My Favorite Tools & Resources
(This page is a work in progress)
I will periodically update this page to contain a list of my favorite tools, references, and resources for SecOps/DFIR/etc. I will add (and sometimes remove) things over time.
This is not meant to be an “all inclusive” list, just a curated list of some of my favorites — for a larger collection of awesome DFIR tools, check out this list.
A free and open source DFIR case management tool by the CERT at Airbus. One of its strengths is in building intrusion timelines and diagrams.
One of the first and best open source SOC/IR case management tools. Comes with the powerful Cortex engine for enriching observables/IOCs.
Velociraptor is a DFIR “Swiss army knife” written by Mike Cohen and honestly belongs in most of these categories. It can do almost anything you can imagine.
Check out my video walk-through of using Velociraptor for a live incident response.
Every DFIR practitioner should know about EZ’s tool repo. Eric has made superhuman contributions to the DFIR community with the tools he’s written over the years and makes available free of charge. He’s got a tool for nearly every Windows DFIR artifact we know and love.
KAPE is a fantastic Windows-only triage acquisition tool written by Eric Zimmerman. It is free, but not open source. Take note that the EULA for KAPE does not support using it for paid IR work without paying a license fee. That said, Velociraptor can be used for the same purpose and even takes advantage of the same KAPE Files (see next).
The KAPE Files repository is just as significant a resource: it is an open source repository of all the “best hits” forensic artifacts that a triage tool should know about.
Artifact Parsing/Timeline Analysis
FOSS tool for generating forensic timelines of a variety of different evidence sources. Easily one of the most powerful open source forensic frameworks available.
Timesketch is an open-source tool for collaborative forensic timeline analysis. Using sketches, you and your collaborators can organize your work and work together.
A phenomenal tool for parsing EVTX files to detect threats using Sigma and its own builtin threat detection rules.
Check out my guided walk-through in this post.
One of the newer memory analysis tools out there, yet quickly becoming a favorite among many.
Memory acquisition tool
Telemetry, Log Aggregation & Detection
No list would be complete without Sysmon — a free telemetry-generating agent from Microsoft Sysinternals that writes its own event log ripe with telemetry similar to any top-shelf EDR agent.
A paid platform with a free tier, LimaCharlie offers “Security Infrastructure as a Service” with a cross-platform EDR agent. It is not designed to be a “push button” solution, but it offers you all the log aggregation and threat rule engine capabilities of a SIEM.
The truly open source hard-fork of Elastic.
One of the easiest log aggregation solutions to deploy and use. Leverages the Sidecar agent to deploy log shipping across endpoints. Has a free and paid version.
A C2 tool from the team at BishopFox. Great for getting command-and-control on a system for testing detections, etc. Get hands-on with it in my guide: So you want to be a SOC analyst?
Very popular (paid) tool for adversary emulation. Supports Malleable C2 profiles for quickly tailoring your malware and traffic to resemble different threat actors.
Privacy & Secure Communication
ProtonMail (affiliate link)
If you value privacy and security of your email, there is no better choice than ProtonMail!
Not only do I recommend Signal for individuals who value secure and private communications, but using group chats is a great way for security teams to have secure out-of-band communication when production apps (Slack, Teams, etc.) may be compromised during an intrusion.