When it comes to incident response and forensics, there are many paid options for professionals. However, the treasure trove of free, open-source platforms is equally extensive. We have put together a list of some of our favorites in the incident response, forensics, and reporting categories. This does not include every tool that is available, but it should provide everything one would need for a well-rounded and robust arsenal of tools and programs. Keep in mind that these programs require expertise and technical knowledge. If you are in the midst of an active security incident or intrusion, contact us here or by emailing us at info@csgcyber.com.
1. The Hive: A Security Incident Response Platform designed to facilitate the work of security operations center analysts, SIEM administrators, and incident response analysts. https://thehive-project.org/
2. Autopsy: A slick, GUI-based program for digital forensics. This is one program that every incident responder should have in their arsenal.
3. SANS SIFT: “The SIFT Workstation is a compilation of free and open-source incident response and forensic tools.” This Linux distro comes packed with many tools and programs to create an all-in-one environment for incident responders and forensic analysts. https://www.sans.org/tools/sift-workstation/
4. Google Rapid Response: “GRR Rapid Response is an incident response framework focused on remote live forensics.” https://grr-doc.readthedocs.io/en/v3.3.0/what-is-grr.html
5. Volatility: “Volatility introduced people to the power of analyzing the runtime state of a system using the data found in volatile storage (RAM). It also provided a cross-platform, modular, and extensible platform to encourage further work into this exciting area of research.” If you are looking to assess RAM, look no further than Volatility. https://www.volatilityfoundation.org/releases
6. The Sleuth Kit: This robust collection and compilation of tools will help you with analysis of disk images, recovery of files, and further assist in putting a strong case together. https://www.sleuthkit.org/
7. AlienVault OSSIM: An open-source Security Information and Event Management (SIEM) platform that provides event collection and an environment for analysis within a GUI. Built by security engineers, for security engineers. https://cybersecurity.att.com/products/ossim
8. SIEM Alternatives: If you are looking for other free SIEM platforms, here are a few of the top projects:
Elastic: https://www.elastic.co/
OSSEC: https://www.ossec.net/
Wazuh: https://wazuh.com/
Apache Metron: https://metron.apache.org/
9. CIMSweep: CIM/WMI-based tools that enable incident response and hunting operations to be performed remotely across Windows environments. Using CIMSweep, incident responders can quickly collect large amounts of valuable data from many systems. https://github.com/PowerShellMafia/CimSweep
10. Mozilla MIG: This agent-based platform facilitates investigations by collecting data from endpoints. It is fast, easy, and effective for threat hunting and data collection, with privacy in mind. https://github.com/mozilla/mig
11. REMnux: If you are looking into reverse-engineering and analyzing malicious software, REMnux provides a nice collection of tools and programs for that purpose. https://remnux.org/
12. Zeek: Zeek is not a firewall or intrusion prevention system. Rather, Zeek sits on a sensor and quietly observes network traffic. “Zeek interprets what it sees and creates compact, high-fidelity transaction logs, file content, and fully customized output, suitable for manual review on disk or in a more analyst-friendly tool like a security and information event management (SIEM) system.” https://zeek.org/
13. Wireshark: If you don’t have Wireshark in your toolkit, this is a program you must become familiar with. Network analysis and threat hunting can be complicated; getting down to the root level often requires packet analysis. https://www.wireshark.org/
14. Magnet RAM Capture: Imaging systems is an essential part of the cyber-incident response process and of evidence handling. This program facilitates that process by capturing the physical memory of devices. https://www.magnetforensics.com/resources/magnet-ram-capture/
15. NetworkMiner: This open-source forensic analysis tool is used primarily on Windows, but is also available for Linux, Mac, and other operating systems. It is a great tool for passive network analysis and packet captures. https://www.netresec.com/?page=NetworkMiner
16. Nmap: One of the major prerequisites of incident response is simply knowing where you are on a network and what that network looks like. There are few better tools than Nmap for creating a network map for your response activities. https://nmap.org/
17. CrowdStrike Community Tools: CrowdStrike has put together a comprehensive library of open-source tools for many aspects of incident response and forensics. Check out the downloads library here: https://www.crowdstrike.com/resources/community-tools/
18. Kali Linux: This operating system should be familiar to most. However, if not, check out all of this glorious operating system’s capabilities here: https://www.kali.org/
19. CAINE (Computer Aided INvestigative Environment): This platform boasts over 80 tools geared toward forensics and reporting. It is a go-to Linux distro for many. https://www.caine-live.net/
20. Paladin: A comprehensive, Ubuntu-based Linux distro built for forensics. This is another trusted resource for many responders seeking to put together a compelling case. https://sumuri.com/software/paladin/
21. FTK Imager: A perfect toolkit for creating identical copies of data without changing file properties or raw data. https://www.exterro.com/forensic-toolkit