Windows Analysis

Tools to conduct forensic analysis on various Windows artifacts

amcache.py

Website: Original (https://github.com/williballenthin/python-registry)
Description: AmCache Registry Hive Parser
Author: Willi Ballenthin and Corey Forman
License: Apache License 2.0 (https://github.com/williballenthin/python-registry/blob/master/LICENSE.TXT)
Version: 2.0
Notes: This version has been modified from the original, and is not stored online at this time

Autorunner

Website: https://github.com/woanware/autorunner
Description: Checks for autorun applications on Windows
Author: Mark Woan
License: Public Domain
Version: 0.0.16
Notes:

autotimeliner

Website: https://github.com/andreafortuna/autotimeliner
Description: Timeline generator using Sleuthkit and Volatility
Author: Andrea Fortuna
License: MIT License (https://github.com/andreafortuna/autotimeliner/blob/master/LICENSE)
Version: 1.1.0
Notes:

bitsparser

Website: https://github.com/digitalsleuth/bitsparser
Description: A Python tool to parse Windows BITS database files
Author: Corey Forman / FireEye
License: Apache License v2.0 (https://github.com/digitalsleuth/BitsParser/blob/master/LICENSE)
Version: 1.0
Notes:

bmc-tools

Website: https://github.com/ANSSI-FR/bmc-tools
Description: Parse Bitmap Cache RDP files
Author: ANSSI-FR
License: CeCILL Free Software License Agreement v2.1 (https://github.com/ANSSI-FR/bmc-tools/blob/master/LICENCE.txt)
Version: 3.02
Notes:

Hibernation-Recon

Website: https://arsenalrecon.com
Description: Tool to parse a Windows hibernation file
Author: Arsenal Recon
License: EULA
Version: 1.2.2.86
Notes: Available, but not installed by default

Hindsight

Website: https://github.com/obsidianforensics/hindsight
Description: Web-based Chromium Browser artifact parser (Chrome origins)
Author: Obsidian Forensics
License: Apache v2.0 (https://github.com/obsidianforensics/hindsight/blob/master/LICENSE.md)
Version: 2023.03
Notes:

Kansa

Website: https://github.com/davehull/kansa
Description: PowerShell Incident Response Framework
Author: Dave Hull
License: Apache License v2.0 (https://github.com/davehull/Kansa/blob/master/LICENSE)
Version: 18NOV2022 (No defined version)
Notes:

kape

Website: https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape
Description: Incident Response Artifact Parser and Extractor
Author: Eric Zimmerman / Kroll
License: https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape
Version: 1.3.0.2
Notes:

Live Response Collection (Cedarpelta)

Website: https://www.brimorlabs.com/tools/
Description: Incident Response Artifact Parser and Extractor
Author: Brian Moran
License: GNU General Public License v3.0 (see COPYING in zip file)
Version: Cedarpelta - 20190905
Notes: Also does macOS and Linux collection

LogFileParser

Website: https://github.com/jschicht/LogFileParser
Description: NTFS $LogFile Parser
Author: Joakim Schicht
License: MIT (https://github.com/jschicht/LogFileParser/blob/master/LICENSE.md)
Version: 2.0.0.50
Notes:

MFT Browser

Website: https://github.com/kacos2000/MFT_Browser
Description: Graphical MFT Browser utility
Author: Costas K.
License: MIT License (https://github.com/kacos2000/MFT_Browser/blob/master/LICENSE)
Version: 1.0.72.0
Notes:

Mimikatz

Website: https://github.com/gentilkiwi/mimikatz
Description: Windows-based hash extraction tool
Author: Benjamin Delpy
License: Creative Commons BY 4.0
Version: 2.2.0-20220919
Notes: Detects as a virus in Windows - Exclusion gets added during install

MiTeC Tool Suite

Website: https://mitec.cz
Description: Suite of Windows-based analysis tools
Author: Michal Mutl (mitec)
License: Free to use for private, educational and non-commercial purposes
Version: Various
Notes:

Nirsoft

Website: https://nirsoft.net
Description: Suite of various Windows Analysis Tools
Author: Nir Sofer
License:
Version: 1.30.6
Notes:

NTFS Log Tracker

Website: https://sites.google.com/site/forensicnote/ntfs-log-tracker
Description: NTFS $LogFile, $UsnJrnl:$J parser
Author: Junghoon Oh (blueangel)
License:
Version: 1.71
Notes:

OneDriveExplorer

Website: https://github.com/Beercow/OneDriveExplorer
Description: Command-line and GUI tool for viewing OneDrive folder structure
Author: Brian Maloney
License: MIT License (https://github.com/Beercow/OneDriveExplorer/blob/master/LICENSE)
Version: 2023.09.22
Notes:

Shadow Explorer

Website: https://www.shadowexplorer.com
Description: Windows Volume Shadow Copy viewer
Author: ShadowExplorer
License:
Version: 0.9.462.0
Notes:

SilkETW

Website: https://github.com/mandiant/SilkETW
Description: Wrapper for ETW (Event Tracing for Windows)
Author: Mandiant
License: Apache License v2 (https://github.com/mandiant/SilkETW/raw/master/LICENSE.txt); 3rd-party license (https://github.com/mandiant/SilkETW/blob/master/LICENSE-3RD-PARTY.txt)
Version: 0.8
Notes: Sample Usage - https://www.mandiant.com/resources/blog/silketw-because-free-telemetry-is-free

srum-dump

Website: https://github.com/MarkBaggett/srum-dump
Description: Tool to analyze data in the Windows System Resource Usage Monitor database
Author: Mark Baggett
License: GNU General Public License v3 (https://github.com/MarkBaggett/srum-dump/blob/master/LICENSE)
Version: 2.5
Notes:

Sysinternals

Website: https://sysinternals.com
Description: Suite of Windows Analysis and Management Tools
Author: Microsoft / Mark Russinovich
License: https://learn.microsoft.com/en-us/sysinternals/license-terms
Version: 2023.11.13 (date of last update - no specific version number identified)
Notes:

The Sleuth Kit

Website: https://github.com/sleuthkit/sleuthkit/
Description: Library and collection of command line DFIR tools
Author: Brian Carrier
License: Multiple Licenses (https://www.sleuthkit.org/sleuthkit/licenses.php)
Version: 4.12.1
Notes:

ThumbCache Viewer

Website: https://thumbcacheviewer.github.io/
Description: Windows Thumbnail Cache parser
Author: Eric Kutcher
License: GNU General Public License v3.0 (identified within program)
Version: 1.0.3.9
Notes:

USB Detective

Website: https://usbdetective.com
Description: Windows USB analysis tool
Author: Jason Hale
License: Software License Agreement (https://usbdetective.com/docs/usbdla.pdf)
Version: 1.6.3
Notes: Available, but not installed by default

usbdeviceforensics

Website: https://github.com/digitalsleuth/usbdeviceforensics
Description: Track a USB device throughout a Windows system
Author: Corey Forman / Mark Woan
License: Public Domain
Version: 1.0.0
Notes:

USN Journal Parser

Website: https://github.com/digitalsleuth/USN-Journal-Parser
Description: Updated version of PoorBillionaire's USN-Journal-Parser
Author: Corey Forman / Adam Witt
License: MIT License (https://github.com/digitalsleuth/USN-Journal-Parser/blob/main/LICENSE)
Version: 5.0.0
Notes: Commands: usn, usn.py

Velociraptor

Website: https://docs.velociraptor.app/
Description: DFIR live acquisition tool
Author: Mike Cohen (scudette)
License: GNU Affero General Public License v3 (https://github.com/Velocidex/velociraptor/blob/master/LICENSE)
Version: 0.7.0-3
Notes:

Volatility

Website: https://github.com/volatilityfoundation/volatility
Description: Memory analysis toolset
Author: https://github.com/volatilityfoundation/volatility/blob/master/AUTHORS.txt
License: GNU General Public License v2 (https://github.com/volatilityfoundation/volatility/blob/master/LICENSE.txt)
Version: 2
Notes:

Volatility3

Website: https://github.com/volatilityfoundation/volatility3
Description: Memory analysis toolset
Author: Volatility Foundation
License: Volatility Software License (https://www.volatilityfoundation.org/license/vsl-v1.0)
Version: 3
Notes:

Volatility Workbench

Website: https://www.osforensics.com/tools/volatility-workbench.html
Description: Windows-based GUI for the Volatility 3 Framework
Author: OSForensics
License: Volatility Software License (https://www.volatilityfoundation.org/license/vsl-v1.0)
Version: 3.0.1006
Notes:

vssmount

Website: https://github.com/digitalsleuth/forensics_tools
Description: Windows Batch script to work with and mount Volume Shadow Copies
Author: Corey Forman (digitalsleuth)
License: GNU General Public License v3 (https://github.com/digitalsleuth/forensics_tools/blob/master/LICENSE)
Version: 2.0
Notes:

Windows Timeline

Website: https://github.com/kacos2000/WindowsTimeline
Description: Windows Timeline / Activities Cache parser
Author: Costas K.
License: Mozilla Public License v2.0 (https://github.com/kacos2000/WindowsTimeline/blob/master/LICENSE)
Version: 2.0.82.0
Notes:

WLEAPP

Website: https://github.com/abrignoni/wleapp
Description: Windows Logs Events and Properties Parser
Author: Alexis Brignoni
License: MIT License (https://github.com/abrignoni/WLEAPP/blob/main/LICENSE)
Version: 0.1
Notes:

WMI Parser

Website: https://github.com/woanware/wmi-parser
Description: Parse the WMI object database for persistence
Author: Mark Woan
License: Unknown
Version: 0.0.2
Notes:

Zimmerman Tools

Website: https://ericzimmerman.github.io
Description: Suite of Forensic Tools
Author: Eric Zimmerman
License: MIT License (https://github.com/EricZimmerman/Issues/blob/master/LICENSE)
Version: 2023-05-18
Notes:
