# Windows Analysis

### amcache.py

Website: Original (<https://github.com/williballenthin/python-registry>)\
Description: AmCache Registry Hive Parser\
Author: Willi Ballenthin and Corey Forman\
License: Apache License 2.0 (<https://github.com/williballenthin/python-registry/blob/master/LICENSE.TXT>)\
Version: 2.0\
Notes: This version has been modified from the original and is not stored online at this time

### Autorunner

Website: <https://github.com/woanware/autorunner>\
Description: Checks for autorun applications on Windows\
Author: Mark Woan\
License: Public Domain\
Version: 0.0.16\
Notes:

### autotimeliner

Website: <https://github.com/andreafortuna/autotimeliner>\
Description: Timeline generator using Sleuthkit and Volatility\
Author: Andrea Fortuna\
License: MIT License (<https://github.com/andreafortuna/autotimeliner/blob/master/LICENSE>)\
Version: 1.1.0\
Notes:

### bitsparser

Website: <https://github.com/digitalsleuth/bitsparser>\
Description: A Python tool to parse Windows BITS (Background Intelligent Transfer Service) database files\
Author: Corey Forman / FireEye\
License: Apache License v2.0 (<https://github.com/digitalsleuth/BitsParser/blob/master/LICENSE>)\
Version: 1.0\
Notes:

### bmc-tools

Website: <https://github.com/ANSSI-FR/bmc-tools>\
Description: Parses RDP bitmap cache files (the client-side cache of screen fragments from remote sessions)\
Author: ANSSI-FR\
License: CeCILL Free Software License Agreement v2.1 (<https://github.com/ANSSI-FR/bmc-tools/blob/master/LICENCE.txt>)\
Version: 3.02\
Notes:

### Hibernation-Recon

Website: <https://arsenalrecon.com>\
Description: Tool to parse a Windows hibernation file (hiberfil.sys)\
Author: Arsenal Recon\
License: EULA\
Version: 1.2.2.86\
Notes: Available, but not installed by default

### Hindsight

Website: <https://github.com/obsidianforensics/hindsight>\
Description: Chromium-based browser history and artifact parser (Chrome, Edge and other Chromium derivatives), with web and command-line interfaces\
Author: Obsidian Forensics\
License: Apache v2.0 (<https://github.com/obsidianforensics/hindsight/blob/master/LICENSE.md>)\
Version: 2023.03\
Notes:

### Kansa

Website: <https://github.com/davehull/kansa>\
Description: PowerShell Incident Response Framework\
Author: Dave Hull\
License: Apache License v2.0 (<https://github.com/davehull/Kansa/blob/master/LICENSE>)\
Version: 18NOV2022 (no defined version; date of last update)\
Notes:

### kape

Website: <https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape>\
Description: Incident Response Artifact Parser and Extractor\
Author: Eric Zimmerman / Kroll\
License: <https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape>\
Version: 1.3.0.2\
Notes:

### Live Response Collection (Cedarpelta)

Website: <https://www.brimorlabs.com/tools/>\
Description: Automated live-response collection scripts for volatile data and forensic artifacts from a running system\
Author: Brian Moran\
License: GNU General Public License v3.0 (see COPYING in zip file)\
Version: Cedarpelta - 20190905\
Notes: Also does macOS and Linux collection

### LogFileParser

Website: <https://github.com/jschicht/LogFileParser>\
Description: NTFS $LogFile Parser\
Author: Joakim Schicht\
License: MIT (<https://github.com/jschicht/LogFileParser/blob/master/LICENSE.md>)\
Version: 2.0.0.50\
Notes:

### MFT Browser

Website: <https://github.com/kacos2000/MFT_Browser>\
Description: Graphical MFT Browser utility\
Author: Costas K.\
License: MIT License (<https://github.com/kacos2000/MFT_Browser/blob/master/LICENSE>)\
Version: 1.0.72.0\
Notes:

### Mimikatz

Website: <https://github.com/gentilkiwi/mimikatz>\
Description: Windows credential extraction tool (plaintext passwords, NTLM hashes and Kerberos tickets from memory, including LSASS)\
Author: Benjamin Delpy\
License: Creative Commons BY 4.0\
Version: 2.2.0-20220919\
Notes: Flagged as malware by Microsoft Defender; a Defender exclusion for the install folder is added during install, so that folder is unscanned and should be treated accordingly

### MiTeC Tool Suite

Website: <https://mitec.cz>\
Description: Suite of Windows-based analysis tools\
Author: Michal Mutl (mitec)\
License: Free to use for private, educational and non-commercial purposes\
Version: Various\
Notes:

### Nirsoft

Website: <https://nirsoft.net>\
Description: Suite of various Windows Analysis Tools\
Author: Nir Sofer\
License: Freeware (see the license section of each utility's readme)\
Version: 1.30.6\
Notes:

### NTFS Log Tracker

Website: <https://sites.google.com/site/forensicnote/ntfs-log-tracker>\
Description: NTFS $LogFile, $UsnJrnl:$J parser\
Author: Junghoon Oh (blueangel)\
License:\
Version: 1.71\
Notes:

### OneDriveExplorer

Website: <https://github.com/Beercow/OneDriveExplorer>\
Description: Command-line and GUI tool that reconstructs the OneDrive folder structure from the client's <UserCid>.dat settings file\
Author: Brian Maloney\
License: MIT License (<https://github.com/Beercow/OneDriveExplorer/blob/master/LICENSE>)\
Version: 2023.09.22\
Notes:

### Shadow Explorer

Website: <https://www.shadowexplorer.com>\
Description: Windows Volume Shadow Copy viewer\
Author: ShadowExplorer\
License:\
Version: 0.9.462.0\
Notes:

### SilkETW

Website: <https://github.com/mandiant/SilkETW>\
Description: C# wrapper for ETW (Event Tracing for Windows) that collects events from a chosen provider and writes them out as JSON (file, URL or Windows Event Log), with optional Yara filtering\
Author: Mandiant\
License: Apache License v2 (<https://github.com/mandiant/SilkETW/raw/master/LICENSE.txt>); 3rd-party license (<https://github.com/mandiant/SilkETW/blob/master/LICENSE-3RD-PARTY.txt>)\
Version: 0.8\
Notes: Sample usage: <https://www.mandiant.com/resources/blog/silketw-because-free-telemetry-is-free>

### srum-dump

Website: <https://github.com/MarkBaggett/srum-dump>\
Description: Tool to analyze data in the Windows System Resource Usage Monitor (SRUM) database\
Author: Mark Baggett\
License: GNU General Public License v3 (<https://github.com/MarkBaggett/srum-dump/blob/master/LICENSE>)\
Version: 2.5\
Notes:

### Sysinternals

Website: <https://sysinternals.com>\
Description: Suite of Windows Analysis and Management Tools\
Author: Microsoft / Mark Russinovich\
License: <https://learn.microsoft.com/en-us/sysinternals/license-terms>\
Version: 2023.11.13 (date of last update; no specific suite version number identified)\
Notes:

### The Sleuth Kit

Website: <https://github.com/sleuthkit/sleuthkit/>\
Description: Library and collection of command line DFIR tools\
Author: Brian Carrier\
License: Multiple Licenses (<https://www.sleuthkit.org/sleuthkit/licenses.php>)\
Version: 4.12.1\
Notes:

### ThumbCache Viewer

Website: <https://thumbcacheviewer.github.io/>\
Description: Windows Thumbnail Cache parser\
Author: Eric Kutcher\
License: GNU General Public License v3.0 (identified within program)\
Version: 1.0.3.9\
Notes:

### USB Detective

Website: <https://usbdetective.com>\
Description: Windows USB analysis tool\
Author: Jason Hale\
License: Software License Agreement (<https://usbdetective.com/docs/usbdla.pdf>)\
Version: 1.6.3\
Notes: Available, but not installed by default

### usbdeviceforensics

Website: <https://github.com/digitalsleuth/usbdeviceforensics>\
Description: Track a USB device throughout a Windows system\
Author: Corey Forman / Mark Woan\
License: Public Domain\
Version: 1.0.0\
Notes:

### USN Journal Parser

Website: <https://github.com/digitalsleuth/USN-Journal-Parser>\
Description: Updated version of PoorBillionaire's USN-Journal-Parser; parses NTFS change journal ($UsnJrnl:$J) records\
Author: Corey Forman / Adam Witt\
License: MIT License (<https://github.com/digitalsleuth/USN-Journal-Parser/blob/main/LICENSE>)\
Version: 5.0.0\
Notes: Commands: usn, usn.py
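For readers who want to see what a $UsnJrnl:$J parser actually does with the bytes, the following is an added example written for this page; it is not code from USN-Journal-Parser or from any tool listed here. It walks a buffer of USN_RECORD_V2 entries (the structure Microsoft documents for the NTFS change journal), decodes the FILETIME and Reason bitmask, and splits the file reference number into MFT entry and sequence numbers. The journal fragment it parses is constructed inline (a file created, written, then renamed) and includes a zero-filled gap to show how sparse regions are skipped; no real volume data is involved.

```python
"""Minimal $UsnJrnl:$J record parser (USN_RECORD_V2).

Added example for this catalogue entry; it is not code from
USN-Journal-Parser. The layout follows Microsoft's documented
USN_RECORD_V2 structure; the journal bytes below are constructed here,
not captured from a real volume.
"""
import struct
from datetime import datetime, timedelta, timezone

# Subset of the documented USN_REASON_* flags, keyed by bit value.
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x00008000: "BASIC_INFO_CHANGE",
    0x80000000: "CLOSE",
}

# USN_RECORD_V2 fixed part (60 bytes, little-endian): RecordLength,
# MajorVersion, MinorVersion, FileReferenceNumber, ParentFileReferenceNumber,
# Usn, TimeStamp (FILETIME), Reason, SourceInfo, SecurityId, FileAttributes,
# FileNameLength, FileNameOffset.  The UTF-16LE FileName follows.
HEADER = struct.Struct("<IHHQQQQIIIIHH")
HEADER_SIZE = HEADER.size  # 60
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10


def reason_names(flags):
    """Decode a Reason bitmask into names, keeping unknown bits visible."""
    known = 0
    for bit in USN_REASONS:
        known |= bit
    names = [name for bit, name in sorted(USN_REASONS.items()) if flags & bit]
    if flags & ~known:
        names.append("UNKNOWN_0x%08x" % (flags & ~known))
    return names


def split_frn(frn):
    """File reference number -> (MFT entry number, sequence number)."""
    return frn & 0xFFFFFFFFFFFF, frn >> 48


def parse_records(buf):
    """Yield one dict per USN_RECORD_V2 in buf.

    Zero-filled gaps (sparse regions of $J) are skipped 8 bytes at a time;
    a truncated or non-V2 record ends the walk instead of reading past buf.
    """
    off = 0
    while off + HEADER_SIZE <= len(buf):
        (rec_len, major, _minor, frn, parent, usn, ts, reason, _src, _sid,
         attrs, name_len, name_off) = HEADER.unpack_from(buf, off)
        if rec_len == 0:
            off += 8
            continue
        if major != 2 or rec_len < HEADER_SIZE or off + rec_len > len(buf):
            break
        if name_off + name_len > rec_len:
            break
        name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le", "replace")
        entry, seq = split_frn(frn)
        yield {
            "usn": usn,
            "timestamp": filetime_to_datetime(ts),
            "entry": entry,
            "sequence": seq,
            "parent_entry": split_frn(parent)[0],
            "reasons": reason_names(reason),
            "attributes": attrs,
            "filename": name,
        }
        off += rec_len


def build_record(usn, frn, parent, when, reason, name, attrs=0x20):
    """Serialise one USN_RECORD_V2 (used only to construct the sample)."""
    name_b = name.encode("utf-16-le")
    rec_len = HEADER_SIZE + len(name_b)
    rec_len += (-rec_len) % 8  # records are 8-byte aligned
    hdr = HEADER.pack(rec_len, 2, 0, frn, parent, usn, datetime_to_filetime(when),
                      reason, 0, 0, attrs, len(name_b), HEADER_SIZE)
    return hdr + name_b + b"\x00" * (rec_len - HEADER_SIZE - len(name_b))


def parse_journal_sample():
    """Constructed $J fragment: a file is created, written, then renamed."""
    frn = (3 << 48) | 41          # MFT entry 41, sequence 3
    root = (5 << 48) | 5          # root directory is MFT entry 5
    t0 = datetime(2023, 11, 13, 12, 0, 0, tzinfo=timezone.utc)
    sample = b"".join([
        build_record(2048, frn, root, t0, 0x80000100, "evil.exe"),
        build_record(2128, frn, root, t0 + timedelta(seconds=1), 0x80000002, "evil.exe"),
        b"\x00" * 16,  # zero-fill, as seen at sparse boundaries in $J
        build_record(2224, frn, root, t0 + timedelta(seconds=5), 0x00001000, "evil.exe"),
        build_record(2304, frn, root, t0 + timedelta(seconds=5), 0x80002000, "svchost.exe"),
    ])
    return list(parse_records(sample))


if __name__ == "__main__":
    for rec in parse_journal_sample():
        print(rec["timestamp"].isoformat(), rec["usn"], rec["entry"],
              rec["filename"], "|".join(rec["reasons"]))
```

The rename shows why both RENAME_OLD_NAME and RENAME_NEW_NAME records matter: they share the same MFT entry and sequence number but carry different names, which is how a tool ties the dropped file to the name it was given afterwards. On a real $J the parser would be fed the extracted stream (or a carved copy) rather than the constructed bytes above, and a USN that does not match the record's offset in the file is itself a sign of a carved or damaged journal.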

### Velociraptor

Website: <https://docs.velociraptor.app/>\
Description: DFIR live acquisition tool\
Author: Mike Cohen (scudette)\
License: GNU Affero General Public License v3 (<https://github.com/Velocidex/velociraptor/blob/master/LICENSE>)\
Version: 0.7.0-3\
Notes:

### Volatility

Website: <https://github.com/volatilityfoundation/volatility>\
Description: Memory analysis toolset (legacy Python 2 code base)\
Author: <https://github.com/volatilityfoundation/volatility/blob/master/AUTHORS.txt>\
License: GNU General Public License v2 (<https://github.com/volatilityfoundation/volatility/blob/master/LICENSE.txt>)\
Version: 2\
Notes:

### Volatility3

Website: <https://github.com/volatilityfoundation/volatility3>\
Description: Memory analysis toolset\
Author: Volatility Foundation\
License: Volatility Software License (<https://www.volatilityfoundation.org/license/vsl-v1.0>)\
Version: 3\
Notes:

### Volatility Workbench

Website: <https://www.osforensics.com/tools/volatility-workbench.html>\
Description: Windows-based GUI for the Volatility 3 Framework\
Author: OSForensics\
License: Volatility Software License (<https://www.volatilityfoundation.org/license/vsl-v1.0>)\
Version: 3.0.1006\
Notes:

### vssmount

Website: <https://github.com/digitalsleuth/forensics_tools>\
Description: Windows batch script to work with and mount Volume Shadow Copies\
Author: Corey Forman (digitalsleuth)\
License: GNU General Public License v3 (<https://github.com/digitalsleuth/forensics_tools/blob/master/LICENSE>)\
Version: 2.0\
Notes:

### Windows Timeline

Website: <https://github.com/kacos2000/WindowsTimeline>\
Description: Windows Timeline / Activities Cache (ActivitiesCache.db) parser\
Author: Costas K.\
License: Mozilla Public License v2.0 (<https://github.com/kacos2000/WindowsTimeline/blob/master/LICENSE>)\
Version: 2.0.82.0\
Notes:

### WLEAPP

Website: <https://github.com/abrignoni/wleapp>\
Description: Windows Logs Events and Properties Parser\
Author: Alexis Brignoni\
License: MIT License (<https://github.com/abrignoni/WLEAPP/blob/main/LICENSE>)\
Version: 0.1\
Notes:

### WMI Parser

Website: <https://github.com/woanware/wmi-parser>\
Description: Parses the WMI repository (OBJECTS.DATA) for persistence artifacts such as event filters, consumers and their bindings\
Author: Mark Woan\
License: Unknown\
Version: 0.0.2\
Notes:

### Zimmerman Tools

Website: <https://ericzimmerman.github.io>\
Description: Suite of Forensic Tools\
Author: Eric Zimmerman\
License: MIT License (<https://github.com/EricZimmerman/Issues/blob/master/LICENSE>)\
Version: 2023-05-18\
Notes:
