From 39374aa51a1ae74292491587f14512dae3219b9e Mon Sep 17 00:00:00 2001 From: Herman Slatman Date: Sun, 19 Jun 2016 10:46:00 +0200 Subject: [PATCH 1/8] Added nightHawk --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index fa84742..463e19f 100644 --- a/README.md +++ b/README.md 
@@ -38,6 +38,7 @@ A curated list of tools and resources for security incident response, aimed to h * [Limacharlie](https://github.com/refractionpoint/limacharlie) - an endpoint security platform. It is itself a collection of small projects all working together, and gives you a cross-platform (Windows, OSX, Linux, Android and iOS) low-level environment allowing you to manage and push additional modules into memory to extend its functionality * [MIG](http://mig.mozilla.org/) - Mozilla Investigator (MIG) is a platform to perform investigative surgery on remote endpoints. It enables investigators to obtain information from large numbers of systems in parallel, thus accelerating investigation of incidents and day-to-day operations security * [MozDef](https://github.com/mozilla/MozDef) - The Mozilla Defense Platform (MozDef) seeks to automate the security incident handling process and facilitate the real-time activities of incident handlers +* [nightHawk](https://github.com/biggiesmallsAG/nightHawkResponse) - the nightHawk Response Platform is an application built for asynchronus forensic data presentation using ElasticSearch as the backend. It's designed to ingest Redline collections. * [Open Computer Forensics Architecture](http://sourceforge.net/projects/ocfa/) - Open Computer Forensics Architecture (OCFA) is another popular distributed open-source computer forensics framework. This framework was built on Linux platform and uses postgreSQL database for storing data * [Osquery](https://osquery.io/) - with osquery you can easily ask questions about your Linux and OSX infrastructure. Whether your goal is intrusion detection, infrastructure reliability, or compliance, osquery gives you the ability to empower and inform a broad set of organizations within your company. 
Queries in the *incident-response pack* help you detect and respond to breaches * [Redline](https://www.fireeye.com/services/freeware/redline.html) - provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis, and the development of a threat assessment profile From b589680044eeae0cfe0b9e19583ff313a8c6f364 Mon Sep 17 00:00:00 2001 From: Herman Slatman Date: Mon, 20 Jun 2016 09:46:00 +0200 Subject: [PATCH 2/8] Added CimSweep --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 463e19f..a9e41b2 100644 --- a/README.md +++ b/README.md 
@@ -28,6 +28,7 @@ A curated list of tools and resources for security incident response, aimed to h ### All in one Tools * [Belkasoft Evidence Center](https://belkasoft.com/ec) - The toolkit will quickly extract digital evidence from multiple sources by analyzing hard drives, drive images, memory dumps, iOS, Blackberry and Android backups, UFED, JTAG and chip-off dumps +* [CimSweep](https://github.com/PowerShellMafia/CimSweep) - CimSweep is a suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows * [CIRTkit](https://github.com/byt3smith/CIRTKit) - CIRTKit is not just a collection of tools, but also a framework to aid in the ongoing unification of Incident Response and Forensics investigation processes * [Digital Forensics Framework](http://www.arxsys.fr/discover/) - DFF is an Open Source computer forensics platform built on top of a dedicated Application Programming Interface (API). DFF proposes an alternative to the aging digital forensics solutions used today. Designed for simple use and automation, the DFF interface guides the user through the main steps of a digital investigation so it can be used by both professional and non-expert to quickly and easily conduct a digital investigations and perform incident response * [Doorman](https://github.com/mwielgoszewski/doorman) - Doorman is an osquery fleet manager that allows remote management of osquery configurations retrieved by nodes. It takes advantage of osquery's TLS configuration, logger, and distributed read/write endpoints, to give administrators visibility across a fleet of devices with minimal overhead and intrusiveness From abb133510d7995a2b86f3ebbde092f97db62c1d3 Mon Sep 17 00:00:00 2001 From: Herman Slatman Date: Wed, 22 Jun 2016 08:56:00 +0200 Subject: [PATCH 3/8] Added RaQet --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index a9e41b2..9061631 100644 --- a/README.md 
+++ b/README.md @@ -122,6 +122,7 @@ A curated list of tools and resources for security incident response, aimed to h * [Hindsight](https://github.com/obsidianforensics/hindsight) - Internet history forensics for Google Chrome/Chromium * [Kansa](https://github.com/davehull/Kansa/) - Kansa is a modular incident response framework in Powershell * [rastrea2r](https://github.com/aboutsecurity/rastrea2r) - allows one to scan disks and memory for IOCs using YARA on Windows, Linux and OS X +* [RaQet](https://raqet.github.io/) - RaQet is an unconventional remote acquisition and triaging tool that allows triage a disk of a remote computer (client) that is restarted with a purposely built forensic operating system. * [Stalk](https://www.percona.com/doc/percona-toolkit/2.2/pt-stalk.html) - Collect forensic data about MySQL when problems occur * [SearchGiant](https://github.com/jadacyrus/searchgiant_cli) - a commandline utility to acquire forensic data from cloud services * [Stenographer](https://github.com/google/stenographer) - Stenographer is a packet capture solution which aims to quickly spool all packets to disk, then provide simple, fast access to subsets of those packets. It stores as much history as it possible, managing disk usage, and deleting when disk limits are hit. It's ideal for capturing the traffic just before and during an incident, without the need explicit need to store all of the network traffic From 3a4fff66179319fd550811697c583fc41b98f960 Mon Sep 17 00:00:00 2001 From: Herman Slatman Date: Tue, 21 Jun 2016 07:46:00 +0200 Subject: [PATCH 4/8] Added Falcon Orchestrator --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 9061631..7de1333 100644 --- a/README.md +++ b/README.md 
@@ -33,6 +33,7 @@ A curated list of tools and resources for security incident response, aimed to h * [Digital Forensics Framework](http://www.arxsys.fr/discover/) - DFF is an Open Source computer forensics platform built on top of a dedicated Application Programming Interface (API). DFF proposes an alternative to the aging digital forensics solutions used today. Designed for simple use and automation, the DFF interface guides the user through the main steps of a digital investigation so it can be used by both professional and non-expert to quickly and easily conduct a digital investigations and perform incident response * [Doorman](https://github.com/mwielgoszewski/doorman) - Doorman is an osquery fleet manager that allows remote management of osquery configurations retrieved by nodes. It takes advantage of osquery's TLS configuration, logger, and distributed read/write endpoints, to give administrators visibility across a fleet of devices with minimal overhead and intrusiveness * [Envdb](https://github.com/mephux/envdb) - Envdb turns your production, dev, cloud, etc environments into a database cluster you can search using osquery as the foundation. It wraps the osquery process with a (cluster) node agent that can communicate back to a central location +* [Falcon Orchestrator](https://github.com/CrowdStrike/falcon-orchestrator) - Falcon Orchestrator by CrowdStrike is an extendable Windows-based application that provides workflow automation, case management and security response functionality. * [FIDO](https://github.com/Netflix/Fido) - Fully Integrated Defense Operation (FIDO) by Netflix is an orchestration layer used to automate the incident response process by evaluating, assessing and responding to malware. 
FIDO’s primary purpose is to handle the heavy manual effort needed to evaluate threats coming from today's security stack and the large number of alerts generated by them * [GRR Rapid Response](https://github.com/google/grr) - GRR Rapid Response is an incident response framework focused on remote live forensics. It consists of a python agent (client) that is installed on target systems, and a python server infrastructure that can manage and talk to the agent * [Kolide](https://github.com/mephux/kolide) - Kolide is an agentless osquery web interface and remote api server. Kolide was designed to be extremely portable (a single binary) and performant while keeping the codebase simple. It replaces Envdb From 8567ec5e9703e768b20af3f890fce618e915c10b Mon Sep 17 00:00:00 2001 From: Herman Slatman Date: Thu, 23 Jun 2016 08:46:00 +0200 Subject: [PATCH 5/8] Added ACQUIRE --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 7de1333..1fc8df7 100644 --- a/README.md +++ b/README.md 
@@ -62,6 +62,7 @@ A curated list of tools and resources for security incident response, aimed to h * [AccessData FTK Imager](http://accessdata.com/product-download/?/support/adownloads#FTKImager) - AccessData FTK Imager is a forensics tool whose main purpose is to preview recoverable data from a disk of any kind. FTK Imager can also acquire live memory and paging file on 32bit and 64bit systems * [GetData Forensic Imager](http://www.forensicimager.com/) - GetData Forensic Imager is a Windows based program that will acquire, convert, or verify a forensic image in one of the following common forensic file formats * [Guymager](http://guymager.sourceforge.net) - Guymager is a free forensic imager for media acquisition on Linux +* [Magnet ACQUIRE](https://www.magnetforensics.com/magnet-acquire/) - ACQUIRE by Magnet Forensics allows various types of disk acquisitions to be performed on Windows, Linux, and OS X as well as mobile operating systems. ### Evidence Collection From 9e767898bd10832b72ebe3b02fdd61cdf1f362dd Mon Sep 17 00:00:00 2001 From: Herman Slatman Date: Fri, 24 Jun 2016 08:41:00 +0200 Subject: [PATCH 6/8] Added Magnet RAM Capture --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 1fc8df7..5ef1dfe 100644 --- a/README.md +++ b/README.md 
@@ -109,6 +109,7 @@ A curated list of tools and resources for security incident response, aimed to h ### Memory Imaging Tools * [Belkasoft Live RAM Capturer](http://belkasoft.com/ram-capturer) - A tiny free forensic tool to reliably extract the entire content of the computer’s volatile memory – even if protected by an active anti-debugging or anti-dumping system +* [Magnet RAM Capture](https://www.magnetforensics.com/free-tool-magnet-ram-capture/) - Magnet RAM Capture is a free imaging tool designed to capture the physical memory of a suspect’s computer. Supports recent versions of Windows * [OSForensics](http://www.osforensics.com/) - OSForensics can acquire live memory on 32bit and 64bit systems. A dump of an individual process’s memory space or physical memory dump can be done ### OSX Evidence Collection From f249e0dbf472acef70003ec760734845d4fa14b9 Mon Sep 17 00:00:00 2001 From: Herman Slatman Date: Fri, 24 Jun 2016 08:41:00 +0200 Subject: [PATCH 7/8] PALADIN added --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 5ef1dfe..af9b6de 100644 --- a/README.md +++ b/README.md 
@@ -83,6 +83,7 @@ A curated list of tools and resources for security incident response, aimed to h * [CAINE](http://www.caine-live.net/index.html) - The Computer Aided Investigative Environment (CAINE) contains numerous tools that help investigators during their analysis, including forensic evidence collection * [DEFT](http://www.deftlinux.net/) - The Digital Evidence & Forensics Toolkit (DEFT) is a Linux distribution made for computer forensic evidence collection. It comes bundled with the Digital Advanced Response Toolkit (DART) for Windows. A light version of DEFT, called DEFT Zero, is also available, which is focused primarily on forensically sound evidence collection * [NST - Network Security Toolkit](https://sourceforge.net/projects/nst/files/latest/download?source=files) - Linux distribution that includes a vast collection of best-of-breed open source network security applications useful to the network security professional +* [PALADIN](https://sumuri.com/software/paladin/) - PALADIN is a modified Linux distribution to perform various forenics task in a forensically sound manner. It comes with many open source forensics tools included * [Security Onion](https://github.com/Security-Onion-Solutions/security-onion) - Security Onion is a special Linux distro aimed at network security monitoring featuring advanced analysis tools * [SIFT Workstation](http://digital-forensics.sans.org/community/downloads) - The SANS Investigative Forensic Toolkit (SIFT) Workstation demonstrates that advanced incident response capabilities and deep dive digital forensic techniques to intrusions can be accomplished using cutting-edge open-source tools that are freely available and frequently updated From a5ebd3e29119e943672c1c84509f1333314a48bd Mon Sep 17 00:00:00 2001 From: Herman Slatman Date: Fri, 24 Jun 2016 08:42:00 +0200 Subject: [PATCH 8/8] Remove period --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/README.md b/README.md index af9b6de..6df8796 100644 --- a/README.md +++ b/README.md @@ -126,7 +126,7 @@ A curated list of tools and resources for security incident response, aimed to h * [Hindsight](https://github.com/obsidianforensics/hindsight) - Internet history forensics for Google Chrome/Chromium * [Kansa](https://github.com/davehull/Kansa/) - Kansa is a modular incident response framework in Powershell * [rastrea2r](https://github.com/aboutsecurity/rastrea2r) - allows one to scan disks and memory for IOCs using YARA on Windows, Linux and OS X -* [RaQet](https://raqet.github.io/) - RaQet is an unconventional remote acquisition and triaging tool that allows triage a disk of a remote computer (client) that is restarted with a purposely built forensic operating system. +* [RaQet](https://raqet.github.io/) - RaQet is an unconventional remote acquisition and triaging tool that allows triage a disk of a remote computer (client) that is restarted with a purposely built forensic operating system * [Stalk](https://www.percona.com/doc/percona-toolkit/2.2/pt-stalk.html) - Collect forensic data about MySQL when problems occur * [SearchGiant](https://github.com/jadacyrus/searchgiant_cli) - a commandline utility to acquire forensic data from cloud services * [Stenographer](https://github.com/google/stenographer) - Stenographer is a packet capture solution which aims to quickly spool all packets to disk, then provide simple, fast access to subsets of those packets. It stores as much history as it possible, managing disk usage, and deleting when disk limits are hit. It's ideal for capturing the traffic just before and during an incident, without the need explicit need to store all of the network traffic
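Review bot: Typo in the PATCH 1/8 nightHawk entry: "asynchronus" should be "asynchronous". The entry also ends with a period ("... ingest Redline collections.") while the neighbouring MIG, MozDef and OCFA entries end without one; drop it to match the list's convention, as PATCH 8/8 later does for RaQet.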
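Review bot: Style point in the PATCH 2/8 CimSweep entry: "tools that enable the ability to perform incident response and hunting operations remotely" is redundant; "tools for performing incident response and hunting operations remotely" says the same thing more directly. Placement before CIRTkit is correct for a case-insensitive sort.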
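Review bot: Grammar in the PATCH 3/8 RaQet entry: "allows triage a disk" should read "allows one to triage a disk", matching the phrasing of the rastrea2r entry directly above it. The line is also inserted after rastrea2r, but in a case-insensitive sort "raq" comes before "ras", so it belongs above that entry. The trailing period is only removed in PATCH 8/8; since the series is unmerged, fold that fix into this commit.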
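Review bot: Trailing period in the PATCH 4/8 Falcon Orchestrator entry ("... security response functionality.") is inconsistent with the Doorman and Envdb entries just above, which end without one; drop it.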
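Review bot: Same trailing-period inconsistency in the PATCH 5/8 Magnet ACQUIRE entry ("... mobile operating systems."); the FTK Imager, GetData and Guymager entries above it end without one. Drop it so the list stays uniform.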
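Review bot: "Supports recent versions of Windows" in the PATCH 6/8 Magnet RAM Capture entry is a sentence fragment and vague; either write "It supports recent versions of Windows" or, if the vendor page lists them, name the supported versions so readers can tell whether it fits their fleet.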
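Review bot: Typo in the PATCH 7/8 PALADIN entry: "various forenics task" should read "various forensics tasks".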
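Review bot: PATCH 8/8 only removes the period that PATCH 3/8 introduced; squash it into that commit rather than carrying a fix-up for the series' own earlier patch. The "allows triage a disk" wording on the same line survives this change and should be corrected in the same commit.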