Windows Analysis
Tools to conduct forensic analysis on various Windows artifacts
Website: Original (https://github.com/williballenthin/python-registry)
Description: AmCache Registry Hive Parser
Author: Willi Ballenthin and Corey Forman
License: Apache License 2.0 (https://github.com/williballenthin/python-registry/blob/master/LICENSE.TXT)
Version: 2.0
Notes: This version has been modified from the original, and is not stored online at this time
Website: https://github.com/woanware/autorunner
Description: Checks for autorun applications on Windows
Author: Mark Woan
License: Public Domain
Version: 0.0.16
Notes:
Website: https://github.com/andreafortuna/autotimeliner
Description: Timeline generator using Sleuthkit and Volatility
Author: Andrea Fortuna
License: MIT License (https://github.com/andreafortuna/autotimeliner/blob/master/LICENSE)
Version: 1.1.0
Notes:
Website: https://github.com/digitalsleuth/bitsparser
Description: A python tool to parse Windows BITS database files
Author: Corey Forman / FireEye
License: Apache License v2.0 (https://github.com/digitalsleuth/BitsParser/blob/master/LICENSE)
Version: 1.0
Notes:
Website: https://github.com/ANSSI-FR/bmc-tools
Description: Parse Bitmap Cache RDP files
Author: ANSSI-FR
License: CeCILL Free Software License Agreement v2.1 (https://github.com/ANSSI-FR/bmc-tools/blob/master/LICENCE.txt)
Version: 3.00
Notes:
Website: https://eventlogxp.com/
Description: Windows Event Log Parser
Author: FSPro
License: Multiple (https://eventlogxp.com/order.html)
Version: 5.3
Notes: 30 Day Trial
Website: https://github.com/obsidianforensics/hindsight
Description: Web-based Chromium Browser artifact parser (Chrome origins)
Author: Obsidian Forensics
License: Apache v2.0 (https://github.com/obsidianforensics/hindsight/blob/master/LICENSE.md)
Version: 2021.12
Notes:
Website: https://github.com/davehull/kansa
Description: PowerShell Incident Response Framework
Author: Dave Hull
License: Apache License v2.0 (https://github.com/davehull/Kansa/blob/master/LICENSE)
Version: 18NOV2022 (No defined version)
Notes:
Website: https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape
Description: Incident Response Artifact Parser and Extractor
Author: Eric Zimmerman / Kroll
License: https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape
Version: 1.3.0.2
Notes:
Website: https://github.com/jschicht/LogFileParser
Description: NTFS $LogFile Parser
Author: Joakim Schicht
License: MIT (https://github.com/jschicht/LogFileParser/blob/master/LICENSE.md)
Version: 2.0.0.49
Notes:
Website: https://magnetforensics.com
Description: Windows memory capture utility
Author: Magnet Forensics
License: EULA
Version: 1.2.0
Notes:
Website: https://github.com/kacos2000/MFT_Browser
Description: Graphical MFT Browser utility
Author: Costas K.
License: MIT License (https://github.com/kacos2000/MFT_Browser/blob/master/LICENSE)
Version: 0.0.68.0
Notes:
Website: https://mitec.cz
Description: Suite of Windows-based analysis tools
Author: Michal Mutl (mitec)
License: Free to use for private, educational and non-commercial purposes
Version: Various
Notes:
Website: https://nirsoft.net
Description: Suite of various Windows Analysis Tools
Author: Nir Sofer
License:
Version: 1.23.65
Notes:
Website: https://sites.google.com/site/forensicnote/ntfs-log-tracker
Description: NTFS $LogFile, $UsnJrnl:$J parser
Author: Junghoon Oh (blueangel)
License:
Version: 1.71
Notes:
Website: https://github.com/digitalsleuth/forensics_tools
Description: Rapid triage tool using Windows in-built binaries
Author: Corey Forman (digitalsleuth)
License: GNU General Public License v3 (https://github.com/digitalsleuth/forensics_tools/blob/master/LICENSE)
Version: 2.4
Notes:
Website: https://www.shadowexplorer.com
Description: Windows Volume Shadow Copy viewer
Author: ShadowExplorer
License:
Version: 0.9.462.0
Notes:
Website: https://github.com/mandiant/SilkETW
Description: Wrapper for ETW (Event Tracing for Windows)
Author: Mandiant
License: Apache License v2 (https://github.com/mandiant/SilkETW/raw/master/LICENSE.txt) 3rd-party license (https://github.com/mandiant/SilkETW/blob/master/LICENSE-3RD-PARTY.txt)
Version: 0.8
Notes: Sample Usage - https://www.mandiant.com/resources/blog/silketw-because-free-telemetry-is-free
Website: https://github.com/MarkBaggett/srum-dump
Description: Tool to analyze data in the Windows System Resource Usage Monitor database
Author: Mark Baggett
License: GNU General Public License v3 (https://github.com/MarkBaggett/srum-dump/blob/master/LICENSE)
Version: 2.4
Notes:
Website: https://sysinternals.com
Description: Suite of Windows Analysis and Management Tools
Author: Microsoft / Mark Russinovich
License: https://learn.microsoft.com/en-us/sysinternals/license-terms
Version: 2023.01.25 (date of last update - no specific version number identified)
Notes:
Website: https://github.com/sleuthkit/sleuthkit/
Description: Library and collection of command line DFIR tools
Author: Brian Carrier
License: Multiple Licenses (https://www.sleuthkit.org/sleuthkit/licenses.php)
Version: 4.12.0
Notes:
Website: https://thumbcacheviewer.github.io/
Description: Windows Thumbnail Cache parser
Author: Eric Kutcher
License: GNU General Public License v3.0 (identified within program)
Version: 1.0.3.7
Notes:
Website: https://github.com/digitalsleuth/usbdeviceforensics
Description: Track a USB device throughout a Windows system
Author: Corey Forman / Mark Woan
License: Public Domain
Version: 1.0.0
Notes:
Website: https://docs.velociraptor.app/
Description: DFIR live acquisition tool
Author: Mike Cohen (scudette)
License: GNU Affero General Public License v3 (https://github.com/Velocidex/velociraptor/blob/master/LICENSE)
Version: 0.6.7-5
Notes:
Website: https://github.com/volatilityfoundation/volatility
Description: Memory analysis toolset
Author: https://github.com/volatilityfoundation/volatility/blob/master/AUTHORS.txt
License: GNU General Public License v2 (https://github.com/volatilityfoundation/volatility/blob/master/LICENSE.txt)
Version: 2
Notes:
Website: https://github.com/volatilityfoundation/volatility3
Description: Memory analysis toolset
Author: Volatility Foundation
License: Volatility Software License (https://www.volatilityfoundation.org/license/vsl-v1.0)
Version: 3
Notes:
Website: https://github.com/digitalsleuth/forensics_tools
Description: Windows Batch script to work with and mount Volume Shadow Copies
Author: Corey Forman (digitalsleuth)
License: GNU General Public License v3 (https://github.com/digitalsleuth/forensics_tools/blob/master/LICENSE)
Version: 2.0
Notes:
Website: https://github.com/kacos2000/WindowsTimeline
Description: Windows Timeline / Activities Cache parser
Author: Costas K.
License: Mozilla Public License v2.0 (https://github.com/kacos2000/WindowsTimeline/blob/master/LICENSE)
Version: 2.0.81.0
Notes:
Website: https://github.com/velocidex/WinPmem
Description: Memory Acquisition Tool
Author: Mike Cohen (scudette)
License: Apache License v2 (https://github.com/Velocidex/WinPmem/blob/master/LICENSE)
Version: 4.0.rc2
Notes:
Website: https://github.com/abrignoni/wleapp
Description: Windows Logs Events and Properties Parser
Author: Alexis Brignoni
License: MIT License (https://github.com/abrignoni/WLEAPP/blob/main/LICENSE)
Version: 0.1
Notes:
Website: https://github.com/woanware/wmi-parser
Description: Parse the WMI object database for persistence
Author: Mark Woan
License: Unknown
Version: 0.0.2
Notes:
Website: https://ericzimmerman.github.io
Description: Suite of Forensic Tools
Author: Eric Zimmerman
License: MIT License (https://github.com/EricZimmerman/Issues/blob/master/LICENSE)
Version: 2021-01-22
Notes: