From e42e2ecec38bdbb97201f6448735235623dd5771 Mon Sep 17 00:00:00 2001 From: Meir Wahnon Date: Mon, 18 Jul 2016 19:50:48 +0300 Subject: [PATCH 01/46] Adding Zentral Adding Zentral to All in one Tools --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 6df8796..c3f4f41 100644 --- a/README.md +++ b/README.md @@ -46,6 +46,7 @@ A curated list of tools and resources for security incident response, aimed to h * [Redline](https://www.fireeye.com/services/freeware/redline.html) - provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis, and the development of a threat assessment profile * [The Sleuth Kit & Autopsy](http://www.sleuthkit.org) - The Sleuth Kit is a Unix and Windows based tool which helps in forensic analysis of computers. It comes with various tools which helps in digital forensics. These tools help in analyzing disk images, performing in-depth analysis of file systems, and various other things * [X-Ways Forensics](http://www.x-ways.net/forensics/) - X-Ways is a forensics tool for Disk cloning and imaging. It can be used to find deleted files and disk analysis +* [Zentral](https://github.com/zentralopensource/zentral) - combines osquery's powerful endpoint inventory features with a flexible notification and action framework. This enables one to identify and react to changes on OS X and Linux clients. ### Books From 662dbd99047d5a3292f9a2ee453ab5f89a180d77 Mon Sep 17 00:00:00 2001 From: "Keith J. Jones" Date: Wed, 31 Aug 2016 10:37:53 -0400 Subject: [PATCH 02/46] Added two keithjjones tools. --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index c3f4f41..86c9277 100644 --- a/README.md +++ b/README.md @@ -133,6 +133,9 @@ A curated list of tools and resources for security incident response, aimed to h * [Stenographer](https://github.com/google/stenographer) - Stenographer is a packet capture solution which aims to quickly spool all packets to disk, then provide simple, fast access to subsets of those packets. It stores as much history as it possible, managing disk usage, and deleting when disk limits are hit. It's ideal for capturing the traffic just before and during an incident, without the need explicit need to store all of the network traffic * [traceroute-circl](https://github.com/CIRCL/traceroute-circl) - traceroute-circl is an extended traceroute to support the activities of CSIRT (or CERT) operators. Usually CSIRT team have to handle incidents based on IP addresses received. Created by Computer Emergency Responce Center Luxembourg * [X-Ray 2.0](https://www.raymond.cc/blog/xray/) - A Windows utility (poorly maintained or no longer maintained) to submit virus samples to AV vendors +* [hostintel](https://github.com/keithjjones/hostintel) - Pull intelligence per host +* [fileintel](https://github.com/keithjjones/fileintel) - Pull intelligence per file hash + ### Playbooks From 07b81326dd8744e32d6c2c3d231dad320368872f Mon Sep 17 00:00:00 2001 From: "Keith J. Jones" Date: Wed, 31 Aug 2016 10:44:50 -0400 Subject: [PATCH 03/46] Alphabetized and capitalized. --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 86c9277..2a47ea1 100644 --- a/README.md +++ b/README.md @@ -124,7 +124,9 @@ A curated list of tools and resources for security incident response, aimed to h * [Crits](https://crits.github.io/) - a web-based tool which combines an analytic engine with a cyber threat database * [Fenrir](https://github.com/Neo23x0/Fenrir) - Fenrir is a simple IOC scanner. It allows scanning any Linux/Unix/OSX system for IOCs in plain bash. Created by the creators of THOR and LOKI +* [Fileintel](https://github.com/keithjjones/fileintel) - Pull intelligence per file hash * [Hindsight](https://github.com/obsidianforensics/hindsight) - Internet history forensics for Google Chrome/Chromium +* [Hostintel](https://github.com/keithjjones/hostintel) - Pull intelligence per host * [Kansa](https://github.com/davehull/Kansa/) - Kansa is a modular incident response framework in Powershell * [rastrea2r](https://github.com/aboutsecurity/rastrea2r) - allows one to scan disks and memory for IOCs using YARA on Windows, Linux and OS X * [RaQet](https://raqet.github.io/) - RaQet is an unconventional remote acquisition and triaging tool that allows triage a disk of a remote computer (client) that is restarted with a purposely built forensic operating system @@ -133,8 +135,6 @@ A curated list of tools and resources for security incident response, aimed to h * [Stenographer](https://github.com/google/stenographer) - Stenographer is a packet capture solution which aims to quickly spool all packets to disk, then provide simple, fast access to subsets of those packets. It stores as much history as it possible, managing disk usage, and deleting when disk limits are hit. It's ideal for capturing the traffic just before and during an incident, without the need explicit need to store all of the network traffic * [traceroute-circl](https://github.com/CIRCL/traceroute-circl) - traceroute-circl is an extended traceroute to support the activities of CSIRT (or CERT) operators. Usually CSIRT team have to handle incidents based on IP addresses received. Created by Computer Emergency Responce Center Luxembourg * [X-Ray 2.0](https://www.raymond.cc/blog/xray/) - A Windows utility (poorly maintained or no longer maintained) to submit virus samples to AV vendors -* [hostintel](https://github.com/keithjjones/hostintel) - Pull intelligence per host -* [fileintel](https://github.com/keithjjones/fileintel) - Pull intelligence per file hash ### Playbooks From 3e462aac5ea370a21cc8dfbc220816f0304354b4 Mon Sep 17 00:00:00 2001 From: Brian Carrier Date: Tue, 27 Sep 2016 23:27:29 -0400 Subject: [PATCH 04/46] Added Cyber Triage. --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index c3f4f41..e7a9cbb 100644 --- a/README.md +++ b/README.md @@ -30,6 +30,7 @@ A curated list of tools and resources for security incident response, aimed to h * [Belkasoft Evidence Center](https://belkasoft.com/ec) - The toolkit will quickly extract digital evidence from multiple sources by analyzing hard drives, drive images, memory dumps, iOS, Blackberry and Android backups, UFED, JTAG and chip-off dumps * [CimSweep](https://github.com/PowerShellMafia/CimSweep) - CimSweep is a suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows * [CIRTkit](https://github.com/byt3smith/CIRTKit) - CIRTKit is not just a collection of tools, but also a framework to aid in the ongoing unification of Incident Response and Forensics investigation processes +* [Cyber Triage](http://www.cybertriage.com) - Cyber Triage remotely collects and analyzes endpoint data to help determine if it is compromised. It’s agentless approach and focus on ease of use and automation allows companies to respond without major infrastructure changes and without a team of forensics experts. Its results are used to decide if the system should be erased or investigated further. * [Digital Forensics Framework](http://www.arxsys.fr/discover/) - DFF is an Open Source computer forensics platform built on top of a dedicated Application Programming Interface (API). DFF proposes an alternative to the aging digital forensics solutions used today. Designed for simple use and automation, the DFF interface guides the user through the main steps of a digital investigation so it can be used by both professional and non-expert to quickly and easily conduct a digital investigations and perform incident response * [Doorman](https://github.com/mwielgoszewski/doorman) - Doorman is an osquery fleet manager that allows remote management of osquery configurations retrieved by nodes. It takes advantage of osquery's TLS configuration, logger, and distributed read/write endpoints, to give administrators visibility across a fleet of devices with minimal overhead and intrusiveness * [Envdb](https://github.com/mephux/envdb) - Envdb turns your production, dev, cloud, etc environments into a database cluster you can search using osquery as the foundation. It wraps the osquery process with a (cluster) node agent that can communicate back to a central location From 518772feb649c3b45a30416158d215d37087ead3 Mon Sep 17 00:00:00 2001 From: "Keith J. Jones" Date: Tue, 4 Oct 2016 16:10:39 -0400 Subject: [PATCH 05/46] Added cuckoo-modified-api --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 2a47ea1..5c7b7d4 100644 --- a/README.md +++ b/README.md @@ -151,6 +151,7 @@ A curated list of tools and resources for security incident response, aimed to h * [Cuckoo](https://github.com/cuckoobox) - Open Source Highly configurable sandboxing tool * [Cuckoo-modified](https://github.com/spender-sandbox/cuckoo-modified) - Heavily modified Cuckoo fork developed by community +* [Cuckoo-modified-api](https://github.com/keithjjones/cuckoo-modified-api) - A Python library to control a cuckoo-modified sandbox * [Hybrid-Analysis](https://www.hybrid-analysis.com/) - Hybrid-Analysis is a free powerful online sandbox by Payload Security * [Malwr](https://malwr.com) - Malwr is a free online malware analysis service and community, which is powered by the Cuckoo Sandbox * [Mastiff](https://github.com/KoreLogicSecurity/mastiff) - MASTIFF is a static analysis framework that automates the process of extracting key characteristics from a number of different file formats From 7743a82fa6e4054602ed6871dfff28be95c6b1d0 Mon Sep 17 00:00:00 2001 From: "Keith J. Jones" Date: Sun, 23 Oct 2016 14:46:05 -0400 Subject: [PATCH 06/46] Added Visualize_Logs. --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 5c7b7d4..b1fa120 100644 --- a/README.md +++ b/README.md @@ -157,6 +157,8 @@ A curated list of tools and resources for security incident response, aimed to h * [Mastiff](https://github.com/KoreLogicSecurity/mastiff) - MASTIFF is a static analysis framework that automates the process of extracting key characteristics from a number of different file formats * [Viper](https://github.com/viper-framework/viper) - Viper is a python based binary analysis and management framework, that works well with Cuckoo and YARA * [Virustotal](https://www.virustotal.com) - Virustotal, a subsidiary of Google, is a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners +* [Visualize_Logs](https://github.com/keithjjones/visualize_logs) - Open source + visualization library and command line tools for logs. (Procmon, more to come...) ### Timeline tools From bc1c24d75494f00db42e0558ff2e30cc5881874c Mon Sep 17 00:00:00 2001 From: Herman Slatman Date: Thu, 10 Nov 2016 01:20:25 +0100 Subject: [PATCH 07/46] Add TheHive --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 9340084..f1083dd 100644 --- a/README.md +++ b/README.md @@ -46,6 +46,7 @@ A curated list of tools and resources for security incident response, aimed to h * [Osquery](https://osquery.io/) - with osquery you can easily ask questions about your Linux and OSX infrastructure. Whether your goal is intrusion detection, infrastructure reliability, or compliance, osquery gives you the ability to empower and inform a broad set of organizations within your company. Queries in the *incident-response pack* help you detect and respond to breaches * [Redline](https://www.fireeye.com/services/freeware/redline.html) - provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis, and the development of a threat assessment profile * [The Sleuth Kit & Autopsy](http://www.sleuthkit.org) - The Sleuth Kit is a Unix and Windows based tool which helps in forensic analysis of computers. It comes with various tools which helps in digital forensics. These tools help in analyzing disk images, performing in-depth analysis of file systems, and various other things +* [TheHive](https://thehive-project.org/) - TheHive is a scalable 3-in-1 open source and free solution designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly. * [X-Ways Forensics](http://www.x-ways.net/forensics/) - X-Ways is a forensics tool for Disk cloning and imaging. It can be used to find deleted files and disk analysis * [Zentral](https://github.com/zentralopensource/zentral) - combines osquery's powerful endpoint inventory features with a flexible notification and action framework. This enables one to identify and react to changes on OS X and Linux clients. From ccb093b0b17baf1df5bfe5c9383928554a2018ce Mon Sep 17 00:00:00 2001 From: Herman Slatman Date: Sun, 21 Aug 2016 16:15:00 +0200 Subject: [PATCH 08/46] Add VolatilityBot --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index f1083dd..64ce097 100644 --- a/README.md +++ b/README.md @@ -108,6 +108,7 @@ A curated list of tools and resources for security incident response, aimed to h * [Rekall](http://www.rekall-forensic.com/) - Open source tool (and library) for the extraction of digital artifacts from volatile memory (RAM) samples * [Responder PRO](http://www.countertack.com/responder-pro) - Responder PRO is the industry standard physical memory and automated malware analysis solution * [Volatility](https://github.com/volatilityfoundation/volatility) - An advanced memory forensics framework +* [VolatilityBot](https://github.com/mkorman90/VolatilityBot) - VolatilityBot is an automation tool for researchers cuts all the guesswork and manual tasks out of the binary extraction phase, or to help the investigator in the first steps of performing a memory analysis investigation. * [WindowsSCOPE](http://www.windowsscope.com/index.php?page=shop.product_details&flypage=flypage.tpl&product_id=35&category_id=3&option=com_virtuemart) - another memory forensics and reverse engineering tool used for analyzing volatile memory. It is basically used for reverse engineering of malwares. It provides the capability of analyzing the Windows kernel, drivers, DLLs, virtual and physical memory ### Memory Imaging Tools From c22a83df11230a84c71516eb31983ee4b8c43525 Mon Sep 17 00:00:00 2001 From: Herman Slatman Date: Fri, 26 Aug 2016 18:31:00 +0200 Subject: [PATCH 09/46] Add LMG --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 64ce097..1c1a02f 100644 --- a/README.md +++ b/README.md @@ -114,6 +114,7 @@ A curated list of tools and resources for security incident response, aimed to h ### Memory Imaging Tools * [Belkasoft Live RAM Capturer](http://belkasoft.com/ram-capturer) - A tiny free forensic tool to reliably extract the entire content of the computer’s volatile memory – even if protected by an active anti-debugging or anti-dumping system +* [Linux Memory Grabber](https://github.com/halpomeranz/lmg/) - A script for dumping Linux memory and creating Volatility profiles. * [Magnet RAM Capture](https://www.magnetforensics.com/free-tool-magnet-ram-capture/) - Magnet RAM Capture is a free imaging tool designed to capture the physical memory of a suspect’s computer. Supports recent versions of Windows * [OSForensics](http://www.osforensics.com/) - OSForensics can acquire live memory on 32bit and 64bit systems. A dump of an individual process’s memory space or physical memory dump can be done From cda1ca8605ad5d3a147a693de9b1df66561beab8 Mon Sep 17 00:00:00 2001 From: "Keith J. Jones" Date: Sat, 12 Nov 2016 11:44:17 -0500 Subject: [PATCH 10/46] Added cuckoo log to project description. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b1fa120..0ed1c36 100644 --- a/README.md +++ b/README.md @@ -158,7 +158,7 @@ A curated list of tools and resources for security incident response, aimed to h * [Viper](https://github.com/viper-framework/viper) - Viper is a python based binary analysis and management framework, that works well with Cuckoo and YARA * [Virustotal](https://www.virustotal.com) - Virustotal, a subsidiary of Google, is a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners * [Visualize_Logs](https://github.com/keithjjones/visualize_logs) - Open source - visualization library and command line tools for logs. (Procmon, more to come...) + visualization library and command line tools for logs. (Cuckoo, Procmon, more to come...) ### Timeline tools From 4f7352617b581b5e54d8d0374294ecfebf6853e7 Mon Sep 17 00:00:00 2001 From: chumstick Date: Wed, 16 Nov 2016 13:54:42 -0500 Subject: [PATCH 11/46] Added "Fidelis ThreatScanner" to Windows tools --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 340dc05..cafb65b 100644 --- a/README.md +++ b/README.md @@ -184,6 +184,7 @@ A curated list of tools and resources for security incident response, aimed to h * [FECT](https://github.com/jipegit/FECT) - Fast Evidence Collector Toolkit (FECT) is a light incident response toolkit to collect evidences on a suspicious Windows computer. Basically it is intended to be used by non-tech savvy people working with a journeyman Incident Handler * [Fibratus](https://github.com/rabbitstack/fibratus) - tool for exploration and tracing of the Windows kernel * [IOC Finder](https://www.fireeye.com/services/freeware/ioc-finder.html) - IOC Finder is a free tool from Mandiant for collecting host system data and reporting the presence of Indicators of Compromise (IOCs). Support for Windows only +* [Fidelis ThreatScanner](https://www.fidelissecurity.com/resources/fidelis-threatscanner) Fidelis ThreatScanner is a free tool from Fidelis Cybersecurity that uses OpenIOC and YARA rules to report on the state of an endpoint. The user provides OpenIOC and YARA rules and executes the tool. ThreatScanner measures the state of the system and, when the run is complete, a report for any matching rules is generated. Windows Only. * [LOKI](https://github.com/Neo23x0/Loki) - Loki is a free IR scanner for scanning endpoint with yara rules and other indicators(IOCs) * [PowerForensics](https://github.com/Invoke-IR/PowerForensics) - Live disk forensics platform, using PowerShell * [PSRecon](https://github.com/gfoss/PSRecon/) - PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally From c71116c3c577d56991dba35bf139e2e935aae9cd Mon Sep 17 00:00:00 2001 From: chumstick Date: Wed, 16 Nov 2016 13:57:21 -0500 Subject: [PATCH 12/46] Fixed Formatting to Conform to Guidelines --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index cafb65b..f62a8bf 100644 --- a/README.md +++ b/README.md @@ -184,7 +184,7 @@ A curated list of tools and resources for security incident response, aimed to h * [FECT](https://github.com/jipegit/FECT) - Fast Evidence Collector Toolkit (FECT) is a light incident response toolkit to collect evidences on a suspicious Windows computer. Basically it is intended to be used by non-tech savvy people working with a journeyman Incident Handler * [Fibratus](https://github.com/rabbitstack/fibratus) - tool for exploration and tracing of the Windows kernel * [IOC Finder](https://www.fireeye.com/services/freeware/ioc-finder.html) - IOC Finder is a free tool from Mandiant for collecting host system data and reporting the presence of Indicators of Compromise (IOCs). Support for Windows only -* [Fidelis ThreatScanner](https://www.fidelissecurity.com/resources/fidelis-threatscanner) Fidelis ThreatScanner is a free tool from Fidelis Cybersecurity that uses OpenIOC and YARA rules to report on the state of an endpoint. The user provides OpenIOC and YARA rules and executes the tool. ThreatScanner measures the state of the system and, when the run is complete, a report for any matching rules is generated. Windows Only. +* [Fidelis ThreatScanner](https://www.fidelissecurity.com/resources/fidelis-threatscanner) - Fidelis ThreatScanner is a free tool from Fidelis Cybersecurity that uses OpenIOC and YARA rules to report on the state of an endpoint. The user provides OpenIOC and YARA rules and executes the tool. ThreatScanner measures the state of the system and, when the run is complete, a report for any matching rules is generated. Windows Only. * [LOKI](https://github.com/Neo23x0/Loki) - Loki is a free IR scanner for scanning endpoint with yara rules and other indicators(IOCs) * [PowerForensics](https://github.com/Invoke-IR/PowerForensics) - Live disk forensics platform, using PowerShell * [PSRecon](https://github.com/gfoss/PSRecon/) - PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally From f79dc0c08d9e87e12e3b63c9df388b93fb5d6a0c Mon Sep 17 00:00:00 2001 From: ktwo/ShaneK2 Date: Fri, 20 Jan 2017 18:57:32 -0800 Subject: [PATCH 13/46] Added inVtero.net Link to my new memory analysis platform ;) --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index f62a8bf..06d4af6 100644 --- a/README.md +++ b/README.md @@ -101,6 +101,7 @@ A curated list of tools and resources for security incident response, aimed to h ### Memory Analysis Tools * [Evolve](https://github.com/JamesHabben/evolve) - Web interface for the Volatility Memory Forensics Framework +* [inVtero.net](https://github.com/ShaneK2/inVtero.net) - Advanced memory analysis for Windows x64 with nested hypervisor support * [KnTList](http://www.gmgsystemsinc.com/knttools/) - Computer memory analysis tools * [LiME](https://github.com/504ensicsLabs/LiME) - LiME (formerly DMD) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices * [Memoryze](https://www.fireeye.com/services/freeware/memoryze.html) - Memoryze by Mandiant is a free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images, and on live systems, can include the paging file in its analysis From 5ffcbf346fd584c6aba513d8b827f5265f169a6b Mon Sep 17 00:00:00 2001 From: Herman Slatman Date: Sat, 21 Jan 2017 09:42:28 +0100 Subject: [PATCH 14/46] Add PagerDuty Incident Response Documentation --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index f62a8bf..7e5eeaf 100644 --- a/README.md +++ b/README.md @@ -145,6 +145,7 @@ A curated list of tools and resources for security incident response, aimed to h * [Demisto Playbooks Collection](https://www.demisto.com/category/playbooks/) - Playbooks collection * [IR Workflow Gallery](https://www.incidentresponse.com/playbooks/) - Different generic incident response workflows, e.g. for malware outbreak, data theft, unauthorized access,... Every workflow constists of seven steps: prepare, detect, analyze, contain, eradicate, recover, post-incident handling. The workflows are online available or for download +* [PagerDuty Incident Response Documentation](https://response.pagerduty.com/) - Documents that describe parts of the PagerDuty Incident Response process. It provides information not only on preparing for an incident, but also what to do during and after. Source is available on [GitHub](https://github.com/PagerDuty/incident-response-docs). ### Process Dump Tools From b8906e9fab6e9d1ed56b752e16f9bd0554e9cb0b Mon Sep 17 00:00:00 2001 From: Saad Kadhi Date: Sat, 4 Feb 2017 18:16:58 +0100 Subject: [PATCH 15/46] add Cortex from TheHive Project --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index ce1f37e..0d42777 100644 --- a/README.md +++ b/README.md @@ -127,6 +127,7 @@ A curated list of tools and resources for security incident response, aimed to h ### Other Tools +* [Cortex](https://thehive-project.org) - Cortex allows you to analyze observables such as IP and email addresses, URLs, domain names, files or hashes one by one or in bulk mode using a Web interface. Analysts can also automate these operations using its REST API. * [Crits](https://crits.github.io/) - a web-based tool which combines an analytic engine with a cyber threat database * [Fenrir](https://github.com/Neo23x0/Fenrir) - Fenrir is a simple IOC scanner. It allows scanning any Linux/Unix/OSX system for IOCs in plain bash. Created by the creators of THOR and LOKI * [Fileintel](https://github.com/keithjjones/fileintel) - Pull intelligence per file hash From e41ab7de89f975e1d3a2c05fdb7baabff0cb5e47 Mon Sep 17 00:00:00 2001 From: Diogo Fernandes Date: Sat, 11 Feb 2017 23:30:48 +0100 Subject: [PATCH 16/46] Added ir-rescue --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 0d42777..0b66e84 100644 --- a/README.md +++ b/README.md @@ -71,6 +71,7 @@ A curated list of tools and resources for security incident response, aimed to h * [bulk_extractor](https://github.com/simsong/bulk_extractor) - bulk_extractor is a computer forensics tool that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. Because of ignoring the file system structure, the program distinguishes itself in terms of speed and thoroughness * [Cold Disk Quick Response](https://github.com/rough007/CDQR) - uses a streamlined list of parsers to quickly analyze a forenisic image file (dd, E01, .vmdk, etc) and output nine reports +* [ir-rescue](https://github.com/diogo-fernan/ir-rescue) - *ir-rescue* is a Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response. * [Live Response Collection](https://www.brimorlabs.com/tools/) - The Live Response collection by BriMor Labs is an automated tool that collects volatile data from Windows, OSX, and *nix based operating systems ### Incident Management From 3e688c6405fd44e65314aec40eafed20082c5a66 Mon Sep 17 00:00:00 2001 From: PolluxAvenger Date: Sat, 18 Feb 2017 21:13:14 +0800 Subject: [PATCH 17/46] =?UTF-8?q?=E5=BA=94=E6=80=A5=E5=93=8D=E5=BA=94?= =?UTF-8?q?=E5=A4=A7=E5=90=88=E9=9B=86?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit awesome 应急响应项目 --- README_ch.md | 196 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 196 insertions(+) create mode 100644 README_ch.md diff --git a/README_ch.md b/README_ch.md new file mode 100644 index 0000000..de60f04 --- /dev/null +++ b/README_ch.md @@ -0,0 +1,196 @@ +# awesome-incident-response +A curated list of tools and resources for security incident response, aimed to help security analysts and [DFIR](http://www.acronymfinder.com/Digital-Forensics%2c-Incident-Response-(DFIR).html) teams. + +[![Awesome](https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg)](https://github.com/sindresorhus/awesome) + +- [All in one tools](#all-in-one-tools) +- [Books](#books) +- [Communities](#communities) +- [Disk Image Creation Tools](#disk-image-creation-tools) +- [Evidence Collection](#evidence-collection) +- [Incident Management](#incident-management) +- [Linux Distributions](#linux-distributions) +- [Linux Evidence Collection](#linux-evidence-collection) +- [Log Analysis Tools](#log-analysis-tools) +- [Memory Analysis Tools](#memory-analysis-tools) +- [Memory Imaging Tools](#memory-imaging-tools) +- [OSX Evidence Collection](#osx-evidence-collection) +- [Other tools](#other-tools) +- [Playbooks](#playbooks) +- [Process Dump Tools](#process-dump-tools) +- [Sandboxing/reversing tools](#sandboxingreversing-tools) +- [Timeline tools](#timeline-tools) +- [Videos](#videos) +- [Windows Evidence Collection](#windows-evidence-collection) + +## IR tools Collection + +### All in one Tools + +* [Belkasoft Evidence Center](https://belkasoft.com/ec) - 该工具包通过分析硬件驱动、驱动镜像、内存转储、iOS、黑莓与安卓系统备份、UFED、JTAG 与 chip-off 转储来快速从多个源提取数字证据 +* [CimSweep](https://github.com/PowerShellMafia/CimSweep) - CimSweep is a suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows +* [CIRTkit](https://github.com/byt3smith/CIRTKit) - CIRTKit is not just a collection of tools, but also a framework to aid in the ongoing unification of Incident Response and Forensics investigation processes +* [Cyber Triage](http://www.cybertriage.com) - Cyber Triage remotely collects and analyzes endpoint data to help determine if it is compromised. It’s agentless approach and focus on ease of use and automation allows companies to respond without major infrastructure changes and without a team of forensics experts. Its results are used to decide if the system should be erased or investigated further. +* [Digital Forensics Framework](http://www.arxsys.fr/discover/) - DFF is an Open Source computer forensics platform built on top of a dedicated Application Programming Interface (API). DFF proposes an alternative to the aging digital forensics solutions used today. Designed for simple use and automation, the DFF interface guides the user through the main steps of a digital investigation so it can be used by both professional and non-expert to quickly and easily conduct a digital investigations and perform incident response +* [Doorman](https://github.com/mwielgoszewski/doorman) - Doorman is an osquery fleet manager that allows remote management of osquery configurations retrieved by nodes. It takes advantage of osquery's TLS configuration, logger, and distributed read/write endpoints, to give administrators visibility across a fleet of devices with minimal overhead and intrusiveness +* [Envdb](https://github.com/mephux/envdb) - Envdb turns your production, dev, cloud, etc environments into a database cluster you can search using osquery as the foundation. It wraps the osquery process with a (cluster) node agent that can communicate back to a central location +* [Falcon Orchestrator](https://github.com/CrowdStrike/falcon-orchestrator) - Falcon Orchestrator by CrowdStrike is an extendable Windows-based application that provides workflow automation, case management and security response functionality. +* [FIDO](https://github.com/Netflix/Fido) - Fully Integrated Defense Operation (FIDO) by Netflix is an orchestration layer used to automate the incident response process by evaluating, assessing and responding to malware. FIDO’s primary purpose is to handle the heavy manual effort needed to evaluate threats coming from today's security stack and the large number of alerts generated by them +* [GRR Rapid Response](https://github.com/google/grr) - GRR Rapid Response is an incident response framework focused on remote live forensics. It consists of a python agent (client) that is installed on target systems, and a python server infrastructure that can manage and talk to the agent +* [Kolide](https://github.com/mephux/kolide) - Kolide is an agentless osquery web interface and remote api server. Kolide was designed to be extremely portable (a single binary) and performant while keeping the codebase simple. It replaces Envdb +* [Limacharlie](https://github.com/refractionpoint/limacharlie) - an endpoint security platform. It is itself a collection of small projects all working together, and gives you a cross-platform (Windows, OSX, Linux, Android and iOS) low-level environment allowing you to manage and push additional modules into memory to extend its functionality +* [MIG](http://mig.mozilla.org/) - Mozilla Investigator (MIG) is a platform to perform investigative surgery on remote endpoints. It enables investigators to obtain information from large numbers of systems in parallel, thus accelerating investigation of incidents and day-to-day operations security +* [MozDef](https://github.com/mozilla/MozDef) - The Mozilla Defense Platform (MozDef) seeks to automate the security incident handling process and facilitate the real-time activities of incident handlers +* [nightHawk](https://github.com/biggiesmallsAG/nightHawkResponse) - the nightHawk Response Platform is an application built for asynchronus forensic data presentation using ElasticSearch as the backend. It's designed to ingest Redline collections. +* [Open Computer Forensics Architecture](http://sourceforge.net/projects/ocfa/) - Open Computer Forensics Architecture (OCFA) is another popular distributed open-source computer forensics framework. This framework was built on Linux platform and uses postgreSQL database for storing data +* [Osquery](https://osquery.io/) - with osquery you can easily ask questions about your Linux and OSX infrastructure. Whether your goal is intrusion detection, infrastructure reliability, or compliance, osquery gives you the ability to empower and inform a broad set of organizations within your company. Queries in the *incident-response pack* help you detect and respond to breaches +* [Redline](https://www.fireeye.com/services/freeware/redline.html) - 为用户提供主机调查工具,通过内存与文件分析来找到恶意行为的活动迹象,包括对威胁评估配置文件的开发 +* [The Sleuth Kit & Autopsy](http://www.sleuthkit.org) - Sleuth Kit 是基于 Unix 和 Windows 的工具,可以帮助计算机取证分析,其中包含各种协助取证的工具,比如分析磁盘镜像、文件系统深度分析等 +* [TheHive](https://thehive-project.org/) - TheHive 是一个可扩展的三个一开源解决方案,旨在让 SOC、CSIRT、CERT 或其他任何信息安全从业人员方便的进行安全事件调查 +* [X-Ways Forensics](http://www.x-ways.net/forensics/) - X-Ways 是一个用于磁盘克隆、镜像的工具,可以查找已经删除的文件并进行磁盘分析 +* [Zentral](https://github.com/zentralopensource/zentral) - 与 osquery 强大的端点清单保护能力相结合,通知与行动都灵活的框架,可以快速对 OS X 与 Linux 客户机上的更改做出识别与响应 + +### Books + +* [Dfir intro](http://sroberts.github.io/2016/01/11/introduction-to-dfir-the-beginning/) - By Scott J. Roberts +* [The Practice of Network Security Monitoring: Understanding Incident Detection and Response](http://www.amazon.com/gp/product/1593275099) - Richard Bejtlich's book on IR + +### Communities + +* [Sans DFIR mailing list](https://lists.sans.org/mailman/listinfo/dfir) - Mailing list by SANS for DFIR +* [Slack DFIR channel](https://dfircommunity.slack.com) - Slack DFIR Communitiy channel - [Signup here](https://rishi28.typeform.com/to/sTbTI8) + +### 磁盘镜像创建工具 + +* [AccessData FTK Imager](http://accessdata.com/product-download/?/support/adownloads#FTKImager) - AccessData FTK Imager is a forensics tool whose main purpose is to preview recoverable data from a disk of any kind. FTK Imager can also acquire live memory and paging file on 32bit and 64bit systems +* [GetData Forensic Imager](http://www.forensicimager.com/) - GetData Forensic Imager is a Windows based program that will acquire, convert, or verify a forensic image in one of the following common forensic file formats +* [Guymager](http://guymager.sourceforge.net) - Guymager is a free forensic imager for media acquisition on Linux +* [Magnet ACQUIRE](https://www.magnetforensics.com/magnet-acquire/) - ACQUIRE by Magnet Forensics allows various types of disk acquisitions to be performed on Windows, Linux, and OS X as well as mobile operating systems. + +### 证据收集 + +* [bulk_extractor](https://github.com/simsong/bulk_extractor) - bulk_extractor 是一个计算机取证工具,可以扫描磁盘映像、文件、文件目录,并在不解析文件系统或文件系统结构的情况下提取有用的信息,由于其忽略了文件系统结构,程序在速度和深入程度上都有了很大的提高 +* [Cold Disk Quick Response](https://github.com/rough007/CDQR) - uses a streamlined list of parsers to quickly analyze a forenisic image file (dd, E01, .vmdk, etc) and output nine reports +* [ir-rescue](https://github.com/diogo-fernan/ir-rescue) - *ir-rescue* is a Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response. +* [Live Response Collection](https://www.brimorlabs.com/tools/) - The Live Response collection by BriMor Labs is an automated tool that collects volatile data from Windows, OSX, and *nix based operating systems + +### Incident Management + +* [FIR](https://github.com/certsocietegenerale/FIR/) - Fast Incident Response (FIR) is an cybersecurity incident management platform designed with agility and speed in mind. It allows for easy creation, tracking, and reporting of cybersecurity incidents and is useful for CSIRTs, CERTs and SOCs alike +* [RTIR](https://www.bestpractical.com/rtir/) - Request Tracker for Incident Response (RTIR) is the premier open source incident handling system targeted for computer security teams. We worked with over a dozen CERT and CSIRT teams around the world to help you handle the ever-increasing volume of incident reports. RTIR builds on all the features of Request Tracker +* [SCOT](http://getscot.sandia.gov/) - Sandia Cyber Omni Tracker (SCOT) is an Incident Response collaboration and knowledge capture tool focused on flexibility and ease of use. Our goal is to add value to the incident response process without burdening the user +* [threat_note](https://github.com/defpoint/threat_note) - A lightweight investigation notebook that allows security researchers the ability to register and retrieve indicators related to their research + +### Linux Distributions + +* [ADIA](https://forensics.cert.org/#ADIA) - The Appliance for Digital Investigation and Analysis (ADIA) is a VMware-based appliance used for digital investigation and acquisition and is built entirely from public domain software. Among the tools contained in ADIA are Autopsy, the Sleuth Kit, the Digital Forensics Framework, log2timeline, Xplico, and Wireshark. Most of the system maintenance uses Webmin. It is designed for small-to-medium sized digital investigations and acquisitions. The appliance runs under Linux, Windows, and Mac OS. Both i386 (32-bit) and x86_64 (64-bit) versions are available. +* [CAINE](http://www.caine-live.net/index.html) - The Computer Aided Investigative Environment (CAINE) contains numerous tools that help investigators during their analysis, including forensic evidence collection +* [DEFT](http://www.deftlinux.net/) - The Digital Evidence & Forensics Toolkit (DEFT) is a Linux distribution made for computer forensic evidence collection. It comes bundled with the Digital Advanced Response Toolkit (DART) for Windows. A light version of DEFT, called DEFT Zero, is also available, which is focused primarily on forensically sound evidence collection +* [NST - Network Security Toolkit](https://sourceforge.net/projects/nst/files/latest/download?source=files) - Linux distribution that includes a vast collection of best-of-breed open source network security applications useful to the network security professional +* [PALADIN](https://sumuri.com/software/paladin/) - PALADIN is a modified Linux distribution to perform various forenics task in a forensically sound manner. It comes with many open source forensics tools included +* [Security Onion](https://github.com/Security-Onion-Solutions/security-onion) - Security Onion is a special Linux distro aimed at network security monitoring featuring advanced analysis tools +* [SIFT Workstation](http://digital-forensics.sans.org/community/downloads) - The SANS Investigative Forensic Toolkit (SIFT) Workstation demonstrates that advanced incident response capabilities and deep dive digital forensic techniques to intrusions can be accomplished using cutting-edge open-source tools that are freely available and frequently updated + +### Linux 证据收集 + +* [FastIR Collector Linux](https://github.com/SekoiaLab/Fastir_Collector_Linux) - FastIR for Linux collects different artefacts on live Linux and records the results in csv files + +### 日志分析工具 + +* [Lorg](https://github.com/jensvoid/lorg) - a tool for advanced HTTPD logfile security analysis and forensics + +### 内存分析工具 + +* [Evolve](https://github.com/JamesHabben/evolve) - Web interface for the Volatility Memory Forensics Framework +* [inVtero.net](https://github.com/ShaneK2/inVtero.net) - Advanced memory analysis for Windows x64 with nested hypervisor support +* [KnTList](http://www.gmgsystemsinc.com/knttools/) - Computer memory analysis tools +* [LiME](https://github.com/504ensicsLabs/LiME) - LiME (formerly DMD) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices +* [Memoryze](https://www.fireeye.com/services/freeware/memoryze.html) - Memoryze by Mandiant is a free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images, and on live systems, can include the paging file in its analysis +* [Memoryze for Mac](https://www.fireeye.com/services/freeware/memoryze-for-the-mac.html) - Memoryze for Mac is Memoryze but then for Macs. A lower number of features, however +* [Rekall](http://www.rekall-forensic.com/) - Open source tool (and library) for the extraction of digital artifacts from volatile memory (RAM) samples +* [Responder PRO](http://www.countertack.com/responder-pro) - Responder PRO is the industry standard physical memory and automated malware analysis solution +* [Volatility](https://github.com/volatilityfoundation/volatility) - An advanced memory forensics framework +* [VolatilityBot](https://github.com/mkorman90/VolatilityBot) - VolatilityBot is an automation tool for researchers cuts all the guesswork and manual tasks out of the binary extraction phase, or to help the investigator in the first steps of performing a memory analysis investigation. +* [WindowsSCOPE](http://www.windowsscope.com/index.php?page=shop.product_details&flypage=flypage.tpl&product_id=35&category_id=3&option=com_virtuemart) - another memory forensics and reverse engineering tool used for analyzing volatile memory. It is basically used for reverse engineering of malwares. It provides the capability of analyzing the Windows kernel, drivers, DLLs, virtual and physical memory + +### 内存镜像工具 + +* [Belkasoft Live RAM Capturer](http://belkasoft.com/ram-capturer) - A tiny free forensic tool to reliably extract the entire content of the computer’s volatile memory – even if protected by an active anti-debugging or anti-dumping system +* [Linux Memory Grabber](https://github.com/halpomeranz/lmg/) - A script for dumping Linux memory and creating Volatility profiles. +* [Magnet RAM Capture](https://www.magnetforensics.com/free-tool-magnet-ram-capture/) - Magnet RAM Capture is a free imaging tool designed to capture the physical memory of a suspect’s computer. Supports recent versions of Windows +* [OSForensics](http://www.osforensics.com/) - OSForensics can acquire live memory on 32bit and 64bit systems. A dump of an individual process’s memory space or physical memory dump can be done + +### OSX 证据收集 + +* [Knockknock](https://github.com/synack/knockknock) - Displays persistent items(scripts, commands, binaries, etc.) that are set to execute automatically on OSX +* [OSX Auditor](https://github.com/jipegit/OSXAuditor) - OSX Auditor is a free Mac OS X computer forensics tool +* [OSX Collector](https://github.com/yelp/osxcollector) - An OSX Auditor offshoot for live response + +### Other Tools + +* [Cortex](https://thehive-project.org) - Cortex allows you to analyze observables such as IP and email addresses, URLs, domain names, files or hashes one by one or in bulk mode using a Web interface. Analysts can also automate these operations using its REST API. +* [Crits](https://crits.github.io/) - a web-based tool which combines an analytic engine with a cyber threat database +* [Fenrir](https://github.com/Neo23x0/Fenrir) - Fenrir is a simple IOC scanner. It allows scanning any Linux/Unix/OSX system for IOCs in plain bash. Created by the creators of THOR and LOKI +* [Fileintel](https://github.com/keithjjones/fileintel) - Pull intelligence per file hash +* [Hindsight](https://github.com/obsidianforensics/hindsight) - Internet history forensics for Google Chrome/Chromium +* [Hostintel](https://github.com/keithjjones/hostintel) - Pull intelligence per host +* [Kansa](https://github.com/davehull/Kansa/) - Kansa is a modular incident response framework in Powershell +* [rastrea2r](https://github.com/aboutsecurity/rastrea2r) - allows one to scan disks and memory for IOCs using YARA on Windows, Linux and OS X +* [RaQet](https://raqet.github.io/) - RaQet is an unconventional remote acquisition and triaging tool that allows triage a disk of a remote computer (client) that is restarted with a purposely built forensic operating system +* [Stalk](https://www.percona.com/doc/percona-toolkit/2.2/pt-stalk.html) - Collect forensic data about MySQL when problems occur +* [SearchGiant](https://github.com/jadacyrus/searchgiant_cli) - a commandline utility to acquire forensic data from cloud services +* [Stenographer](https://github.com/google/stenographer) - Stenographer is a packet capture solution which aims to quickly spool all packets to disk, then provide simple, fast access to subsets of those packets. It stores as much history as it possible, managing disk usage, and deleting when disk limits are hit. It's ideal for capturing the traffic just before and during an incident, without the need explicit need to store all of the network traffic +* [traceroute-circl](https://github.com/CIRCL/traceroute-circl) - traceroute-circl is an extended traceroute to support the activities of CSIRT (or CERT) operators. Usually CSIRT team have to handle incidents based on IP addresses received. Created by Computer Emergency Responce Center Luxembourg +* [X-Ray 2.0](https://www.raymond.cc/blog/xray/) - A Windows utility (poorly maintained or no longer maintained) to submit virus samples to AV vendors + + +### Playbooks + +* [Demisto Playbooks Collection](https://www.demisto.com/category/playbooks/) - Playbooks collection +* [IR Workflow Gallery](https://www.incidentresponse.com/playbooks/) - Different generic incident response workflows, e.g. for malware outbreak, data theft, unauthorized access,... Every workflow constists of seven steps: prepare, detect, analyze, contain, eradicate, recover, post-incident handling. The workflows are online available or for download +* [PagerDuty Incident Response Documentation](https://response.pagerduty.com/) - Documents that describe parts of the PagerDuty Incident Response process. It provides information not only on preparing for an incident, but also what to do during and after. Source is available on [GitHub](https://github.com/PagerDuty/incident-response-docs). + +### 进程 Dump 工具 + +* [Microsoft User Mode Process Dumper](http://www.microsoft.com/en-us/download/details.aspx?id=4060) - The User Mode Process Dumper (userdump) dumps any running Win32 processes memory image on the fly +* [PMDump](http://www.ntsecurity.nu/toolbox/pmdump/) - PMDump is a tool that lets you dump the memory contents of a process to a file without stopping the process + +### Sandboxing/reversing tools + +* [Cuckoo](https://github.com/cuckoobox) - Open Source Highly configurable sandboxing tool +* [Cuckoo-modified](https://github.com/spender-sandbox/cuckoo-modified) - Heavily modified Cuckoo fork developed by community +* [Cuckoo-modified-api](https://github.com/keithjjones/cuckoo-modified-api) - A Python library to control a cuckoo-modified sandbox +* [Hybrid-Analysis](https://www.hybrid-analysis.com/) - Hybrid-Analysis is a free powerful online sandbox by Payload Security +* [Malwr](https://malwr.com) - Malwr is a free online malware analysis service and community, which is powered by the Cuckoo Sandbox +* [Mastiff](https://github.com/KoreLogicSecurity/mastiff) - MASTIFF is a static analysis framework that automates the process of extracting key characteristics from a number of different file formats +* [Viper](https://github.com/viper-framework/viper) - Viper is a python based binary analysis and management framework, that works well with Cuckoo and YARA +* [Virustotal](https://www.virustotal.com) - Virustotal, a subsidiary of Google, is a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners +* [Visualize_Logs](https://github.com/keithjjones/visualize_logs) - Open source + visualization library and command line tools for logs. (Cuckoo, Procmon, more to come...) + +### Timeline tools + +* [Highlighter](https://www.fireeye.com/services/freeware/highlighter.html) - Free Tool available from Fire/Mandiant that will depict log/text file that can highlight areas on the graphic, that corresponded to a key word or phrase. Good for time lining an infection and what was done post compromise +* [Plaso](https://github.com/log2timeline/plaso) - a Python-based backend engine for the tool log2timeline +* [Timesketch](https://github.com/google/timesketch) - open source tool for collaborative forensic timeline analysis + +### Videos + +* [Demisto IR video resources](https://www.demisto.com/category/videos/) - Video Resources for Incident Response and Forensics Tools +* [The Future of Incident Response](https://www.youtube.com/watch?v=bDcx4UNpKNc) - Presented by Bruce Schneier at OWASP AppSecUSA 2015 + +### Windows Evidence Collection + +* [AChoir](https://github.com/OMENScan/AChoir) - Achoir is a framework/scripting tool to standardize and simplify the process of scripting live acquisition utilities for Windows +* [Binaryforay](http://binaryforay.blogspot.co.il/p/software.html) - list of free tools for win forensics (http://binaryforay.blogspot.co.il/) +* [Crowd Response](http://www.crowdstrike.com/community-tools/) - Crowd Response by CrowdStrike is a lightweight Windows console application designed to aid in the gathering of system information for incident response and security engagements. It features numerous modules and output formats +* [FastIR Collector](https://github.com/SekoiaLab/Fastir_Collector) - FastIR Collector is a tool that collects different artefacts on live Windows systems and records the results in csv files. With the analyses of these artefacts, an early compromise can be detected +* [FECT](https://github.com/jipegit/FECT) - Fast Evidence Collector Toolkit (FECT) is a light incident response toolkit to collect evidences on a suspicious Windows computer. Basically it is intended to be used by non-tech savvy people working with a journeyman Incident Handler +* [Fibratus](https://github.com/rabbitstack/fibratus) - tool for exploration and tracing of the Windows kernel +* [IOC Finder](https://www.fireeye.com/services/freeware/ioc-finder.html) - IOC Finder is a free tool from Mandiant for collecting host system data and reporting the presence of Indicators of Compromise (IOCs). Support for Windows only +* [Fidelis ThreatScanner](https://www.fidelissecurity.com/resources/fidelis-threatscanner) - Fidelis ThreatScanner is a free tool from Fidelis Cybersecurity that uses OpenIOC and YARA rules to report on the state of an endpoint. The user provides OpenIOC and YARA rules and executes the tool. ThreatScanner measures the state of the system and, when the run is complete, a report for any matching rules is generated. Windows Only. +* [LOKI](https://github.com/Neo23x0/Loki) - Loki is a free IR scanner for scanning endpoint with yara rules and other indicators(IOCs) +* [PowerForensics](https://github.com/Invoke-IR/PowerForensics) - Live disk forensics platform, using PowerShell +* [PSRecon](https://github.com/gfoss/PSRecon/) - PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally +* [RegRipper](https://code.google.com/p/regripper/wiki/RegRipper) - Regripper is an open source tool, written in Perl, for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis +* [TRIAGE-IR](https://code.google.com/p/triage-ir/) - Triage-IR is a IR collector for Windows \ No newline at end of file From a8008ebde5c4f6af25c3751d6775bc0eef34ce80 Mon Sep 17 00:00:00 2001 From: PolluxAvenger Date: Mon, 20 Feb 2017 16:37:04 +0800 Subject: [PATCH 18/46] =?UTF-8?q?=E5=BA=94=E6=80=A5=E5=93=8D=E5=BA=94?= =?UTF-8?q?=E5=A4=A7=E5=90=88=E9=9B=86?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit awesome 应急响应项目 --- README_ch.md | 159 +++++++++++++++++++++++++-------------------------- 1 file changed, 79 insertions(+), 80 deletions(-) diff --git a/README_ch.md b/README_ch.md index de60f04..7f32474 100644 --- a/README_ch.md +++ b/README_ch.md @@ -34,13 +34,13 @@ A curated list of tools and resources for security incident response, aimed to h * [Digital Forensics Framework](http://www.arxsys.fr/discover/) - DFF is an Open Source computer forensics platform built on top of a dedicated Application Programming Interface (API). DFF proposes an alternative to the aging digital forensics solutions used today. Designed for simple use and automation, the DFF interface guides the user through the main steps of a digital investigation so it can be used by both professional and non-expert to quickly and easily conduct a digital investigations and perform incident response * [Doorman](https://github.com/mwielgoszewski/doorman) - Doorman is an osquery fleet manager that allows remote management of osquery configurations retrieved by nodes. It takes advantage of osquery's TLS configuration, logger, and distributed read/write endpoints, to give administrators visibility across a fleet of devices with minimal overhead and intrusiveness * [Envdb](https://github.com/mephux/envdb) - Envdb turns your production, dev, cloud, etc environments into a database cluster you can search using osquery as the foundation. It wraps the osquery process with a (cluster) node agent that can communicate back to a central location -* [Falcon Orchestrator](https://github.com/CrowdStrike/falcon-orchestrator) - Falcon Orchestrator by CrowdStrike is an extendable Windows-based application that provides workflow automation, case management and security response functionality. +* [Falcon Orchestrator](https://github.com/CrowdStrike/falcon-orchestrator) - Falcon Orchestrator 是由 CrowdStrike 提供的一个基于 Windows 可扩展的应用程序,提供工作流自动化、案例管理与安全应急响应等功能 * [FIDO](https://github.com/Netflix/Fido) - Fully Integrated Defense Operation (FIDO) by Netflix is an orchestration layer used to automate the incident response process by evaluating, assessing and responding to malware. FIDO’s primary purpose is to handle the heavy manual effort needed to evaluate threats coming from today's security stack and the large number of alerts generated by them -* [GRR Rapid Response](https://github.com/google/grr) - GRR Rapid Response is an incident response framework focused on remote live forensics. It consists of a python agent (client) that is installed on target systems, and a python server infrastructure that can manage and talk to the agent +* [GRR Rapid Response](https://github.com/google/grr) - GRR Rapid Response 是一个用来远程现场取证的应急响应框架,其带有一个可以管理客户端的 Python 编写的服务器 * [Kolide](https://github.com/mephux/kolide) - Kolide is an agentless osquery web interface and remote api server. Kolide was designed to be extremely portable (a single binary) and performant while keeping the codebase simple. It replaces Envdb * [Limacharlie](https://github.com/refractionpoint/limacharlie) - an endpoint security platform. It is itself a collection of small projects all working together, and gives you a cross-platform (Windows, OSX, Linux, Android and iOS) low-level environment allowing you to manage and push additional modules into memory to extend its functionality * [MIG](http://mig.mozilla.org/) - Mozilla Investigator (MIG) is a platform to perform investigative surgery on remote endpoints. It enables investigators to obtain information from large numbers of systems in parallel, thus accelerating investigation of incidents and day-to-day operations security -* [MozDef](https://github.com/mozilla/MozDef) - The Mozilla Defense Platform (MozDef) seeks to automate the security incident handling process and facilitate the real-time activities of incident handlers +* [MozDef](https://github.com/mozilla/MozDef) - Mozilla Defense Platform (MozDef) 旨在帮助安全事件处理自动化,并促进事件的实时处理 * [nightHawk](https://github.com/biggiesmallsAG/nightHawkResponse) - the nightHawk Response Platform is an application built for asynchronus forensic data presentation using ElasticSearch as the backend. It's designed to ingest Redline collections. * [Open Computer Forensics Architecture](http://sourceforge.net/projects/ocfa/) - Open Computer Forensics Architecture (OCFA) is another popular distributed open-source computer forensics framework. This framework was built on Linux platform and uses postgreSQL database for storing data * [Osquery](https://osquery.io/) - with osquery you can easily ask questions about your Linux and OSX infrastructure. Whether your goal is intrusion detection, infrastructure reliability, or compliance, osquery gives you the ability to empower and inform a broad set of organizations within your company. Queries in the *incident-response pack* help you detect and respond to breaches @@ -52,8 +52,8 @@ A curated list of tools and resources for security incident response, aimed to h ### Books -* [Dfir intro](http://sroberts.github.io/2016/01/11/introduction-to-dfir-the-beginning/) - By Scott J. Roberts -* [The Practice of Network Security Monitoring: Understanding Incident Detection and Response](http://www.amazon.com/gp/product/1593275099) - Richard Bejtlich's book on IR +* [Dfir intro](http://sroberts.github.io/2016/01/11/introduction-to-dfir-the-beginning/) - 作者:Scott J. Roberts +* [The Practice of Network Security Monitoring: Understanding Incident Detection and Response](http://www.amazon.com/gp/product/1593275099) - 作者:Richard Bejtlich ### Communities @@ -74,123 +74,122 @@ A curated list of tools and resources for security incident response, aimed to h * [ir-rescue](https://github.com/diogo-fernan/ir-rescue) - *ir-rescue* is a Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response. * [Live Response Collection](https://www.brimorlabs.com/tools/) - The Live Response collection by BriMor Labs is an automated tool that collects volatile data from Windows, OSX, and *nix based operating systems -### Incident Management +### 应急管理 -* [FIR](https://github.com/certsocietegenerale/FIR/) - Fast Incident Response (FIR) is an cybersecurity incident management platform designed with agility and speed in mind. It allows for easy creation, tracking, and reporting of cybersecurity incidents and is useful for CSIRTs, CERTs and SOCs alike -* [RTIR](https://www.bestpractical.com/rtir/) - Request Tracker for Incident Response (RTIR) is the premier open source incident handling system targeted for computer security teams. We worked with over a dozen CERT and CSIRT teams around the world to help you handle the ever-increasing volume of incident reports. RTIR builds on all the features of Request Tracker +* [FIR](https://github.com/certsocietegenerale/FIR/) - Fast Incident Response (FIR) 是一个网络安全应急管理平台,在设计时考虑了敏捷性与速度。其可以轻松创建、跟踪、报告网络安全应急事件并用于 CSIRT、CERT 与 SOC 等人员 +* [RTIR](https://www.bestpractical.com/rtir/) - Request Tracker for Incident Response (RTIR) 对于安全团队来说是首要的开源应急处理系统,其与世界各地的十多个 CERT 与 CSIRT 合作,帮助处理不断增加的事件报告,RTIR 包含 Request Tracker 的全部功能 * [SCOT](http://getscot.sandia.gov/) - Sandia Cyber Omni Tracker (SCOT) is an Incident Response collaboration and knowledge capture tool focused on flexibility and ease of use. Our goal is to add value to the incident response process without burdening the user -* [threat_note](https://github.com/defpoint/threat_note) - A lightweight investigation notebook that allows security researchers the ability to register and retrieve indicators related to their research +* [threat_note](https://github.com/defpoint/threat_note) - 一个轻量级的调查笔记,允许安全研究人员注册、检索他们需要的 IOC 数据 -### Linux Distributions +### Linux 发行版 * [ADIA](https://forensics.cert.org/#ADIA) - The Appliance for Digital Investigation and Analysis (ADIA) is a VMware-based appliance used for digital investigation and acquisition and is built entirely from public domain software. Among the tools contained in ADIA are Autopsy, the Sleuth Kit, the Digital Forensics Framework, log2timeline, Xplico, and Wireshark. Most of the system maintenance uses Webmin. It is designed for small-to-medium sized digital investigations and acquisitions. The appliance runs under Linux, Windows, and Mac OS. Both i386 (32-bit) and x86_64 (64-bit) versions are available. -* [CAINE](http://www.caine-live.net/index.html) - The Computer Aided Investigative Environment (CAINE) contains numerous tools that help investigators during their analysis, including forensic evidence collection +* [CAINE](http://www.caine-live.net/index.html) - Computer Aided Investigative Environment (CAINE) 包含许多帮助调查人员进行分析的工具,包括取证工具 * [DEFT](http://www.deftlinux.net/) - The Digital Evidence & Forensics Toolkit (DEFT) is a Linux distribution made for computer forensic evidence collection. It comes bundled with the Digital Advanced Response Toolkit (DART) for Windows. A light version of DEFT, called DEFT Zero, is also available, which is focused primarily on forensically sound evidence collection * [NST - Network Security Toolkit](https://sourceforge.net/projects/nst/files/latest/download?source=files) - Linux distribution that includes a vast collection of best-of-breed open source network security applications useful to the network security professional * [PALADIN](https://sumuri.com/software/paladin/) - PALADIN is a modified Linux distribution to perform various forenics task in a forensically sound manner. It comes with many open source forensics tools included -* [Security Onion](https://github.com/Security-Onion-Solutions/security-onion) - Security Onion is a special Linux distro aimed at network security monitoring featuring advanced analysis tools +* [Security Onion](https://github.com/Security-Onion-Solutions/security-onion) - Security Onion 是一个特殊的 Linux 发行版,旨在利用高级的分析工具进行网络安全监控 * [SIFT Workstation](http://digital-forensics.sans.org/community/downloads) - The SANS Investigative Forensic Toolkit (SIFT) Workstation demonstrates that advanced incident response capabilities and deep dive digital forensic techniques to intrusions can be accomplished using cutting-edge open-source tools that are freely available and frequently updated ### Linux 证据收集 -* [FastIR Collector Linux](https://github.com/SekoiaLab/Fastir_Collector_Linux) - FastIR for Linux collects different artefacts on live Linux and records the results in csv files +* [FastIR Collector Linux](https://github.com/SekoiaLab/Fastir_Collector_Linux) - FastIR 在 Linux 系统上收集不同的信息并将结果存入 CSV 文件 ### 日志分析工具 -* [Lorg](https://github.com/jensvoid/lorg) - a tool for advanced HTTPD logfile security analysis and forensics +* [Lorg](https://github.com/jensvoid/lorg) - 一个用 HTTPD 日志进行高级安全分析与取证的工具 ### 内存分析工具 -* [Evolve](https://github.com/JamesHabben/evolve) - Web interface for the Volatility Memory Forensics Framework -* [inVtero.net](https://github.com/ShaneK2/inVtero.net) - Advanced memory analysis for Windows x64 with nested hypervisor support -* [KnTList](http://www.gmgsystemsinc.com/knttools/) - Computer memory analysis tools -* [LiME](https://github.com/504ensicsLabs/LiME) - LiME (formerly DMD) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices -* [Memoryze](https://www.fireeye.com/services/freeware/memoryze.html) - Memoryze by Mandiant is a free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images, and on live systems, can include the paging file in its analysis -* [Memoryze for Mac](https://www.fireeye.com/services/freeware/memoryze-for-the-mac.html) - Memoryze for Mac is Memoryze but then for Macs. A lower number of features, however -* [Rekall](http://www.rekall-forensic.com/) - Open source tool (and library) for the extraction of digital artifacts from volatile memory (RAM) samples -* [Responder PRO](http://www.countertack.com/responder-pro) - Responder PRO is the industry standard physical memory and automated malware analysis solution -* [Volatility](https://github.com/volatilityfoundation/volatility) - An advanced memory forensics framework -* [VolatilityBot](https://github.com/mkorman90/VolatilityBot) - VolatilityBot is an automation tool for researchers cuts all the guesswork and manual tasks out of the binary extraction phase, or to help the investigator in the first steps of performing a memory analysis investigation. -* [WindowsSCOPE](http://www.windowsscope.com/index.php?page=shop.product_details&flypage=flypage.tpl&product_id=35&category_id=3&option=com_virtuemart) - another memory forensics and reverse engineering tool used for analyzing volatile memory. It is basically used for reverse engineering of malwares. It provides the capability of analyzing the Windows kernel, drivers, DLLs, virtual and physical memory +* [Evolve](https://github.com/JamesHabben/evolve) - Volatility 内存取证框架的 Web 界面 +* [inVtero.net](https://github.com/ShaneK2/inVtero.net) - 支持 hypervisor 的 Windows x64 高级内存分析 +* [KnTList](http://www.gmgsystemsinc.com/knttools/) - 计算机内存分析工具 +* [LiME](https://github.com/504ensicsLabs/LiME) - LiME 是 Loadable Kernel Module (LKM),可以从 Linux 以及基于 Linux 的设备采集易失性内存数据 +* [Memoryze](https://www.fireeye.com/services/freeware/memoryze.html) - 由 Mandiant 开发的 Memoryze 是一个免费的内存取证软件,可以帮助应急响应人员在内存中定位恶意部位, Memoryze 也可以分析内存镜像或者装成带有许多分析插件的系统 +* [Memoryze for Mac](https://www.fireeye.com/services/freeware/memoryze-for-the-mac.html) - Memoryze for Mac 是 Memoryze 但仅限于 Mac,且功能较少 +* [Rekall](http://www.rekall-forensic.com/) - 用于从 RAM 中提取样本的开源工具 +* [Responder PRO](http://www.countertack.com/responder-pro) - Responder PRO 是一个工业级的物理内存及自动化恶意软件分析解决方案 +* [Volatility](https://github.com/volatilityfoundation/volatility) - 高级内存取证框架 +* [VolatilityBot](https://github.com/mkorman90/VolatilityBot) - VolatilityBot 是一个自动化工具,帮助研究员减少在二进制程序提取解析阶段的手动任务,或者帮助研究人员进行内存分析调查的第一步 +* [WindowsSCOPE](http://www.windowsscope.com/index.php?page=shop.product_details&flypage=flypage.tpl&product_id=35&category_id=3&option=com_virtuemart) - 一个用来分析易失性内存的取证与逆向工程工具,被用于对恶意软件进行逆向分析,提供了分析 Windows 内核\驱动程序\DLL\虚拟与物理内存的功能 ### 内存镜像工具 -* [Belkasoft Live RAM Capturer](http://belkasoft.com/ram-capturer) - A tiny free forensic tool to reliably extract the entire content of the computer’s volatile memory – even if protected by an active anti-debugging or anti-dumping system -* [Linux Memory Grabber](https://github.com/halpomeranz/lmg/) - A script for dumping Linux memory and creating Volatility profiles. -* [Magnet RAM Capture](https://www.magnetforensics.com/free-tool-magnet-ram-capture/) - Magnet RAM Capture is a free imaging tool designed to capture the physical memory of a suspect’s computer. Supports recent versions of Windows -* [OSForensics](http://www.osforensics.com/) - OSForensics can acquire live memory on 32bit and 64bit systems. A dump of an individual process’s memory space or physical memory dump can be done +* [Belkasoft Live RAM Capturer](http://belkasoft.com/ram-capturer) - 轻量级取证工具,即使有反调试\反转储的系统保护下也可以方便地提取全部易失性内存的内容 +* [Linux Memory Grabber](https://github.com/halpomeranz/lmg/) - 用于 dump Linux 内存并创建 Volatility 配置文件的脚本 +* [Magnet RAM Capture](https://www.magnetforensics.com/free-tool-magnet-ram-capture/) - Magnet RAM Capture 是一个免费的镜像工具,可以捕获可疑计算机中的物理内存,支持最新版的 Windows +* [OSForensics](http://www.osforensics.com/) - OSForensics 可以获取 32/64 位系统的实时内存,可以将每个独立进程的内存空间 dump 下来 ### OSX 证据收集 -* [Knockknock](https://github.com/synack/knockknock) - Displays persistent items(scripts, commands, binaries, etc.) that are set to execute automatically on OSX -* [OSX Auditor](https://github.com/jipegit/OSXAuditor) - OSX Auditor is a free Mac OS X computer forensics tool -* [OSX Collector](https://github.com/yelp/osxcollector) - An OSX Auditor offshoot for live response +* [Knockknock](https://github.com/synack/knockknock) - 显示那些在 OSX 上被设置为自动执行的那些脚本、命令、程序等 +* [OSX Auditor](https://github.com/jipegit/OSXAuditor) - OSX Auditor 是一个面向 Mac OS X 的免费计算机取证工具 +* [OSX Collector](https://github.com/yelp/osxcollector) - OSX Auditor 的实时响应版 -### Other Tools +### 其他工具 -* [Cortex](https://thehive-project.org) - Cortex allows you to analyze observables such as IP and email addresses, URLs, domain names, files or hashes one by one or in bulk mode using a Web interface. Analysts can also automate these operations using its REST API. -* [Crits](https://crits.github.io/) - a web-based tool which combines an analytic engine with a cyber threat database -* [Fenrir](https://github.com/Neo23x0/Fenrir) - Fenrir is a simple IOC scanner. It allows scanning any Linux/Unix/OSX system for IOCs in plain bash. Created by the creators of THOR and LOKI -* [Fileintel](https://github.com/keithjjones/fileintel) - Pull intelligence per file hash -* [Hindsight](https://github.com/obsidianforensics/hindsight) - Internet history forensics for Google Chrome/Chromium -* [Hostintel](https://github.com/keithjjones/hostintel) - Pull intelligence per host -* [Kansa](https://github.com/davehull/Kansa/) - Kansa is a modular incident response framework in Powershell -* [rastrea2r](https://github.com/aboutsecurity/rastrea2r) - allows one to scan disks and memory for IOCs using YARA on Windows, Linux and OS X -* [RaQet](https://raqet.github.io/) - RaQet is an unconventional remote acquisition and triaging tool that allows triage a disk of a remote computer (client) that is restarted with a purposely built forensic operating system -* [Stalk](https://www.percona.com/doc/percona-toolkit/2.2/pt-stalk.html) - Collect forensic data about MySQL when problems occur -* [SearchGiant](https://github.com/jadacyrus/searchgiant_cli) - a commandline utility to acquire forensic data from cloud services +* [Cortex](https://thehive-project.org) - Cortex 可以通过 Web 界面逐个或批量对 IP 地址\邮件地址\URL\域名\文件哈希的分析,还可以使用 REST API 来自动执行这些操作 +* [Crits](https://crits.github.io/) - 一个将分析引擎与网络威胁数据库相结合且带有 Web 界面的工具 +* [Fenrir](https://github.com/Neo23x0/Fenrir) - Fenrir 是一个简单的 IOC 扫描器,可以在纯 bash 中扫描任意 Linux/Unix/OSX 系统,由 THOR 与 LOKI 的开发者创作 +* [Fileintel](https://github.com/keithjjones/fileintel) - 为每个文件哈希值提供情报 +* [Hindsight](https://github.com/obsidianforensics/hindsight) - Google Chrome/Chromium 的互联网 +* [Hostintel](https://github.com/keithjjones/hostintel) - 为每个主机提供情报 +* [Kansa](https://github.com/davehull/Kansa/) - Kansa 是一个 PowerShell 的模块化应急响应框架 +* [rastrea2r](https://github.com/aboutsecurity/rastrea2r) - 使用 YARA 在 Windows、Linux 与 OS X 上扫描硬盘或内存 +* [RaQet](https://raqet.github.io/) - RaQet 是一个非常规的远程采集与分类工具,允许对那些为取证构建的操作系统进行远端计算机的遴选 +* [Stalk](https://www.percona.com/doc/percona-toolkit/2.2/pt-stalk.html) - 收集关于 MySQL 的取证数据 +* [SearchGiant](https://github.com/jadacyrus/searchgiant_cli) - 从云服务中获取取证数据的命令行程序 * [Stenographer](https://github.com/google/stenographer) - Stenographer is a packet capture solution which aims to quickly spool all packets to disk, then provide simple, fast access to subsets of those packets. It stores as much history as it possible, managing disk usage, and deleting when disk limits are hit. It's ideal for capturing the traffic just before and during an incident, without the need explicit need to store all of the network traffic * [traceroute-circl](https://github.com/CIRCL/traceroute-circl) - traceroute-circl is an extended traceroute to support the activities of CSIRT (or CERT) operators. Usually CSIRT team have to handle incidents based on IP addresses received. Created by Computer Emergency Responce Center Luxembourg -* [X-Ray 2.0](https://www.raymond.cc/blog/xray/) - A Windows utility (poorly maintained or no longer maintained) to submit virus samples to AV vendors +* [X-Ray 2.0](https://www.raymond.cc/blog/xray/) - 一个用来向反病毒厂商提供样本的 Windows 实用工具(几乎不再维护) ### Playbooks -* [Demisto Playbooks Collection](https://www.demisto.com/category/playbooks/) - Playbooks collection +* [Demisto Playbooks Collection](https://www.demisto.com/category/playbooks/) - Playbook 收集 * [IR Workflow Gallery](https://www.incidentresponse.com/playbooks/) - Different generic incident response workflows, e.g. for malware outbreak, data theft, unauthorized access,... Every workflow constists of seven steps: prepare, detect, analyze, contain, eradicate, recover, post-incident handling. The workflows are online available or for download * [PagerDuty Incident Response Documentation](https://response.pagerduty.com/) - Documents that describe parts of the PagerDuty Incident Response process. It provides information not only on preparing for an incident, but also what to do during and after. Source is available on [GitHub](https://github.com/PagerDuty/incident-response-docs). ### 进程 Dump 工具 -* [Microsoft User Mode Process Dumper](http://www.microsoft.com/en-us/download/details.aspx?id=4060) - The User Mode Process Dumper (userdump) dumps any running Win32 processes memory image on the fly -* [PMDump](http://www.ntsecurity.nu/toolbox/pmdump/) - PMDump is a tool that lets you dump the memory contents of a process to a file without stopping the process +* [Microsoft User Mode Process Dumper](http://www.microsoft.com/en-us/download/details.aspx?id=4060) - 用户模式下的进程 dump 工具,可以 dump 任意正在运行的 Win32 进程内存映像 +* [PMDump](http://www.ntsecurity.nu/toolbox/pmdump/) - PMDump 是一个可以在不停止进程的情况下将进程的内存内容 dump 到文件中的工具 -### Sandboxing/reversing tools +### 沙盒/逆向工具 -* [Cuckoo](https://github.com/cuckoobox) - Open Source Highly configurable sandboxing tool -* [Cuckoo-modified](https://github.com/spender-sandbox/cuckoo-modified) - Heavily modified Cuckoo fork developed by community -* [Cuckoo-modified-api](https://github.com/keithjjones/cuckoo-modified-api) - A Python library to control a cuckoo-modified sandbox -* [Hybrid-Analysis](https://www.hybrid-analysis.com/) - Hybrid-Analysis is a free powerful online sandbox by Payload Security -* [Malwr](https://malwr.com) - Malwr is a free online malware analysis service and community, which is powered by the Cuckoo Sandbox -* [Mastiff](https://github.com/KoreLogicSecurity/mastiff) - MASTIFF is a static analysis framework that automates the process of extracting key characteristics from a number of different file formats -* [Viper](https://github.com/viper-framework/viper) - Viper is a python based binary analysis and management framework, that works well with Cuckoo and YARA -* [Virustotal](https://www.virustotal.com) - Virustotal, a subsidiary of Google, is a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners -* [Visualize_Logs](https://github.com/keithjjones/visualize_logs) - Open source - visualization library and command line tools for logs. (Cuckoo, Procmon, more to come...) +* [Cuckoo](https://github.com/cuckoobox) - 开源沙盒工具 +* [Cuckoo-modified](https://github.com/spender-sandbox/cuckoo-modified) - 社区基于 Cuckoo 的大修版 +* [Cuckoo-modified-api](https://github.com/keithjjones/cuckoo-modified-api) - 一个用来控制 Cuckoo 沙盒设置的 Python 库 +* [Hybrid-Analysis](https://www.hybrid-analysis.com/) - Hybrid-Analysis 是一个由 Payload Security 提供的免费在线沙盒 +* [Malwr](https://malwr.com) - Malwr 是由 Cuckoo 沙盒提供支持的一个免费在线恶意软件分析服务 +* [Mastiff](https://github.com/KoreLogicSecurity/mastiff) - MASTIFF 是一个静态分析框架,可以自动化的从多种文件格式中提取关键特征 +* [Viper](https://github.com/viper-framework/viper) - Viper 是一个基于 Python 的二进制程序分析及管理框架,支持 Cuckoo 与 YARA +* [Virustotal](https://www.virustotal.com) - Virustotal, Google 的子公司,一个免费在线分析文件/URL的厂商,可以分析病毒\蠕虫\木马以及其他类型被反病毒引擎或网站扫描器识别的恶意内容 +* [Visualize_Logs](https://github.com/keithjjones/visualize_logs) - Cuckoo、Procmon等日志的开源可视化库 -### Timeline tools +### 时间线工具 -* [Highlighter](https://www.fireeye.com/services/freeware/highlighter.html) - Free Tool available from Fire/Mandiant that will depict log/text file that can highlight areas on the graphic, that corresponded to a key word or phrase. Good for time lining an infection and what was done post compromise -* [Plaso](https://github.com/log2timeline/plaso) - a Python-based backend engine for the tool log2timeline -* [Timesketch](https://github.com/google/timesketch) - open source tool for collaborative forensic timeline analysis +* [Highlighter](https://www.fireeye.com/services/freeware/highlighter.html) - Fire/Mandiant 开发的免费工具,用来分析日志/文本文件,可以对某些关键字或短语进行高亮显示,有助于时间线的整理 +* [Plaso](https://github.com/log2timeline/plaso) - 一个基于 Python 用于 log2timeline 的后端引擎 +* [Timesketch](https://github.com/google/timesketch) - 协作取证时间线分析的开源工具 -### Videos +### 视频 -* [Demisto IR video resources](https://www.demisto.com/category/videos/) - Video Resources for Incident Response and Forensics Tools -* [The Future of Incident Response](https://www.youtube.com/watch?v=bDcx4UNpKNc) - Presented by Bruce Schneier at OWASP AppSecUSA 2015 +* [Demisto IR video resources](https://www.demisto.com/category/videos/) - 应急响应与取证分析的视频资源 +* [The Future of Incident Response](https://www.youtube.com/watch?v=bDcx4UNpKNc) - Bruce Schneier 在 OWASP AppSecUSA 2015 上的分享 -### Windows Evidence Collection +### Windows 证据收集 -* [AChoir](https://github.com/OMENScan/AChoir) - Achoir is a framework/scripting tool to standardize and simplify the process of scripting live acquisition utilities for Windows -* [Binaryforay](http://binaryforay.blogspot.co.il/p/software.html) - list of free tools for win forensics (http://binaryforay.blogspot.co.il/) -* [Crowd Response](http://www.crowdstrike.com/community-tools/) - Crowd Response by CrowdStrike is a lightweight Windows console application designed to aid in the gathering of system information for incident response and security engagements. It features numerous modules and output formats -* [FastIR Collector](https://github.com/SekoiaLab/Fastir_Collector) - FastIR Collector is a tool that collects different artefacts on live Windows systems and records the results in csv files. With the analyses of these artefacts, an early compromise can be detected -* [FECT](https://github.com/jipegit/FECT) - Fast Evidence Collector Toolkit (FECT) is a light incident response toolkit to collect evidences on a suspicious Windows computer. Basically it is intended to be used by non-tech savvy people working with a journeyman Incident Handler -* [Fibratus](https://github.com/rabbitstack/fibratus) - tool for exploration and tracing of the Windows kernel -* [IOC Finder](https://www.fireeye.com/services/freeware/ioc-finder.html) - IOC Finder is a free tool from Mandiant for collecting host system data and reporting the presence of Indicators of Compromise (IOCs). Support for Windows only -* [Fidelis ThreatScanner](https://www.fidelissecurity.com/resources/fidelis-threatscanner) - Fidelis ThreatScanner is a free tool from Fidelis Cybersecurity that uses OpenIOC and YARA rules to report on the state of an endpoint. The user provides OpenIOC and YARA rules and executes the tool. ThreatScanner measures the state of the system and, when the run is complete, a report for any matching rules is generated. Windows Only. -* [LOKI](https://github.com/Neo23x0/Loki) - Loki is a free IR scanner for scanning endpoint with yara rules and other indicators(IOCs) -* [PowerForensics](https://github.com/Invoke-IR/PowerForensics) - Live disk forensics platform, using PowerShell -* [PSRecon](https://github.com/gfoss/PSRecon/) - PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally -* [RegRipper](https://code.google.com/p/regripper/wiki/RegRipper) - Regripper is an open source tool, written in Perl, for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis -* [TRIAGE-IR](https://code.google.com/p/triage-ir/) - Triage-IR is a IR collector for Windows \ No newline at end of file +* [AChoir](https://github.com/OMENScan/AChoir) - Achoir 是一个将对 Windows 的实时采集工具脚本化变得更标准与简单的框架 +* [Binaryforay](http://binaryforay.blogspot.co.il/p/software.html) - 一个 Windows 取证的免费工具列表 (http://binaryforay.blogspot.co.il/) +* [Crowd Response](http://www.crowdstrike.com/community-tools/) - 由 CrowdStrike 开发的 Crowd Response 是一个轻量级 Windows 终端应用,旨在收集用于应急响应与安全操作的系统信息,其包含许多模块与输出格式 +* [FastIR Collector](https://github.com/SekoiaLab/Fastir_Collector) - FastIR Collector 在 Windows 系统中实时收集各种信息并将结果记录在 CSV 文件中,通过对这些信息的分析,我们可以发现早期的入侵痕迹 +* [FECT](https://github.com/jipegit/FECT) - Fast Evidence Collector Toolkit (FECT) 是一个轻量级的应急响应工具集,用于在可疑的 Windows 计算机上取证,它可以让非技术调查人员更专业的进行应急处理 +* [Fibratus](https://github.com/rabbitstack/fibratus) - 利用与跟踪 Windows 内核的工具 +* [IOC Finder](https://www.fireeye.com/services/freeware/ioc-finder.html) - IOC Finder 是由 Mandiant 开发的免费工具,用来收集主机数据并报告存在危险的 IOC +* [Fidelis ThreatScanner](https://www.fidelissecurity.com/resources/fidelis-threatscanner) - Fidelis ThreatScanner 是一个由 Fidelis Cybersecurity 开发的免费工具,使用 OpenIOC 和 YARA 来报告终端设备的安全状态,ThreatScanner 衡量系统的运行状态后会出具匹配情况的报告,仅限 Windows +* [LOKI](https://github.com/Neo23x0/Loki) - Loki 是一个使用 YARA 与其他 IOC 对终端进行扫描的免费 IR 扫描器 +* [PowerForensics](https://github.com/Invoke-IR/PowerForensics) - PowerShell 开发的实时硬盘取证框架 +* [PSRecon](https://github.com/gfoss/PSRecon/) - PSRecon 使用 PowerShell 在远程 Windows 主机上提取/整理数据,并将数据发送到安全团队,数据可以通过邮件来传送数据或者在本地留存 +* [RegRipper](https://code.google.com/p/regripper/wiki/RegRipper) - Regripper 是用 Perl 编写的开源工具,可以从注册表中提取/解析数据(键\值\数据)提供分析 +* [TRIAGE-IR](https://code.google.com/p/triage-ir/) - Triage-IR 是一个 Windows 下的 IR 收集工具 \ No newline at end of file From a43995872de3d21dc49dcb0f206843b28e4e6225 Mon Sep 17 00:00:00 2001 From: PolluxAvenger Date: Tue, 21 Feb 2017 13:23:46 +0800 Subject: [PATCH 19/46] =?UTF-8?q?=E5=BA=94=E6=80=A5=E5=93=8D=E5=BA=94?= =?UTF-8?q?=E5=A4=A7=E5=90=88=E9=9B=86?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit awesome 应急响应项目 --- README_ch.md | 108 +++++++++++++++++++++++++-------------------------- 1 file changed, 54 insertions(+), 54 deletions(-) diff --git a/README_ch.md b/README_ch.md index 7f32474..75a8905 100644 --- a/README_ch.md +++ b/README_ch.md @@ -1,95 +1,95 @@ -# awesome-incident-response -A curated list of tools and resources for security incident response, aimed to help security analysts and [DFIR](http://www.acronymfinder.com/Digital-Forensics%2c-Incident-Response-(DFIR).html) teams. +# 应急响应大合集 +用于安全事件响应的工具与资源的列表,旨在帮助安全分析师与 [DFIR](http://www.acronymfinder.com/Digital-Forensics%2c-Incident-Response-(DFIR).html) 团队 [![Awesome](https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg)](https://github.com/sindresorhus/awesome) -- [All in one tools](#all-in-one-tools) -- [Books](#books) -- [Communities](#communities) -- [Disk Image Creation Tools](#disk-image-creation-tools) -- [Evidence Collection](#evidence-collection) -- [Incident Management](#incident-management) -- [Linux Distributions](#linux-distributions) -- [Linux Evidence Collection](#linux-evidence-collection) -- [Log Analysis Tools](#log-analysis-tools) -- [Memory Analysis Tools](#memory-analysis-tools) -- [Memory Imaging Tools](#memory-imaging-tools) -- [OSX Evidence Collection](#osx-evidence-collection) -- [Other tools](#other-tools) +- [工具集](#工具集) +- [书籍](#书籍) +- [社区](#社区) +- [磁盘镜像创建工具](#磁盘镜像创建工具) +- [证据收集](#证据收集) +- [应急管理](#应急管理) +- [Linux 发行版](#Linux发行版) +- [Linux 证据收集](#Linux证据收集) +- [日志分析工具](#日志分析工具) +- [内存分析工具](#内存分析工具) +- [内存镜像工具](#内存镜像工具) +- [OSX 证据收集](#osx证据收集) +- [其他工具](#其他工具) - [Playbooks](#playbooks) -- [Process Dump Tools](#process-dump-tools) -- [Sandboxing/reversing tools](#sandboxingreversing-tools) -- [Timeline tools](#timeline-tools) -- [Videos](#videos) -- [Windows Evidence Collection](#windows-evidence-collection) +- [进程 Dump 工具](#进程Dump工具) +- [沙盒 / 逆向工具](#沙盒/逆向工具) +- [时间线工具](#时间线工具) +- [视频](#视频) +- [Windows 证据收集](#Windows证据收集) -## IR tools Collection +## IR 工具收集 -### All in one Tools +### 工具集 * [Belkasoft Evidence Center](https://belkasoft.com/ec) - 该工具包通过分析硬件驱动、驱动镜像、内存转储、iOS、黑莓与安卓系统备份、UFED、JTAG 与 chip-off 转储来快速从多个源提取数字证据 -* [CimSweep](https://github.com/PowerShellMafia/CimSweep) - CimSweep is a suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows -* [CIRTkit](https://github.com/byt3smith/CIRTKit) - CIRTKit is not just a collection of tools, but also a framework to aid in the ongoing unification of Incident Response and Forensics investigation processes -* [Cyber Triage](http://www.cybertriage.com) - Cyber Triage remotely collects and analyzes endpoint data to help determine if it is compromised. It’s agentless approach and focus on ease of use and automation allows companies to respond without major infrastructure changes and without a team of forensics experts. Its results are used to decide if the system should be erased or investigated further. -* [Digital Forensics Framework](http://www.arxsys.fr/discover/) - DFF is an Open Source computer forensics platform built on top of a dedicated Application Programming Interface (API). DFF proposes an alternative to the aging digital forensics solutions used today. Designed for simple use and automation, the DFF interface guides the user through the main steps of a digital investigation so it can be used by both professional and non-expert to quickly and easily conduct a digital investigations and perform incident response -* [Doorman](https://github.com/mwielgoszewski/doorman) - Doorman is an osquery fleet manager that allows remote management of osquery configurations retrieved by nodes. It takes advantage of osquery's TLS configuration, logger, and distributed read/write endpoints, to give administrators visibility across a fleet of devices with minimal overhead and intrusiveness -* [Envdb](https://github.com/mephux/envdb) - Envdb turns your production, dev, cloud, etc environments into a database cluster you can search using osquery as the foundation. It wraps the osquery process with a (cluster) node agent that can communicate back to a central location +* [CimSweep](https://github.com/PowerShellMafia/CimSweep) - CimSweep 是一套基于 CIM/WMI 的工具,能够在所有版本的 Windows 上执行远程事件响应 +* [CIRTkit](https://github.com/byt3smith/CIRTKit) - CIRTKit 不仅是一个工具集合,更是一个框架,帮助在事件响应与取证调查过程中统一 +* [Cyber Triage](http://www.cybertriage.com) - Cyber Triage 远程收集\分析终端数据,以帮助确定计算机是否被入侵.其专注易用性与自动化,采用无代理方法使公司在没有重大基础设施\没有取证专家团队的情况下做出响应,其结果用于决定是否应该被擦除或者进行进一步调查 +* [Digital Forensics Framework](http://www.arxsys.fr/discover/) - DFF 是一个建立在专用 API 之上的开源计算机取证框架,DFF 提出了一种替代目前老旧的数字取证解决方案,其设计简单\更加自动化,通过 DFF 接口可以帮助用户进行数字调查取证的主要步骤,专业与非专业人员都可以快速的进行数字取证并执行事件响应 +* [Doorman](https://github.com/mwielgoszewski/doorman) - Doorman 是一个 osquery 的管理平台,可以远程管理节点的 osquery 配置.它利用 osquery 的 TLS 配置\记录器\分布式读写等优势为管理员提供最小开销的管理 +* [Envdb](https://github.com/mephux/envdb) - Envdb 将你的生产\开发\云等环境变成数据库集群,你可以使用 osquery 作为基础搜索,它可以和集群中心节点包装 osquery 的查询过程 * [Falcon Orchestrator](https://github.com/CrowdStrike/falcon-orchestrator) - Falcon Orchestrator 是由 CrowdStrike 提供的一个基于 Windows 可扩展的应用程序,提供工作流自动化、案例管理与安全应急响应等功能 -* [FIDO](https://github.com/Netflix/Fido) - Fully Integrated Defense Operation (FIDO) by Netflix is an orchestration layer used to automate the incident response process by evaluating, assessing and responding to malware. FIDO’s primary purpose is to handle the heavy manual effort needed to evaluate threats coming from today's security stack and the large number of alerts generated by them +* [FIDO](https://github.com/Netflix/Fido) - Netflix 开发的 Fully Integrated Defense Operation (FIDO) 用于自动化评估\响应恶意软件入侵响应过程,FIDO 的主要目的是协助处理大量的手动工作来评估对安全堆栈的威胁与生成的大量警报 * [GRR Rapid Response](https://github.com/google/grr) - GRR Rapid Response 是一个用来远程现场取证的应急响应框架,其带有一个可以管理客户端的 Python 编写的服务器 -* [Kolide](https://github.com/mephux/kolide) - Kolide is an agentless osquery web interface and remote api server. Kolide was designed to be extremely portable (a single binary) and performant while keeping the codebase simple. It replaces Envdb -* [Limacharlie](https://github.com/refractionpoint/limacharlie) - an endpoint security platform. It is itself a collection of small projects all working together, and gives you a cross-platform (Windows, OSX, Linux, Android and iOS) low-level environment allowing you to manage and push additional modules into memory to extend its functionality -* [MIG](http://mig.mozilla.org/) - Mozilla Investigator (MIG) is a platform to perform investigative surgery on remote endpoints. It enables investigators to obtain information from large numbers of systems in parallel, thus accelerating investigation of incidents and day-to-day operations security +* [Kolide](https://github.com/mephux/kolide) - Kolide 是一个无代理的 osquery Web 接口与远程 API 服务器,Kolide 作为 Envdb 替代品的设计理念就是极度便携(仅有一个可执行程序),在保持代码简单的情况下保持性能 +* [Limacharlie](https://github.com/refractionpoint/limacharlie) - 一个终端安全平台,它本身是一个小项目的集合,并提供了一个跨平台的低级环境,你可以管理并推送附加功能进入内存给程序扩展功能 +* [MIG](http://mig.mozilla.org/) - Mozilla Investigator (MIG) 是一个在远程终端执行调查的平台,它可以在大量系统中并行获取数据,从而加速事故调查与保证日常业务安全 * [MozDef](https://github.com/mozilla/MozDef) - Mozilla Defense Platform (MozDef) 旨在帮助安全事件处理自动化,并促进事件的实时处理 -* [nightHawk](https://github.com/biggiesmallsAG/nightHawkResponse) - the nightHawk Response Platform is an application built for asynchronus forensic data presentation using ElasticSearch as the backend. It's designed to ingest Redline collections. -* [Open Computer Forensics Architecture](http://sourceforge.net/projects/ocfa/) - Open Computer Forensics Architecture (OCFA) is another popular distributed open-source computer forensics framework. This framework was built on Linux platform and uses postgreSQL database for storing data -* [Osquery](https://osquery.io/) - with osquery you can easily ask questions about your Linux and OSX infrastructure. Whether your goal is intrusion detection, infrastructure reliability, or compliance, osquery gives you the ability to empower and inform a broad set of organizations within your company. Queries in the *incident-response pack* help you detect and respond to breaches +* [nightHawk](https://github.com/biggiesmallsAG/nightHawkResponse) - nightHawk Response Platform 是一个以 ElasticSearch 为后台的异步取证数据呈现的应用程序,设计与 Redline 配合调查 +* [Open Computer Forensics Architecture](http://sourceforge.net/projects/ocfa/) - Open Computer Forensics Architecture (OCFA) 是另一个分布式开源计算机取证框架,这个框架建立在 Linux 平台上,并使用 postgreSQL 数据库来存储数据 +* [Osquery](https://osquery.io/) - osquery 可以找到 Linux 与 OSX 基础设施的问题,无论你是要入侵检测还是基础架构可靠性检查 osquery 都能够帮助你提高公司内部的安全组织能力, *incident-response pack* 可以帮助你进行检测\响应活动 * [Redline](https://www.fireeye.com/services/freeware/redline.html) - 为用户提供主机调查工具,通过内存与文件分析来找到恶意行为的活动迹象,包括对威胁评估配置文件的开发 * [The Sleuth Kit & Autopsy](http://www.sleuthkit.org) - Sleuth Kit 是基于 Unix 和 Windows 的工具,可以帮助计算机取证分析,其中包含各种协助取证的工具,比如分析磁盘镜像、文件系统深度分析等 * [TheHive](https://thehive-project.org/) - TheHive 是一个可扩展的三个一开源解决方案,旨在让 SOC、CSIRT、CERT 或其他任何信息安全从业人员方便的进行安全事件调查 * [X-Ways Forensics](http://www.x-ways.net/forensics/) - X-Ways 是一个用于磁盘克隆、镜像的工具,可以查找已经删除的文件并进行磁盘分析 * [Zentral](https://github.com/zentralopensource/zentral) - 与 osquery 强大的端点清单保护能力相结合,通知与行动都灵活的框架,可以快速对 OS X 与 Linux 客户机上的更改做出识别与响应 -### Books +### 书籍 * [Dfir intro](http://sroberts.github.io/2016/01/11/introduction-to-dfir-the-beginning/) - 作者:Scott J. Roberts * [The Practice of Network Security Monitoring: Understanding Incident Detection and Response](http://www.amazon.com/gp/product/1593275099) - 作者:Richard Bejtlich -### Communities +### 社区 * [Sans DFIR mailing list](https://lists.sans.org/mailman/listinfo/dfir) - Mailing list by SANS for DFIR * [Slack DFIR channel](https://dfircommunity.slack.com) - Slack DFIR Communitiy channel - [Signup here](https://rishi28.typeform.com/to/sTbTI8) ### 磁盘镜像创建工具 -* [AccessData FTK Imager](http://accessdata.com/product-download/?/support/adownloads#FTKImager) - AccessData FTK Imager is a forensics tool whose main purpose is to preview recoverable data from a disk of any kind. FTK Imager can also acquire live memory and paging file on 32bit and 64bit systems -* [GetData Forensic Imager](http://www.forensicimager.com/) - GetData Forensic Imager is a Windows based program that will acquire, convert, or verify a forensic image in one of the following common forensic file formats -* [Guymager](http://guymager.sourceforge.net) - Guymager is a free forensic imager for media acquisition on Linux -* [Magnet ACQUIRE](https://www.magnetforensics.com/magnet-acquire/) - ACQUIRE by Magnet Forensics allows various types of disk acquisitions to be performed on Windows, Linux, and OS X as well as mobile operating systems. +* [AccessData FTK Imager](http://accessdata.com/product-download/?/support/adownloads#FTKImager) - AccessData FTK Imager 是一个从任何类型的磁盘中预览可恢复数据的取证工具,FTK Imager 可以在 32\64 位系统上实时采集内存与页面文件 +* [GetData Forensic Imager](http://www.forensicimager.com/) - GetData Forensic Imager 是一个基于 Windows 程序,将常见的文件格式进行获取\转换\验证取证 +* [Guymager](http://guymager.sourceforge.net) - Guymager 是一个用于 Linux 上媒体采集的免费镜像取证器 +* [Magnet ACQUIRE](https://www.magnetforensics.com/magnet-acquire/) - Magnet Forensics 开发的 ACQUIRE 可以在不同类型的磁盘上执行取证,包括 Windows\Linux\OS X 与移动操作系统 ### 证据收集 * [bulk_extractor](https://github.com/simsong/bulk_extractor) - bulk_extractor 是一个计算机取证工具,可以扫描磁盘映像、文件、文件目录,并在不解析文件系统或文件系统结构的情况下提取有用的信息,由于其忽略了文件系统结构,程序在速度和深入程度上都有了很大的提高 -* [Cold Disk Quick Response](https://github.com/rough007/CDQR) - uses a streamlined list of parsers to quickly analyze a forenisic image file (dd, E01, .vmdk, etc) and output nine reports -* [ir-rescue](https://github.com/diogo-fernan/ir-rescue) - *ir-rescue* is a Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response. -* [Live Response Collection](https://www.brimorlabs.com/tools/) - The Live Response collection by BriMor Labs is an automated tool that collects volatile data from Windows, OSX, and *nix based operating systems +* [Cold Disk Quick Response](https://github.com/rough007/CDQR) - 使用精简的解析器列表来快速分析取证镜像文件(dd, E01, .vmdk, etc)并输出报告 +* [ir-rescue](https://github.com/diogo-fernan/ir-rescue) - *ir-rescue* 是一个 Windows 批处理脚本与一个 Unix Bash 脚本,用于在事件响应期在主机全面收集证据 +* [Live Response Collection](https://www.brimorlabs.com/tools/) - BriMor 开发的 Live Response collection 是一个用于从各种操作系统中收集易失性数据的自动化工具 ### 应急管理 * [FIR](https://github.com/certsocietegenerale/FIR/) - Fast Incident Response (FIR) 是一个网络安全应急管理平台,在设计时考虑了敏捷性与速度。其可以轻松创建、跟踪、报告网络安全应急事件并用于 CSIRT、CERT 与 SOC 等人员 * [RTIR](https://www.bestpractical.com/rtir/) - Request Tracker for Incident Response (RTIR) 对于安全团队来说是首要的开源应急处理系统,其与世界各地的十多个 CERT 与 CSIRT 合作,帮助处理不断增加的事件报告,RTIR 包含 Request Tracker 的全部功能 -* [SCOT](http://getscot.sandia.gov/) - Sandia Cyber Omni Tracker (SCOT) is an Incident Response collaboration and knowledge capture tool focused on flexibility and ease of use. Our goal is to add value to the incident response process without burdening the user +* [SCOT](http://getscot.sandia.gov/) - Sandia Cyber Omni Tracker (SCOT) 是一个应急响应协作与知识获取工具,为事件响应的过程在不给用户带来负担的情况下增加价值 * [threat_note](https://github.com/defpoint/threat_note) - 一个轻量级的调查笔记,允许安全研究人员注册、检索他们需要的 IOC 数据 ### Linux 发行版 -* [ADIA](https://forensics.cert.org/#ADIA) - The Appliance for Digital Investigation and Analysis (ADIA) is a VMware-based appliance used for digital investigation and acquisition and is built entirely from public domain software. Among the tools contained in ADIA are Autopsy, the Sleuth Kit, the Digital Forensics Framework, log2timeline, Xplico, and Wireshark. Most of the system maintenance uses Webmin. It is designed for small-to-medium sized digital investigations and acquisitions. The appliance runs under Linux, Windows, and Mac OS. Both i386 (32-bit) and x86_64 (64-bit) versions are available. +* [ADIA](https://forensics.cert.org/#ADIA) - Appliance for Digital Investigation and Analysis (ADIA) 是一个基于 VMware 的应用程序,用于进行数字取证.其完全由公开软件构建,包含的工具有 Autopsy\Sleuth Kit\Digital Forensics Framework\log2timeline\Xplico\Wireshark 大多数系统维护使用 Webmin.可在各种系统下进行使用 * [CAINE](http://www.caine-live.net/index.html) - Computer Aided Investigative Environment (CAINE) 包含许多帮助调查人员进行分析的工具,包括取证工具 -* [DEFT](http://www.deftlinux.net/) - The Digital Evidence & Forensics Toolkit (DEFT) is a Linux distribution made for computer forensic evidence collection. It comes bundled with the Digital Advanced Response Toolkit (DART) for Windows. A light version of DEFT, called DEFT Zero, is also available, which is focused primarily on forensically sound evidence collection -* [NST - Network Security Toolkit](https://sourceforge.net/projects/nst/files/latest/download?source=files) - Linux distribution that includes a vast collection of best-of-breed open source network security applications useful to the network security professional -* [PALADIN](https://sumuri.com/software/paladin/) - PALADIN is a modified Linux distribution to perform various forenics task in a forensically sound manner. It comes with many open source forensics tools included +* [DEFT](http://www.deftlinux.net/) - Digital Evidence & Forensics Toolkit (DEFT) 是一个用于计算机取证的 Linux 发行版,它与 Windows 上的 Digital Advanced Response Toolkit (DART) 捆绑在一起.DEFT 的轻量版被成为 DEFT Zero +* [NST - Network Security Toolkit](https://sourceforge.net/projects/nst/files/latest/download?source=files) - 包括大量的优秀开源网络安全应用程序的 Linux 发行版 +* [PALADIN](https://sumuri.com/software/paladin/) - PALADIN 是一个附带许多开源取证工具的改 Linux 发行版,用于在法庭上以正确的方式执行取证任务 * [Security Onion](https://github.com/Security-Onion-Solutions/security-onion) - Security Onion 是一个特殊的 Linux 发行版,旨在利用高级的分析工具进行网络安全监控 -* [SIFT Workstation](http://digital-forensics.sans.org/community/downloads) - The SANS Investigative Forensic Toolkit (SIFT) Workstation demonstrates that advanced incident response capabilities and deep dive digital forensic techniques to intrusions can be accomplished using cutting-edge open-source tools that are freely available and frequently updated +* [SIFT Workstation](http://digital-forensics.sans.org/community/downloads) - SANS Investigative Forensic Toolkit (SIFT) 使用优秀开源工具以实现高级事件响应与入侵深度数字取证,这些功能免费提供,并且经常更新 ### Linux 证据收集 @@ -139,16 +139,16 @@ A curated list of tools and resources for security incident response, aimed to h * [RaQet](https://raqet.github.io/) - RaQet 是一个非常规的远程采集与分类工具,允许对那些为取证构建的操作系统进行远端计算机的遴选 * [Stalk](https://www.percona.com/doc/percona-toolkit/2.2/pt-stalk.html) - 收集关于 MySQL 的取证数据 * [SearchGiant](https://github.com/jadacyrus/searchgiant_cli) - 从云服务中获取取证数据的命令行程序 -* [Stenographer](https://github.com/google/stenographer) - Stenographer is a packet capture solution which aims to quickly spool all packets to disk, then provide simple, fast access to subsets of those packets. It stores as much history as it possible, managing disk usage, and deleting when disk limits are hit. It's ideal for capturing the traffic just before and during an incident, without the need explicit need to store all of the network traffic -* [traceroute-circl](https://github.com/CIRCL/traceroute-circl) - traceroute-circl is an extended traceroute to support the activities of CSIRT (or CERT) operators. Usually CSIRT team have to handle incidents based on IP addresses received. Created by Computer Emergency Responce Center Luxembourg +* [Stenographer](https://github.com/google/stenographer) - Stenographer 是一个数据包捕获解决方案,旨在快速将全部数据包转储到磁盘中,然后提供对这些数据包的快速访问.它存储尽可能多的历史记录并且管理磁盘的使用情况,在磁盘受限被触发时执行既定策略,非常适合在事件发生前与发生中捕获流量,而不是显式存储所有流量 +* [traceroute-circl](https://github.com/CIRCL/traceroute-circl) - 由 Computer Emergency Responce Center Luxembourg 开发的 traceroute-circl 是一个增强型的 traceroute 来帮助 CSIRT\CERT 的工作人员,通常 CSIRT 团队必须根据收到的 IP 地址处理事件 * [X-Ray 2.0](https://www.raymond.cc/blog/xray/) - 一个用来向反病毒厂商提供样本的 Windows 实用工具(几乎不再维护) ### Playbooks * [Demisto Playbooks Collection](https://www.demisto.com/category/playbooks/) - Playbook 收集 -* [IR Workflow Gallery](https://www.incidentresponse.com/playbooks/) - Different generic incident response workflows, e.g. for malware outbreak, data theft, unauthorized access,... Every workflow constists of seven steps: prepare, detect, analyze, contain, eradicate, recover, post-incident handling. The workflows are online available or for download -* [PagerDuty Incident Response Documentation](https://response.pagerduty.com/) - Documents that describe parts of the PagerDuty Incident Response process. It provides information not only on preparing for an incident, but also what to do during and after. Source is available on [GitHub](https://github.com/PagerDuty/incident-response-docs). +* [IR Workflow Gallery](https://www.incidentresponse.com/playbooks/) - 不同的通用事件响应工作流程,例如恶意软件爆发\数据窃取\未经授权的访问等,每个工作流程都有七个步骤:准备\检测\分析\遏制\根除\恢复\事后处理 +* [PagerDuty Incident Response Documentation](https://response.pagerduty.com/) - 描述 PagerDuty 应急响应过程的文档,不仅提供了关于事件准备的信息,还提供了在此前与之后要做什么工作,源在 [GitHub](https://github.com/PagerDuty/incident-response-docs) 上 ### 进程 Dump 工具 From 31f72656fe00917929392ca71fdda7f533b4a8c4 Mon Sep 17 00:00:00 2001 From: Meir Wahnon Date: Sat, 18 Mar 2017 14:00:33 +0200 Subject: [PATCH 20/46] Add Demisto to incident mgmt section Add Demisto free edition to incident mgmt section --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 0b66e84..0063d9c 100644 --- a/README.md +++ b/README.md @@ -76,6 +76,8 @@ A curated list of tools and resources for security incident response, aimed to h ### Incident Management + +* [Demisto](https://www.demisto.com/product/) - Demisto community edition(free) offers full Incident lifecycle management, Incident Closure Reports, team assignments and collaboration, and many integrations to enhance automations (like Active Directory, PagerDuty, Jira and much more...) * [FIR](https://github.com/certsocietegenerale/FIR/) - Fast Incident Response (FIR) is an cybersecurity incident management platform designed with agility and speed in mind. It allows for easy creation, tracking, and reporting of cybersecurity incidents and is useful for CSIRTs, CERTs and SOCs alike * [RTIR](https://www.bestpractical.com/rtir/) - Request Tracker for Incident Response (RTIR) is the premier open source incident handling system targeted for computer security teams. We worked with over a dozen CERT and CSIRT teams around the world to help you handle the ever-increasing volume of incident reports. RTIR builds on all the features of Request Tracker * [SCOT](http://getscot.sandia.gov/) - Sandia Cyber Omni Tracker (SCOT) is an Incident Response collaboration and knowledge capture tool focused on flexibility and ease of use. Our goal is to add value to the incident response process without burdening the user From 441c4f717fc1bcfeb51287e7cf1a0a1b5edd4088 Mon Sep 17 00:00:00 2001 From: Herman Slatman Date: Sat, 25 Mar 2017 18:33:33 +0100 Subject: [PATCH 21/46] Add augmentd --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 0063d9c..9e79ec7 100644 --- a/README.md +++ b/README.md @@ -57,6 +57,7 @@ A curated list of tools and resources for security incident response, aimed to h ### Communities +* [augmentd](https://augmentd.co/) - Community driven site provididing a list of searches that can be implemented in and executed with a variety of common security tools. * [Sans DFIR mailing list](https://lists.sans.org/mailman/listinfo/dfir) - Mailing list by SANS for DFIR * [Slack DFIR channel](https://dfircommunity.slack.com) - Slack DFIR Communitiy channel - [Signup here](https://rishi28.typeform.com/to/sTbTI8) From de396576b3220df7987d38ae151e56284db31830 Mon Sep 17 00:00:00 2001 From: Diogo Fernandes Date: Wed, 29 Mar 2017 18:36:13 +0200 Subject: [PATCH 22/46] Added domfind --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 9e79ec7..5fe7df8 100644 --- a/README.md +++ b/README.md @@ -133,6 +133,7 @@ A curated list of tools and resources for security incident response, aimed to h * [Cortex](https://thehive-project.org) - Cortex allows you to analyze observables such as IP and email addresses, URLs, domain names, files or hashes one by one or in bulk mode using a Web interface. Analysts can also automate these operations using its REST API. * [Crits](https://crits.github.io/) - a web-based tool which combines an analytic engine with a cyber threat database +* [domfind](https://github.com/diogo-fernan/domfind) - *domfind* is a Python DNS crawler for finding identical domain names under different TLDs. * [Fenrir](https://github.com/Neo23x0/Fenrir) - Fenrir is a simple IOC scanner. It allows scanning any Linux/Unix/OSX system for IOCs in plain bash. Created by the creators of THOR and LOKI * [Fileintel](https://github.com/keithjjones/fileintel) - Pull intelligence per file hash * [Hindsight](https://github.com/obsidianforensics/hindsight) - Internet history forensics for Google Chrome/Chromium From f1959c15d67fbc6f510e9100482e1e5f39e63124 Mon Sep 17 00:00:00 2001 From: Meir Wahnon Date: Sat, 1 Apr 2017 11:12:13 +0300 Subject: [PATCH 23/46] Add Contents header Add Contents header --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 5fe7df8..46c60df 100644 --- a/README.md +++ b/README.md @@ -3,6 +3,8 @@ A curated list of tools and resources for security incident response, aimed to h [![Awesome](https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg)](https://github.com/sindresorhus/awesome) +## Contents + - [All in one tools](#all-in-one-tools) - [Books](#books) - [Communities](#communities) From 1cb26921a4c54af6cc058d160144f1f346890135 Mon Sep 17 00:00:00 2001 From: Meir Wahnon Date: Tue, 4 Apr 2017 11:51:51 +0300 Subject: [PATCH 24/46] Adding IRM Adding IRM --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 46c60df..5bd9ed6 100644 --- a/README.md +++ b/README.md @@ -153,6 +153,7 @@ A curated list of tools and resources for security incident response, aimed to h ### Playbooks * [Demisto Playbooks Collection](https://www.demisto.com/category/playbooks/) - Playbooks collection +* [IRM](https://github.com/certsocietegenerale/IRM) - Incident Response Methodologies by CERT Societe Generale * [IR Workflow Gallery](https://www.incidentresponse.com/playbooks/) - Different generic incident response workflows, e.g. for malware outbreak, data theft, unauthorized access,... Every workflow constists of seven steps: prepare, detect, analyze, contain, eradicate, recover, post-incident handling. The workflows are online available or for download * [PagerDuty Incident Response Documentation](https://response.pagerduty.com/) - Documents that describe parts of the PagerDuty Incident Response process. It provides information not only on preparing for an incident, but also what to do during and after. Source is available on [GitHub](https://github.com/PagerDuty/incident-response-docs). From c879934de2f67ba6270a622fde6d1533a1aaa078 Mon Sep 17 00:00:00 2001 From: Meir Wahnon Date: Fri, 12 May 2017 16:37:01 +0300 Subject: [PATCH 25/46] add VolDiff add VolDiff to memory --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 5bd9ed6..3494e93 100644 --- a/README.md +++ b/README.md @@ -115,7 +115,8 @@ A curated list of tools and resources for security incident response, aimed to h * [Rekall](http://www.rekall-forensic.com/) - Open source tool (and library) for the extraction of digital artifacts from volatile memory (RAM) samples * [Responder PRO](http://www.countertack.com/responder-pro) - Responder PRO is the industry standard physical memory and automated malware analysis solution * [Volatility](https://github.com/volatilityfoundation/volatility) - An advanced memory forensics framework -* [VolatilityBot](https://github.com/mkorman90/VolatilityBot) - VolatilityBot is an automation tool for researchers cuts all the guesswork and manual tasks out of the binary extraction phase, or to help the investigator in the first steps of performing a memory analysis investigation. +* [VolatilityBot](https://github.com/mkorman90/VolatilityBot) - VolatilityBot is an automation tool for researchers cuts all the guesswork and manual tasks out of the binary extraction phase, or to help the investigator in the first steps of performing a memory analysis investigation +* [VolDiff](https://github.com/aim4r/VolDiff) - Malware Memory Footprint Analysis based on Volatility * [WindowsSCOPE](http://www.windowsscope.com/index.php?page=shop.product_details&flypage=flypage.tpl&product_id=35&category_id=3&option=com_virtuemart) - another memory forensics and reverse engineering tool used for analyzing volatile memory. It is basically used for reverse engineering of malwares. It provides the capability of analyzing the Windows kernel, drivers, DLLs, virtual and physical memory ### Memory Imaging Tools From cf07ef546a49b6470d1e576c37292a6e4ce0d1b9 Mon Sep 17 00:00:00 2001 From: Meir Wahnon Date: Sat, 20 May 2017 10:27:24 -0700 Subject: [PATCH 26/46] adding Panorama adding Panorama --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 3494e93..cd70aff 100644 --- a/README.md +++ b/README.md @@ -198,6 +198,7 @@ A curated list of tools and resources for security incident response, aimed to h * [IOC Finder](https://www.fireeye.com/services/freeware/ioc-finder.html) - IOC Finder is a free tool from Mandiant for collecting host system data and reporting the presence of Indicators of Compromise (IOCs). Support for Windows only * [Fidelis ThreatScanner](https://www.fidelissecurity.com/resources/fidelis-threatscanner) - Fidelis ThreatScanner is a free tool from Fidelis Cybersecurity that uses OpenIOC and YARA rules to report on the state of an endpoint. The user provides OpenIOC and YARA rules and executes the tool. ThreatScanner measures the state of the system and, when the run is complete, a report for any matching rules is generated. Windows Only. * [LOKI](https://github.com/Neo23x0/Loki) - Loki is a free IR scanner for scanning endpoint with yara rules and other indicators(IOCs) +* [Panorama](https://github.com/AlmCo/Panorama) - Fast incident overview on live Windows systems * [PowerForensics](https://github.com/Invoke-IR/PowerForensics) - Live disk forensics platform, using PowerShell * [PSRecon](https://github.com/gfoss/PSRecon/) - PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally * [RegRipper](https://code.google.com/p/regripper/wiki/RegRipper) - Regripper is an open source tool, written in Perl, for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis From 0472cd5c942afcc0f21b77b59fe16063bdfa1be5 Mon Sep 17 00:00:00 2001 From: Herman Slatman Date: Sat, 20 May 2017 22:22:43 +0200 Subject: [PATCH 27/46] Add Cyphon --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index cd70aff..a1e7e68 100644 --- a/README.md +++ b/README.md @@ -79,7 +79,7 @@ A curated list of tools and resources for security incident response, aimed to h ### Incident Management - +* [Cyphon](https://www.cyphon.io/) - Cyphon eliminates the headaches of incident management by streamlining a multitude of related tasks through a single platform. It receives, processes and triages events to provide an all-encompassing solution for your analytic workflow — aggregating data, bundling and prioritizing alerts, and empowering analysts to investigate and document incidents. * [Demisto](https://www.demisto.com/product/) - Demisto community edition(free) offers full Incident lifecycle management, Incident Closure Reports, team assignments and collaboration, and many integrations to enhance automations (like Active Directory, PagerDuty, Jira and much more...) * [FIR](https://github.com/certsocietegenerale/FIR/) - Fast Incident Response (FIR) is an cybersecurity incident management platform designed with agility and speed in mind. It allows for easy creation, tracking, and reporting of cybersecurity incidents and is useful for CSIRTs, CERTs and SOCs alike * [RTIR](https://www.bestpractical.com/rtir/) - Request Tracker for Incident Response (RTIR) is the premier open source incident handling system targeted for computer security teams. We worked with over a dozen CERT and CSIRT teams around the world to help you handle the ever-increasing volume of incident reports. RTIR builds on all the features of Request Tracker From 418e88965a53f0ca4a8677aa28238702bbe960f7 Mon Sep 17 00:00:00 2001 From: Herman Slatman Date: Sun, 28 May 2017 13:35:11 +0200 Subject: [PATCH 28/46] Add imagemounter --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index a1e7e68..4d8d058 100644 --- a/README.md +++ b/README.md @@ -141,6 +141,7 @@ A curated list of tools and resources for security incident response, aimed to h * [Fileintel](https://github.com/keithjjones/fileintel) - Pull intelligence per file hash * [Hindsight](https://github.com/obsidianforensics/hindsight) - Internet history forensics for Google Chrome/Chromium * [Hostintel](https://github.com/keithjjones/hostintel) - Pull intelligence per host +* [imagemounter](https://github.com/ralphje/imagemounter) - Command line utility and Python package to ease the (un)mounting of forensic disk images * [Kansa](https://github.com/davehull/Kansa/) - Kansa is a modular incident response framework in Powershell * [rastrea2r](https://github.com/aboutsecurity/rastrea2r) - allows one to scan disks and memory for IOCs using YARA on Windows, Linux and OS X * [RaQet](https://raqet.github.io/) - RaQet is an unconventional remote acquisition and triaging tool that allows triage a disk of a remote computer (client) that is restarted with a purposely built forensic operating system From 8972536973756357cb931364bf1b76162ae3db53 Mon Sep 17 00:00:00 2001 From: Adel Ka Date: Wed, 28 Jun 2017 15:07:55 +1000 Subject: [PATCH 29/46] sqhunter tool added --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 4d8d058..1c7beb2 100644 --- a/README.md +++ b/README.md @@ -134,6 +134,7 @@ A curated list of tools and resources for security incident response, aimed to h ### Other Tools +* [sqhunter](https://github.com/0x4d31/sqhunter) - a threat hunter based on osquery and Salt Open (SaltStack) that can issue ad-hoc or distributed queries without the need for osquery's tls plugin. sqhunter allows you to query open network sockets and check them against threat intelligence sources. * [Cortex](https://thehive-project.org) - Cortex allows you to analyze observables such as IP and email addresses, URLs, domain names, files or hashes one by one or in bulk mode using a Web interface. Analysts can also automate these operations using its REST API. * [Crits](https://crits.github.io/) - a web-based tool which combines an analytic engine with a cyber threat database * [domfind](https://github.com/diogo-fernan/domfind) - *domfind* is a Python DNS crawler for finding identical domain names under different TLDs. From a2fa9c460ca7fb1d65e8107aebeef1954161cbac Mon Sep 17 00:00:00 2001 From: Tomas Hertus Date: Wed, 28 Jun 2017 10:11:41 -0700 Subject: [PATCH 30/46] Add Metadefender Cloud --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 1c7beb2..3982c46 100644 --- a/README.md +++ b/README.md @@ -173,6 +173,7 @@ A curated list of tools and resources for security incident response, aimed to h * [Hybrid-Analysis](https://www.hybrid-analysis.com/) - Hybrid-Analysis is a free powerful online sandbox by Payload Security * [Malwr](https://malwr.com) - Malwr is a free online malware analysis service and community, which is powered by the Cuckoo Sandbox * [Mastiff](https://github.com/KoreLogicSecurity/mastiff) - MASTIFF is a static analysis framework that automates the process of extracting key characteristics from a number of different file formats +* [Metadefender Cloud](https://www.metadefender.com) - Metadefender is a free threat intelligence platform providing multiscanning, data sanitization and vulnerability assesment of files * [Viper](https://github.com/viper-framework/viper) - Viper is a python based binary analysis and management framework, that works well with Cuckoo and YARA * [Virustotal](https://www.virustotal.com) - Virustotal, a subsidiary of Google, is a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners * [Visualize_Logs](https://github.com/keithjjones/visualize_logs) - Open source From a4d0fc12169feb1bf8a20d42bd9f81d129f63cc1 Mon Sep 17 00:00:00 2001 From: Herman Slatman Date: Thu, 19 Oct 2017 08:16:07 +0200 Subject: [PATCH 31/46] Add Kolide Fleet Removed the old, out-dated Kolide entry --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3982c46..2e8222e 100644 --- a/README.md +++ b/README.md @@ -39,7 +39,7 @@ A curated list of tools and resources for security incident response, aimed to h * [Falcon Orchestrator](https://github.com/CrowdStrike/falcon-orchestrator) - Falcon Orchestrator by CrowdStrike is an extendable Windows-based application that provides workflow automation, case management and security response functionality. * [FIDO](https://github.com/Netflix/Fido) - Fully Integrated Defense Operation (FIDO) by Netflix is an orchestration layer used to automate the incident response process by evaluating, assessing and responding to malware. FIDO’s primary purpose is to handle the heavy manual effort needed to evaluate threats coming from today's security stack and the large number of alerts generated by them * [GRR Rapid Response](https://github.com/google/grr) - GRR Rapid Response is an incident response framework focused on remote live forensics. It consists of a python agent (client) that is installed on target systems, and a python server infrastructure that can manage and talk to the agent -* [Kolide](https://github.com/mephux/kolide) - Kolide is an agentless osquery web interface and remote api server. Kolide was designed to be extremely portable (a single binary) and performant while keeping the codebase simple. It replaces Envdb +* [Kolide Fleet](https://kolide.com/fleet) - Kolide Fleet is a state of the art host monitoring platform tailored for security experts. Leveraging Facebook's battle-tested osquery project, Kolide delivers fast answers to big questions. * [Limacharlie](https://github.com/refractionpoint/limacharlie) - an endpoint security platform. It is itself a collection of small projects all working together, and gives you a cross-platform (Windows, OSX, Linux, Android and iOS) low-level environment allowing you to manage and push additional modules into memory to extend its functionality * [MIG](http://mig.mozilla.org/) - Mozilla Investigator (MIG) is a platform to perform investigative surgery on remote endpoints. It enables investigators to obtain information from large numbers of systems in parallel, thus accelerating investigation of incidents and day-to-day operations security * [MozDef](https://github.com/mozilla/MozDef) - The Mozilla Defense Platform (MozDef) seeks to automate the security incident handling process and facilitate the real-time activities of incident handlers From 56e4f3bcc56a64bb748604664cb87d291f0d1c3b Mon Sep 17 00:00:00 2001 From: Herman Slatman Date: Fri, 20 Oct 2017 14:27:00 +0200 Subject: [PATCH 32/46] Add DumpsterFire And move sqhunter to turn the list into alphabetical order again --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 2e8222e..9a0e17a 100644 --- a/README.md +++ b/README.md @@ -134,10 +134,10 @@ A curated list of tools and resources for security incident response, aimed to h ### Other Tools -* [sqhunter](https://github.com/0x4d31/sqhunter) - a threat hunter based on osquery and Salt Open (SaltStack) that can issue ad-hoc or distributed queries without the need for osquery's tls plugin. sqhunter allows you to query open network sockets and check them against threat intelligence sources. * [Cortex](https://thehive-project.org) - Cortex allows you to analyze observables such as IP and email addresses, URLs, domain names, files or hashes one by one or in bulk mode using a Web interface. Analysts can also automate these operations using its REST API. * [Crits](https://crits.github.io/) - a web-based tool which combines an analytic engine with a cyber threat database * [domfind](https://github.com/diogo-fernan/domfind) - *domfind* is a Python DNS crawler for finding identical domain names under different TLDs. +* [DumpsterFire](https://github.com/TryCatchHCF/DumpsterFire) - The DumpsterFire Toolset is a modular, menu-driven, cross-platform tool for building repeatable, time-delayed, distributed security events. Easily create custom event chains for Blue Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations. * [Fenrir](https://github.com/Neo23x0/Fenrir) - Fenrir is a simple IOC scanner. It allows scanning any Linux/Unix/OSX system for IOCs in plain bash. Created by the creators of THOR and LOKI * [Fileintel](https://github.com/keithjjones/fileintel) - Pull intelligence per file hash * [Hindsight](https://github.com/obsidianforensics/hindsight) - Internet history forensics for Google Chrome/Chromium @@ -149,6 +149,7 @@ A curated list of tools and resources for security incident response, aimed to h * [Stalk](https://www.percona.com/doc/percona-toolkit/2.2/pt-stalk.html) - Collect forensic data about MySQL when problems occur * [SearchGiant](https://github.com/jadacyrus/searchgiant_cli) - a commandline utility to acquire forensic data from cloud services * [Stenographer](https://github.com/google/stenographer) - Stenographer is a packet capture solution which aims to quickly spool all packets to disk, then provide simple, fast access to subsets of those packets. It stores as much history as it possible, managing disk usage, and deleting when disk limits are hit. It's ideal for capturing the traffic just before and during an incident, without the need explicit need to store all of the network traffic +* [sqhunter](https://github.com/0x4d31/sqhunter) - a threat hunter based on osquery and Salt Open (SaltStack) that can issue ad-hoc or distributed queries without the need for osquery's tls plugin. sqhunter allows you to query open network sockets and check them against threat intelligence sources. * [traceroute-circl](https://github.com/CIRCL/traceroute-circl) - traceroute-circl is an extended traceroute to support the activities of CSIRT (or CERT) operators. Usually CSIRT team have to handle incidents based on IP addresses received. Created by Computer Emergency Responce Center Luxembourg * [X-Ray 2.0](https://www.raymond.cc/blog/xray/) - A Windows utility (poorly maintained or no longer maintained) to submit virus samples to AV vendors From 2a5218dade4aba08abaad28a02a5e931900b19e9 Mon Sep 17 00:00:00 2001 From: Brie Carranza Date: Tue, 24 Oct 2017 17:02:40 -0400 Subject: [PATCH 33/46] Add morgue by etsy --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 9a0e17a..2bbff29 100644 --- a/README.md +++ b/README.md @@ -183,6 +183,7 @@ A curated list of tools and resources for security incident response, aimed to h ### Timeline tools * [Highlighter](https://www.fireeye.com/services/freeware/highlighter.html) - Free Tool available from Fire/Mandiant that will depict log/text file that can highlight areas on the graphic, that corresponded to a key word or phrase. Good for time lining an infection and what was done post compromise +* [Morgue](https://github.com/etsy/morgue) - A PHP Web app by Etsy for managing postmortems. * [Plaso](https://github.com/log2timeline/plaso) - a Python-based backend engine for the tool log2timeline * [Timesketch](https://github.com/google/timesketch) - open source tool for collaborative forensic timeline analysis From 5ed90e27586106ae388098823203209d56a965d0 Mon Sep 17 00:00:00 2001 From: sabandosoleda <25098792+sabandosoleda@users.noreply.github.com> Date: Sat, 4 Nov 2017 16:52:43 +0100 Subject: [PATCH 34/46] Add Bitscout Please add Bitscout as a trustable remote forensics and acquisition livecd builder tool! Thank you --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 2bbff29..3105fff 100644 --- a/README.md +++ b/README.md @@ -69,6 +69,7 @@ A curated list of tools and resources for security incident response, aimed to h * [GetData Forensic Imager](http://www.forensicimager.com/) - GetData Forensic Imager is a Windows based program that will acquire, convert, or verify a forensic image in one of the following common forensic file formats * [Guymager](http://guymager.sourceforge.net) - Guymager is a free forensic imager for media acquisition on Linux * [Magnet ACQUIRE](https://www.magnetforensics.com/magnet-acquire/) - ACQUIRE by Magnet Forensics allows various types of disk acquisitions to be performed on Windows, Linux, and OS X as well as mobile operating systems. +* [Bitscout](https://github.com/vitaly-kamluk/bitscout) - Bitscout by Vitaly Kamluk helps you build your fully-trusted customizable LiveCD/LiveUSB image to be used for remote digital forensics (or perhaps any other task of your choice). It is meant to be transparent and monitorable by the owner of the system, forensically sound, customizable and compact. ### Evidence Collection From 8fedf97fa65d7ac6247c99e0d7a60c51527d101e Mon Sep 17 00:00:00 2001 From: sabandosoleda <25098792+sabandosoleda@users.noreply.github.com> Date: Sat, 4 Nov 2017 18:35:36 +0100 Subject: [PATCH 35/46] fixed alphabetical order --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3105fff..fe7c0ff 100644 --- a/README.md +++ b/README.md @@ -66,10 +66,10 @@ A curated list of tools and resources for security incident response, aimed to h ### Disk Image Creation Tools * [AccessData FTK Imager](http://accessdata.com/product-download/?/support/adownloads#FTKImager) - AccessData FTK Imager is a forensics tool whose main purpose is to preview recoverable data from a disk of any kind. FTK Imager can also acquire live memory and paging file on 32bit and 64bit systems +* [Bitscout](https://github.com/vitaly-kamluk/bitscout) - Bitscout by Vitaly Kamluk helps you build your fully-trusted customizable LiveCD/LiveUSB image to be used for remote digital forensics (or perhaps any other task of your choice). It is meant to be transparent and monitorable by the owner of the system, forensically sound, customizable and compact. * [GetData Forensic Imager](http://www.forensicimager.com/) - GetData Forensic Imager is a Windows based program that will acquire, convert, or verify a forensic image in one of the following common forensic file formats * [Guymager](http://guymager.sourceforge.net) - Guymager is a free forensic imager for media acquisition on Linux * [Magnet ACQUIRE](https://www.magnetforensics.com/magnet-acquire/) - ACQUIRE by Magnet Forensics allows various types of disk acquisitions to be performed on Windows, Linux, and OS X as well as mobile operating systems. -* [Bitscout](https://github.com/vitaly-kamluk/bitscout) - Bitscout by Vitaly Kamluk helps you build your fully-trusted customizable LiveCD/LiveUSB image to be used for remote digital forensics (or perhaps any other task of your choice). It is meant to be transparent and monitorable by the owner of the system, forensically sound, customizable and compact. ### Evidence Collection From 4d615bbeaf0b4f82027f5e789b56df6b24e1ef40 Mon Sep 17 00:00:00 2001 From: Theta Gamma Date: Wed, 15 Nov 2017 11:36:12 +0100 Subject: [PATCH 36/46] Update README.md FIDO is deprecated at Netflix and this repository is no longer maintained. -> removed added CCF-VM to linux-distributions --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index fe7c0ff..49221d3 100644 --- a/README.md +++ b/README.md @@ -37,7 +37,6 @@ A curated list of tools and resources for security incident response, aimed to h * [Doorman](https://github.com/mwielgoszewski/doorman) - Doorman is an osquery fleet manager that allows remote management of osquery configurations retrieved by nodes. It takes advantage of osquery's TLS configuration, logger, and distributed read/write endpoints, to give administrators visibility across a fleet of devices with minimal overhead and intrusiveness * [Envdb](https://github.com/mephux/envdb) - Envdb turns your production, dev, cloud, etc environments into a database cluster you can search using osquery as the foundation. It wraps the osquery process with a (cluster) node agent that can communicate back to a central location * [Falcon Orchestrator](https://github.com/CrowdStrike/falcon-orchestrator) - Falcon Orchestrator by CrowdStrike is an extendable Windows-based application that provides workflow automation, case management and security response functionality. -* [FIDO](https://github.com/Netflix/Fido) - Fully Integrated Defense Operation (FIDO) by Netflix is an orchestration layer used to automate the incident response process by evaluating, assessing and responding to malware. FIDO’s primary purpose is to handle the heavy manual effort needed to evaluate threats coming from today's security stack and the large number of alerts generated by them * [GRR Rapid Response](https://github.com/google/grr) - GRR Rapid Response is an incident response framework focused on remote live forensics. It consists of a python agent (client) that is installed on target systems, and a python server infrastructure that can manage and talk to the agent * [Kolide Fleet](https://kolide.com/fleet) - Kolide Fleet is a state of the art host monitoring platform tailored for security experts. Leveraging Facebook's battle-tested osquery project, Kolide delivers fast answers to big questions. * [Limacharlie](https://github.com/refractionpoint/limacharlie) - an endpoint security platform. It is itself a collection of small projects all working together, and gives you a cross-platform (Windows, OSX, Linux, Android and iOS) low-level environment allowing you to manage and push additional modules into memory to extend its functionality @@ -91,6 +90,7 @@ A curated list of tools and resources for security incident response, aimed to h * [ADIA](https://forensics.cert.org/#ADIA) - The Appliance for Digital Investigation and Analysis (ADIA) is a VMware-based appliance used for digital investigation and acquisition and is built entirely from public domain software. Among the tools contained in ADIA are Autopsy, the Sleuth Kit, the Digital Forensics Framework, log2timeline, Xplico, and Wireshark. Most of the system maintenance uses Webmin. It is designed for small-to-medium sized digital investigations and acquisitions. The appliance runs under Linux, Windows, and Mac OS. Both i386 (32-bit) and x86_64 (64-bit) versions are available. * [CAINE](http://www.caine-live.net/index.html) - The Computer Aided Investigative Environment (CAINE) contains numerous tools that help investigators during their analysis, including forensic evidence collection +* [CCF-VM](https://github.com/rough007/CCF-VM) CyLR CDQR Forensics Virtual Machine (CCF-VM): An all-in-one solution to parsing collected data, making it easily searchable with built-in common searches, enable searching of single and multiple hosts simultaneously * [DEFT](http://www.deftlinux.net/) - The Digital Evidence & Forensics Toolkit (DEFT) is a Linux distribution made for computer forensic evidence collection. It comes bundled with the Digital Advanced Response Toolkit (DART) for Windows. A light version of DEFT, called DEFT Zero, is also available, which is focused primarily on forensically sound evidence collection * [NST - Network Security Toolkit](https://sourceforge.net/projects/nst/files/latest/download?source=files) - Linux distribution that includes a vast collection of best-of-breed open source network security applications useful to the network security professional * [PALADIN](https://sumuri.com/software/paladin/) - PALADIN is a modified Linux distribution to perform various forenics task in a forensically sound manner. It comes with many open source forensics tools included @@ -188,6 +188,7 @@ A curated list of tools and resources for security incident response, aimed to h * [Plaso](https://github.com/log2timeline/plaso) - a Python-based backend engine for the tool log2timeline * [Timesketch](https://github.com/google/timesketch) - open source tool for collaborative forensic timeline analysis + ### Videos * [Demisto IR video resources](https://www.demisto.com/category/videos/) - Video Resources for Incident Response and Forensics Tools From 2bed4f7cb2fc4f496cf5b675003562f9caddbcee Mon Sep 17 00:00:00 2001 From: Theta Gamma Date: Wed, 15 Nov 2017 11:40:55 +0100 Subject: [PATCH 37/46] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 49221d3..85fcb43 100644 --- a/README.md +++ b/README.md @@ -90,7 +90,7 @@ A curated list of tools and resources for security incident response, aimed to h * [ADIA](https://forensics.cert.org/#ADIA) - The Appliance for Digital Investigation and Analysis (ADIA) is a VMware-based appliance used for digital investigation and acquisition and is built entirely from public domain software. Among the tools contained in ADIA are Autopsy, the Sleuth Kit, the Digital Forensics Framework, log2timeline, Xplico, and Wireshark. Most of the system maintenance uses Webmin. It is designed for small-to-medium sized digital investigations and acquisitions. The appliance runs under Linux, Windows, and Mac OS. Both i386 (32-bit) and x86_64 (64-bit) versions are available. * [CAINE](http://www.caine-live.net/index.html) - The Computer Aided Investigative Environment (CAINE) contains numerous tools that help investigators during their analysis, including forensic evidence collection -* [CCF-VM](https://github.com/rough007/CCF-VM) CyLR CDQR Forensics Virtual Machine (CCF-VM): An all-in-one solution to parsing collected data, making it easily searchable with built-in common searches, enable searching of single and multiple hosts simultaneously +* [CCF-VM](https://github.com/rough007/CCF-VM) - CyLR CDQR Forensics Virtual Machine (CCF-VM): An all-in-one solution to parsing collected data, making it easily searchable with built-in common searches, enable searching of single and multiple hosts simultaneously * [DEFT](http://www.deftlinux.net/) - The Digital Evidence & Forensics Toolkit (DEFT) is a Linux distribution made for computer forensic evidence collection. It comes bundled with the Digital Advanced Response Toolkit (DART) for Windows. A light version of DEFT, called DEFT Zero, is also available, which is focused primarily on forensically sound evidence collection * [NST - Network Security Toolkit](https://sourceforge.net/projects/nst/files/latest/download?source=files) - Linux distribution that includes a vast collection of best-of-breed open source network security applications useful to the network security professional * [PALADIN](https://sumuri.com/software/paladin/) - PALADIN is a modified Linux distribution to perform various forenics task in a forensically sound manner. It comes with many open source forensics tools included From e5637704ba6eff28157016358a36ae8857683810 Mon Sep 17 00:00:00 2001 From: "Yogesh Khatri (@swiftforensics)" Date: Sun, 7 Jan 2018 00:11:05 -0500 Subject: [PATCH 38/46] Added mac_apt under OSX category --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 85fcb43..6170212 100644 --- a/README.md +++ b/README.md @@ -130,6 +130,7 @@ A curated list of tools and resources for security incident response, aimed to h ### OSX Evidence Collection * [Knockknock](https://github.com/synack/knockknock) - Displays persistent items(scripts, commands, binaries, etc.) that are set to execute automatically on OSX +* [mac_apt - macOS Artifact Parsing Tool](https://github.com/ydkhatri/mac_apt) - Plugin based forensics framework for quick mac triage that works on live machines, disk images or individual artifact files * [OSX Auditor](https://github.com/jipegit/OSXAuditor) - OSX Auditor is a free Mac OS X computer forensics tool * [OSX Collector](https://github.com/yelp/osxcollector) - An OSX Auditor offshoot for live response From ba892960f303bf2febb1df7b2978542d23cee703 Mon Sep 17 00:00:00 2001 From: Alexander J Date: Sun, 14 Jan 2018 17:36:48 +0100 Subject: [PATCH 39/46] API list Hope that is good enough for the awesome list. --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 6170212..8ff3b35 100644 --- a/README.md +++ b/README.md @@ -136,6 +136,7 @@ A curated list of tools and resources for security incident response, aimed to h ### Other Tools +* [Various APIs](https://github.com/deralexxx/security-apis) - A collective list of public JSON APIs for use in security. * [Cortex](https://thehive-project.org) - Cortex allows you to analyze observables such as IP and email addresses, URLs, domain names, files or hashes one by one or in bulk mode using a Web interface. Analysts can also automate these operations using its REST API. * [Crits](https://crits.github.io/) - a web-based tool which combines an analytic engine with a cyber threat database * [domfind](https://github.com/diogo-fernan/domfind) - *domfind* is a Python DNS crawler for finding identical domain names under different TLDs. From 69977b1bf4c7a27615fb0c52d06394043e90a52a Mon Sep 17 00:00:00 2001 From: Alexander J Date: Sun, 14 Jan 2018 17:38:06 +0100 Subject: [PATCH 40/46] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8ff3b35..a00ac0e 100644 --- a/README.md +++ b/README.md @@ -136,7 +136,7 @@ A curated list of tools and resources for security incident response, aimed to h ### Other Tools -* [Various APIs](https://github.com/deralexxx/security-apis) - A collective list of public JSON APIs for use in security. +* [APIs (various)](https://github.com/deralexxx/security-apis) - A collective list of public JSON APIs for use in security. * [Cortex](https://thehive-project.org) - Cortex allows you to analyze observables such as IP and email addresses, URLs, domain names, files or hashes one by one or in bulk mode using a Web interface. Analysts can also automate these operations using its REST API. * [Crits](https://crits.github.io/) - a web-based tool which combines an analytic engine with a cyber threat database * [domfind](https://github.com/diogo-fernan/domfind) - *domfind* is a Python DNS crawler for finding identical domain names under different TLDs. From 8be7413c8cf2d649f30f3ad7ed091a2e4f84e6a2 Mon Sep 17 00:00:00 2001 From: Alexander J Date: Tue, 16 Jan 2018 13:11:00 +0100 Subject: [PATCH 41/46] Update README.md --- README.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index a00ac0e..72725a9 100644 --- a/README.md +++ b/README.md @@ -105,6 +105,11 @@ A curated list of tools and resources for security incident response, aimed to h * [Lorg](https://github.com/jensvoid/lorg) - a tool for advanced HTTPD logfile security analysis and forensics +### Lists / Awesome Lists + +* [APIs (various)](https://github.com/deralexxx/security-apis) - A collective list of public JSON APIs for use in security. + + ### Memory Analysis Tools * [Evolve](https://github.com/JamesHabben/evolve) - Web interface for the Volatility Memory Forensics Framework @@ -136,7 +141,6 @@ A curated list of tools and resources for security incident response, aimed to h ### Other Tools -* [APIs (various)](https://github.com/deralexxx/security-apis) - A collective list of public JSON APIs for use in security. * [Cortex](https://thehive-project.org) - Cortex allows you to analyze observables such as IP and email addresses, URLs, domain names, files or hashes one by one or in bulk mode using a Web interface. Analysts can also automate these operations using its REST API. * [Crits](https://crits.github.io/) - a web-based tool which combines an analytic engine with a cyber threat database * [domfind](https://github.com/diogo-fernan/domfind) - *domfind* is a Python DNS crawler for finding identical domain names under different TLDs. From 17d24c69deea3f6260a87517e4a6f0274cb6a8d1 Mon Sep 17 00:00:00 2001 From: Meir Wahnon Date: Wed, 17 Jan 2018 17:56:55 +0200 Subject: [PATCH 42/46] adding helk adding helk --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 6170212..bbe7cdb 100644 --- a/README.md +++ b/README.md @@ -142,6 +142,7 @@ A curated list of tools and resources for security incident response, aimed to h * [DumpsterFire](https://github.com/TryCatchHCF/DumpsterFire) - The DumpsterFire Toolset is a modular, menu-driven, cross-platform tool for building repeatable, time-delayed, distributed security events. Easily create custom event chains for Blue Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations. * [Fenrir](https://github.com/Neo23x0/Fenrir) - Fenrir is a simple IOC scanner. It allows scanning any Linux/Unix/OSX system for IOCs in plain bash. Created by the creators of THOR and LOKI * [Fileintel](https://github.com/keithjjones/fileintel) - Pull intelligence per file hash +* [HELK](https://github.com/Cyb3rWard0g/HELK) - Threat Hunting platform * [Hindsight](https://github.com/obsidianforensics/hindsight) - Internet history forensics for Google Chrome/Chromium * [Hostintel](https://github.com/keithjjones/hostintel) - Pull intelligence per host * [imagemounter](https://github.com/ralphje/imagemounter) - Command line utility and Python package to ease the (un)mounting of forensic disk images From d88c1b898f53a0ecd663becb89258c9aa22f1052 Mon Sep 17 00:00:00 2001 From: chadmando Date: Mon, 19 Feb 2018 09:56:16 -0600 Subject: [PATCH 43/46] Fix Books section DFIR Intro link Scott Roberts DFIR Intro link is broken, pointed to his Medium post on the same topic --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index bbe7cdb..812c399 100644 --- a/README.md +++ b/README.md @@ -53,7 +53,7 @@ A curated list of tools and resources for security incident response, aimed to h ### Books -* [Dfir intro](http://sroberts.github.io/2016/01/11/introduction-to-dfir-the-beginning/) - By Scott J. Roberts +* [Dfir intro](https://medium.com/@sroberts/introduction-to-dfir-d35d5de4c180/) - By Scott J. Roberts * [The Practice of Network Security Monitoring: Understanding Incident Detection and Response](http://www.amazon.com/gp/product/1593275099) - Richard Bejtlich's book on IR ### Communities From cbe381c8f50f96f1350e6f349ad6b6d01ab4179b Mon Sep 17 00:00:00 2001 From: Alexander J Date: Tue, 20 Feb 2018 21:13:47 +0100 Subject: [PATCH 44/46] Update README.md updated --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 72725a9..ab1dd26 100644 --- a/README.md +++ b/README.md @@ -105,9 +105,9 @@ A curated list of tools and resources for security incident response, aimed to h * [Lorg](https://github.com/jensvoid/lorg) - a tool for advanced HTTPD logfile security analysis and forensics -### Lists / Awesome Lists +### Other Lists / Other Awesome Lists -* [APIs (various)](https://github.com/deralexxx/security-apis) - A collective list of public JSON APIs for use in security. +* [List of various Security APIs](https://github.com/deralexxx/security-apis) - A collective list of public JSON APIs for use in security. ### Memory Analysis Tools From 700ed12699860701b59d297fc45954dbf68ab753 Mon Sep 17 00:00:00 2001 From: Alexander J Date: Tue, 20 Feb 2018 22:24:07 +0100 Subject: [PATCH 45/46] Update README.md --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index ab1dd26..2cde0eb 100644 --- a/README.md +++ b/README.md @@ -17,6 +17,7 @@ A curated list of tools and resources for security incident response, aimed to h - [Memory Analysis Tools](#memory-analysis-tools) - [Memory Imaging Tools](#memory-imaging-tools) - [OSX Evidence Collection](#osx-evidence-collection) +- [Other lists](#other-lists) - [Other tools](#other-tools) - [Playbooks](#playbooks) - [Process Dump Tools](#process-dump-tools) @@ -105,11 +106,6 @@ A curated list of tools and resources for security incident response, aimed to h * [Lorg](https://github.com/jensvoid/lorg) - a tool for advanced HTTPD logfile security analysis and forensics -### Other Lists / Other Awesome Lists - -* [List of various Security APIs](https://github.com/deralexxx/security-apis) - A collective list of public JSON APIs for use in security. - - ### Memory Analysis Tools * [Evolve](https://github.com/JamesHabben/evolve) - Web interface for the Volatility Memory Forensics Framework @@ -139,6 +135,10 @@ A curated list of tools and resources for security incident response, aimed to h * [OSX Auditor](https://github.com/jipegit/OSXAuditor) - OSX Auditor is a free Mac OS X computer forensics tool * [OSX Collector](https://github.com/yelp/osxcollector) - An OSX Auditor offshoot for live response +### Other Lists + +* [List of various Security APIs](https://github.com/deralexxx/security-apis) - A collective list of public JSON APIs for use in security. + ### Other Tools * [Cortex](https://thehive-project.org) - Cortex allows you to analyze observables such as IP and email addresses, URLs, domain names, files or hashes one by one or in bulk mode using a Web interface. Analysts can also automate these operations using its REST API. From 214aaeec303eaf0f5c7027d62ad37a2183203a40 Mon Sep 17 00:00:00 2001 From: TenphyX Date: Sun, 18 Mar 2018 00:17:07 +0800 Subject: [PATCH 46/46] Update as per the lastest EN version MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Update Chinese version as per the latest English version. Replace "," with ",“ --- README_ch.md | 178 +++++++++++++++++++++++++++++---------------------- 1 file changed, 101 insertions(+), 77 deletions(-) diff --git a/README_ch.md b/README_ch.md index 75a8905..3827f48 100644 --- a/README_ch.md +++ b/README_ch.md @@ -1,20 +1,23 @@ -# 应急响应大合集 -用于安全事件响应的工具与资源的列表,旨在帮助安全分析师与 [DFIR](http://www.acronymfinder.com/Digital-Forensics%2c-Incident-Response-(DFIR).html) 团队 +# 应急响应大合集 +用于安全事件响应的工具与资源的列表,旨在帮助安全分析师与 [DFIR](http://www.acronymfinder.com/Digital-Forensics%2c-Incident-Response-(DFIR).html) 团队。 [![Awesome](https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg)](https://github.com/sindresorhus/awesome) +## 目录 + - [工具集](#工具集) - [书籍](#书籍) - [社区](#社区) - [磁盘镜像创建工具](#磁盘镜像创建工具) - [证据收集](#证据收集) -- [应急管理](#应急管理) +- [事件管理](#事件管理) - [Linux 发行版](#Linux发行版) - [Linux 证据收集](#Linux证据收集) - [日志分析工具](#日志分析工具) - [内存分析工具](#内存分析工具) - [内存镜像工具](#内存镜像工具) - [OSX 证据收集](#osx证据收集) +- [其它清单](#其它清单) - [其他工具](#其他工具) - [Playbooks](#playbooks) - [进程 Dump 工具](#进程Dump工具) @@ -27,69 +30,73 @@ ### 工具集 -* [Belkasoft Evidence Center](https://belkasoft.com/ec) - 该工具包通过分析硬件驱动、驱动镜像、内存转储、iOS、黑莓与安卓系统备份、UFED、JTAG 与 chip-off 转储来快速从多个源提取数字证据 -* [CimSweep](https://github.com/PowerShellMafia/CimSweep) - CimSweep 是一套基于 CIM/WMI 的工具,能够在所有版本的 Windows 上执行远程事件响应 -* [CIRTkit](https://github.com/byt3smith/CIRTKit) - CIRTKit 不仅是一个工具集合,更是一个框架,帮助在事件响应与取证调查过程中统一 -* [Cyber Triage](http://www.cybertriage.com) - Cyber Triage 远程收集\分析终端数据,以帮助确定计算机是否被入侵.其专注易用性与自动化,采用无代理方法使公司在没有重大基础设施\没有取证专家团队的情况下做出响应,其结果用于决定是否应该被擦除或者进行进一步调查 -* [Digital Forensics Framework](http://www.arxsys.fr/discover/) - DFF 是一个建立在专用 API 之上的开源计算机取证框架,DFF 提出了一种替代目前老旧的数字取证解决方案,其设计简单\更加自动化,通过 DFF 接口可以帮助用户进行数字调查取证的主要步骤,专业与非专业人员都可以快速的进行数字取证并执行事件响应 -* [Doorman](https://github.com/mwielgoszewski/doorman) - Doorman 是一个 osquery 的管理平台,可以远程管理节点的 osquery 配置.它利用 osquery 的 TLS 配置\记录器\分布式读写等优势为管理员提供最小开销的管理 -* [Envdb](https://github.com/mephux/envdb) - Envdb 将你的生产\开发\云等环境变成数据库集群,你可以使用 osquery 作为基础搜索,它可以和集群中心节点包装 osquery 的查询过程 -* [Falcon Orchestrator](https://github.com/CrowdStrike/falcon-orchestrator) - Falcon Orchestrator 是由 CrowdStrike 提供的一个基于 Windows 可扩展的应用程序,提供工作流自动化、案例管理与安全应急响应等功能 -* [FIDO](https://github.com/Netflix/Fido) - Netflix 开发的 Fully Integrated Defense Operation (FIDO) 用于自动化评估\响应恶意软件入侵响应过程,FIDO 的主要目的是协助处理大量的手动工作来评估对安全堆栈的威胁与生成的大量警报 -* [GRR Rapid Response](https://github.com/google/grr) - GRR Rapid Response 是一个用来远程现场取证的应急响应框架,其带有一个可以管理客户端的 Python 编写的服务器 -* [Kolide](https://github.com/mephux/kolide) - Kolide 是一个无代理的 osquery Web 接口与远程 API 服务器,Kolide 作为 Envdb 替代品的设计理念就是极度便携(仅有一个可执行程序),在保持代码简单的情况下保持性能 -* [Limacharlie](https://github.com/refractionpoint/limacharlie) - 一个终端安全平台,它本身是一个小项目的集合,并提供了一个跨平台的低级环境,你可以管理并推送附加功能进入内存给程序扩展功能 -* [MIG](http://mig.mozilla.org/) - Mozilla Investigator (MIG) 是一个在远程终端执行调查的平台,它可以在大量系统中并行获取数据,从而加速事故调查与保证日常业务安全 -* [MozDef](https://github.com/mozilla/MozDef) - Mozilla Defense Platform (MozDef) 旨在帮助安全事件处理自动化,并促进事件的实时处理 -* [nightHawk](https://github.com/biggiesmallsAG/nightHawkResponse) - nightHawk Response Platform 是一个以 ElasticSearch 为后台的异步取证数据呈现的应用程序,设计与 Redline 配合调查 -* [Open Computer Forensics Architecture](http://sourceforge.net/projects/ocfa/) - Open Computer Forensics Architecture (OCFA) 是另一个分布式开源计算机取证框架,这个框架建立在 Linux 平台上,并使用 postgreSQL 数据库来存储数据 -* [Osquery](https://osquery.io/) - osquery 可以找到 Linux 与 OSX 基础设施的问题,无论你是要入侵检测还是基础架构可靠性检查 osquery 都能够帮助你提高公司内部的安全组织能力, *incident-response pack* 可以帮助你进行检测\响应活动 +* [Belkasoft Evidence Center](https://belkasoft.com/ec) - 该工具包可以快速从多个数据源提取电子证据,包括硬盘、硬盘镜像、内存转储、iOS、黑莓与安卓系统备份、UFED、JTAG 与 chip-off 转储。 +* [CimSweep](https://github.com/PowerShellMafia/CimSweep) - CimSweep 是一套基于 CIM/WMI 的工具,提供在所有版本的 Windows 上执行远程事件响应和追踪。 +* [CIRTkit](https://github.com/byt3smith/CIRTKit) - CIRTKit 不仅是一个工具集合,更是一个框架,统筹事件响应与取证调查的进程。 +* [Cyber Triage](http://www.cybertriage.com) - Cyber Triage 远程收集分析终端数据,以帮助确定计算机是否被入侵。其专注易用性与自动化,采用无代理的部署方法使公司在没有重大基础设施及取证专家团队的情况下做出响应。其分析结果用于决定该终端是否应该被擦除或者进行进一步调查。 +* [Digital Forensics Framework](http://www.arxsys.fr/discover/) - DFF 是一个建立在专用 API 之上的开源计算机取证平台,DFF 提出了一种替代目前老旧的数字取证解决方案。其设计简单、更加易于自动化。DFF 接口可以帮助用户进行数字调查取证的主要步骤,专业与非专业人员都可以快速的进行数字取证并执行事件响应。 +* [Doorman](https://github.com/mwielgoszewski/doorman) - Doorman 是一个 osquery 的管理平台,可以远程管理节点的 osquery 配置。它利用 osquery 的 TLS 配置\记录器\分布式读写等优势仅以最小开销和侵入性为管理员提供一组设备的管理可见性。 +* [Envdb](https://github.com/mephux/envdb) - Envdb 将你的生产\开发\云等环境变成数据库集群,你可以使用 osquery 作为基础搜索。它将 osquery 的查询进程和一个agent打包在一起向一个集中位置发送。 +* [Falcon Orchestrator](https://github.com/CrowdStrike/falcon-orchestrator) - Falcon Orchestrator 是由 CrowdStrike 提供的一个基于 Windows 可扩展的应用程序,提供工作流自动化、案例管理与安全应急响应等功能。 +* [GRR Rapid Response](https://github.com/google/grr) - GRR Rapid Response 是一个用来远程现场实时取证的应急响应框架,其带有一个python客户端安装在目标系统以及一个可以管理客户端的 Python 编写的服务器。 +* [Kolide Fleet](https://kolide.com/fleet) - Kolide Fleet 是一个为安全专家定制的先进的主机监控平台。通过利用Facebook经过实战检验的 osquery 项目,Kolide 能够快速回答复杂问题。 +* [Limacharlie](https://github.com/refractionpoint/limacharlie) - 一个终端安全平台,它本身是一个小项目的集合,并提供了一个跨操作系统的低级环境,你可以管理并推送附加功能进入内存给程序扩展功能。 +* [MIG](http://mig.mozilla.org/) - Mozilla Investigator (MIG) 是一个在远程终端执行调查的平台,它可以在大量系统中并行获取数据,从而加速事故调查与日常业务安全 +* [MozDef](https://github.com/mozilla/MozDef) - Mozilla Defense Platform (MozDef) 旨在帮助安全事件处理自动化,并促进事件的实时处理。 +* [nightHawk](https://github.com/biggiesmallsAG/nightHawkResponse) - nightHawk Response Platform 是一个以 ElasticSearch 为后台的异步取证数据呈现的应用程序,设计与 Redline 配合调查。 +* [Open Computer Forensics Architecture](http://sourceforge.net/projects/ocfa/) - Open Computer Forensics Architecture (OCFA) 是另一个分布式开源计算机取证框架,这个框架建立在 Linux 平台上,并使用 postgreSQL 数据库来存储数据。 +* [Osquery](https://osquery.io/) - osquery 可以找到 Linux 与 OSX 基础设施的问题,无论你是要入侵检测、基础架构可靠性检查或者合规性检查,osquery 都能够帮助你提高公司内部的安全组织能力, *incident-response pack* 可以帮助你进行检测\响应活动。 * [Redline](https://www.fireeye.com/services/freeware/redline.html) - 为用户提供主机调查工具,通过内存与文件分析来找到恶意行为的活动迹象,包括对威胁评估配置文件的开发 * [The Sleuth Kit & Autopsy](http://www.sleuthkit.org) - Sleuth Kit 是基于 Unix 和 Windows 的工具,可以帮助计算机取证分析,其中包含各种协助取证的工具,比如分析磁盘镜像、文件系统深度分析等 -* [TheHive](https://thehive-project.org/) - TheHive 是一个可扩展的三个一开源解决方案,旨在让 SOC、CSIRT、CERT 或其他任何信息安全从业人员方便的进行安全事件调查 -* [X-Ways Forensics](http://www.x-ways.net/forensics/) - X-Ways 是一个用于磁盘克隆、镜像的工具,可以查找已经删除的文件并进行磁盘分析 -* [Zentral](https://github.com/zentralopensource/zentral) - 与 osquery 强大的端点清单保护能力相结合,通知与行动都灵活的框架,可以快速对 OS X 与 Linux 客户机上的更改做出识别与响应 +* [TheHive](https://thehive-project.org/) - TheHive 是一个可扩展的三合一开源解决方案,旨在让 SOC、CSIRT、CERT 或其他任何信息安全从业人员快速地进行安全事件调查。 +* [X-Ways Forensics](http://www.x-ways.net/forensics/) - X-Ways 是一个用于磁盘克隆、镜像的工具,可以查找已经删除的文件并进行磁盘分析。 +* [Zentral](https://github.com/zentralopensource/zentral) - 与 osquery 强大的端点清单保护能力相结合,通知与行动都灵活的框架,可以快速对 OS X 与 Linux 客户机上的更改做出识别与响应。 ### 书籍 -* [Dfir intro](http://sroberts.github.io/2016/01/11/introduction-to-dfir-the-beginning/) - 作者:Scott J. Roberts +* [Dfir intro](https://medium.com/@sroberts/introduction-to-dfir-d35d5de4c180/)) - 作者:Scott J. Roberts * [The Practice of Network Security Monitoring: Understanding Incident Detection and Response](http://www.amazon.com/gp/product/1593275099) - 作者:Richard Bejtlich ### 社区 +* [augmentd](https://augmentd.co/) - 这是一家社区驱动的网站,上面提供了一个可通过不同的常用安全工具部署执行的搜索清单 * [Sans DFIR mailing list](https://lists.sans.org/mailman/listinfo/dfir) - Mailing list by SANS for DFIR * [Slack DFIR channel](https://dfircommunity.slack.com) - Slack DFIR Communitiy channel - [Signup here](https://rishi28.typeform.com/to/sTbTI8) ### 磁盘镜像创建工具 -* [AccessData FTK Imager](http://accessdata.com/product-download/?/support/adownloads#FTKImager) - AccessData FTK Imager 是一个从任何类型的磁盘中预览可恢复数据的取证工具,FTK Imager 可以在 32\64 位系统上实时采集内存与页面文件 -* [GetData Forensic Imager](http://www.forensicimager.com/) - GetData Forensic Imager 是一个基于 Windows 程序,将常见的文件格式进行获取\转换\验证取证 -* [Guymager](http://guymager.sourceforge.net) - Guymager 是一个用于 Linux 上媒体采集的免费镜像取证器 -* [Magnet ACQUIRE](https://www.magnetforensics.com/magnet-acquire/) - Magnet Forensics 开发的 ACQUIRE 可以在不同类型的磁盘上执行取证,包括 Windows\Linux\OS X 与移动操作系统 +* [AccessData FTK Imager](http://accessdata.com/product-download/?/support/adownloads#FTKImager) - AccessData FTK Imager 是一个从任何类型的磁盘中预览可恢复数据的取证工具,FTK Imager 可以在 32\64 位系统上实时采集内存与页面文件。 +* [Bitscout](https://github.com/vitaly-kamluk/bitscout) - Vitaly Kamluk 开发的 Bitscout 可以帮助你定制一个完全可信的 LiveCD/LiveUSB 镜像以供远程数字取证使用(或者你需要的其它任务)。它对系统所有者透明且可被监控,同时可用于法庭质证、可定制且紧凑。 +* [GetData Forensic Imager](http://www.forensicimager.com/) - GetData Forensic Imager 是一个基于 Windows 程序,将常见的镜像文件格式进行获取\转换\验证取证 +* [Guymager](http://guymager.sourceforge.net) - Guymager 是一个用于 Linux 上媒体采集的免费镜像取证器。 +* [Magnet ACQUIRE](https://www.magnetforensics.com/magnet-acquire/) - Magnet Forensics 开发的 ACQUIRE 可以在不同类型的磁盘上执行取证,包括 Windows\Linux\OS X 与移动操作系统。 ### 证据收集 -* [bulk_extractor](https://github.com/simsong/bulk_extractor) - bulk_extractor 是一个计算机取证工具,可以扫描磁盘映像、文件、文件目录,并在不解析文件系统或文件系统结构的情况下提取有用的信息,由于其忽略了文件系统结构,程序在速度和深入程度上都有了很大的提高 -* [Cold Disk Quick Response](https://github.com/rough007/CDQR) - 使用精简的解析器列表来快速分析取证镜像文件(dd, E01, .vmdk, etc)并输出报告 -* [ir-rescue](https://github.com/diogo-fernan/ir-rescue) - *ir-rescue* 是一个 Windows 批处理脚本与一个 Unix Bash 脚本,用于在事件响应期在主机全面收集证据 -* [Live Response Collection](https://www.brimorlabs.com/tools/) - BriMor 开发的 Live Response collection 是一个用于从各种操作系统中收集易失性数据的自动化工具 +* [bulk_extractor](https://github.com/simsong/bulk_extractor) - bulk_extractor 是一个计算机取证工具,可以扫描磁盘镜像、文件、文件目录,并在不解析文件系统或文件系统结构的情况下提取有用的信息,由于其忽略了文件系统结构,程序在速度和深入程度上都相比其它工具有了很大的提高。 +* [Cold Disk Quick Response](https://github.com/rough007/CDQR) - 使用精简的解析器列表来快速分析取证镜像文件(dd, E01, .vmdk, etc)并输出报告。 +* [ir-rescue](https://github.com/diogo-fernan/ir-rescue) - *ir-rescue* 是一个 Windows 批处理脚本与一个 Unix Bash 脚本,用于在事件响应期在主机全面收集证据。 +* [Live Response Collection](https://www.brimorlabs.com/tools/) - BriMor 开发的 Live Response collection 是一个用于从 Windows、OSX、*nix 等操作系统中收集易失性数据的自动化工具。 -### 应急管理 +### 事件管理 -* [FIR](https://github.com/certsocietegenerale/FIR/) - Fast Incident Response (FIR) 是一个网络安全应急管理平台,在设计时考虑了敏捷性与速度。其可以轻松创建、跟踪、报告网络安全应急事件并用于 CSIRT、CERT 与 SOC 等人员 -* [RTIR](https://www.bestpractical.com/rtir/) - Request Tracker for Incident Response (RTIR) 对于安全团队来说是首要的开源应急处理系统,其与世界各地的十多个 CERT 与 CSIRT 合作,帮助处理不断增加的事件报告,RTIR 包含 Request Tracker 的全部功能 -* [SCOT](http://getscot.sandia.gov/) - Sandia Cyber Omni Tracker (SCOT) 是一个应急响应协作与知识获取工具,为事件响应的过程在不给用户带来负担的情况下增加价值 -* [threat_note](https://github.com/defpoint/threat_note) - 一个轻量级的调查笔记,允许安全研究人员注册、检索他们需要的 IOC 数据 +* [Cyphon](https://www.cyphon.io/) - Cyphon 通过一个单一的平台来组织一系列相关联的工作消除了事件管理的开销。它对事件进行收集、处理、分类。 +* [Demisto](https://www.demisto.com/product/) - Demisto 免费的社区版提供全事件生命周期的管理,事件披露报告,团队任务分配与协作,以及众多增强自动化的系统集成(如 Active Directory, PagerDuty, Jira 等)。 +* [FIR](https://github.com/certsocietegenerale/FIR/) - Fast Incident Response (FIR) 是一个网络安全事件管理平台,在设计时考虑了敏捷性与速度。其可以轻松创建、跟踪、报告网络安全应急事件并用于 CSIRT、CERT 与 SOC 等人员。 +* [RTIR](https://www.bestpractical.com/rtir/) - Request Tracker for Incident Response (RTIR) 对于安全团队来说是首要的开源事件处理系统,其与世界各地的十多个 CERT 与 CSIRT 合作,帮助处理不断增加的事件报告,RTIR 包含 Request Tracker 的全部功能。 +* [SCOT](http://getscot.sandia.gov/) - Sandia Cyber Omni Tracker (SCOT) 是一个应急响应协作与知识获取工具,为事件响应的过程在不给用户带来负担的情况下增加价值。 +* [threat_note](https://github.com/defpoint/threat_note) - 一个轻量级的调查笔记,允许安全研究人员注册、检索他们需要的 IOC 数据。 ### Linux 发行版 -* [ADIA](https://forensics.cert.org/#ADIA) - Appliance for Digital Investigation and Analysis (ADIA) 是一个基于 VMware 的应用程序,用于进行数字取证.其完全由公开软件构建,包含的工具有 Autopsy\Sleuth Kit\Digital Forensics Framework\log2timeline\Xplico\Wireshark 大多数系统维护使用 Webmin.可在各种系统下进行使用 -* [CAINE](http://www.caine-live.net/index.html) - Computer Aided Investigative Environment (CAINE) 包含许多帮助调查人员进行分析的工具,包括取证工具 -* [DEFT](http://www.deftlinux.net/) - Digital Evidence & Forensics Toolkit (DEFT) 是一个用于计算机取证的 Linux 发行版,它与 Windows 上的 Digital Advanced Response Toolkit (DART) 捆绑在一起.DEFT 的轻量版被成为 DEFT Zero +* [ADIA](https://forensics.cert.org/#ADIA) - Appliance for Digital Investigation and Analysis (ADIA) 是一个基于 VMware 的应用程序,用于进行数字取证。其完全由公开软件构建,包含的工具有 Autopsy\Sleuth Kit\Digital Forensics Framework\log2timeline\Xplico\Wireshark。大多数系统维护使用 Webmin。它为中小规模的数字取证设计,可在 Linux、Windows 及 Mac OS 下使用。 +* [CAINE](http://www.caine-live.net/index.html) - Computer Aided Investigative Environment (CAINE) 包含许多帮助调查人员进行分析的工具,包括取证工具。 +* [CCF-VM](https://github.com/rough007/CCF-VM) - CyLR CDQR Forensics Virtual Machine (CCF-VM): 一款多合一的解决方案,能够解析收集的数据,将它转化得易于使用內建的常见搜索,也可并行搜索一个或多个主机。 +* [DEFT](http://www.deftlinux.net/) - Digital Evidence & Forensics Toolkit (DEFT) 是一个用于计算机取证的 Linux 发行版,它与 Windows 上的 Digital Advanced Response Toolkit (DART) 捆绑在一起。DEFT 的轻量版被成为 DEFT Zero,主要关注可用于法庭质证的取证环节。 * [NST - Network Security Toolkit](https://sourceforge.net/projects/nst/files/latest/download?source=files) - 包括大量的优秀开源网络安全应用程序的 Linux 发行版 -* [PALADIN](https://sumuri.com/software/paladin/) - PALADIN 是一个附带许多开源取证工具的改 Linux 发行版,用于在法庭上以正确的方式执行取证任务 -* [Security Onion](https://github.com/Security-Onion-Solutions/security-onion) - Security Onion 是一个特殊的 Linux 发行版,旨在利用高级的分析工具进行网络安全监控 -* [SIFT Workstation](http://digital-forensics.sans.org/community/downloads) - SANS Investigative Forensic Toolkit (SIFT) 使用优秀开源工具以实现高级事件响应与入侵深度数字取证,这些功能免费提供,并且经常更新 +* [PALADIN](https://sumuri.com/software/paladin/) - PALADIN 是一个附带许多开源取证工具的改 Linux 发行版,用于以可被法庭质证的方式执行取证任务 +* [Security Onion](https://github.com/Security-Onion-Solutions/security-onion) - Security Onion 是一个特殊的 Linux 发行版,旨在利用高级的分析工具进行网络安全监控 +* [SIFT Workstation](http://digital-forensics.sans.org/community/downloads) - SANS Investigative Forensic Toolkit (SIFT) 使用前沿的优秀开源工具以实现高级事件响应与入侵深度数字取证,这些功能免费提供并且经常更新。 ### Linux 证据收集 @@ -104,74 +111,90 @@ * [Evolve](https://github.com/JamesHabben/evolve) - Volatility 内存取证框架的 Web 界面 * [inVtero.net](https://github.com/ShaneK2/inVtero.net) - 支持 hypervisor 的 Windows x64 高级内存分析 * [KnTList](http://www.gmgsystemsinc.com/knttools/) - 计算机内存分析工具 -* [LiME](https://github.com/504ensicsLabs/LiME) - LiME 是 Loadable Kernel Module (LKM),可以从 Linux 以及基于 Linux 的设备采集易失性内存数据 -* [Memoryze](https://www.fireeye.com/services/freeware/memoryze.html) - 由 Mandiant 开发的 Memoryze 是一个免费的内存取证软件,可以帮助应急响应人员在内存中定位恶意部位, Memoryze 也可以分析内存镜像或者装成带有许多分析插件的系统 -* [Memoryze for Mac](https://www.fireeye.com/services/freeware/memoryze-for-the-mac.html) - Memoryze for Mac 是 Memoryze 但仅限于 Mac,且功能较少 +* [LiME](https://github.com/504ensicsLabs/LiME) - LiME 是 Loadable Kernel Module (LKM),可以从 Linux 以及基于 Linux 的设备采集易失性内存数据。 +* [Memoryze](https://www.fireeye.com/services/freeware/memoryze.html) - 由 Mandiant 开发的 Memoryze 是一个免费的内存取证软件,可以帮助应急响应人员在内存中定位恶意部位, Memoryze 也可以分析内存镜像或者在正在运行的系统上把页面文件加入它的分析。 +* [Memoryze for Mac](https://www.fireeye.com/services/freeware/memoryze-for-the-mac.html) - Memoryze for Mac 是 Memoryze 但仅限于 Mac,且功能较少。 * [Rekall](http://www.rekall-forensic.com/) - 用于从 RAM 中提取样本的开源工具 * [Responder PRO](http://www.countertack.com/responder-pro) - Responder PRO 是一个工业级的物理内存及自动化恶意软件分析解决方案 * [Volatility](https://github.com/volatilityfoundation/volatility) - 高级内存取证框架 -* [VolatilityBot](https://github.com/mkorman90/VolatilityBot) - VolatilityBot 是一个自动化工具,帮助研究员减少在二进制程序提取解析阶段的手动任务,或者帮助研究人员进行内存分析调查的第一步 -* [WindowsSCOPE](http://www.windowsscope.com/index.php?page=shop.product_details&flypage=flypage.tpl&product_id=35&category_id=3&option=com_virtuemart) - 一个用来分析易失性内存的取证与逆向工程工具,被用于对恶意软件进行逆向分析,提供了分析 Windows 内核\驱动程序\DLL\虚拟与物理内存的功能 +* [VolatilityBot](https://github.com/mkorman90/VolatilityBot) - VolatilityBot 是一个自动化工具,帮助研究员减少在二进制程序提取解析阶段的手动任务,或者帮助研究人员进行内存分析调查的第一步 +* [VolDiff](https://github.com/aim4r/VolDiff) - 基于 Volatility 的 恶意软件足迹分析 +* [WindowsSCOPE](http://www.windowsscope.com/index.php?page=shop.product_details&flypage=flypage.tpl&product_id=35&category_id=3&option=com_virtuemart) - 一个用来分析易失性内存的取证与逆向工程工具,被用于对恶意软件进行逆向分析,提供了分析 Windows 内核\驱动程序\DLL\虚拟与物理内存的功能。 ### 内存镜像工具 -* [Belkasoft Live RAM Capturer](http://belkasoft.com/ram-capturer) - 轻量级取证工具,即使有反调试\反转储的系统保护下也可以方便地提取全部易失性内存的内容 -* [Linux Memory Grabber](https://github.com/halpomeranz/lmg/) - 用于 dump Linux 内存并创建 Volatility 配置文件的脚本 -* [Magnet RAM Capture](https://www.magnetforensics.com/free-tool-magnet-ram-capture/) - Magnet RAM Capture 是一个免费的镜像工具,可以捕获可疑计算机中的物理内存,支持最新版的 Windows -* [OSForensics](http://www.osforensics.com/) - OSForensics 可以获取 32/64 位系统的实时内存,可以将每个独立进程的内存空间 dump 下来 +* [Belkasoft Live RAM Capturer](http://belkasoft.com/ram-capturer) - 轻量级取证工具,即使有反调试\反转储的系统保护下也可以方便地提取全部易失性内存的内容。 +* [Linux Memory Grabber](https://github.com/halpomeranz/lmg/) - 用于 dump Linux 内存并创建 Volatility 配置文件的脚本。 +* [Magnet RAM Capture](https://www.magnetforensics.com/free-tool-magnet-ram-capture/) - Magnet RAM Capture 是一个免费的镜像工具,可以捕获可疑计算机中的物理内存,支持最新版的 Windows。 +* [OSForensics](http://www.osforensics.com/) - OSForensics 可以获取 32/64 位系统的实时内存,可以将每个独立进程的内存空间 dump 下来。 ### OSX 证据收集 -* [Knockknock](https://github.com/synack/knockknock) - 显示那些在 OSX 上被设置为自动执行的那些脚本、命令、程序等 -* [OSX Auditor](https://github.com/jipegit/OSXAuditor) - OSX Auditor 是一个面向 Mac OS X 的免费计算机取证工具 -* [OSX Collector](https://github.com/yelp/osxcollector) - OSX Auditor 的实时响应版 +* [Knockknock](https://github.com/synack/knockknock) - 显示那些在 OSX 上被设置为自动执行的那些脚本、命令、程序等。 +* [mac_apt - macOS Artifact Parsing Tool](https://github.com/ydkhatri/mac_apt) - 基于插件的取证框架,可以对正在运行的系统、硬盘镜像或者单个文件。 +* [OSX Auditor](https://github.com/jipegit/OSXAuditor) - OSX Auditor 是一个面向 Mac OS X 的免费计算机取证工具。 +* [OSX Collector](https://github.com/yelp/osxcollector) - OSX Auditor 的实时响应版。 + +### 其它清单 + +* [List of various Security APIs](https://github.com/deralexxx/security-apis) - 一个包括了在安全领域使用的公开 JSON API 的汇总清单. ### 其他工具 * [Cortex](https://thehive-project.org) - Cortex 可以通过 Web 界面逐个或批量对 IP 地址\邮件地址\URL\域名\文件哈希的分析,还可以使用 REST API 来自动执行这些操作 * [Crits](https://crits.github.io/) - 一个将分析引擎与网络威胁数据库相结合且带有 Web 界面的工具 +* [domfind](https://github.com/diogo-fernan/domfind) - *domfind* 一个用 Python 编写的 DNS 爬虫,它可以找到在不同顶级域名下面的相同域名. +* [DumpsterFire](https://github.com/TryCatchHCF/DumpsterFire) - DumsterFire 工具集是一个模块化的、基于菜单的、跨平台的工具,它可以创建可重复的、可延时的、分布式的安全事件,可以很轻松地给攻防演练中的蓝方创建定制的事件链和传感器/告警的对应关系。红方可以创建诱骗的事件、分散注意力的事以及鱼饵来支撑、扩展他们的行动。 * [Fenrir](https://github.com/Neo23x0/Fenrir) - Fenrir 是一个简单的 IOC 扫描器,可以在纯 bash 中扫描任意 Linux/Unix/OSX 系统,由 THOR 与 LOKI 的开发者创作 * [Fileintel](https://github.com/keithjjones/fileintel) - 为每个文件哈希值提供情报 -* [Hindsight](https://github.com/obsidianforensics/hindsight) - Google Chrome/Chromium 的互联网 +* [HELK](https://github.com/Cyb3rWard0g/HELK) - 威胁捕捉 +* [Hindsight](https://github.com/obsidianforensics/hindsight) - 针对 Google Chrome/Chromium 中浏览历史的数字取证 * [Hostintel](https://github.com/keithjjones/hostintel) - 为每个主机提供情报 +* [imagemounter](https://github.com/ralphje/imagemounter) - 命令行工具及 Python 包,可以简单地 mount/unmount 数字取证的硬盘镜像 * [Kansa](https://github.com/davehull/Kansa/) - Kansa 是一个 PowerShell 的模块化应急响应框架 * [rastrea2r](https://github.com/aboutsecurity/rastrea2r) - 使用 YARA 在 Windows、Linux 与 OS X 上扫描硬盘或内存 -* [RaQet](https://raqet.github.io/) - RaQet 是一个非常规的远程采集与分类工具,允许对那些为取证构建的操作系统进行远端计算机的遴选 +* [RaQet](https://raqet.github.io/) - RaQet 是一个非常规的远程采集与分类工具,允许对那些为取证构建的操作系统进行远端计算机的遴选 * [Stalk](https://www.percona.com/doc/percona-toolkit/2.2/pt-stalk.html) - 收集关于 MySQL 的取证数据 * [SearchGiant](https://github.com/jadacyrus/searchgiant_cli) - 从云服务中获取取证数据的命令行程序 -* [Stenographer](https://github.com/google/stenographer) - Stenographer 是一个数据包捕获解决方案,旨在快速将全部数据包转储到磁盘中,然后提供对这些数据包的快速访问.它存储尽可能多的历史记录并且管理磁盘的使用情况,在磁盘受限被触发时执行既定策略,非常适合在事件发生前与发生中捕获流量,而不是显式存储所有流量 -* [traceroute-circl](https://github.com/CIRCL/traceroute-circl) - 由 Computer Emergency Responce Center Luxembourg 开发的 traceroute-circl 是一个增强型的 traceroute 来帮助 CSIRT\CERT 的工作人员,通常 CSIRT 团队必须根据收到的 IP 地址处理事件 +* [Stenographer](https://github.com/google/stenographer) - Stenographer 是一个数据包捕获解决方案,旨在快速将全部数据包转储到磁盘中,然后提供对这些数据包的快速访问。它存储尽可能多的历史记录并且管理磁盘的使用情况,在大小达到设定的上限时删除记录,非常适合在事件发生前与发生中捕获流量,而不是显式存储所有流量。 +* [sqhunter](https://github.com/0x4d31/sqhunter) - 一个基于 osquery 和 Salt Open (SaltStack) 的威胁捕捉工具,它无需 osquery 的 tls 插件就能发出临时的或者分布式的查询。 sqhunter 也可以查询开放的 sockets,并将它们与威胁情报进行比对。 +* [traceroute-circl](https://github.com/CIRCL/traceroute-circl) - 由 Computer Emergency Responce Center Luxembourg 开发的 traceroute-circl 是一个增强型的 traceroute 来帮助 CSIRT\CERT 的工作人员,通常 CSIRT 团队必须根据收到的 IP 地址处理事件 * [X-Ray 2.0](https://www.raymond.cc/blog/xray/) - 一个用来向反病毒厂商提供样本的 Windows 实用工具(几乎不再维护) ### Playbooks -* [Demisto Playbooks Collection](https://www.demisto.com/category/playbooks/) - Playbook 收集 -* [IR Workflow Gallery](https://www.incidentresponse.com/playbooks/) - 不同的通用事件响应工作流程,例如恶意软件爆发\数据窃取\未经授权的访问等,每个工作流程都有七个步骤:准备\检测\分析\遏制\根除\恢复\事后处理 -* [PagerDuty Incident Response Documentation](https://response.pagerduty.com/) - 描述 PagerDuty 应急响应过程的文档,不仅提供了关于事件准备的信息,还提供了在此前与之后要做什么工作,源在 [GitHub](https://github.com/PagerDuty/incident-response-docs) 上 +* [Demisto Playbooks Collection](https://www.demisto.com/category/playbooks/) - Playbook 集锦 +* [IRM](https://github.com/certsocietegenerale/IRM) - CERT Societe Generale 开发的事件响应方法论 +* [IR Workflow Gallery](https://www.incidentresponse.com/playbooks/) - 不同的通用事件响应工作流程,例如恶意软件爆发、数据窃取、未经授权的访问等,每个工作流程都有七个步骤:准备、检测、分析、遏制、根除、恢复、事后处理。 +* [PagerDuty Incident Response Documentation](https://response.pagerduty.com/) - 描述 PagerDuty 应急响应过程的文档,不仅提供了关于事件准备的信息,还提供了在此前与之后要做什么工作,源在 [GitHub](https://github.com/PagerDuty/incident-response-docs) 上。 ### 进程 Dump 工具 -* [Microsoft User Mode Process Dumper](http://www.microsoft.com/en-us/download/details.aspx?id=4060) - 用户模式下的进程 dump 工具,可以 dump 任意正在运行的 Win32 进程内存映像 +* [Microsoft User Mode Process Dumper](http://www.microsoft.com/en-us/download/details.aspx?id=4060) - 用户模式下的进程 dump 工具,可以 dump 任意正在运行的 Win32 进程内存映像 * [PMDump](http://www.ntsecurity.nu/toolbox/pmdump/) - PMDump 是一个可以在不停止进程的情况下将进程的内存内容 dump 到文件中的工具 ### 沙盒/逆向工具 -* [Cuckoo](https://github.com/cuckoobox) - 开源沙盒工具 +* [Cuckoo](https://github.com/cuckoobox) - 开源沙盒工具,高度可定制化 * [Cuckoo-modified](https://github.com/spender-sandbox/cuckoo-modified) - 社区基于 Cuckoo 的大修版 * [Cuckoo-modified-api](https://github.com/keithjjones/cuckoo-modified-api) - 一个用来控制 Cuckoo 沙盒设置的 Python 库 * [Hybrid-Analysis](https://www.hybrid-analysis.com/) - Hybrid-Analysis 是一个由 Payload Security 提供的免费在线沙盒 * [Malwr](https://malwr.com) - Malwr 是由 Cuckoo 沙盒提供支持的一个免费在线恶意软件分析服务 -* [Mastiff](https://github.com/KoreLogicSecurity/mastiff) - MASTIFF 是一个静态分析框架,可以自动化的从多种文件格式中提取关键特征 -* [Viper](https://github.com/viper-framework/viper) - Viper 是一个基于 Python 的二进制程序分析及管理框架,支持 Cuckoo 与 YARA -* [Virustotal](https://www.virustotal.com) - Virustotal, Google 的子公司,一个免费在线分析文件/URL的厂商,可以分析病毒\蠕虫\木马以及其他类型被反病毒引擎或网站扫描器识别的恶意内容 +* [Mastiff](https://github.com/KoreLogicSecurity/mastiff) - MASTIFF 是一个静态分析框架,可以自动化的从多种文件格式中提取关键特征。 +* [Metadefender Cloud](https://www.metadefender.com) - Metadefender 是一个免费的威胁情报平台,提供多点扫描、数据清理以及对文件的脆弱性分析 +* [Viper](https://github.com/viper-framework/viper) - Viper 是一个基于 Python 的二进制程序分析及管理框架,支持 Cuckoo 与 YARA +* [Virustotal](https://www.virustotal.com) - Virustotal, Google 的子公司,一个免费在线分析文件/URL的厂商,可以分析病毒\蠕虫\木马以及其他类型被反病毒引擎或网站扫描器识别的恶意内容 * [Visualize_Logs](https://github.com/keithjjones/visualize_logs) - Cuckoo、Procmon等日志的开源可视化库 + ### 时间线工具 -* [Highlighter](https://www.fireeye.com/services/freeware/highlighter.html) - Fire/Mandiant 开发的免费工具,用来分析日志/文本文件,可以对某些关键字或短语进行高亮显示,有助于时间线的整理 +* [Highlighter](https://www.fireeye.com/services/freeware/highlighter.html) - Fire/Mandiant 开发的免费工具,来分析日志/文本文件,可以对某些关键字或短语进行高亮显示,有助于时间线的整理 +* [Morgue](https://github.com/etsy/morgue) - 一个 Etsy 开发的 PHP Web 应用,可用于管理事后处理 * [Plaso](https://github.com/log2timeline/plaso) - 一个基于 Python 用于 log2timeline 的后端引擎 -* [Timesketch](https://github.com/google/timesketch) - 协作取证时间线分析的开源工具 +* [Timesketch](https://github.com/google/timesketch) - 用于协作取证时间线分析的开源工具 + ### 视频 @@ -182,14 +205,15 @@ * [AChoir](https://github.com/OMENScan/AChoir) - Achoir 是一个将对 Windows 的实时采集工具脚本化变得更标准与简单的框架 * [Binaryforay](http://binaryforay.blogspot.co.il/p/software.html) - 一个 Windows 取证的免费工具列表 (http://binaryforay.blogspot.co.il/) -* [Crowd Response](http://www.crowdstrike.com/community-tools/) - 由 CrowdStrike 开发的 Crowd Response 是一个轻量级 Windows 终端应用,旨在收集用于应急响应与安全操作的系统信息,其包含许多模块与输出格式 -* [FastIR Collector](https://github.com/SekoiaLab/Fastir_Collector) - FastIR Collector 在 Windows 系统中实时收集各种信息并将结果记录在 CSV 文件中,通过对这些信息的分析,我们可以发现早期的入侵痕迹 -* [FECT](https://github.com/jipegit/FECT) - Fast Evidence Collector Toolkit (FECT) 是一个轻量级的应急响应工具集,用于在可疑的 Windows 计算机上取证,它可以让非技术调查人员更专业的进行应急处理 -* [Fibratus](https://github.com/rabbitstack/fibratus) - 利用与跟踪 Windows 内核的工具 -* [IOC Finder](https://www.fireeye.com/services/freeware/ioc-finder.html) - IOC Finder 是由 Mandiant 开发的免费工具,用来收集主机数据并报告存在危险的 IOC -* [Fidelis ThreatScanner](https://www.fidelissecurity.com/resources/fidelis-threatscanner) - Fidelis ThreatScanner 是一个由 Fidelis Cybersecurity 开发的免费工具,使用 OpenIOC 和 YARA 来报告终端设备的安全状态,ThreatScanner 衡量系统的运行状态后会出具匹配情况的报告,仅限 Windows +* [Crowd Response](http://www.crowdstrike.com/community-tools/) - 由 CrowdStrike 开发的 Crowd Response 是一个轻量级 Windows 终端应用,旨在收集用于应急响应与安全操作的系统信息,其包含许多模块与输出格式。 +* [FastIR Collector](https://github.com/SekoiaLab/Fastir_Collector) - FastIR Collector 在 Windows 系统中实时收集各种信息并将结果记录在 CSV 文件中,通过对这些信息的分析,我们可以发现早期的入侵痕迹 +* [FECT](https://github.com/jipegit/FECT) - Fast Evidence Collector Toolkit (FECT) 是一个轻量级的应急响应工具集,用于在可疑的 Windows 计算机上取证,它可以让非技术调查人员更专业的进行应急处理。 +* [Fibratus](https://github.com/rabbitstack/fibratus) - 探索与跟踪 Windows 内核的工具。 +* [IOC Finder](https://www.fireeye.com/services/freeware/ioc-finder.html) - IOC Finder 是由 Mandiant 开发的免费工具,用来收集主机数据并报告存在危险的 IOC,仅支持 Windows。 +* [Fidelis ThreatScanner](https://www.fidelissecurity.com/resources/fidelis-threatscanner) - Fidelis ThreatScanner 是一个由 Fidelis Cybersecurity 开发的免费工具,使用 OpenIOC 和 YARA 来报告终端设备的安全状态,ThreatScanner 衡量系统的运行状态后会出具匹配情况的报告,仅限 Windows。 * [LOKI](https://github.com/Neo23x0/Loki) - Loki 是一个使用 YARA 与其他 IOC 对终端进行扫描的免费 IR 扫描器 +* [Panorama](https://github.com/AlmCo/Panorama) - Windows 系统运行时的快速事件概览 * [PowerForensics](https://github.com/Invoke-IR/PowerForensics) - PowerShell 开发的实时硬盘取证框架 -* [PSRecon](https://github.com/gfoss/PSRecon/) - PSRecon 使用 PowerShell 在远程 Windows 主机上提取/整理数据,并将数据发送到安全团队,数据可以通过邮件来传送数据或者在本地留存 -* [RegRipper](https://code.google.com/p/regripper/wiki/RegRipper) - Regripper 是用 Perl 编写的开源工具,可以从注册表中提取/解析数据(键\值\数据)提供分析 +* [PSRecon](https://github.com/gfoss/PSRecon/) - PSRecon 使用 PowerShell 在远程 Windows 主机上提取/整理数据,并将数据发送到安全团队,数据可以通过邮件来传送数据或者在本地留存 +* [RegRipper](https://code.google.com/p/regripper/wiki/RegRipper) - Regripper 是用 Perl 编写的开源工具,可以从注册表中提取/解析数据(键\值\数据)提供分析 * [TRIAGE-IR](https://code.google.com/p/triage-ir/) - Triage-IR 是一个 Windows 下的 IR 收集工具 \ No newline at end of file