Clone of . For those who would prefer to not be tracked by MS.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

90 KiB

Forensics & Incident Response

Table of Contents


  • Sort sections alphabetically
  • Update ToC

End Sort

Incident Response


  • 101

  • Articles/Talks/Writeups

  • Android & iOS

    • Incident Response for Android and iOS - NowSecure
      • This book will prepare enterprises and practitioners for the inevitable increase in mobile compromise. We will use step-by-step tutorials, guiding the reader from setting up a mobile IR practice all the way through continuous monitoring of mobile devices.
  • General

  • Papers

  • Talks/Presentations/Videos

    • Anti-Forensics for the Louise - Derbycon - int0x80 (of Dual Core)
    • Hardware Backdooring is Practical** -Jonathan Brossard
    • Hiding the breadcrumbs: Forensics and anti-forensics on SAP systems - Juan Perez-Etchegoyen
      • The largest organizations in the world rely on SAP platforms to run their critical processes and keep their business crown jewels: financial information, customer data, intellectual property, credit cards, human resources salaries, sensitive materials, suppliers and more. Everything is there and attackers know it. For several years at Onapsis we have been researching on how cyber-criminals might be able to break into ERP systems in order to help organizations better protect themselves. This has enabled us to gain a unique expertise on which are the most critical attack vectors and what kind of traces they leave (and don’t) over the victim’s SAP platforms. SAP systems need to be ready for Forensic Analysis, so the big question is: Are your systems prepared to retain the attackers breadcrumbs in the event of an attack? Join us and learn how to do a forensic analysis of an SAP system, looking for traces of a security breach We will also show novel techniques being used by attackers to avoid being detected during post attack forensic investigations. Vulnerabilities related to anti-forensic techniques will be presented together with their mitigation. NEW New attacks never presented before will be shown. JAVA, ABAP and BO systems will be covered.
    • Forensics Impossible: Self-Destructing Thumb Drives - Brandon Wilson
    • Anti-Forensics and Anti-Anti-Forensics Attacks - Michael Perkins
      • Everyone's heard the claim: Security through obscurity is no security at all. Challenging this claim is the entire field of steganography itself - the art of hiding things in plain sight. Most people know you can hide a text file inside a photograph, or embed a photograph inside an MP3. But how does this work under the hood? What's new in the stego field? This talk will explore how various techniques employed by older steganographic tools work and will discuss a new technique developed by the speaker which embodies both data hiding and data enciphering properties by encoding data inside NTFS volumes. A new tool will be released during this talk that will allow attendees to both encode and decode data with this new scheme.
      • Slides: Slides(link)
    • Destroying Evidence Before Its Evidence
    • And That's How I Lost My Other Eye...Explorations in Data Destruction
    • An Anti-Forensics Primer - Jason Andress
    • This talk will cover the basics of anti-forensics, the tools and techniques that can be used to make life harder for computer forensic examiners. We will cover some of the basic methods that are used (disk wiping, time stomping, encryption, etc…) and talk about which of these methods might actually work and which are easily surmounted with common forensic tools.
    • Anti-Forensics for Fun and Privacy - Alissa Gilbert(Shmoocon 2020)
      • Want to learn how to avoid surveillance and investigators? Anti-forensics is the practice of modifying or removing data so that others cannot find it later during an investigation. While annoying to forensic practitioners and law enforcement, it is unavoidable to help maintain privacy in a world of shady ToS, snooping partners, and potential search and seizures. How far do you need to go to maintain your privacy? This talk will break down anti-forensics techniques that you can use to protect yourself from audiences like your mom to an extreme nation-state level actor. The only thing more fun than forensics is anti-forensics.
  • Tools

    • usbkill
      • A tool that shuts down your computer if USB devices change, for example if you unplug or plug-in a device.
    • CleanAfterMe
      • CleanAfterMe allows you to easily clean files and Registry entries that are automatically created by the Windows operating system during your regular computer work. With CleanAfterMe, you can clean the cookies/history/cache/passwords of Internet Explorer, the 'Recent' folder, the Registry entries that record the last opened files, the temporary folder of Windows, the event logs, the Recycle Bin, and more.
  • Miscellaneous

General Forensics(Systems Agnostic - as much as one can be)

  • 101
  • Reference
    • File Signature Table
      • This table of file signatures (aka "magic numbers") is a continuing work-in-progress. I have found little information on this in a single place, with the exception of the table in Forensic Computing: A Practitioner's Guide by T. Sammes & B. Jenkinson (Springer, 2000); that was my inspiration to start this list in 2002.
  • Articles & Writeups
  • Talks & Presentations
  • Papers
  • Tools
    • binwally
      • Binary and Directory tree comparison tool using the Fuzzy Hashing concept (ssdeep)
    • SSDeep
      • ssdeep is a program for computing context triggered piecewise hashes (CTPH). Also called fuzzy hashes, CTPH can match inputs that have homologies. Such inputs have sequences of identical bytes in the same order, although bytes in between these sequences may be different in both content and length.
    • Xmount
      • What is xmount? xmount allows you to convert on-the-fly between multiple input and output harddisk image types. xmount creates a virtual file system using FUSE (Filesystem in Userspace) that contains a virtual representation of the input image. The virtual representation can be in raw DD, DMG, VHD, VirtualBox's virtual disk file format or in VmWare's VMDK file format. Input images can be raw DD, EWF (Expert Witness Compression Format) or AFF (Advanced Forensic Format) files. In addition, xmount also supports virtual write access to the output files that is redirected to a cache file. This makes it possible to boot acquired harddisk images using QEMU, KVM, VirtualBox, VmWare or alike.
    • PEview
      • PEview provides a quick and easy way to view the structure and content of 32-bit Portable Executable (PE) and Component Object File Format (COFF) files. This PE/COFF file viewer displays header, section, directory, import table, export table, and resource information within EXE, DLL, OBJ, LIB, DBG, and other file types.
    • SQLite
  • Training
  • Miscellaneous
    • The Sleuth Kit
      • The Sleuth Kit is an open source forensic toolkit for analyzing Microsoft and UNIX file systems and disks. The Sleuth Kit enables investigators to identify and recover evidence from images acquired during incident response or from live systems. The Sleuth Kit is open source, which allows investigators to verify the actions of the tool or customize it to specific needs. The Sleuth Kit uses code from the file system analysis tools of The Coroner's Toolkit (TCT) by Wietse Venema and Dan Farmer. The TCT code was modified for platform independence. In addition, support was added for the NTFS (see docs/ntfs.README) and FAT (see docs/fat.README) file systems. Previously, The Sleuth Kit was called The @stake Sleuth Kit (TASK). The Sleuth Kit is now independent of any commercial or academic organizations.

Android Forensics

  • 101
  • Articles/Papers/Talks/Writeups
  • General
  • Tools
    • wechat-dump
      • Dump wechat messages from android. Right now it can dump messages in text-only mode, or generate a single-file html containing voice messages, images, emoji, etc.
    • Androick
      • Androick is a python tool to help in forensics analysis on android. Put the package name, some options and the program will download automatically apk, datas, files permissions, manifest, databases and logs. It is easy to use and avoid all repetitive tasks!
  • Training
  • Miscellaneous

Browser Forensics

  • 101
  • Articles/Papers/Talks/Writeups
  • Talks/Presentations/Videos
    • Efficiently Summarizing Web Browsing Activity - Ryan Benson(SANS DFIR Summit2018)
      • Reviewing web browsing activity is relevant in a wide variety of DFIR cases. With many users having multiple devices that may need to be analyzed, we need better ways to get answers quickly. This presentation will show how a synopsis of browsing activity can be a starting point before a deep-dive investigation and can help investigators decide whether a device is relevant to their case. We will also examine if a device is relevant to their case, and how this summary can provide quick answers to some common questions that are useful in communicating one’s findings to a less technical audience.
  • Tools
    • Chrome
      • Chrome Ragamuffin
        • Volatility plugin designed to extract useful information from Google Chrome's address space. The goal of this plugin is to make possible the analysis of a Google Chrome running instance. Starting from a memory dump, Chrome Ragamuffin can list which page was open on which tab and it is able to extract the DOM Tree in order to analyze the full page structure.
    • Firefox
      • MozillaRecovery
        • Recovers the master password of key3.db files, i.e. Thunderbird, Firefox
      • firefox_decrypt
        • Firefox Decrypt is a tool to extract passwords from Mozilla (Firefox/Thunderbird/Seabird) profiles
        •, an open source tool to decrypt Mozilla protected passwords
      • Firefed
        • Firefed is a command-line tool to inspect Firefox profiles. It can extract saved passwords, preferences, addons, history and more. You may use it for forensic analysis, to audit your config for insecure settings or just to quickly extract some data without starting up the browser.
    • Neutral
      • Extension Finder
        • Python and PowerShell utilities for finding installed browser extensions, plug-ins and add-ons. Attempts to find installed browser extensions (sometimes called add-ons or plug-ins, depending on the browser).
      • Hindsight
        • Hindsight is a free tool for analyzing web artifacts. It started with the browsing history of the Google Chrome web browser and has expanded to support other Chromium-based applications (with more to come!). Hindsight can parse a number of different types of web artifacts, including URLs, download history, cache records, bookmarks, autofill records, saved passwords, preferences, browser extensions, HTTP cookies, and Local Storage records (HTML5 cookies). Once the data is extracted from each file, it is correlated with data from other history files and placed in a timeline.
  • Miscellaneous

####Cloud Forensics

  • 101
  • Agnostic/Multiple
    • Articles/Blogposts/Writeups
    • Presentations/Talks/Videos
      • Logging in the Cloud: From Zero to (Incident Response) Hero - Jonathon Poling(2020)
        • Slides
        • So many logs, so little time. What logs even exist? Which are enabled by default? Which are the most critical to enable and configure for effective incident response? AWS. Azure. GCP. My. Dear. God. Send help! And, help you this presentation shall. This session will walk through the most important logging to enable (and how) in each cloud provider to take you from zero to incident response hero!Pre-Requisites: Basic familiarity operating with the three major Cloud providers: AWS, Azure, and GCP.
  • AWS
  • Azure
  • GCP
    • Articles/Blogposts/Writeups
    • Presentations/Talks/Videos
      • Cloud Forensics 101 - Sami Zuhuruddin(Cloud Next '18)
        • We hope it never happens, but we need a plan to deal with 'incidents' should we ever suspect one is happening. This could be anything from an application issue to a suspected compromise. How do we capture needed environment details on the spot and carry out a full investigation? We'll demonstrate the tools and processes that everyone should be familiar with when running in a cloud environment.
  • GSuite
    • Articles/Blogposts/Writeups
    • Presentations/Talks/Videos
      • GSuite Digital Forensics and Incident Response - Megan Roddie(BSides SanAntonio)
        • With the current standard of companies transitioning to the cloud, digital forensic investigators and incident responders are facing new, unknown territory. As a starting point of talking about cloud DFIR, this talk aims to provide a real-life case study of what it is like to respond to an incident in GSuite, Google’s cloud business suite. The goal is that by reviewing this case study the audience will not only learn about GSuite DFIR but also begin to think about how this extends to all cloud environments.
  • O365
    • Tools
      • hawk
        • Powershell Based tool for gathering information related to O365 intrusions and potential Breaches
  • Miscellaneous


Linux Forensics

  • 101
  • Articles/Blogposts/Writeups
  • Presentations/Talks/Videos
  • Tools
    • USB
      • usbrip
        • usbrip is a small piece of software written in pure Python 3 (using some external modules, see Dependencies/pip) which analyzes Linux log data (journalctl output or /var/log/syslog* and /var/log/messages* files, depending on the distro) for constructing USB event history tables. Such tables may contain the following columns: "Connected" (date & time), "Host", "VID" (vendor ID), "PID" (product ID), "Product", "Manufacturer", "Serial Number", "Port" and "Disconnected" (date & time).
  • Miscellaneous

Memory Forensics

  • 101
  • Articles/Papers/Talks/Writeups
  • General
  • Tools
    • lmg - Linux Memory Grabber
    • A script for dumping Linux memory and creating Volatility(TM) profiles.
    • Detekt
      • Detekt is a Python tool that relies on Yara, Volatility and Winpmem to scan the memory of a running Windows system (currently supporting Windows XP to Windows 8 both 32 and 64 bit and Windows 8.1 32bit). Detekt tries to detect the presence of pre-defined patterns that have been identified through the course of our research to be unique identifiers that indicate the presence of a given malware running on the computer.
    • Dshell
      • An extensible network forensic analysis framework. Enables rapid development of plugins to support the dissection of network packet captures.
    • LiME - Linux Memory Extractor
      • A Loadable Kernel Module (LKM) which allows for volatile memory acquisition from Linux and Linux-based devices, such as Android. This makes LiME unique as it is the first tool that allows for full memory captures on Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.
      • Vortessence is a tool, whose aim is to partially automate memory forensics analysis. Vortessence is a project of the Security Engineering Lab of the Bern University of Applied Sciences.
  • Miscellaneous
  • Volatility
    • Volatility
      • An advanced memory forensics framework
    • VolUtility
      • Web Interface for Volatility Memory Analysis framework
    • evolve
      • Web interface for the Volatility Memory Forensics Framework
    • Vortessence

Mobile Device(Android/iOS) Forensics

Network Forensics

OS X Forensics

Windows Forensics

PDF Forensics

SD card Forensics

###< a name="photo">Image Forensics

  • 101
  • Articles/Papers/Talks/Writeups
  • General
  • Tools
    • Extensible Metadata Platform
      • The Extensible Metadata Platform (XMP) is an ISO standard, originally created by Adobe Systems Inc., for the creation, processing and interchange of standardized and custom metadata for digital documents and data sets.
    • jhead
      • Exif Jpeg header manipulation tool
    • Jeffrey's Image Metadata Viewer
  • Miscellaneous


  • 101
  • Articles/Papers/Talks/Writeups
  • General
  • Tools
    • StegExpose
      • StegExpose is a steganalysis tool specialized in detecting LSB (least significant bit) steganography in lossless images such as PNG and BMP. It has a command line interface and is designed to analyse images in bulk while providing reporting capabilities and customization which is comprehensible for non forensic experts. StegExpose rating algorithm is derived from an intelligent and thoroughly tested combination of pre-existing pixel based staganalysis methods including Sample Pairs by Dumitrescu (2003), RS Analysis by Fridrich (2001), Chi Square Attack by Westfeld (2000) and Primary Sets by Dumitrescu (2002). In addition to detecting the presence of steganography, StegExpose also features the quantitative steganalysis (determining the length of the hidden message). StegExpose is part of my MSc of a project at the School of Computing of the University of Kent, in Canterbury, UK.
  • Miscellaneous

Bootkit Disk Forensics