Awesome-anti-forensic


Tools and packages used for countering forensic activities, including encryption, steganography, and anything that modifies file attributes. This also covers tools that, more generally, make changes to a system for the purpose of hiding information.

Tools

System/Digital Image

  • Afflib : An extensible open format for the storage of disk images and related forensic information.
  • Air-Imager : A GUI front-end to dd/dc3dd designed for easily creating forensic images.
  • Bmap-tools : Tool for copying largely sparse files using information from a block map file.
  • dd : The dd command allows you to copy all or part of a disk.
    • Dc3dd : A patched version of dd that includes a number of features useful for computer forensics.
    • Dcfldd : DCFL (DoD Computer Forensics Lab), a dd replacement with hashing.
  • ddrescue : GNU data recovery tool.
  • Dmg2img : A CLI tool to uncompress Apple's compressed DMG files to the HFS+ IMG format.
  • Frida : Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.
    • Fridump : A universal memory dumper using Frida.
  • Imagemounter : Command line utility and Python package to ease the (un)mounting of forensic disk images.

Recovery tools / Memory Extraction

  • Extundelete : Utility for recovering deleted files from ext2, ext3 or ext4 partitions by parsing the journal.
  • Foremost : A console program to recover files based on their headers, footers, and internal data structures.
  • MagicRescue : Find and recover deleted files on block devices.
  • MemDump : Dumps system memory to stdout, skipping over holes in memory maps.
  • MemFetch : Simple utility that can be used to dump process memory of any userspace process running on the system without affecting its execution.
  • Mxtract : Memory Extractor & Analyzer.
  • Recoverjpeg : Recover jpegs from damaged devices.
  • SafeCopy : A disk data recovery tool to extract data from damaged media.
  • Scrounge-Ntfs : Data recovery program for NTFS file systems.
  • TestDisk & PhotoRec : TestDisk checks the partition and boot sectors of your disks. It is very useful for recovering lost partitions. PhotoRec is file data recovery software designed to recover lost pictures from digital camera memory or even hard disks. It has also been extended to search for non-audio/video file headers.

Analysis / Gathering tools (Know your enemies)

  • Autopsy : The forensic browser. A GUI for the Sleuth Kit.
  • Bulk-extractor : Bulk Email and URL extraction tool.
  • captipper : Malicious HTTP traffic explorer tool.
  • Chromefreak : A Cross-Platform Forensic Framework for Google Chrome.
  • SkypeFreak : A Cross Platform Forensic Framework for Skype.
  • Dumpzilla : A forensic tool for Firefox.
  • Emldump : Analyze MIME files.
  • Galleta : Examine the contents of the IE's cookie files for forensic purposes.
  • Guymager : A forensic imager for media acquisition.
  • Indxparse : A Tool suite for inspecting NTFS artifacts.
  • IOSforensic : iOS forensic tool.
  • IPBA2 : IOS Backup Analyzer.
  • Iphoneanalyzer : Allows you to forensically examine or recover data from an iOS device.
  • LiMEaide : Remotely dump RAM of a Linux client and create a volatility profile for later analysis on your local host.
  • MboxGrep : A small, non-interactive utility that scans mail folders for messages matching regular expressions. It does matching against basic and extended POSIX regular expressions, and reads and writes a variety of mailbox formats.
  • Mobiusft : An open-source forensic framework written in Python/GTK that manages cases and case items, providing an abstract interface for developing extensions.
  • Naft : Network Appliance Forensic Toolkit.
  • Networkminer : A Network Forensic Analysis Tool for advanced network traffic analysis, sniffing and packet analysis.
  • Nfex : A tool for extracting files from the network in real-time or post-capture from an offline tcpdump pcap savefile.
  • Ntdsxtract [windows]: Active Directory forensic framework.
  • Pasco : Examines the contents of Internet Explorer's cache files for forensic purposes.
  • PcapXray : Network forensics tool to visualize a packet capture offline as a network diagram, including device identification, highlighting of important communications, and file extraction.
  • ReplayProxy : Forensic tool to replay web-based attacks (and also general HTTP traffic) that were captured in a pcap file.
  • Pdfbook-analyzer : Utility for Facebook memory forensics.
  • Pdfid : Scan a file to look for certain PDF keywords.
  • PdfResurrect : A tool aimed at analyzing PDF documents.
  • Peepdf : A Python tool to explore PDF files in order to find out if the file can be harmful or not.
  • Pev : Command line based tool for PE32/PE32+ file analysis.
  • Rekall : Memory Forensic Framework.
  • Recuperabit : A tool for forensic file system reconstruction.
  • Rifiuti2 : A rewrite of rifiuti, a great tool from Foundstone folks for analyzing Windows Recycle Bin INFO2 file.
  • Rkhunter : Checks machines for the presence of rootkits and other unwanted tools.
  • Sleuthkit : A library and collection of command line digital forensics tools that allow you to investigate volume and file system data.
  • Swap-digger : A tool used to automate Linux swap analysis during post-exploitation or forensics.
  • Vinetto : A forensics tool to examine Thumbs.db files.
  • Volafox : macOS Memory Analysis Toolkit.
  • Volatility : Advanced memory forensics framework.
  • Xplico : Internet Traffic Decoder. Network Forensic Analysis Tool (NFAT).

Data tampering

  • Exiftool : Reader and rewriter of EXIF information that supports raw files.
  • Exiv2 : Exif, Iptc and XMP metadata manipulation library and tools.
  • nTimetools : Timestomper and Timestamp checker with nanosecond accuracy for NTFS volumes.
  • Scalpel : An open source data carving tool.
  • SetMace : Manipulate timestamps on NTFS.

Hiding process

  • Harness : Execute ELFs in memory.
  • Unhide : A forensic tool to find processes hidden by rootkits, LKMs or by other techniques.
  • Kaiser : File-less persistence, attacks and anti-forensic capabilities (Windows 7 32-bit).
  • Papa Shango : Inject code into running processes with ptrace().
  • Saruman : ELF anti-forensics exec, for injecting full dynamic executables into process image (With thread injection).

Cleaner / Data Destruction / Wiping / FileSystem

  • BleachBit : System cleaner for Windows and Linux.
  • ChainSaw : ChainSaw automates the process of shredding log files and bash history from a system. It is a tool that cleans up the bloody mess you left behind when you went for a stroll behind enemy lines.
  • Clear-EventLog : PowerShell cmdlet. Clears all entries from specified event logs on the local or remote computers.
  • DBAN : Darik's Boot and Nuke ("DBAN") is a self-contained boot image that securely wipes the hard disks of most computers. DBAN is appropriate for bulk or emergency data destruction.
  • delete-self-poc : A way to delete a locked file, or current running executable, on disk.
  • Forensia : Anti Forensics Tool For Red Teamers, Used For Erasing Footprints In The Post Exploitation Phase.
  • Hdparm : Get/set hard disk parameters.
  • LogKiller : Clear all your logs on Linux/Windows servers.
  • Meterpreter > clearev : The meterpreter clearev command will clear the Application, System, and Security logs on a Windows system.
  • NTFS-3G : NTFS-3G Safe Read/Write NTFS Driver.
  • Nuke My LUKS : Network panic button designed to overwrite with random data the LUKS header of computers in a LAN.
  • Permanent-Eraser : Secure file erasing utility for macOS.
  • Shred : Overwrite a file to hide its contents, and optionally delete it.
  • Silk-guardian : An anti-forensic kill-switch that waits for a change on your usb ports and then wipes your ram, deletes precious files, and turns off your computer.
  • Srm : Srm is a command-line compatible rm which overwrites file contents before unlinking.
  • Wipe : A Unix tool for secure deletion.
  • Wipedicks : Wipe files and drives securely with random ASCII dicks.
  • wiper : Toolkit to perform secure destruction of sensitive virtual data, temporary files and swap memories.

Password and Login

  • chntpw : Offline NT Password Editor - reset passwords in a Windows NT SAM user database file.
  • lazagne : An open source application used to retrieve lots of passwords stored on a local computer.
  • Mimipenguin : A tool to dump the login password of the current Linux user.

Encryption / Obfuscation

  • BurnEye : ELF encryption program.
  • cryptsetup : Utility used to conveniently set up disk encryption based on the dm-crypt kernel module.
    • cryptsetup-nuke-password : Configure a special "nuke password" that can be used to destroy the encryption keys required to unlock the encrypted partitions.
  • ELFcrypt : ELF crypter.
  • FreeOTFE : A free "on-the-fly" transparent disk encryption program for PC & PDAs.
  • Midgetpack : Midgetpack is a multiplatform secure ELF packer.
  • panic_bcast : Decentralized opsec panic button operating over UDP broadcasts and HTTP. Provides automatic ejection of encrypted drives as a safe-measure against cold-boot attacks.
  • Sherlocked : Universal script packer: transforms any type of script into a protected ELF executable, encrypted with anti-debugging.
  • suicideCrypt : A toolset for creating cryptographically strong volumes that destroy themselves upon tampering (event) or via issued command.
  • Tchunt-ng : Reveal encrypted files stored on a filesystem.
  • TrueHunter : Detect TrueCrypt containers using a fast and memory efficient approach.

Policies / Logging (Event) / Monitoring

  • Auditpol : Displays information about and performs functions to manipulate audit policies in Windows.
  • evtkit : Fix acquired .evt Windows Event Log files (forensics). [windows]
  • Grokevt : A collection of scripts built for reading Windows® NT/2K/XP/2K eventlog files. [windows]
  • Lfle : Recover event log entries from an image by heuristically looking for record structures.
  • python-evtx : A tool to parse the Windows XML Event Log (EVTX) format.
  • USBGuard : Software framework for implementing USB device authorization policies (what kind of USB devices are authorized) as well as method of use policies (how a USB device may interact with the system).
  • wecutil : Enables you to create and manage subscriptions to events that are forwarded from remote computers. The remote computer must support the WS-Management protocol. [windows]
  • Wevtutil : Enables you to retrieve information about event logs and publishers. You can also use this command to install and uninstall event manifests, to run queries, and to export, archive, and clear logs. [windows]

Steganography

  • AudioStego : Hides text or files inside audio files and retrieves them automatically.
  • ChessSteg : Steganography in chess games.
  • Cloakify : Transforms any filetype into a list of harmless-looking strings. This lets you hide the file in plain sight, and transfer the file without triggering alerts.
  • Jsteg : jsteg is a package for hiding data inside jpeg files.
  • Mp3nema : A tool aimed at analyzing and capturing data that is hidden between frames in an MP3 file or stream, otherwise noted as "out of band" data.
  • PacketWhisper : Stealthily exfiltrate data and defeat attribution using DNS queries and text-based steganography.
  • steg86 : Format-agnostic steganographic tool for x86 and AMD64 binaries. You can use it to hide information in compiled programs, regardless of executable format (PE, ELF, Mach-O, raw, &c).
  • steganography : Simple C++ image steganography tool to encrypt and hide files inside images using Least-Significant-Bit encoding.
  • Steganography : Least Significant Bit Steganography for bitmap images (.bmp and .png), WAV sound files, and byte sequences.
  • StegaStamp : Invisible Hyperlinks in Physical Photographs.
  • StegCloak : Hide secrets with invisible characters in plain text securely using passwords.
  • Stegdetect : Automated tool for detecting steganographic content in images.
  • StegFS : A FUSE based steganographic file system.
  • Steghide : Steganography program that is able to hide data in various kinds of image- and audio-files.
  • Stegify : Go tool for LSB steganography, capable of hiding any file within an image.
  • Stego : stego is a steganographic swiss army knife.
  • StegoGAN : A tool for creating steganographic images using adversarial training.
  • stego-toolkit : This project is a Docker image useful for solving Steganography challenges as those you can find at CTF platforms.
  • StegoVeritas : Yet another Stego Tool.
  • tweetable-polyglot-png : Pack up to 3MB of data into a tweetable PNG polyglot file.

Malware / AV

  • Malheur : A tool for the automatic analysis of malware behavior.
  • MalwareDetect : Submits a file's SHA1 sum to VirusTotal to determine whether it is a known piece of malware.

OS/VM

  • HiddenVM : Use any desktop OS without leaving a trace.
  • Tails : Portable operating system that protects against surveillance and censorship.

Hardware

  • BusKill : BusKill is a hardware and software project that uses a hardware tripwire/dead-man-switch to trigger a computer to lock or shut down if the user is physically separated from their machine.
  • Day Tripper : Hide-My-Windows Laser Tripwire.
  • DoNotDisturb : Security tool for macOS that aims to detect unauthorized physical access to your laptop.
  • Silk Guardian : Anti-forensic kill-switch that waits for a change on your usb ports and then wipes your ram, deletes precious files, and turns off your computer.
  • USB Kill : Anti-forensic kill-switch that waits for a change on your USB ports and then immediately shuts down your computer.
  • USB Death : Anti-forensic tool that writes udev rules for known USB devices and performs actions on unknown USB insertion or on removal of a specific USB device.
  • xxUSBSentinel : Windows anti-forensics USB monitoring tool.

Android App

  • Lockup : A proof-of-concept Android application to detect and defeat some of the Cellebrite UFED forensic toolkit extraction techniques.
  • Ripple : A "panic button" app for triggering a "ripple effect" across apps that are set up to respond to panic events.

Contributing

Thanks for visiting! If you have suggestions, open an issue or submit a PR. Contributions are welcome and much appreciated!

License

Licensed under Creative Commons, CC BY 4.0, © HUGUET Rémi @shadawck 2022