Links

Windows Analysis

Tools to conduct forensic analysis on various Windows artifacts

amcache.py

Website: https://github.com/williballenthin/python-registry (original project)
Description: AmCache registry hive parser
Author: Willi Ballenthin and Corey Forman
License: Apache License 2.0 (https://github.com/williballenthin/python-registry/blob/master/LICENSE.TXT)
Version: 2.0
Notes: This version has been modified from the original and is not stored online at this time

Autorunner

Website: https://github.com/woanware/autorunner
Description: Checks for autorun applications on Windows
Author: Mark Woan
License: Public Domain
Version: 0.0.16

autotimeliner

Website: https://github.com/andreafortuna/autotimeliner
Description: Timeline generator using The Sleuth Kit and Volatility
Author: Andrea Fortuna
License: MIT License (https://github.com/andreafortuna/autotimeliner/blob/master/LICENSE)
Version: 1.1.0

bitsparser

Website: https://github.com/digitalsleuth/bitsparser
Description: Python tool to parse Windows BITS (Background Intelligent Transfer Service) database files
Author: Corey Forman / FireEye
License: Apache License v2.0 (https://github.com/digitalsleuth/BitsParser/blob/master/LICENSE)
Version: 1.0

bmc-tools

Website: https://github.com/ANSSI-FR/bmc-tools
Description: Parses RDP bitmap cache files
Author: ANSSI-FR
License: CeCILL Free Software License Agreement v2.1 (https://github.com/ANSSI-FR/bmc-tools/blob/master/LICENCE.txt)
Version: 3.00

Event Log Explorer

Website: https://eventlogxp.com/
Description: Windows event log parser
Author: FSPro
License: Multiple (https://eventlogxp.com/order.html)
Version: 5.3
Notes: 30-day trial

Hindsight

Website: https://github.com/obsidianforensics/hindsight
Description: Browser artifact parser for Chromium-based browsers (originally Chrome), with a web-based UI
Author: Ryan Benson (Obsidian Forensics)
License: Apache v2.0 (https://github.com/obsidianforensics/hindsight/blob/master/LICENSE.md)
Version: 2021.12

Kansa

Website: https://github.com/davehull/kansa
Description: PowerShell incident response framework
Author: Dave Hull
License: Apache License v2.0 (https://github.com/davehull/Kansa/blob/master/LICENSE)
Version: 18 Nov 2022 (no release version defined; date of last commit)

kape

Website: https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape
Description: Incident response artifact parser and extractor
Author: Eric Zimmerman / Kroll
License: Kroll license terms (https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape)
Version: 1.3.0.2

LogFileParser

Website: https://github.com/jschicht/LogFileParser
Description: NTFS $LogFile parser
Author: Joakim Schicht
License: MIT (https://github.com/jschicht/LogFileParser/blob/master/LICENSE.md)
Version: 2.0.0.49

MagnetRamCapture (MRC)

Website: https://magnetforensics.com
Description: Windows memory capture utility
Author: Magnet Forensics
License: EULA
Version: 1.2.0

MFT Browser

Website: https://github.com/kacos2000/MFT_Browser
Description: Graphical MFT browser utility
Author: Costas K.
License: MIT License (https://github.com/kacos2000/MFT_Browser/blob/master/LICENSE)
Version: 0.0.68.0

MiTeC Tool Suite

Website: https://mitec.cz
Description: Suite of Windows-based analysis tools
Author: Michal Mutl (mitec)
License: Free to use for private, educational and non-commercial purposes
Version: Various

Nirsoft

Website: https://nirsoft.net
Description: Suite of various Windows analysis tools
Author: Nir Sofer
License: not stated
Version: 1.23.65
Notes: Several NirSoft utilities (the password-recovery tools in particular) are flagged by antivirus products as potentially unwanted applications; expect them to be quarantined on a live host unless excluded.

NTFS Log Tracker

Website: https://sites.google.com/site/forensicnote/ntfs-log-tracker
Description: NTFS $LogFile and $UsnJrnl:$J parser
Author: Junghoon Oh (blueangel)
License: not stated
Version: 1.71

Pilfer

Website: https://github.com/digitalsleuth/forensics_tools
Description: Rapid triage tool using Windows built-in binaries
Author: Corey Forman (digitalsleuth)
License: GNU General Public License v3 (https://github.com/digitalsleuth/forensics_tools/blob/master/LICENSE)
Version: 2.4

Shadow Explorer

Website: https://www.shadowexplorer.com
Description: Windows Volume Shadow Copy viewer
Author: ShadowExplorer
License: not stated
Version: 0.9.462.0

SilkETW

Website: https://github.com/mandiant/SilkETW
Description: Wrapper for ETW (Event Tracing for Windows)
Author: Mandiant
License: Apache License v2 (https://github.com/mandiant/SilkETW/raw/master/LICENSE.txt); 3rd-party licenses (https://github.com/mandiant/SilkETW/blob/master/LICENSE-3RD-PARTY.txt)
Version: 0.8
Notes: Sample usage: https://www.mandiant.com/resources/blog/silketw-because-free-telemetry-is-free

srum-dump

Website: https://github.com/MarkBaggett/srum-dump
Description: Tool to analyze data in the Windows System Resource Usage Monitor (SRUM) database
Author: Mark Baggett
License: GNU General Public License v3 (https://github.com/MarkBaggett/srum-dump/blob/master/LICENSE)
Version: 2.4

Sysinternals

Website: https://sysinternals.com
Description: Suite of Windows analysis and management tools
Author: Microsoft / Mark Russinovich
License: https://learn.microsoft.com/en-us/sysinternals/license-terms
Version: 2023.01.25 (date of last update; the suite carries no single version number)

The Sleuth Kit

Website: https://github.com/sleuthkit/sleuthkit/
Description: Library and collection of command-line DFIR tools
Author: Brian Carrier
License: Multiple licenses (https://www.sleuthkit.org/sleuthkit/licenses.php)
Version: 4.12.0

ThumbCache Viewer

Website: https://thumbcacheviewer.github.io/
Description: Windows thumbnail cache parser
Author: Eric Kutcher
License: GNU General Public License v3.0 (identified within the program)
Version: 1.0.3.7

usbdeviceforensics

Website: https://github.com/digitalsleuth/usbdeviceforensics
Description: Tracks a USB device throughout a Windows system
Author: Corey Forman / Mark Woan
License: Public Domain
Version: 1.0.0

Velociraptor

Website: https://docs.velociraptor.app/
Description: DFIR live acquisition tool
Author: Mike Cohen (scudette)
License: GNU Affero General Public License v3 (https://github.com/Velocidex/velociraptor/blob/master/LICENSE)
Version: 0.6.7-5

Volatility

Website: https://github.com/volatilityfoundation/volatility
Description: Memory analysis toolset
Author: https://github.com/volatilityfoundation/volatility/blob/master/AUTHORS.txt
License: GNU General Public License v2 (https://github.com/volatilityfoundation/volatility/blob/master/LICENSE.txt)
Version: 2
Notes: Legacy branch; runs on Python 2.7 only and uses per-OS profiles. Volatility3 is the actively maintained successor.

Volatility3

Website: https://github.com/volatilityfoundation/volatility3
Description: Memory analysis toolset
Author: Volatility Foundation
License: Volatility Software License (https://www.volatilityfoundation.org/license/vsl-v1.0)
Version: 3
Notes: Python 3. Replaces Volatility 2 profiles with symbol tables (ISF JSON); Windows symbols are fetched from Microsoft's symbol server on demand, so offline analysis needs the symbol files staged in advance.

vssmount

Website: https://github.com/digitalsleuth/forensics_tools
Description: Windows batch script to work with and mount Volume Shadow Copies
Author: Corey Forman (digitalsleuth)
License: GNU General Public License v3 (https://github.com/digitalsleuth/forensics_tools/blob/master/LICENSE)
Version: 2.0
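Worked example for the two Volume Shadow Copy entries above (Shadow Explorer and vssmount). This is added here and is not code from either tool: it does in PowerShell what a vssmount-style batch script automates, enumerating the snapshots through WMI (Win32_ShadowCopy) and exposing each one as a directory symlink so it can be browsed, hashed and fed to the parsers listed on this page. The link root C:\vss and the probe file Security.evtx are assumptions for the example, not something the page specifies.

```powershell
#Requires -RunAsAdministrator
<#
  Added example, not code from vssmount or Shadow Explorer: enumerate Volume Shadow
  Copies with WMI and expose each as a directory symlink so the snapshot can be
  browsed, hashed and parsed like a normal folder.
  Assumptions (not from the page): C:\vss as the link root, and
  Windows\System32\winevt\Logs\Security.evtx as the file probed in each snapshot.
#>
[CmdletBinding()]
param(
    [string]$MountRoot = 'C:\vss',
    [string]$ProbeRelativePath = 'Windows\System32\winevt\Logs\Security.evtx',
    [switch]$Unmount
)

if ($Unmount) {
    # The links are directory symlinks: rmdir removes the link itself and never
    # touches the snapshot behind it.
    Get-ChildItem -Path $MountRoot -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint } |
        ForEach-Object { cmd.exe /c rmdir $_.FullName }
    return
}

New-Item -ItemType Directory -Path $MountRoot -Force | Out-Null

# Win32_ShadowCopy lists every snapshot the VSS service knows about. DeviceObject is the
# \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path that mklink can target directly.
$volumes = Get-CimInstance -ClassName Win32_Volume
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate

foreach ($sc in $shadows) {
    # Map the snapshotted volume GUID back to a drive letter for a readable link name.
    $vol    = $volumes | Where-Object DeviceID -eq $sc.VolumeName
    $letter = if ($vol -and $vol.DriveLetter) { $vol.DriveLetter.TrimEnd(':') } else { 'NoLetter' }
    $stamp  = $sc.InstallDate.ToString('yyyyMMdd_HHmmss')
    $index  = ($sc.DeviceObject -split 'HarddiskVolumeShadowCopy')[-1]
    $link   = Join-Path $MountRoot "${letter}_${stamp}_vss$index"

    if (-not (Test-Path -LiteralPath $link)) {
        # cmd's mklink is used because it accepts the GLOBALROOT device path as-is.
        # It must be a directory link (/d) and the device path needs a trailing backslash.
        cmd.exe /c mklink /d $link "$($sc.DeviceObject)\" | Out-Null
    }

    # Probe one file per snapshot: size and hash show which snapshots still hold a
    # version of a log that was later cleared or truncated on the live volume.
    $probe = Join-Path $link $ProbeRelativePath
    $size  = $null
    $hash  = $null
    if (Test-Path -LiteralPath $probe) {
        $size = (Get-Item -LiteralPath $probe).Length
        $hash = (Get-FileHash -LiteralPath $probe -Algorithm SHA256).Hash
    }

    [pscustomobject]@{
        Link        = $link
        Volume      = $letter
        Created     = $sc.InstallDate
        Device      = $sc.DeviceObject
        ProbeBytes  = $size
        ProbeSHA256 = $hash
    }
}
```

Run it elevated from a console; rerun with -Unmount to remove the links when done. Reading through the symlink does not modify the snapshot, but creating the links and running the probe does leave traces on the live system (directory creation, symlink creation, file access), so on an evidence host prefer imaging the volume and mounting the shadow copies from the image instead.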

Windows Timeline

Website: https://github.com/kacos2000/WindowsTimeline
Description: Windows Timeline / Activities Cache parser
Author: Costas K.
License: Mozilla Public License v2.0 (https://github.com/kacos2000/WindowsTimeline/blob/master/LICENSE)
Version: 2.0.81.0

winpmem

Website: https://github.com/velocidex/WinPmem
Description: Memory acquisition tool
Author: Mike Cohen (scudette)
License: Apache License v2 (https://github.com/Velocidex/WinPmem/blob/master/LICENSE)
Version: 4.0.rc2
Notes: Acquisition loads a kernel driver, so it must be run with administrator rights.

WLEAPP

Website: https://github.com/abrignoni/wleapp
Description: Windows Logs, Events and Properties Parser
Author: Alexis Brignoni
License: MIT License (https://github.com/abrignoni/WLEAPP/blob/main/LICENSE)
Version: 0.1

WMI Parser

Website: https://github.com/woanware/wmi-parser
Description: Parses the WMI object database for persistence
Author: Mark Woan
License: Unknown
Version: 0.0.2
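Worked example for the WMI persistence check. This is added here and is not wmi-parser's own code: wmi-parser reads the offline OBJECTS.DATA store, whereas this script queries the same three object types (__EventFilter, the consumer classes, __FilterToConsumerBinding) from the root\subscription namespace of a running host, which is the live-response counterpart. The only assumption beyond the page is the allow-list: "SCM Event Log Filter" is the one binding Windows ships with, so every other binding is flagged for review.

```powershell
#Requires -RunAsAdministrator
<#
  Added example, not code from wmi-parser: list WMI permanent event subscriptions on a
  live host. A WMI persistence implant needs all three pieces, an __EventFilter (the
  trigger), a consumer (the payload) and a __FilterToConsumerBinding joining them, so
  the report is driven by the bindings.
  Assumption (not from the page): "SCM Event Log Filter" is the only binding Windows
  ships by default; everything else is marked Review = True.
#>
$ns = 'root\subscription'

# Reference properties come back as a CimInstance (Get-CimInstance) or as a
# 'Class.Name="..."' string (Get-WmiObject style); accept both forms.
function Get-RefName {
    param($Ref)
    if ($Ref -is [Microsoft.Management.Infrastructure.CimInstance]) { return $Ref.Name }
    if ("$Ref" -match 'Name="([^"]+)"') { return $Matches[1] }
    return "$Ref"
}

# Pull out the part of a consumer that actually runs when its filter fires.
function Get-ConsumerPayload {
    param($Consumer)
    if (-not $Consumer) { return '<consumer object missing>' }
    switch ($Consumer.CimClass.CimClassName) {
        'CommandLineEventConsumer'  { return "$($Consumer.ExecutablePath) $($Consumer.CommandLineTemplate)".Trim() }
        'ActiveScriptEventConsumer' {
            if ($Consumer.ScriptFileName) { return "$($Consumer.ScriptingEngine): $($Consumer.ScriptFileName)" }
            return "$($Consumer.ScriptingEngine): $($Consumer.ScriptText)"
        }
        'LogFileEventConsumer'      { return "writes log file $($Consumer.Filename)" }
        'NTEventLogEventConsumer'   { return "writes event log entry, source $($Consumer.SourceName)" }
        default                     { return '' }
    }
}

$knownGoodFilters = @('SCM Event Log Filter')

$filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
# Querying the __EventConsumer base class returns every consumer subtype.
$consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)
$bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

$report = foreach ($b in $bindings) {
    $filterName   = Get-RefName $b.Filter
    $consumerName = Get-RefName $b.Consumer
    $f = $filters   | Where-Object Name -eq $filterName   | Select-Object -First 1
    $c = $consumers | Where-Object Name -eq $consumerName | Select-Object -First 1

    [pscustomobject]@{
        Filter       = $filterName
        Query        = $f.Query          # WQL trigger, e.g. a timer or a process-start event
        Consumer     = $consumerName
        ConsumerType = $c.CimClass.CimClassName
        Payload      = Get-ConsumerPayload $c
        Review       = -not ($knownGoodFilters -contains $filterName)
    }
}

$report | Format-List

# Filters and consumers with no binding are inert today but are still artifacts worth
# recording: an attacker may bind them later, or a binding may have been removed.
$boundFilters   = @($report.Filter)
$boundConsumers = @($report.Consumer)
$filters   | Where-Object { $boundFilters   -notcontains $_.Name } |
    ForEach-Object { "Unbound filter:   $($_.Name)  [$($_.Query)]" }
$consumers | Where-Object { $boundConsumers -notcontains $_.Name } |
    ForEach-Object { "Unbound consumer: $($_.Name)  [$($_.CimClass.CimClassName)]" }
```

The live query only shows objects the WMI repository currently holds; deleted subscriptions can survive as slack in OBJECTS.DATA, which is where an offline parser such as wmi-parser earns its place alongside this check.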

Zimmerman Tools

Website: https://ericzimmerman.github.io
Description: Suite of forensic tools
Author: Eric Zimmerman
License: MIT License (https://github.com/EricZimmerman/Issues/blob/master/LICENSE)
Version: 2021-01-22