Awesome Incident Response – Essential Tools And Resources

Digital Forensics and Incident Response (DFIR) teams are groups of people in an organization responsible for managing the response to a security incident, including gathering evidence of the incident, remediating its effects, and implementing controls to prevent the incident from recurring in the future.

Contents

• Adversary Emulation
• All-In-One Tools
• Books
• Communities
• Disk Image Creation Tools
• Evidence Collection
• Incident Management
• Knowledge Bases
• Linux Distributions
• Linux Evidence Collection
• Log Analysis Tools
• Memory Analysis Tools
• Memory Imaging Tools
• OSX Evidence Collection
• Other Lists
• Other Tools
• Playbooks
• Process Dump Tools
• Sandboxing/Reversing Tools
• Scanner Tools
• Timeline Tools
• Videos
• Windows Evidence Collection

IR Tools Collection

Adversary Emulation

• APTSimulator – Windows Batch script that uses a set of tools and output files to make a system look as if it was compromised.
• Atomic Red Team (ART) – Small and highly portable detection tests mapped to the MITRE ATT&CK Framework.
• AutoTTP – Automated Tactics Techniques & Procedures. Re-running complex sequences manually for regression tests, product evaluations, generate data for researchers.
• Caldera – Automated adversary emulation system that performs post-compromise adversarial behavior within Windows Enterprise networks. It generates plans during operation using a planning system and a pre-configured adversary model based on the Adversarial Tactics, Techniques & Common Knowledge (ATT&CK™) project.
• DumpsterFire – Modular, menu-driven, cross-platform tool for building repeatable, time-delayed, distributed security events. Easily create custom event chains for Blue Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations.
• Metta – Information security preparedness tool to do adversarial simulation.
• Network Flight Simulator – Lightweight utility used to generate malicious network traffic and help security teams to evaluate security controls and network visibility.
• Red Team Automation (RTA) – RTA provides a framework of scripts designed to allow blue teams to test their detection capabilities against malicious tradecraft, modeled after MITRE ATT&CK.
• RedHunt-OS – Virtual machine for adversary emulation and threat hunting.

All-In-One Tools

• Belkasoft Evidence Center – The toolkit will quickly extract digital evidence from multiple sources by analyzing hard drives, drive images, memory dumps, iOS, Blackberry and Android backups, UFED, JTAG and chip-off dumps.
• CimSweep – Suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows.
• CIRTkit – CIRTKit is not just a collection of tools, but also a framework to aid in the ongoing unification of Incident Response and Forensics investigation processes.
• Cyber Triage – Cyber Triage collects and analyzes host data to determine if it is compromised. It’s scoring system and recommendation engine allow you to quickly focus on the important artifacts. It can import data from its collection tool, disk images, and other collectors (such as KAPE). It can run on an examiner’s desktop or in a server model. Developed by Sleuth Kit Labs, which also makes Autopsy.
• Dissect – Dissect is a digital forensics & incident response framework and toolset that allows you to quickly access and analyse forensic artefacts from various disk and file formats, developed by Fox-IT (part of NCC Group).
• Doorman – osquery fleet manager that allows remote management of osquery configurations retrieved by nodes. It takes advantage of osquery’s TLS configuration, logger, and distributed read/write endpoints, to give administrators visibility across a fleet of devices with minimal overhead and intrusiveness.
• Falcon Orchestrator – Extendable Windows-based application that provides workflow automation, case management and security response functionality.
• Flare – A fully customizable, Windows-based security distribution for malware analysis, incident response, penetration testing.
• Fleetdm – State of the art host monitoring platform tailored for security experts. Leveraging Facebook’s battle-tested osquery project, Fleetdm delivers continuous updates, features and fast answers to big questions.
• GRR Rapid Response – Incident response framework focused on remote live forensics. It consists of a python agent (client) that is installed on target systems, and a python server infrastructure that can manage and talk to the agent. Besides the included Python API client, PowerGRR provides an API client library in PowerShell working on Windows, Linux and macOS for GRR automation and scripting.
• IRIS – IRIS is a web collaborative platform for incident response analysts allowing to share investigations at a technical level.
• Kuiper – Digital Forensics Investigation Platform
• Limacharlie – Endpoint security platform composed of a collection of small projects all working together that gives you a cross-platform (Windows, OSX, Linux, Android and iOS) low-level environment for managing and pushing additional modules into memory to extend its functionality.
• Matano: Open source serverless security lake platform on AWS that lets you ingest, store, and analyze petabytes of security data into an Apache Iceberg data lake and run realtime Python detections as code.
• MozDef – Automates the security incident handling process and facilitate the real-time activities of incident handlers.
• MutableSecurity – CLI program for automating the setup, configuration, and use of cybersecurity solutions.
• nightHawk – Application built for asynchronous forensic data presentation using ElasticSearch as the backend. It’s designed to ingest Redline collections.
• Open Computer Forensics Architecture – Another popular distributed open-source computer forensics framework. This framework was built on Linux platform and uses postgreSQL database for storing data.
• osquery – Easily ask questions about your Linux and macOS infrastructure using a SQL-like query language; the provided incident-response pack helps you detect and respond to breaches.
• Redline – Provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis, and the development of a threat assessment profile.
• SOC Multi-tool – A powerful and user-friendly browser extension that streamlines investigations for security professionals.
• The Sleuth Kit & Autopsy – Unix and Windows based tool which helps in forensic analysis of computers. It comes with various tools which helps in digital forensics. These tools help in analyzing disk images, performing in-depth analysis of file systems, and various other things.
• TheHive – Scalable 3-in-1 open source and free solution designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly.
• Velociraptor – Endpoint visibility and collection tool
• X-Ways Forensics – Forensics tool for Disk cloning and imaging. It can be used to find deleted files and disk analysis.
• Zentral – Combines osquery’s powerful endpoint inventory features with a flexible notification and action framework. This enables one to identify and react to changes on OS X and Linux clients.