Digital Forensics

This page is a translated compilation of digital forensics resources and tools (with a bias toward free and open-source software). Thanks to the original authors :-)


Collections

Tools

Forensic Distributions

Forensic Frameworks

  • :star: Autopsy
    • A graphical digital forensics tool/platform
  • dff
    • An open-source computer forensics platform built on top of an API, designed for simple use and automation
  • dexter
    • Dexter is a forensics acquisition framework designed for extensibility and security
  • :star: IntelMQ
    • A solution for collecting and processing security feeds using message-queue protocols; usable for automated incident handling, situational awareness, automated notifications, and as a data collector for other tools
  • Kuiper
    • A digital investigation platform that gives investigation teams and individuals the ability to parse, search and visualize forensic artifacts
  • Laika BOSS
    • An object scanner and intrusion detection system
    • 🐞 Translator's note: object scanner?
  • PowerForensics
    • A framework for live disk forensic analysis
  • :star: The Sleuth Kit
    • Analyzes Microsoft and UNIX file systems and disks; can identify and recover evidence from images acquired during incident response or from live systems
  • turbinia
    • An open-source framework for deploying, managing and running forensic workloads on cloud platforms
  • IPED - Indexador e Processador de Evidências Digitais
    • Digital forensics investigation tool from the Brazilian Federal Police
  • Wombat Forensics
    • A GUI forensic tool built in C/C++

Live Forensics

  • grr
    • A Python client for remote live forensics during incident response
  • Linux Expl0rer
    • An easy-to-use live forensics toolbox for Linux endpoints, written in Python & Flask
  • mig
    • A distributed, real-time digital forensics platform in the cloud, maintained by Mozilla; now deprecated
  • osquery
    • A SQL-powered operating system instrumentation, monitoring and analytics framework
  • UAC
    • UAC (Unix-like Artifacts Collector) is a live response collection tool for incident response that uses built-in tools to automatically collect Unix-like system artifacts. Supported systems: AIX, FreeBSD, Linux, macOS, NetBSD, Netscaler, OpenBSD and Solaris

IOC Scanners

  • Fenrir
    • A simple IOC scanner (Bash script) that supports scanning Linux/Unix/macOS systems
  • Loki
    • IOC/YARA scanner supporting four detection methods: file name, YARA rules, hash values, and C2 back-connect detection
  • Redline
    • A free endpoint security tool from FireEye that finds signs of malicious activity through memory and file analysis and the development of a threat assessment profile
  • THOR Lite
    • A free but closed-source IOC/YARA scanner from the same family as Loki, written in Golang; effectively an enhanced version of the open-source Loki

Collectors

  • artifactcollector - A customizable agent to collect forensic artifacts on any Windows, macOS or Linux system
  • ArtifactExtractor - Extract common Windows artifacts from source images and VSCs
  • AVML - A portable volatile memory acquisition tool for Linux
  • Belkasoft RAM Capturer - Volatile memory acquisition tool
  • CrowdResponse - A static host data collection tool by CrowdStrike
  • DFIR ORC - Forensic artefact collection tool for systems running Microsoft Windows
  • FastIR Collector - Collect artifacts on Windows
  • FireEye Memoryze - A free memory forensics software
  • LiME - Loadable Kernel Module (LKM) that allows the acquisition of volatile memory from Linux and Linux-based devices; formerly called DMD
  • Magnet RAM Capture - A free imaging tool designed to capture physical memory
  • Velociraptor - A tool for collecting host-based state information using Velocidex Query Language (VQL) queries
  • WinTriage - A live response tool that extracts Windows artifacts. It must be executed with local or domain administrator privileges, and running it from an external drive is recommended.

Imaging

  • dc3dd - Improved version of dd
  • dcfldd - A different improved version of dd (this version has some bugs! Another version is on GitHub: adulau/dcfldd)
  • FTK Imager - Free imaging tool for Windows
  • :star: Guymager - Open-source disk imaging tool for Linux systems

Carving

  • bstrings - Improved strings utility
  • bulk_extractor - Extracts information such as email addresses, credit card numbers and histograms from disk images
  • floss - Static analysis tool to automatically deobfuscate strings from malware binaries
  • :star: photorec - File carving tool
  • swap_digger - A bash script used to automate Linux swap analysis, automating swap extraction and searches for Linux user credentials, Web form credentials, Web form emails, etc.

Memory Forensics

  • inVtero.net - High-speed memory analysis framework developed in .NET; supports all Windows x64, includes code integrity and write support
  • KeeFarce - Extract KeePass passwords from memory
  • MemProcFS - An easy and convenient way of accessing physical memory as files in a virtual file system
  • Rekall - Memory Forensic Framework
  • volatility - The memory forensic framework
  • VolUtility - Web App for Volatility framework

Network Forensics

Windows Artifacts

  • Beagle - Transform data sources and logs into graphs
  • FRED - Cross-platform Microsoft registry hive editor
  • LastActivityView - LastActivityView by Nirsoft is a tool for the Windows operating system that collects information from various sources on a running system and displays a log of actions made by the user and events that occurred on the computer
  • LogonTracer - Investigate malicious Windows logon by visualizing and analyzing Windows event log
  • python-evt - Pure Python parser for classic Windows Event Log files (.evt)
  • RegRipper3.0 - RegRipper is an open source Perl tool for parsing the Registry and presenting it for analysis
  • RegRippy - A framework for reading and extracting useful forensics data from Windows registry hives

NTFS/MFT Processing

OS X Forensics

Mobile Forensics

  • Andriller - A software utility with a collection of forensic tools for smartphones
  • ALEAPP - An Android Logs Events and Protobuf Parser
  • ArtEx - Artifact Examiner for iOS Full File System extractions
  • iLEAPP - An iOS Logs, Events, And Plists Parser
  • iOS Frequent Locations Dumper - Dump the contents of the StateModel#.archive files located in /private/var/mobile/Library/Caches/com.apple.routined/
  • MEAT - Perform different kinds of acquisitions on iOS devices
  • MobSF - An automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
  • OpenBackupExtractor - An app for extracting data from iPhone and iPad backups.

Docker Forensics

Internet Artifacts

  • ChromeCacheView - A small utility that reads the cache folder of Google Chrome Web browser, and displays the list of all files currently stored in the cache
  • chrome-url-dumper - Dump all locally stored information collected by Chrome
  • hindsight - Internet history forensics for Google Chrome/Chromium
  • unfurl - Extract and visualize data from URLs

Timeline Analysis

  • DFTimewolf - Framework for orchestrating forensic collection, processing and data export using GRR and Rekall
  • :star: plaso - Extract timestamps from various files and aggregate them
  • Timeline Explorer - Timeline Analysis tool for CSV and Excel files. Built for SANS FOR508 students
  • timeliner - A rewrite of mactime, a bodyfile reader
  • timesketch - Collaborative forensic timeline analysis

Disk image handling

  • Disk Arbitrator - A Mac OS X forensic utility designed to help the user ensure correct forensic procedures are followed during imaging of a disk device
  • imagemounter - Command line utility and Python package to ease the (un)mounting of forensic disk images
  • libewf - Libewf is a library and some tools to access the Expert Witness Compression Format (EWF, E01)
  • PancakeViewer - Disk image viewer based on dfvfs, similar to the FTK Imager viewer
  • xmount - Convert between different disk image formats

Decryption

Management

  • dfirtrack - Digital Forensics and Incident Response Tracking application, track systems
  • Incidents - Web application for organizing non-trivial security investigations. Built on the idea that incidents are trees of tickets, where some tickets are leads

Picture Analysis

  • Ghiro - A fully automated tool designed to run forensics analysis over a massive amount of images
  • sherloq - An open-source digital photographic image forensic toolset

Metadata Forensics

  • ExifTool by Phil Harvey
  • FOCA - FOCA is a tool used mainly to find metadata and hidden information in the documents

Steganography

  • Sonicvisualizer
  • Steghide - A steganography program that hides data in various kinds of image and audio files
  • Wavsteg - A steganography program that hides data in various kinds of image and audio files
  • Zsteg - A steganographic coder for WAV files

Learn Forensics

CTFs and Challenges

Resources

Web

Blogs

Books

more at Recommended Readings by Andrew Case

File System Corpora

Twitter

Vendors:

Other