awesome-awesomeness/html/incidentresponse.html

<h1 id="awesome-incident-response-awesome-check-urls">Awesome Incident
Response <a href="https://github.com/sindresorhus/awesome"><img
src="https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg"
alt="Awesome" /></a> <a
href="https://github.com/meirwah/awesome-incident-response/actions/workflows/check_urls.yml"><img
src="https://github.com/meirwah/awesome-incident-response/actions/workflows/check_urls.yml/badge.svg"
alt="Check URLs" /></a></h1>
<blockquote>
<p>A curated list of tools and resources for security incident response,
aimed to help security analysts and <a
href="http://www.acronymfinder.com/Digital-Forensics%2c-Incident-Response-%28DFIR%29.html">DFIR</a>
teams.</p>
</blockquote>
<p>Digital Forensics and Incident Response (DFIR) teams are groups of
people in an organization responsible for managing the response to a
security incident, including gathering evidence of the incident,
remediating its effects, and implementing controls to prevent the
incident from recurring in the future.</p>
<h2 id="contents">Contents</h2>
<ul>
<li><a href="#adversary-emulation">Adversary Emulation</a></li>
<li><a href="#all-in-one-tools">All-In-One Tools</a></li>
<li><a href="#books">Books</a></li>
<li><a href="#communities">Communities</a></li>
<li><a href="#disk-image-creation-tools">Disk Image Creation
Tools</a></li>
<li><a href="#evidence-collection">Evidence Collection</a></li>
<li><a href="#incident-management">Incident Management</a></li>
<li><a href="#knowledge-bases">Knowledge Bases</a></li>
<li><a href="#linux-distributions">Linux Distributions</a></li>
<li><a href="#linux-evidence-collection">Linux Evidence
Collection</a></li>
<li><a href="#log-analysis-tools">Log Analysis Tools</a></li>
<li><a href="#memory-analysis-tools">Memory Analysis Tools</a></li>
<li><a href="#memory-imaging-tools">Memory Imaging Tools</a></li>
<li><a href="#osx-evidence-collection">OSX Evidence Collection</a></li>
<li><a href="#other-lists">Other Lists</a></li>
<li><a href="#other-tools">Other Tools</a></li>
<li><a href="#playbooks">Playbooks</a></li>
<li><a href="#process-dump-tools">Process Dump Tools</a></li>
<li><a href="#sandboxingreversing-tools">Sandboxing/Reversing
Tools</a></li>
<li><a href="#scanner-tools">Scanner Tools</a></li>
<li><a href="#timeline-tools">Timeline Tools</a></li>
<li><a href="#videos">Videos</a></li>
<li><a href="#windows-evidence-collection">Windows Evidence
Collection</a></li>
</ul>
<h2 id="ir-tools-collection">IR Tools Collection</h2>
<h3 id="adversary-emulation">Adversary Emulation</h3>
<ul>
<li><a
href="https://github.com/NextronSystems/APTSimulator">APTSimulator</a> -
Windows Batch script that uses a set of tools and output files to make a
system look as if it was compromised.</li>
<li><a href="https://github.com/redcanaryco/atomic-red-team">Atomic Red
Team (ART)</a> - Small and highly portable detection tests mapped to the
MITRE ATT&amp;CK Framework.</li>
<li><a href="https://github.com/jymcheong/AutoTTP">AutoTTP</a> -
Automated Tactics Techniques &amp; Procedures. Re-running complex
sequences manually for regression tests, product evaluations, generate
data for researchers.</li>
<li><a href="https://github.com/mitre/caldera">Caldera</a> - Automated
adversary emulation system that performs post-compromise adversarial
behavior within Windows Enterprise networks. It generates plans during
operation using a planning system and a pre-configured adversary model
based on the Adversarial Tactics, Techniques &amp; Common Knowledge
(ATT&amp;CK™) project.</li>
<li><a
href="https://github.com/TryCatchHCF/DumpsterFire">DumpsterFire</a> -
Modular, menu-driven, cross-platform tool for building repeatable,
time-delayed, distributed security events. Easily create custom event
chains for Blue Team drills and sensor / alert mapping. Red Teams can
create decoy incidents, distractions, and lures to support and scale
their operations.</li>
<li><a href="https://github.com/uber-common/metta">Metta</a> -
Information security preparedness tool to do adversarial
simulation.</li>
<li><a href="https://github.com/alphasoc/flightsim">Network Flight
Simulator</a> - Lightweight utility used to generate malicious network
traffic and help security teams to evaluate security controls and
network visibility.</li>
<li><a href="https://github.com/endgameinc/RTA">Red Team Automation
(RTA)</a> - RTA provides a framework of scripts designed to allow blue
teams to test their detection capabilities against malicious tradecraft,
modeled after MITRE ATT&amp;CK.</li>
<li><a href="https://github.com/redhuntlabs/RedHunt-OS">RedHunt-OS</a> -
Virtual machine for adversary emulation and threat hunting.</li>
</ul>
<h3 id="all-in-one-tools">All-In-One Tools</h3>
<ul>
<li><a href="https://belkasoft.com/ec">Belkasoft Evidence Center</a> -
The toolkit will quickly extract digital evidence from multiple sources
by analyzing hard drives, drive images, memory dumps, iOS, Blackberry
and Android backups, UFED, JTAG and chip-off dumps.</li>
<li><a href="https://github.com/PowerShellMafia/CimSweep">CimSweep</a> -
Suite of CIM/WMI-based tools that enable the ability to perform incident
response and hunting operations remotely across all versions of
Windows.</li>
<li><a href="https://github.com/byt3smith/CIRTKit">CIRTkit</a> - CIRTKit
is not just a collection of tools, but also a framework to aid in the
ongoing unification of Incident Response and Forensics investigation
processes.</li>
<li><a href="http://www.cybertriage.com">Cyber Triage</a> - Cyber Triage
collects and analyzes host data to determine if it is compromised. It’s
scoring system and recommendation engine allow you to quickly focus on
the important artifacts. It can import data from its collection tool,
disk images, and other collectors (such as KAPE). It can run on an
examiner’s desktop or in a server model. Developed by Sleuth Kit Labs,
which also makes Autopsy.</li>
<li><a href="https://github.com/fox-it/dissect">Dissect</a> -
Dissect is a digital forensics &amp; incident response framework and toolset that allows you to quickly access and analyse forensic artefacts from various disk
and file formats, developed by Fox-IT (part of NCC Group).</li>
<li><a href="https://github.com/mwielgoszewski/doorman">Doorman</a> -
osquery fleet manager that allows remote management of osquery
configurations retrieved by nodes. It takes advantage of osquery’s TLS
configuration, logger, and distributed read/write endpoints, to give
administrators visibility across a fleet of devices with minimal
overhead and intrusiveness.</li>
<li><a href="https://github.com/CrowdStrike/falcon-orchestrator">Falcon
Orchestrator</a> - Extendable Windows-based application that provides
workflow automation, case management and security response
functionality.</li>
<li><a href="https://github.com/fireeye/flare-vm">Flare</a> - A fully
customizable, Windows-based security distribution for malware analysis,
incident response, penetration testing.</li>
<li><a href="https://github.com/fleetdm/fleet">Fleetdm</a> - State of
the art host monitoring platform tailored for security experts.
Leveraging Facebook’s battle-tested osquery project, Fleetdm delivers
continuous updates, features and fast answers to big questions.</li>
<li><a href="https://github.com/google/grr">GRR Rapid Response</a> -
Incident response framework focused on remote live forensics. It
consists of a python agent (client) that is installed on target systems,
and a python server infrastructure that can manage and talk to the
agent. Besides the included Python API client, <a
href="https://github.com/swisscom/PowerGRR">PowerGRR</a> provides an API
client library in PowerShell working on Windows, Linux and macOS for GRR
automation and scripting.</li>
<li><a href="https://github.com/dfir-iris/iris-web">IRIS</a> - IRIS is a
web collaborative platform for incident response analysts allowing to
share investigations at a technical level.</li>
<li><a href="https://github.com/DFIRKuiper/Kuiper">Kuiper</a> - Digital
Forensics Investigation Platform</li>
<li><a href="https://www.limacharlie.io/">Limacharlie</a> - Endpoint
security platform composed of a collection of small projects all working
together that gives you a cross-platform (Windows, OSX, Linux, Android
and iOS) low-level environment for managing and pushing additional
modules into memory to extend its functionality.</li>
<li><a href="https://github.com/matanolabs/matano">Matano</a>: Open
source serverless security lake platform on AWS that lets you ingest,
store, and analyze petabytes of security data into an Apache Iceberg
data lake and run realtime Python detections as code.</li>
<li><a href="https://github.com/mozilla/MozDef">MozDef</a> - Automates
the security incident handling process and facilitate the real-time
activities of incident handlers.</li>
<li><a
href="https://github.com/MutableSecurity/mutablesecurity">MutableSecurity</a>
- CLI program for automating the setup, configuration, and use of
cybersecurity solutions.</li>
<li><a
href="https://github.com/biggiesmallsAG/nightHawkResponse">nightHawk</a>
- Application built for asynchronous forensic data presentation using
ElasticSearch as the backend. It’s designed to ingest Redline
collections.</li>
<li><a href="http://sourceforge.net/projects/ocfa/">Open Computer
Forensics Architecture</a> - Another popular distributed open-source
computer forensics framework. This framework was built on Linux platform
and uses postgreSQL database for storing data.</li>
<li><a href="https://osquery.io/">osquery</a> - Easily ask questions
about your Linux and macOS infrastructure using a SQL-like query
language; the provided <em>incident-response pack</em> helps you detect
and respond to breaches.</li>
<li><a
href="https://www.fireeye.com/services/freeware/redline.html">Redline</a>
- Provides host investigative capabilities to users to find signs of
malicious activity through memory and file analysis, and the development
of a threat assessment profile.</li>
<li><a href="https://github.com/zdhenard42/SOC-Multitool">SOC
Multi-tool</a> - A powerful and user-friendly browser extension that
streamlines investigations for security professionals.</li>
<li><a href="http://www.sleuthkit.org">The Sleuth Kit &amp; Autopsy</a>
- Unix and Windows based tool which helps in forensic analysis of
computers. It comes with various tools which helps in digital forensics.
These tools help in analyzing disk images, performing in-depth analysis
of file systems, and various other things.</li>
<li><a href="https://thehive-project.org/">TheHive</a> - Scalable 3-in-1
open source and free solution designed to make life easier for SOCs,
CSIRTs, CERTs and any information security practitioner dealing with
security incidents that need to be investigated and acted upon
swiftly.</li>
<li><a href="https://github.com/Velocidex/velociraptor">Velociraptor</a>
- Endpoint visibility and collection tool</li>
<li><a href="http://www.x-ways.net/forensics/">X-Ways Forensics</a> -
Forensics tool for Disk cloning and imaging. It can be used to find
deleted files and disk analysis.</li>
<li><a href="https://github.com/zentralopensource/zentral">Zentral</a> -
Combines osquery’s powerful endpoint inventory features with a flexible
notification and action framework. This enables one to identify and
react to changes on OS X and Linux clients.</li>
</ul>
<h3 id="books">Books</h3>
<ul>
<li><a
href="https://www.amazon.com/Applied-Incident-Response-Steve-Anson/dp/1119560268/">Applied
Incident Response</a> - Steve Anson’s book on Incident Response.</li>
<li><a
href="https://www.amazon.com/Art-Memory-Forensics-Detecting-Malware/dp/1118825098/">Art
of Memory Forensics</a> - Detecting Malware and Threats in Windows,
Linux, and Mac Memory.</li>
<li><a
href="https://www.amazon.com/Crafting-InfoSec-Playbook-Security-Monitoring/dp/1491949406">Crafting
the InfoSec Playbook: Security Monitoring and Incident Response Master
Plan</a> - by Jeff Bollinger, Brandon Enright and Matthew Valites.</li>
<li><a
href="https://www.amazon.com/Digital-Forensics-Incident-Response-techniques/dp/183864900X">Digital
Forensics and Incident Response: Incident response techniques and
procedures to respond to modern cyber threats</a> - by Gerard
Johansen.</li>
<li><a
href="https://medium.com/@sroberts/introduction-to-dfir-d35d5de4c180/">Introduction
to DFIR</a> - By Scott J. Roberts.</li>
<li><a
href="https://www.amazon.com/Incident-Response-Computer-Forensics-Third/dp/0071798684/">Incident
Response &amp; Computer Forensics, Third Edition</a> - The definitive
guide to incident response.</li>
<li><a
href="https://www.amazon.com/Incident-Response-Techniques-Ransomware-Attacks/dp/180324044X">Incident
Response Techniques for Ransomware Attacks</a> - A great guide to build
an incident response strategy for ransomware attacks. By Oleg
Skulkin.</li>
<li><a
href="https://www.amazon.com/Incident-response-Threat-Intelligence-intelligence-based/dp/1801072957">Incident
Response with Threat Intelligence</a> - Great reference to build an
incident response plan based also on Threat Intelligence. By Roberto
Martinez.</li>
<li><a
href="https://www.amazon.com/Intelligence-Driven-Incident-Response-Outwitting-Adversary-ebook-dp-B074ZRN5T7/dp/B074ZRN5T7">Intelligence-Driven
Incident Response</a> - By Scott J. Roberts, Rebekah Brown.</li>
<li><a
href="https://www.amazon.com/Operator-Handbook-Team-OSINT-Reference/dp/B085RR67H5/">Operator
Handbook: Red Team + OSINT + Blue Team Reference</a> - Great reference
for incident responders.</li>
<li><a
href="https://www.amazon.com/Practical-Memory-Forensics-Jumpstart-effective/dp/1801070334">Practical
Memory Forensics</a> - The definitive guide to practice memory
forensics. By Svetlana Ostrovskaya and Oleg Skulkin.</li>
<li><a href="http://www.amazon.com/gp/product/1593275099">The Practice
of Network Security Monitoring: Understanding Incident Detection and
Response</a> - Richard Bejtlich’s book on IR.</li>
</ul>
<h3 id="communities">Communities</h3>
<ul>
<li><a href="https://discordapp.com/invite/JUqe9Ek">Digital Forensics
Discord Server</a> - Community of 8,000+ working professionals from Law
Enforcement, Private Sector, and Forensic Vendors. Additionally, plenty
of students and hobbyists! Guide <a
href="https://aboutdfir.com/a-beginners-guide-to-the-digital-forensics-discord-server/">here</a>.</li>
<li><a href="https://dfircommunity.slack.com">Slack DFIR channel</a> -
Slack DFIR Communitiy channel - <a
href="https://start.paloaltonetworks.com/join-our-slack-community">Signup
here</a>.</li>
</ul>
<h3 id="disk-image-creation-tools">Disk Image Creation Tools</h3>
<ul>
<li><a
href="http://accessdata.com/product-download/?/support/adownloads#FTKImager">AccessData
FTK Imager</a> - Forensics tool whose main purpose is to preview
recoverable data from a disk of any kind. FTK Imager can also acquire
live memory and paging file on 32bit and 64bit systems.</li>
<li><a href="https://github.com/vitaly-kamluk/bitscout">Bitscout</a> -
Bitscout by Vitaly Kamluk helps you build your fully-trusted
customizable LiveCD/LiveUSB image to be used for remote digital
forensics (or perhaps any other task of your choice). It is meant to be
transparent and monitorable by the owner of the system, forensically
sound, customizable and compact.</li>
<li><a href="http://www.forensicimager.com/">GetData Forensic Imager</a>
- Windows based program that will acquire, convert, or verify a forensic
image in one of the following common forensic file formats.</li>
<li><a href="http://guymager.sourceforge.net">Guymager</a> - Free
forensic imager for media acquisition on Linux.</li>
<li><a href="https://www.magnetforensics.com/magnet-acquire/">Magnet
ACQUIRE</a> - ACQUIRE by Magnet Forensics allows various types of disk
acquisitions to be performed on Windows, Linux, and OS X as well as
mobile operating systems.</li>
</ul>
<h3 id="evidence-collection">Evidence Collection</h3>
<ul>
<li><a href="https://github.com/fox-it/acquire">Acquire</a> - Acquire is
a tool to quickly gather forensic artifacts from disk images or a live
system into a lightweight container. This makes Acquire an excellent
tool to, among others, speedup the process of digital forensic triage.
It uses <a href="https://github.com/fox-it/dissect">Dissect</a> to
gather that information from the raw disk, if possible.</li>
<li><a
href="https://github.com/forensicanalysis/artifactcollector">artifactcollector</a>
- The artifactcollector project provides a software that collects
forensic artifacts on systems.</li>
<li><a
href="https://github.com/simsong/bulk_extractor">bulk_extractor</a> -
Computer forensics tool that scans a disk image, a file, or a directory
of files and extracts useful information without parsing the file system
or file system structures. Because of ignoring the file system
structure, the program distinguishes itself in terms of speed and
thoroughness.</li>
<li><a href="https://github.com/rough007/CDQR">Cold Disk Quick
Response</a> - Streamlined list of parsers to quickly analyze a forensic
image file (<code>dd</code>, E01, <code>.vmdk</code>, etc) and output
nine reports.</li>
<li><a href="https://github.com/orlikoski/CyLR">CyLR</a> - The CyLR tool
collects forensic artifacts from hosts with NTFS file systems quickly,
securely and minimizes impact to the host.</li>
<li><a href="https://github.com/ForensicArtifacts/artifacts">Forensic
Artifacts</a> - Digital Forensics Artifact Repository</li>
<li><a href="https://github.com/diogo-fernan/ir-rescue">ir-rescue</a> -
Windows Batch script and a Unix Bash script to comprehensively collect
host forensic data during incident response.</li>
<li><a href="https://www.brimorlabs.com/tools/">Live Response
Collection</a> - Automated tool that collects volatile data from
Windows, OSX, and *nix based operating systems.</li>
<li><a
href="https://github.com/ThreatResponse/margaritashotgun">Margarita
Shotgun</a> - Command line utility (that works with or without Amazon
EC2 instances) to parallelize remote memory acquisition.</li>
<li><a href="https://github.com/alpine-sec/SPECTR3">SPECTR3</a> -
Acquire, triage and investigate remote evidence via portable iSCSI
readonly access</li>
<li><a href="https://github.com/tclahr/uac">UAC</a> - UAC (Unix-like
Artifacts Collector) is a Live Response collection script for Incident
Response that makes use of native binaries and tools to automate the
collection of AIX, Android, ESXi, FreeBSD, Linux, macOS, NetBSD,
NetScaler, OpenBSD and Solaris systems artifacts.</li>
</ul>
<h3 id="incident-management">Incident Management</h3>
<ul>
<li><a href="https://github.com/SecurityBrewery/catalyst">Catalyst</a> -
A free SOAR system that helps to automate alert handling and incident
response processes.</li>
<li><a href="https://www.cybercpr.com">CyberCPR</a> - Community and
commercial incident management tool with Need-to-Know built in to
support GDPR compliance while handling sensitive incidents.</li>
<li><a href="https://medevel.com/cyphon/">Cyphon</a> - Cyphon eliminates
the headaches of incident management by streamlining a multitude of
related tasks through a single platform. It receives, processes and
triages events to provide an all-encompassing solution for your analytic
workflow — aggregating data, bundling and prioritizing alerts, and
empowering analysts to investigate and document incidents.</li>
<li><a href="https://www.paloaltonetworks.com/cortex/xsoar">CORTEX
XSOAR</a> - Paloalto security orchestration, automation and response
platform with full Incident lifecycle management and many integrations
to enhance automations.</li>
<li><a href="https://github.com/log2timeline/dftimewolf">DFTimewolf</a>
- A framework for orchestrating forensic collection, processing and data
export.</li>
<li><a href="https://github.com/dfirtrack/dfirtrack">DFIRTrack</a> -
Incident Response tracking application handling one or more incidents
via cases and tasks with a lot of affected systems and artifacts.</li>
<li><a href="https://github.com/certsocietegenerale/FIR/">Fast Incident
Response (FIR)</a> - Cybersecurity incident management platform designed
with agility and speed in mind. It allows for easy creation, tracking,
and reporting of cybersecurity incidents and is useful for CSIRTs, CERTs
and SOCs alike.</li>
<li><a href="https://www.bestpractical.com/rtir/">RTIR</a> - Request
Tracker for Incident Response (RTIR) is the premier open source incident
handling system targeted for computer security teams. We worked with
over a dozen CERT and CSIRT teams around the world to help you handle
the ever-increasing volume of incident reports. RTIR builds on all the
features of Request Tracker.</li>
<li><a href="https://github.com/sandialabs/scot">Sandia Cyber Omni
Tracker (SCOT)</a> - Incident Response collaboration and knowledge
capture tool focused on flexibility and ease of use. Our goal is to add
value to the incident response process without burdening the user.</li>
<li><a href="https://github.com/frikky/Shuffle">Shuffle</a> - A general
purpose security automation platform focused on accessibility.</li>
<li><a href="https://github.com/defpoint/threat_note">threat_note</a> -
Lightweight investigation notebook that allows security researchers the
ability to register and retrieve indicators related to their
research.</li>
<li><a href="https://www.zenduty.com">Zenduty</a> - Zenduty is a novel
incident management platform providing end-to-end incident alerting,
on-call management and response orchestration, giving teams greater
control and automation over the incident management lifecycle.</li>
</ul>
<h3 id="knowledge-bases">Knowledge Bases</h3>
<ul>
<li><a href="https://github.com/ForensicArtifacts/artifacts-kb">Digital
Forensics Artifact Knowledge Base</a> - Digital Forensics Artifact
Knowledge Base</li>
<li><a href="https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES">Windows
Events Attack Samples</a> - Windows Events Attack Samples</li>
<li><a href="https://github.com/libyal/winreg-kb">Windows Registry
Knowledge Base</a> - Windows Registry Knowledge Base</li>
</ul>
<h3 id="linux-distributions">Linux Distributions</h3>
<ul>
<li><a href="https://forensics.cert.org/#ADIA">The Appliance for Digital
Investigation and Analysis (ADIA)</a> - VMware-based appliance used for
digital investigation and acquisition and is built entirely from public
domain software. Among the tools contained in ADIA are Autopsy, the
Sleuth Kit, the Digital Forensics Framework, log2timeline, Xplico, and
Wireshark. Most of the system maintenance uses Webmin. It is designed
for small-to-medium sized digital investigations and acquisitions. The
appliance runs under Linux, Windows, and Mac OS. Both i386 (32-bit) and
x86_64 (64-bit) versions are available.</li>
<li><a href="http://www.caine-live.net/index.html">Computer Aided
Investigative Environment (CAINE)</a> - Contains numerous tools that
help investigators during their analysis, including forensic evidence
collection.</li>
<li><a href="https://github.com/rough007/CCF-VM">CCF-VM</a> - CyLR CDQR
Forensics Virtual Machine (CCF-VM): An all-in-one solution to parsing
collected data, making it easily searchable with built-in common
searches, enable searching of single and multiple hosts
simultaneously.</li>
<li><a
href="https://sourceforge.net/projects/nst/files/latest/download?source=files">NST
- Network Security Toolkit</a> - Linux distribution that includes a vast
collection of best-of-breed open source network security applications
useful to the network security professional.</li>
<li><a href="https://sumuri.com/software/paladin/">PALADIN</a> -
Modified Linux distribution to perform various forensics task in a
forensically sound manner. It comes with many open source forensics
tools included.</li>
<li><a
href="https://github.com/Security-Onion-Solutions/security-onion">Security
Onion</a> - Special Linux distro aimed at network security monitoring
featuring advanced analysis tools.</li>
<li><a href="http://digital-forensics.sans.org/community/downloads">SANS
Investigative Forensic Toolkit (SIFT) Workstation</a> - Demonstrates
that advanced incident response capabilities and deep dive digital
forensic techniques to intrusions can be accomplished using cutting-edge
open-source tools that are freely available and frequently updated.</li>
</ul>
<h3 id="linux-evidence-collection">Linux Evidence Collection</h3>
<ul>
<li><a href="https://github.com/SekoiaLab/Fastir_Collector_Linux">FastIR
Collector Linux</a> - FastIR for Linux collects different artifacts on
live Linux and records the results in CSV files.</li>
<li><a href="https://github.com/MagnetForensics/dumpit-linux">MAGNET
DumpIt</a> - Fast memory acquisition open source tool for Linux written
in Rust. Generate full memory crash dumps of Linux machines.</li>
</ul>
<h3 id="log-analysis-tools">Log Analysis Tools</h3>
<ul>
<li><a
href="https://github.com/mbevilacqua/appcompatprocessor">AppCompatProcessor</a>
- AppCompatProcessor has been designed to extract additional value from
enterprise-wide AppCompat / AmCache data beyond the classic stacking and
grepping techniques.</li>
<li><a href="https://github.com/ahmedkhlief/APT-Hunter">APT Hunter</a> -
APT-Hunter is Threat Hunting tool for windows event logs.</li>
<li><a href="https://github.com/countercept/chainsaw">Chainsaw</a> -
Chainsaw provides a powerful ‘first-response’ capability to quickly
identify threats within Windows event logs.</li>
<li><a href="https://eventlogxp.com/">Event Log Explorer</a> - Tool
developed to quickly analyze log files and other data.</li>
<li><a href="https://lizard-labs.com/event_log_observer.aspx">Event Log
Observer</a> - View, analyze and monitor events recorded in Microsoft
Windows event logs with this GUI tool.</li>
<li><a href="https://github.com/Yamato-Security/hayabusa">Hayabusa</a> -
Hayabusa is a Windows event log fast forensics timeline generator and
threat hunting tool created by the Yamato Security group in Japan.</li>
<li><a href="https://support.kaspersky.com/13850">Kaspersky
CyberTrace</a> - Threat intelligence fusion and analysis tool that
integrates threat data feeds with SIEM solutions. Users can immediately
leverage threat intelligence for security monitoring and incident report
(IR) activities in the workflow of their existing security
operations.</li>
<li><a href="https://lizard-labs.com/log_parser_lizard.aspx">Log Parser
Lizard</a> - Execute SQL queries against structured log data: server
logs, Windows Events, file system, Active Directory, log4net logs,
comma/tab separated text, XML or JSON files. Also provides a GUI to
Microsoft LogParser 2.2 with powerful UI elements: syntax editor, data
grid, chart, pivot table, dashboard, query manager and more.</li>
<li><a href="https://github.com/jensvoid/lorg">Lorg</a> - Tool for
advanced HTTPD logfile security analysis and forensics.</li>
<li><a href="https://github.com/dogoncouch/logdissect">Logdissect</a> -
CLI utility and Python API for analyzing log files and other data.</li>
<li><a href="https://github.com/JPCERTCC/LogonTracer">LogonTracer</a> -
Tool to investigate malicious Windows logon by visualizing and analyzing
Windows event log.</li>
<li><a href="https://github.com/SigmaHQ/sigma">Sigma</a> - Generic
signature format for SIEM systems already containing an extensive
ruleset.</li>
<li><a href="https://github.com/airbnb/streamalert">StreamAlert</a> -
Serverless, real-time log data analysis framework, capable of ingesting
custom data sources and triggering alerts using user-defined logic.</li>
<li><a href="https://github.com/JPCERTCC/SysmonSearch">SysmonSearch</a>
- SysmonSearch makes Windows event log analysis more effective and less
time consuming by aggregation of event logs.</li>
<li><a href="https://github.com/Yamato-Security/WELA">WELA</a> - Windows
Event Log Analyzer aims to be the Swiss Army knife for Windows event
logs.</li>
<li><a href="https://github.com/wagga40/Zircolite">Zircolite</a> - A
standalone and fast SIGMA-based detection tool for EVTX or JSON.</li>
</ul>
<h3 id="memory-analysis-tools">Memory Analysis Tools</h3>
<ul>
<li><a href="https://github.com/microsoft/avml">AVML</a> - A portable
volatile memory acquisition tool for Linux.</li>
<li><a href="https://github.com/JamesHabben/evolve">Evolve</a> - Web
interface for the Volatility Memory Forensics Framework.</li>
<li><a href="https://github.com/ShaneK2/inVtero.net">inVtero.net</a> -
Advanced memory analysis for Windows x64 with nested hypervisor
support.</li>
<li><a href="https://github.com/504ensicsLabs/LiME">LiME</a> - Loadable
Kernel Module (LKM), which allows the acquisition of volatile memory
from Linux and Linux-based devices, formerly called DMD.</li>
<li><a href="https://github.com/JPCERTCC/MalConfScan">MalConfScan</a> -
MalConfScan is a Volatility plugin extracts configuration data of known
malware. Volatility is an open-source memory forensics framework for
incident response and malware analysis. This tool searches for malware
in memory images and dumps configuration data. In addition, this tool
has a function to list strings to which malicious code refers.</li>
<li><a
href="https://www.fireeye.com/services/freeware/memoryze.html">Memoryze</a>
- Free memory forensic software that helps incident responders find evil
in live memory. Memoryze can acquire and/or analyze memory images, and
on live systems, can include the paging file in its analysis.</li>
<li><a
href="https://www.fireeye.com/services/freeware/memoryze.html">Memoryze
for Mac</a> - Memoryze for Mac is Memoryze but then for Macs. A lower
number of features, however.</li>
<li>[MemProcFS] (https://github.com/ufrisk/MemProcFS) - MemProcFS is an
easy and convenient way of viewing physical memory as files in a virtual
file system.</li>
<li><a href="https://github.com/LDO-CERT/orochi">Orochi</a> - Orochi is
an open source framework for collaborative forensic memory dump
analysis.</li>
<li><a href="http://www.rekall-forensic.com/">Rekall</a> - Open source
tool (and library) for the extraction of digital artifacts from volatile
memory (RAM) samples.</li>
<li><a
href="https://github.com/volatilityfoundation/volatility">Volatility</a>
- Advanced memory forensics framework.</li>
<li><a
href="https://github.com/volatilityfoundation/volatility3">Volatility
3</a> - The volatile memory extraction framework (successor of
Volatility)</li>
<li><a
href="https://github.com/mkorman90/VolatilityBot">VolatilityBot</a> -
Automation tool for researchers cuts all the guesswork and manual tasks
out of the binary extraction phase, or to help the investigator in the
first steps of performing a memory analysis investigation.</li>
<li><a href="https://github.com/aim4r/VolDiff">VolDiff</a> - Malware
Memory Footprint Analysis based on Volatility.</li>
<li><a
href="http://www.windowsscope.com/windowsscope-cyber-forensics/">WindowsSCOPE</a>
- Memory forensics and reverse engineering tool used for analyzing
volatile memory offering the capability of analyzing the Windows kernel,
drivers, DLLs, and virtual and physical memory.</li>
</ul>
<h3 id="memory-imaging-tools">Memory Imaging Tools</h3>
<ul>
<li><a href="http://belkasoft.com/ram-capturer">Belkasoft Live RAM
Capturer</a> - Tiny free forensic tool to reliably extract the entire
content of the computer’s volatile memory – even if protected by an
active anti-debugging or anti-dumping system.</li>
<li><a href="https://github.com/halpomeranz/lmg/">Linux Memory
Grabber</a> - Script for dumping Linux memory and creating Volatility
profiles.</li>
<li><a
href="https://www.magnetforensics.com/resources/magnet-dumpit-for-windows">MAGNET
DumpIt</a> - Fast memory acquisition tool for Windows (x86, x64, ARM64).
Generate full memory crash dumps of Windows machines.</li>
<li><a
href="https://www.magnetforensics.com/free-tool-magnet-ram-capture/">Magnet
RAM Capture</a> - Free imaging tool designed to capture the physical
memory of a suspect’s computer. Supports recent versions of
Windows.</li>
<li><a href="http://www.osforensics.com/">OSForensics</a> - Tool to
acquire live memory on 32-bit and 64-bit systems. A dump of an
individual process’s memory space or physical memory dump can be
done.</li>
</ul>
<h3 id="osx-evidence-collection">OSX Evidence Collection</h3>
<ul>
<li><a
href="https://objective-see.com/products/knockknock.html">Knockknock</a>
- Displays persistent items(scripts, commands, binaries, etc.) that are
set to execute automatically on OSX.</li>
<li><a href="https://github.com/ydkhatri/mac_apt">macOS Artifact Parsing
Tool (mac_apt)</a> - Plugin based forensics framework for quick mac
triage that works on live machines, disk images or individual artifact
files.</li>
<li><a href="https://github.com/jipegit/OSXAuditor">OSX Auditor</a> -
Free Mac OS X computer forensics tool.</li>
<li><a href="https://github.com/yelp/osxcollector">OSX Collector</a> -
OSX Auditor offshoot for live response.</li>
<li><a href="https://themittenmac.com/the-esf-playground/">The ESF
Playground</a> - A tool to view the events in Apple Endpoint Security
Framework (ESF) in real time.</li>
</ul>
<h3 id="other-lists">Other Lists</h3>
<ul>
<li><a href="https://github.com/stuhli/awesome-event-ids">Awesome Event
IDs</a> - Collection of Event ID resources useful for Digital Forensics
and Incident Response.</li>
<li><a href="https://github.com/cugu/awesome-forensics">Awesome
Forensics</a> - A curated list of awesome forensic analysis tools and
resources.</li>
<li><a href="https://github.com/DidierStevens/DidierStevensSuite">Didier
Stevens Suite</a> - Tool collection</li>
<li><a href="https://ericzimmerman.github.io/">Eric Zimmerman Tools</a>
- An updated list of forensic tools created by Eric Zimmerman, an
instructor for SANS institute.</li>
<li><a href="https://github.com/deralexxx/security-apis">List of various
Security APIs</a> - Collective list of public JSON APIs for use in
security.</li>
</ul>
<h3 id="other-tools">Other Tools</h3>
<ul>
<li><a href="https://thehive-project.org">Cortex</a> - Cortex allows you
to analyze observables such as IP and email addresses, URLs, domain
names, files or hashes one by one or in bulk mode using a Web interface.
Analysts can also automate these operations using its REST API.</li>
<li><a href="https://crits.github.io/">Crits</a> - Web-based tool which
combines an analytic engine with a cyber threat database.</li>
<li><a href="https://github.com/Netflix-Skunkworks/diffy">Diffy</a> -
DFIR tool developed by Netflix’s SIRT that allows an investigator to
quickly scope a compromise across cloud instances (Linux instances on
AWS, currently) during an incident and efficiently triaging those
instances for followup actions by showing differences against a
baseline.</li>
<li><a href="https://github.com/diogo-fernan/domfind">domfind</a> -
Python DNS crawler for finding identical domain names under different
TLDs.</li>
<li><a href="https://github.com/keithjjones/fileintel">Fileintel</a> -
Pull intelligence per file hash.</li>
<li><a href="https://github.com/Cyb3rWard0g/HELK">HELK</a> - Threat
Hunting platform.</li>
<li><a
href="https://github.com/obsidianforensics/hindsight">Hindsight</a> -
Internet history forensics for Google Chrome/Chromium.</li>
<li><a href="https://github.com/keithjjones/hostintel">Hostintel</a> -
Pull intelligence per host.</li>
<li><a href="https://github.com/ralphje/imagemounter">imagemounter</a> -
Command line utility and Python package to ease the (un)mounting of
forensic disk images.</li>
<li><a href="https://github.com/davehull/Kansa/">Kansa</a> - Modular
incident response framework in PowerShell.</li>
<li><a href="https://github.com/kacos2000/MFT_Browser">MFT Browser</a> -
MFT directory tree reconstruction &amp; record info.</li>
<li><a href="https://github.com/Neo23x0/munin">Munin</a> - Online hash
checker for VirusTotal and other services.</li>
<li><a href="https://github.com/swisscom/PowerSponse">PowerSponse</a> -
PowerSponse is a PowerShell module focused on targeted containment and
remediation during security incident response.</li>
<li><a
href="https://github.com/nogoodconfig/pyarascanner">PyaraScanner</a> -
Very simple multi-threaded many-rules to many-files YARA scanning Python
script for malware zoos and IR.</li>
<li><a href="https://github.com/rastrea2r/rastrea2r">rastrea2r</a> -
Allows one to scan disks and memory for IOCs using YARA on Windows,
Linux and OS X.</li>
<li><a href="https://raqet.github.io/">RaQet</a> - Unconventional remote
acquisition and triaging tool that allows triage a disk of a remote
computer (client) that is restarted with a purposely built forensic
operating system.</li>
<li><a href="https://github.com/Neo23x0/Raccine">Raccine</a> - A Simple
Ransomware Protection</li>
<li><a
href="https://www.percona.com/doc/percona-toolkit/2.2/pt-stalk.html">Stalk</a>
- Collect forensic data about MySQL when problems occur.</li>
<li><a href="https://nccgroup.github.io/Scout2/">Scout2</a> - Security
tool that lets Amazon Web Services administrators assess their
environment’s security posture.</li>
<li><a href="https://github.com/google/stenographer">Stenographer</a> -
Packet capture solution which aims to quickly spool all packets to disk,
then provide simple, fast access to subsets of those packets. It stores
as much history as it possible, managing disk usage, and deleting when
disk limits are hit. It’s ideal for capturing the traffic just before
and during an incident, without the need explicit need to store all of
the network traffic.</li>
<li><a href="https://github.com/0x4d31/sqhunter">sqhunter</a> - Threat
hunter based on osquery and Salt Open (SaltStack) that can issue ad-hoc
or distributed queries without the need for osquery’s tls plugin.
sqhunter allows you to query open network sockets and check them against
threat intelligence sources.</li>
<li><a
href="https://github.com/SwiftOnSecurity/sysmon-config">sysmon-config</a>
- Sysmon configuration file template with default high-quality event
tracing</li>
<li><a
href="https://github.com/olafhartong/sysmon-modular">sysmon-modular</a>
- A repository of sysmon configuration modules</li>
<li><a
href="https://github.com/CIRCL/traceroute-circl">traceroute-circl</a> -
Extended traceroute to support the activities of CSIRT (or CERT)
operators. Usually CSIRT team have to handle incidents based on IP
addresses received. Created by Computer Emergency Response Center
Luxembourg.</li>
<li><a href="https://www.raymond.cc/blog/xray/">X-Ray 2.0</a> - Windows
utility (poorly maintained or no longer maintained) to submit virus
samples to AV vendors.</li>
</ul>
<h3 id="playbooks">Playbooks</h3>
<ul>
<li><a
href="https://github.com/aws-samples/aws-incident-response-runbooks/tree/0d9a1c0f7ad68fb2c1b2d86be8914f2069492e21">AWS
Incident Response Runbook Samples</a> - AWS IR Runbook Samples meant to
be customized per each entity using them. The three samples are: “DoS or
DDoS attack”, “credential leakage”, and “unintended access to an Amazon
S3 bucket”.</li>
<li><a
href="https://github.com/counteractive/incident-response-plan-template/tree/master/playbooks">Counteractive
Playbooks</a> - Counteractive PLaybooks collection.</li>
<li><a
href="https://github.com/guardsight/gsvsoc_cirt-playbook-battle-cards">GuardSIght
Playbook Battle Cards</a> - A collection of Cyber Incident Response
Playbook Battle Cards</li>
<li><a href="https://github.com/certsocietegenerale/IRM">IRM</a> -
Incident Response Methodologies by CERT Societe Generale.</li>
<li><a href="https://response.pagerduty.com/">PagerDuty Incident
Response Documentation</a> - Documents that describe parts of the
PagerDuty Incident Response process. It provides information not only on
preparing for an incident, but also what to do during and after. Source
is available on <a
href="https://github.com/PagerDuty/incident-response-docs">GitHub</a>.</li>
<li><a href="https://github.com/phantomcyber/playbooks">Phantom
Community Playbooks</a> - Phantom Community Playbooks for Splunk but
also customizable for other use.</li>
<li><a
href="https://github.com/OTRF/ThreatHunter-Playbook">ThreatHunter-Playbook</a>
- Playbook to aid the development of techniques and hypothesis for
hunting campaigns.</li>
</ul>
<h3 id="process-dump-tools">Process Dump Tools</h3>
<ul>
<li><a
href="https://docs.microsoft.com/en-us/sysinternals/downloads/procdump">Microsoft
ProcDump</a> - Dumps any running Win32 processes memory image on the
fly.</li>
<li><a href="http://www.ntsecurity.nu/toolbox/pmdump/">PMDump</a> - Tool
that lets you dump the memory contents of a process to a file without
stopping the process.</li>
</ul>
<h3 id="sandboxingreversing-tools">Sandboxing/Reversing Tools</h3>
<ul>
<li><a href="https://app.any.run/">Any Run</a> - Interactive online
malware analysis service for dynamic and static research of most types
of threats using any environment.</li>
<li><a href="https://github.com/mandiant/capa">CAPA</a> - detects
capabilities in executable files. You run it against a PE, ELF, .NET
module, or shellcode file and it tells you what it thinks the program
can do.</li>
<li><a href="https://github.com/kevoreilly/CAPEv2">CAPEv2</a> - Malware
Configuration And Payload Extraction.</li>
<li><a href="https://github.com/cuckoosandbox/cuckoo">Cuckoo</a> - Open
Source Highly configurable sandboxing tool.</li>
<li><a
href="https://github.com/spender-sandbox/cuckoo-modified">Cuckoo-modified</a>
- Heavily modified Cuckoo fork developed by community.</li>
<li><a
href="https://github.com/keithjjones/cuckoo-modified-api">Cuckoo-modified-api</a>
- Python library to control a cuckoo-modified sandbox.</li>
<li><a href="https://github.com/rizinorg/cutter">Cutter</a> - Free and
Open Source Reverse Engineering Platform powered by rizin.</li>
<li><a
href="https://github.com/NationalSecurityAgency/ghidra">Ghidra</a> -
Software Reverse Engineering Framework.</li>
<li><a href="https://www.hybrid-analysis.com/">Hybrid-Analysis</a> -
Free powerful online sandbox by CrowdStrike.</li>
<li><a href="https://analyze.intezer.com/#/">Intezer</a> - Intezer
Analyze dives into Windows binaries to detect micro-code similarities to
known threats, in order to provide accurate yet easy-to-understand
results.</li>
<li><a href="https://www.joesandbox.com/">Joe Sandbox (Community)</a> -
Joe Sandbox detects and analyzes potential malicious files and URLs on
Windows, Android, Mac OS, Linux, and iOS for suspicious activities;
providing comprehensive and detailed analysis reports.</li>
<li><a href="https://github.com/KoreLogicSecurity/mastiff">Mastiff</a> -
Static analysis framework that automates the process of extracting key
characteristics from a number of different file formats.</li>
<li><a href="https://www.metadefender.com">Metadefender Cloud</a> - Free
threat intelligence platform providing multiscanning, data sanitization
and vulnerability assessment of files.</li>
<li><a href="https://github.com/radareorg/radare2">Radare2</a> - Reverse
engineering framework and command-line toolset.</li>
<li><a href="https://www.reverse.it/">Reverse.IT</a> - Alternative
domain for the Hybrid-Analysis tool provided by CrowdStrike.</li>
<li><a href="https://github.com/rizinorg/rizin">Rizin</a> - UNIX-like
reverse engineering framework and command-line toolset</li>
<li><a href="https://github.com/fireeye/stringsifter">StringSifter</a> -
A machine learning tool that ranks strings based on their relevance for
malware analysis.</li>
<li><a href="https://app.threat.zone">Threat.Zone</a> - Cloud based
threat analysis platform which include sandbox, CDR and interactive
analysis for researchers.</li>
<li><a href="https://valkyrie.comodo.com">Valkyrie Comodo</a> - Valkyrie
uses run-time behavior and hundreds of features from a file to perform
analysis.</li>
<li><a href="https://github.com/viper-framework/viper">Viper</a> -
Python based binary analysis and management framework, that works well
with Cuckoo and YARA.</li>
<li><a href="https://www.virustotal.com">Virustotal</a> - Free online
service that analyzes files and URLs enabling the identification of
viruses, worms, trojans and other kinds of malicious content detected by
antivirus engines and website scanners.</li>
<li><a
href="https://github.com/keithjjones/visualize_logs">Visualize_Logs</a>
- Open source visualization library and command line tools for logs
(Cuckoo, Procmon, more to come).</li>
<li><a href="https://yomi.yoroi.company">Yomi</a> - Free MultiSandbox
managed and hosted by Yoroi.</li>
</ul>
<h3 id="scanner-tools">Scanner Tools</h3>
<ul>
<li><a href="https://github.com/Neo23x0/Fenrir">Fenrir</a> - Simple IOC
scanner. It allows scanning any Linux/Unix/OSX system for IOCs in plain
bash. Created by the creators of THOR and LOKI.</li>
<li><a href="https://github.com/Neo23x0/Loki">LOKI</a> - Free IR scanner
for scanning endpoint with yara rules and other indicators(IOCs).</li>
<li><a href="https://github.com/spyre-project/spyre">Spyre</a> - Simple
YARA-based IOC scanner written in Go</li>
</ul>
<h3 id="timeline-tools">Timeline Tools</h3>
<ul>
<li><a
href="https://github.com/cyb3rfox/Aurora-Incident-Response">Aurora
Incident Response</a> - Platform developed to build easily a detailed
timeline of an incident.</li>
<li><a
href="https://www.fireeye.com/services/freeware/highlighter.html">Highlighter</a>
- Free Tool available from Fire/Mandiant that will depict log/text file
that can highlight areas on the graphic, that corresponded to a key word
or phrase. Good for time lining an infection and what was done post
compromise.</li>
<li><a href="https://github.com/etsy/morgue">Morgue</a> - PHP Web app by
Etsy for managing postmortems.</li>
<li><a href="https://github.com/log2timeline/plaso">Plaso</a> - a
Python-based backend engine for the tool log2timeline.</li>
<li><a href="https://github.com/google/timesketch">Timesketch</a> - Open
source tool for collaborative forensic timeline analysis.</li>
</ul>
<h3 id="videos">Videos</h3>
<ul>
<li><a href="https://www.youtube.com/watch?v=bDcx4UNpKNc">The Future of
Incident Response</a> - Presented by Bruce Schneier at OWASP AppSecUSA
2015.</li>
</ul>
<h3 id="windows-evidence-collection">Windows Evidence Collection</h3>
<ul>
<li><a href="https://github.com/OMENScan/AChoir">AChoir</a> -
Framework/scripting tool to standardize and simplify the process of
scripting live acquisition utilities for Windows.</li>
<li><a href="http://www.crowdstrike.com/community-tools/">Crowd
Response</a> - Lightweight Windows console application designed to aid
in the gathering of system information for incident response and
security engagements. It features numerous modules and output
formats.</li>
<li><a href="http://www.cybertriage.com">Cyber Triage</a> - Cyber Triage
has a lightweight collection tool that is free to use. It collects
source files (such as registry hives and event logs), but also parses
them on the live host so that it can also collect the executables that
the startup items, scheduled, tasks, etc. refer to. It’s output is a
JSON file that can be imported into the free version of Cyber Triage.
Cyber Triage is made by Sleuth Kit Labs, which also makes Autopsy.</li>
<li><a href="https://dfir-orc.github.io/">DFIR ORC</a> - DFIR ORC is a
collection of specialized tools dedicated to reliably parse and collect
critical artifacts such as the MFT, registry hives or event logs. DFIR
ORC collects data, but does not analyze it: it is not meant to triage
machines. It provides a forensically relevant snapshot of machines
running Microsoft Windows. The code can be found on <a
href="https://github.com/DFIR-ORC/dfir-orc">GitHub</a>.</li>
<li><a href="https://github.com/SekoiaLab/Fastir_Collector">FastIR
Collector</a> - Tool that collects different artifacts on live Windows
systems and records the results in csv files. With the analyses of these
artifacts, an early compromise can be detected.</li>
<li><a href="https://github.com/rabbitstack/fibratus">Fibratus</a> -
Tool for exploration and tracing of the Windows kernel.</li>
<li><a href="https://github.com/muteb/Hoarder">Hoarder</a> - Collecting
the most valuable artifacts for forensics or incident response
investigations.</li>
<li><a href="https://binalyze.com/products/irec-free/">IREC</a> -
All-in-one IR Evidence Collector which captures RAM Image, $MFT,
EventLogs, WMI Scripts, Registry Hives, System Restore Points and much
more. It is FREE, lightning fast and easy to use.</li>
<li><a
href="https://github.com/mgreen27/Invoke-LiveResponse">Invoke-LiveResponse</a>
- Invoke-LiveResponse is a live response tool for targeted
collection.</li>
<li><a
href="https://www.fireeye.com/services/freeware/ioc-finder.html">IOC
Finder</a> - Free tool from Mandiant for collecting host system data and
reporting the presence of Indicators of Compromise (IOCs). Support for
Windows only. No longer maintained. Only fully supported up to Windows 7
/ Windows Server 2008 R2.</li>
<li><a href="https://github.com/AJMartel/IRTriage">IRTriage</a> -
Incident Response Triage - Windows Evidence Collection for Forensic
Analysis.</li>
<li><a
href="https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape">KAPE</a>
- Kroll Artifact Parser and Extractor (KAPE) by Eric Zimmerman. A triage
tool that finds the most prevalent digital artifacts and then parses
them quickly. Great and thorough when time is of the essence.</li>
<li><a href="https://github.com/Neo23x0/Loki">LOKI</a> - Free IR scanner
for scanning endpoint with yara rules and other indicators(IOCs).</li>
<li><a href="https://github.com/TonyPhipps/Meerkat">MEERKAT</a> -
PowerShell-based triage and threat hunting for Windows.</li>
<li><a href="https://github.com/AlmCo/Panorama">Panorama</a> - Fast
incident overview on live Windows systems.</li>
<li><a
href="https://github.com/Invoke-IR/PowerForensics">PowerForensics</a> -
Live disk forensics platform, using PowerShell.</li>
<li><a href="https://github.com/gfoss/PSRecon/">PSRecon</a> - PSRecon
gathers data from a remote Windows host using PowerShell (v2 or later),
organizes the data into folders, hashes all extracted data, hashes
PowerShell and various system properties, and sends the data off to the
security team. The data can be pushed to a share, sent over email, or
retained locally.</li>
<li><a href="https://github.com/keydet89/RegRipper3.0">RegRipper</a> -
Open source tool, written in Perl, for extracting/parsing information
(keys, values, data) from the Registry and presenting it for
analysis.</li>
</ul>
<p><a
href="https://github.com/meirwah/awesome-incident-response">incidentresponse.md
Github</a></p>