From 3e462aac5ea370a21cc8dfbc220816f0304354b4 Mon Sep 17 00:00:00 2001 From: Brian Carrier Date: Tue, 27 Sep 2016 23:27:29 -0400 Subject: [PATCH 1/4] Added Cyber Triage. --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index c3f4f41..e7a9cbb 100644 --- a/README.md +++ b/README.md 
@@ -30,6 +30,7 @@ A curated list of tools and resources for security incident response, aimed to h * [Belkasoft Evidence Center](https://belkasoft.com/ec) - The toolkit will quickly extract digital evidence from multiple sources by analyzing hard drives, drive images, memory dumps, iOS, Blackberry and Android backups, UFED, JTAG and chip-off dumps * [CimSweep](https://github.com/PowerShellMafia/CimSweep) - CimSweep is a suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows * [CIRTkit](https://github.com/byt3smith/CIRTKit) - CIRTKit is not just a collection of tools, but also a framework to aid in the ongoing unification of Incident Response and Forensics investigation processes +* [Cyber Triage](http://www.cybertriage.com) - Cyber Triage remotely collects and analyzes endpoint data to help determine if it is compromised. It’s agentless approach and focus on ease of use and automation allows companies to respond without major infrastructure changes and without a team of forensics experts. Its results are used to decide if the system should be erased or investigated further. * [Digital Forensics Framework](http://www.arxsys.fr/discover/) - DFF is an Open Source computer forensics platform built on top of a dedicated Application Programming Interface (API). DFF proposes an alternative to the aging digital forensics solutions used today. Designed for simple use and automation, the DFF interface guides the user through the main steps of a digital investigation so it can be used by both professional and non-expert to quickly and easily conduct a digital investigations and perform incident response * [Doorman](https://github.com/mwielgoszewski/doorman) - Doorman is an osquery fleet manager that allows remote management of osquery configurations retrieved by nodes. 
It takes advantage of osquery's TLS configuration, logger, and distributed read/write endpoints, to give administrators visibility across a fleet of devices with minimal overhead and intrusiveness * [Envdb](https://github.com/mephux/envdb) - Envdb turns your production, dev, cloud, etc environments into a database cluster you can search using osquery as the foundation. It wraps the osquery process with a (cluster) node agent that can communicate back to a central location From bc1c24d75494f00db42e0558ff2e30cc5881874c Mon Sep 17 00:00:00 2001 From: Herman Slatman Date: Thu, 10 Nov 2016 01:20:25 +0100 Subject: [PATCH 2/4] Add TheHive --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 9340084..f1083dd 100644 --- a/README.md +++ b/README.md 
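Review bot: the Cyber Triage line added in the first hunk has a possessive error, "It's agentless approach" should read "Its agentless approach", and the rest of the sentence is vendor copy ("focus on ease of use and automation allows companies to respond without major infrastructure changes and without a team of forensics experts") that says nothing a responder can act on. Trim it to what the tool does, in the same register as the CimSweep and CIRTkit entries around it, e.g. `* [Cyber Triage](http://www.cybertriage.com) - Remotely collects and analyzes endpoint data without deploying an agent, to help determine whether a host is compromised and whether it should be wiped or investigated further`. The link is plain http while the neighbouring entries use https; check whether an https URL is available and use it.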
@@ -46,6 +46,7 @@ A curated list of tools and resources for security incident response, aimed to h * [Osquery](https://osquery.io/) - with osquery you can easily ask questions about your Linux and OSX infrastructure. Whether your goal is intrusion detection, infrastructure reliability, or compliance, osquery gives you the ability to empower and inform a broad set of organizations within your company. Queries in the *incident-response pack* help you detect and respond to breaches * [Redline](https://www.fireeye.com/services/freeware/redline.html) - provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis, and the development of a threat assessment profile * [The Sleuth Kit & Autopsy](http://www.sleuthkit.org) - The Sleuth Kit is a Unix and Windows based tool which helps in forensic analysis of computers. It comes with various tools which helps in digital forensics. These tools help in analyzing disk images, performing in-depth analysis of file systems, and various other things +* [TheHive](https://thehive-project.org/) - TheHive is a scalable 3-in-1 open source and free solution designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly. * [X-Ways Forensics](http://www.x-ways.net/forensics/) - X-Ways is a forensics tool for Disk cloning and imaging. It can be used to find deleted files and disk analysis * [Zentral](https://github.com/zentralopensource/zentral) - combines osquery's powerful endpoint inventory features with a flexible notification and action framework. This enables one to identify and react to changes on OS X and Linux clients. From ccb093b0b17baf1df5bfe5c9383928554a2018ce Mon Sep 17 00:00:00 2001 From: Herman Slatman Date: Sun, 21 Aug 2016 16:15:00 +0200 Subject: [PATCH 3/4] Add VolatilityBot --- README.md | 1 + 1 file changed, 1 insertion(+) 
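Review bot: "scalable 3-in-1 open source and free solution designed to make life easier for SOCs, CSIRTs, CERTs" in the TheHive line is the project's tagline, and it never says what the three parts are or what the tool actually does; replace it with a concrete description of the functionality a reader would use it for, and drop "scalable" and "make life easier" unless the entry explains what they mean. Also confirm the placement: every surrounding entry in this hunk (Osquery, Redline, The Sleuth Kit & Autopsy, X-Ways Forensics, Zentral) is a host collection or forensic analysis tool, so if TheHive is a different kind of tool the README may want it under a different heading rather than slotted in alphabetically here.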
diff --git a/README.md b/README.md index f1083dd..64ce097 100644 --- a/README.md +++ b/README.md @@ -108,6 +108,7 @@ A curated list of tools and resources for security incident response, aimed to h * [Rekall](http://www.rekall-forensic.com/) - Open source tool (and library) for the extraction of digital artifacts from volatile memory (RAM) samples * [Responder PRO](http://www.countertack.com/responder-pro) - Responder PRO is the industry standard physical memory and automated malware analysis solution * [Volatility](https://github.com/volatilityfoundation/volatility) - An advanced memory forensics framework +* [VolatilityBot](https://github.com/mkorman90/VolatilityBot) - VolatilityBot is an automation tool for researchers cuts all the guesswork and manual tasks out of the binary extraction phase, or to help the investigator in the first steps of performing a memory analysis investigation. * [WindowsSCOPE](http://www.windowsscope.com/index.php?page=shop.product_details&flypage=flypage.tpl&product_id=35&category_id=3&option=com_virtuemart) - another memory forensics and reverse engineering tool used for analyzing volatile memory. It is basically used for reverse engineering of malwares. It provides the capability of analyzing the Windows kernel, drivers, DLLs, virtual and physical memory ### Memory Imaging Tools From c22a83df11230a84c71516eb31983ee4b8c43525 Mon Sep 17 00:00:00 2001 From: Herman Slatman Date: Fri, 26 Aug 2016 18:31:00 +0200 Subject: [PATCH 4/4] Add LMG --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 64ce097..1c1a02f 100644 --- a/README.md +++ b/README.md 
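Review bot: the VolatilityBot description in the third hunk is ungrammatical, "is an automation tool for researchers cuts all the guesswork and manual tasks out of the binary extraction phase, or to help the investigator in the first steps" is missing a relative pronoun and mixes two sentence structures. Suggested wording: `* [VolatilityBot](https://github.com/mkorman90/VolatilityBot) - An automation tool for researchers that cuts the guesswork and manual tasks out of the binary extraction phase, and helps an investigator through the first steps of a memory analysis investigation`. Since the entry sits directly under Volatility and carries its name, it is worth stating in the description how it relates to the Volatility framework listed one line above.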
@@ -114,6 +114,7 @@ A curated list of tools and resources for security incident response, aimed to h ### Memory Imaging Tools * [Belkasoft Live RAM Capturer](http://belkasoft.com/ram-capturer) - A tiny free forensic tool to reliably extract the entire content of the computer’s volatile memory – even if protected by an active anti-debugging or anti-dumping system +* [Linux Memory Grabber](https://github.com/halpomeranz/lmg/) - A script for dumping Linux memory and creating Volatility profiles. * [Magnet RAM Capture](https://www.magnetforensics.com/free-tool-magnet-ram-capture/) - Magnet RAM Capture is a free imaging tool designed to capture the physical memory of a suspect’s computer. Supports recent versions of Windows * [OSForensics](http://www.osforensics.com/) - OSForensics can acquire live memory on 32bit and 64bit systems. A dump of an individual process’s memory space or physical memory dump can be done
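Review bot: the Linux Memory Grabber line ends with a full stop while the neighbouring entries (Belkasoft Live RAM Capturer, Magnet RAM Capture, OSForensics) do not, and the same inconsistency shows up in the three earlier additions in this series; settle on one convention for the list before merging. The description is also the thinnest of the four additions: since the entry says it creates Volatility profiles and Volatility is listed in the Memory Analysis Tools section just above, say that the profiles are meant to be used with that tool, and state what the script requires on the target host, because responders reading a memory imaging list need to know what they will be executing on a possibly compromised live system.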