Qu1cksc0pe

All-in-One malware analysis tool for analyze many file types, from Windows binaries to E-Mail files.

You can get:

• What DLL files are used.
• Functions and APIs.
• Sections and segments.
• URLs, IP addresses and emails.
• Android permissions (Dangerous/Special/Info).
• MITRE ATT&CK mappings (Windows + Linux static analysis).
• File extensions and their names.
• Embedded executables/exploits.
  And so on...
  

Qu1cksc0pe aims to get even more information about suspicious files and helps user realize what that file is capable of.

Qu1cksc0pe Can Analyze Currently

Files	Analysis Type
Windows Executables (.exe, .dll, .msi, .bin)	Static, Dynamic
Linux Executables (.elf, .bin)	Static, Dynamic
MacOS Executables (mach-o)	Static
Android Files (.apk, .jar, .dex)	Static, Dynamic(for now .apk only)
Golang Binaries (Linux)	Static
Document Files	Static
VBScript/VBA Family (.vbs, .vbe, .vba, .vb, .bas, .cls, .frm)	Static (--docs)
HTML Documents (.html, .htm)	Static (--analyze)
JavaScript (.js)	Static (--analyze)
HTA / HTML Application (.hta)	Static (--analyze)
Windows Batch Scripts (.bat, .cmd)	Static (--analyze)
Windows Shortcut (.lnk)	Static (--analyze)
Archive Files (.zip, .rar, .ace)	Static
PCAP Files (.pcap)	Static
Powershell Scripts	Static
E-Mail Files (.eml)	Static

Usage

python qu1cksc0pe.py --file suspicious_file --analyze

# Launch Web UI
python3 qu1cksc0pe.py --ui

Screenshot

Updates

03/03/2026

• Debian package (build_deb.sh): .deb post-install now bundles JADX v1.5.3 download, Ollama installation, and pyOneNote pip install so a fresh Kali/Parrot system is fully functional without any manual post-setup. Depends on default-jre-headless, unzip, curl | wget; adb/strace/ltrace moved to Recommends (non-blocking on systems that lack them).
• Bug fix: all subprocess module-launch calls across qu1cksc0pe.py, apkAnalyzer.py, emulator.py, pcap_analyzer.py, and email_analyzer.py now use sys.executable instead of shutil.which("python3"). Previously, sub-analyzers launched inside a virtualenv fell back to the system Python and raised ModuleNotFoundError for every pip-installed dependency (puremagic, androguard, pyaxmlparser, …).
• Bug fix: apkAnalyzer.py — resolve_decompiler_path() and is_valid_jadx_launcher() now catch PermissionError when scanning the /opt/Qu1cksc0pe/jadx/lib/ directory, falling back to an os.access() check. Previously the tool exited with an unhandled permission exception when run as a normal user and JADX was installed by root.
• Bug fix: archiveAnalyzer.py — RAR5 archives (and RAR archives on systems with unrar-free) returned an empty file list because unrar-free does not support RAR5. Added a two-stage fallback: (1) try rarfile with the best available extractor; (2) if infolist() is empty, fall back to 7z l (list-only, no password needed) parsed via the new _parse_7z_list() helper into a ListOnlyArchive wrapper. Password-protected archives are now listed without hanging — read() returns empty bytes so content scanning is skipped gracefully.
• Debian post-install: added a prominent ASCII-box summary printed at the end of apt install reminding the user to run ollama signin (AI features) and qu1cksc0pe --key_init (VirusTotal API key setup).

02/03/2026

• Removed --console flag and Modules/console.py (interactive shell mode). All analysis capabilities remain fully available via the standard CLI flags.
• Dead code cleanup across the codebase: removed unused libscan variable (qu1cksc0pe.py), unused setup_scr variable (windows_static_analyzer.py, apkAnalyzer.py), and 11 no-op else: pass blocks (qu1cksc0pe.py, apkAnalyzer.py, domainCatcher.py, powershell_analyzer.py). All bare except: clauses in import guards tightened to except ImportError.
• Bug fix: Modules/android_dynamic_analyzer.py was missing import configparser — on Windows the ADB path lookup (adb_conf = configparser.ConfigParser()) would raise NameError at runtime. Import added.
• Installer hardened (Modules/installer.sh): added set -euo pipefail, argument count and validity checks, source directory integrity verification, system user validation (rejects root as target user), python3/pip3 dependency checks, overwrite detection with confirmation prompt, trap ERR rollback on failure, fixed cp -r bug that nested the directory inside /opt/Qu1cksc0pe when destination already existed, pip now runs as the target user (sudo -u) instead of root, dos2unix guarded by command -v, uninstaller requires confirmation and reports when nothing is installed.
• Git history rewritten to remove large blobs that were deleted from the working tree but still downloaded on every clone: .animations/ (GIF demo files, ~80 MB across all historical versions) and RansomWare.WannaCry (test sample). Full clone size reduced from ~110 MB to ~5 MB.

01/03/2026

• Windows dynamic analysis (--watch → Process Monitor) now uses a pure-Python Windows Debug API hook engine (Modules/windows_api_hooker.py) instead of Frida. API calls are intercepted at runtime via INT3 software breakpoints with single-step trap flag reinstatement to reinstall the hook after each hit. No Frida dependency is required for Windows dynamic analysis.
• Windows API Tracer panel shows real-time interception of 45+ monitored APIs across kernel32, ntdll, advapi32, ws2_32, wininet, user32, and shell32. Argument details (file paths, registry keys, socket addresses, hostnames, VK codes, hook types) are extracted from the x64 register context (RCX/RDX/R8/R9 + stack shadow space). ACG-protected processes (e.g. Chrome renderer) are reported as write_failed hooks rather than crashing.
• frida package is no longer required for Windows dynamic analysis. It is still used for Android dynamic analysis only.
• Linux dynamic analysis (PID monitoring) now uses strace/ltrace instead of Frida for syscall and library call tracing. strace -f automatically follows forked children; ltrace is used as fallback when strace is unavailable. Frida dependency and sc0pe_linux_dynamic.js script removed entirely.
• Syscall/API Tracer table in the Linux dynamic analysis TUI now uses a rotating display: rows scroll upward as new events arrive, keeping the last 14 entries visible at all times. Same rotation applied to the Interesting Findings table (11 rows).
• Binary IPC noise filter improved: strace octal/hex escape sequences (e.g. \372) are stripped before the printable-character check, so pipe IPC data no longer leaks into the syscall table.
• setup.sh updated: strace and ltrace are now installed automatically as system dependencies during setup.
• Removed orphaned files: Systems/Linux/linux_trace_list.json (leftover Frida-era syscall definitions) and Modules/mitre.py (deprecated wrapper superseded by integrated Windows static analysis).

28/02/2026

• PCAP analyzer now supports --report and --ai flags. All analysis results (URLs, IPs, DNS queries, DGA suspects, HTTP requests, TLS SNI hostnames, JA3 digests/matches, interesting strings, connection analysis, external IPs, carved executables) are collected into sc0pe_pcap_report.json and fed to the AI analyzer automatically.
• PCAP analyzer: four new detection methods added — detect_dga_domains() (Shannon entropy + label length + digit-ratio heuristics), analyze_connections() (suspicious/C2 port detection + external IP inventory), analyze_http_requests() (dpkt HTTP parsing, suspicious User-Agent flagging), extract_tls_sni() (manual TLS ClientHello byte-level SNI extraction).
• PCAP analyzer: embedded executable detection is now fully automated in --report/--ai mode — sigChecker.py is invoked with an auto_extract flag that skips the interactive confirmation prompt and carves files directly.
• PCAP analyzer: carved executables are now triaged automatically. For each carved PE, the report includes file type, MIME type (via puremagic), architecture, subsystem, compile timestamp, import hash, per-section entropy with packing flag, suspicious Win32 API imports, and embedded IoC strings (URLs, IPs, e-mail addresses extracted from raw bytes).
• PCAP report is cleaned before saving: empty lists/dicts are stripped, extracted_ips removed (superseded by external_ips), and http_requests filtered to non-whitelisted hosts only to reduce noise.
• Android malware family detection improvements: andro_familydetect.py gained a SourceScan() method that scans decompiled source files under TargetAPK/sources/ against SourcePatterns defined in family.json. Three new families added to Systems/Android/family.json: Cerberus, Anubis, EventBot (patterns derived from published YARA rules).
• Web UI: PCAP analysis results are now rendered with dedicated panel handlers — http_requests and suspicious_connections render as proper tables; carved_executables triage data renders across structured panels (basic info KV, PE sections table, suspicious imports list, embedded IoC lists) instead of raw stringified dicts.
• Web UI: "PCAP / Network Traffic" preset removed; PCAP files are handled transparently by the existing "Standart Analysis" preset via magic.from_file() auto-detection.

25/02/2026

• NEW: Added Windows Shortcut (.lnk) file analysis support via --analyze (Modules/lnk_analyzer.py). Parses the MS-SHLLINK binary format without external dependencies: extracts target path, command line arguments, working directory, icon location, timestamps (FILETIME), ShowCommand, hotkey, and network share. Detects suspicious indicators (hidden/minimized window, excessively long arguments, Base64 payloads, UNC paths, temp/AppData targets, icon spoofing) and LOLBAS binaries. Category pattern scanning (Execution / Persistence / Defense Evasion / Download/Network / Obfuscation) operates per-field and reports the full field value for each match — no context-window truncation. YARA rule matching included.
• AI analyzer bug fix: configured model (e.g. kimi-k2.5:cloud in multiple.conf) is now always tried first; discovered local models are used as fallbacks only. Previously, SC0PE_AI_SKIP_CLOUD_WHEN_LOCAL was demoting the configured model behind local ones, causing the entire time budget to be consumed before the intended model was reached.
• AI analyzer bug fix: per-call HTTP generation timeout is no longer capped by SC0PE_AI_HTTP_PROBE_TIMEOUT (which is intended for lightweight model-list probing only). Generation calls now correctly use SC0PE_AI_OLLAMA_HTTP_TIMEOUT as the upper bound.
• MSI analysis bug fix: statistics table is now always printed after Microsoft Software Installer analysis. Previously, when the MSI could not be parsed as a native PE (fallback string-scan path), statistics_method() was skipped entirely. PE-specific fields (Time Date Stamp, IMPHASH) are omitted gracefully when the file is not a standalone PE.
• NEW: Added HTML (.html, .htm), JavaScript (.js), and HTA/HTML Application (.hta) file analysis support via --analyze. Analysis is handled by the new Modules/html_script_analyzer.py module (extracted from document_analyzer.py). HTML/JS analysis covers malicious code patterns, obfuscation, network, execution, shell/Node.js, filesystem, and persistence indicators with Base64 decode hints and YARA scanning. HTA analysis performs full HTML-layer checks (malicious code patterns, URLs, iframe, PowerShell) plus inline script block pattern scanning with automatic VBScript/JScript language detection. These file types are not supported by --docs.

21/02/2026

• Linux static analyzer now performs automatic MITRE ATT&CK mapping and stores results in report fields: mitre_attack, mitre_technique_count, mitre_api_match_count.
• MITRE output is now shown in Web UI as detailed tactic/technique tables.
• Android permission triage was upgraded to 3 states: Dangerous, Special, Info; JSON report now includes permission_summary.
• Web UI report page now renders Android permissions in a dedicated section with state badges.
• Systems/Android/perms.json was expanded/normalized with modern Android permissions (Android 12+/13+ additions included).
• PowerShell analyzer now writes decoded Base64 outputs into a single aggregate file: qu1cksc0pe_decoded_b64_values.txt.
• AI IoC sanitizer now filters whitelisted/legit domains using Systems/Multiple/whitelist_domains.txt (enabled by default).
• Archive analyzer now supports JSON report export (--archive --report) and AI report analysis (--archive --ai).

Available On

Recommended Systems

• Parrot OS
• Kali Linux
• Windows 10 or 11

And also another Linux distributions like as Kali/Parrot

Setup and Installation

Note

If you encounter issues with the Python modules, creating a Python virtual environment (python_venv) should resolve them. For detailed setup and troubleshooting (dependencies, Docker usage, Windows notes), see the project overview documentation. AI model selection is manual: set [Ollama] model in Systems/Multiple/multiple.conf to the exact model you want to use.

# First you need to clone Qu1cksc0pe with this command
git clone --depth 1 https://github.com/CYB3RMX/Qu1cksc0pe

# After cloning the repository YOU MUST create a python virtual environment (for handling python modules)
virtualenv -p python3 sc0pe_venv
source sc0pe_venv/bin/activate

# You can simply execute the following command it will do everything for you!
bash setup.sh
#
# setup.sh also installs required system tools (e.g. adb, strings, unzip, 7z) and sets up JADX.

# If you want to install Qu1cksc0pe on your system just execute the following commands.
python qu1cksc0pe.py --install # Optional

# To prevent interpreter errors after installation, use dos2unix.
dos2unix /usr/bin/qu1cksc0pe

# Or you can use Qu1cksc0pe from Docker!
docker build -t qu1cksc0pe .
docker run -it --rm -v $(pwd):/data qu1cksc0pe:latest --file /data/suspicious_file --analyze

# For Windows systems you need to execute the following command (Powershell)
# PS C:\Users\user\Desktop\Qu1cksc0pe> .\setup.ps1
#
# setup.ps1 handles winget dependency fallback, Python + 7-Zip setup,
# Sysinternals strings EULA acceptance, and resilient Ollama installation.
# If cloud model auth is needed, run:
# ollama signin
# ollama pull kimi-k2.5:cloud

Environment Variables

You can change some analyzer behaviors via environment variables (useful for CI, reproducibility, or controlling report size/timeouts).

Linux/macOS (bash/zsh) example

SC0PE_ANDROID_REPORT_DETAILED=1 python qu1cksc0pe.py --file app.apk --analyze --report

Windows (PowerShell) example

$env:SC0PE_ANDROID_REPORT_DETAILED="1"
python .\\qu1cksc0pe.py --file app.apk --analyze --report

Variable	Default	What It Does
SC0PE_ANDROID_REPORT_DETAILED	0	Android analyzer JSON becomes more verbose (keeps larger fields and higher limits). Includes more details under resource_scan, and keeps large duplicate fields like code_patterns more often.
SC0PE_WINDOWS_REPORT_DETAILED	0	Windows analyzer stores per-category API lists in more detail (instead of unique API names only).
SC0PE_AUTO_DECRYPT_CHAIN	0	Document analyzer: when an Office document decryption succeeds, automatically re-runs analysis on the decrypted output (best-effort).
SC0PE_AI_INTERESTING_PATTERNS_MAX_KEYS	25	AI analyzer: limit how many keys from interesting_string_patterns are included in the LLM prompt.
SC0PE_AI_INTERESTING_PATTERNS_MAX_VALUES	30	AI analyzer: limit list size per interesting_string_patterns key in the LLM prompt.
SC0PE_AI_INCLUDE_TEMP_EXCERPT	0	AI analyzer: include raw temp.txt excerpt in prompt when set to 1 (default is parsed/summarized mode without raw excerpt).
SC0PE_AI_TEMP_TXT_EXCERPT_CHARS	800	AI analyzer: character limit for raw temp.txt excerpt (used when SC0PE_AI_INCLUDE_TEMP_EXCERPT=1).
SC0PE_AI_TEMP_TXT_MAX_STRINGS	50	AI analyzer: limit number of meaningful strings selected from parsed temp.txt.
SC0PE_AI_TEMP_TXT_MIN_LEN	6	AI analyzer: minimum length for a meaningful string extracted from temp.txt.
SC0PE_AI_TEMP_TXT_MAX_LEN	180	AI analyzer: maximum length for a meaningful string extracted from temp.txt.
SC0PE_AI_TEMP_PARSE_MAX_BYTES	2097152	AI analyzer: max bytes to parse from temp.txt while building compact evidence.
SC0PE_AI_TEMP_PARSE_MAX_LINES	12000	AI analyzer: max lines to parse from temp.txt.
SC0PE_AI_TEMP_SAMPLE_LINES	2500	AI analyzer: sample size used for meaningful-string scoring.
SC0PE_AI_TEMP_IOC_CAP	40	AI analyzer: cap for IoC candidates parsed from temp.txt.
SC0PE_AI_TEMP_IOC_PROMPT_MAX	20	AI analyzer: max parsed IoC values per kind sent to LLM prompt.
SC0PE_AI_MAX_REPORT_CHARS	180000	AI analyzer: threshold for full-report prompt mode; larger reports are compacted automatically.
SC0PE_AI_COMPACT_MAX_LIST_ITEMS	40	AI analyzer: list sampling limit in compact report mode.
SC0PE_AI_COMPACT_MAX_STR	220	AI analyzer: max string length per field in compact report mode.
SC0PE_AI_COMPACT_MAX_DEPTH	4	AI analyzer: nested depth limit in compact report mode.
SC0PE_AI_OLLAMA_HTTP_TIMEOUT	60	AI analyzer: Ollama HTTP call timeout (seconds).
SC0PE_AI_HTTP_PROBE_TIMEOUT	20	AI analyzer: short probe timeout before full HTTP generation call (seconds).
SC0PE_AI_OLLAMA_CLI_TIMEOUT	90	AI analyzer: Ollama CLI call timeout (seconds).
SC0PE_AI_TOTAL_BUDGET	120	AI analyzer: total generation budget across retries/fallback attempts (seconds).
SC0PE_AI_OLLAMA_NUM_PREDICT	700	AI analyzer: default generation token budget per Ollama call.
SC0PE_AI_OLLAMA_RETRY_NUM_PREDICT	1400	AI analyzer: generation token budget for retry when output looks truncated.
SC0PE_AI_OLLAMA_NUM_CTX	8192	AI analyzer: Ollama context window setting.
SC0PE_AI_DISABLE_THINK	1	AI analyzer: sends think=false (if supported) and removes thinking artifacts from displayed/saved output.
SC0PE_AI_ALLOW_MODEL_FALLBACK	1	AI analyzer: when 1, can try locally available Ollama models if configured model fails/unavailable.
SC0PE_AI_SKIP_CLOUD_WHEN_LOCAL	1	AI analyzer: prefer local models over cloud-tagged models when local options exist.
SC0PE_AI_SKIP_CLOUD_CLI	1	AI analyzer: skip cloud-tagged models for CLI fallback attempts.
SC0PE_AI_MAX_MODEL_CANDIDATES	4	AI analyzer: maximum number of candidate models to try in fallback chain.
SC0PE_AI_FILTER_WHITELIST_DOMAINS	1	AI IoC sanitizer: filter legit/whitelisted domains using Systems/Multiple/whitelist_domains.txt.
SC0PE_AI_ALLOW_SHORT_DOMAINS	0	IoC sanitizer: allow very short SLD domains (disabled by default to reduce false positives).
SC0PE_AI_MIN_SLD_LEN	4	IoC sanitizer: minimum registrable-label length for domain validation.
SC0PE_AI_ALLOW_FILELIKE_TLDS	0	IoC sanitizer: when 0, filters file-like pseudo-domains such as sheet1.xml.
SC0PE_AI_KEEP_LOCAL_PATHS	0	IoC sanitizer: when 0, removes local analysis machine paths from file_paths.
SC0PE_DOC_AUTO_EXTRACT_MACROS	1	Document analyzer: automatically extract detected VBA/XLM macros into report output (0 disables).
SC0PE_REPORT_MAX_MACRO_CHARS	50000	Document analyzer: per-macro text cap used while saving extracted macro content into JSON report.
SC0PE_EMAIL_DNSBL_FILTER_NOISY	1	Email analyzer: filter noisy DNSBL providers to reduce false positives.
SC0PE_EMAIL_DNSBL_ALLOW_UNKNOWN	0	Email analyzer: include/exclude DNSBL hits with unknown category.
SC0PE_EMAIL_DNSBL_NOISY_PROVIDERS	unset	Email analyzer: comma-separated extra DNSBL providers to treat as noisy.
SC0PE_AUTO_CLEANUP_ATTACHMENTS	unset	Email analyzer: set 1 for auto-delete, 0 for never-delete, unset for interactive prompt.
OLLAMA_HOST	http://127.0.0.1:11434	AI report analysis backend (Ollama). Set this if Ollama is remote or on a different host/port.
JAVA_HOME	unset	Android analyzer: helps locate Java runtime for JADX. Set this if Java is installed but not detected.

Static Analysis

Normal analysis

Description: You can perform basic analysis and triage against your samples.

Usage: python qu1cksc0pe.py --file suspicious_file --analyze

Resource analysis

Description: With this feature you can analyze assets of given file. Also you can detect and extract embedded payloads from malware samples such as AgentTesla, Formbook etc.

Effective Against:

• .NET Executables

Usage: python qu1cksc0pe.py --file suspicious_file --resource

Note

Android APK resource scanning was moved into the Android analyzer. Use: python qu1cksc0pe.py --file app.apk --analyze --report The JSON report includes resource_scan. Set SC0PE_ANDROID_REPORT_DETAILED=1 to keep more details in the report.

Hash scan

Description: You can check if hash value of the given file is in built-in malware hash database. Also you can scan your directories with this feature.

Usage: python qu1cksc0pe.py --file suspicious_file --hashscan

Folder scan

Supported Arguments:

• --hashscan
• --packer

Usage: python qu1cksc0pe.py --folder FOLDER --hashscan

VirusTotal

Report Contents:

• Threat Categories
• Detections
• CrowdSourced IDS Reports

Usage for --vtFile: python qu1cksc0pe.py --file suspicious_file --vtFile

Note

In Web UI flow, Standart Analysis, Document, and Archive presets also execute VirusTotal file lookup in background and show the result in the report page.

Document scan

Description: This feature can perform deep file inspection against given document files. For example: You can detect and extract possible malicious links or embedded exploits/payloads from your suspicious document file easily!

Effective Against:

• Word Documents (.doc, .docm, .docx)
• Excel Documents (.xls, .xlsm, .xlsx)
• Portable Document Format (.pdf)
• OneNote Documents (.one)
• Rich Text Format Documents (.rtf)
• VBScript/VBA Family (.vbs, .vbe, .vba, .vb, .bas, .cls, .frm)

Usage: python qu1cksc0pe.py --file suspicious_document --docs

Batch Script scan (.bat/.cmd)

Description: Analyze Windows Batch scripts for suspicious commands, encoded payload patterns, URLs/domains/IPs, and rule matches.

Usage: python qu1cksc0pe.py --file suspicious_script.bat --analyze --report

Embedded File/Exploit Extraction

Archive File Scan

Description: With this feature you can perform checks for suspicious files against archive files.

Effective Against:

• ZIP
• RAR
• ACE

Usage: python qu1cksc0pe.py --file suspicious_archive_file --archive
With report: python qu1cksc0pe.py --file suspicious_archive_file --archive --report
With AI support: python qu1cksc0pe.py --file suspicious_archive_file --archive --ai

Note

ACE archive support requires 7z/7zz to be installed (setup scripts install it on supported systems).

File signature analyzer

Description: With this feature you can detect and extract embedded executable files(.exe, .elf) from given file. Also you can analyze large files (even 1gb or higher) and extract actual malware samples from them (pumped-file analysis).

Usage: python qu1cksc0pe.py --file suspicious_file --sigcheck

File Carving

MITRE ATT&CK Technique Extraction

Description: MITRE ATT&CK mapping is generated automatically during static analysis based on detected APIs/functions/patterns.

Effective Against:

• Windows Executables
• Linux Executables

Usage: python qu1cksc0pe.py --file suspicious_file --analyze

Android Permission Risk Classification

Description: Android permission analysis now classifies permissions as Dangerous, Special, or Info and writes an aggregate permission_summary into JSON reports.

Usage: python qu1cksc0pe.py --file suspicious_app.apk --analyze --report

Note

In Web UI report page, Android permissions are shown in a dedicated section with counters and per-permission state badges.

Programming language detection

Description: You can get programming language information from given file.

Usage: python qu1cksc0pe.py --file suspicious_executable --lang

Interactive shell

Description: You can use Qu1cksc0pe in command line mode.

Usage: python qu1cksc0pe.py --console

Dynamic Analysis

Android Application Analysis

Note

You must connect a virtual device or physical device to your computer.

Usage: python qu1cksc0pe.py --watch

android_dynamic_analysis.mp4

Linux Dynamic Analysis

Description: Linux dynamic flow is menu-driven and lets you choose emulation or live process monitoring.

Usage: python qu1cksc0pe.py --watch

After selecting Linux:

• Option 1: Binary Emulation (isolated environment).
• Option 2: PID Monitoring.

Notes:

• PID monitoring accepts both numeric PID and process name.
• Interactive Linux prompts support TAB autocomplete (selection, path, PID/name).
• Emulation fallback order: Docker SDK -> Docker CLI -> host qemu (if Docker is unavailable).

Windows Process Analysis

Usage: python qu1cksc0pe.py --watch

windows_process_analyzer.mp4

References

• The Cyber Security Hub
• Kitploit - Top 20 Most Popular Hacking Tools in 2021
• CSIRT.MAI
• Vulners
• RedPacket Security
• Bournemouth University - CERT
• Hacking Articles - Digital Forensics Tools Mindmap
• HackGit - Twitter Post
• Daily Dark Web - Twitter Post
• SANS ISC - Blog Post
• Korben - Blog Post
• heise online - Blog Post

Star History