Tools

619 results - showing 381 - 400

Tools

License Type
Free

DFIRtriage is an incident response tool designed to provide the Incident Responder with rapid host data. Upon execution, select host data and information will be gathered and placed into the execution directory. DFIRtriage may be run from a USB drive or executed remotely on the target host.

Tools

License Type
Free

EventTranscriptParser is a Python-based tool to extract forensically useful details from EventTranscript.db (Windows Diagnostic Database).

Tools

License Type
Free

Turbinia is composed of different components for the client, server and the workers. These components can be run in the Cloud, on local machines, or as a hybrid of both. The Turbinia client makes requests to process evidence to the Turbinia server. The Turbinia server creates logical jobs from these incoming user requests, which creates and schedules forensic processing tasks to be run by the workers. The evidence to be processed will be split up by the jobs when possible, and many tasks can be created in order to process the evidence in parallel. One or more workers run continuously to process tasks from the server. Any new evidence created or discovered by the tasks will be fed back into Turbinia for further processing.

Tools

License Type
Free

Wombat Forensics is a new Forensic Analysis tool built entirely in C and C++. The GUI is built using Qt5, so it may one day work on Windows, Linux and Macintosh systems. The current design is Linux specific, but if there ever is a need I can eventually implement various IFs to make it work on Windows and Mac. The application is designed to be user friendly, fast, and always maintain GUI responsiveness. Having used AD Lab, X-Ways, Encase and Autopsy, I found various things that would bother me or were slow and unresponsive. I decided that for a resource intensive application, using C/C++ was important.

Tools

License Type
Free

ArtifactExtractor is a script that extracts common Windows artifacts from source images and VSCs.

Artifacts in VSCs are compared (via hash) against a later VSC/image copy and are only extracted if they differ.

Tools

License Type
Free

A portable volatile memory acquisition tool for Linux.

AVML is an X86_64 userland volatile memory acquisition tool written in Rust, intended to be deployed as a static binary. AVML can be used to acquire memory without knowing the target OS distribution or kernel a priori. No on-target compilation or fingerprinting is needed.

Tools

License Type
Free

The artifactcollector project provides software that collects forensic artifacts on systems. These artifacts can be used in forensic investigations to understand attacker behavior on compromised computers.

The artifactcollector offers the following features:

  • 🖥️ Runs on 🖼️ Windows, 🐧 Linux and 🍏 macOS
  • 🛍️ Can extract files, directories, registry entries, command and WMI output
  • ⭐ Uses the configurable and extensible Forensics Artifacts
  • 💾 Creates a forensicstore as structured output
  • 🕊️ It's open source
  • 🆓 Free for everyone (including commercial use)

Tools

Developer
Nextron Systems
A RESTful web service that receives samples and returns a scan result. It is feature-rich and very fast.

Tools

License Type
Commercial - Paid
Developer
Nextron Systems

THOR Cloud provides on-demand live forensic scans right at your fingertips.

THOR Cloud doesn't require an on-premise system for licensing and scanner package downloads. All you need is a small script that we call THOR Seed. It acts as the nucleus of a comprehensive on-demand forensic investigation using our scanner THOR. Our customer portal provides a preconfigured version of THOR Seed that already includes your API key.

You just have to run it – it will license the end system and automatically download the required scan components for the respective operating system and architecture.

Tools

License Type
Commercial - Paid
Developer
Nextron Systems

THOR is the most sophisticated and flexible compromise assessment tool on the market.

Incident response engagements often begin with a group of compromised systems and an even bigger group of systems that are possibly affected. The manual analysis of many forensic images can be challenging.

THOR speeds up your forensic analysis with more than 12,000 handcrafted YARA signatures, 400 Sigma rules, numerous anomaly detection rules and thousands of IOCs.

THOR is the perfect tool to highlight suspicious elements, reduce the workload and speed up forensic analysis in moments in which getting quick results is crucial.

Tools

License Type
Free
Developer
Nextron Systems

Meet our new fast and flexible multi-platform IOC and YARA scanner THOR in a reduced free version named THOR Lite.

THOR Lite includes the file system and process scan modules as well as a module that extracts "autoruns" information on the different platforms.

While our enterprise scanner THOR uses VALHALLA's big YARA rule base, the free THOR Lite version ships with the Open Source signature base, which is also part of our free Python scanner LOKI.

  • Free scanner for Windows, Linux and macOS
  • Precompiled and encrypted open source signature set
  • Update utility to download tested versions with signature updates
  • Documentation
  • Option to add your custom IOCs and signatures
  • Different output formats: text log, SYSLOG (udp/tcp/tcp+tls), JSON to file, JSON via Syslog
  • Scan throttling to limit the CPU usage

Tools

License Type
Free

Scanner for Simple Indicators of Compromise

Detection is based on four detection methods:

1. File Name IOC
   Regex match on full file path/name

2. Yara Rule Check
   Yara signature match on file data and process memory

3. Hash Check
   Compares known malicious hashes (MD5, SHA1, SHA256) with scanned files
4. C2 Back Connect Check
   Compares process connection endpoints with C2 IOCs (new since version v.10)

Additional Checks:

1. Regin filesystem check (via --reginfs)
2. Process anomaly check (based on [Sysforensics](http://goo.gl/P99QZQ))
3. SWF decompressed scan (new since version v0.8)
4. SAM dump check

The Windows binary is compiled with PyInstaller and should run as x86 application on both x86 and x64 based systems.

Tools

License Type
Free

Simple Bash IOC Scanner

Fenrir is a simple IOC scanner bash script. It allows scanning Linux/Unix/OSX systems for the following Indicators of Compromise (IOCs):

  • Hashes

    MD5, SHA1 and SHA256 (using md5sum, sha1sum, sha -a 256)

  • File Names

    string - checked for substring of the full path, e.g. "temp/p.exe" in "/var/temp/p.exe"

  • Strings

    grep in files

  • C2 Server

    checking for C2 server strings in 'lsof -i' and 'lsof -i -n' output

  • Hot Time Frame

    using stat in different modes - define min and max epoch time stamp and get all files that have been created in between

Basic characteristics:

  • Bash Script
  • No installation or agent needed
  • Uses common tools to extract attributes (e.g. md5sum, grep, stat in different modes)
  • Intended to run on any Linux / Unix / OS X with Bash
  • Low footprint - Ansible playbook with RAM drive solution
  • Smart exclusions (file size, extension, certain directories) speed up the scan process


Why Fenrir?

FENRIR is the 3rd tool after THOR and LOKI. THOR is our full featured APT Scanner with many modules and export types for corporate customers. LOKI is a free and open IOC scanner that uses YARA as signature format.

The problem with both predecessors is that both have certain requirements on the Linux platform. We build THOR for a certain Linux version in order to match the correct libc that is required by the YARA module. LOKI requires Python and YARA installed on Linux to run.

We faced the problem of checking more than 100 different Linux systems for certain Indicators of Compromise (IOCs) without installing an agent or software packages. We already had an Ansible playbook for the distribution of THOR on a defined set of Linux remote systems. This playbook creates a RAM drive on the remote system, copies the local program binary to the remote system, runs it and retrieves the logs afterwards. This ensures that the program's footprint on the remote system is minimal. I adapted the Ansible playbook for Fenrir (it is still untested).

Fenrir is still in 'testing'. Please report back errors (and solutions) via the "Issues" section here on GitHub.

Tools

License Type
Free

UAC is a Live Response collection tool for Incident Response that makes use of built-in tools to automate the collection of artifacts from Unix-like systems. It was created to facilitate and speed up data collection, and to depend less on remote support during incident response engagements.

UAC reads artifact files on the fly and, based on their contents, collects relevant artifacts using one of the 5 available collectors. This makes UAC very customizable and extensible.

Tools

License Type
Free

osquery exposes an operating system as a high-performance relational database. This allows you to write SQL-based queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes.

Tools

License Type
Free

The Penguin OS Flight Recorder collects, stores and organizes for further analysis process execution, file access and network/socket endpoint data from the Linux Operating System and derivatives. Like an aircraft flight recorder (or black box), its main purpose is to reliably record OS level events that concern process execution, file access and network endpoint creation from each of the monitored Linux clients. IT experts (security analysts, system administrators, devops engineers and information security researchers) can then use the collected information to:

Tools

License Type
Free

GRR Rapid Response is an incident response framework focused on remote live forensics.

GRR is a Python client (agent) that is installed on target systems, and Python server infrastructure that can manage and talk to clients.

Tools

License Type
Free

Microsoft Windows

WinFE will allow forensic imaging of Windows 2000 to Windows 10, including server versions (x86/x64/ARM).

Apple MacOS

WinFE has been tested on the latest macOS operating systems (x86/x64).

Linux

Forensic images can be created of most Linux variants running on x86/x64/ARM.

Tools

License Type
Free

Tsurugi Linux is a DFIR open source project that is and will be totally free and independent, without involving any commercial brand.

Tools

License Type
Free

The SIFT Workstation is a collection of free and open-source incident response and forensic tools designed to perform detailed digital forensic examinations in a variety of settings. It can match any current incident response and forensic tool suite. SIFT demonstrates that advanced incident response capabilities and deep-dive digital forensic techniques can be accomplished using cutting-edge open-source tools that are freely available and frequently updated.
