awesome-incident-response/README.md
John Troony ada6c7fa7e Add DumpIt and Redline
DumpIt is a Windows memory imaging tool. It makes use of win32dd and win64dd. Redline on the other hand, is a all in one tool that can assist in development of a threat assessment profile.
2015-11-25 12:57:21 +00:00

9.7 KiB
Raw Blame History

awesome-incident-response

A curated list of tools and resources for security incident response, aimed to help security analysts and DFIR teams.

Awesome

IR tools Collection

Disk Image Creation Tools

  • GetData Forensic Imager - GetData Forensic Imager is a Windows based program that will acquire, convert, or verify a forensic image in one of the following common forensic file formats
  • Guymager - Guymager is a free forensic imager for media acquisition on Linux
  • AccessData FTK Imager - AccessData FTK Imager is a forensics tool whose main purpose is to preview recoverable data from a disk of any kind. FTK Imager can also acquire live memory and paging file on 32bit and 64bit systems

Memory Analysis Tools

  • Volatility - An advanced memory forensics framework
  • Evolve - Web interface for the Volatility Memory Forensics Framework
  • WindowsSCOPE - another memory forensics and reverse engineering tool used for analyzing volatile memory. It is basically used for reverse engineering of malwares. It provides the capability of analyzing the Windows kernel, drivers, DLLs, virtual and physical memory
  • Responder PRO - Responder PRO is the industry standard physical memory and automated malware analysis solution
  • KnTList - Computer memory analysis tools
  • Rekall - Open source tool (and library) for the extraction of digital artifacts from volatile memory (RAM) samples

Memory Imaging Tools

  • OSForensics - OSForensics can acquire live memory on 32bit and 64bit systems. A dump of an individual processs memory space or physical memory dump can be done
  • Belkasoft Live RAM Capturer - A tiny free forensic tool to reliably extract the entire content of the computers volatile memory even if protected by an active anti-debugging or anti-dumping system
  • DumpIt - MoonSols DumpIt is a fusion of win32dd and win64dd in one executable, it can generate a copy of the physical memory in the current working directory.

Process Dump Tools

  • PMDump - PMDump is a tool that lets you dump the memory contents of a process to a file without stopping the process
  • Microsoft User Mode Process Dumper - The User Mode Process Dumper (userdump) dumps any running Win32 processes memory image on the fly

Timeline tools

  • Plaso - a Python-based backend engine for the tool log2timeline
  • Timesketch -open source tool for collaborative forensic timeline analysis

All in one Tools

  • X-Ways Forensics - X-Ways is a forensics tool for Disk cloning and imaging. It can be used to find deleted files and disk analysis
  • The Sleuth Kit & Autopsy - The Sleuth Kit is a Unix and Windows based tool which helps in forensic analysis of computers. It comes with various tools which helps in digital forensics. These tools help in analyzing disk images, performing in-depth analysis of file systems, and various other things
  • Open Computer Forensics Architecture - Open Computer Forensics Architecture (OCFA) is another popular distributed open-source computer forensics framework. This framework was built on Linux platform and uses postgreSQL database for storing data
  • Digital Forensics Framework - DFF is an Open Source computer forensics platform built on top of a dedicated Application Programming Interface (API). DFF proposes an alternative to the aging digital forensics solutions used today. Designed for simple use and automation, the DFF interface guides the user through the main steps of a digital investigation so it can be used by both professional and non-expert to quickly and easily conduct a digital investigations and perform incident response
  • Osquery - with osquery you can easily ask questions about your Linux and OSX infrastructure. Whether your goal is intrusion detection, infrastructure reliability, or compliance, osquery gives you the ability to empower and inform a broad set of organizations within your company. Queries in the incident-response pack help you detect and respond to breaches.
  • MozDef - The Mozilla Defense Platform (MozDef) seeks to automate the security incident handling process and facilitate the real-time activities of incident handlers.
  • GRR Rapid Response - GRR Rapid Response is an incident response framework focused on remote live forensics. It consists of a python agent (client) that is installed on target systems, and a python server infrastructure that can manage and talk to the agent.
  • MIG - Mozilla Investigator (MIG) is a platform to perform investigative surgery on remote endpoints. It enables investigators to obtain information from large numbers of systems in parallel, thus accelerating investigation of incidents and day-to-day operations security.
  • FIDO - Fully Integrated Defense Operation (FIDO) by Netflix is an orchestration layer used to automate the incident response process by evaluating, assessing and responding to malware. FIDOs primary purpose is to handle the heavy manual effort needed to evaluate threats coming from today's security stack and the large number of alerts generated by them.
  • Redline - provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis, and the development of a threat assessment profile.

Incident Management

  • FIR - Fast Incident Response (FIR) is an cybersecurity incident management platform designed with agility and speed in mind. It allows for easy creation, tracking, and reporting of cybersecurity incidents and is useful for CSIRTs, CERTs and SOCs alike.
  • SCOT - Sandia Cyber Omni Tracker (SCOT) is an Incident Response collaboration and knowledge capture tool focused on flexibility and ease of use. Our goal is to add value to the incident response process without burdening the user.
  • RTIR - Request Tracker for Incident Response (RTIR) is the premier open source incident handling system targeted for computer security teams. We worked with over a dozen CERT and CSIRT teams around the world to help you handle the ever-increasing volume of incident reports. RTIR builds on all the features of Request Tracker.

Windows Evidence Collection

  • FECT - Fast Evidence Collector Toolkit (FECT) is a light incident response toolkit to collect evidences on a suspicious Windows computer. Basically it is intended to be used by non-tech savvy people working with a journeyman Incident Handler.
  • PSRecon - PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally.
  • FastIR Collector - FastIR Collector is a tool that collects different artefacts on live Windows systems and records the results in csv files. With the analyses of these artefacts, an early compromise can be detected.
  • DumpIt - DumpIt is used to generate a physical memory dump of Windows machines. It works with both x86 (32-bits) and x64 (64-bits) machines.
  • AChoir - Achoir is a framework/scripting tool to standardize and simplify the process of scripting live acquisition utilities for Windows.

Other Tools

  • Hindsight - Internet history forensics for Google Chrome/Chromium
  • Kansa - Kansa is a modular incident response framework in Powershell.
  • Stalk - Collect forensic data about MySQL when problems occur.

Videos