Awesome Incident Response

A curated list of tools and resources for security incident response, aimed to help security analysts and DFIR teams.
Digital Forensics and Incident Response (DFIR) teams are groups of people in an organization responsible for managing the response to a security incident, including gathering evidence of the incident, remediating its effects, and implementing controls to prevent the incident from recurring in the future.
Contents
IR Tools Collection
Adversary Emulation
- APTSimulator - Windows Batch script that uses a set of tools and output files to make a system look as if it was compromised.
- Atomic Red Team (ART) - Small and highly portable detection tests mapped to the MITRE ATT&CK Framework.
- AutoTTP - Automated Tactics, Techniques & Procedures, for re-running complex attack sequences that would otherwise be repeated manually for regression tests, product evaluations, and generating data for researchers.
- Caldera - Automated adversary emulation system that performs post-compromise adversarial behavior within Windows Enterprise networks. It generates plans during operation using a planning system and a pre-configured adversary model based on the Adversarial Tactics, Techniques & Common Knowledge (ATT&CK™) project.
- DumpsterFire - Modular, menu-driven, cross-platform tool for building repeatable, time-delayed, distributed security events. Easily create custom event chains for Blue Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations.
- Metta - Information security preparedness tool to do adversarial simulation.
- Network Flight Simulator - Lightweight utility used to generate malicious network traffic and help security teams to evaluate security controls and network visibility.
- Red Team Automation (RTA) - RTA provides a framework of scripts designed to allow blue teams to test their detection capabilities against malicious tradecraft, modeled after MITRE ATT&CK.
- RedHunt-OS - Virtual machine for adversary emulation and threat hunting.
All-In-One Tools
- Belkasoft Evidence Center - The toolkit will quickly extract digital evidence from multiple sources by analyzing hard drives, drive images, memory dumps, iOS, Blackberry and Android backups, UFED, JTAG and chip-off dumps.
- CimSweep - Suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows.
- CIRTkit - CIRTKit is not just a collection of tools, but also a framework to aid in the ongoing unification of Incident Response and Forensics investigation processes.
- Cyber Triage - Cyber Triage collects and analyzes host data to determine if it is compromised. Its scoring system and recommendation engine allow you to quickly focus on the important artifacts. It can import data from its collection tool, disk images, and other collectors (such as KAPE). It can run on an examiner's desktop or in a server model. Developed by Sleuth Kit Labs, which also makes Autopsy.
- Dissect - Dissect is a digital forensics & incident response framework and toolset that allows you to quickly access and analyse forensic artefacts from various disk and file formats, developed by Fox-IT (part of NCC Group).
- Doorman - osquery fleet manager that allows remote management of osquery configurations retrieved by nodes. It takes advantage of osquery's TLS configuration, logger, and distributed read/write endpoints, to give administrators visibility across a fleet of devices with minimal overhead and intrusiveness.
- Falcon Orchestrator - Extendable Windows-based application that provides workflow automation, case management and security response functionality.
- Flare - A fully customizable, Windows-based security distribution for malware analysis, incident response, penetration testing.
- Fleetdm - State of the art host monitoring platform tailored for security experts. Leveraging Facebook's battle-tested osquery project, Fleetdm delivers continuous updates, features and fast answers to big questions.
- GRR Rapid Response - Incident response framework focused on remote live forensics. It consists of a python agent (client) that is installed on target systems, and a python server infrastructure that can manage and talk to the agent. Besides the included Python API client, PowerGRR provides an API client library in PowerShell working on Windows, Linux and macOS for GRR automation and scripting.
- IRIS - IRIS is a web collaborative platform for incident response analysts that allows them to share investigations at a technical level.
- Kuiper - Digital Forensics Investigation Platform.
- Limacharlie - Endpoint security platform composed of a collection of small projects all working together that gives you a cross-platform (Windows, OSX, Linux, Android and iOS) low-level environment for managing and pushing additional modules into memory to extend its functionality.
- Matano - Open source serverless security lake platform on AWS that lets you ingest, store, and analyze petabytes of security data in an Apache Iceberg data lake and run realtime Python detections as code.
- MozDef - Automates the security incident handling process and facilitates the real-time activities of incident handlers.
- MutableSecurity - CLI program for automating the setup, configuration, and use of cybersecurity solutions.
- nightHawk - Application built for asynchronous forensic data presentation using ElasticSearch as the backend. It's designed to ingest Redline collections.
- Open Computer Forensics Architecture - Another popular distributed open-source computer forensics framework. This framework was built on the Linux platform and uses a PostgreSQL database for storing data.
- osquery - Easily ask questions about your Linux and macOS infrastructure using a SQL-like query language; the provided incident-response pack helps you detect and respond to breaches.
- Redline - Provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis, and the development of a threat assessment profile.
- SOC Multi-tool - A powerful and user-friendly browser extension that streamlines investigations for security professionals.
- The Sleuth Kit & Autopsy - Unix and Windows based tool which helps in forensic analysis of computers. It comes with various tools which help in digital forensics, such as analyzing disk images, performing in-depth analysis of file systems, and various other tasks.
- TheHive - Scalable 3-in-1 open source and free solution designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly.
- Velociraptor - Endpoint visibility and collection tool.
- X-Ways Forensics - Forensics tool for disk cloning and imaging. It can be used to find deleted files and for disk analysis.
- Zentral - Combines osquery's powerful endpoint inventory features with a flexible notification and action framework. This enables one to identify and react to changes on OS X and Linux clients.
Books
Communities
Disk Image Creation Tools
- AccessData FTK Imager - Forensics tool whose main purpose is to preview recoverable data from a disk of any kind. FTK Imager can also acquire live memory and the paging file on 32-bit and 64-bit systems.
- Bitscout - Bitscout by Vitaly Kamluk helps you build your fully-trusted customizable LiveCD/LiveUSB image to be used for remote digital forensics (or perhaps any other task of your choice). It is meant to be transparent and monitorable by the owner of the system, forensically sound, customizable and compact.
- GetData Forensic Imager - Windows based program that will acquire, convert, or verify a forensic image in one of the following common forensic file formats.
- Guymager - Free forensic imager for media acquisition on Linux.
- Magnet ACQUIRE - ACQUIRE by Magnet Forensics allows various types of disk acquisitions to be performed on Windows, Linux, and OS X as well as mobile operating systems.
Evidence Collection
- Acquire - Acquire is a tool to quickly gather forensic artifacts from disk images or a live system into a lightweight container. This makes Acquire an excellent tool to, among other things, speed up the process of digital forensic triage. It uses Dissect to gather that information from the raw disk, if possible.
- artifactcollector - The artifactcollector project provides software that collects forensic artifacts on systems.
- bulk_extractor - Computer forensics tool that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. Because it ignores the file system structure, the program distinguishes itself in terms of speed and thoroughness.
- Cold Disk Quick Response - Streamlined list of parsers to quickly analyze a forensic image file (dd, E01, .vmdk, etc.) and output nine reports.
- CyLR - The CyLR tool collects forensic artifacts from hosts with NTFS file systems quickly and securely while minimizing impact to the host.
- Forensic Artifacts - Digital Forensics Artifact Repository
- ir-rescue - Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response.
- Live Response Collection - Automated tool that collects volatile data from Windows, OSX, and *nix based operating systems.
- Margarita Shotgun - Command line utility (that works with or without Amazon EC2 instances) to parallelize remote memory acquisition.
- SPECTR3 - Acquire, triage and investigate remote evidence via portable iSCSI read-only access.
- UAC - UAC (Unix-like Artifacts Collector) is a Live Response collection script for Incident Response that makes use of native binaries and tools to automate the collection of system artifacts from AIX, Android, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris.
Incident Management
- Catalyst - A free SOAR system that helps to automate alert handling and incident response processes.
- CyberCPR - Community and commercial incident management tool with Need-to-Know built in to support GDPR compliance while handling sensitive incidents.
- Cyphon - Cyphon eliminates the headaches of incident management by streamlining a multitude of related tasks through a single platform. It receives, processes and