
Malicious Document Analysis
| Tool | Description |
|---|---|
| oletools | A suite of Python tools to analyze OLE and MS Office files. Includes olevba to extract and analyze VBA macros. |
| oleid | Part of oletools; quickly summarizes security-relevant features of an OLE file (e.g., macros, external links). |
| oledump.py | Lightweight tool for examining OLE files and extracting embedded streams like macros or payloads. Supports plugin extensions. |
| ViperMonkey | VBA emulation engine that deobfuscates and simulates macro execution. Useful for analyzing obfuscated or staged macros. |
| mraptor | Macro risk analyzer; flags Office documents that use risky macro behavior (e.g., auto-execution). |
| ExifTool | Extracts metadata from Office documents (author, creation time, embedded objects). Helpful for tracking attacker tooling or staging. |
PDF Analysis
| Tool | Description |
|---|---|
| Peepdf | Python tool to deeply analyze PDF files. Supports shell mode for inspecting objects, JavaScript, streams, and exploits. |
| PDFiD | Scans PDF files for suspicious keywords (e.g., /JavaScript, /OpenAction). Useful for triaging potentially malicious PDFs without full parsing. Handles obfuscation. |
Memory Forensics
| Tool | Description |
|---|---|
| Volatility3 | Leading framework for memory analysis (extracts processes, network connections, DLLs, etc.) |
| Belkasoft RAM Capturer | Lightweight tool to capture memory on Windows. |
| Redline | FireEye's free endpoint security tool; provides host investigation capabilities for finding signs of malicious activity through memory and file analysis and for building a threat assessment profile. |
Disk & File System Forensics
| Tool | Description |
|---|---|
| Autopsy/Sleuth Kit | GUI front-end for Sleuth Kit; supports timeline, keyword search, and metadata analysis. |
| FTK Imager | Forensic imaging and previewing tool; great for carving and verifying disk images. |
| LiME | Linux Memory Extractor. A Loadable Kernel Module (LKM) which allows for volatile memory acquisition from Linux and Linux-based devices. |
| Magnet AXIOM | Comprehensive commercial suite for disk, mobile, and cloud forensics. |
| MAGNET DumpIt | DumpIt is a fast memory acquisition tool for Windows (x86, x64, ARM64). Generate full memory crash dumps of Windows machines. |
| Bulk Extractor | Scans disk images for email addresses, credit card numbers, and other artifacts. |
Live Incident Triage
| Tool | Description |
|---|---|
| KAPE (Kroll Artifact Parser and Extractor) | Pulls key forensic artifacts from live systems or images fast; supports modular targets. |
| Velociraptor | Live IR and endpoint visibility tool; allows hunting, artifact collection, and custom queries. |
| GRR Rapid Response | Google-developed remote live forensics and incident response platform. |
| Sysinternals Suite | Tools like Autoruns, PsExec, ProcMon, and TCPView are IR essentials. |
| NirSoft Tools | NirSoft provides a unique collection of small and useful freeware utilities, all of them developed by Nir Sofer. |
| Live-Forensicator | Part of the Black Widow Toolbox; aims to assist forensic investigators and incident responders in carrying out a quick live forensic investigation. |
Log and Timeline Analysis
| Tool | Description |
|---|---|
| Hayabusa | Parses Windows Event Logs and produces a timeline with ATT&CK mappings. |
| Chainsaw | Fast event log hunter for EVTX files with Sigma rule support. |
| Timesketch | Timeline analysis tool for combining logs, file metadata, and more in one UI. |
| Plaso (log2timeline) | Extracts and structures timeline artifacts from multiple data sources. |
Network and Traffic Analysis
| Tool | Description |
|---|---|
| Wireshark | Packet capture analysis with filtering and protocol decoding. |
| NetworkMiner | Parses pcap files to extract hosts, files, and credentials. |
| Arkime (Moloch) | Full packet capture system with search and session replay. |
| Suricata | IDS/IPS engine with powerful ruleset for alerting and forensic PCAP analysis. |
Malware Analysis (Triage Focused)
| Tool | Description |
|---|---|
| PEStudio | Static malware analysis tool for PE file inspection (suspicious indicators, imports). |
| CAPA (by Mandiant/FLARE) | Detects capabilities in executables (e.g., C2, keylogging) based on rules. |
| Intezer Analyze | Detects code reuse in malware, matches to known threat actor samples. |
Static Malware Analysis
| Tool | Description |
|---|---|
| FLOSS | Extracts obfuscated and stack-encoded strings from malware binaries; great for uncovering C2 URLs, mutexes, and decryption routines. |
| Strings (Sysinternals) | Basic tool to pull ASCII/Unicode strings from executables and memory dumps. Good for quick triage. |
| Detect It Easy (DIE) | Identifies file packers, compilers, and cryptors; helpful in determining how a binary is constructed or obfuscated. |
| PE-bear | Lightweight PE file viewer for examining headers, sections, imports, and resources. Great for analysts wanting fine-grained insight. |
| PEview | Classic PE structure viewer to analyze file headers, section tables, and directory entries. |
| BinText | Extracts readable text, including Unicode and function names, from binary files. Useful in early-stage static analysis. |
| Resource Hacker | Views and extracts resources (icons, strings, dialogs) embedded in Windows executables. |
| Ghidra | Full-featured reverse engineering suite from the NSA; supports static disassembly, decompilation, and analysis of malware logic. |
| IDA Free | Industry-standard disassembler and debugger. Free version available for basic static disassembly and inspection. |
Payload Detonation & Sandbox
| Tool | Description |
|---|---|
| Cuckoo Sandbox | Open-source automated malware analysis sandbox. Supports Windows VM detonation, captures API calls, network traffic, dropped files, and screenshots. |
| Any.Run | Interactive malware sandbox (freemium). Analysts can control the environment in real-time to interact with documents, click buttons, and observe behavior. |
| Joe Sandbox | Commercial sandbox with detailed behavioral reports. Supports Windows, Android, macOS, Linux, and Office macro analysis. |
| Hybrid Analysis | Free behavioral analysis powered by Falcon Sandbox. Provides YARA matches, memory dumps, and execution graphs. |
| InQuest Labs | Offers multi-engine document and malware analysis. Focus on attachments, phishing payloads, and OLE documents. |
| Cape Sandbox | Fork of Cuckoo focused on code injection and payload extraction. Useful for fileless malware and in-memory payloads. |
| Valkyrie by Comodo | Cloud-based sandbox for dynamic analysis of unknown files. Focuses on zero-day and heuristic detection. |
| Triage by Recorded Future | Cloud sandbox with API support. Categorizes behavior, detects known malware families, and shows MITRE ATT&CK mapping. |
URL Sandboxes & Web Payload Analysis
| Tool | Description |
|---|---|
| Browserling | Browser sandbox that renders websites in real browsers (Chrome, IE, Firefox, etc.) on remote VMs; good for testing drive-by downloads and rendering issues. |
| urlscan.io | Sandboxes and scans a URL, showing HTTP requests, DOM content, redirects, trackers, and screenshots. Great for phishing site forensics. |
| URLhaus Viewer | Community-driven malicious URL database; useful for checking if a URL is associated with known malware delivery. |
| VirusTotal (URL Scan) | Submits URLs to multiple AV engines and sandbox backends, including behavior reports and redirect chains. |
| url2png | Renders a visual snapshot of a given URL. Good for safe previewing and evidence generation. API-based. |
| Screenshot Machine | Captures website screenshots remotely without visiting the site locally. Can automate phishing site documentation. |
| PhishTool | Tailored for phishing investigations; parses email headers and URLs, and renders landing pages in isolation. |
Cloud & Remote IR
| Tool | Description |
|---|---|
| AWS IR Playbooks | For Amazon cloud incident response. |
| DFIR IRIS | Open-source IR case management and timeline tool; good for team workflows. |
Registry, Artifacts, and Metadata
| Tool | Description |
|---|---|
| RegRipper | Extracts forensic evidence from Windows Registry hives. |
| EZ Tools by Eric Zimmerman | Includes RECmd, MFTECmd, JumpListExplorer, EvtxECmd, etc. |
| Events-Ripper | Easily extracts additional value and pivot points from a TLN events file. |
Command Line/Automation
| Tool | Description |
|---|---|
| CyberChef | Web-based tool for decoding, deobfuscation, and data transformation. |
| Sigma | Generic log detection rule format that can be translated to SIEM queries. |
| Strelka | File analysis framework at scale (e.g., for binary triage in IR). |