From d6a8e61bd840c2bdb9e09d874aa7cde6a272ab28 Mon Sep 17 00:00:00 2001 From: mikesxrs Date: Wed, 25 Nov 2015 15:19:43 -0500 Subject: [PATCH 1/3] Adding multiple sections Added misc information I have found useful -Highlighter from Fire/Mandiant -RegRipper Registry tool for win forensics -OSX Evidence Section -Sandboxing/reversing tools (both local and online) -Etherpad For document collaboration -Kibana for Big data visualization -Elastic Search for Big Data searching (think log analysis) -Book Section with Amazon link (feel free to change) --- README.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/README.md b/README.md index 91ddf2a..069de0e 100644 --- a/README.md +++ b/README.md @@ -11,8 +11,11 @@ A curated list of tools and resources for security incident response, aimed to h - [All in one tools](#all-in-one-tools) - [Incident Management](#incident-management) - [Windows Evidence Collection](#windows-evidence-collection) +- [OSX Evidence Collection](#osx-evidence-collection) +- [Sandboxing/reversing tools](#sandboxingreversing-tools) - [Other tools](#other-tools) - [Videos](#videos) +- [Books](#books) ## IR tools Collection 
@@ -41,6 +44,7 @@ A curated list of tools and resources for security incident response, aimed to h ### Timeline tools * [Plaso](https://github.com/log2timeline/plaso) - a Python-based backend engine for the tool log2timeline * [Timesketch](https://github.com/google/timesketch) -open source tool for collaborative forensic timeline analysis +* [Highlighter](https://www.fireeye.com/services/freeware/highlighter.html) - Free Tool available from Fire/Mandiant that will depict log/text file that can highlight areas on the graphic, that corresponded to a key word or phrase. Good for time lining an infection and what was done post compromise. ### All in one Tools * [X-Ways Forensics](http://www.x-ways.net/forensics/) - X-Ways is a forensics tool for Disk cloning and imaging. It can be used to find deleted files and disk analysis 
@@ -64,13 +68,29 @@ A curated list of tools and resources for security incident response, aimed to h * [FastIR Collector](https://github.com/SekoiaLab/Fastir_Collector) - FastIR Collector is a tool that collects different artefacts on live Windows systems and records the results in csv files. With the analyses of these artefacts, an early compromise can be detected. * [DumpIt](http://www.moonsols.com/resources/) - DumpIt is used to generate a physical memory dump of Windows machines. It works with both x86 (32-bits) and x64 (64-bits) machines. * [AChoir](https://github.com/OMENScan/AChoir) - Achoir is a framework/scripting tool to standardize and simplify the process of scripting live acquisition utilities for Windows. +* [RegRipper](https://code.google.com/p/regripper/wiki/RegRipper) - Regripper is an open source tool, written in Perl, for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis. +### OSX Evidence Collection +* [OSX Auditor](https://github.com/jipegit/OSXAuditor) - OSX Auditor is a free Mac OS X computer forensics tool + +### Sandboxing/reversing tools +* [Cuckoo](https://github.com/cuckoobox) - Open Source Highly configurable sandboxing tool +* [Mastiff](https://github.com/KoreLogicSecurity/mastiff) - MASTIFF is a static analysis framework that automates the process of extracting key characteristics from a number of different file formats. +* [Viper](https://github.com/viper-framework/viper) - Viper is a python based binary analysis and management framework, that works well with Cuckoo and YARA. 
+* [Virustotal](Virustotal.com) - Virustotal, a subsidiary of Google, is a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners +* [Malwr](malwr.com) - Malwr is a free online malware analysis service and community, which is powered by the Cuckoo Sandbox ### Other Tools * [Hindsight](https://github.com/obsidianforensics/hindsight) - Internet history forensics for Google Chrome/Chromium * [Kansa](https://github.com/davehull/Kansa/) - Kansa is a modular incident response framework in Powershell. * [Stalk](https://www.percona.com/doc/percona-toolkit/2.2/pt-stalk.html) - Collect forensic data about MySQL when problems occur. +* [Etherpad](https://github.com/ether/etherpad-lite) - Good collaboration tool, similar to google doc but doesnt store data in the cloud. +* [Kibana](https://github.com/elastic/kibana) - Big Data analytics and visualization platform +* [Elastic Search](https://github.com/elastic/elasticsearch) - Big Data solution for Real-time searching and analytics ### Videos * [Demisto IR video resources](https://www.demisto.com/category/videos/) - Video Resources for Incident Response and Forensics Tools * [The Future of Incident Response](https://www.youtube.com/watch?v=bDcx4UNpKNc) - Presented by Bruce Schneier at OWASP AppSecUSA 2015. + +### Books + * [The Practice of Network Security Monitoring: Understanding Incident Detection and Response](http://www.amazon.com/gp/product/1593275099) - Richard Bejtlich's book on IR From 0cdb45e3775cb87795a1bdf8bbad0918749bebfa Mon Sep 17 00:00:00 2001 From: mikesxrs Date: Wed, 25 Nov 2015 17:16:00 -0500 Subject: [PATCH 2/3] Update README.md --- README.md | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 069de0e..7ad3c6e 100644 --- a/README.md +++ b/README.md 
@@ -77,16 +77,13 @@ A curated list of tools and resources for security incident response, aimed to h * [Cuckoo](https://github.com/cuckoobox) - Open Source Highly configurable sandboxing tool * [Mastiff](https://github.com/KoreLogicSecurity/mastiff) - MASTIFF is a static analysis framework that automates the process of extracting key characteristics from a number of different file formats. * [Viper](https://github.com/viper-framework/viper) - Viper is a python based binary analysis and management framework, that works well with Cuckoo and YARA. -* [Virustotal](Virustotal.com) - Virustotal, a subsidiary of Google, is a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners -* [Malwr](malwr.com) - Malwr is a free online malware analysis service and community, which is powered by the Cuckoo Sandbox +* [Virustotal](https://irustotal.com) - Virustotal, a subsidiary of Google, is a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners +* [Malwr](https://malwr.com) - Malwr is a free online malware analysis service and community, which is powered by the Cuckoo Sandbox ### Other Tools * [Hindsight](https://github.com/obsidianforensics/hindsight) - Internet history forensics for Google Chrome/Chromium * [Kansa](https://github.com/davehull/Kansa/) - Kansa is a modular incident response framework in Powershell. * [Stalk](https://www.percona.com/doc/percona-toolkit/2.2/pt-stalk.html) - Collect forensic data about MySQL when problems occur. -* [Etherpad](https://github.com/ether/etherpad-lite) - Good collaboration tool, similar to google doc but doesnt store data in the cloud. 
-* [Kibana](https://github.com/elastic/kibana) - Big Data analytics and visualization platform -* [Elastic Search](https://github.com/elastic/elasticsearch) - Big Data solution for Real-time searching and analytics ### Videos * [Demisto IR video resources](https://www.demisto.com/category/videos/) - Video Resources for Incident Response and Forensics Tools From 9d4088fbb457608fc5122010a8ebc232c60ca4a6 Mon Sep 17 00:00:00 2001 From: Mike Worth Date: Wed, 25 Nov 2015 18:01:35 -0500 Subject: [PATCH 3/3] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7ad3c6e..f4d13bf 100644 --- a/README.md +++ b/README.md @@ -77,7 +77,7 @@ A curated list of tools and resources for security incident response, aimed to h * [Cuckoo](https://github.com/cuckoobox) - Open Source Highly configurable sandboxing tool * [Mastiff](https://github.com/KoreLogicSecurity/mastiff) - MASTIFF is a static analysis framework that automates the process of extracting key characteristics from a number of different file formats. * [Viper](https://github.com/viper-framework/viper) - Viper is a python based binary analysis and management framework, that works well with Cuckoo and YARA. -* [Virustotal](https://irustotal.com) - Virustotal, a subsidiary of Google, is a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners +* [Virustotal](https://virustotal.com) - Virustotal, a subsidiary of Google, is a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners * [Malwr](https://malwr.com) - Malwr is a free online malware analysis service and community, which is powered by the Cuckoo Sandbox ### Other Tools
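Review bot: in the Timeline tools hunk of patch 1/3 (`@@ -41,6 +44,7 @@`), the Highlighter description does not parse ("will depict log/text file that can highlight areas on the graphic, that corresponded to a key word or phrase") and the vendor is FireEye/Mandiant, not "Fire/Mandiant". Suggested wording: `* [Highlighter](https://www.fireeye.com/services/freeware/highlighter.html) - Free tool from FireEye/Mandiant that renders a log/text file as a graphic and highlights the lines matching a keyword or phrase; useful for timelining an infection and post-compromise activity.` The neighbouring Plaso and Timesketch entries start their description in lower case after the dash, so the new entry should follow the same convention.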
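Review bot: in the `@@ -64,13 +68,29 @@` hunk of patch 1/3, the Virustotal and Malwr links carry no scheme (`[Virustotal](Virustotal.com)`, `[Malwr](malwr.com)`), so Markdown resolves them relative to the README's own location in the repository instead of pointing at the sites; both need `https://`. Three formatting points in the same hunk: `### OSX Evidence Collection` directly follows the RegRipper line without the blank line every other heading has; the Books entry is indented one space (` * [The Practice ...`), which renders differently from the other lists; and the Etherpad line should read "Google Docs" and "doesn't". The RegRipper link targets code.google.com, which Google announced in 2015 would go read-only and then shut down, so the entry should point at a maintained mirror of the project. Finally, since this list is aimed at incident responders, the Virustotal and Malwr entries should say that uploaded files and URLs are shared with the service's community and vendor partners: samples containing victim data, or indicators the team is not yet ready to expose, should not be submitted to a public service.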
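Review bot: in patch 2/3 (`@@ -77,16 +77,13 @@`), the fix to the Virustotal link drops a character: `+* [Virustotal](https://irustotal.com)` should be `https://virustotal.com`. The same hunk removes the Etherpad, Kibana and Elastic Search entries that patch 1/3 added, yet the commit message is only "Update README.md"; the message should state why the three entries were dropped so that readers of the history do not re-add them.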
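Review bot: patch 3/3 (`@@ -77,7 +77,7 @@`) only repairs the `irustotal` typo that patch 2/3 introduced, so two of the three commits in this series exist to correct the first; squash 2/3 and 3/3 into 1/3 before merging so that no commit in the history carries a broken link. The author line also changes from `mikesxrs` to `Mike Worth` between patches; if both are the same person, a single configured name (or a `.mailmap` entry) keeps the attribution consistent.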