├── .github
│   └── workflows
│       └── main.yml
├── CONTRIBUTING.md
├── LICENSE
├── README.md
└── LIBS.md

--------------------------------------------------------------------------------
/.github/workflows/main.yml:
--------------------------------------------------------------------------------
name: CI

on:
  push:
    branches: [ main ]
  pull_request:
  schedule:
    - cron: '0 0 * * 0'

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v1
    - name: Setup Ruby for use with actions
      uses: actions/setup-ruby@v1
    - name: Test README.md
      run: |
        gem install awesome_bot
        awesome_bot --allow-ssl --request-delay 1 README.md -w "dfir.org,reddit.com,securizame.com,forensicfocus.com,malwaretech.com/labs/,digital-forensics.it,blogspot.com"

--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
**:wave: Don't hesitate to create a pull request when you have something awesome to add.
Someone will fix it if it doesn't completely meet the guidelines.**

# :scroll: Contribution Guidelines

When making a pull request, please follow these guidelines:

- Lists within each section are alphabetized
- Add sections if necessary, use existing sections if possible
- Clear, concise descriptions for each link, followed by a period
- Use the following format: `[Item Name](homepage link) - Description.`
- No duplication of tools, put them where they make the most sense
- Prefer quality over quantity, only submit awesome stuff
- By submitting a pull request, you agree to release your submission under
  the [LICENSE](LICENSE)

:thumbsup: **Thanks!**

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
CC0 1.0 Universal

Statement of Purpose

The laws of most jurisdictions throughout the world automatically confer
exclusive Copyright and Related Rights (defined below) upon the creator and
subsequent owner(s) (each and all, an "owner") of an original work of
authorship and/or a database (each, a "Work").

Certain owners wish to permanently relinquish those rights to a Work for the
purpose of contributing to a commons of creative, cultural and scientific
works ("Commons") that the public can reliably and without fear of later
claims of infringement build upon, modify, incorporate in other works, reuse
and redistribute as freely as possible in any form whatsoever and for any
purposes, including without limitation commercial purposes. These owners may
contribute to the Commons to promote the ideal of a free culture and the
further production of creative, cultural and scientific works, or to gain
reputation or greater distribution for their Work in part through the use and
efforts of others.

For these and/or other purposes and motivations, and without any expectation
of additional consideration or compensation, the person associating CC0 with a
Work (the "Affirmer"), to the extent that he or she is an owner of Copyright
and Related Rights in the Work, voluntarily elects to apply CC0 to the Work
and publicly distribute the Work under its terms, with knowledge of his or her
Copyright and Related Rights in the Work and the meaning and intended legal
effect of CC0 on those rights.

1. Copyright and Related Rights. A Work made available under CC0 may be
protected by copyright and related or neighboring rights ("Copyright and
Related Rights"). Copyright and Related Rights include, but are not limited
to, the following:

i. the right to reproduce, adapt, distribute, perform, display, communicate,
and translate a Work;

ii. moral rights retained by the original author(s) and/or performer(s);

iii. publicity and privacy rights pertaining to a person's image or likeness
depicted in a Work;

iv. rights protecting against unfair competition in regards to a Work,
subject to the limitations in paragraph 4(a), below;

v. rights protecting the extraction, dissemination, use and reuse of data in
a Work;

vi. database rights (such as those arising under Directive 96/9/EC of the
European Parliament and of the Council of 11 March 1996 on the legal
protection of databases, and under any national implementation thereof,
including any amended or successor version of such directive); and

vii. other similar, equivalent or corresponding rights throughout the world
based on applicable law or treaty, and any national implementations thereof.

2. Waiver. To the greatest extent permitted by, but not in contravention of,
applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and
unconditionally waives, abandons, and surrenders all of Affirmer's Copyright
and Related Rights and associated claims and causes of action, whether now
known or unknown (including existing as well as future claims and causes of
action), in the Work (i) in all territories worldwide, (ii) for the maximum
duration provided by applicable law or treaty (including future time
extensions), (iii) in any current or future medium and for any number of
copies, and (iv) for any purpose whatsoever, including without limitation
commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes
the Waiver for the benefit of each member of the public at large and to the
detriment of Affirmer's heirs and successors, fully intending that such Waiver
shall not be subject to revocation, rescission, cancellation, termination, or
any other legal or equitable action to disrupt the quiet enjoyment of the Work
by the public as contemplated by Affirmer's express Statement of Purpose.

3. Public License Fallback. Should any part of the Waiver for any reason be
judged legally invalid or ineffective under applicable law, then the Waiver
shall be preserved to the maximum extent permitted taking into account
Affirmer's express Statement of Purpose. In addition, to the extent the Waiver
is so judged Affirmer hereby grants to each affected person a royalty-free,
non transferable, non sublicensable, non exclusive, irrevocable and
unconditional license to exercise Affirmer's Copyright and Related Rights in
the Work (i) in all territories worldwide, (ii) for the maximum duration
provided by applicable law or treaty (including future time extensions), (iii)
in any current or future medium and for any number of copies, and (iv) for any
purpose whatsoever, including without limitation commercial, advertising or
promotional purposes (the "License"). The License shall be deemed effective as
of the date CC0 was applied by Affirmer to the Work. Should any part of the
License for any reason be judged legally invalid or ineffective under
applicable law, such partial invalidity or ineffectiveness shall not
invalidate the remainder of the License, and in such case Affirmer hereby
affirms that he or she will not (i) exercise any of his or her remaining
Copyright and Related Rights in the Work or (ii) assert any associated claims
and causes of action with respect to the Work, in either case contrary to
Affirmer's express Statement of Purpose.

4. Limitations and Disclaimers.

a. No trademark or patent rights held by Affirmer are waived, abandoned,
surrendered, licensed or otherwise affected by this document.

b. Affirmer offers the Work as-is and makes no representations or warranties
of any kind concerning the Work, express, implied, statutory or otherwise,
including without limitation warranties of title, merchantability, fitness
for a particular purpose, non infringement, or the absence of latent or
other defects, accuracy, or the present or absence of errors, whether or not
discoverable, all to the greatest extent permissible under applicable law.

c. Affirmer disclaims responsibility for clearing rights of other persons
that may apply to the Work or any use thereof, including without limitation
any person's Copyright and Related Rights in the Work. Further, Affirmer
disclaims responsibility for obtaining any necessary consents, permissions
or other rights required for any use of the Work.

d. Affirmer understands and acknowledges that Creative Commons is not a
party to this document and has no duty or obligation with respect to this
CC0 or use of the Work.

For more information, please see
<http://creativecommons.org/publicdomain/zero/1.0/>

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Awesome Forensics [![Link Status](https://github.com/cugu/awesome-forensics/workflows/CI/badge.svg)](https://github.com/cugu/awesome-forensics)

Curated list of awesome **free** (mostly open source) forensic analysis tools and resources.

- Awesome Forensics
  - [Collections](#collections)
  - [Tools](#tools)
    - [Distributions](#distributions)
    - [Frameworks](#frameworks)
    - [Live Forensics](#live-forensics)
    - [IOC Scanner](#ioc-scanner)
    - [Acquisition](#acquisition)
    - [Imaging](#imaging)
    - [Carving](#carving)
    - [Memory Forensics](#memory-forensics)
    - [Network Forensics](#network-forensics)
    - [Windows Artifacts](#windows-artifacts)
      - [NTFS/MFT Processing](#ntfsmft-processing)
    - [OS X Forensics](#os-x-forensics)
    - [Mobile Forensics](#mobile-forensics)
    - [Docker Forensics](#docker-forensics)
    - [Internet Artifacts](#internet-artifacts)
    - [Timeline Analysis](#timeline-analysis)
    - [Disk image handling](#disk-image-handling)
    - [Decryption](#decryption)
    - [Management](#management)
    - [Picture Analysis](#picture-analysis)
    - [Metadata Forensics](#metadata-forensics)
    - [Steganography](#steganography)
  - [Learn Forensics](#learn-forensics)
    - [CTFs and Challenges](#ctfs-and-challenges)
  - [Resources](#resources)
    - [Web](#web)
    - [Blogs](#blogs)
    - [Books](#books)
    - [File System Corpora](#file-system-corpora)
    - [Other](#other)
    - [Labs](#labs)
  - [Related Awesome Lists](#related-awesome-lists)
  - [Contributing](#contributing)

---

## Collections

- [AboutDFIR – The Definitive Compendium Project](https://aboutdfir.com) - Collection of forensic resources for learning and research. Offers lists of certifications, books, blogs, challenges and more
- :star: [ForensicArtifacts.com Artifact Repository](https://github.com/ForensicArtifacts/artifacts) - Machine-readable knowledge base of forensic artifacts

## Tools

- [Forensics tools on Wikipedia](https://en.wikipedia.org/wiki/List_of_digital_forensics_tools)
- [Eric Zimmerman's Tools](https://ericzimmerman.github.io/#!index.md)

### Distributions

- [bitscout](https://github.com/vitaly-kamluk/bitscout) - LiveCD/LiveUSB for remote forensic acquisition and analysis
- [Remnux](https://remnux.org/) - Distro for reverse-engineering and analyzing malicious software
- [SANS Investigative Forensics Toolkit (sift)](https://github.com/teamdfir/sift) - Linux distribution for forensic analysis
- [Tsurugi Linux](https://tsurugi-linux.org/) - Linux distribution for forensic analysis
- [WinFE](https://www.winfe.net/home) - Windows Forensics environment

### Frameworks

- :star: [Autopsy](http://www.sleuthkit.org/autopsy/) - SleuthKit GUI
- [dexter](https://github.com/coinbase/dexter) - Dexter is a forensics acquisition framework designed to be extensible and secure
- [dff](https://github.com/arxsys/dff) - Forensic framework
- [Dissect](https://github.com/fox-it/dissect) - Dissect is a digital forensics & incident response framework and toolset that allows you to quickly access and analyse forensic artefacts from various disk and file formats, developed by Fox-IT (part of NCC Group).
- [hashlookup-forensic-analyser](https://github.com/hashlookup/hashlookup-forensic-analyser) - A tool to analyse files from a forensic acquisition to find known/unknown hashes from the [hashlookup](https://www.circl.lu/services/hashlookup/) API or using a local Bloom filter.
- [IntelMQ](https://github.com/certtools/intelmq) - IntelMQ collects and processes security feeds
- [IPED - Indexador e Processador de Evidências Digitais](https://github.com/sepinf-inc/IPED) - Brazilian Federal Police tool for forensic investigations
- [Kuiper](https://github.com/DFIRKuiper/Kuiper) - Digital Investigation Platform
- [Laika BOSS](https://github.com/lmco/laikaboss) - Laika is an object scanner and intrusion detection system
- [OpenRelik](https://openrelik.org/) - Forensic platform to store file artifacts and run workflows
- [PowerForensics](https://github.com/Invoke-IR/PowerForensics) - PowerForensics is a framework for live disk forensic analysis
- [TAPIR](https://github.com/tap-ir/tapir) - TAPIR (Trustable Artifacts Parser for Incident Response) is a multi-user, client/server, incident response framework
- :star: [The Sleuth Kit](https://github.com/sleuthkit/sleuthkit) - Tools for low level forensic analysis
- [turbinia](https://github.com/google/turbinia) - Turbinia is an open-source framework for deploying, managing, and running forensic workloads on cloud platforms
- [Wombat Forensics](https://github.com/pjrinaldi/wombatforensics) - Forensic GUI tool

### Live Forensics

- [grr](https://github.com/google/grr) - GRR Rapid Response: remote live forensics for incident response
- [Linux Expl0rer](https://github.com/intezer/linux-explorer) - Easy-to-use live forensics toolbox for Linux endpoints written in Python & Flask
- [mig](https://github.com/mozilla/mig) - Distributed & real time digital forensics at the speed of the cloud
- [osquery](https://github.com/osquery/osquery) - SQL powered operating system analytics
- [POFR](https://github.com/gmagklaras/pofr) - The Penguin OS Flight Recorder collects, stores and organizes for further analysis process execution, file access and network/socket endpoint data from the Linux Operating System.
- [UAC](https://github.com/tclahr/uac) - UAC (Unix-like Artifacts Collector) is a Live Response collection script for Incident Response that makes use of native binaries and tools to automate the collection of AIX, Android, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris systems artifacts.

### IOC Scanner

- [Fastfinder](https://github.com/codeyourweb/fastfinder) - Fast customisable cross-platform suspicious file finder. Supports md5/sha1/sha256 hashes, literal/wildcard strings, regular expressions and YARA rules
- [Fenrir](https://github.com/Neo23x0/Fenrir) - Simple Bash IOC Scanner
- [Loki](https://github.com/Neo23x0/Loki) - Simple IOC and Incident Response Scanner
- [recon](https://github.com/rusty-ferris-club/recon) - Performance-oriented file finder that indexes and analyzes file metadata, with support for SQL querying and YARA.
- [Redline](https://fireeye.market/apps/211364) - Free endpoint security tool from FireEye
- [THOR Lite](https://www.nextron-systems.com/thor-lite/) - Free IOC and YARA Scanner

### Acquisition

- [Acquire](https://github.com/fox-it/acquire) - Acquire is a tool to quickly gather forensic artifacts from disk images or a live system into a lightweight container
- [ALEX](https://github.com/prosch88/ALEX) - Extract files from ADB devices on Windows, Linux and MacOS. Mostly a wrapper for adbutils.
- [artifactcollector](https://github.com/forensicanalysis/artifactcollector) - A customizable agent to collect forensic artifacts on any Windows, macOS or Linux system
- [ArtifactExtractor](https://github.com/Silv3rHorn/ArtifactExtractor) - Extract common Windows artifacts from source images and VSCs
- [AVML](https://github.com/microsoft/avml) - A portable volatile memory acquisition tool for Linux
- [Belkasoft RAM Capturer](https://belkasoft.com/ram-capturer) - Volatile Memory Acquisition Tool
- [DFIR ORC](https://dfir-orc.github.io/) - Forensics artefact collection tool for systems running Microsoft Windows
- [FastIR Collector](https://github.com/SekoiaLab/Fastir_Collector) - Collect artifacts on Windows
- [FireEye Memoryze](https://fireeye.market/apps/211368) - A free memory forensic software
- [FIT](https://github.com/fit-project/fit) - Forensic acquisition of web pages, emails, social media, etc.
- [ForensicMiner](https://github.com/securityjoes/ForensicMiner) - A PowerShell-based DFIR automation tool, for artifact and evidence collection on Windows machines.
- [Fuji](https://github.com/Lazza/Fuji/) - MacOS forensic acquisition made simple. It creates full file system copies or targeted collections from Mac computers.
- [Hashment](https://github.com/hashment/yaffs2-forensic-tool) - Python forensic tool to analyze, dump, and recover deleted files from YAFFS2 partitions.
- [LiME](https://github.com/504ensicsLabs/LiME) - Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, formerly called DMD
- [Magnet RAM Capture / DumpIt](https://www.magnetforensics.com/resources/magnet-dumpit-for-windows/) - A free imaging tool designed to capture the physical memory
- [SPECTR3](https://github.com/alpine-sec/SPECTR3) - Acquire, triage and investigate remote evidence via portable iSCSI read-only access
- [TriageHasher](https://github.com/FlipForensics/TriageHasher) - A flexible hashing tool designed for triage collections on Windows, Linux and MacOS. Hashes only files with a given extension and location.
- [UFADE](https://github.com/prosch88/UFADE) - Extract files from iOS devices on Linux and MacOS. Mostly a wrapper for pymobiledevice3. Creates iTunes-style backups and advanced logical backups.
- [unix_collector](https://github.com/op7ic/unix_collector) - A live forensic collection script for UNIX-like systems as a single script.
- [Velociraptor](https://github.com/Velocidex/velociraptor) - Velociraptor is a tool for collecting host based state information using Velocidex Query Language (VQL) queries
- [WinTriage](https://www.securizame.com/wintriage-the-triage-tool-for-windows-dfirers/) - Wintriage is a live response tool that extracts Windows artifacts. It must be executed with local or domain administrator privileges; running it from an external drive is recommended.

### Imaging

- [dc3dd](https://sourceforge.net/projects/dc3dd/) - Improved version of dd
- [dcfldd](https://sourceforge.net/projects/dcfldd/) - Another improved version of dd (this version has some bugs; another version is on GitHub at [adulau/dcfldd](https://github.com/adulau/dcfldd))
- [FTK Imager](https://www.exterro.com/digital-forensics-software/ftk-imager) - Free imaging tool for Windows
- :star: [Guymager](https://sourceforge.net/projects/guymager/) - Open-source disk imaging tool for Linux systems
- [4n6pi](https://github.com/plonxyz/4n6pi) - Forensic disk imager, designed to run on a Raspberry Pi, powered by libewf

### Carving

- [bstrings](https://github.com/EricZimmerman/bstrings) - Improved strings utility
- [bulk_extractor](https://github.com/simsong/bulk_extractor) - Extracts information such as email addresses, credit card numbers and histograms from disk images
- [floss](https://github.com/mandiant/flare-floss) - Static analysis tool to automatically deobfuscate strings from malware binaries
- :star: [photorec](https://www.cgsecurity.org/wiki/PhotoRec) - File carving tool
- [swap_digger](https://github.com/sevagas/swap_digger) - A bash script that automates Linux swap extraction and analysis, searching for Linux user credentials, web form credentials, web form emails, etc.

### Memory Forensics

- [inVtero.net](https://github.com/ShaneK2/inVtero.net) - High speed memory analysis framework developed in .NET; supports all Windows x64, includes code integrity and write support
- [KeeFarce](https://github.com/denandz/KeeFarce) - Extract KeePass passwords from memory
- [MemProcFS](https://github.com/ufrisk/MemProcFS) - An easy and convenient way of accessing physical memory as files in a virtual file system.
- [Rekall](https://github.com/google/rekall) - Memory Forensic Framework
- [volatility](https://github.com/volatilityfoundation/volatility) - The memory forensic framework
- [VolUtility](https://github.com/kevthehermit/VolUtility) - Web App for Volatility framework

### Network Forensics

- [Kismet](https://github.com/kismetwireless/kismet) - A passive wireless sniffer
- [NetworkMiner](https://www.netresec.com/?page=Networkminer) - Network Forensic Analysis Tool
- [RustNet](https://github.com/domcyrus/rustnet) - A cross-platform network monitoring terminal UI providing real-time visibility into network connections
- [Squey](https://squey.org) - Logs/PCAP visualization software designed to detect anomalies and weak signals in large amounts of data.
- :star: [WireShark](https://www.wireshark.org/) - A network protocol analyzer

### Windows Artifacts

- [Beagle](https://github.com/yampelo/beagle) - Transform data sources and logs into graphs
- [Blauhaunt](https://github.com/cgosec/Blauhaunt) - A tool collection for filtering and visualizing logon events
- [FRED](https://www.pinguin.lu/fred) - Cross-platform Microsoft registry hive editor
- [Hayabusa](https://github.com/Yamato-Security/hayabusa) - A Sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
- [LastActivityView](https://www.nirsoft.net/utils/computer_activity_view.html) - LastActivityView by Nirsoft is a tool for Windows that collects information from various sources on a running system and displays a log of actions made by the user and events that occurred on the computer.
- [LogonTracer](https://github.com/JPCERTCC/LogonTracer) - Investigate malicious Windows logon by visualizing and analyzing Windows event log
- [PyShadow](https://github.com/alicangnll/pyshadow) - A library for Windows to read shadow copies, delete shadow copies, create symbolic links to shadow copies, and create shadow copies
- [python-evt](https://github.com/williballenthin/python-evt) - Pure Python parser for classic Windows Event Log files (.evt)
- [RegRipper3.0](https://github.com/keydet89/RegRipper3.0) - RegRipper is an open source Perl tool for parsing the Registry and presenting it for analysis
- [RegRippy](https://github.com/airbus-cert/regrippy) - A framework for reading and extracting useful forensics data from Windows registry hives

#### NTFS/MFT Processing

- [MFT-Parsers](http://az4n6.blogspot.com/2015/09/whos-your-master-mft-parsers-reviewed.html) - Comparison of MFT-Parsers
- [MFTEcmd](https://binaryforay.blogspot.com/2018/06/introducing-mftecmd.html) - MFT Parser by Eric Zimmerman
- [MFTExtractor](https://github.com/aarsakian/FileSystemForensics) - MFT-Parser
- [MFTMactime](https://github.com/kero99/mftmactime) - MFT and USN parser that allows direct extraction in filesystem timeline format (mactime), dumps all resident files in the MFT in their original folder structure and runs yara rules over them all.
- [NTFS journal parser](http://strozfriedberg.github.io/ntfs-linker/)
- [NTFS USN Journal parser](https://github.com/PoorBillionaire/USN-Journal-Parser)
- [NTFSTool](https://github.com/thewhiteninja/ntfstool) - Complete NTFS forensics tool
- [python-ntfs](https://github.com/williballenthin/python-ntfs) - NTFS analysis
- [RecuperaBit](https://github.com/Lazza/RecuperaBit) - Reconstruct and recover NTFS data

### OS X Forensics

- [APFS Fuse](https://github.com/sgan81/apfs-fuse) - A read-only FUSE driver for the new Apple File System
- [mac_apt (macOS Artifact Parsing Tool)](https://github.com/ydkhatri/mac_apt) - Extracts forensic artifacts from disk images or live machines
- [MacLocationsScraper](https://github.com/mac4n6/Mac-Locations-Scraper) - Dump the contents of the location database files on iOS and macOS
- [macMRUParser](https://github.com/mac4n6/macMRU-Parser) - Python script to parse the Most Recently Used (MRU) plist files on macOS into a more human friendly format
- [OSXAuditor](https://github.com/jipegit/OSXAuditor)
- [OSX Collect](https://github.com/Yelp/osxcollector)

### Mobile Forensics

- [ALEAPP](https://github.com/abrignoni/ALEAPP) - An Android Logs Events and Protobuf Parser
- [Andriller](https://github.com/den4uk/andriller) - A software utility with a collection of forensic tools for smartphones
- [ArtEx](https://www.doubleblak.com/index.php) - Artifact Examiner for iOS Full File System extractions
- [iLEAPP](https://github.com/abrignoni/iLEAPP) - An iOS Logs, Events, And Plists Parser
- [iOS Frequent Locations Dumper](https://github.com/mac4n6/iOS-Frequent-Locations-Dumper) - Dump the contents of the StateModel#.archive files located in /private/var/mobile/Library/Caches/com.apple.routined/
- [MEAT](https://github.com/jfarley248/MEAT) - Perform different kinds of acquisitions on iOS devices
- [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF) - An automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
- [OpenBackupExtractor](https://github.com/vgmoose/OpenBackupExtractor) - An app for extracting data from iPhone and iPad backups.

### Docker Forensics

- [dof (Docker Forensics Toolkit)](https://github.com/docker-forensics-toolkit/toolkit) - Extracts and interprets forensic artifacts from disk images of Docker Host systems
- [Docker Explorer](https://github.com/google/docker-explorer) - Extracts and interprets forensic artifacts from disk images of Docker Host systems

### Internet Artifacts

- [ChromeCacheView](https://www.nirsoft.net/utils/chrome_cache_view.html) - A small utility that reads the cache folder of Google Chrome Web browser, and displays the list of all files currently stored in the cache
- [chrome-url-dumper](https://github.com/eLoopWoo/chrome-url-dumper) - Dump all locally stored information collected by Chrome
- [hindsight](https://github.com/obsidianforensics/hindsight) - Internet history forensics for Google Chrome/Chromium
- [IE10Analyzer](https://github.com/moaistory/IE10Analyzer) - This tool can parse normal records and recover deleted records in WebCacheV01.dat.
- [unfurl](https://github.com/obsidianforensics/unfurl) - Extract and visualize data from URLs
- [WinSearchDBAnalyzer](https://github.com/moaistory/WinSearchDBAnalyzer) - This tool can parse normal records and recover deleted records in Windows.edb.

### Timeline Analysis

- [DFTimewolf](https://github.com/log2timeline/dftimewolf) - Framework for orchestrating forensic collection, processing and data export using GRR and Rekall
- :star: [plaso](https://github.com/log2timeline/plaso) - Extract timestamps from various files and aggregate them
- [Timeline Explorer](https://binaryforay.blogspot.com/2017/04/introducing-timeline-explorer-v0400.html) - Timeline Analysis tool for CSV and Excel files. Built for SANS FOR508 students
- [timeliner](https://github.com/airbus-cert/timeliner) - A rewrite of mactime, a bodyfile reader
- [timesketch](https://github.com/google/timesketch) - Collaborative forensic timeline analysis

### Disk image handling

- [Disk Arbitrator](https://github.com/aburgh/Disk-Arbitrator) - A Mac OS X forensic utility designed to help the user ensure correct forensic procedures are followed during imaging of a disk device
- [imagemounter](https://github.com/ralphje/imagemounter) - Command line utility and Python package to ease the (un)mounting of forensic disk images
- [libewf](https://github.com/libyal/libewf) - Libewf is a library and some tools to access the Expert Witness Compression Format (EWF, E01)
- [PancakeViewer](https://github.com/forensicmatt/PancakeViewer) - Disk image viewer based on dfvfs, similar to the FTK Imager viewer
- [xmount](https://www.pinguin.lu/xmount) - Convert between different disk image formats

### Decryption

- [hashcat](https://hashcat.net/hashcat/) - Fast password cracker with GPU support
- [John the Ripper](https://www.openwall.com/john/) - Password cracker

### Management

- [Catalyst](https://github.com/SecurityBrewery/catalyst) - Catalyst is an open source security automation and ticket system
- [dfirtrack](https://github.com/dfirtrack/dfirtrack) - Digital Forensics and Incident Response Tracking application, track systems
- [Incidents](https://github.com/veeral-patel/incidents) - Web application for organizing non-trivial security investigations. Built on the idea that incidents are trees of tickets, where some tickets are leads
- [iris](https://github.com/dfir-iris/iris-web) - Collaborative Incident Response platform

### Picture Analysis

- [Ghiro](https://github.com/Ghirensics/ghiro) - A fully automated tool designed to run forensics analysis over a massive amount of images
- [sherloq](https://github.com/GuidoBartoli/sherloq) - An open-source digital photographic image forensic toolset

### Metadata Forensics

- [ExifTool](https://exiftool.org/) - Read, write and edit metadata in a wide range of file types, by Phil Harvey
- [EXIF Editor](https://exifeditor.io/) - In-browser, privacy-first EXIF viewer/editor/analysis tool (no sign-up). Home to The EXIF Guide and The EXIF Quiz.
- [FOCA](https://github.com/ElevenPaths/FOCA) - FOCA is a tool used mainly to find metadata and hidden information in documents

### Steganography

- [Sonicvisualizer](https://www.sonicvisualiser.org)
- [Steghide](https://github.com/StegHigh/steghide) - A steganography program that hides data in various kinds of image and audio files
- [Wavsteg](https://github.com/samolds/wavsteg) - A steganographic coder for WAV files
- [Zsteg](https://github.com/zed-0xff/zsteg) - Detects steganographically hidden data in PNG and BMP files

## Learn Forensics

- [Forensic challenges](https://www.amanhardikar.com/mindmaps/ForensicChallenges.html) - Mindmap of forensic challenges
- [OpenLearn](https://www.open.edu/openlearn/science-maths-technology/digital-forensics/content-section-0?active-tab=description-tab) - Digital forensic course

### CTFs and Challenges

- [BelkaCTF](https://belkasoft.com/ctf) - CTFs by Belkasoft
- [CyberDefenders](https://cyberdefenders.org/blueteam-ctf-challenges/?type=ctf)
- [DefCon CTFs](https://archive.ooo) - Archive of DEF CON CTF challenges
- [Forensics CTFs](https://github.com/apsdehal/awesome-ctf/blob/master/README.md#forensics)
- [MagnetForensics CTF Challenge](https://www.magnetforensics.com/blog/magnet-weekly-ctf-challenge/)
- [MalwareTech Labs](https://malwaretech.com/labs/)
- [MemLabs](https://github.com/stuxnet999/MemLabs)
- [NW3C Challenges](https://nw3.ctfd.io)
- [Precision Widgets of North Dakota Intrusion](https://betweentwodfirns.blogspot.com/2017/11/dfir-ctf-precision-widgets-of-north.html)
- [ReverseEngineering Challenges](https://challenges.re)

## Resources

### Web

- [ForensicsFocus](https://www.forensicfocus.com/)
- [SANS Digital Forensics](https://www.sans.org/cybersecurity-focus-areas/digital-forensics-incident-response)

### Blogs

- [Netresec](https://www.netresec.com/index.ashx?page=Blog)
- [SANS Forensics Blog](https://www.sans.org/blog?focus-area=digital-forensics)
- [SecurityAffairs](https://securityaffairs.com/) - Blog by Pierluigi Paganini
- [This Week In 4n6](https://thisweekin4n6.com/) - Weekly updates for forensics
- [Zena Forensics](https://blog.digital-forensics.it/)

### Books

*more at [Recommended Readings](http://dfir.org/?q=node/8) by Andrew Case*

- [Network Forensics: Tracking Hackers through Cyberspace](https://www.pearson.com/en-us/subject-catalog/p/Davidoff-Network-Forensics-Tracking-Hackers-through-Cyberspace/P200000009228) - Learn to recognize hackers’ tracks and uncover network-based evidence
- [The Art of Memory Forensics](https://memoryanalysis.net/amf/) - Detecting Malware and Threats in Windows, Linux, and Mac Memory
- [The Practice of Network Security Monitoring](https://nostarch.com/nsm) - Understanding Incident Detection and Response

### File System Corpora

- [Digital Forensic Challenge Images](https://www.ashemery.com/dfir.html) - Two DFIR challenges with images
- [Digital Forensics Tool Testing Images](https://sourceforge.net/projects/dftt/)

### Other

- [/r/computerforensics/](https://www.reddit.com/r/computerforensics/) - Subreddit for computer forensics
- [CybersecurityGuide – Digital Forensics Careers](https://cybersecurityguide.org/careers/digital-forensics/) - Guide on skills, certs, and career paths in cyber forensics.
- [ForensicPosters](https://github.com/Invoke-IR/ForensicPosters) - Posters of file system structures
- [SANS Posters](https://www.sans.org/posters) - Free posters provided by SANS

### Labs

- [BlueTeam.Lab](https://github.com/op7ic/BlueTeam.Lab) - Blue Team detection lab created with Terraform and Ansible in Azure.

## Related Awesome Lists

- [Android Security](https://github.com/ashishb/android-security-awesome)
- [AppSec](https://github.com/paragonie/awesome-appsec)
- [CTFs](https://github.com/apsdehal/awesome-ctf)
- [Hacking](https://github.com/carpedm20/awesome-hacking)
- [Honeypots](https://github.com/paralax/awesome-honeypots)
- [Incident-Response](https://github.com/meirwah/awesome-incident-response)
- [Infosec](https://github.com/onlurking/awesome-infosec)
- [Malware Analysis](https://github.com/rshipp/awesome-malware-analysis)
- [Pentesting](https://github.com/enaqx/awesome-pentest)
- [Security](https://github.com/sbilly/awesome-security)
- [Social Engineering](https://github.com/giuliacassara/awesome-social-engineering)
- [YARA](https://github.com/InQuest/awesome-yara)

## [Contributing](CONTRIBUTING.md)

Pull requests and issues with suggestions are welcome!
--------------------------------------------------------------------------------
/LIBS.md:
--------------------------------------------------------------------------------
List of libraries that can be used in forensic software. It is mostly an extension of the
overview of [github.com/libyal/libyal](https://github.com/libyal/libyal/wiki/Overview), a very
large collection of format parsers. A wider rendering of this table: http://cugu.github.io/awesome-forensics/LIBS

| URL | Description (Language) | Last Commit | Stars | License |
|---|---|---:|---:|---:|
| **Forensic Artifact Handling** | | | | |
| [artifactlib](https://github.com/forensicanalysis/artifactlib) | Process forensic artifact definition files (Go & Python) | ![Last Commit](https://img.shields.io/github/last-commit/forensicanalysis/artifactlib?label=) | ![GitHub stars](https://img.shields.io/github/stars/forensicanalysis/artifactlib?label=) | ![License](https://img.shields.io/github/license/forensicanalysis/artifactlib?label=) |
| [artifacts](https://github.com/ForensicArtifacts/artifacts) | Process forensic artifact definition files (Python) | ![Last Commit](https://img.shields.io/github/last-commit/ForensicArtifacts/artifacts?label=) | ![GitHub stars](https://img.shields.io/github/stars/ForensicArtifacts/artifacts?label=) | ![License](https://img.shields.io/github/license/ForensicArtifacts/artifacts?label=) |
| **High Level File System Parser** | | | | |
| [fslib](https://github.com/forensicanalysis/fslib) | Parse filesystems, archives and other data types (Go) | ![Last Commit](https://img.shields.io/github/last-commit/forensicanalysis/fslib?label=) | ![GitHub stars](https://img.shields.io/github/stars/forensicanalysis/fslib?label=) | ![License](https://img.shields.io/github/license/forensicanalysis/fslib?label=) |
| [dfvfs](https://github.com/log2timeline/dfvfs) | Digital Forensics Virtual File System (Python) | ![Last Commit](https://img.shields.io/github/last-commit/log2timeline/dfvfs?label=) | ![GitHub stars](https://img.shields.io/github/stars/log2timeline/dfvfs?label=) | ![License](https://img.shields.io/github/license/log2timeline/dfvfs?label=) |
| [pytsk](https://github.com/py4n6/pytsk) | Bindings for The Sleuth Kit (libtsk) (Python) | ![Last Commit](https://img.shields.io/github/last-commit/py4n6/pytsk?label=) | ![GitHub stars](https://img.shields.io/github/stars/py4n6/pytsk?label=) | ![License](https://img.shields.io/github/license/py4n6/pytsk?label=) |
| **Store** | | | | |
| [forensicstore](https://github.com/forensicanalysis/forensicstore) | A forensics storage format (Go & Python) | ![Last Commit](https://img.shields.io/github/last-commit/forensicanalysis/forensicstore?label=) | ![GitHub stars](https://img.shields.io/github/stars/forensicanalysis/forensicstore?label=) | ![License](https://img.shields.io/github/license/forensicanalysis/forensicstore?label=) |
| [acstore](https://github.com/log2timeline/acstore) | Attribute Container store (Python) | ![Last Commit](https://img.shields.io/github/last-commit/log2timeline/acstore?label=) | ![GitHub stars](https://img.shields.io/github/stars/log2timeline/acstore?label=) | ![License](https://img.shields.io/github/license/log2timeline/acstore?label=) |
| **Cross-platform Functionality** | | | | |
| [libcdata](https://github.com/libyal/libcdata/wiki/) | generic data functions (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libcdata?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libcdata?label=) | ![License](https://img.shields.io/github/license/libyal/libcdata?label=) |
| [libcdatetime](https://github.com/libyal/libcdatetime/wiki/) | date and time functions (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libcdatetime?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libcdatetime?label=) | ![License](https://img.shields.io/github/license/libyal/libcdatetime?label=) |
| [libcdirectory](https://github.com/libyal/libcdirectory/wiki/) | directory functions (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libcdirectory?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libcdirectory?label=) | ![License](https://img.shields.io/github/license/libyal/libcdirectory?label=) |
| [libcerror](https://github.com/libyal/libcerror/wiki/) | error functions (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libcerror?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libcerror?label=) | ![License](https://img.shields.io/github/license/libyal/libcerror?label=) |
| [libcfile](https://github.com/libyal/libcfile/wiki/) | file functions (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libcfile?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libcfile?label=) | ![License](https://img.shields.io/github/license/libyal/libcfile?label=) |
| [libclocale](https://github.com/libyal/libclocale/wiki/) | locale functions (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libclocale?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libclocale?label=) | ![License](https://img.shields.io/github/license/libyal/libclocale?label=) |
| [libcnotify](https://github.com/libyal/libcnotify/wiki/) | notification functions (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libcnotify?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libcnotify?label=) | ![License](https://img.shields.io/github/license/libyal/libcnotify?label=) |
| [libcpath](https://github.com/libyal/libcpath/wiki/) | path functions (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libcpath?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libcpath?label=) | ![License](https://img.shields.io/github/license/libyal/libcpath?label=) |
| [libcsplit](https://github.com/libyal/libcsplit/wiki/) | split string functions (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libcsplit?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libcsplit?label=) | ![License](https://img.shields.io/github/license/libyal/libcsplit?label=) |
| [libcthreads](https://github.com/libyal/libcthreads/wiki/) | threads functions (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libcthreads?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libcthreads?label=) | ![License](https://img.shields.io/github/license/libyal/libcthreads?label=) |
| [dfdatetime](https://github.com/log2timeline/dfdatetime) | Digital Forensics date and time (Python) | ![Last Commit](https://img.shields.io/github/last-commit/log2timeline/dfdatetime?label=) | ![GitHub stars](https://img.shields.io/github/stars/log2timeline/dfdatetime?label=) | ![License](https://img.shields.io/github/license/log2timeline/dfdatetime?label=) |
| **Data Formats** | | | | |
| [libcaes](https://github.com/libyal/libcaes/wiki/) | AES encryption functions (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libcaes?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libcaes?label=) | ![License](https://img.shields.io/github/license/libyal/libcaes?label=) |
| [libfcache](https://github.com/libyal/libfcache/wiki/) | generic file data cache functions (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libfcache?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libfcache?label=) | ![License](https://img.shields.io/github/license/libyal/libfcache?label=) |
| [libfcrypto](https://github.com/libyal/libfcrypto/wiki/) | encryption formats (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libfcrypto?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libfcrypto?label=) | ![License](https://img.shields.io/github/license/libyal/libfcrypto?label=) |
| [libfdata](https://github.com/libyal/libfdata/wiki/) | generic file data functions (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libfdata?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libfdata?label=) | ![License](https://img.shields.io/github/license/libyal/libfdata?label=) |
| [libfdatetime](https://github.com/libyal/libfdatetime/wiki/) | for date and time formats (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libfdatetime?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libfdatetime?label=) | ![License](https://img.shields.io/github/license/libyal/libfdatetime?label=) |
| [libfguid](https://github.com/libyal/libfguid/wiki/) | for GUID/UUID format (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libfguid?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libfguid?label=) | ![License](https://img.shields.io/github/license/libyal/libfguid?label=) |
| [libfmapi](https://github.com/libyal/libfmapi/wiki/) | for Message API (MAPI) data types (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libfmapi?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libfmapi?label=) | ![License](https://img.shields.io/github/license/libyal/libfmapi?label=) |
| [libfole](https://github.com/libyal/libfole/wiki/) | for Object Linking and Embedding (OLE) data types (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libfole?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libfole?label=) | ![License](https://img.shields.io/github/license/libyal/libfole?label=) |
| [libfplist](https://github.com/libyal/libfplist/wiki/) | for plist formats (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libfplist?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libfplist?label=) | ![License](https://img.shields.io/github/license/libyal/libfplist?label=) |
| [libftxf](https://github.com/libyal/libftxf/wiki/) | for Transactional NTFS (TxF) data types (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libftxf?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libftxf?label=) | ![License](https://img.shields.io/github/license/libyal/libftxf?label=) |
| [libftxr](https://github.com/libyal/libftxr/wiki/) | for Transactional Registry (TxR) data types (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libftxr?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libftxr?label=) | ![License](https://img.shields.io/github/license/libyal/libftxr?label=) |
| [libfusn](https://github.com/libyal/libfusn/wiki/) | for Update Sequence Number (USN) Journal data types (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libfusn?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libfusn?label=) | ![License](https://img.shields.io/github/license/libyal/libfusn?label=) |
| [libfvalue](https://github.com/libyal/libfvalue/wiki/) | generic file value functions (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libfvalue?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libfvalue?label=) | ![License](https://img.shields.io/github/license/libyal/libfvalue?label=) |
| [libfwevt](https://github.com/libyal/libfwevt/wiki/) | for Windows XML Event Log (EVTX) data types (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libfwevt?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libfwevt?label=) | ![License](https://img.shields.io/github/license/libyal/libfwevt?label=) |
| [libfwnt](https://github.com/libyal/libfwnt/wiki/) | for Windows NT data types (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libfwnt?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libfwnt?label=) | ![License](https://img.shields.io/github/license/libyal/libfwnt?label=) |
| [libfwps](https://github.com/libyal/libfwps/wiki/) | for Windows Property Store data types (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libfwps?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libfwps?label=) | ![License](https://img.shields.io/github/license/libyal/libfwps?label=) |
| [libfwsi](https://github.com/libyal/libfwsi/wiki/) | for Windows Shell Item data types (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libfwsi?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libfwsi?label=) | ![License](https://img.shields.io/github/license/libyal/libfwsi?label=) |
| [libhmac](https://github.com/libyal/libhmac/wiki/) | Hash-based Message Authentication Codes (HMAC) (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libhmac?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libhmac?label=) | ![License](https://img.shields.io/github/license/libyal/libhmac?label=) |
| [libuna](https://github.com/libyal/libuna/wiki/) | Unicode and ASCII (byte string) conversions (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libuna?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libuna?label=) | ![License](https://img.shields.io/github/license/libyal/libuna?label=) |
| **File Formats** | | | | |
| [libagdb](https://github.com/libyal/libagdb/wiki/) | Windows SuperFetch database format (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libagdb?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libagdb?label=) | ![License](https://img.shields.io/github/license/libyal/libagdb?label=) |
| [libcreg](https://github.com/libyal/libcreg/wiki/) | Windows 9x/Me Registry File (CREG) format (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libcreg?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libcreg?label=) | ![License](https://img.shields.io/github/license/libyal/libcreg?label=) |
| [libesedb](https://github.com/libyal/libesedb/wiki/) | Extensible Storage Engine (ESE) Database File (EDB) format (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libesedb?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libesedb?label=) | ![License](https://img.shields.io/github/license/libyal/libesedb?label=) |
| [libevt](https://github.com/libyal/libevt/wiki/) | Windows Event Log (EVT) format (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libevt?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libevt?label=) | ![License](https://img.shields.io/github/license/libyal/libevt?label=) |
| [libevtx](https://github.com/libyal/libevtx/wiki/) | Windows XML Event Log (EVTX) format (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libevtx?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libevtx?label=) | ![License](https://img.shields.io/github/license/libyal/libevtx?label=) |
| [libexe](https://github.com/libyal/libexe/wiki/) | PE/COFF Executable (EXE) format (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libexe?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libexe?label=) | ![License](https://img.shields.io/github/license/libyal/libexe?label=) |
| [libgzipf](https://github.com/libyal/libgzipf/wiki/) | GZIP file format (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libgzipf?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libgzipf?label=) | ![License](https://img.shields.io/github/license/libyal/libgzipf?label=) |
| [liblnk](https://github.com/libyal/liblnk/wiki/) | Windows Shortcut File (LNK) format (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/liblnk?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/liblnk?label=) | ![License](https://img.shields.io/github/license/libyal/liblnk?label=) |
| [libmdmp](https://github.com/libyal/libmdmp/wiki/) | Windows Minidump (MDMP) format (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libmdmp?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libmdmp?label=) | ![License](https://img.shields.io/github/license/libyal/libmdmp?label=) |
| [libmsiecf](https://github.com/libyal/libmsiecf/wiki/) | Microsoft Internet Explorer (MSIE) Cache File (index.dat) format (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libmsiecf?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libmsiecf?label=) | ![License](https://img.shields.io/github/license/libyal/libmsiecf?label=) |
| [libnk2](https://github.com/libyal/libnk2/wiki/) | Microsoft Outlook Nickfile (NK2) format (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libnk2?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libnk2?label=) | ![License](https://img.shields.io/github/license/libyal/libnk2?label=) |
| [libnsfdb](https://github.com/libyal/libnsfdb/wiki/) | Notes Storage Facility (NSF) database file format (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libnsfdb?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libnsfdb?label=) | ![License](https://img.shields.io/github/license/libyal/libnsfdb?label=) |
| [libolecf](https://github.com/libyal/libolecf/wiki/) | OLE 2 Compound File (OLECF) format (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libolecf?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libolecf?label=) | ![License](https://img.shields.io/github/license/libyal/libolecf?label=) |
| [libpff](https://github.com/libyal/libpff/wiki/) | Personal Folder File (PFF) format (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libpff?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libpff?label=) | ![License](https://img.shields.io/github/license/libyal/libpff?label=) |
| [libregf](https://github.com/libyal/libregf/wiki/) | Windows NT Registry File (REGF) format (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libregf?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libregf?label=) | ![License](https://img.shields.io/github/license/libyal/libregf?label=) |
| [libscca](https://github.com/libyal/libscca/wiki/) | Windows Prefetch File (SCCA) format (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libscca?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libscca?label=) | ![License](https://img.shields.io/github/license/libyal/libscca?label=) |
| [libwtcdb](https://github.com/libyal/libwtcdb/wiki/) | Windows (Vista/7) Explorer thumbnail cache database format (thumbcache.db) (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libwtcdb?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libwtcdb?label=) | ![License](https://img.shields.io/github/license/libyal/libwtcdb?label=) |
| [dfwinreg](https://github.com/log2timeline/dfwinreg) | Digital Forensics Windows Registry (dfWinReg) (Python) | ![Last Commit](https://img.shields.io/github/last-commit/log2timeline/dfwinreg?label=) | ![GitHub stars](https://img.shields.io/github/stars/log2timeline/dfwinreg?label=) | ![License](https://img.shields.io/github/license/log2timeline/dfwinreg?label=) |
| [evtx](https://github.com/Velocidex/evtx) | Parser for Microsoft Event Logs (Go) | ![Last Commit](https://img.shields.io/github/last-commit/Velocidex/evtx?label=) | ![GitHub stars](https://img.shields.io/github/stars/Velocidex/evtx?label=) | ![License](https://img.shields.io/github/license/Velocidex/evtx?label=) |
| [go-prefetch](https://github.com/Velocidex/go-prefetch) | An implementation of a Prefetch parser (Go) | ![Last Commit](https://img.shields.io/github/last-commit/Velocidex/go-prefetch?label=) | ![GitHub stars](https://img.shields.io/github/stars/Velocidex/go-prefetch?label=) | ![License](https://img.shields.io/github/license/Velocidex/go-prefetch?label=) |
| [python-evt](https://github.com/williballenthin/python-evt) | Parser for classic Windows Event Log files (.evt) (Python) | ![Last Commit](https://img.shields.io/github/last-commit/williballenthin/python-evt?label=) | ![GitHub stars](https://img.shields.io/github/stars/williballenthin/python-evt?label=) | ![License](https://img.shields.io/github/license/williballenthin/python-evt?label=) |
| [python-evtx](https://github.com/williballenthin/python-evtx) | Parser for recent Windows Event Log files (.evtx) (Python) | ![Last Commit](https://img.shields.io/github/last-commit/williballenthin/python-evtx?label=) | ![GitHub stars](https://img.shields.io/github/stars/williballenthin/python-evtx?label=) | ![License](https://img.shields.io/github/license/williballenthin/python-evtx?label=) |
| [python-registry](https://github.com/williballenthin/python-registry) | Parser for Windows Registry hives (Python) | ![Last Commit](https://img.shields.io/github/last-commit/williballenthin/python-registry?label=) | ![GitHub stars](https://img.shields.io/github/stars/williballenthin/python-registry?label=) | ![License](https://img.shields.io/github/license/williballenthin/python-registry?label=) |
| [python-sdb](https://github.com/williballenthin/python-sdb) | Parser for Application Compatibility Shim Databases (.sdb files) (Python) | ![Last Commit](https://img.shields.io/github/last-commit/williballenthin/python-sdb?label=) | ![GitHub stars](https://img.shields.io/github/stars/williballenthin/python-sdb?label=) | ![License](https://img.shields.io/github/license/williballenthin/python-sdb?label=) |
| **In-file Formats** | | | | |
| [libmapidb](https://github.com/libyal/libmapidb/wiki/) | Exchange MAPI database format (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libmapidb?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libmapidb?label=) | ![License](https://img.shields.io/github/license/libyal/libmapidb?label=) |
| [libwrc](https://github.com/libyal/libwrc/wiki/) | Windows Resource Compiler (WRC) format (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libwrc?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libwrc?label=) | ![License](https://img.shields.io/github/license/libyal/libwrc?label=) |
| **File System Formats** | | | | |
| [libfsapfs](https://github.com/libyal/libfsapfs/wiki/) | Apple File System (APFS) format (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libfsapfs?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libfsapfs?label=) | ![License](https://img.shields.io/github/license/libyal/libfsapfs?label=) |
| [libfsclfs](https://github.com/libyal/libfsclfs/wiki/) | Common Log File System (CLFS) format (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libfsclfs?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libfsclfs?label=) | ![License](https://img.shields.io/github/license/libyal/libfsclfs?label=) |
| [libfsext](https://github.com/libyal/libfsext/wiki/) | Extended File System (EXT) format (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libfsext?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libfsext?label=) | ![License](https://img.shields.io/github/license/libyal/libfsext?label=) |
| [libfshfs](https://github.com/libyal/libfshfs/wiki/) | Hierarchical File System (HFS) format (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libfshfs?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libfshfs?label=) | ![License](https://img.shields.io/github/license/libyal/libfshfs?label=) |
| [libfsntfs](https://github.com/libyal/libfsntfs/wiki/) | New Technology File System (NTFS) format (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libfsntfs?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libfsntfs?label=) | ![License](https://img.shields.io/github/license/libyal/libfsntfs?label=) |
| [libfsrefs](https://github.com/libyal/libfsrefs/wiki/) | Resilient File System (ReFS) format (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libfsrefs?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libfsrefs?label=) | ![License](https://img.shields.io/github/license/libyal/libfsrefs?label=) |
| [go-ntfs](https://github.com/Velocidex/go-ntfs) | An NTFS file parser (Go) | ![Last Commit](https://img.shields.io/github/last-commit/Velocidex/go-ntfs?label=) | ![GitHub stars](https://img.shields.io/github/stars/Velocidex/go-ntfs?label=) | ![License](https://img.shields.io/github/license/Velocidex/go-ntfs?label=) |
| [python-ntfs](https://github.com/williballenthin/python-ntfs) | Library for NTFS analysis (Python) | ![Last Commit](https://img.shields.io/github/last-commit/williballenthin/python-ntfs?label=) | ![GitHub stars](https://img.shields.io/github/stars/williballenthin/python-ntfs?label=) | ![License](https://img.shields.io/github/license/williballenthin/python-ntfs?label=) |
| **Volume (System) Formats** | | | | |
| [libbde](https://github.com/libyal/libbde/wiki/) | BitLocker drive encryption (BDE) (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libbde?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libbde?label=) | ![License](https://img.shields.io/github/license/libyal/libbde?label=) |
| [libfvde](https://github.com/libyal/libfvde/wiki/) | FileVault drive encryption (FVDE) (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libfvde?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libfvde?label=) | ![License](https://img.shields.io/github/license/libyal/libfvde?label=) |
| [libluksde](https://github.com/libyal/libluksde/wiki/) | LUKS Disk Encryption (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libluksde?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libluksde?label=) | ![License](https://img.shields.io/github/license/libyal/libluksde?label=) |
| [libvsgpt](https://github.com/libyal/libvsgpt/wiki/) | GUID Partition Table (GPT) volume system format (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libvsgpt?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libvsgpt?label=) | ![License](https://img.shields.io/github/license/libyal/libvsgpt?label=) |
| [libvshadow](https://github.com/libyal/libvshadow/wiki/) | Volume Shadow Snapshot (VSS) format (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libvshadow?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libvshadow?label=) | ![License](https://img.shields.io/github/license/libyal/libvshadow?label=) |
| [libvslvm](https://github.com/libyal/libvslvm/wiki/) | Linux Logical Volume Manager (LVM) volume system format (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libvslvm?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libvslvm?label=) | ![License](https://img.shields.io/github/license/libyal/libvslvm?label=) |
| [libvsmbr](https://github.com/libyal/libvsmbr/wiki/) | Master Boot Record (MBR) volume system format (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libvsmbr?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libvsmbr?label=) | ![License](https://img.shields.io/github/license/libyal/libvsmbr?label=) |
| **Storage Media Image Formats** | | | | |
| [pyaff4](https://github.com/aff4/pyaff4) | An implementation of the AFF4 standard (Python) | ![Last Commit](https://img.shields.io/github/last-commit/aff4/pyaff4?label=) | ![GitHub stars](https://img.shields.io/github/stars/aff4/pyaff4?label=) | ![License](https://img.shields.io/github/license/aff4/pyaff4?label=) |
| [libewf](https://github.com/libyal/libewf/wiki/) | Expert Witness Compression Format (EWF) image format (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libewf?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libewf?label=) | ![License](https://img.shields.io/github/license/libyal/libewf?label=) |
| [libhibr](https://github.com/libyal/libhibr/wiki/) | Windows Hibernation File (hiberfil.sys) format (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libhibr?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libhibr?label=) | ![License](https://img.shields.io/github/license/libyal/libhibr?label=) |
| [libmodi](https://github.com/libyal/libmodi/wiki/) | Mac OS disk image formats (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libmodi?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libmodi?label=) | ![License](https://img.shields.io/github/license/libyal/libmodi?label=) |
| [libodraw](https://github.com/libyal/libodraw/wiki/) | optical disc (split) RAW image format (bin/cue, iso/cue) (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libodraw?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libodraw?label=) | ![License](https://img.shields.io/github/license/libyal/libodraw?label=) |
| [libphdi](https://github.com/libyal/libphdi/wiki/) | Parallels Hard Disk image format (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libphdi?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libphdi?label=) | ![License](https://img.shields.io/github/license/libyal/libphdi?label=) |
| [libqcow](https://github.com/libyal/libqcow/wiki/) | QEMU Copy-On-Write (QCOW) image format (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libqcow?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libqcow?label=) | ![License](https://img.shields.io/github/license/libyal/libqcow?label=) |
| [libsmdev](https://github.com/libyal/libsmdev/wiki/) | storage media devices (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libsmdev?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libsmdev?label=) | ![License](https://img.shields.io/github/license/libyal/libsmdev?label=) |
| [libsmraw](https://github.com/libyal/libsmraw/wiki/) | (split) RAW image format (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libsmraw?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libsmraw?label=) | ![License](https://img.shields.io/github/license/libyal/libsmraw?label=) |
| [libvhdi](https://github.com/libyal/libvhdi/wiki/) | Virtual Hard Disk (VHD) image format (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libvhdi?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libvhdi?label=) | ![License](https://img.shields.io/github/license/libyal/libvhdi?label=) |
| [libvmdk](https://github.com/libyal/libvmdk/wiki/) | VMware Virtual Disk (VMDK) format (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libvmdk?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libvmdk?label=) | ![License](https://img.shields.io/github/license/libyal/libvmdk?label=) |
| [aff4](https://github.com/py4n6/aff4) | Advanced Forensic File Format 4 (Python (& C)) | ![Last Commit](https://img.shields.io/github/last-commit/py4n6/aff4?label=) | ![GitHub stars](https://img.shields.io/github/stars/py4n6/aff4?label=) | ![License](https://img.shields.io/github/license/py4n6/aff4?label=) |
| [c-aff4](https://github.com/Velocidex/c-aff4) | An AFF4 implementation (C++) | ![Last Commit](https://img.shields.io/github/last-commit/Velocidex/c-aff4?label=) | ![GitHub stars](https://img.shields.io/github/stars/Velocidex/c-aff4?label=) | ![License](https://img.shields.io/github/license/Velocidex/c-aff4?label=) |
| **Utility Libraries** | | | | |
| [libbfio](https://github.com/libyal/libbfio/wiki/) | basic file input/output abstraction (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libbfio?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libbfio?label=) | ![License](https://img.shields.io/github/license/libyal/libbfio?label=) |
| [libsigscan](https://github.com/libyal/libsigscan/wiki/) | binary signature scanning (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libsigscan?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libsigscan?label=) | ![License](https://img.shields.io/github/license/libyal/libsigscan?label=) |
| [libtableau](https://github.com/libyal/libtableau/wiki/) | read metadata from Tableau(TM) forensic bridges (write blockers) (C) | ![Last Commit](https://img.shields.io/github/last-commit/libyal/libtableau?label=) | ![GitHub stars](https://img.shields.io/github/stars/libyal/libtableau?label=) | ![License](https://img.shields.io/github/license/libyal/libtableau?label=) |
--------------------------------------------------------------------------------
