Open-source alternatives to Volatility

This project is a security tool installation framework and binary analysis toolkit designed to automate the deployment of research utilities. It provides a containerized security research environment and a system for managing Python and Ruby virtual environments to prevent dependency conflicts on the host machine. The framework distinguishes itself through a structured tool catalog and provisioning scripts that automate the installation of utilities into isolated directories. It utilizes executable symlink mapping to provide a unified command interface and supports the bootstrapping of consis

PINCE is a dynamic debugger, instruction tracer, and memory scanner designed for the analysis and manipulation of running processes. It functions as a process memory manipulator and editor, allowing for the identification, modification, and monitoring of values within a target application's active memory. The tool distinguishes itself through memory pointer analysis, tracing addresses and offsets to locate static pointers that lead to dynamic data across different sessions. It also enables the execution of internal functions within a running process by manipulating the instruction pointer and

Rekall Memory Forensic Framework

inVtero.net: A high speed (Gbps) Forensics, Memory integrity & assurance. Includes offensive & defensive memory capabilities. Find/Extract processes, hypervisors (including nested) in memory dumps using microarchitechture independent Virtual Machiene Introspection techniques

Noriben - Portable, Simple, Malware Analysis Sandbox

Maskphish is a comprehensive security toolkit that integrates capabilities for digital forensics, network vulnerability scanning, open-source intelligence, penetration testing, and social engineering. It functions as a multi-purpose framework for automating reconnaissance and executing security audits across diverse network environments. The project features a specialized phishing and social engineering toolkit used for cloning websites, masking URLs, and deploying deceptive pages to capture user credentials. It also includes a remote access Trojan builder for generating platform-specific exe

Hayabusa is a Windows event log analyzer, threat hunting tool, and forensic timeline generator. It functions as a detection engine that applies threat patterns to logs to identify suspicious behavior and security threats. The project distinguishes itself through the ability to synchronize detection rules from remote repositories and tune risk levels to prioritize critical alerts. It also provides specialized forensic capabilities, such as extracting event log data into chronological records for incident response investigations. The tool's broader capabilities include security log enrichment

pwndbg is a GDB plugin and binary analysis framework designed for reverse engineering, exploit development, and low-level program analysis. It extends the core functionality of the debugger to provide advanced memory inspection and automation tools. The project distinguishes itself with specialized capabilities for heap analysis across glibc, jemalloc, and musl, as well as a comprehensive kernel debugging toolkit for inspecting Linux kernel tasks and slab allocators. It includes an integrated ROP gadget searcher for constructing exploit chains and an LLM-powered debugging assistant that provi

Cutter is a binary analysis platform and graphical user interface for the Rizin reverse engineering framework. It provides an environment for analyzing the internal logic and data structures of compiled binaries through integrated disassembly and visualization. The platform supports a containerized deployment model to provide isolated environments for binary analysis, which is used to examine suspicious binaries without risking the host system. It is an extensible security tool that allows for the addition of custom analysis capabilities and visualizers via native plugins and scripts. The to

This project is a comprehensive, curated directory of cybersecurity resources, software, and documentation designed to support system and network protection. It serves as a centralized knowledge base and index for security professionals, aggregating industry-standard practices and open-source tools across a wide range of technical domains. The repository distinguishes itself by providing a structured collection of methodologies and frameworks for security operations. It covers critical areas including threat intelligence, digital forensics, infrastructure auditing, and vulnerability assessmen

This project is a comprehensive, community-curated directory of cybersecurity resources, tools, and educational materials. It functions as a centralized index for researchers and students to discover frameworks and utilities across the entire security lifecycle, ranging from initial vulnerability assessment to post-exploitation analysis. The repository distinguishes itself through a hierarchical taxonomy that organizes diverse security disciplines into a searchable, version-controlled knowledge base. Rather than hosting software directly, it utilizes a decentralized aggregation model that lin

GEF is a Python-based extension for GDB that serves as a framework for binary analysis, exploit development, and low-level debugging. It functions as a dynamic analysis extension designed to assist in reverse engineering workflows and malware analysis by enhancing the debugger's ability to inspect process state and memory. The project is distinguished by its specialized heap analysis tools, which allow for the inspection of glibc heap arenas, bins, and chunks to detect memory corruption. It also provides a dedicated toolkit for exploit development, including cyclic pattern generation for offs

CyLR - Live Response Collection Tool

GRR is a distributed incident response platform and asynchronous forensic task orchestrator. It functions as a remote forensics framework designed to collect and analyze volatile data, system memory, and digital artifacts from remote hosts during security incident response. The system operates as a remote endpoint triage system, utilizing a coordinated architecture to manage a fleet of agents. It enables the execution of investigative tasks across multiple systems, allowing for the search of files and registries across a large fleet of machines to identify compromised hosts. The platform pro

Osquery is a unified endpoint monitoring framework that exposes operating system internals as relational tables. By representing hardware, network, and process activity as structured data, it allows users to retrieve system state and configuration information using standard SQL syntax. The system distinguishes itself through a cross-platform abstraction layer that normalizes disparate operating system interfaces into a consistent schema across Windows, macOS, and Linux. It supports both interactive local analysis via a command-line shell and distributed fleet orchestration, where recurring qu

Chainsaw is a Windows forensic analysis tool used for parsing system databases and extracting security artefacts. It functions as a forensic artefact extractor and a scanner for identifying security threats and log tampering within Windows event logs. The project distinguishes itself by implementing a Sigma rule forensic scanner that applies standardized detection logic and custom rule sets to event logs and forensic artefacts. It enables threat hunting workflows by matching event data against patterns to identify malicious activity, lateral movement, and brute force attacks. The tool's capa

AVML - Acquire Volatile Memory for Linux

Web interface for the Volatility Memory Forensics Framework

The Volatility Collaborative GUI

CyberChef is a web-based application designed for performing complex data encoding, decoding, encryption, and analysis tasks. It provides a visual interface where users construct data transformation pipelines by chaining modular operations together, allowing raw input to be processed into a desired output format entirely within the local browser environment. The tool functions as a client-side cryptographic workbench, ensuring that all data processing logic remains local to the user's machine to maintain privacy and eliminate server-side overhead. By utilizing functional pipeline composition

Web App for Volatility framework

VolDiff: Malware Memory Footprint Analysis based on Volatility

Volatility 3.0 development

PowerForensics provides an all in one platform for live disk forensic analysis

Extracts passwords from a KeePass 2.x database, directly from memory.