Open-source software for investigating digital evidence, analyzing volatile memory, and performing incident response forensics.
Volatility is a memory forensics framework and digital forensics tool designed to extract and analyze evidence from volatile computer memory dumps. It functions as a memory dump parser and analysis platform used to identify running processes, network connections, and loaded modules from a system RAM capture. The framework enables the reconstruction of system state to uncover malicious activity, such as rootkits and injected code, during malware incident response and threat hunting. It provides capabilities for digital forensic investigations to detect unauthorized access and indicators of compromise that may not be present on physical disks. The system utilizes a plugin-based analysis pipeline and symbol-based structure mapping to interpret raw binary images. It employs address-space translation and profile-driven offset resolution to locate and map operating system data structures within a raw memory dump.
Volatility is the industry-standard framework for memory forensics, providing the specialized capabilities needed to parse memory dumps, detect malware, and reconstruct system state for digital investigations.
Rekall Memory Forensic Framework
Rekall is a comprehensive memory forensic framework designed specifically for analyzing volatile memory dumps, making it a flagship tool for digital investigation and memory analysis.
inVtero.net: high-speed (Gbps) forensics, memory integrity & assurance. Includes offensive & defensive memory capabilities. Finds and extracts processes and hypervisors (including nested ones) in memory dumps using microarchitecture-independent Virtual Machine Introspection techniques.
This tool specializes in high-speed memory forensics and integrity analysis, providing the core capabilities needed for extracting and investigating volatile memory evidence.
MemProcFS
MemProcFS is a specialized tool for memory forensics that provides a virtual file system view of physical memory, enabling deep analysis of volatile data and system state.
Autopsy is a digital forensic analysis platform and evidence management suite used to process disk images and file systems. It provides a graphical interface for performing deep forensic examinations of computer hard drives to identify and extract digital artifacts for investigations. The platform is built as a Java-based forensic framework that integrates native libraries to perform direct disk image analysis. It utilizes a modular architecture, allowing for the extension of data ingestion and report generation through the use of plugins. The system manages digital evidence within a centralized workspace, organizing forensic metadata and analysis results across multiple case files. It covers broad capability areas including digital evidence management, forensic tool customization, and the automation of data workflows.
Autopsy is a comprehensive digital forensics platform that provides a graphical interface for disk image analysis, file system investigation, and automated reporting, making it a flagship tool for forensic examiners.
Chainsaw is a Windows forensic analysis tool used for parsing system databases and extracting security artefacts. It functions as a forensic artefact extractor and a scanner for identifying security threats and log tampering within Windows event logs. The project distinguishes itself by implementing a Sigma rule forensic scanner that applies standardized detection logic and custom rule sets to event logs and forensic artefacts. It enables threat hunting workflows by matching event data against patterns to identify malicious activity, lateral movement, and brute force attacks. The tool's capabilities include event log triage using regular expressions, execution timeline reconstruction through the correlation of shimcache and amcache data, and the parsing of system resource usage databases. It further provides forensic data search utilities and the ability to export raw binary artefacts into structured JSON formats for external analysis.
Chainsaw is a specialized forensic tool focused on Windows event log analysis, artifact extraction, and timeline reconstruction, making it a highly relevant utility for digital investigation workflows despite its specific focus on log-based forensics rather than full memory dump analysis.
This project is a command-line forensic toolkit designed for the investigation and security auditing of mobile devices. It provides a framework for collecting system logs, application data, and forensic artifacts to identify potential security breaches, unauthorized access, or evidence of malicious activity. The utility employs a modular extraction architecture that parses diverse file formats and system logs into a standardized, normalized data structure. By utilizing this unified format, the tool performs both heuristic analysis of system metadata and pattern matching against structured threat intelligence databases to detect indicators of compromise and targeted spyware infections. The software functions as an automated forensic pipeline, orchestrating the sequential collection, processing, and scanning of device data. It is intended for use in incident response and security auditing workflows where verifying the integrity of mobile operating systems against known threat patterns is required.
This is a specialized forensic toolkit for mobile device investigation and security auditing, which aligns with the category despite its specific focus on mobile platforms rather than general-purpose computer memory analysis.
Hayabusa is a Windows event log analyzer, threat hunting tool, and forensic timeline generator. It functions as a detection engine that applies threat patterns to logs to identify suspicious behavior and security threats. The project distinguishes itself through the ability to synchronize detection rules from remote repositories and tune risk levels to prioritize critical alerts. It also provides specialized forensic capabilities, such as extracting event log data into chronological records for incident response investigations. The tool's broader capabilities include security log enrichment via geolocation, Base64 string decoding, and the calculation of event volume metrics. It further supports threat detection through logon activity summarization, critical system identification, and keyword-based pivot analysis to correlate related security events.
Hayabusa is a specialized forensic tool focused on Windows event log analysis and timeline generation, which serves as a key component for incident response and threat hunting investigations.
pe-sieve is a set of diagnostic tools for scanning Windows process memory to identify malicious implants, shellcode, and hooks. It functions as an in-memory implant detector, malware unpacker, and process callstack analyzer designed to locate and dump memory patches and injected code from running processes. The project identifies advanced evasion techniques, such as process hollowing and reflective injection, by verifying portable executable structures in memory. It distinguishes itself by analyzing process callstacks to detect anomalies and redirections and by reconstructing executable headers and section alignments from raw memory dumps. The toolset covers a broad range of forensic and analysis capabilities, including dynamic malware unpacking, signature-based implant identification, and the extraction of process artifacts for offline examination. These scanning and analysis functions are available through a programmatic interface for integration into other security applications.
This tool specializes in memory forensics and the detection of malicious implants within running Windows processes, providing essential capabilities for extracting and analyzing volatile memory artifacts.
Velociraptor is a digital forensics and incident response platform, endpoint detection and response system, and visibility tool. It provides a query engine and remote forensic collector used to hunt for indicators of compromise and perform triage across a fleet of hosts. The system is distinguished by its specialized query language for interrogating host state and parsing binary files. It features a notebook environment that combines markdown documentation with executable query cells to standardize investigative workflows and enable collaborative reporting. The platform covers a wide range of capabilities including real-time kernel event streaming, remote filesystem browsing, and raw NTFS parsing for forensic evidence preservation. It includes an extensibility framework for importing community-defined artifacts and supports multi-tenant data isolation to separate evidence by organization. The project provides a command-line interface for artifact validation and execution, and it supports deploying persistent agents or standalone offline collectors.
Velociraptor is a comprehensive digital forensics and incident response platform that provides powerful remote memory analysis, file system forensics, and automated reporting capabilities across distributed endpoints.
Extracts passwords from a KeePass 2.x database, directly from memory.
This tool is a specialized utility for extracting passwords from a specific application's memory, rather than a comprehensive digital forensics suite for general system investigation and analysis.
Web app for the Volatility framework.
This is a web-based interface for the Volatility framework rather than a comprehensive digital forensics suite, serving as a visualization layer for memory analysis rather than a standalone tool for file system forensics or automated reporting.
radare2 is a reverse engineering framework and binary analysis toolset. It functions as a multi-architecture disassembler, low-level binary debugger, and hexadecimal editor for inspecting executable structures and interpreting machine code when original source files are unavailable. The framework provides capabilities for decompiling machine instructions, performing symbolic analysis, and diffing binary files to identify structural changes across versions. It also includes a digital forensic analyzer and disk analyzer for browsing filesystem formats in userland. The toolset supports binary patching, malware analysis, and software vulnerability research. It features a plugin-based architecture to extend core functionality and an embedded scripting engine to automate analysis workflows.
This is a comprehensive reverse engineering and binary analysis framework that includes specialized modules for filesystem and memory forensics, making it a powerful tool for investigating digital evidence despite its primary focus on machine code.
Flare-floss is a security utility and static binary string extractor designed to uncover hidden text and configuration data within compiled binaries. It functions as an obfuscated string decoder and reverse engineering tool to translate encoded strings into readable text for security auditing. The project employs emulated execution to capture the decrypted state of strings in memory by running small chunks of binary code in a virtual CPU. It further utilizes static analysis disassembly, intermediate representation analysis, and heuristic-based pattern matching to identify and decode strings that use non-standard encodings or lack standard null terminators. The toolset supports workflows for malware binary analysis, security research, and reverse engineering to identify embedded secrets and constants. It also provides capabilities for exporting extracted binary data to external analysis platforms.
This tool is a specialized utility for binary string extraction and deobfuscation, which serves as a building block for malware analysis rather than a comprehensive digital forensics suite for file system and memory dump investigation.