Powerful Tools

In the field of cybersecurity and digital forensics, having the right set of tools is essential to effectively analyze, detect, and respond to threats. During my studies, I relied on a variety of powerful tools to perform various analyses.

Below, I’ve compiled a list of tools. This list is not intended to present the best or most powerful tools, nor all the tools available on the Internet, but rather tools that have sparked my interest as part of my blue team activities. Everyone is free to use the tools they prefer; the important thing is to be familiar with them.

Online tools

  • FARELO (Fast Reputation Lookup)
    FARELO is an online threat intelligence aggregator for quick reputation checks. It allows analysts to query an IP address, domain, CVE, or file hash and retrieves real-time threat data from multiple sources in one place. By combining results from various threat intel databases, FARELO provides a convenient snapshot of malicious indicators associated with the queried entity, saving time in investigations.
    https://farelo.nawhack.fr/

  • Exalyze
    Exalyze is a cloud-based malware analysis platform designed to accelerate static analysis of suspicious files. It can disassemble and inspect binaries within seconds, automating tedious tasks (like extracting interesting API-call sequences) to give analysts a quick overview of capabilities. Exalyze also offers one-click YARA rule generation and a similarity search engine to find related malware samples from a large database, greatly streamlining threat research and hunting.
    https://exalyze.io/

  • Dogbolt
    Dogbolt is an interactive online decompiler service that produces decompiled C-like output from binaries using many popular decompilers in parallel. Essentially the reverse of the Compiler Explorer, it lets you upload a program and compare how tools like Ghidra, IDA Pro’s Hex-Rays, Binary Ninja, and others reconstruct the code. This helps reverse engineers and malware analysts quickly see different decompiler interpretations side-by-side for deeper static analysis.
    https://dogbolt.org/

Threat Hunting Tools

  • Wireshark
    Wireshark is a network protocol analyzer used to capture and examine data passing through a network in real-time. It is essential for detailed analysis of network communications and diagnosing performance and security issues.
    https://www.wireshark.org/

  • URLScan
    URLScan is an online service that analyzes URLs to detect malicious behavior. It provides detailed information about the content and connections of submitted URLs, helping to identify potential threats.
    https://urlscan.io/

  • VirusTotal
    VirusTotal is a well-known service for scanning files and URLs for viruses and other malicious content.
    https://www.virustotal.com/gui/home/upload

  • Elastic/OpenSearch
    Elastic and OpenSearch are open-source SIEMs (Security Information and Event Management) that are particularly useful for incident detection rather than forensic analysis. They are highly effective in environments with large volumes of logs, allowing for efficient querying and analysis using KQL (Kibana Query Language). OpenSearch, maintained by Amazon, is a recommended option for those looking to deploy one of these solutions.
    https://www.elastic.co/
    https://opensearch.org/

  • OpenCTI
    OpenCTI (Open Cyber Threat Intelligence) is an open-source platform that facilitates the management and sharing of cyber threat intelligence. It helps to centralize, structure, and analyze threat information to improve organizational cybersecurity.
    https://github.com/OpenCTI-Platform/opencti

  • Joe Sandbox
    Joe Sandbox is a malware analysis platform that executes suspicious files in an isolated environment to observe their behavior. It generates detailed reports on the activities of the malware, aiding in threat detection and analysis.
    https://www.joesandbox.com/

  • Cuckoo Sandbox
    Cuckoo3 is a modern, Python 3–based rewrite of Cuckoo Sandbox that provides a self-hosted alternative to commercial solutions like Joe Sandbox. Actively developed and open source, it focuses on automated dynamic malware analysis in isolated Windows environments.
    https://github.com/cert-ee/cuckoo3

  • Drakvuf Sandbox
    DRAKVUF Sandbox is an open-source, self-hosted, hypervisor-level malware sandbox built on the DRAKVUF introspection engine. It provides automated, agentless dynamic malware analysis via a web interface for submitting suspicious files and exploring detailed behavioral reports.
    https://github.com/CERT-Polska/drakvuf-sandbox

Log Analysis Tools

  • Timeline Explorer
    Timeline Explorer is a data visualization tool useful for analyzing and interpreting events that have occurred within an operating system over time. It is particularly effective for analyzing MFT (Master File Table) and EVTX (Windows Event Log) files. Eric Zimmerman’s tools, including Timeline Explorer, are highly regarded in the forensic community.
    https://ericzimmerman.github.io/#!index.md

  • APT-Hunter
    APT-Hunter is an EVTX log analysis tool that, when used in conjunction with Timeline Explorer, can yield excellent results for detecting advanced persistent threats.
    https://github.com/ahmedkhlief/APT-Hunter

  • Hayabusa
    Hayabusa is similar to APT-Hunter: it focuses on EVTX log analysis and can be used alongside Timeline Explorer. It offers additional detection capabilities based on Sigma rule sets.
    https://github.com/Yamato-Security/hayabusa

  • Autopsy
    Autopsy is a graphical interface for the Sleuth Kit forensic toolset. It facilitates detailed analysis of disks and partitions by allowing examination of file systems and recovery of deleted data.
    https://www.autopsy.com/

Live Memory Analysis

  • Volatility
    Volatility is a RAM analysis tool used to extract and examine artifacts present in the memory of a compromised system. The Python 2 version of Volatility remains more feature-complete than the Python 3 version, but the community is actively working to enhance the newer version. While it may initially be complex to use, it becomes an invaluable tool with experience.
    https://volatilityfoundation.org/

  • PyDFIR
    PyDFIR is a framework primarily based on Volatility. It is expected to expand with additional network functionalities in the near future.
    https://github.com/PyDFIR

Virtual Machines / Bundles of Tools

  • SIFT Workstation
    SIFT Workstation is an open-source Linux distribution pre-configured with forensic and incident response tools, such as Volatility and Sleuth Kit. It is designed to be a comprehensive digital forensic environment.
    https://www.sans.org/tools/sift-workstation/

  • REMnux
    REMnux is a Linux distribution specialized in reverse engineering. It includes a collection of tools for malware analysis, network traffic analysis, and digital forensic investigations.
    https://remnux.org/

  • Flare VM
    Flare VM is a collection of tools to prepare a Windows VM for reverse engineering and forensic analysis. It serves as a Windows alternative to SIFT Workstation and REMnux.
    https://github.com/mandiant/flare-vm

Incident Response Tools

  • Velociraptor
    Velociraptor is an open-source incident response and analysis tool that allows for large-scale querying and artifact collection from compromised systems.
    https://docs.velociraptor.app/

  • DFIR-ORC
    DFIR ORC is a forensic collection tool for those who need to reliably acquire the data required to respond to security incidents.
    https://github.com/DFIR-ORC/dfir-orc

This list will evolve over time. I hope it will help you as much as it has helped me in the past.