Awesome Forensics

A curated list of awesome free (mostly open source) forensic analysis tools and resources.

• Awesome Forensics
• Collections
• Tools
  • Distributions
  • Frameworks
  • Live forensics
  • Imageing
  • Carving
  • Memory Forensics
  • Network Forensics
  • Windows Artifacts
  • OS X Forensics
  • Internet Artifacts
  • Hex Editors
  • Binary Converter
  • File Grammars
  • Disk image handling
  • Decryption
• Learn Forensics
  • CTFs
• Resources
  • File System Corpora
  • Twitter
  • Blogs
  • Other
• Related Awesome Lists
• Contributing

Collections

• DFIR – The definitive compendium project - Collection of forensic resources for learning and research. Offers lists of certifications, books, blogs, challenges and more
• dfir.training - Database of forensic resources focused on events, tools and more
• ForensicArtifacts.com Artifact Repository - A machine-readable knowledge base of forensic artifacts

Tools

• Forensics tools on Wikipedia
• Free computer forensic tools - Comprehensive list of free computer forensic tools

Distributions

• deft - Linux distribution for forensic analysis

Frameworks

• dff - Forensic framework
• PowerForensics - PowerForensics is a framework for live disk forensic analysis
• The Sleuth Kit - Tools for low level forensic analysis

Live forensics

• grr - GRR Rapid Response: remote live forensics for incident response
• mig - Distributed & real time digital forensics at the speed of the cloud

Imageing

• dc3dd - Improved version of dd
• dcfldd - Different improved version of dd (this version has some bugs!, another version is on github adulau/dcfldd)
• FTK Imager - Free imageing tool for windows
• Guymager - Open source version for disk imageing on linux systems

Carving

more at Malware Analysis List

• bstrings - Improved strings utility
• bulk_extractor - Extracts informations like email adresses, creditscard numbers and histrograms of disk images
• floss - Static analysis tool to automatically deobfuscate strings from malware binaries
• photorec - File carving tool

Memory Forensics

more at Malware Analysis List

• KeeFarce - Extract KeePass passwords from memory
• volatility - The memory forensic framework
• VolUtility - Web App for Volatility framework

Network Forensics

more at Malware Analysis List, Forensicswiki's Tool List, awesome-pcaptools and Wireshark Tool and Script List

• SiLK Tools - SiLK is a suite of network traffic collection and analysis tools
• Wireshark - The network traffic analysis tool

Windows Artifacts

more at Malware Analysis List

• FastIR Collector - Collect artifacts on windows
• FRED - A cross-platform microsoft registry hive editor
• MFT-Parsers - Comparison of MFT-Parsers
• MFTExtractor - MFT-Parser
• NTFS journal parser
• NTFS USN Journal parser
• RecuperaBit - Reconstruct and recover NTFS data
• python-ntfs - NTFS analysis

OS X Forensics

• OSXAuditor

Internet Artifacts

• hindsight - Internet history forensics for Google Chrome/Chromium

Hex Editors

• 0xED - Native hex editor for OS X
• Hexinator - Windows Version of Synalyze It!
• HxD - Small, fast hex editor for Windows
• iBored - Cross platform, sektor based hex editor
• Synalyze It! - Hex editor with templates for binary analysis
• wxHex Editor - Cross platform editor with file comparison

Binary Converter

• CyberChef - The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis
• DateDecode - Convert binary data into differnt kinds of date formats

File Grammars

• 010 Editor Templates - Templates for the 010 Editor
• Contruct formats - Parser for different file formats for the python construct package
• HFSPlus Grammars - HFS+ grammars for Synalysis
• Sleuth Kit file system grammars - Grammars for different file systems
• Synalyse It! Grammars - File type grammars for the Synalyze It! editor
• TestDisk grammars - Grammars used by TestDisk and PhotoRec
• WinHex Templates - Grammars for the WinHex editor and X-Ways

Disk image handling

• aff4 - AFF4 is an alternative, fast file format
• libewf - Libewf is a library and some tools to access the Expert Witness Compression Format (EWF, E01)
• xmount - Convert between different disk image formats

Decryption

• hashcat - Fast password cracker with GPU support
• John the Ripper - Password cracker

Learn forensics

• Forensic challanges - Mindmap of forensic challanges
• Training material - Online training material by European Union Agency for Network and Information Security for different topics (e.g. Digital forensics, Network forensics)

CTFs

• Forensics CTFs

Resources

File System Corpora

• Digital Forensic Challenge Images - Two DFIR challanges with images
• Digital Forensics Tool Testing Images
• FAU Open Research Challenge Digital Forensics
• The CFReDS Project
  • Hacking Case (4.5 GB NTFS Image)

Twitter

• @4n6ist
• @4n6k
• @aheadless
• @AppleExaminer - Apple OS X & iOS Digital Forensics
• @blackbagtech
• @carrier4n6 - Brian Carrier, author of Autopsy and the Sleuth Kit
• @CindyMurph - Detective & Digital Forensic Examiner
• @forensikblog - Computer forensic geek
• @HECFBlog - SANS Certified Instructor
• @Hexacorn - DFIR+Malware
• @hiddenillusion
• @iamevltwin - Mac Nerd, Forensic Analyst, Author & Instructor of SANS FOR518
• @jaredcatkinson - PowerShell Forensics
• @maridegrazia - Computer Forensics Examiner
• @sleuthkit
• @williballenthin
• @XWaysGuide

Blogs

• thisweekin4n6.wordpress.com - Weekly updates for forensics

Other

• /r/computerforensics/ - Subreddit for computer forensics
• ForensicPosters - Posters of file system structures

Related Awesome Lists

• Android Security
• AppSec
• CTFs
• Hacking
• Honeypots
• Incident-Response
• Infosec
• Malware Analysis
• Pentesting
• Security

Contributing

Pull requests and issues with suggestions are welcome!