Digital Forensics and Incident Response

This project is a comprehensive cybersecurity tool collection designed to support security research, penetration testing, and vulnerability assessment. It functions as a unified penetration testing suite, providing a centralized environment where professionals can access a wide range of offensive security utilities to identify system weaknesses and study attack vectors. The platform distinguishes itself through a modular architecture that aggregates disparate security scripts into a single, hierarchical command-line interface. It simplifies the management of these utilities by integrating external repositories, allowing users to fetch and organize third-party tools directly into a structured local directory. By utilizing a categorized menu system and shell-based process execution, the suite enables efficient navigation and direct invocation of specialized tools for tasks ranging from forensic analysis and reverse engineering to exploit development. The toolkit covers a broad spectrum of security domains, including web and wireless attack vectors, cloud security, payload creation, and social media analysis. It also incorporates automated environment setup to handle the installation of necessary system packages and language runtimes, ensuring compatibility across its diverse collection of utilities.

This project is a comprehensive, community-curated directory of resources and methodologies for open-source intelligence gathering. It serves as a centralized reference framework for researchers, providing a structured index of specialized tools, databases, and search techniques used to collect and analyze publicly available information from across the global internet. The directory distinguishes itself through a hierarchical taxonomy that organizes complex investigative domains, ranging from cyber threat intelligence and digital forensic investigation to geospatial analysis and operational security. By leveraging a crowdsourced model, the repository ensures that its collection of investigative tools remains current, with a distributed network of contributors validating links and maintaining the integrity of the resource list. The project covers a broad capability surface, including advanced search operators, reverse image lookup, social network analysis, and domain infrastructure research. It also provides guidance on privacy-focused browsing and anonymity protection to support sensitive research workflows. The entire knowledge base is maintained as a version-controlled markdown repository, offering a portable and searchable index for professionals and researchers conducting deep web investigations or fact-checking tasks.

This project is a community-curated repository of YARA rules used to detect malware, webshells, and other malicious patterns in files. It serves as a dataset of signatures for identifying known malware families, software packers, and threat intelligence indicators. The collection provides specialized detection capabilities for identifying exploit kits and anti-analysis evasion techniques, such as anti-debugging and anti-virtualization methods. It also includes signatures for cryptographic algorithm detection and the identification of unauthorized remote administration tools on servers. The repository covers a broad surface of digital forensics and security analysis, including the inspection of malicious documents and emails for embedded code. It further supports threat hunting through the identification of patterns associated with system compromises and active security breaches.

This project is a comprehensive, community-sourced knowledge base designed for security professionals and researchers. It functions as a centralized repository of offensive security techniques, providing a structured collection of exploit payloads, attack vectors, and methodologies for conducting vulnerability assessments and penetration testing. The repository distinguishes itself through a cross-platform payload taxonomy that categorizes exploitation methods by vulnerability type and target environment, enabling rapid lookup during security assessments. It maintains high standards of data integrity and collaborative growth by utilizing version-controlled knowledge management and template-driven content generation, ensuring that the research remains current and consistent across a wide range of technical domains. The project covers a broad capability surface, including detailed references for web application security, database injection, insecure deserialization, and AI model security testing. It also aggregates external resources, such as research papers and third-party tools, to provide a holistic view of modern threat analysis and defensive research. The documentation is organized as a hierarchical tree of markdown files, designed for easy navigation and reference during active security engagements.

Maskphish is a comprehensive security toolkit that integrates capabilities for digital forensics, network vulnerability scanning, open-source intelligence, penetration testing, and social engineering. It functions as a multi-purpose framework for automating reconnaissance and executing security audits across diverse network environments. The project features a specialized phishing and social engineering toolkit used for cloning websites, masking URLs, and deploying deceptive pages to capture user credentials. It also includes a remote access Trojan builder for generating platform-specific executables and mobile application packages to establish remote command sessions. The framework covers a broad surface of capabilities, including web application penetration testing, OSINT reconnaissance, memory and disk forensics, and wireless network auditing. It provides tools for payload generation, credential theft, and the automation of information gathering from public data sources. This project is implemented primarily as a shell-based application.

This project is an automated security testing suite designed to detect and exploit database vulnerabilities. It functions as a command-line utility that streamlines the identification, verification, and exploitation of web application flaws by automating the injection of malicious payloads into input parameters. The tool provides a comprehensive framework for database enumeration, allowing users to extract schema information, user data, and system configurations from identified injection points. What distinguishes this tool is its sophisticated engine for dynamic payload adaptation and heuristic fingerprinting, which adjusts injection techniques in real-time based on server responses. It supports advanced post-exploitation capabilities, including remote command execution on the underlying host operating system and file system access through database-level vulnerabilities. To navigate restricted environments, the software incorporates out-of-band data exfiltration channels and a middleware pipeline for applying user-defined transformations to bypass security filters and web application firewalls. The suite covers a broad range of operational requirements, including stateful session management, anti-CSRF token handling, and extensive request customization. It supports various target specification methods, such as proxy log analysis and remote API management, while offering granular control over scan performance and detection thresholds. The software is distributed as a command-line application, with configuration management supported through external file loading and command-line arguments.

The framework is a comprehensive penetration testing platform designed for the development, testing, and execution of security exploits. It serves as a research toolkit and automated assessment environment, enabling security professionals to identify and validate vulnerabilities within networked systems and infrastructure through repeatable, standardized procedures. The platform distinguishes itself through a modular architecture that supports reflective payload injection, allowing for the execution of code directly in memory without writing to disk. It utilizes an asynchronous event loop to manage high-performance, concurrent network connections and features a transport-agnostic communication layer that abstracts protocols to maintain persistent command and control. Users can extend the core functionality through a plugin system and define complex exploit logic using a domain-specific language. The framework provides robust capabilities for remote payload management, including the configuration of network settings like sleep intervals and timeout thresholds. It maintains state persistence across long-running sessions by storing discovered host information and vulnerability data in a relational database. The software is designed for cross-platform deployment, with installation support available for Linux, macOS, and Windows environments.

This project is a comprehensive, community-curated directory of cybersecurity resources, tools, and educational materials. It functions as a centralized index for researchers and students to discover frameworks and utilities across the entire security lifecycle, ranging from initial vulnerability assessment to post-exploitation analysis. The repository distinguishes itself through a hierarchical taxonomy that organizes diverse security disciplines into a searchable, version-controlled knowledge base. Rather than hosting software directly, it utilizes a decentralized aggregation model that links to external platforms, training environments, and specialized toolkits, ensuring the index remains current through community-driven contributions. The collection covers a broad spectrum of security domains, including automated vulnerability scanning, network traffic analysis, and digital forensics. It also provides access to specialized resources for binary reverse engineering, penetration testing training, and competitive platforms such as capture-the-flag events and bug bounty programs. All information is maintained in a lightweight, markdown-based format, allowing for rapid navigation and reference within the repository.

This project is a graphical Windows debugger designed for the analysis and manipulation of compiled binary applications. It functions as a comprehensive binary analysis suite, providing a real-time environment for inspecting CPU registers, monitoring memory states, and tracing instruction execution to investigate system-level software behavior. The tool distinguishes itself through an event-driven debugging loop that allows for precise process control and state modification during runtime. It supports advanced analysis techniques, including hardware-breakpoint injection for monitoring memory access and instruction-set-aware disassembly to translate machine code into readable assembly. These capabilities facilitate specialized tasks such as malware reverse engineering, software vulnerability research, and the analysis of complex system crashes. The platform includes a modular plugin architecture that enables the integration of external libraries for custom analysis and automation. It also features memory-mapped symbol resolution to correlate machine addresses with source code labels, assisting in the interpretation of internal application logic.

This project is a comprehensive, curated directory of cybersecurity resources, software, and documentation designed to support system and network protection. It serves as a centralized knowledge base and index for security professionals, aggregating industry-standard practices and open-source tools across a wide range of technical domains. The repository distinguishes itself by providing a structured collection of methodologies and frameworks for security operations. It covers critical areas including threat intelligence, digital forensics, infrastructure auditing, and vulnerability assessment management. By organizing these materials, the project assists in the discovery and implementation of solutions for network monitoring, incident response, and the maintenance of consistent security configurations across diverse environments.

SecLists is a centralized library of security assessment data designed to support vulnerability discovery and penetration testing. It functions as a comprehensive repository of wordlists, payloads, and testing methodologies used to audit software, firmware, and internet-connected hardware for technical vulnerabilities. The project distinguishes itself through a standardized taxonomy and a language-agnostic data format, which allows security tools to predictably ingest and utilize its assets regardless of the underlying programming environment. By decoupling raw testing data from execution logic, the repository ensures that its collections of usernames, passwords, and injection patterns remain portable and compatible with a wide range of custom auditing frameworks and automated security tools. The collection covers a broad spectrum of security testing domains, including brute-force credential testing, web application fuzzing, and automated vulnerability scanning. It also provides structured guidance for firmware analysis and internet-connected device hardening, enabling researchers to apply consistent methodologies when identifying insecure configurations or potential system flaws. The repository is organized as a collection of flat-file assets within a hierarchical directory structure, facilitating integration into automated security workflows.

pyWhat is a Python-based data extraction tool designed to scan files and text for sensitive identifiers, credentials, and network artifacts using regular expressions. It functions as a pattern matching engine and PII scanner capable of identifying personal identifiers and sensitive data patterns across directories and binary files. The project specializes in the identification of unknown data formats through file signatures and the extraction of high-value identifiers, such as URLs, IP addresses, and phone numbers, from network capture files. It utilizes a rarity-based filtering system and specific tags to reduce false positives during the discovery process. The tool provides broad capabilities for recursive directory scanning, data type identification, and digital forensic processing. Findings can be organized through custom sorting and exported into structured JSON or plain text formats for integration into external security pipelines.

This project serves as a centralized, community-driven repository of technical knowledge and administrative resources. It provides a structured taxonomy that aggregates disparate information into a searchable framework, supporting continuous learning and rapid problem-solving for system administrators and cybersecurity practitioners. By mapping resources across offensive security, infrastructure management, and software development, it offers a unified path for skill acquisition and professional reference. The project is defined by a command-line-first design philosophy, prioritizing terminal-based utilities and scriptable interfaces to facilitate efficient system administration and repeatable security workflows. It distinguishes itself through a platform-agnostic approach, maintaining documentation and operational guides that remain applicable across diverse Unix-like and cloud-based environments. This modular toolchain integration allows users to compose custom environments tailored to specific administrative or security tasks. The repository covers a broad capability surface, including comprehensive toolkits for system auditing, network management, and infrastructure hardening. It provides structured learning paths for cybersecurity skill development, ranging from ethical hacking labs and penetration testing standards to vulnerability assessment and system configuration best practices. The collection also encompasses a wide array of productivity tools, diagnostic utilities, and educational materials designed to streamline routine maintenance and enhance overall security posture.

Volatility is a memory forensics framework and digital forensics tool designed to extract and analyze evidence from volatile computer memory dumps. It functions as a memory dump parser and analysis platform used to identify running processes, network connections, and loaded modules from a system RAM capture. The framework enables the reconstruction of system state to uncover malicious activity, such as rootkits and injected code, during malware incident response and threat hunting. It provides capabilities for digital forensic investigations to detect unauthorized access and indicators of compromise that may not be present on physical disks. The system utilizes a plugin-based analysis pipeline and symbol-based structure mapping to interpret raw binary images. It employs address-space translation and profile-driven offset resolution to locate and map operating system data structures within a raw memory dump.

Gitleaks is a security scanning engine designed to identify hardcoded credentials, API keys, and other sensitive information within version control systems and local file structures. It functions as a static analysis tool that automates the detection of secrets, helping to prevent the accidental exposure of sensitive data during the development lifecycle. The tool distinguishes itself through its ability to perform deep forensic analysis of git history, allowing users to audit entire project timelines or enforce security gates within continuous integration pipelines. It supports complex detection logic through composite rules and provides mechanisms for baseline management, which enables teams to ignore existing findings and focus exclusively on new security risks. By offering pre-commit hook integration and exit-code-based orchestration, it allows for the enforcement of security policies directly within developer workflows and automated build environments. Beyond core scanning, the project provides a broad set of utilities for managing security findings, including support for decoding obfuscated strings, inspecting compressed archives, and filtering results through allowlisting or path exclusions. It facilitates compliance and reporting by exporting structured data, which can be integrated into external dashboards or tracking systems. The tool is built to handle various input sources, including direct file system traversal and standard input streams, ensuring compatibility with diverse development and deployment environments.

FOCA is a digital forensics metadata analyzer and open-source intelligence tool used to extract hidden information from various document types. It functions as a metadata extraction tool that isolates technical data and EXIF information from PDFs, office documents, and SVG files. The system integrates an open-source intelligence scanner that identifies and downloads target files from the web using multiple search engine APIs. This allows for the automated discovery and acquisition of remote web assets for batch analysis and digital evidence gathering. The software provides capabilities for document security auditing and forensic analysis by scanning both local file systems and web-based documents. It utilizes a multi-format parser pipeline to identify sensitive embedded metadata that may be concealed within files.

Magisk is an Android rooting framework designed to manage system-level modifications and grant administrative access to mobile devices. It functions by patching boot and recovery images to inject custom code into the operating system initialization sequence, allowing for system-wide control while maintaining compatibility with the underlying hardware. The project distinguishes itself through a systemless modification layer that overlays a virtual file system on top of read-only partitions, enabling changes without altering core system files. It includes a policy daemon to manage security contexts and granular access control for privileged applications, alongside dynamic binary instrumentation capabilities that intercept function calls in running processes. These features are supported by a native toolchain that interacts directly with the hardware abstraction layer and kernel. The framework provides a comprehensive suite for device modification management, including tools for patching firmware images, managing bootloader states, and handling recovery-based modifications on devices lacking a dedicated boot ramdisk. It also incorporates a cross-platform build toolchain for compiling and signing deployable packages, facilitating standardized software deployment across diverse hardware models.

Hayabusa is a Windows event log analyzer, threat hunting tool, and forensic timeline generator. It functions as a detection engine that applies threat patterns to logs to identify suspicious behavior and security threats. The project distinguishes itself through the ability to synchronize detection rules from remote repositories and tune risk levels to prioritize critical alerts. It also provides specialized forensic capabilities, such as extracting event log data into chronological records for incident response investigations. The tool's broader capabilities include security log enrichment via geolocation, Base64 string decoding, and the calculation of event volume metrics. It further supports threat detection through logon activity summarization, critical system identification, and keyword-based pivot analysis to correlate related security events.

RevokeMsgPatcher is a binary patching utility designed to modify the execution logic of desktop messaging applications. By applying low-level changes to compiled executable files and libraries, the tool enables functionality not natively supported by the original software, specifically focusing on message persistence and process management. The utility distinguishes itself through targeted binary instrumentation and control flow redirection. It identifies specific function patterns and memory offsets within proprietary software to inject custom assembly instructions. These modifications allow the software to suppress incoming message recall commands, ensuring that deleted content remains visible in chat histories. Additionally, the tool overrides application startup constraints by disabling synchronization primitives, which permits the simultaneous execution of multiple instances of the same messaging client. The project covers a range of binary modification techniques, including static instrumentation and dynamic library injection, to ensure that changes persist across application sessions. It provides automated mechanisms for locating and patching target code blocks, effectively bypassing built-in restrictions to customize the behavior of communication platforms.

This project is a curated, version-controlled directory of software and resources designed for cybersecurity professionals and researchers. It functions as a centralized knowledge base that aggregates and organizes external security utilities into a structured taxonomy to facilitate discovery and access for specialized research and testing tasks. The repository distinguishes itself through a community-driven model where external resource locations are verified and maintained by contributors. By leveraging a distributed version control system, the project ensures the historical integrity and consistency of its collection, allowing users to track changes and updates to the indexed toolsets over time. The directory covers a broad spectrum of security domains, including penetration testing, digital forensics, network analysis, and threat intelligence gathering. It provides access to frameworks and utilities for tasks such as vulnerability scanning, password auditing, automated software fuzzing, and the deployment of decoy systems. Additionally, the project includes resources for managing competitive security challenges and infrastructure orchestration.