# Windows Analysis

### amcache.py

Website: Original (<https://github.com/williballenthin/python-registry>)\
Description: AmCache Registry Hive Parser\
Author: Willi Ballenthin and Corey Forman\
License: Apache License 2.0 (<https://github.com/williballenthin/python-registry/blob/master/LICENSE.TXT>)\
Version: 2.0\
Notes: This version has been modified from the original, and is not stored online at this time

### Autorunner

Website: <https://github.com/woanware/autorunner>\
Description: Checks for autorun applications on Windows\
Author: Mark Woan\
License: Public Domain\
Version: 0.0.16\
Notes:

### autotimeliner

Website: <https://github.com/andreafortuna/autotimeliner>\
Description: Timeline generator using Sleuthkit and Volatility\
Author: Andrea Fortuna\
License: MIT License (<https://github.com/andreafortuna/autotimeliner/blob/master/LICENSE>)\
Version: 1.1.0\
Notes:

### bitsparser

Website: <https://github.com/digitalsleuth/bitsparser>\
Description: A python tool to parse Windows BITS database files\
Author: Corey Forman / FireEye\
License: Apache License v2.0 (<https://github.com/digitalsleuth/BitsParser/blob/master/LICENSE>)\
Version: 1.0\
Notes:

### bmc-tools

Website: <https://github.com/ANSSI-FR/bmc-tools>\
Description: Parse Bitmap Cache RDP files\
Author: ANSSI-FR\
License: CeCILL Free Software License Agreement v2.1 (<https://github.com/ANSSI-FR/bmc-tools/blob/master/LICENCE.txt>)\
Version: 3.02\
Notes:

### Hibernation-Recon

Website: <https://arsenalrecon.com>\
Description: Tool to parse a Windows hibernation file\
Author: Arsenal Recon\
License: EULA\
Version: 1.2.2.86\
Notes: Available, but not installed by default

### Hindsight

Website: <https://github.com/obsidianforensics/hindsight>\
Description: Web-based Chromium Browser artifact parser (Chrome origins)\
Author: Obsidian Forensics\
License: Apache v2.0 (<https://github.com/obsidianforensics/hindsight/blob/master/LICENSE.md>)\
Version: 2023.03\
Notes:

### Kansa

Website: <https://github.com/davehull/kansa>\
Description: PowerShell Incident Response Framework\
Author: Dave Hull\
License: Apache License v2.0 (<https://github.com/davehull/Kansa/blob/master/LICENSE>)\
Version: 18NOV2022 (No defined version)\
Notes:

### kape

Website: <https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape>\
Description: Incident Response Artifact Parser and Extractor\
Author: Eric Zimmerman / Kroll\
License: <https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape>\
Version: 1.3.0.2\
Notes:

### Live Response Collection (Cedarpelta)

Website: <https://www.brimorlabs.com/tools/>\
Description: Incident Response Artifact Parser and Extractor\
Author: Brian Moran\
License: GNU General Public License v3.0 (see COPYING in zip file)\
Version: Cedarpelta - 20190905\
Notes: Also does macOS and Linux collection

### LogFileParser

Website: <https://github.com/jschicht/LogFileParser>\
Description: NTFS $LogFile Parser\
Author: Joakim Schicht\
License: MIT (<https://github.com/jschicht/LogFileParser/blob/master/LICENSE.md>)\
Version: 2.0.0.50\
Notes:

### MFT Browser

Website: <https://github.com/kacos2000/MFT_Browser>\
Description: Graphical MFT Browser utility\
Author: Costas K.\
License: MIT License (<https://github.com/kacos2000/MFT_Browser/blob/master/LICENSE>)\
Version: 1.0.72.0\
Notes:

### Mimikatz

Website: <https://github.com/gentilkiwi/mimikatz>\
Description: Windows-based hash extraction tool\
Author: Benjamin Delpy\
License: Creative Commons BY 4.0\
Version: 2.2.0-20220919\
Notes: Flagged as a virus by Windows; an exclusion is added during install

### MiTeC Tool Suite

Website: <https://mitec.cz>\
Description: Suite of Windows-based analysis tools\
Author: Michal Mutl (mitec)\
License: Free to use for private, educational and non-commercial purposes\
Version: Various\
Notes:

### Nirsoft

Website: <https://nirsoft.net>\
Description: Suite of various Windows Analysis Tools\
Author: Nir Sofer\
License:\
Version: 1.30.6\
Notes:

### NTFS Log Tracker

Website: <https://sites.google.com/site/forensicnote/ntfs-log-tracker>\
Description: NTFS $LogFile, $UsnJrnl:$J parser\
Author: Junghoon Oh (blueangel)\
License:\
Version: 1.71\
Notes:

### OneDriveExplorer

Website: <https://github.com/Beercow/OneDriveExplorer>\
Description: Command-line and GUI tool for viewing OneDrive folder structure\
Author: Brian Maloney\
License: MIT License (<https://github.com/Beercow/OneDriveExplorer/blob/master/LICENSE>)\
Version: 2023.09.22\
Notes:

### Shadow Explorer

Website: <https://www.shadowexplorer.com>\
Description: Windows Volume Shadow Copy viewer\
Author: ShadowExplorer\
License:\
Version: 0.9.462.0\
Notes:

### SilkETW

Website: <https://github.com/mandiant/SilkETW>\
Description: Wrapper for ETW (Event Tracing for Windows)\
Author: Mandiant\
License: Apache License v2 (<https://github.com/mandiant/SilkETW/raw/master/LICENSE.txt>), 3rd-party license (<https://github.com/mandiant/SilkETW/blob/master/LICENSE-3RD-PARTY.txt>)\
Version: 0.8\
Notes: Sample Usage - <https://www.mandiant.com/resources/blog/silketw-because-free-telemetry-is-free>

### srum-dump

Website: <https://github.com/MarkBaggett/srum-dump>\
Description: Tool to analyze data in the Windows System Resource Usage Monitor database\
Author: Mark Baggett\
License: GNU General Public License v3 (<https://github.com/MarkBaggett/srum-dump/blob/master/LICENSE>)\
Version: 2.5\
Notes:

### Sysinternals

Website: <https://sysinternals.com>\
Description: Suite of Windows Analysis and Management Tools\
Author: Microsoft / Mark Russinovich\
License: <https://learn.microsoft.com/en-us/sysinternals/license-terms>\
Version: 2023.11.13 (date of last update - no specific version number identified)\
Notes:

### The Sleuth Kit

Website: <https://github.com/sleuthkit/sleuthkit/>\
Description: Library and collection of command line DFIR tools\
Author: Brian Carrier\
License: Multiple Licenses (<https://www.sleuthkit.org/sleuthkit/licenses.php>)\
Version: 4.12.1\
Notes:

### ThumbCache Viewer

Website: <https://thumbcacheviewer.github.io/>\
Description: Windows Thumbnail Cache parser\
Author: Eric Kutcher\
License: GNU General Public License v3.0 (identified within program)\
Version: 1.0.3.9\
Notes:

### USB Detective

Website: <https://usbdetective.com>\
Description: Windows USB analysis tool\
Author: Jason Hale\
License: Software License Agreement (<https://usbdetective.com/docs/usbdla.pdf>)\
Version: 1.6.3\
Notes: Available, but not installed by default

### usbdeviceforensics

Website: <https://github.com/digitalsleuth/usbdeviceforensics>\
Description: Track a USB device throughout a Windows system\
Author: Corey Forman / Mark Woan\
License: Public Domain\
Version: 1.0.0\
Notes:

### USN Journal Parser

Website: <https://github.com/digitalsleuth/USN-Journal-Parser>\
Description: Updated version of PoorBillionaire's USN-Journal-Parser\
Author: Corey Forman / Adam Witt\
License: MIT License (<https://github.com/digitalsleuth/USN-Journal-Parser/blob/main/LICENSE>)\
Version: 5.0.0\
Notes: Commands: usn, usn.py

### Velociraptor

Website: <https://docs.velociraptor.app/>\
Description: DFIR live acquisition tool\
Author: Mike Cohen (scudette)\
License: GNU Affero General Public License v3 (<https://github.com/Velocidex/velociraptor/blob/master/LICENSE>)\
Version: 0.7.0-3\
Notes:

### Volatility

Website: <https://github.com/volatilityfoundation/volatility>\
Description: Memory analysis toolset\
Author: <https://github.com/volatilityfoundation/volatility/blob/master/AUTHORS.txt>\
License: GNU General Public License v2 (<https://github.com/volatilityfoundation/volatility/blob/master/LICENSE.txt>)\
Version: 2\
Notes:

### Volatility3

Website: <https://github.com/volatilityfoundation/volatility3>\
Description: Memory analysis toolset\
Author: Volatility Foundation\
License: Volatility Software License (<https://www.volatilityfoundation.org/license/vsl-v1.0>)\
Version: 3\
Notes:

### Volatility Workbench

Website: <https://www.osforensics.com/tools/volatility-workbench.html>\
Description: Windows-based GUI for the Volatility 3 Framework\
Author: OSForensics\
License: Volatility Software License (<https://www.volatilityfoundation.org/license/vsl-v1.0>)\
Version: 3.0.1006\
Notes:

### vssmount

Website: <https://github.com/digitalsleuth/forensics_tools>\
Description: Windows Batch script to work with and mount Volume Shadow Copies\
Author: Corey Forman (digitalsleuth)\
License: GNU General Public License v3 (<https://github.com/digitalsleuth/forensics_tools/blob/master/LICENSE>)\
Version: 2.0\
Notes:

### Windows Timeline

Website: <https://github.com/kacos2000/WindowsTimeline>\
Description: Windows Timeline / Activities Cache parser\
Author: Costas K.\
License: Mozilla Public License v2.0 (<https://github.com/kacos2000/WindowsTimeline/blob/master/LICENSE>)\
Version: 2.0.82.0\
Notes:

### WLEAPP

Website: <https://github.com/abrignoni/wleapp>\
Description: Windows Logs Events and Properties Parser\
Author: Alexis Brignoni\
License: MIT License (<https://github.com/abrignoni/WLEAPP/blob/main/LICENSE>)\
Version: 0.1\
Notes:

### WMI Parser

Website: <https://github.com/woanware/wmi-parser>\
Description: Parse the WMI object database for persistence\
Author: Mark Woan\
License: Unknown\
Version: 0.0.2\
Notes:

### Zimmerman Tools

Website: <https://ericzimmerman.github.io>\
Description: Suite of Forensic Tools\
Author: Eric Zimmerman\
License: MIT License (<https://github.com/EricZimmerman/Issues/blob/master/LICENSE>)\
Version: 2023-05-18\
Notes:
