email addresses, URLs, domain names, files or hashes one by one or in bulk mode using a Web interface. Analysts can also automate these operations using its REST API.

Collaborative Research Into Threats, a

Unconventional remote acquisition and triaging tool that allows triage a disk of a remote computer (client) that is restarted with a purposely built forensic operating system.

Collect forensic data about MySQL when problems occur.

Security tool that lets Amazon Web Services administrators assess their environment's security posture.

Windows utility (poorly maintained or no longer maintained) to submit virus samples to AV vendors.

Different generic incident response workflows, e.g. for malware outbreak, data theft, unauthorized access,... Every workflow constists of seven steps: prepare, detect, analyze, contain, eradicate, recover, post-incident handling. The workflows are online available or for download.

Documents that describe parts of the PagerDuty Incident Response process. It provides information not only on preparing for an incident, but also what to do during and after. Source is available on GitHub.

Tool that lets you dump the memory contents of a process to a file without stopping the process.

Android Malware Analysis as a Service, executed in a native Android environment.

Online interactive sandbox.

Online malware

Intezer Analyze dives into Windows binaries to detect micro-code similarities to known threats, in order to provide accurate yet easy-to-understand results.

Joe Sandbox detects and analyzes potential malicious files and URLs on Windows, Android, Mac OS, Linux, and iOS for suspicious activities; providing comprehensive and detailed analysis reports.

Free threat intelligence platform providing multiscanning, data sanitization and vulnerability assesment of files.

Alternative domain for the Hybrid-Analysis tool proivided by CrowdStrike.

Valkyrie uses run-time behavior and hundreds of features from a file to perform analysis.

Free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners.

Free Tool available from Fire/Mandiant that will depict log/text file that can highlight areas on the graphic, that corresponded to a key word or phrase. Good for time lining an infection and what was done post compromise.

Presented by Bruce Schneier at OWASP AppSecUSA 2015.

Lightweight Windows console application designed to aid in the gathering of system information for incident response and security engagements. It features numerous modules and output formats.

DFIR ORC is a collection of specialized tools dedicated to reliably parse and collect critical artefacts such as the MFT, registry hives or event logs. DFIR ORC collects data, but does not analyze it: it is not meant to triage machines. It provides a forensically relevant snapshot of machines running Microsoft Windows. The code can be found on GitHub.

All-in-one IR Evidence Collector which captures RAM Image, $MFT, EventLogs, WMI Scripts, Registry Hives, System Restore Points and much more. It is FREE, lightning fast and easy to use.

Free tool from Mandiant for collecting host system data and reporting the presence of Indicators of Compromise (IOCs). Support for Windows only.