##Forensics & Incident Response


Better security - Mean time to detect/Mean time to respond


Human Hunting

  • Much of what appears to be happening in information security seems to be focused on replacing humans with magic boxes and automation rather than providing tools to augment human capabilities. However, when we look at good physical security we see technology being used to augment human capabilities rather than simply replace them. The adversary is human, so we are ultimately looking for human-directed behaviors. If analysts don't know how to go looking for evil without automated detection tools, they are not going to be able to effectively evaluate whether the detection tools are working properly or whether the deployment was properly engineered. An over-reliance on automated detection also puts organizations in a position of paying protection money if they want to remain secure. We should be spending more resources on honing analyst hunting skills to find human adversaries rather than purchasing more automated defenses for human adversaries to bypass.

Claimsman

  • Claimsman logs all file handle creation on Windows systems, and logs to both a local file and a centralized log management system.


  • Web interface for the Volatility Memory Forensics Framework

Finding Bad Guys with 35 million Flows, 2 Analysts, 5 Minutes and 0 Dollars

  • There are a lot of proof of concepts out there for building open source networks forensics analysis environments. Taking them into production in an enterprise? Another story entirely. This talk will focus on my journey into constructing a large scale Netflow security analytics platform for a large healthcare management company's complex environment on no additional budget. Important points to be covered were technology considerations, scalability, and how to quickly break the collected data down to find malicious activity on the network with minimal effort.

Fully Integrated Defense Operation (FIDO)

  • FIDO is an orchestration layer used to automate the incident response process by evaluating, assessing and responding to malware. FIDO’s primary purpose is to handle the heavy manual effort needed to evaluate threats coming from today's security stack and the large number of alerts generated by them. As an orchestration platform FIDO can make using your existing security tools more efficient and accurate by heavily reducing the manual effort needed to detect, notify and respond to attacks against a network.

Unmasking Careto through Memory Analysis - Andrew Case

IRMA - Incident Response & Malware Analysis

  • IRMA intends to be an open-source platform designed to help identify and analyze malicious files. However, today's defense is not only about learning about a file, but also about getting a fine-grained overview of the incident you dealt with: where and when a malicious file has been seen, who submitted a hash, where a hash has been noticed, which anti-virus engines detect it, ... An important value of IRMA is that you keep control over where your data goes and who gets it. Once you install IRMA on your network, your data stays on your network. Each submitted file is analyzed in various ways. For now, we focus our efforts on multiple anti-virus engines, but we are working on other "probes" (feel free to submit your own).

###Sniper Forensics

The Malware Management Framework

LiME - Linux Memory Extractor

  • A Loadable Kernel Module (LKM) which allows for volatile memory acquisition from Linux and Linux-based devices, such as Android. This makes LiME unique as it is the first tool that allows for full memory captures on Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.


  • Triage: Incident Response automatically collects information from a system that needs basic triage functions performed on it. The script allows for easy modification and customization to your needs, in an easy-to-comprehend and easy-to-implement language. This tool uses a lot of others to get its information. Eventually I hope to eliminate the need for them, but use them as verification. This tool requires you to download the Sysinternals Suite if you want full functionality.

Computer Security Incident Handling Guide - NIST

An Incident Handling Process for Small and Medium Businesses - SANS 2007

Triaging Malware Incidents

  • Good writeup/blogpost from Journey into Incident Response

How to Pull passwords from a memory dump

Sniper Forensics

Forensics on Amazon's EC2

SSDeep

  • ssdeep is a program for computing context triggered piecewise hashes (CTPH). Also called fuzzy hashes, CTPH can match inputs that have homologies. Such inputs have sequences of identical bytes in the same order, although bytes in between these sequences may be different in both content and length.
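The following is an added example (not ssdeep's own code) of the CTPH idea in the description above: a rolling hash over a 7-byte window decides where each piece ends, every piece is reduced to one character, and two signatures are scored by edit distance. The rolling hash, piece hash and scoring function are simplified stand-ins chosen for this example, and the inputs are constructed pseudo-random buffers, so the numbers are illustrative rather than ssdeep's.

```python
"""Simplified context-triggered piecewise hashing (CTPH), ssdeep-style.

Added example, not ssdeep's code. The rolling hash (sum of a 7-byte
window), the piece hash (FNV-1a reduced to one base64 character) and the
edit-distance score are simplified stand-ins (assumptions of this example);
the mechanism is the real one: piece boundaries depend only on local
content, so an edit changes the characters covering that region and
nothing else.
"""
import random

WINDOW = 7             # bytes in the rolling-hash window
MIN_BLOCKSIZE = 3
MAX_SIG_LEN = 64       # ssdeep's cap on signature length (SPAMSUM_LENGTH)
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def rolling_hash(window: bytes) -> int:
    # Simplification: ssdeep combines three running terms; a plain sum
    # is enough to make boundaries content-defined for this demo.
    return sum(window)


def piece_hash(piece: bytes) -> str:
    # 32-bit FNV-1a over the piece, keeping the low 6 bits as one character.
    h = 0x811C9DC5
    for b in piece:
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return B64[h & 63]


def signature(data: bytes, blocksize: int) -> str:
    """One character per piece; a piece ends where the rolling hash hits the trigger."""
    chars, start = [], 0
    for i in range(WINDOW, len(data) + 1):
        if rolling_hash(data[i - WINDOW:i]) % blocksize == blocksize - 1:
            chars.append(piece_hash(data[start:i]))
            start = i
    if start < len(data):                  # trailing piece
        chars.append(piece_hash(data[start:]))
    return "".join(chars)


def fuzzy_hash(data: bytes) -> str:
    """'blocksize:sig:sig2', doubling blocksize until sig fits, sig2 at 2x blocksize."""
    bs = MIN_BLOCKSIZE
    while True:
        sig = signature(data, bs)
        if len(sig) <= MAX_SIG_LEN or bs > len(data):
            break
        bs *= 2
    return f"{bs}:{sig}:{signature(data, bs * 2)}"


def edit_distance(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def compare(h1: str, h2: str) -> int:
    """Similarity 0..100. Only equal or adjacent block sizes are comparable."""
    bs1, s1, s1x = h1.split(":")
    bs2, s2, s2x = h2.split(":")
    bs1, bs2 = int(bs1), int(bs2)
    if bs1 == bs2:
        pairs = [(s1, s2), (s1x, s2x)]
    elif bs1 == 2 * bs2:
        pairs = [(s1, s2x)]
    elif bs2 == 2 * bs1:
        pairs = [(s1x, s2)]
    else:
        return 0
    best = 0
    for x, y in pairs:
        if x and y:
            best = max(best, 100 - 100 * edit_distance(x, y) // max(len(x), len(y)))
    return best


def demo() -> dict:
    """Constructed inputs: a 4 KiB pseudo-random buffer, the same buffer with
    256 bytes overwritten in the middle, and an unrelated buffer of equal size."""
    rng = random.Random(1)
    original = bytes(rng.randrange(256) for _ in range(4096))
    patched = original[:2000] + bytes(rng.randrange(256) for _ in range(256)) + original[2256:]
    unrelated = bytes(rng.randrange(256) for _ in range(4096))
    h = fuzzy_hash(original)
    return {
        "hash": h,
        "identical": compare(h, fuzzy_hash(original)),
        "patched": compare(h, fuzzy_hash(patched)),
        "unrelated": compare(h, fuzzy_hash(unrelated)),
    }


if __name__ == "__main__":
    print(demo())
```

Because piece boundaries are decided by local content, overwriting 256 bytes in the middle of the 4 KiB buffer only changes the handful of characters covering that region, so the patched copy still scores far above an unrelated buffer of the same size. ssdeep proper likewise refuses to compare signatures whose block sizes are neither equal nor adjacent, which `compare` mirrors.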

###Firmware

Firmware Forensics: Diffs, Timelines, ELFs and Backdoors

###Bitlocker

NVbit : Accessing Bitlocker volumes from Linux



  • RAPIER is a security tool built to facilitate first-response procedures for incident handling. It is designed to acquire commonly requested information and samples during an information security event, incident, or investigation. RAPIER automates the entire process of data collection and delivers the results directly to the hands of a skilled security analyst.

###IOC

IOC Bucket

  • IOC sharing platform

###Browser Forensics

Firefox private browsing forensics


  • Recovers the master password of key3.db files, i.e. Thunderbird, Firefox

###Memory Forensics

Detekt

  • Detekt is a Python tool that relies on Yara, Volatility and Winpmem to scan the memory of a running Windows system (currently supporting Windows XP to Windows 8 both 32 and 64 bit and Windows 8.1 32bit). Detekt tries to detect the presence of pre-defined patterns that have been identified through the course of our research to be unique identifiers that indicate the presence of a given malware running on the computer.


  • An extensible network forensic analysis framework. Enables rapid development of plugins to support the dissection of network packet captures.

Memory forensics cheat sheet

Volatility Framework

###Training material

ENISA CERT Exercises and Training

  • The ENISA CERT Exercises and training material was introduced in 2008; in 2012 and 2013 it was complemented with new exercise scenarios containing essential material for success in the CERT community and in the field of information security. On this page you will find the ENISA CERT Exercise material, containing a Handbook for teachers, a Toolset for students and a Virtual Image to support hands-on training sessions.

###Presentations & Talks

Ways to Identify Malware on a System - Ryan Irving

Investigating PowerShell Attacks - Ryan Kazanciyan and Matt Hastings - DEFCON22

  • This presentation will focus on common attack patterns performed through PowerShell - such as lateral movement, remote command execution, reconnaissance, file transfer, etc. - and the sources of evidence they leave behind. We'll demonstrate how to collect and interpret these forensic artifacts, both on individual hosts and at scale across the enterprise. Throughout the presentation, we'll include examples from real-world incidents and recommendations on how to limit exposure to these attacks.


Secure Deletion of Data from Magnetic and Solid-State Memory

###Mobile Device Forensics

####Android Forensics

Android Forensics class - OpenSecurity Training

  • This class serves as a foundation for mobile digital forensics, forensics of Android operating systems, and penetration testing of Android applications.


  • Androick is a Python tool to help with forensic analysis on Android. Give it the package name and some options and it will automatically download the APK, data, file permissions, manifest, databases and logs. It is easy to use and avoids all the repetitive tasks!

####iOS Forensics


  • iosForensic is a Python tool to help with forensic analysis on iOS. It gets files and logs, extracts sqlite3 databases and converts binary .plist files to XML.

iOS Forensics Analysis (2012) - SANS Whitepaper

iOS Forensic Investigative Methods Guide

###PDF Forensics

PDF Forensics

###Photo Forensics


  • Exif Jpeg header manipulation tool




  • StegExpose is a steganalysis tool specialized in detecting LSB (least significant bit) steganography in lossless images such as PNG and BMP. It has a command line interface and is designed to analyse images in bulk while providing reporting capabilities and customization which is comprehensible for non-forensic experts. The StegExpose rating algorithm is derived from an intelligent and thoroughly tested combination of pre-existing pixel-based steganalysis methods including Sample Pairs by Dumitrescu (2003), RS Analysis by Fridrich (2001), the Chi Square Attack by Westfeld (2000) and Primary Sets by Dumitrescu (2002). In addition to detecting the presence of steganography, StegExpose also features quantitative steganalysis (determining the length of the hidden message). StegExpose is part of my MSc project at the School of Computing of the University of Kent, in Canterbury, UK.
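As an added illustration of one of the methods StegExpose combines (Westfeld's chi-square attack; this is not StegExpose's code), the block below computes the pair-of-values chi-square statistic on a constructed 8-bit grayscale cover, on the same cover after a random message has been written into every pixel's LSB, and on a copy where only the first half of the pixels carry payload. The cover histogram, the embedding routine and the per-degree-of-freedom reading of the statistic are assumptions made for the example.

```python
"""Westfeld's chi-square attack on LSB replacement (one of the methods
StegExpose combines). Added example, not StegExpose's code. Images are
plain lists of 8-bit grayscale values so it runs without an image library;
the cover histogram, the embedding routine and the interpretation of the
statistic are assumptions made for the example.
"""
import random


def histogram(pixels):
    counts = [0] * 256
    for p in pixels:
        counts[p] += 1
    return counts


def chi_square_per_dof(pixels) -> float:
    """Pair-of-values statistic, normalised by degrees of freedom.

    LSB replacement only moves pixels between 2k and 2k+1, and a random
    message makes those two counts converge, so the statistic sinks to
    about 1.0 on a fully embedded image; an untouched image keeps its
    natural imbalance and scores much higher."""
    n = histogram(pixels)
    chi2, pairs = 0.0, 0
    for k in range(128):
        even, odd = n[2 * k], n[2 * k + 1]
        if even + odd == 0:
            continue                       # empty pair carries no information
        expected = (even + odd) / 2
        chi2 += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
        pairs += 1
    return chi2 / max(pairs - 1, 1)


def embed_lsb(pixels, bits):
    """Sequential LSB replacement: pixel i takes message bit i."""
    out = list(pixels)
    for i, bit in enumerate(bits[:len(out)]):
        out[i] = (out[i] & 0xFE) | bit
    return out


def build_cover(seed=7):
    """Constructed cover: every pair (2k, 2k+1) is unbalanced 100 vs 60,
    then shuffled. Real photographs show the same effect more mildly."""
    px = []
    for k in range(128):
        px += [2 * k] * 100 + [2 * k + 1] * 60
    random.Random(seed).shuffle(px)
    return px


def demo() -> dict:
    cover = build_cover()
    rng = random.Random(11)
    bits = [rng.getrandbits(1) for _ in range(len(cover))]   # constructed random payload
    full = embed_lsb(cover, bits)                            # payload in every pixel
    half = embed_lsb(cover, bits[: len(cover) // 2])         # payload in the first half only
    return {
        "cover": chi_square_per_dof(cover),
        "half": chi_square_per_dof(half),
        "stego": chi_square_per_dof(full),
    }


if __name__ == "__main__":
    print(demo())
```

The half-filled image lands in between because sequential embedding leaves the untouched pixels with their original imbalance; Westfeld's attack evaluates the statistic over growing prefixes of the pixel stream and reads the message length off the point where it jumps, which is the quantitative side the StegExpose description refers to.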

###Linux Forensics

###Windows Forensics

####Windows Forensics Tools

NTDSXtract - Active Directory Forensics Framework

  • Description from the page: This framework was developed by the author in order to provide the community with a solution to extract forensically important information from the main database of Microsoft Active Directory (NTDS.DIT).

Did it Execute? - Mandiant

  • You found a malicious executable! Now you’ve got a crucial question to answer: did the file execute? We’ll discuss a few sources of evidence you can use to answer this question. In this post, we will focus on static or “dead drive” forensics on Windows systems. We will cover four main sources of evidence: Windows Prefetch, Registry, Log Files, and File Information.

HowTo: Determine Program Execution

Kansa -A Powershell incident response framework

  • A modular incident response framework in PowerShell. Note: there is a bug that currently crops up on PowerShell version 2 systems; version 3 and later should be fine.

License to Kill: Malware Hunting with the Sysinternals Tools

Windows Program Automatic Startup Locations

Collection of Windows Autostart locations

Spotting the Adversary with Windows Event Log Monitoring - NSA

  • NSA 70-page writeup on Windows event log monitoring


  • This is a forensic tool to deal, in an offline way, with Microsoft Windows® protected data, using the DPAPI (Data Protection API).

Techniques for fast windows forensics investigations

  • Look at sniper forensics, skip around, 18min has resources you want to grab for snapshots

Know your Windows Processes or Die Trying

  • Excellent quick reference on Windows processes with a focus on Win7. Good resource.

WinPrefetchView v1.25

  • Each time you run an application, Windows creates a Prefetch file containing information about the files loaded by the application. The information in the Prefetch file is used to optimize the loading time of the application the next time you run it. WinPrefetchView is a small utility that reads the Prefetch files stored on your system and displays the information stored in them. By looking in these files, you can learn which files every application is using, and which files are loaded on Windows boot.

BTA - AD Security Audit Framework

  • BTA is an open-source Active Directory security audit framework. Its goal is to help auditors harvest the information they need to answer such questions as: Who has rights over a given object (computer, user account, etc.)? Who can read a given mailbox? Which are the accounts with domain admin rights? Who has extended rights (userForceChangePassword, SendAs, etc.)? What are the changes done on an AD between two points in time?
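As an added example of reading the same evidence WinPrefetchView exposes (and that the "Did it Execute?" post above names as a source), the block below parses the executable name, last run time and run count out of an uncompressed Prefetch file. It is not WinPrefetchView's code: the field offsets follow the documented version 17 (Windows XP) and version 23 (Windows 7) layouts and are assumptions of this example, the sample file is constructed in memory, and the Windows 8 and Windows 10 formats are rejected rather than guessed at.

```python
"""Parse execution evidence out of an uncompressed Windows Prefetch file.

Added example, not WinPrefetchView's code. Field offsets follow the
documented version 17 (Windows XP/2003) and version 23 (Windows Vista/7)
layouts and are assumptions of this example; Windows 8 (version 26) and
Windows 10 (version 30, MAM-compressed) use different layouts and are
rejected rather than misparsed. The sample file is constructed in memory.
"""
import struct
from datetime import datetime, timedelta, timezone

# version -> (absolute offset of last-run FILETIME, absolute offset of run count)
LAYOUTS = {
    17: (0x78, 0x90),
    23: (0x80, 0x98),
}
FILE_INFO_SIZE = {17: 68, 23: 156}     # block that follows the 84-byte header
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def is_compressed(data: bytes) -> bool:
    """Windows 10+ writes Prefetch files behind a 'MAM' compression header."""
    return data[:3] == b"MAM"


def parse_prefetch(data: bytes) -> dict:
    if is_compressed(data):
        raise ValueError("MAM-compressed Prefetch (Windows 10+): decompress before parsing")
    if len(data) < 0x54 or data[4:8] != b"SCCA":
        raise ValueError("missing SCCA signature: not a Prefetch file")
    version = struct.unpack_from("<I", data, 0)[0]
    if version not in LAYOUTS:
        raise ValueError(f"unsupported Prefetch format version {version}")
    last_run_off, run_count_off = LAYOUTS[version]
    # 60-byte UTF-16LE executable name at 0x10, NUL-terminated
    name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    return {
        "version": version,
        "executable": name,
        "prefetch_hash": "%08X" % struct.unpack_from("<I", data, 0x4C)[0],
        "last_run": filetime_to_datetime(struct.unpack_from("<Q", data, last_run_off)[0]),
        "run_count": struct.unpack_from("<I", data, run_count_off)[0],
    }


def build_sample(name: str, run_count: int, last_run: datetime, version: int = 23) -> bytes:
    """Constructed minimal .pf image (header + file-information block only)."""
    last_run_off, run_count_off = LAYOUTS[version]
    size = 0x54 + FILE_INFO_SIZE[version]
    buf = bytearray(size)
    struct.pack_into("<I", buf, 0x00, version)
    buf[0x04:0x08] = b"SCCA"
    struct.pack_into("<I", buf, 0x0C, size)           # file size field
    buf[0x10:0x10 + 60] = name.encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", buf, 0x4C, 0x0FE8F3A9)    # prefetch hash: arbitrary value for the demo
    ticks = ((last_run - EPOCH_1601) // timedelta(microseconds=1)) * 10
    struct.pack_into("<Q", buf, last_run_off, ticks)
    struct.pack_into("<I", buf, run_count_off, run_count)
    return bytes(buf)


def demo() -> dict:
    sample = build_sample("CALC.EXE", 5, datetime(2015, 3, 14, 9, 26, 53, tzinfo=timezone.utc))
    return parse_prefetch(sample)


if __name__ == "__main__":
    print(demo())
```

Windows 8 stores several last-run timestamps in a differently laid out file-information block, and Windows 10 compresses the whole file, so a parser that does not check the version and signature silently returns garbage; treat a ValueError here as "use a version-aware parser", not as "the program never ran".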

###OS X Forensics Tools

OS X Auditor

  • OS X Auditor is a free Mac OS X computer forensics tool.


Extensible Metadata Platform

  • The Extensible Metadata Platform (XMP) is an ISO standard, originally created by Adobe Systems Inc., for the creation, processing and interchange of standardized and custom metadata for digital documents and data sets.

Bootkit Disk Forensics - Part 1, Part 2

Windows Memory Analysis Checklist


Event Tracing for Windows and Network Monitor

  • "Event Tracing for Windows, (ETW), has been around for quite a while now as it was introduced in Windows 2000. It's basically instrumented logging that describes what a component is doing. Conceptually, it’s something like the proverbial printf("here1") concept used by programmers, but it is present in retail builds. When you enable logging in a component the result is an ETL (Event Trace Log) file. What’s new is that that Network Monitor can read any ETL file. And with the supplied parsers many network oriented ETW providers can be decoded."

File Signature Table

  • This table of file signatures (aka "magic numbers") is a continuing work-in-progress. I have found little information on this in a single place, with the exception of the table in Forensic Computing: A Practitioner's Guide by T. Sammes & B. Jenkinson (Springer, 2000); that was my inspiration to start this list in 2002. See also Wikipedia's List of file signatures. Comments, additions, and queries can be sent to Gary Kessler at

Handler Diaries - Another Hunting Post (DFIR)

  • Good post on not only knowing the layout, but knowing expected behaviours.

Less is More, Exploring Code/Process-less Techniques and Other Weird Machine Methods to Hide Code (and How to Detect Them)


  • PEview provides a quick and easy way to view the structure and content of 32-bit Portable Executable (PE) and Component Object File Format (COFF) files. This PE/COFF file viewer displays header, section, directory, import table, export table, and resource information within EXE, DLL, OBJ, LIB, DBG, and other file types.

####Hacking Exposed - Automating DFIR Series

Automating DFIR - How to series on programming libtsk with python Part 1

Automating DFIR - How to series on programming libtsk with python Part 2

Automating DFIR - How to series on programming libtsk with python Part 3

Windows Attribute changer

Malware Management Framework - Sniper Forensics Toolkit


  • What is xmount? xmount allows you to convert on-the-fly between multiple input and output hard disk image types. xmount creates a virtual file system using FUSE (Filesystem in Userspace) that contains a virtual representation of the input image. The virtual representation can be in raw DD, DMG, VHD, VirtualBox's virtual disk file format or VMware's VMDK file format. Input images can be raw DD, EWF (Expert Witness Compression Format) or AFF (Advanced Forensic Format) files. In addition, xmount also supports virtual write access to the output files, which is redirected to a cache file. This makes it possible to boot acquired hard disk images using QEMU, KVM, VirtualBox, VMware or the like.

binwally

  • Binary and directory tree comparison tool using the fuzzy hashing concept (ssdeep)

Attrition Forensics

Forensics wiki

Add Enterprise Forensics section? Yelp/Github - OSX Collector - Mass style forensics/management