Awesome Incident Response

A curated list of tools and resources for security incident response, aimed at helping security analysts and DFIR teams.
Digital Forensics and Incident Response (DFIR) teams are groups of people in an organization responsible for managing the response to a security incident, including gathering evidence of the incident, remediating its effects, and implementing controls to prevent the incident from recurring in the future.
Contents
- Adversary Emulation
- All-In-One Tools
- Books
- Communities
- Disk Image Creation Tools
- Evidence Collection
- Incident Management
- Knowledge Bases
- Linux Distributions
- Linux Evidence Collection
- Log Analysis Tools
- Memory Analysis Tools
- Memory Imaging Tools
- OSX Evidence Collection
- Other Lists
- Other Tools
- Playbooks
- Process Dump Tools
- Sandboxing/Reversing Tools
- Scanner Tools
- Timeline Tools
- Videos
- Windows Evidence Collection
IR Tools Collection
Adversary Emulation
- APTSimulator - Windows Batch script that uses a set of tools and output files to make a system look as if it was compromised.
- Atomic Red Team (ART) - Small and highly portable detection tests mapped to the MITRE ATT&CK Framework.
- AutoTTP - Automated Tactics, Techniques & Procedures. Automates the re-running of complex TTP sequences for regression tests, product evaluations, and generating data for researchers.
- Caldera - Automated adversary emulation system that performs post-compromise adversarial behavior within Windows Enterprise networks. It generates plans during operation using a planning system and a pre-configured adversary model based on the Adversarial Tactics, Techniques & Common Knowledge (ATT&CK™) project.
- DumpsterFire - Modular, menu-driven, cross-platform tool for building repeatable, time-delayed, distributed security events. Easily create custom event chains for Blue Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations.
- Metta - Information security preparedness tool to do adversarial simulation.
- Network Flight Simulator - Lightweight utility used to generate malicious network traffic and help security teams to evaluate security controls and network visibility.
- Red Team Automation (RTA) - RTA provides a framework of scripts designed to allow blue teams to test their detection capabilities against malicious tradecraft, modeled after MITRE ATT&CK.
- RedHunt-OS - Virtual machine for adversary emulation and threat hunting.
All-In-One Tools
- Belkasoft Evidence Center - The toolkit will quickly extract digital evidence from multiple sources by analyzing hard drives, drive images, memory dumps, iOS, Blackberry and Android backups, UFED, JTAG and chip-off dumps.
- CimSweep - Suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows.
- CIRTkit - CIRTKit is not just a collection of tools, but also a framework to aid in the ongoing unification of Incident Response and Forensics investigation processes.
- Cyber Triage - Cyber Triage collects and analyzes host data to determine if it is compromised. Its scoring system and recommendation engine allow you to quickly focus on the important artifacts. It can import data from its collection tool, disk images, and other collectors (such as KAPE). It can run on an examiner's desktop or in a server model. Developed by Sleuth Kit Labs, which also makes Autopsy.
- Dissect - Dissect is a digital forensics & incident response framework and toolset that allows you to quickly access and analyse forensic artefacts from various disk and file formats, developed by Fox-IT (part of NCC Group).