These open-source utilities automate the acquisition and triage of forensic evidence from compromised host systems.
This project is a comprehensive cybersecurity tool collection designed to support security research, penetration testing, and vulnerability assessment. It functions as a unified penetration testing suite, providing a centralized environment where professionals can access a wide range of offensive security utilities to identify system weaknesses and study attack vectors. The platform distinguishes itself through a modular architecture that aggregates disparate security scripts into a single, hierarchical command-line interface. It simplifies the management of these utilities by integrating external repositories, allowing users to fetch and organize third-party tools directly into a structured local directory. By utilizing a categorized menu system and shell-based process execution, the suite enables efficient navigation and direct invocation of specialized tools for tasks ranging from forensic analysis and reverse engineering to exploit development. The toolkit covers a broad spectrum of security domains, including web and wireless attack vectors, cloud security, payload creation, and social media analysis. It also incorporates automated environment setup to handle the installation of necessary system packages and language runtimes, ensuring compatibility across its diverse collection of utilities.
WeChatMsg is a database forensic parser and local data processor designed to extract and reconstruct structured message data from raw binary database files. By operating entirely on the host machine, the tool keeps the data under the user's control and performs all decryption and transformation locally, without network access or any upload to an external service. The project distinguishes itself through a static extraction method that reconstructs message threads by matching unique identifiers and timestamps across fragmented database tables. Its decoupled architecture separates low-level binary reading from high-level data formatting, using a schema-driven engine to translate proprietary records into human-readable formats. This approach allows for consistent data migration and preservation across different software versions. Beyond its core utility, the repository includes a governance framework and engineering standards that establish operational principles and technical guidelines to maintain codebase quality and facilitate collaborative stewardship among contributors.
This project is a command-line forensic toolkit designed for the investigation and security auditing of mobile devices. It provides a framework for collecting system logs, application data, and forensic artifacts to identify potential security breaches, unauthorized access, or evidence of malicious activity. The utility employs a modular extraction architecture that parses diverse file formats and system logs into a standardized, normalized data structure. By utilizing this unified format, the tool performs both heuristic analysis of system metadata and pattern matching against structured threat intelligence databases to detect indicators of compromise and targeted spyware infections. The software functions as an automated forensic pipeline, orchestrating the sequential collection, processing, and scanning of device data. It is intended for use in incident response and security auditing workflows where verifying the integrity of mobile operating systems against known threat patterns is required.
The framework is a comprehensive penetration testing platform designed for the development, testing, and execution of security exploits. It serves as a research toolkit and automated assessment environment, enabling security professionals to identify and validate vulnerabilities within networked systems and infrastructure through repeatable, standardized procedures. The platform distinguishes itself through a modular architecture that supports reflective payload injection, allowing for the execution of code directly in memory without writing to disk. It utilizes an asynchronous event loop to manage high-performance, concurrent network connections and features a transport-agnostic communication layer that abstracts protocols to maintain persistent command and control. Users can extend the core functionality through a plugin system and define complex exploit logic using a domain-specific language. The framework provides robust capabilities for remote payload management, including the configuration of network settings like sleep intervals and timeout thresholds. It maintains state persistence across long-running sessions by storing discovered host information and vulnerability data in a relational database. The software is designed for cross-platform deployment, with installation support available for Linux, macOS, and Windows environments.
Chainsaw is a command-line tool for parsing and triaging Windows event logs and related forensic artefacts. It functions as an artefact extractor and a scanner for identifying malicious activity and log tampering within Windows event logs. The project distinguishes itself through a Sigma rule scanner that applies standardized detection logic, together with its own custom rule sets, to event logs and other forensic artefacts. It enables threat hunting workflows by matching event data against these rules to surface lateral movement, brute force attempts, and other suspicious activity. Its capabilities include event log triage using regular expressions, execution timeline reconstruction through the correlation of Shimcache and Amcache data, and the parsing of System Resource Usage Monitor (SRUM) databases. It further provides forensic data search utilities and can export raw binary artefacts to structured JSON for external analysis.
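As an added illustration of what matching event data against Sigma-style rules involves (this is example code written for this page, not Chainsaw's implementation), the following Python evaluates a reduced Sigma-style rule set against a few constructed Windows Security event records and then correlates failed logons by source address, the kind of aggregation a brute-force hunt needs beyond per-event matching. The supported rule syntax (named selections with `|contains`, `|startswith`, `|endswith` and `|re` modifiers, and an and/or/not condition with parentheses) is a subset of Sigma; the event fields, rule titles and the failure threshold are assumptions chosen for the example.

```python
import re
from collections import Counter

# Constructed Security-log records, shaped like EVTX entries after JSON conversion.
# Field names follow the Windows event schema but are chosen for this example.
EVENTS = [
    {"EventID": 4625, "TimeCreated": "2024-01-05T10:00:01", "TargetUserName": "admin", "IpAddress": "10.0.0.7", "LogonType": 3},
    {"EventID": 4625, "TimeCreated": "2024-01-05T10:00:02", "TargetUserName": "admin", "IpAddress": "10.0.0.7", "LogonType": 3},
    {"EventID": 4625, "TimeCreated": "2024-01-05T10:00:03", "TargetUserName": "admin", "IpAddress": "10.0.0.7", "LogonType": 3},
    {"EventID": 4624, "TimeCreated": "2024-01-05T10:00:09", "TargetUserName": "admin", "IpAddress": "10.0.0.7", "LogonType": 3},
    {"EventID": 1102, "TimeCreated": "2024-01-05T10:05:00", "SubjectUserName": "admin"},
    {"EventID": 4688, "TimeCreated": "2024-01-05T10:06:00", "NewProcessName": "C:\\Windows\\System32\\wevtutil.exe", "CommandLine": "wevtutil cl Security"},
]

# Reduced Sigma-style rules: named selections plus a boolean condition over them.
RULES = [
    {"title": "Security log cleared",
     "detection": {"selection": {"EventID": 1102}, "condition": "selection"}},
    {"title": "Event log clearing via wevtutil",
     "detection": {"proc": {"NewProcessName|endswith": "\\wevtutil.exe"},
                   "args": {"CommandLine|contains": " cl "},
                   "condition": "proc and args"}},
    {"title": "Network logon failure",
     "detection": {"selection": {"EventID": 4625, "LogonType": 3}, "condition": "selection"}},
]


def _field_matches(event, key, expected):
    """Evaluate one 'Field|modifier: value' clause; a list value means any-of."""
    name, _, modifier = key.partition("|")
    if name not in event:
        return False
    value = str(event[name])
    ops = {"": value.__eq__, "contains": value.__contains__,
           "startswith": value.startswith, "endswith": value.endswith,
           "re": lambda pat: re.search(pat, value) is not None}
    return any(ops[modifier](str(want)) for want in
               (expected if isinstance(expected, list) else [expected]))


def _eval_condition(cond, values):
    """Recursive-descent evaluator for conditions such as 'a and not (b or c)'."""
    tokens, pos = re.findall(r"\(|\)|\w+", cond), 0

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1] if pos <= len(tokens) else None

    def expr():                      # expr := term ('or' term)*
        result = term()
        while tokens[pos:pos + 1] == ["or"]:
            take()
            result = term() or result
        return result

    def term():                      # term := factor ('and' factor)*
        result = factor()
        while tokens[pos:pos + 1] == ["and"]:
            take()
            result = factor() and result
        return result

    def factor():                    # factor := 'not' factor | '(' expr ')' | NAME
        tok = take()
        if tok == "not":
            return not factor()
        if tok == "(":
            inner = expr()
            if take() != ")":
                raise ValueError(f"unbalanced parenthesis in {cond!r}")
            return inner
        if tok in values:
            return values[tok]
        raise ValueError(f"bad token {tok!r} in condition {cond!r}")

    result = expr()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in {cond!r}")
    return result


def rule_matches(event, rule):
    detection = rule["detection"]
    values = {name: all(_field_matches(event, k, v) for k, v in sel.items())
              for name, sel in detection.items() if name != "condition"}
    return _eval_condition(detection["condition"], values)


def hunt(events, rules):
    """Return (rule title, timestamp, EventID) for every event a rule fires on."""
    return [(rule["title"], ev["TimeCreated"], ev["EventID"])
            for ev in events for rule in rules if rule_matches(ev, rule)]


def brute_force_sources(events, threshold=3):
    """Correlate 4625 failures per source address and flag those at or over threshold."""
    failures = Counter(ev["IpAddress"] for ev in events
                       if ev.get("EventID") == 4625 and "IpAddress" in ev)
    return sorted(ip for ip, n in failures.items() if n >= threshold)
```

Running `hunt(EVENTS, RULES)` fires the logon-failure rule three times, the log-cleared rule once and the wevtutil rule once; `brute_force_sources(EVENTS)` returns `["10.0.0.7"]`. The condition evaluator is a real parser rather than `eval`, so rule files from untrusted sources cannot smuggle arbitrary Python into the scanner.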
Mole is a terminal-based utility designed for comprehensive system maintenance, storage management, and real-time hardware monitoring. It provides a command-line interface for users to analyze disk usage, track system health metrics, and perform routine optimization tasks to maintain machine stability and performance. The project distinguishes itself through a declarative configuration model that uses structured data files to define custom cleanup logic, allowing for precise control over the removal of temporary files and project artifacts. It incorporates a safety-first execution layer that wraps destructive operations in validation checks, ensuring that user intent is verified before any files are modified or deleted. This approach extends to application lifecycle management, where the tool facilitates the complete removal of software binaries along with their associated configuration files and orphaned data. Beyond its core cleanup capabilities, the tool offers a broad suite of maintenance functions, including the clearing of system caches, the removal of redundant installer packages, and the optimization of background processes. It features a recursive file-system traversal engine to identify storage-consuming data and provides real-time visibility into hardware resources such as CPU, memory, and network status. Users can further extend the utility by integrating custom script directories to automate specific workflows directly from the command line.
This project is a comprehensive, community-driven directory of open-source tools, datasets, and documentation for malware analysis and cybersecurity research. It serves as a centralized index for security professionals and researchers to locate resources for investigating, reverse engineering, and analyzing malicious software. The directory organizes information through a structured taxonomy, covering specialized domains such as memory forensics, network traffic inspection, and honeypot threat research. By aggregating links to external utilities and frameworks, it provides a platform-agnostic reference for identifying tools used in static analysis, dynamic sandboxing, and threat intelligence gathering. The repository is maintained as a collection of markdown files, facilitating version control and collaborative updates from the security community. This structure allows users to navigate complex technical categories efficiently to find the specific debuggers, disassemblers, and forensic utilities required for incident investigation.
Rufus is a disk imaging tool designed to create bootable USB drives by writing disk images directly to removable storage media. It functions as a standalone utility that formats drives and prepares installation media for operating systems, hardware deployment, and embedded system flashing. The application distinguishes itself through direct disk input and output, which bypasses high-level file system abstractions to perform low-level, sector-based writes. It maps the file system structures of a disk image onto the physical media so that the result remains bootable. Furthermore, the tool manages low-level drive partitioning and boot sector configuration, including support for both master boot record (MBR) and GUID partition table (GPT) layouts, to maintain compatibility across BIOS and UEFI firmware environments. The software ships as a single portable executable that requires no installation. It interacts with hardware through native system calls to enumerate drives and hold an exclusive lock on the target device during the imaging process.
Autopsy is a digital forensic analysis platform and evidence management suite used to process disk images and file systems. It provides a graphical interface for performing deep forensic examinations of computer hard drives to identify and extract digital artifacts for investigations. The platform is built as a Java-based forensic framework that integrates native libraries (The Sleuth Kit) to perform direct disk image analysis. It utilizes a modular architecture, allowing for the extension of data ingestion and report generation through the use of plugins. The system manages digital evidence within a centralized workspace, organizing forensic metadata and analysis results across multiple case files. It covers broad capability areas including digital evidence management, forensic tool customization, and the automation of data workflows.
RevokeMsgPatcher is a binary patching utility that modifies the execution logic of desktop messaging applications. By applying low-level changes to compiled executable files and libraries, the tool enables behaviour the original software does not offer, specifically around message persistence and process management. The utility works through targeted static patching: it locates known byte patterns and offsets within the proprietary binaries and overwrites the instructions found there. These modifications cause the client to ignore incoming message recall commands, so that content the sender has deleted remains visible in chat histories. The tool also removes the client's single-instance startup restriction by disabling the synchronization check that enforces it, permitting several instances of the same messaging client to run simultaneously. Because the patches are applied to the files on disk rather than to a running process, the changes persist across application sessions. The project provides automated mechanisms for locating and patching the target code blocks, and for restoring the original files from backup, effectively bypassing built-in restrictions to customize the behaviour of communication platforms.
Ciphey is an automated decryption and deobfuscation tool designed to identify and reverse multi-layered encoding schemes. Using statistical analysis and probability scoring, it detects unknown data formats and recovers human-readable plaintext from obfuscated input without the user specifying an algorithm. The tool distinguishes itself through a recursive pipeline that unwraps nested layers and strips formatting anomalies or invisible characters to ensure consistent input. It employs a heuristic search and multithreaded execution engine to evaluate multiple decoding paths concurrently, prioritizing those with the highest statistical likelihood of success. Beyond core decoding, it is suited to incident analysis and the examination of suspicious payloads: it can recognise specific data types such as API keys or network addresses in the recovered output, enforces execution timeouts to keep run time predictable, and distinguishes valid text from random noise. The software is distributed as a command-line utility for integration into automated data processing workflows.
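The recursive search described above, as an added example rather than Ciphey's own code: a best-first search over a small set of decoders (base64, hex, ROT13) that first drops zero-width characters and tries a whitespace-stripped variant of the input, scores each candidate for English-likeness, stops when a plaintext checker is satisfied, and gives up after a fixed step budget (standing in for a wall-clock timeout). The sample input is constructed inline by layering those encodings over a plaintext; the decoder set, scoring heuristic and common-word list are assumptions chosen for the example.

```python
import base64
import binascii
import codecs
import heapq
import re
import string

# Constructed sample: the plaintext is ROT13'd, hex-encoded, then base64-encoded,
# and then padded with whitespace, a line break and a zero-width space to mimic
# copy/paste debris. The search below is not told which layers were applied.
PLAINTEXT = "meet me at the old warehouse at midnight and bring the keys"


def _layer(plain):
    rot = codecs.encode(plain, "rot_13")
    b64 = base64.b64encode(rot.encode().hex().encode()).decode()
    return "  " + b64[:10] + "\u200b" + b64[10:40] + "\n" + b64[40:] + " \n"


SAMPLE = _layer(PLAINTEXT)

# Tiny vocabulary for the plaintext checker (a real tool uses dictionaries or n-grams).
COMMON_WORDS = {"the", "and", "of", "to", "in", "is", "it", "you", "that", "for", "on",
                "with", "as", "at", "be", "this", "from", "or", "by", "not", "but", "me"}
ZERO_WIDTH = re.compile("[\u200b\u200c\u200d\ufeff]")


def normalize(text):
    """Drop zero-width characters and surrounding whitespace."""
    return ZERO_WIDTH.sub("", text).strip()


def _as_text(raw):
    """Accept decoded bytes only if they form printable UTF-8 text."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text and all(c in string.printable for c in text) else None


def dec_base64(s):
    try:
        return _as_text(base64.b64decode(s, validate=True))
    except (binascii.Error, ValueError):
        return None


def dec_hex(s):
    if len(s) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", s):
        return None
    return _as_text(bytes.fromhex(s))


def dec_rot13(s):
    return codecs.decode(s, "rot_13") if any(c.isalpha() for c in s) else None


DECODERS = [("base64", dec_base64), ("hex", dec_hex), ("rot13", dec_rot13)]


def _word_hits(text):
    return sum(w in COMMON_WORDS for w in text.lower().split())


def plaintext_score(text):
    """Heuristic in [0, 2]: letter/space ratio plus (capped) common-word hits."""
    if not text:
        return 0.0
    alpha_space = sum(c.isalpha() or c == " " for c in text) / len(text)
    return alpha_space + min(_word_hits(text), 5) / 5


def is_plaintext(text):
    """Checker: several words, mostly letters and spaces, three common words."""
    return (len(text.split()) >= 4 and _word_hits(text) >= 3
            and sum(c.isalpha() or c == " " for c in text) / len(text) >= 0.9)


def decode_search(blob, max_depth=5, budget=200):
    """Best-first search over decoder chains; returns (plaintext, path) or (None, [])."""
    start = normalize(blob)
    seeds = {start, re.sub(r"\s+", "", start)}       # also try with all whitespace removed
    frontier = [(-plaintext_score(s), 0, s, []) for s in seeds]
    heapq.heapify(frontier)
    seen = set(seeds)
    for _ in range(budget):                             # step budget stands in for a timeout
        if not frontier:
            break
        _, depth, text, path = heapq.heappop(frontier)
        if is_plaintext(text):
            return text, path
        if depth >= max_depth:
            continue
        for name, fn in DECODERS:
            out = fn(text)
            if out is not None and out not in seen:
                seen.add(out)
                heapq.heappush(frontier, (-plaintext_score(out), depth + 1, out, path + [name]))
    return None, []
```

`decode_search(SAMPLE)` returns the plaintext together with the path `["base64", "hex", "rot13"]`. The `seen` set and the depth limit keep ROT13 (its own inverse) and the other decoders from cycling, and a candidate is only kept if it decodes to printable text, which prunes most false branches before they are scored.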
This project is a graphical Windows debugger designed for the analysis and manipulation of compiled binary applications. It functions as a comprehensive binary analysis suite, providing a real-time environment for inspecting CPU registers, monitoring memory state, and tracing instruction execution to investigate system-level software behavior. The tool distinguishes itself through an event-driven debugging loop that allows for precise process control and state modification at runtime. It supports advanced analysis techniques, including hardware breakpoints for trapping memory reads and writes and instruction-set-aware disassembly that translates machine code into readable assembly. These capabilities facilitate specialized tasks such as malware reverse engineering, software vulnerability research, and the analysis of complex crashes. The platform includes a modular plugin architecture that enables the integration of external libraries for custom analysis and automation. It also resolves symbols so that machine addresses can be correlated with function and variable names, assisting in the interpretation of internal application logic.
dnSpy is a desktop application for the analysis, debugging, and modification of compiled .NET assemblies. It functions as an assembly analysis suite and decompiler, translating intermediate language (IL) back into readable C# or Visual Basic source to facilitate reverse engineering when the original source is unavailable. The tool distinguishes itself through an integrated assembly editor and metadata editor, which allow direct modification of method bodies (in IL or in C#) and of the internal metadata tables, with the result saved back to disk. It includes a .NET debugger that can launch or attach to processes, set breakpoints, step through decompiled code, and inspect memory, locals and call stacks, making it possible to troubleshoot application behaviour without source. Beyond core analysis and debugging, the platform provides an interactive scripting environment for automating repetitive tasks and manipulating assembly structures. It includes a hex editor for inspecting raw binary data, allowing users to move between high-level code constructs and the underlying bytes.
Kubeshark is a network observability platform designed for Kubernetes environments, functioning as an eBPF-powered engine for cluster-wide traffic analysis. It captures, indexes, and visualizes network activity and API calls directly from the kernel, providing deep visibility into service-to-service communication without requiring sidecar proxies or manual code instrumentation. The platform distinguishes itself through its ability to perform protocol-aware traffic dissection and user-space cryptographic hooking, which allows for the inspection of encrypted traffic and the reconstruction of application-layer protocols like HTTP, gRPC, and Kafka. It supports advanced diagnostic capabilities, including AI-driven troubleshooting, forensic analysis of network snapshots, and the correlation of infrastructure events with application-level traffic patterns. Beyond core monitoring, the system provides a comprehensive suite of tools for managing traffic data, including granular role-based access control, sensitive data redaction, and flexible storage options ranging from ephemeral local buffers to cloud-based object storage. It is built to operate in diverse environments, supporting air-gapped deployments and integrating with standard Kubernetes ingress resources for secure dashboard access. The project is managed via a command-line interface that facilitates deployment control, custom script execution, and the sharing of specific traffic analysis views through encoded search queries.
This project is an automated security testing suite designed to detect and exploit SQL injection vulnerabilities. It functions as a command-line utility that streamlines the identification, verification, and exploitation of SQL injection flaws in web applications by automating the injection of crafted payloads into request parameters. The tool provides a comprehensive framework for database enumeration, allowing users to extract schema information, user data, and system configuration from identified injection points. What distinguishes it is a sophisticated engine for dynamic payload adaptation and heuristic fingerprinting of the back-end DBMS, which adjusts injection techniques in real time based on server responses. It supports advanced post-exploitation capabilities, including remote command execution on the underlying host operating system and file system read and write access through database-level features. To navigate restricted environments, the software incorporates out-of-band data exfiltration channels and a tamper pipeline that applies user-defined transformations to each payload in order to evade security filters and web application firewalls. The suite covers a broad range of operational requirements, including stateful session management, anti-CSRF token handling, and extensive request customization. It supports various target specification methods, such as proxy log analysis and a remote API, while offering granular control over scan performance and detection thresholds. The software is distributed as a command-line application, with configuration supported through external files and command-line arguments.
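The description matches sqlmap, where the transformation pipeline is built from tamper scripts. The following is an added example written for this page in the shape sqlmap expects of a tamper script (a module exposing `__priority__`, `dependencies()` and `tamper(payload, **kwargs)`); it is not one of sqlmap's bundled scripts. It rewrites whitespace as inline comments and alternates the case of SQL keywords, but leaves single-quoted literals and a trailing `-- ` comment untouched, because MySQL only treats `--` as a comment when whitespace follows it, so `--/**/-` would break the query. The keyword list and the quote-pairing heuristic are assumptions; the fallback `PRIORITY` class exists only so the module also loads outside sqlmap.

```python
"""Illustrative sqlmap-style tamper script (written for this page, not one of
sqlmap's bundled scripts): rewrites whitespace as inline comments and alternates
the case of SQL keywords, leaving single-quoted literals and a trailing
'-- ' comment untouched."""
import re

try:
    from lib.core.enums import PRIORITY      # available when sqlmap loads the script
except ImportError:                          # stand-alone use outside sqlmap
    class PRIORITY:
        NORMAL = 0

__priority__ = PRIORITY.NORMAL

# Keywords to re-case (assumed list for this example, extend as needed).
KEYWORDS = ("SELECT", "UNION", "ALL", "AND", "OR", "FROM", "WHERE", "ORDER", "BY", "NULL", "LIKE")
KEYWORD_RE = re.compile(r"\b(" + "|".join(KEYWORDS) + r")\b", re.IGNORECASE)
TRAILING_COMMENT_RE = re.compile(r"^(.*?)(--\s.*)?$", re.DOTALL)


def dependencies():
    """sqlmap calls this on load; nothing extra is required here."""


def _alternate_case(word):
    return "".join(ch.lower() if i % 2 else ch.upper() for i, ch in enumerate(word))


def _split_literals(payload):
    """Yield (chunk, inside_literal) pairs. A payload that begins by closing the
    application's own string (e.g. "' UNION ...") carries an odd number of quotes;
    the leading quote is then treated as context rather than as a literal start.
    This heuristic fits the usual break-out-then-inject shape, not every payload."""
    quotes = [m.start() for m in re.finditer("'", payload)]
    if len(quotes) % 2:
        quotes = quotes[1:]
    pos = 0
    for start, end in zip(quotes[0::2], quotes[1::2]):
        yield payload[pos:start], False
        yield payload[start:end + 1], True
        pos = end + 1
    yield payload[pos:], False


def _obfuscate(segment):
    segment = re.sub(r"\s+", "/**/", segment)
    return KEYWORD_RE.sub(lambda m: _alternate_case(m.group(1)), segment)


def tamper(payload, **kwargs):
    """
    Entry point sqlmap invokes for every generated payload.

    >>> tamper("1 AND 1=1")
    '1/**/AnD/**/1=1'
    """
    if not payload:
        return payload
    # Keep the trailing comment as-is: MySQL only treats "--" as a comment when
    # whitespace follows it, so "--/**/-" would break the query.
    body, comment = TRAILING_COMMENT_RE.match(payload).groups()
    transformed = "".join(chunk if literal else _obfuscate(chunk)
                          for chunk, literal in _split_literals(body))
    return transformed + (comment or "")
```

Saved under sqlmap's `tamper/` directory and selected with `--tamper=<name>`, the script turns `' UNION SELECT 'a b',NULL-- -` into `'/**/UnIoN/**/SeLeCt/**/'a b',NuLl-- -`: the literal `'a b'` and the comment terminator survive while the surrounding SQL is rewritten. Chain it with other tamper scripts by priority when a single transformation is not enough for the filter in front of the target.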
Velociraptor is a digital forensics and incident response platform, endpoint detection and response system, and visibility tool. It provides a query engine and remote forensic collector used to hunt for indicators of compromise and perform triage across a fleet of hosts. The system is distinguished by its specialized query language for interrogating host state and parsing binary files. It features a notebook environment that combines markdown documentation with executable query cells to standardize investigative workflows and enable collaborative reporting. The platform covers a wide range of capabilities including real-time kernel event streaming, remote filesystem browsing, and raw NTFS parsing for forensic evidence preservation. It includes an extensibility framework for importing community-defined artifacts and supports multi-tenant data isolation to separate evidence by organization. The project provides a command-line interface for artifact validation and execution, and it supports deploying persistent agents or standalone offline collectors.
Gitleaks is a security scanning engine designed to identify hardcoded credentials, API keys, and other sensitive information within version control systems and local file structures. It functions as a static analysis tool that automates the detection of secrets, helping to prevent the accidental exposure of sensitive data during the development lifecycle. The tool distinguishes itself through its ability to perform deep forensic analysis of git history, allowing users to audit entire project timelines or enforce security gates within continuous integration pipelines. It supports complex detection logic through composite rules and provides mechanisms for baseline management, which enables teams to ignore existing findings and focus exclusively on new security risks. By offering pre-commit hook integration and exit-code-based orchestration, it allows for the enforcement of security policies directly within developer workflows and automated build environments. Beyond core scanning, the project provides a broad set of utilities for managing security findings, including support for decoding base64-encoded content before scanning, inspecting compressed archives, and filtering results through allowlisting or path exclusions. It facilitates compliance and reporting by exporting structured data, which can be integrated into external dashboards or tracking systems. The tool is built to handle various input sources, including direct file system traversal and standard input streams, ensuring compatibility with diverse development and deployment environments.
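To make the scanning model concrete, here is an added example (not Gitleaks code) that implements the pieces the description lists over a constructed in-memory file set: regex rules with an entropy threshold, an allowlist, path exclusions, base64-decoding of embedded blobs before scanning, fingerprint-based baselining, and an exit code that is non-zero only when something outside the baseline is found. `AKIAIOSFODNN7EXAMPLE` is the placeholder key from AWS documentation; every other value, rule, path and threshold is constructed for the example.

```python
import base64
import hashlib
import math
import re

# Constructed in-memory "repository" (no real project). AKIAIOSFODNN7EXAMPLE is
# the placeholder key from AWS documentation; the other values are made up.
SECRET = "sk9Qm2xZ7Lp4Vb8Nt1Ry6Wc3Hd5Fg0Jk"
FILES = {
    "config/settings.py": 'AWS_ACCESS_KEY = "AKIAQ7Z2PLMN4X8VTBKJ"\nDEBUG = True\n',
    "docs/aws.md": "Use AKIAIOSFODNN7EXAMPLE as in the AWS documentation\n",
    "app/client.py": f'API_KEY = "{SECRET}"\n',
    "app/defaults.py": 'SECRET_KEY = "xxxxxxxxxxxxxxxxxxxxxxxx"\n',
    "deploy/env.b64": base64.b64encode(f'SECRET_KEY="{SECRET}"\n'.encode()).decode() + "\n",
    "tests/fixtures/sample.py": f'API_KEY = "{SECRET}"\n',
}

# Rule set: the capture group isolates the secret; entropy gates generic matches.
RULES = [
    {"id": "aws-access-key", "regex": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), "entropy": 0.0},
    {"id": "generic-api-key",
     "regex": re.compile(r'(?i)(?:api|secret)_key\s*=\s*"([A-Za-z0-9+/=_\-]{20,})"'),
     "entropy": 3.5},
]
ALLOWLIST = [re.compile(r"EXAMPLE")]                 # documented placeholders
EXCLUDED_PATHS = [re.compile(r"^tests/fixtures/")]
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def shannon_entropy(s):
    """Bits per character: a run of one repeated character scores 0, a random token 4-5."""
    length = len(s)
    return -sum((n / length) * math.log2(n / length) for n in (s.count(c) for c in set(s)))


def fingerprint(path, rule_id, secret):
    """Stable identity of a finding, used for baselining."""
    return hashlib.sha256(f"{path}:{rule_id}:{secret}".encode()).hexdigest()


def _scan_text(path, text, findings):
    for rule in RULES:
        for m in rule["regex"].finditer(text):
            secret = m.group(1)
            if shannon_entropy(secret) < rule["entropy"]:
                continue                               # low-entropy placeholder
            if any(a.search(m.group(0)) for a in ALLOWLIST):
                continue
            findings.append({"path": path, "rule": rule["id"], "secret": secret,
                             "fingerprint": fingerprint(path, rule["id"], secret)})


def _decoded_blobs(text):
    """Base64 runs that decode to printable text are scanned as well."""
    for m in B64_BLOB.finditer(text):
        try:
            decoded = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if all(c.isprintable() or c in "\r\n\t" for c in decoded):
            yield decoded


def scan(files, baseline=frozenset()):
    """Return (new findings, exit code); the code is 1 only for findings not in the baseline."""
    findings = []
    for path, text in files.items():
        if any(p.search(path) for p in EXCLUDED_PATHS):
            continue
        _scan_text(path, text, findings)
        for decoded in _decoded_blobs(text):
            _scan_text(path + " (base64-decoded)", decoded, findings)
    new = [f for f in findings if f["fingerprint"] not in baseline]
    return new, (1 if new else 0)
```

`scan(FILES)` reports three findings and exit code 1: the constructed AWS key in `config/settings.py`, the high-entropy API key in `app/client.py`, and the same secret recovered from the base64 blob in `deploy/env.b64`. The documentation placeholder is allowlisted, the all-`x` value fails the entropy gate, and the fixture under `tests/fixtures/` is excluded by path. Passing the fingerprints of a previous run as `baseline` yields no new findings and exit code 0, which is the behaviour a CI gate relies on.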
Tracee is a cloud-native runtime security and forensics tool that uses eBPF to capture system calls and kernel events in real time. It operates as a standalone binary or a Helm-deployable agent for Kubernetes, normalizing system calls, network events, and container activities into a unified event pipeline for consistent analysis. The tool distinguishes itself through policy-driven event filtering using YAML-based rules, allowing users to target specific workloads and reduce noise during monitoring. It includes built-in threat detection signatures that flag suspicious behavioral patterns without requiring custom rules, and it collects forensic artifacts such as memory dumps, binaries, and network traffic for post-incident investigation. Tracee provides comprehensive system observability by tracking over 400 system events, including process execution, file operations, and network activity. It generates real-time security alerts and supports incident investigation through detailed audit trails with process lineage and file paths. The tool is designed for monitoring containerized environments and Kubernetes clusters without requiring application modifications.
Magisk is an Android rooting framework designed to manage system-level modifications and grant root (superuser) access on mobile devices. It functions by patching boot and recovery images to inject custom code into the operating system initialization sequence, allowing for system-wide control while maintaining compatibility with the underlying hardware. The project distinguishes itself through a systemless modification layer that overlays a virtual file system on top of read-only partitions, enabling changes without altering core system files. It includes a policy daemon to manage SELinux security contexts and granular access control for privileged applications, alongside dynamic binary instrumentation capabilities that intercept function calls in running processes. These features are supported by a native toolchain that interacts directly with the hardware abstraction layer and kernel. The framework provides a comprehensive suite for device modification management, including tools for patching firmware images, managing bootloader states, and handling recovery-based modifications on devices lacking a dedicated boot ramdisk. It also incorporates a cross-platform build toolchain for compiling and signing deployable packages, facilitating standardized software deployment across diverse hardware models.
This project is a comprehensive, curated directory of cybersecurity resources, software, and documentation designed to support system and network protection. It serves as a centralized knowledge base and index for security professionals, aggregating industry-standard practices and open-source tools across a wide range of technical domains. The repository distinguishes itself by providing a structured collection of methodologies and frameworks for security operations. It covers critical areas including threat intelligence, digital forensics, infrastructure auditing, and vulnerability assessment management. By organizing these materials, the project assists in the discovery and implementation of solutions for network monitoring, incident response, and the maintenance of consistent security configurations across diverse environments.