DFIR tools
Even with the awesome lists all over GitHub, I kept losing track of cool tools, so here are some of them:
(last update 11.09.2022)
In the spirit of keeping the resources updated, I'm moving this post to aldosimon/infosec-compendium.
event log parser
chainsaw: Chainsaw provides a powerful ‘first-response’ capability to quickly identify threats within Windows event logs. It offers a generic and fast method of searching through event logs for keywords, and of identifying threats using built-in support for Sigma detection rules and custom Chainsaw detection rules.
DeepBlueCLI: a PowerShell module for threat hunting via Windows event logs.
logparser studio: parsing of Event Viewer and other logs with a SQL language interface.
endpoint
velociraptor: Velociraptor is a tool for collecting host-based state information using the Velociraptor Query Language (VQL) queries.
osquery: osquery is a SQL-powered operating system instrumentation, monitoring, and analytics framework.
loki: simple IOC and YARA scanner.
KAPE: Kroll Artifact Parser And Extractor, lets forensic teams collect and process forensically useful artifacts within minutes.
all in one analysis
Autopsy / TSK: Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools.
knowledge base, tutorial, cheatsheet, etc
event ids: GitHub event ID awesome list.
mitre to evtx: MITRE mapping to event IDs.
lenny zeltser log cheatsheet: IR critical log review cheatsheet.
lenny zeltser incident survey: security incident survey cheat sheet for server administrators.
Written by
Ewaldo Simon Hiras
I am a digital forensics and incident response professional with an interest in various topics of information security. I enjoy leisure running 🏃♂️ and PC games.