
Powerful Tools


In the field of cybersecurity and digital forensics, having the right set of tools is essential to effectively analyze, detect, and respond to threats. During my studies, I relied on a variety of powerful tools to perform various analyses.

Below, I’ve compiled a list of tools. This list is not intended to present the best or most powerful tools, nor all the tools available on the Internet, but rather tools that have sparked my interest as part of my blue team activities. Everyone is free to use the tools they prefer; the important thing is to be familiar with them.

Threat Hunting Tools

  • Wireshark
    Wireshark is a network protocol analyzer used to capture and examine data passing through a network in real-time. It is essential for detailed analysis of network communications and diagnosing performance and security issues.
    https://www.wireshark.org/

  • URLScan
    URLScan (urlscan.io) is an online service that visits a submitted URL in a sandboxed browser and records what happens: the requests made, the domains and IPs contacted, the DOM, and a screenshot. It is a safe way to inspect a suspicious link without opening it yourself. Note that scans submitted with the default public visibility are searchable by anyone, so use the unlisted or private options for URLs that reveal an ongoing incident or a target.
    https://urlscan.io/

  • VirusTotal
    VirusTotal is a well-known service that scans files and URLs against dozens of antivirus engines and sandboxes and aggregates the verdicts, together with community comments and relations between samples, domains and IPs. Look up the file hash (MD5, SHA-1 or SHA-256) before uploading anything: uploaded samples are shared with the participating vendors and with paying users, which may be unacceptable for documents from your own organization.
    https://www.virustotal.com/gui/home/upload

  • Elastic/OpenSearch
    Elastic (Elasticsearch and Kibana) and OpenSearch are search and analytics engines rather than SIEMs in themselves; the SIEM features sit on top of them (Elastic Security on the Elastic side, the Security Analytics plugin on OpenSearch). They are well suited to environments with large volumes of logs, which can be queried with KQL (Kibana Query Language) in Kibana or DQL (Dashboards Query Language) in OpenSearch Dashboards, and they serve detection and hunting better than forensic analysis of a single machine. OpenSearch is an Apache-2.0 licensed fork of Elasticsearch and Kibana 7.10 originally created by Amazon, and it is a recommended option for those looking to deploy one of these solutions.
    https://www.elastic.co/
    https://opensearch.org/

  • OpenCTI
    OpenCTI (Open Cyber Threat Intelligence) is an open-source platform for managing and sharing cyber threat intelligence. It centralizes, structures and links threat information (indicators, malware, intrusion sets, reports) using the STIX 2.1 data model, so that it can be analyzed and fed to other tools to improve organizational cybersecurity.
    https://github.com/OpenCTI-Platform/opencti

  • Joe Sandbox
    Joe Sandbox is a malware analysis platform that executes suspicious files in an isolated environment and observes their behavior. It generates detailed reports on the activities of the malware (processes, files, registry, network), aiding in threat detection and analysis. As with any online sandbox, check the sharing terms of the tier you use before submitting a sensitive file.
    https://www.joesandbox.com/

  • Cuckoo Sandbox
    Cuckoo Sandbox is a self-hosted alternative to Joe Sandbox. The project is no longer actively maintained and its last release still targets Python 2, but it remains relevant for dynamic malware analysis, and actively maintained forks such as CAPEv2 exist.
    https://github.com/cuckoosandbox

Log Analysis Tools

  • Timeline Explorer
    Timeline Explorer is Eric Zimmerman's viewer for CSV and Excel timeline data, with the filtering, grouping and pivoting needed to interpret the events that occurred on a system over time. It is typically fed with the output of the other Zimmerman tools, for instance MFTECmd for the MFT (Master File Table) and EvtxECmd for EVTX (Windows Event Log) files. Eric Zimmerman's tools are highly regarded in the forensic community.
    https://ericzimmerman.github.io/#!index.md

  • APT-Hunter
    APT-Hunter is an EVTX log analysis tool that runs a set of detections over Windows event logs and writes the hits to spreadsheets. Opened in Timeline Explorer, this output makes it quick to surface attacker activity, including the kind of long-running intrusions associated with advanced persistent threats.
    https://github.com/ahmedkhlief/APT-Hunter

  • Hayabusa
    Hayabusa, from Yamato Security, is similar to APT-Hunter: it scans EVTX files and produces a CSV or JSON timeline that can be loaded in Timeline Explorer. Its detections come from Sigma rules together with Hayabusa's own rule set, so it covers far more techniques than a hand-written list of event IDs.
    https://github.com/Yamato-Security/hayabusa

  • Autopsy
    Autopsy is a graphical interface for the Sleuth Kit forensic toolset. It facilitates detailed analysis of disk images and partitions by allowing examination of file systems, keyword searching, and recovery of deleted data.
    https://www.autopsy.com/
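Hayabusa and APT-Hunter both apply detection rules to EVTX records and write a timeline that Timeline Explorer can open. The Python script below is an added example, not code from either project: it implements the core of a Sigma rule (a single `selection` map whose keys are AND-ed, whose list values are OR-ed, and whose `|contains`, `|startswith` and `|endswith` modifiers compare case-insensitively) over a handful of constructed event records shaped like EvtxECmd JSON, and emits a time-sorted CSV of the hits. The field names, rule titles and events are invented for the example; real Sigma rules also carry `condition` expressions, aggregations and log-source field mappings that this matcher does not handle.

```python
"""Minimal Sigma-style matching over Windows event records (added example)."""
import csv
import io

# Constructed events in the shape of EvtxECmd/Hayabusa JSON output. Sample data, not real logs.
EVENTS = [
    {"TimeCreated": "2024-05-02T09:14:03Z", "Channel": "Security", "EventID": 4688, "Computer": "WS01",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "cmd.exe /c powershell -enc SQBFAFgA"},
    {"TimeCreated": "2024-05-02T09:14:05Z", "Channel": "Security", "EventID": 4688, "Computer": "WS01",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe notes.txt"},
    {"TimeCreated": "2024-05-02T09:20:41Z", "Channel": "Security", "EventID": 4624, "Computer": "WS01",
     "LogonType": 10, "TargetUserName": "svc_backup", "IpAddress": "10.0.0.55"},
    {"TimeCreated": "2024-05-02T09:21:00Z", "Channel": "Security", "EventID": 1102, "Computer": "WS01",
     "SubjectUserName": "svc_backup"},
]

# Hypothetical rules in the Sigma "selection" style (only the selection map is supported here).
RULES = [
    {"title": "Office application spawning a shell", "level": "high",
     "detection": {"selection": {"EventID": 4688,
                                 "ParentProcessName|endswith": ["\\WINWORD.EXE", "\\EXCEL.EXE", "\\OUTLOOK.EXE"],
                                 "NewProcessName|endswith": ["\\cmd.exe", "\\powershell.exe"]}}},
    {"title": "Encoded PowerShell command line", "level": "medium",
     "detection": {"selection": {"EventID": 4688, "CommandLine|contains": [" -enc ", " -EncodedCommand "]}}},
    {"title": "RDP logon for service account", "level": "medium",
     "detection": {"selection": {"EventID": 4624, "LogonType": 10, "TargetUserName|startswith": "svc_"}}},
    {"title": "Security log cleared", "level": "critical",
     "detection": {"selection": {"EventID": 1102}}},
]


def field_matches(actual, modifier, expected):
    """Apply one Sigma modifier to a field; strings compare case-insensitively, lists are OR-ed."""
    if actual is None:
        return False
    candidates = expected if isinstance(expected, list) else [expected]
    a = str(actual).lower()
    ops = {
        None: lambda c: a == c,
        "contains": lambda c: c in a,
        "startswith": a.startswith,
        "endswith": a.endswith,
    }
    return any(ops[modifier](str(c).lower()) for c in candidates)


def selection_matches(selection, event):
    """All keys of a selection map must match (AND); 'Field|modifier' keys carry a modifier."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if not field_matches(event.get(field), modifier or None, expected):
            return False
    return True


def run_rules(events, rules):
    """Return one hit per (event, rule) pair, sorted by ISO-8601 timestamp."""
    hits = []
    for ev in events:
        for rule in rules:
            if selection_matches(rule["detection"]["selection"], ev):
                hits.append({"TimeCreated": ev["TimeCreated"], "Computer": ev["Computer"],
                             "EventID": ev["EventID"], "Rule": rule["title"], "Level": rule["level"]})
    hits.sort(key=lambda h: h["TimeCreated"])
    return hits


def to_timeline_csv(hits):
    """Render hits as CSV text, ready to open in Timeline Explorer."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["TimeCreated", "Computer", "EventID", "Rule", "Level"])
    writer.writeheader()
    writer.writerows(hits)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_timeline_csv(run_rules(EVENTS, RULES)))
```

Against the four constructed events the matcher produces four hits: the Word-spawned `cmd.exe` triggers both the parent/child rule and the encoded-PowerShell rule, the type-10 logon triggers the RDP rule, and event 1102 triggers the log-cleared rule; the `notepad.exe` event matches nothing. Sorting on the timestamp string works because the timestamps are fixed-width ISO-8601 in UTC; mixed time zones would need real datetime parsing.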

Live Memory Analysis

  • Volatility
    Volatility is a memory forensics framework used to extract and examine artifacts (processes, network connections, injected code, credentials) from a memory image acquired from a compromised system. Volatility 2 runs on Python 2 and still has some plugins that have not been ported, while Volatility 3, the Python 3 rewrite, is the actively developed branch and closes that gap with each release. It may initially be complex to use, but with experience it becomes an invaluable tool.
    https://volatilityfoundation.org/

  • PyDFIR
    PyDFIR is a framework primarily based on Volatility. It is expected to expand with additional network functionalities in the near future.
    https://github.com/PyDFIR
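The process list is the usual starting point of a Volatility session, and the first thing to check is whether the parent/child relationships look like a normal Windows boot: `lsass.exe`, `services.exe` and `wininit.exe` should exist exactly once, `lsass.exe` and `services.exe` should be children of `wininit.exe`, and every `svchost.exe` should be a child of `services.exe`. The Python script below is an added example, not part of Volatility or PyDFIR. It parses a constructed, simplified tab-separated table in the column order of Volatility 3's `windows.pslist` (real output can be exported with the `csv` renderer, `vol -r csv`) and applies those checks. The expected-parent table, the singleton list and the sample processes are assumptions built for the example, not an exhaustive model of Windows.

```python
"""Parent/child sanity checks over Volatility-style pslist output (added example)."""

# Constructed, simplified table (PID, PPID, ImageFileName, CreateTime). Sample data, not a real capture.
PSLIST = """\
PID	PPID	ImageFileName	CreateTime
4	0	System	2024-05-02 07:58:01
368	4	smss.exe	2024-05-02 07:58:02
480	368	csrss.exe	2024-05-02 07:58:03
536	368	wininit.exe	2024-05-02 07:58:03
612	536	services.exe	2024-05-02 07:58:04
628	536	lsass.exe	2024-05-02 07:58:04
740	612	svchost.exe	2024-05-02 07:58:05
2212	1984	explorer.exe	2024-05-02 08:01:10
3300	2212	WINWORD.EXE	2024-05-02 09:13:50
3412	3300	powershell.exe	2024-05-02 09:14:03
4120	2212	lsass.exe	2024-05-02 09:15:22
4500	740	svchost.exe	2024-05-02 09:16:01
"""

# Expected parent image name for core Windows processes (assumed table, lower-case names).
EXPECTED_PARENT = {
    "smss.exe": {"system"},
    "csrss.exe": {"smss.exe"},
    "wininit.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
}
# Processes that must appear exactly once on a healthy system.
SINGLETONS = {"lsass.exe", "services.exe", "wininit.exe"}


def parse_pslist(text):
    """Parse a tab-separated pslist table into dicts with integer PID/PPID."""
    lines = text.strip().splitlines()
    header = lines[0].split("\t")
    rows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split("\t")))
        rec["PID"] = int(rec["PID"])
        rec["PPID"] = int(rec["PPID"])
        rows.append(rec)
    return rows


def check_process_tree(procs):
    """Return (severity, pid, message) findings for unexpected parents, orphans and duplicates."""
    by_pid = {p["PID"]: p for p in procs}
    counts = {}
    findings = []
    for p in procs:
        name = p["ImageFileName"].lower()
        counts[name] = counts.get(name, 0) + 1
        parent = by_pid.get(p["PPID"])
        expected = EXPECTED_PARENT.get(name)
        if expected is not None:
            if parent is None:
                # csrss.exe/wininit.exe normally outlive the smss.exe that started them, so a
                # missing parent is only informational for the known processes.
                findings.append(("info", p["PID"], f"{name}: parent PID {p['PPID']} not in list"))
            elif parent["ImageFileName"].lower() not in expected:
                findings.append(("high", p["PID"],
                                 f"{name} spawned by {parent['ImageFileName']} (PID {parent['PID']}), "
                                 f"expected {'/'.join(sorted(expected))}"))
        elif parent is None and p["PPID"] != 0:
            # explorer.exe is parented by userinit.exe, which exits; still worth a glance.
            findings.append(("info", p["PID"], f"{name} is orphaned (parent PID {p['PPID']} not in list)"))
    for name in sorted(SINGLETONS):
        if counts.get(name, 0) > 1:
            findings.append(("high", None, f"{counts[name]} instances of {name}; expected exactly one"))
    return findings


if __name__ == "__main__":
    for severity, pid, message in check_process_tree(parse_pslist(PSLIST)):
        print(f"[{severity}] PID {pid}: {message}")
```

On the sample table the script flags the second `lsass.exe` (PID 4120) for being spawned by `explorer.exe`, the `svchost.exe` at PID 4500 for being started by another `svchost.exe`, and the fact that `lsass.exe` appears twice; the orphaned `explorer.exe` is reported at informational level only. Real investigations should repeat the check against `windows.psscan`, which also recovers terminated and unlinked processes that `pslist` does not show.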

Virtual Machines / Bundles of Tools

  • SIFT Workstation
    SIFT Workstation is a free, Ubuntu-based distribution from SANS, pre-configured with forensic and incident response tools such as Volatility and the Sleuth Kit. It is designed to be a comprehensive digital forensic environment, available as a ready-made VM or as a package set to install on an existing Ubuntu.
    https://www.sans.org/tools/sift-workstation/

  • REMnux
    REMnux is a Linux distribution specialized in malware analysis and reverse engineering. It bundles tools for static and dynamic analysis of malicious code, network traffic analysis, and the forensic investigations that go with them.
    https://remnux.org/

  • Flare VM
    Flare VM is a collection of PowerShell installation scripts that turns a fresh Windows VM into a reverse engineering and malware analysis environment. It serves as a Windows counterpart to SIFT Workstation and REMnux; install it on a dedicated, snapshotted VM, since the tools it pulls in (and the samples you will run) do not belong on a daily-use machine.
    https://github.com/mandiant/flare-vm

Incident Response Tools

  • Velociraptor
    Velociraptor is an open-source, agent-based incident response platform. Collections and hunts are written in VQL (Velociraptor Query Language) and can be run across an entire fleet at once, which makes it well suited to triage and artifact collection from many potentially compromised systems.
    https://docs.velociraptor.app/

  • DFIR-ORC
    DFIR ORC, developed by ANSSI, is a forensic artifact collection tool for Windows. It packages a configurable set of collectors into a single portable executable that gathers the data needed to respond to an incident (MFT, registry hives, event logs, and more) in a reliable and reproducible way, without installing anything on the target.
    https://github.com/DFIR-ORC/dfir-orc

This list will evolve over time. I hope it will help you as much as it has helped me in the past.
