From bedf9f56bf2b0b2599c15356e20596480454a560 Mon Sep 17 00:00:00 2001 From: Explie Date: Wed, 28 Oct 2020 13:22:56 +0100 Subject: [PATCH 01/19] Removing Envdb, replaced by Kolide Envdb is replaced by Kolide which is already in the list --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 67b7d7e..8ffee40 100644 --- a/README.md +++ b/README.md @@ -50,7 +50,6 @@ Digital Forensics and Incident Response (DFIR) teams are groups of people in an * [CIRTkit](https://github.com/byt3smith/CIRTKit) - CIRTKit is not just a collection of tools, but also a framework to aid in the ongoing unification of Incident Response and Forensics investigation processes. * [Cyber Triage](http://www.cybertriage.com) - Cyber Triage remotely collects and analyzes endpoint data to help determine if it is compromised. It’s agentless approach and focus on ease of use and automation allows companies to respond without major infrastructure changes and without a team of forensics experts. Its results are used to decide if the system should be erased or investigated further. * [Doorman](https://github.com/mwielgoszewski/doorman) - osquery fleet manager that allows remote management of osquery configurations retrieved by nodes. It takes advantage of osquery's TLS configuration, logger, and distributed read/write endpoints, to give administrators visibility across a fleet of devices with minimal overhead and intrusiveness. -* [Envdb](https://github.com/mephux/envdb) - Envdb turns your production, dev, cloud, etc environments into a database cluster you can search using osquery as the foundation. It wraps the osquery process with a (cluster) node agent that can communicate back to a central location. * [Falcon Orchestrator](https://github.com/CrowdStrike/falcon-orchestrator) - Extendable Windows-based application that provides workflow automation, case management and security response functionality. * [GRR Rapid Response](https://github.com/google/grr) - Incident response framework focused on remote live forensics. It consists of a python agent (client) that is installed on target systems, and a python server infrastructure that can manage and talk to the agent. Besides the included Python API client, [PowerGRR](https://github.com/swisscom/PowerGRR) provides an API client library in PowerShell working on Windows, Linux and macOS for GRR automation and scripting. * [Kolide Fleet](https://kolide.com/fleet) - State of the art host monitoring platform tailored for security experts. Leveraging Facebook's battle-tested osquery project, Kolide delivers fast answers to big questions. From 57231dfb48dffd973c3fd69be128e83fc6dce871 Mon Sep 17 00:00:00 2001 From: Explie Date: Wed, 28 Oct 2020 13:25:16 +0100 Subject: [PATCH 02/19] Updating LimaCharlie Link Updating link to website since community open source version is no longer maintained --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8ffee40..a214bd5 100644 --- a/README.md +++ b/README.md @@ -53,7 +53,7 @@ Digital Forensics and Incident Response (DFIR) teams are groups of people in an * [Falcon Orchestrator](https://github.com/CrowdStrike/falcon-orchestrator) - Extendable Windows-based application that provides workflow automation, case management and security response functionality. * [GRR Rapid Response](https://github.com/google/grr) - Incident response framework focused on remote live forensics. It consists of a python agent (client) that is installed on target systems, and a python server infrastructure that can manage and talk to the agent. Besides the included Python API client, [PowerGRR](https://github.com/swisscom/PowerGRR) provides an API client library in PowerShell working on Windows, Linux and macOS for GRR automation and scripting. * [Kolide Fleet](https://kolide.com/fleet) - State of the art host monitoring platform tailored for security experts. Leveraging Facebook's battle-tested osquery project, Kolide delivers fast answers to big questions. -* [Limacharlie](https://github.com/refractionpoint/limacharlie) - Endpoint security platform composed of a collection of small projects all working together that gives you a cross-platform (Windows, OSX, Linux, Android and iOS) low-level environment for managing and pushing additional modules into memory to extend its functionality. +* [Limacharlie](https://www.limacharlie.io/) - Endpoint security platform composed of a collection of small projects all working together that gives you a cross-platform (Windows, OSX, Linux, Android and iOS) low-level environment for managing and pushing additional modules into memory to extend its functionality. * [MozDef](https://github.com/mozilla/MozDef) - Automates the security incident handling process and facilitate the real-time activities of incident handlers. * [nightHawk](https://github.com/biggiesmallsAG/nightHawkResponse) - Application built for asynchronus forensic data presentation using ElasticSearch as the backend. It's designed to ingest Redline collections. * [Open Computer Forensics Architecture](http://sourceforge.net/projects/ocfa/) - Another popular distributed open-source computer forensics framework. This framework was built on Linux platform and uses postgreSQL database for storing data. From ec5a86b752cd54ede7b46fc0fd77ad7e6c9d0c43 Mon Sep 17 00:00:00 2001 From: Explie Date: Wed, 28 Oct 2020 13:27:54 +0100 Subject: [PATCH 03/19] Fixing SCOT Link Replacing the unstable gov link with the github repo --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a214bd5..1f76222 100644 --- a/README.md +++ b/README.md @@ -103,7 +103,7 @@ Digital Forensics and Incident Response (DFIR) teams are groups of people in an * [Fast Incident Response (FIR)](https://github.com/certsocietegenerale/FIR/) - Cybersecurity incident management platform designed with agility and speed in mind. It allows for easy creation, tracking, and reporting of cybersecurity incidents and is useful for CSIRTs, CERTs and SOCs alike. * [KAPE](https://www.kroll.com/en/services/cyber-risk/investigate-and-respond/kroll-artifact-parser-extractor-kape) - A triage tool that finds the most prevalent digital artifacts and then parses them quickly. Great and thorough when time is of the essence. * [RTIR](https://www.bestpractical.com/rtir/) - Request Tracker for Incident Response (RTIR) is the premier open source incident handling system targeted for computer security teams. We worked with over a dozen CERT and CSIRT teams around the world to help you handle the ever-increasing volume of incident reports. RTIR builds on all the features of Request Tracker. -* [Sandia Cyber Omni Tracker (SCOT)](http://getscot.sandia.gov/) - Incident Response collaboration and knowledge capture tool focused on flexibility and ease of use. Our goal is to add value to the incident response process without burdening the user. +* [Sandia Cyber Omni Tracker (SCOT)](https://github.com/sandialabs/scot) - Incident Response collaboration and knowledge capture tool focused on flexibility and ease of use. Our goal is to add value to the incident response process without burdening the user. * [threat_note](https://github.com/defpoint/threat_note) - Lightweight investigation notebook that allows security researchers the ability to register and retrieve indicators related to their research. ### Linux Distributions From 19cf0b602a52612f11454d33abdd089ab2f741f2 Mon Sep 17 00:00:00 2001 From: Explie Date: Wed, 28 Oct 2020 13:31:25 +0100 Subject: [PATCH 04/19] Fixing demisto dead links Removing dead demisto links and updating with the replacement tool XSOAR --- README.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/README.md b/README.md index 1f76222..2d601fd 100644 --- a/README.md +++ b/README.md @@ -98,7 +98,7 @@ Digital Forensics and Incident Response (DFIR) teams are groups of people in an * [CyberCPR](https://www.cybercpr.com) - Community and commercial incident management tool with Need-to-Know built in to support GDPR compliance while handling sensitive incidents. * [Cyphon](https://www.cyphon.io/) - Cyphon eliminates the headaches of incident management by streamlining a multitude of related tasks through a single platform. It receives, processes and triages events to provide an all-encompassing solution for your analytic workflow — aggregating data, bundling and prioritizing alerts, and empowering analysts to investigate and document incidents. -* [Demisto](https://www.demisto.com/product/) - Demisto community edition(free) offers full Incident lifecycle management, Incident Closure Reports, team assignments and collaboration, and many integrations to enhance automations (like Active Directory, PagerDuty, Jira and much more). +* [CORTEX XSOAR](https://www.paloaltonetworks.com/cortex/xsoar) - Paloalto security orchestration, automation and response platform with full Incident lifecycle management and many integrations to enhance automations. * [DFIRTrack](https://github.com/stuhli/dfirtrack) - Incident Response tracking application handling one major incident with a lot of affected systems as it is often observed in APT cases. * [Fast Incident Response (FIR)](https://github.com/certsocietegenerale/FIR/) - Cybersecurity incident management platform designed with agility and speed in mind. It allows for easy creation, tracking, and reporting of cybersecurity incidents and is useful for CSIRTs, CERTs and SOCs alike. * [KAPE](https://www.kroll.com/en/services/cyber-risk/investigate-and-respond/kroll-artifact-parser-extractor-kape) - A triage tool that finds the most prevalent digital artifacts and then parses them quickly. Great and thorough when time is of the essence. @@ -194,7 +194,6 @@ Digital Forensics and Incident Response (DFIR) teams are groups of people in an ### Playbooks -* [Demisto Playbooks Collection](https://www.demisto.com/category/playbooks/) - Playbooks collection. * [IRM](https://github.com/certsocietegenerale/IRM) - Incident Response Methodologies by CERT Societe Generale. * [IR Workflow Gallery](https://www.incidentresponse.com/playbooks/) - Different generic incident response workflows, e.g. for malware outbreak, data theft, unauthorized access,... Every workflow constists of seven steps: prepare, detect, analyze, contain, eradicate, recover, post-incident handling. The workflows are online available or for download. * [PagerDuty Incident Response Documentation](https://response.pagerduty.com/) - Documents that describe parts of the PagerDuty Incident Response process. It provides information not only on preparing for an incident, but also what to do during and after. Source is available on [GitHub](https://github.com/PagerDuty/incident-response-docs). @@ -236,7 +235,6 @@ Digital Forensics and Incident Response (DFIR) teams are groups of people in an ### Videos -* [Demisto IR video resources](https://www.demisto.com/category/videos/) - Video Resources for Incident Response and Forensics Tools. * [The Future of Incident Response](https://www.youtube.com/watch?v=bDcx4UNpKNc) - Presented by Bruce Schneier at OWASP AppSecUSA 2015. ### Windows Evidence Collection From 583b1f397d85a32bf019cfc1fb0ecd76663e420e Mon Sep 17 00:00:00 2001 From: Explie Date: Wed, 28 Oct 2020 13:34:06 +0100 Subject: [PATCH 05/19] Removing KnTTools , no longer available KnTTools are no longer available. The only left over artifacts are: https://github.com/yuzhangiot/kntTools --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 2d601fd..8e70356 100644 --- a/README.md +++ b/README.md @@ -135,7 +135,6 @@ Digital Forensics and Incident Response (DFIR) teams are groups of people in an * [Evolve](https://github.com/JamesHabben/evolve) - Web interface for the Volatility Memory Forensics Framework. * [inVtero.net](https://github.com/ShaneK2/inVtero.net) - Advanced memory analysis for Windows x64 with nested hypervisor support. -* [KnTList](http://www.gmgsystemsinc.com/knttools/) - Computer memory analysis tools. * [LiME](https://github.com/504ensicsLabs/LiME) - Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, formerly called DMD. * [MalConfScan](https://github.com/JPCERTCC/MalConfScan) - MalConfScan is a Volatility plugin extracts configuration data of known malware. Volatility is an open-source memory forensics framework for incident response and malware analysis. This tool searches for malware in memory images and dumps configuration data. In addition, this tool has a function to list strings to which malicious code refers. * [Memoryze](https://www.fireeye.com/services/freeware/memoryze.html) - Free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images, and on live systems, can include the paging file in its analysis. From 3492ba4daa82c7704a3bada5ee437e2616ea7b33 Mon Sep 17 00:00:00 2001 From: Explie Date: Wed, 28 Oct 2020 13:36:05 +0100 Subject: [PATCH 06/19] Fixing broken WindowsSCOPE link Fixing broken WindowsSCOPE link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8e70356..eabb8e2 100644 --- a/README.md +++ b/README.md @@ -144,7 +144,7 @@ Digital Forensics and Incident Response (DFIR) teams are groups of people in an * [Volatility](https://github.com/volatilityfoundation/volatility) - Advanced memory forensics framework. * [VolatilityBot](https://github.com/mkorman90/VolatilityBot) - Automation tool for researchers cuts all the guesswork and manual tasks out of the binary extraction phase, or to help the investigator in the first steps of performing a memory analysis investigation. * [VolDiff](https://github.com/aim4r/VolDiff) - Malware Memory Footprint Analysis based on Volatility. -* [WindowsSCOPE](http://www.windowsscope.com/index.php?page=shop.product_details&flypage=flypage.tpl&product_id=35&category_id=3&option=com_virtuemart) - Memory forensics and reverse engineering tool used for analyzing volatile memory offering the capability of analyzing the Windows kernel, drivers, DLLs, and virtual and physical memory. +* [WindowsSCOPE](http://www.windowsscope.com/windowsscope-cyber-forensics/) - Memory forensics and reverse engineering tool used for analyzing volatile memory offering the capability of analyzing the Windows kernel, drivers, DLLs, and virtual and physical memory. ### Memory Imaging Tools From d4e625314c46d6cddc7f3c70d7f746e24537512c Mon Sep 17 00:00:00 2001 From: Explie Date: Wed, 28 Oct 2020 13:36:53 +0100 Subject: [PATCH 07/19] Updating old rastrea2r link Updating old rastrea2r link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index eabb8e2..2b73e53 100644 --- a/README.md +++ b/README.md @@ -180,7 +180,7 @@ Digital Forensics and Incident Response (DFIR) teams are groups of people in an * [Munin](https://github.com/Neo23x0/munin) - Online hash checker for Virustotal and other services. * [PowerSponse](https://github.com/swisscom/PowerSponse) - PowerSponse is a PowerShell module focused on targeted containment and remediation during security incident response. * [PyaraScanner](https://github.com/nogoodconfig/pyarascanner) - Very simple multithreaded many-rules to many-files YARA scanning Python script for malware zoos and IR. -* [rastrea2r](https://github.com/aboutsecurity/rastrea2r) - Allows one to scan disks and memory for IOCs using YARA on Windows, Linux and OS X. +* [rastrea2r](https://github.com/rastrea2r) - Allows one to scan disks and memory for IOCs using YARA on Windows, Linux and OS X. * [RaQet](https://raqet.github.io/) - Unconventional remote acquisition and triaging tool that allows triage a disk of a remote computer (client) that is restarted with a purposely built forensic operating system. * [Stalk](https://www.percona.com/doc/percona-toolkit/2.2/pt-stalk.html) - Collect forensic data about MySQL when problems occur. * [Scout2](https://nccgroup.github.io/Scout2/) - Security tool that lets Amazon Web Services administrators assess their environment's security posture. From 81578c73b2c2bc629535ad27acb514bdc338e49b Mon Sep 17 00:00:00 2001 From: Explie Date: Wed, 28 Oct 2020 13:38:59 +0100 Subject: [PATCH 08/19] Removing searchgiant, no longer available Searchgiant is no longer maintained nor available --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 2b73e53..a1328ff 100644 --- a/README.md +++ b/README.md @@ -184,7 +184,6 @@ Digital Forensics and Incident Response (DFIR) teams are groups of people in an * [RaQet](https://raqet.github.io/) - Unconventional remote acquisition and triaging tool that allows triage a disk of a remote computer (client) that is restarted with a purposely built forensic operating system. * [Stalk](https://www.percona.com/doc/percona-toolkit/2.2/pt-stalk.html) - Collect forensic data about MySQL when problems occur. * [Scout2](https://nccgroup.github.io/Scout2/) - Security tool that lets Amazon Web Services administrators assess their environment's security posture. -* [SearchGiant](https://github.com/jadacyrus/searchgiant_cli) - Command-line utility to acquire forensic data from cloud services. * [Stenographer](https://github.com/google/stenographer) - Packet capture solution which aims to quickly spool all packets to disk, then provide simple, fast access to subsets of those packets. It stores as much history as it possible, managing disk usage, and deleting when disk limits are hit. It's ideal for capturing the traffic just before and during an incident, without the need explicit need to store all of the network traffic. * [sqhunter](https://github.com/0x4d31/sqhunter) - Threat hunter based on osquery and Salt Open (SaltStack) that can issue ad-hoc or distributed queries without the need for osquery's tls plugin. sqhunter allows you to query open network sockets and check them against threat intelligence sources. * [traceroute-circl](https://github.com/CIRCL/traceroute-circl) - Extended traceroute to support the activities of CSIRT (or CERT) operators. Usually CSIRT team have to handle incidents based on IP addresses received. Created by Computer Emergency Responce Center Luxembourg. From 22b39329468c9a505b5570c7785da6dfe6046650 Mon Sep 17 00:00:00 2001 From: Explie Date: Wed, 28 Oct 2020 13:40:46 +0100 Subject: [PATCH 09/19] Updating KnockKnock Link, no longer open source Updating KnockKnock Link, no longer open source --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a1328ff..1ff5acc 100644 --- a/README.md +++ b/README.md @@ -155,7 +155,7 @@ Digital Forensics and Incident Response (DFIR) teams are groups of people in an ### OSX Evidence Collection -* [Knockknock](https://github.com/synack/knockknock) - Displays persistent items(scripts, commands, binaries, etc.) that are set to execute automatically on OSX. +* [Knockknock](https://objective-see.com/products/knockknock.html) - Displays persistent items(scripts, commands, binaries, etc.) that are set to execute automatically on OSX. * [macOS Artifact Parsing Tool (mac_apt)](https://github.com/ydkhatri/mac_apt) - Plugin based forensics framework for quick mac triage that works on live machines, disk images or individual artifact files. * [OSX Auditor](https://github.com/jipegit/OSXAuditor) - Free Mac OS X computer forensics tool. * [OSX Collector](https://github.com/yelp/osxcollector) - OSX Auditor offshoot for live response. From b5cbb95ece16b395e3b85c71243a4307df269e0b Mon Sep 17 00:00:00 2001 From: Explie Date: Wed, 28 Oct 2020 13:43:10 +0100 Subject: [PATCH 10/19] Replacing User Mode Process Dumper with ProcDump The Microsoft User Mode Process Dumper is no longer available. Alternate Sysinternals Tool would be ProcDump --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1ff5acc..cbbad98 100644 --- a/README.md +++ b/README.md @@ -198,7 +198,7 @@ Digital Forensics and Incident Response (DFIR) teams are groups of people in an ### Process Dump Tools -* [Microsoft User Mode Process Dumper](http://www.microsoft.com/en-us/download/details.aspx?id=4060) - Dumps any running Win32 processes memory image on the fly. +* [Microsoft ProcDump](https://docs.microsoft.com/en-us/sysinternals/downloads/procdump) - Dumps any running Win32 processes memory image on the fly. * [PMDump](http://www.ntsecurity.nu/toolbox/pmdump/) - Tool that lets you dump the memory contents of a process to a file without stopping the process. ### Sandboxing/reversing tools From 892d4a694c24c71bceea6e83c7ab4a7cb6da5bde Mon Sep 17 00:00:00 2001 From: Explie Date: Wed, 28 Oct 2020 13:44:01 +0100 Subject: [PATCH 11/19] Updating CAPE with newer Version CAPEv2 Updating CAPE with newer Version CAPEv2 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index cbbad98..f9f7301 100644 --- a/README.md +++ b/README.md @@ -205,7 +205,7 @@ Digital Forensics and Incident Response (DFIR) teams are groups of people in an * [AMAaaS](https://amaaas.com/index.php/AMAaaS/dashboard) - Android Malware Analysis as a Service, executed in a native Android environment. * [Any Run](https://app.any.run/) - Interactive online malware analysis service for dynamic and static research of most types of threats using any environment. -* [CAPE](https://github.com/ctxis/CAPE) - Malware Configuration And Payload Extraction. +* [CAPEv2](https://github.com/kevoreilly/CAPEv2) - Malware Configuration And Payload Extraction. * [Cuckoo](https://github.com/cuckoobox) - Open Source Highly configurable sandboxing tool. * [Cuckoo-modified](https://github.com/spender-sandbox/cuckoo-modified) - Heavily modified Cuckoo fork developed by community. * [Cuckoo-modified-api](https://github.com/keithjjones/cuckoo-modified-api) - Python library to control a cuckoo-modified sandbox. From 98b2496fc905eb8b6bc015ba7a56d29ef30a3247 Mon Sep 17 00:00:00 2001 From: Explie Date: Wed, 28 Oct 2020 13:44:36 +0100 Subject: [PATCH 12/19] Fixing dead Cuckoo SB Link Fixing dead Cuckoo SB Link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f9f7301..760513a 100644 --- a/README.md +++ b/README.md @@ -206,7 +206,7 @@ Digital Forensics and Incident Response (DFIR) teams are groups of people in an * [AMAaaS](https://amaaas.com/index.php/AMAaaS/dashboard) - Android Malware Analysis as a Service, executed in a native Android environment. * [Any Run](https://app.any.run/) - Interactive online malware analysis service for dynamic and static research of most types of threats using any environment. * [CAPEv2](https://github.com/kevoreilly/CAPEv2) - Malware Configuration And Payload Extraction. -* [Cuckoo](https://github.com/cuckoobox) - Open Source Highly configurable sandboxing tool. +* [Cuckoo](https://github.com/cuckoosandbox) - Open Source Highly configurable sandboxing tool. * [Cuckoo-modified](https://github.com/spender-sandbox/cuckoo-modified) - Heavily modified Cuckoo fork developed by community. * [Cuckoo-modified-api](https://github.com/keithjjones/cuckoo-modified-api) - Python library to control a cuckoo-modified sandbox. * [Cutter](https://github.com/radareorg/cutter) - Reverse engineering platform powered by Radare2. From aa6a76b2fe18f19d941fb4774cb01e7d34b700f3 Mon Sep 17 00:00:00 2001 From: Explie Date: Wed, 28 Oct 2020 13:48:58 +0100 Subject: [PATCH 13/19] Removing binforray, no longer available Replaced by https://ericzimmerman.github.io/ --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 760513a..02ba870 100644 --- a/README.md +++ b/README.md @@ -238,7 +238,6 @@ Digital Forensics and Incident Response (DFIR) teams are groups of people in an ### Windows Evidence Collection * [AChoir](https://github.com/OMENScan/AChoir) - Framework/scripting tool to standardize and simplify the process of scripting live acquisition utilities for Windows. -* [Binaryforay](http://binaryforay.blogspot.co.il/p/software.html) - List of free tools for win forensics (http://binaryforay.blogspot.co.il/). * [Crowd Response](http://www.crowdstrike.com/community-tools/) - Lightweight Windows console application designed to aid in the gathering of system information for incident response and security engagements. It features numerous modules and output formats. * [DFIR ORC](https://dfir-orc.github.io/) - DFIR ORC is a collection of specialized tools dedicated to reliably parse and collect critical artefacts such as the MFT, registry hives or event logs. DFIR ORC collects data, but does not analyze it: it is not meant to triage machines. It provides a forensically relevant snapshot of machines running Microsoft Windows. The code can be found on [GitHub](https://github.com/DFIR-ORC/dfir-orc). * [FastIR Collector](https://github.com/SekoiaLab/Fastir_Collector) - Tool that collects different artefacts on live Windows systems and records the results in csv files. With the analyses of these artefacts, an early compromise can be detected. From cc25ebae59dfe157f2374d3f3a5bea59ec5663ea Mon Sep 17 00:00:00 2001 From: Explie Date: Wed, 28 Oct 2020 13:49:54 +0100 Subject: [PATCH 14/19] Removing FECT, no longer maintained nor running Development status FECT is no longer maintained --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 02ba870..4d49d7c 100644 --- a/README.md +++ b/README.md @@ -241,7 +241,6 @@ Digital Forensics and Incident Response (DFIR) teams are groups of people in an * [Crowd Response](http://www.crowdstrike.com/community-tools/) - Lightweight Windows console application designed to aid in the gathering of system information for incident response and security engagements. It features numerous modules and output formats. * [DFIR ORC](https://dfir-orc.github.io/) - DFIR ORC is a collection of specialized tools dedicated to reliably parse and collect critical artefacts such as the MFT, registry hives or event logs. DFIR ORC collects data, but does not analyze it: it is not meant to triage machines. It provides a forensically relevant snapshot of machines running Microsoft Windows. The code can be found on [GitHub](https://github.com/DFIR-ORC/dfir-orc). * [FastIR Collector](https://github.com/SekoiaLab/Fastir_Collector) - Tool that collects different artefacts on live Windows systems and records the results in csv files. With the analyses of these artefacts, an early compromise can be detected. -* [Fast Evidence Collector Toolkit (FECT)](https://github.com/jipegit/FECT) - Light incident response toolkit to collect evidences on a suspicious Windows computer. Basically it is intended to be used by non-tech savvy people working with a journeyman Incident Handler. * [Fibratus](https://github.com/rabbitstack/fibratus) - Tool for exploration and tracing of the Windows kernel. * [IREC](https://binalyze.com/products/irec-free/) - All-in-one IR Evidence Collector which captures RAM Image, $MFT, EventLogs, WMI Scripts, Registry Hives, System Restore Points and much more. It is FREE, lightning fast and easy to use. * [Invoke-LiveResponse](https://github.com/mgreen27/Invoke-LiveResponse) - Invoke-LiveResponse is a live response tool for targeted collection. From 6a69cc8d88addd8af2dc704e8cecd92b25ab93ed Mon Sep 17 00:00:00 2001 From: Explie Date: Wed, 28 Oct 2020 13:51:13 +0100 Subject: [PATCH 15/19] Removing Fidelis TS, no longer available --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 4d49d7c..23f3ef4 100644 --- a/README.md +++ b/README.md @@ -246,7 +246,6 @@ Digital Forensics and Incident Response (DFIR) teams are groups of people in an * [Invoke-LiveResponse](https://github.com/mgreen27/Invoke-LiveResponse) - Invoke-LiveResponse is a live response tool for targeted collection. * [IOC Finder](https://www.fireeye.com/services/freeware/ioc-finder.html) - Free tool from Mandiant for collecting host system data and reporting the presence of Indicators of Compromise (IOCs). Support for Windows only. * [IRTriage](https://github.com/AJMartel/IRTriage) - Incident Response Triage - Windows Evidence Collection for Forensic Analysis. -* [Fidelis ThreatScanner](https://www.fidelissecurity.com/resources/fidelis-threatscanner) - Free tool from Fidelis Cybersecurity that uses OpenIOC and YARA rules to report on the state of an endpoint. The user provides OpenIOC and YARA rules and executes the tool. ThreatScanner measures the state of the system and, when the run is complete, a report for any matching rules is generated. Windows Only. * [LOKI](https://github.com/Neo23x0/Loki) - Free IR scanner for scanning endpoint with yara rules and other indicators(IOCs). * [MEERKAT](https://github.com/TonyPhipps/Meerkat) - PowerShell-based triage and threathunting for Windows. * [Panorama](https://github.com/AlmCo/Panorama) - Fast incident overview on live Windows systems. From f925159070e43e8661f1a76e88590d917f4f0802 Mon Sep 17 00:00:00 2001 From: Explie Date: Wed, 28 Oct 2020 13:52:14 +0100 Subject: [PATCH 16/19] Updating dead RegRipper Link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 23f3ef4..2627dfd 100644 --- a/README.md +++ b/README.md @@ -251,5 +251,5 @@ Digital Forensics and Incident Response (DFIR) teams are groups of people in an * [Panorama](https://github.com/AlmCo/Panorama) - Fast incident overview on live Windows systems. * [PowerForensics](https://github.com/Invoke-IR/PowerForensics) - Live disk forensics platform, using PowerShell. * [PSRecon](https://github.com/gfoss/PSRecon/) - PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally. -* [RegRipper](https://code.google.com/p/regripper/wiki/RegRipper) - Open source tool, written in Perl, for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis. +* [RegRipper](https://github.com/keydet89/RegRipper3.0) - Open source tool, written in Perl, for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis. * [TRIAGE-IR](https://code.google.com/p/triage-ir/) - IR collector for Windows. From ed8a880c4e26e1d569b7813240a461b133a2b03d Mon Sep 17 00:00:00 2001 From: Explie Date: Wed, 28 Oct 2020 13:54:15 +0100 Subject: [PATCH 17/19] Removing TRIAGE-IR, old and unavailable Source code unavailable. Last deployment Nov 9, 2012 --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 2627dfd..e67079e 100644 --- a/README.md +++ b/README.md @@ -252,4 +252,3 @@ Digital Forensics and Incident Response (DFIR) teams are groups of people in an * [PowerForensics](https://github.com/Invoke-IR/PowerForensics) - Live disk forensics platform, using PowerShell. * [PSRecon](https://github.com/gfoss/PSRecon/) - PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally. * [RegRipper](https://github.com/keydet89/RegRipper3.0) - Open source tool, written in Perl, for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis. -* [TRIAGE-IR](https://code.google.com/p/triage-ir/) - IR collector for Windows. From cca8e193cc0043b8f9fa70797eb510dcb69809c5 Mon Sep 17 00:00:00 2001 From: Explie Date: Wed, 28 Oct 2020 13:56:26 +0100 Subject: [PATCH 18/19] Updating IOCFinder description, no longer maintained --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e67079e..732d030 100644 --- a/README.md +++ b/README.md @@ -244,7 +244,7 @@ Digital Forensics and Incident Response (DFIR) teams are groups of people in an * [Fibratus](https://github.com/rabbitstack/fibratus) - Tool for exploration and tracing of the Windows kernel. * [IREC](https://binalyze.com/products/irec-free/) - All-in-one IR Evidence Collector which captures RAM Image, $MFT, EventLogs, WMI Scripts, Registry Hives, System Restore Points and much more. It is FREE, lightning fast and easy to use. * [Invoke-LiveResponse](https://github.com/mgreen27/Invoke-LiveResponse) - Invoke-LiveResponse is a live response tool for targeted collection. -* [IOC Finder](https://www.fireeye.com/services/freeware/ioc-finder.html) - Free tool from Mandiant for collecting host system data and reporting the presence of Indicators of Compromise (IOCs). Support for Windows only. +* [IOC Finder](https://www.fireeye.com/services/freeware/ioc-finder.html) - Free tool from Mandiant for collecting host system data and reporting the presence of Indicators of Compromise (IOCs). Support for Windows only. No longer maintained. Only fully supported up to Windows 7 / Windows Server 2008 R2. * [IRTriage](https://github.com/AJMartel/IRTriage) - Incident Response Triage - Windows Evidence Collection for Forensic Analysis. * [LOKI](https://github.com/Neo23x0/Loki) - Free IR scanner for scanning endpoint with yara rules and other indicators(IOCs). * [MEERKAT](https://github.com/TonyPhipps/Meerkat) - PowerShell-based triage and threathunting for Windows. From 05a18e7b0f1b708b3687240ed43dd6f9de2be62e Mon Sep 17 00:00:00 2001 From: Explie Date: Wed, 28 Oct 2020 16:41:10 +0100 Subject: [PATCH 19/19] Resolving PR comments Resolving Review https://github.com/meirwah/awesome-incident-response/pull/158 --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 732d030..16d55db 100644 --- a/README.md +++ b/README.md @@ -180,7 +180,7 @@ Digital Forensics and Incident Response (DFIR) teams are groups of people in an * [Munin](https://github.com/Neo23x0/munin) - Online hash checker for Virustotal and other services. * [PowerSponse](https://github.com/swisscom/PowerSponse) - PowerSponse is a PowerShell module focused on targeted containment and remediation during security incident response. * [PyaraScanner](https://github.com/nogoodconfig/pyarascanner) - Very simple multithreaded many-rules to many-files YARA scanning Python script for malware zoos and IR. -* [rastrea2r](https://github.com/rastrea2r) - Allows one to scan disks and memory for IOCs using YARA on Windows, Linux and OS X. +* [rastrea2r](https://github.com/rastrea2r/rastrea2r) - Allows one to scan disks and memory for IOCs using YARA on Windows, Linux and OS X. * [RaQet](https://raqet.github.io/) - Unconventional remote acquisition and triaging tool that allows triage a disk of a remote computer (client) that is restarted with a purposely built forensic operating system. * [Stalk](https://www.percona.com/doc/percona-toolkit/2.2/pt-stalk.html) - Collect forensic data about MySQL when problems occur. * [Scout2](https://nccgroup.github.io/Scout2/) - Security tool that lets Amazon Web Services administrators assess their environment's security posture. @@ -206,7 +206,7 @@ Digital Forensics and Incident Response (DFIR) teams are groups of people in an * [AMAaaS](https://amaaas.com/index.php/AMAaaS/dashboard) - Android Malware Analysis as a Service, executed in a native Android environment. * [Any Run](https://app.any.run/) - Interactive online malware analysis service for dynamic and static research of most types of threats using any environment. * [CAPEv2](https://github.com/kevoreilly/CAPEv2) - Malware Configuration And Payload Extraction. -* [Cuckoo](https://github.com/cuckoosandbox) - Open Source Highly configurable sandboxing tool. +* [Cuckoo](https://github.com/cuckoosandbox/cuckoo) - Open Source Highly configurable sandboxing tool. * [Cuckoo-modified](https://github.com/spender-sandbox/cuckoo-modified) - Heavily modified Cuckoo fork developed by community. * [Cuckoo-modified-api](https://github.com/keithjjones/cuckoo-modified-api) - Python library to control a cuckoo-modified sandbox. * [Cutter](https://github.com/radareorg/cutter) - Reverse engineering platform powered by Radare2.