Tools


Security Testing - Threat Emulation


Infection Monkey

The Infection Monkey is an open-source breach and attack simulation (BAS) platform that helps you validate existing controls and identify how attackers might exploit your current network security gaps.

  • Continuous Testing
  • Test Network Defenses
  • Ransomware Simulation
  • ATT&CK Analysis Report
  • Zero Trust Analysis Report
  • Automated breach and attack simulation analysis
  • Environment Agnostic
  • Actionable Data

Akamai - https://www.akamai.com/infectionmonkey


Atomic Red Team

Atomic Red Team™ is a library of simple tests that every security team can execute to test their controls. Tests are focused, have few dependencies, and are defined in a structured format that can be used by automation frameworks.

  • Open-source library of tests that security teams can use to simulate adversarial activity in their environments.
  • A library of simple, focused tests mapped to the MITRE ATT&CK® matrix, with tests for 274 of the 719 MITRE ATT&CK® Techniques across all platforms
  • 1304 community-created Atomic Tests for all platforms

https://atomicredteam.io/


Attack Range

The Splunk Attack Range is an open-source project maintained by the Splunk Threat Research Team. It builds instrumented cloud and local environments, simulates attacks, and forwards the data into a Splunk instance.

  • The user is able to quickly build a small lab infrastructure as close as possible to a production environment.
  • The Attack Range performs attack simulation using different engines such as Atomic Red Team or Caldera in order to generate real attack data.
  • It integrates seamlessly into any Continuous Integration / Continuous Delivery (CI/CD) pipeline to automate the detection rule testing process.
  • The deployment of Attack Range consists of: Windows Domain Controller, Windows Server, Windows Workstation, a Kali machine, Splunk Server, Splunk SOAR Server, Nginx Server, Linux Server and Zeek Server.

Splunk - https://github.com/splunk/attack_range


Digital Forensics and Incident Response


SIFT Workstation

SIFT Workstation is a collection of free and open-source incident response and forensic tools designed to perform detailed digital forensic examinations in a variety of settings.

  • Can match any current incident response and forensic tool suite.
  • SIFT demonstrates that advanced incident response capabilities and deep-dive digital forensic techniques can be accomplished using cutting-edge open-source tools that are freely available and frequently updated.
  • A collection of free and open-source incident response and forensic tools designed to perform detailed digital forensic examinations
  • Incident Response
  • Rapid Scripting and Analysis
  • Threat Intelligence and Indicator of Compromise Support
  • Threat Hunting and Malware Analysis Capabilities

SANS - https://www.sans.org/tools/sift-workstation/


SOF-ELK

SOF-ELK® is a “big data analytics” platform focused on the typical needs of computer forensic investigators/analysts and information security operations personnel.

  • The platform is a customized build of the open-source Elastic stack
  • The platform was initially developed for SANS FOR572, Advanced Network Forensics and Analysis
  • Pre-built and ready-to-use SOF-ELK® virtual appliance
  • Configuration:
    CentOS 7.7 base
    Elasticsearch storage and search engine
    Logstash ingest and enrichment system
    Kibana dashboard frontend
    Elastic Beats log shipper

SANS - https://github.com/philhagen/sof-elk


Magnet Forensics

Several free tools to help give the DFIR community new ways to find evidence in their investigations.

  • SHIELD - Empower Frontline Officers to Collect and Report on Fleeting Digital Evidence
  • ACQUIRE - quickly and easily acquire forensic images of any iOS or Android device, hard drive, and removable media
  • App Simulator - lets you load application data from Android devices in your case into a virtual environment
  • Process Capture - capture memory from individual running processes
  • RAM Capture - designed to capture the physical memory
  • Web Page Saver - tool for capturing how web pages look at a specific point in time
  • Encrypted Disk Detector - command-line tool that can quickly and non-intrusively check for encrypted volumes on a computer system during incident response

https://www.magnetforensics.com/free-tools


CSI Linux

CSI Linux is a focused Linux distribution for digital forensics.

  • Available in both a Virtual Machine Appliance and Bootable distro to use as a daily driver.
  • Over 175 tools in CSI Linux
  • Online Investigations
  • Incident Response
  • Malware Analysis
  • Centralized Evidence Capture
  • Timestamped archive of evidence

https://csilinux.com/


CAINE (Computer Aided INvestigative Environment)

CAINE offers a complete forensic environment that is organized to integrate existing software tools as software modules and to provide a friendly graphical interface.
The main design objectives that CAINE aims to guarantee are the following:

  • an interoperable environment that supports the digital investigator during the four phases of the digital investigation
  • a user-friendly graphical interface
  • user-friendly tools
  • CAINE includes Windows IR/live forensics tools.

https://www.caine-live.net/


Malware Analysis


REMnux

REMnux® is a Linux toolkit for reverse-engineering and analyzing malicious software.

  • Analysts can use it to investigate malware without having to find, install, and configure the tools.
  • Provides a curated collection of free tools created by the community.
  • Distro:
    Download the REMnux virtual machine in the OVA format, then import it into your hypervisor.
    Install the distro from scratch on a dedicated host or add it to an existing system running a compatible version of Ubuntu.
    You can run the REMnux distro as a container.
  • The REMnux toolkit also offers Docker images of popular malware analysis tools, making it possible to run them as containers without having to install the tools directly on the system.

https://remnux.org/


PolySwarm

Tap into PolySwarm’s next-generation malware intelligence marketplace and get better, fresher insight faster. Cut through extraneous data and noise to detect, analyze, and respond to critical threats before they make an impact.

  • Early detection of threats
  • Unique samples
  • Higher accuracy
  • PolyScore threat scoring which enables SOC automation
  • Unrivaled threat hunting
  • Daily API Request Limit: 250/day
  • Scans: 500/month
  • Hash Searches: 1000/month

https://polyswarm.io/


Penetration Testing, Red Team, Purple Team


Kali Linux

Kali Linux is an open-source, Debian-based Linux distribution geared towards various information security tasks, such as Penetration Testing, Security Research, Computer Forensics and Reverse Engineering.

  • Platform contains a vast array of tools and utilities.
  • Kali Everywhere - Mobile devices, Docker, ARM, Amazon Web Services, Windows Subsystem for Linux, Prebuilt Virtual Machine, Installer Images, and others are all available.
  • Customization - metapackages optimized for the specific tasks of a security professional, and a highly accessible and well-documented ISO customization process.

https://www.kali.org/


BlackArch

BlackArch Linux is an Arch Linux-based penetration testing distribution for penetration testers and security researchers.

  • The repository contains 2825 tools.
  • You can install tools individually or in groups.

https://blackarch.org/


Parrot OS

Parrot Security provides a huge arsenal of tools, utilities and libraries that IT and security professionals can use to test and assess the security of their assets in a reliable, compliant and reproducible way. From information gathering to the final report.

  • 600+ tools
  • It includes a full portable arsenal for IT security and digital forensics operations.
  • Parrot is available in three main editions, Security, Home and Architect Edition, as well as a Virtual Machine (VirtualBox, Parallels and VMware), on Raspberry Pi and also on Docker.
  • Parrot was designed to be a very comfortable environment for security experts and researchers.
  • Parrot Security ships with custom hardening profiles and configurations for AppArmor and other Linux hardening technologies.

https://www.parrotsec.org/


AttifyOS

AttifyOS is a distro intended to help you perform security assessment and penetration testing of Internet of Things (IoT) devices.

  • It saves a lot of time by providing a pre-configured environment with all the necessary tools loaded.
  • The new version is based on Ubuntu 18.04 64-bit, which also means that you will receive updates for this version until April 2023.

https://github.com/adi0x90/attifyos


Fedora Security Lab

The Fedora Security Lab provides a safe test environment to work on security auditing, forensics, system rescue and teaching security testing methodologies.

  • Fedora Security Lab is shipped as a live operating system
  • It's everything you need to try out Fedora's Security Lab - you don't have to erase anything on your current system to try it out, and it won't put your files at risk.
  • You can install Fedora directly to your hard drive straight from the Live Media desktop if you like.

https://labs.fedoraproject.org/en/security/


Threat Intel


MISP

A threat intelligence platform for sharing, storing and correlating Indicators of Compromise of targeted attacks, threat intelligence, financial fraud information, vulnerability information or even counter-terrorism information.

  • An efficient IoC and indicators database
  • Automatic correlation
  • Built-in sharing functionality
  • Flexible free text import tool
  • Feed import
  • Flexible API
  • STIX support

https://www.misp-project.org/


OpenCTI

OpenCTI is an open-source platform allowing organizations to manage their cyber threat intelligence knowledge and observables. The goal is to create a comprehensive tool allowing users to capitalize on technical and non-technical information while linking each piece of information to its primary source.

  • Structure, store, organize and visualize technical and non-technical information about cyber threats.
  • OpenCTI can be integrated with other tools and applications such as MISP, TheHive, MITRE ATT&CK, etc.
  • The data is structured using a knowledge schema based on the STIX2 standards.
  • Features include links between pieces of information, first and last seen dates, and levels of confidence.
  • The user can also choose to implement their own datasets.
  • The tool is able to use the MITRE ATT&CK framework (through a dedicated connector) to help structure the data.
  • Deployment: VM Template, Docker, Terraform, Helm-Chart

https://github.com/OpenCTI-Platform/opencti


SOCRadar

Extended Threat Intelligence (XTI) enriched with External Attack Surface Management and Digital Risk Protection. Maximize the efficiency of your SOC team with false-positive free, actionable, and contextualized threat intelligence.

  • Instant test of your security posture: https://socradar.io/labs/
  • BlueBleed, Deep Web Report, External Attack Surface, Account Breach, SOC Tools, Dark Mirror, VPN Security
  • Freemium Version - https://socradar.io/free-edition/
  • Free External Attack Surface Management
  • Get Instant alerts for fraudulent domains against phishing and BEC attacks
  • Monitor Deep Web and Dark Net for threat trends
  • Get vulnerability intelligence when a critical zero-day is disclosed
  • Get IOC search & APT tracking & threat hunting in one place
  • Get notified with data breach detection

https://socradar.io/


Black Kite

Black Kite offers free unique services to the public for you to better understand your cyber risk posture. Know if your account has been compromised, analyze fraudulent domains, and see hundreds of blacklisted IP addresses collected from our honeypot system.

  • Domain Phishing: Generate possible words from your domain name and search those words in all domain name databases to detect domain spoofing and phishing.
  • IP Blacklist: Search your IP assets via Black Kite’s IP Blacklist Service to detect if your IP address appears in any blacklist.
  • Account Breach: Black Kite Breach Service helps you to identify if your account has been compromised before. Search your domain or email address in our breach database for immediate detection.
  • Phishing Domain Feeds: Follow, download and analyze fraudulent domains per day that are defined as risky from our proprietary phishing algorithm.
  • Honeypot Feeds: Collect hundreds of blacklisted IP addresses per day that are defined as risky from our honeypot system.
  • GDPR Checker: See the compliance levels of your organization according to GDPR standards.

https://blackkite.com/community/


NirSoft Utilities


The NirSoft web site provides a unique collection of small and useful freeware utilities.

  • NirLauncher
  • Password Recovery Utilities
  • Network Monitoring Tools
  • Internet Related Utilities
  • MS-Outlook Tools
  • Command-Line Utilities
  • Desktop Utilities
  • Freeware System Tools

https://www.nirsoft.net/


NirSoft - NirLauncher

NirLauncher is a package of more than 200 portable freeware utilities for Windows, all of them developed for the NirSoft web site during the last few years.

  • NirLauncher can be used from a USB flash drive without any installation.
  • NirLauncher and all the utilities in the package are completely freeware, without any spyware/adware/malware.
  • For every utility in the package, you can easily run it, view the help file, or jump to the web page of the utility.
  • NirLauncher also allows you to add more software packages in addition to the main NirSoft package.
  • Add Microsoft Sysinternals Suite

https://launcher.nirsoft.net/


NirSoft - Password Recovery Utilities

  • WebBrowserPassView - View the passwords stored by your Web browser (Supports Internet Explorer, Firefox, Chrome, Safari, and Opera)
  • RouterPassView: Router Password Recovery - Extract passwords and other information from router backup file (For supported routers).
  • Mail PassView - Recover the passwords of popular email clients: Outlook Express, MS Outlook, Eudora, Mozilla Thunderbird, and more...
  • Dialupass: Dialup Password Recovery - Recovers the passwords of dialup entries (VPN and Internet connections). Works also under Windows 2000/XP.
  • Network Password Recovery - Freeware utility that recovers the network passwords stored by Windows XP (Credentials file).
  • BulletsPassView - Reveal the passwords hidden behind asterisk ('****') or bullets characters in standard password text-boxes.
  • WirelessKeyView - Recover lost wireless network key stored on Windows
  • PstPassword - Recover the password of Outlook PST file.

https://www.nirsoft.net/utils/index.html#password_utils


NirSoft – Network Monitoring Tools

  • WirelessNetView - View the details of all wireless networks in your area (SSID, Signal Quality, MAC Address, and more...)
  • Wireless Network Watcher - Show who is connected to your wireless network.
  • BluetoothView - Monitor the Bluetooth activity around you.
  • SmartSniff: TCP/IP Sniffer - Capture TCP/IP packets on your network adapter and view the captured data as sequence of conversations between clients and servers.
  • CurrPorts: TCP/IP Connections Viewer - Freeware tool that displays the list of all currently opened TCP and UDP ports on your local computer.
  • AdapterWatch - displays useful information about your network adapters: IP addresses, Hardware address, WINS servers, DNS servers, MTU value, Number of bytes received or sent, The current transfer speed, and more...
  • DownTester - Test the download speed of your Internet connection.

https://www.nirsoft.net/utils/index.html#network_utils


NirSoft – Internet Utilities

  • BrowsingHistoryView: Web Browser History Viewer - View browsing history of your Web browsers (Firefox, Chrome, IE, Edge)
  • IPNetInfo - Find all available information about an IP address: The owner of the IP address, the country/state name, IP addresses range, contact information (address, phone, fax, and email), and more.
  • MyLastSearch - View your latest searches with Google, Yahoo, and MSN.
  • VideoCacheView - Copy video files (.flv and others) from the Web browser cache and temporary folder.
  • SiteShoter - Take a screenshot of a Web site.
  • DNSDataView - DNS lookup tool that views the DNS records of specified domains.
  • IECookiesView: Cookies Viewer/Manager for IE - View/Delete/Modify the cookies that Internet Explorer stores on your computer.
  • IEHistoryView - View/Delete the URLs that you visited in the last few days.
  • WhoisThisDomain - Get information about a registered domain.

https://www.nirsoft.net/utils/index.html#internet_utils


NirSoft – Outlook Tools

  • NK2Edit - Edit, delete, add, merge, and repair records in the AutoComplete files (.NK2) of Outlook.
  • OutlookAttachView - View and extract attachments of your Outlook mailbox.
  • OutlookStatView - Get statistics about your Outlook mailbox.
  • OutlookAddressBookView - View or export the address book of Outlook.

https://www.nirsoft.net/utils/index.html#outlook_utils


NirSoft – Command-Line Tools

  • NirCmd: Freeware Command-Line Tool - Do some useful tasks from the command line: turn off your monitor, turn off the computer, open/close the door of your CD-ROM drive, dial a VPN/Internet connection, change your display settings, and much more.
  • SoundVolumeView - Control the sound volume from the command line or GUI on Windows 10/7/8/2008.
  • GUIPropView - Hide, show, disable, enable, minimize, maximize and resize windows from the command line.

https://www.nirsoft.net/utils/index.html#commandline_utils


NirSoft – Desktop Utilities

  • UninstallView - Alternative to the software uninstaller of Windows.
  • SearchMyFiles - Alternative to 'Search For Files And Folders' module of Windows and also duplicate files search.
  • Volumouse - Control the sound volume with your mouse wheel.
  • FileTypesMan - Alternative to 'File Types' manager of Windows.

https://www.nirsoft.net/utils/index.html#desktop_utils


NirSoft – System Tools

  • ProduKey - Recover Office/Windows CD-Key
  • ShellExView - Displays the details of shell extensions installed on your computer, and allows you to easily disable and enable each shell extension.
  • WhatInStartup - Add, delete, modify or disable programs that run at Windows startup.
  • USBDeview - View all installed/connected USB devices on your system.
  • DevManView - Alternative to device manager of Windows.
  • DriverView - List all device drivers currently loaded on your Windows.
  • RegScanner (Registry Scanner) - Scan and find values in the Registry.
  • OpenedFilesView - View opened/locked files in your system.
  • SysExporter - Grab the data stored in standard list-views, list boxes, and combo boxes from almost any application running on your system, and export it to text, HTML or XML file.
  • BlueScreenView - View crash information stored in the MiniDump files created on a Windows blue screen.

https://www.nirsoft.net/utils/index.html#system_utils

