A curated list of tools and resources for digital forensics and incident response (DFIR) teams.
A curated list of awesome free forensic analysis tools, resources, and learning materials for digital investigators.
A curated list of awesome free (mostly open source) forensic analysis tools and resources for digital investigations.
A community-driven open-source project that structures threat hunting workflows using MITRE ATT&CK, Jupyter notebooks, and AI-augmented planning.
A simple IOC and YARA scanner for detecting malware and security threats via file names, hashes, YARA rules, and C2 connections.
A fast, standalone tool for rapid threat hunting and forensic analysis of Windows event logs and other forensic artefacts.
An open-source tool for collaborative forensic timeline analysis, enabling teams to organize, annotate, and investigate timelines together.
A Sigma-based threat hunting and fast forensics timeline generator for Windows event logs, written in Rust.
A security tool that visualizes and analyzes Windows Active Directory event logs to investigate malicious logon activity.
A Linux distribution for threat hunting, enterprise security monitoring, and log management.
A modular repository of Sysmon configuration modules for customizable endpoint detection and logging.
A collection of 200 Windows EVTX event log samples mapped to MITRE ATT&CK techniques for detection testing and threat hunting.
A forensics intelligence platform that bridges CTI and DFIR by storing threat intelligence and enabling bulk observable searches and threat-focused analysis.
A repository of publicly available reports and blogs on APT (Advanced Persistent Threat) campaigns, activity, and software, organized by year.
A collection of ready-to-use KQL queries for threat hunting, detection, and analytics in Microsoft Defender for Endpoint and Azure Sentinel.
A browser forensics tool for analyzing web artifacts from Google Chrome and other Chromium-based browsers.
A community-sourced, machine-readable knowledge base of digital forensic artifacts for use in forensic tools and investigations.
A malware communication analyzer that visualizes network traffic and cross-references it with known malware sources.
A digital forensics and incident response framework for unified analysis of forensic artifacts across disk formats, filesystems, and operating systems.
A Python-based DFIR framework for extracting forensic artifacts from macOS and iOS disk images or live systems.
An extendable Python tool to extract and aggregate Indicators of Compromise (IOCs) from various threat intelligence feeds.
A digital forensics investigation platform for parsing, searching, and visualizing evidence and for enabling team collaboration.
A curated collection of Event ID resources for digital forensics and incident response professionals.
A system-focused web application for tracking systems, tasks, and artifacts during major digital forensics and incident response (DFIR) investigations.
A self-hosted incident response platform that automates alert handling and ticket management for security teams.
An open-source platform for collecting, processing, and analyzing forensic artifacts from macOS, Windows, and Linux systems.
A forensic artifact parsing tool that quickly analyzes disk images and extracted artifacts from Windows, Linux, macOS, and Android devices.
A customizable single-binary agent for collecting forensic artifacts from Windows, macOS, and Linux systems.
A lightweight incident response tool for rapid suspicious file discovery during threat hunting and forensic triage.
A command-line tool for parsing, searching, and analyzing Windows Registry hives with batch processing and forensic capabilities.
A unified console for digital forensics and incident response (DFIR) built on the Viper Framework.
A unified console for digital forensics and incident response built on the Viper Framework.
A PowerShell-based live response and forensic collection tool for targeted incident response on Windows systems.
A PowerShell tool for auditing and configuring Windows event log settings to improve security visibility and detection capabilities.