Faster & Better Way to analyze the EML Files
Updated Apr 4, 2023 - Python
Scripts automating computer forensics for Windows and Linux
Security incident response case studies demonstrating log analysis, threat hunting, and forensic investigation using Elastic Stack, TheHive, and MITRE ATT&CK
Resources for DFIR. And more.
This tool monitors Velociraptor's syslog messages for specific actions performed by users within the Velociraptor DFIR platform. When certain patterns are detected, it sends detailed email notifications to designated recipients, providing enhanced visibility into user activities and potential security events.
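As an added illustration of the pattern-matching step such a monitor performs (example code written for this page, not the tool's own), the block below parses constructed syslog lines, keeps only Velociraptor audit records whose operation is on a watch list, and builds the e-mail message that would be handed to an SMTP relay. The syslog layout, the JSON field names `operation`/`principal`/`details` and the watched operation names are assumptions made for the example; check them against the audit log of the Velociraptor version you run.

```python
"""Pattern-based alerting on Velociraptor audit events forwarded to syslog.

Added example, not the monitored tool's code. The log lines, the record
layout and the operation names are constructed for this demonstration.
"""
import json
import re
from email.message import EmailMessage

# Constructed sample syslog excerpt (assumption: each audit record is a
# JSON object after the usual "host program[pid]:" syslog prefix).
SAMPLE_SYSLOG = """\
Apr  4 10:01:12 velo velociraptor[1234]: {"level":"info","operation":"CollectArtifacts","principal":"alice","details":{"client_id":"C.1a2b3c","artifacts":["Windows.KapeFiles.Targets"]}}
Apr  4 10:02:40 velo velociraptor[1234]: {"level":"info","operation":"ListHunts","principal":"alice","details":{}}
Apr  4 10:05:03 velo velociraptor[1234]: {"level":"info","operation":"CreateHunt","principal":"bob","details":{"hunt_id":"H.9f8e7d","artifacts":["Generic.Client.Info"]}}
Apr  4 10:07:55 velo velociraptor[1234]: {"level":"info","operation":"DeleteClient","principal":"bob","details":{"client_id":"C.1a2b3c"}}
Apr  4 10:08:01 velo sshd[999]: Accepted publickey for root from 10.0.0.5
"""

# Operations that should raise a notification (assumption for this example).
WATCHED_OPERATIONS = {"CollectArtifacts", "CreateHunt", "DeleteClient"}

# Syslog prefix followed by the JSON payload; non-Velociraptor lines do not match.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"velociraptor\[\d+\]: (?P<json>\{.*\})$"
)


def parse_line(line):
    """Return a dict for a Velociraptor audit line, or None for anything else."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    try:
        rec = json.loads(m.group("json"))
    except json.JSONDecodeError:
        return None  # malformed payload: skip rather than crash the monitor
    return {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "operation": rec.get("operation", ""),
        "principal": rec.get("principal", "unknown"),
        "details": rec.get("details", {}),
    }


def find_alerts(text, watched=WATCHED_OPERATIONS):
    """Parse every line and keep the records whose operation is watched."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["operation"] in watched:
            alerts.append(rec)
    return alerts


def build_notification(alerts, sender, recipients):
    """Build (but do not send) the e-mail a monitor would hand to smtplib."""
    msg = EmailMessage()
    msg["Subject"] = f"[Velociraptor] {len(alerts)} watched user action(s)"
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    lines = [
        f"{a['ts']} {a['host']} {a['principal']} {a['operation']} "
        f"{json.dumps(a['details'], sort_keys=True)}"
        for a in alerts
    ]
    msg.set_content("\n".join(lines) + "\n")
    return msg


if __name__ == "__main__":
    found = find_alerts(SAMPLE_SYSLOG)
    print(build_notification(found, "velo@example.com", ["soc@example.com"]))
```

To turn this into a live monitor, feed `parse_line` from a `tail -F` of the syslog file (or a journald reader) and pass the message to `smtplib.SMTP.send_message`; keep the parsing and the sending separate so the matching logic can be unit-tested against captured lines.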
AWMFA - Automated Windows Memory Forensics Analysis. Python automation framework for Volatility 2 that streamlines memory analysis. Features: automated plugin execution with threading, intelligent threat detection using 28+ heuristics, no deep Windows internals knowledge required, multi-format reports (TXT/HTML/PDF).
This script is designed to pull data from the Carbon Black Cloud. One disadvantage of the CBC GUI is the inability to see the command line for each process in bulk; instead, you need to click on each process individually. This spits out the command lines so you can quickly spot evil.
Windows Artifact Parser
This script collects a large part of the information usually gathered from a Linux system during an expert examination or forensic analysis. All collected information is also hashed with SHA256 for integrity.
Cortex-Analyzers Modified - SecTeam/CERT/SOC Security orchestration tools on steroids
AutoParser is a forensic tool for parsing offline registry hives.
A forensic command-line tool for deep analyzing PDF files
Ingest and query NIST NSRL Reference Data Sets in Elasticsearch with Python tools and libraries.
Sabonis, a Digital Forensics and Incident Response pivoting tool
This batch script automates the deployment and management of the DFIR-IRIS web application using Docker on Windows
Binalyze AIR and Carbon Black Cloud Integration
osquery_hunter is a lightweight, Python-based triage helper for Windows systems. It uses osquery to enumerate running processes, network sockets, and signatures — helping analysts quickly spot unsigned or suspicious binaries. Ideal for DFIR, incident response, and blue-team investigations in environments without full EDR coverage.
Create a timeline of files in a folder.
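The two repositories above that walk a filesystem (the Linux collection script with its SHA256 hashing, and the folder timeline) share one core: stat every file, hash it, and order the timestamps. The block below is an added example written for this page, not code from either repository. It builds a small constructed folder in a temporary directory so it runs anywhere, emits a body-file style timeline (one event per m/a/c time, oldest first) and a SHA256 manifest that can itself be hashed and recorded so the collection can be verified later.

```python
"""Folder timeline plus SHA256 manifest, in the style of a DFIR collection script.

Added example for this page; the sample folder and its timestamps are constructed.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large evidence files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def collect(folder):
    """One record per regular file: path, size, m/a/c times and SHA256."""
    records = []
    for root, _dirs, files in os.walk(folder):
        for name in files:
            p = Path(root) / name
            # lstat + is_symlink: never follow links out of the evidence tree
            if p.is_symlink() or not p.is_file():
                continue
            st = p.lstat()
            records.append({
                "path": str(p),
                "size": st.st_size,
                "mtime": st.st_mtime,
                "atime": st.st_atime,
                "ctime": st.st_ctime,
                "sha256": sha256_file(p),
            })
    return records


def timeline(records):
    """Flatten to (timestamp, kind, path) tuples sorted oldest first."""
    events = []
    for r in records:
        for kind in ("mtime", "atime", "ctime"):
            events.append((r[kind], kind, r["path"]))
    events.sort()
    return events


def format_event(ts, kind, path):
    """Render one event with a UTC ISO-8601 timestamp (never local time)."""
    return f"{datetime.fromtimestamp(ts, timezone.utc).isoformat()} {kind} {path}"


def manifest_lines(records):
    """sha256sum-compatible lines, sorted so the manifest is reproducible."""
    return sorted(f"{r['sha256']}  {r['path']}" for r in records)


def manifest_sha256(records):
    """Hash of the manifest itself: record this value in the case notes."""
    return hashlib.sha256("\n".join(manifest_lines(records)).encode()).hexdigest()


def build_sample_folder():
    """Constructed evidence tree with known contents and backdated timestamps."""
    d = tempfile.mkdtemp(prefix="tl_")
    old = Path(d) / "old.log"
    old.write_bytes(b"abc")
    os.utime(old, (1_600_000_000, 1_600_000_000))  # atime, mtime
    empty = Path(d) / "sub" / "empty.txt"
    empty.parent.mkdir()
    empty.write_bytes(b"")
    os.utime(empty, (1_650_000_000, 1_650_000_000))
    return d


if __name__ == "__main__":
    recs = collect(build_sample_folder())
    for ts, kind, path in timeline(recs):
        print(format_event(ts, kind, path))
    print("\n".join(manifest_lines(recs)))
    print("manifest sha256:", manifest_sha256(recs))
```

Note that only atime and mtime can be set with `os.utime`; ctime is assigned by the kernel, so the ctime events for the sample files carry the current time and sort last. That is also why an analyst reads ctime separately: it records metadata changes (including timestomping of mtime) that the file's own mtime does not.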