Python Dfir

Open-source Python projects categorized as Dfir

Top 23 Python Dfir Projects

  • ThreatHunter-Playbook

    A community-driven, open-source project to share detection logic, adversary tradecraft and resources to make detection development more efficient.

  • Loki

    Loki - Simple IOC and YARA Scanner (by Neo23x0)

  • Project mention: My Boss Downloaded and Opened a .lnk File and Installed a Malware in His Device | /r/computerforensics | 2023-06-06

    You should run a tool like Loki for IOC scanning. This will identify persistence.

  • IntelOwl

    IntelOwl: manage your Threat Intelligence at scale

  • Project mention: Monthly Security Checklist | /r/msp | 2023-06-25
  • timesketch

    Collaborative forensic timeline analysis

  • yeti

    Your Everyday Threat Intelligence

  • Digital-Forensics-Guide

    Digital Forensics Guide. Learn all about Digital Forensics, Computer Forensics, Mobile device Forensics, Network Forensics, and Database Forensics.

  • Project mention: Most used DFIR tools | /r/cybersecurity | 2023-12-10

    If you're looking to learn on your own, try mikeroyal's digital forensics guide on Github. There's a lot of recommended resources there that'll speed you up.

  • beagle

    Beagle is an incident response and digital forensics tool which transforms security logs and data into graphs. (by yampelo)

  • threathunting

    A Splunk app mapped to MITRE ATT&CK to guide your threat hunts

  • hindsight

    Web browser forensics for Google Chrome/Chromium

  • Project mention: Saving cached telegram messages from Edge | /r/DataHoarder | 2023-04-29

    I guess it would work like any Chromium cache so first make a backup of your data %AppData%\Local\Microsoft\Edge\User Data\Default\ and use Telegram is encrypted so I don't know how this is going to be readable.

  • Hunting-Queries-Detection-Rules

    KQL Queries. Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules.

  • Project mention: Advanced Hunting queries every admin should use | /r/DefenderATP | 2023-05-29
  • dissect

    Dissect is a digital forensics & incident response framework and toolset that allows you to quickly access and analyse forensic artefacts from various disk and file formats, developed by Fox-IT (part of NCC Group).

  • CyberThreatHunting

    A collection of resources for Threat Hunters - Sponsored by Falcon Guard

  • ThreatIngestor

    Extract and aggregate threat intelligence.

  • mac_apt

    macOS (& iOS) Artifact Parsing Tool

  • Project mention: My productivity app is a never-ending .txt file | | 2024-02-19
  • turbinia

    Automation and Scaling of Digital Forensics Tools

  • Project mention: Log2Timeline -> Timesketch | /r/computerforensics | 2023-05-16

    You want Turbinia and DFTimewolf. Literally the tools built by the DF team at Google (the same team that makes L2T) purpose-built to do exactly what you're asking.

  • lookyloo

    Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other.

  • atc-react

    A knowledge base of actionable Incident Response techniques

  • RecuperaBit

    A tool for forensic file system reconstruction.

  • Project mention: RecuperaBit: A tool for forensic file system reconstruction | | 2024-02-07
  • iocextract

    Defanged Indicator of Compromise (IOC) Extractor.

  • misp-warninglists

    Warning lists to inform users of MISP about potential false-positives or other information in indicators

  • Project mention: Lists | | 2023-04-27
  • PurpleCloud

    A little tool to play with Azure Identity - Azure Active Directory lab creation tool

  • dfirtrack

    DFIRTrack - The Incident Response Tracking Application

  • LOOBins

    Living Off the Orchard: macOS Binaries (LOOBins) is designed to provide detailed information on various built-in "living off the land" macOS binaries and how they can be used by threat actors for malicious purposes.

  • Project mention: LOOBins | | 2023-05-25

    I’m excited to announce the release of Living Off the Orchard: macOS Binaries (LOOBins)!

    LOOBins is a resource designed to help cybersecurity professionals and researchers understand and defend against the potential risks associated with binaries built into macOS.

NOTE: The open source projects on this list are ordered by number of GitHub stars. The number of mentions indicates repo mentions in the last 12 months or since we started tracking (Dec 2020).

Python Dfir related posts

What are some of the best open-source Dfir projects in Python? This list will help you:

Rank  Project                          Stars
1     ThreatHunter-Playbook            3,859
2     Loki                             3,219
3     IntelOwl                         3,103
4     timesketch                       2,485
5     yeti                             1,617
6     Digital-Forensics-Guide          1,335
7     beagle                           1,250
8     threathunting                    1,102
9     hindsight                        1,014
10    Hunting-Queries-Detection-Rules    993
11    dissect                            850
12    CyberThreatHunting                 792
13    ThreatIngestor                     781
14    mac_apt                            716
15    turbinia                           710
16    lookyloo                           644
17    atc-react                          571
18    RecuperaBit                        502
19    iocextract                         485
20    misp-warninglists                  474
21    PurpleCloud                        473
22    dfirtrack                          466
23    LOOBins                            386