A Python package and CLI for parsing aggregate and forensic DMARC reports

Cross-platform incident response and live forensics toolkit with built-in detection, structured analysis, and report generation — designed for fast, actionable security investigations.

DFF (Digital Forensics Framework) is a Forensics Framework coming with command line and graphical interfaces. DFF can be used to investigate hard drives and volatile memory and create reports about user and system activities.

VOYEUR's main purpose is to generate a fast (and pretty) Active Directory report. The tool is developed entirely in PowerShell (a powerful scripting language) without dependencies (just .Net Framework 3.5 and Ofiice Excel if you want an useful and pretty report). The generated report is a perfect starting point for well-established forensic, incident response team, or security researchers who want to quickly analyze threats in Active Directory Services.

Hollowfind is a Volatility plugin to detect different types of process hollowing techniques used in the wild to bypass, confuse, deflect and divert the forensic analysis techniques. The plugin detects such attacks by finding discrepancy in the VAD and PEB, it also disassembles the address of entry point to detect any redirection attempts and also reports any suspicious memory regions which should help in detecting any injected code.

Analyse a forensic target (such as a directory) to find and report files found and not found from CIRCL hashlookup public service - https://circl.lu/services/hashlookup/

PCAP Hunter is an AI threat hunting workbench. It uses Zeek and Tshark to analyze PCAPs, enriched by OSINT. Features include a world map, JA3 forensics, and C2 detection. It generates multi-language security reports via local or cloud LLMs, prioritizing privacy and speed.

Browser Reviewer is a portable forensic tool for analyzing user activity in Firefox and Chrome-based browsers. It extracts and displays browsing history, downloads, bookmarks, and autofill data. The tool allows analysts to tag, comment, and export reports in PDF.

Documents and forensic artifacts from 2018-2019 HRW investigation reported in ”China’s Algorithms of Repression” (available at: https://www.hrw.org/node/329384)

Repository of Digital Forensics lab experiments for academic purposes, including evidence acquisition, Autopsy analysis, Wireshark traffic capture, log investigation, memory forensics, and report writing.

Digital forensics for Google Drive—done right. Identify, preserve, and document cloud evidence with hash verification, timeline reconstruction, and defensible reporting for typical DLP cases.

This is a Forensics Report made after a thorough digital examination of the Jeans Case Evidence Image.

2020 was a roller coaster of major, world-shaking events. We all couldn't wait for the year to end. But just as 2020 was about to close, it pulled another fast one on us: the SolarWinds hack, one of the biggest cybersecurity breaches of the 21st century. The SolarWinds hack was a major event not because a single company was breached, but because it triggered a much larger supply chain incident that affected thousands of organizations, including the U.S. government. What is SolarWinds? SolarWinds is a major software company based in Tulsa, Okla., which provides system management tools for network and infrastructure monitoring, and other technical services to hundreds of thousands of organizations around the world. Among the company's products is an IT performance monitoring system called Orion. As an IT monitoring system, SolarWinds Orion has privileged access to IT systems to obtain log and system performance data. It is that privileged position and its wide deployment that made SolarWinds a lucrative and attractive target. What is the SolarWinds hack? The SolarWinds hack is the commonly used term to refer to the supply chain breach that involved the SolarWinds Orion system. In this hack, suspected nation-state hackers that have been identified as a group known as Nobelium by Microsoft -- and often simply referred to as the SolarWinds Hackers by other researchers -- gained access to the networks, systems and data of thousands of SolarWinds customers. The breadth of the hack is unprecedented and one of the largest, if not the largest, of its kind ever recorded. More than 30,000 public and private organizations -- including local, state and federal agencies -- use the Orion network management system to manage their IT resources. As a result, the hack compromised the data, networks and systems of thousands when SolarWinds inadvertently delivered the backdoor malware as an update to the Orion software. SolarWinds customers weren't the only ones affected. Because the hack exposed the inner workings of Orion users, the hackers could potentially gain access to the data and networks of their customers and partners as well -- enabling affected victims to grow exponentially from there. Orion Platform hack compromised networks of thousands of SolarWinds customers Hackers compromised a digitally signed SolarWinds Orion network monitoring component, opening a backdoor into the networks of thousands of SolarWinds government and enterprise customers. How did the SolarWinds hack happen? The hackers used a method known as a supply chain attack to insert malicious code into the Orion system. A supply chain attack works by targeting a third party with access to an organization's systems rather than trying to hack the networks directly. The third-party software, in this case the SolarWinds Orion Platform, creates a backdoor through which hackers can access and impersonate users and accounts of victim organizations. The malware could also access system files and blend in with legitimate SolarWinds activity without detection, even by antivirus software. SolarWinds was a perfect target for this kind of supply chain attack. Because their Orion software is used by many multinational companies and government agencies, all the hackers had to do was install the malicious code into a new batch of software distributed by SolarWinds as an update or patch. The SolarWinds hack timeline Here is a timeline of the SolarWinds hack: September 2019. Threat actors gain unauthorized access to SolarWinds network October 2019. Threat actors test initial code injection into Orion Feb. 20, 2020. Malicious code known as Sunburst injected into Orion March 26, 2020. SolarWinds unknowingly starts sending out Orion software updates with hacked code According to a U.S. Department of Homeland Security advisory, the affected versions of SolarWinds Orion are versions are 2019.4 through 2020.2.1 HF1. More than 18,000 SolarWinds customers installed the malicious updates, with the malware spreading undetected. Through this code, hackers accessed SolarWinds's customer information technology systems, which they could then use to install even more malware to spy on other companies and organizations. Who was affected? According to reports, the malware affected many companies and organizations. Even government departments such as Homeland Security, State, Commerce and Treasury were affected, as there was evidence that emails were missing from their systems. Private companies such as FireEye, Microsoft, Intel, Cisco and Deloitte also suffered from this attack. The breach was first detected by cybersecurity company FireEye. The company confirmed they had been infected with the malware when they saw the infection in customer systems. FireEye labeled the SolarWinds hack "UNC2452" and identified the backdoor used to gain access to its systems through SolarWinds as "Sunburst." Microsoft also confirmed that it found signs of the malware in its systems, as the breach was affecting its customers as well. Reports indicated Microsoft's own systems were being used to further the hacking attack, but Microsoft denied this claim to news agencies. Later, the company worked with FireEye and GoDaddy to block and isolate versions of Orion known to contain the malware to cut off hackers from customers' systems. They did so by turning the domain used by the backdoor malware used in Orion as part of the SolarWinds hack into a kill switch. The kill switch here served as a mechanism to prevent Sunburst from operating further. Nonetheless, even with the kill switch in place, the hack is still ongoing. Investigators have a lot of data to look through, as many companies using the Orion software aren't yet sure if they are free from the backdoor malware. It will take a long time before the full impact of the hack is known. Why did it take so long to detect the SolarWinds attack? With attackers having first gained access to the SolarWinds systems in September 2019 and the attack not being publicly discovered or reported until December 2020, attackers may well have had 14 or more months of unfettered access. The time it takes between when an attacker is able to gain access and the time an attack is actually discovered is often referred to as dwell time. According to a report released in January 2020 by security firm CrowdStrike, the average dwell time in 2019 was 95 days. Given that it took well over a year from the time the attackers first entered the SolarWinds network until the breach was discovered, the dwell time in the attack exceeded the average. The question of why it took so long to detect the SolarWinds attack has a lot to do with the sophistication of the Sunburst code and the hackers that executed the attack. "Analysis suggests that by managing the intrusion through multiple servers based in the United States and mimicking legitimate network traffic, the attackers were able to circumvent threat detection techniques employed by both SolarWinds, other private companies, and the federal government," SolarWinds said in its analysis of the attack. FireEye, which was the first firm to publicly report the attack, conducted its own analysis of the SolarWinds attack. In its report, FireEye described in detail the complex series of action that the attackers took to mask their tracks. Even before Sunburst attempts to connect out to its command-and-control server, the malware executes a number of checks to make sure no antimalware or forensic analysis tools are running. What was the purpose of the hack? The purpose of the hack remains largely unknown. Still, there are many reasons hackers would want to get into an organization's system, including having access to future product plans or employee and customer information held for ransom. It is also not yet clear what information, if any, hackers stole from government agencies. But the level of access appears to be deep and broad. There are speculations that many enterprises might be collateral damage, as the main focus of the attack was government agencies that make use of the SolarWinds IT management systems. Who was responsible for the hack? Federal investigators and cybersecurity agents believe a Russian espionage operation -- mostly likely Russia's Foreign Intelligence Service -- is behind the SolarWinds attack. The Russian government has denied any involvement in the attack, releasing a statement that said, "Malicious activities in the information space contradicts the principles of the Russian foreign policy, national interests and understanding of interstate relations." They also added that "Russia does not conduct offensive operations in the cyber domain." Contrary to experts in his administration, then-President Donald Trump hinted at around the time of the discovery of the SolarWinds hack that Chinese hackers might be behind the cybersecurity attack. However, he did not present any evidence to back up his claim. Shortly after his inauguration, President Joe Biden vowed that his administration intended to hold Russia accountable, through the launch of a full-scale intelligence assessment and review of the SolarWinds attack and those behind it. The president also created the position of deputy national security adviser for cybersecurity as part of the National Security Council. The role, held by veteran intelligence operative Anne Neuberger, is part of an overall bid by the Biden administration to refresh the federal government's approach to cybersecurity and better respond to nation-state actors. Naming the attack: What is Solorigate, Sunburst and Nobelium? The SolarWinds attack has a number of different names associated with it. While the attack is often referred to simply as the SolarWinds attack, that isn't the only name to know. Sunburst. This is the name of the actual malicious code injection that was planted by hackers into the SolarWinds Orion IT monitoring system code. Both SolarWinds and CrowdStrike generally refer to the attack as Sunburst. Solorigate. Microsoft initially dubbed the actual threat actor group behind the SolarWinds attack as Solorigate. It's a name that stuck and was adopted by other researchers as well as media. Nobelium. In March 2021, Microsoft decided that the primary designation for the threat actor behind the SolarWinds attack should actually be Nobelium -- the idea being that the group is active against multiple victims -- not just SolarWinds -- and uses more malware than just Sunburst. The China connection to the SolarWinds attack While it is suspected that the initial Sunburst code and the attack against SolarWinds and its users came from a threat actor based in Russia, other nation-state threat actors have also used SolarWinds in attacks. According to a Reuters report, suspected nation-state hackers based in China exploited SolarWinds during the same period of time the Sunburst attack occurred. The suspected China-based threat actors targeted the National Finance Center, which is a payroll agency within the U.S. Department of Agriculture. It is suspected that the China-based attackers did not use Sunburst, but rather a different malware that SolarWinds identifies as Supernova. Why is the SolarWinds hack important? The SolarWinds supply chain attack is a global hack, as threat actors turned the Orion software into a weapon gaining access to several government systems and thousands of private systems around the world. Due to the nature of the software -- and by extension the Sunburst malware -- having access to entire networks, many government and enterprise networks and systems face the risk of significant breaches. The hack could also be the catalyst for rapid, broad change in the cybersecurity industry. Many companies and government agencies are now in the process of devising new methods to react to these types of attacks before they happen. Governments and organizations are learning that it is not enough to build a firewall and hope it protects them. They have to actively seek out vulnerabilities in their systems, and either shore them up or turn them into traps against these types of attacks. Since the hack was discovered, SolarWinds has recommended customers update their existing Orion platform. The company has released patches for the malware and other potential vulnerabilities discovered since the initial Orion attack. SolarWinds also recommended customers not able to update Orion isolate SolarWinds servers and/or change passwords for accounts that have access to those servers. The greater White House cybersecurity focus will be crucial, some industry experts have said. But organizations should consider adopting modern software-as-a-service tools for monitoring and collaboration. While the cybersecurity industry has significantly advanced in the last decade, these kinds of attacks show that there is still a long way to go to get really secure systems. The Nobelium group continues to attack targets The suspected threat actor group behind the SolarWinds attack has remained active in 2021 and hasn't stopped at just targeting SolarWinds. On May 27, 2021, Microsoft reported that Nobelium, the group allegedly behind the SolarWinds attack, infiltrated software from email marketing service Constant Contact. According to Microsoft, Nobelium targeted approximately 3,000 email accounts at more than 150 different organizations. The initial attack vector appears to be an account used by USAID. From that initial foothold, Nobelium was able to send out phishing emails in an attempt to get victims to click on a link that would deploy a backdoor Trojan designed to steal user information.

AI-powered DFIR triage for Windows and Linux. Upload a disk image, select artifacts, get a forensic report - in minutes, not hours. Runs entirely on your machine. No cloud, no external services. Built for incident responders who need speed without sacrificing control.

Forensic Wace is a python tool that allows you to analyse the data contained within the WhatsApp database for iOS. It allows you to explore the data in the database and generate detailed, anti-tamper reports. This tool supports multi-threading and can be installed on a central server in your company network and use it from employees PCs

A Forensic SQLite Database Analyser and Reporting Tool written in Python 2.7.

🗝️ The Voidweaver's Trail: Season 1 Investigation Reports for Echo Response. Uncovering hidden identities and securing the Nullform Key across the Cyber Realm via advanced forensics and cryptanalysis.

Browse Windows Recycle Bin from E01 forensic images with Explorer-style interface. Parse $I/$R artifacts, view deleted files in original folder structure, export with timestamps & hash calculation. Supports Win7/8/10/11. Built with PySide6, pyewf, pytsk3. CSV/JSON reports. DFIR tool for investigators.

This report was written for the Digital Forensics Analysis coursework, specifically the first assignment. In which, steps and screenshots for each investigation process are recorded.

Forensic Wace is a python tool that allows you to analyse the data contained within the WhatsApp database for iOS. It allows you to explore the data in the database and generate detailed, anti-tamper reports.

Blockchain and AI are on just about every chief information officers watchlist of game-changing technologies that stand to reshape industries. Both technologies come with immense benefits, but both also bring their own challenges for adoption. It is also fair to say that the hype surrounding these technologies individually may be unprecedented, so the thought of bringing these two ingredients together may be viewed by some as brewing a modern-day version of IT pixie dust. At the same time, there is a logical way to think about this mash-up that is both sensible and pragmatic. Today, AI is for all intents and purposes a centralized process. An end user must have extreme faith in the central authority to produce a trusted business outcome. By decentralizing the three key elements of AI — that is, data, models, and analytics — blockchain can deliver the trust and confidence often needed for end users to fully adopt and rely on AI-based business processes. Let’s explore how blockchain is poised to enrich AI by bringing trust to data, models and analytics. Your data is your data Many of the world’s most notable AI technology services are centralized — including Amazon, Apple, Facebook, Google, as well as Chinese companies Alibaba, Baidu and Tencent. Yet all have encountered challenges in establishing trust among their eager, but somewhat cautious users. How can a business provide assurance to its users that its AI has not overstepped its bounds? Imagine if these AI services could produce a “forensic report,” verified by a third party, to prove to you, beyond a reasonable doubt, how and when businesses are using your data once those are ingested. Imagine further that your data could be used only if you gave permission to do so. A blockchain ledger can be used as a digital rights management system, allowing your data to be “licensed” to the AI provider under your terms, conditions and duration. The ledger would act as an access management system storing the proofs and permission by which a business can access and use the user’s data. Trusted AI models Consider the example of using blockchain technology as a means of providing trusted data and provenance of training models for machine learning. In this case, we’ve created a fictitious system to answer the question of whether a fruit is an apple or orange. This question-answering system that we build is called a model, and this model is created via a process called training. The goal of training is to create an accurate model that answers our questions correctly most of the time. Of course, to train a model, we need to collect data to train on — for this example, that could be the color of the fruit (as a wavelength of light) and the sugar content (as a percentage). With blockchain, you can track the provenance of the training data as well as see an audit trail of the evidence that led to the prediction of why a particular fruit is considered an apple versus an orange. A business can also prove that it is not “juicing up” its books by tagging fruit more often as apples, if that is the more expensive of the two fruits. Explaining AI decisions The European Union has adopted a law requiring that any decision made by a machine be readily explainable, on penalty of fines that could cost companies billions of dollars. The EU General Data Protection Regulation (GDPR), which came into force in 2018, includes a right to obtain an explanation of decisions made by algorithms and a right to opt out of some algorithmic decisions altogether. Massive amounts of data are being produced every second — more data than humans have the ability to assess and use as the basis for drawing conclusions. However, AI applications are capable of assessing large data sets and many variables, while learning about or connecting those variables relevant to its tasks and objectives. For this very reason, AI continues to be adopted in various industries and applications, and we are relying more and more on their outcomes. It is essential, however, that any decisions made by AI are still verified for accuracy by humans. Blockchain can help clarify the provenance, transparency, understanding, and explanations of those outcomes and decisions. If decisions and associated data points are recorded via transactions on a blockchain, the inherent attributes of blockchain will make auditing them much simpler. Blockchain is a key technology that brings trust to transactions in a network; therefore, infusing blockchain into AI decision-making processes could be the element needed to achieve the transparency necessary to fully trust the decisions and outcomes derived from AI. Blockchain and the Internet of Things More than a billion intelligent, connected devices are already part of today’s IoT. The expected proliferation of hundreds of billions more places us at the threshold of a transformation sweeping across the electronics industry and many other areas. With the advancement in IoT, industries are now enabled to capture data, gain insight from the data, and make decisions based on the data. Therefore, there is a lot of “trust” in the information obtained. But the real truth of the matter is, do we really know where these data came from and should we be making decisions and transacting based on data we cannot validate? For example, did weather data really originate from a censor in the Atlantic Ocean or did the shipping container really not exceed the agreed temperature limit? The IoT use cases are massive, but they all share the same issue with trust. IoT with blockchain can bring real trust to captured data. The underlying idea is to give devices, at the time of their creation, an identity that can be validated and verified throughout their lifecycle with blockchain. There is great potential for IoT systems in blockchain technology capabilities that rely on device identity protocols and reputation systems. With a device identity protocol, each device can have its own blockchain public key and send encrypted challenge and response messages to other devices, thereby ensuring a device remains in control of its identity. In addition, a device with an identity can develop a reputation or history that is tracked by a blockchain. Smart contracts represent the business logic of a blockchain network. When a transaction is proposed, these smart contracts are autonomously executed within the guidelines set by the network. In IoT networks, smart contracts can play a pivotal role by providing automated coordination and authorization for transactions and interactions. The original idea behind IoT was to surface data and gain actionable insight at the right time. For example, smart homes are a thing of the present and most everything can be connected. In fact, with IoT, when something goes wrong, these IoT devices can even take action — for example, ordering a new part. We need a way to govern the actions taken by these devices, and smart contracts are a great way to do so. In an ongoing experiment I have followed in Brooklyn, New York, a community is using a blockchain to record the production of solar energy and enable the purchase of excess renewable energy credits. The device itself has an identity and builds a reputation through its history of records and exchange. Through the blockchain, people can aggregate their purchasing power more easily, share the burden of maintenance, and trust that devices are recording actual solar production. As IoT continues to evolve and its adoption continues to grow, the ability to autonomously manage devices and actions taken by devices will be essential. Blockchain and smart contracts are positioned well to integrate those capabilities into IoT.

A Python package and CLI for parsing aggregate and forensic DMARC reports.

All-in-one Linux CLI for CTF steganography & forensic image analysis. Automates exiftool, zsteg, binwalk, steghide, and more — one command, full report, organized output.

Windows FeatureUsage Analyzer: Extract and analyze Windows registry FeatureUsage artifacts for forensic investigation. Tracks app switching, Start Menu usage, search patterns, and user behavior with detailed JSON/HTML reports

The Electric Network Frequency (ENF) is the supply frequency of power distribution networks, which can be captured by multimedia signals recorded near electrical activities. It normally fluctuates slightly over time from its nominal value of 50 Hz/60 Hz. The ENF remain consistent across the entire power grid. This has led to the emergence of multiple forensic application like estimating the recording location and validating the time of recording. Recently an ENF based Machine Learning system was proposed which infers the region of recording from the power grids ENF signal extracted from the recorded multimedia signal, with the help of relevant features. In this work, we report some features novel to this application which serve as identifying characteristics for detecting the region of origin of the multimedia recording. In addition to the ENF variation itself, the utilization of the ENF harmonics pattern extracted from the media signals as novel features enables a more accurate identification of the region of origin. These characteristics were used in a multiclass machine learning implementation to identify the grid of the recorded signal.

Several python scripts for "dump and go" type mobile forensic reports.

Forensic snapshot tool. Generates browsable offline HTML reports from drives, folders, and E01 images. Features file hashing and keyword search.Forensic snapshot tool. Generates browsable offline HTML reports from drives, folders, and E01 images. Features file hashing and keyword search.

SudoCop HashBro is a powerful file hashing utility designed for digital forensics and evidence verification. It allows users to compute cryptographic hash values for files, compare hashes to identify matching files, and generate detailed reports for documentation.

Adds the results of a digital investigation directly and automatically into structured and styled tables inside a forensic expert witness report whilst allowing the selection of three pre-existing forensic expert witness report templates to choose from.

Offline Microsoft 365 forensic triage for exported CSV logs (UAL + Entra ID sign-ins). Generates a court-friendly, evidence-focused HTML report and SQLite dataset with suspicious activity findings no Microsoft APIs required.