Windows Forensics Analysis — Tools And Resources
Sep 15, 2019
With the amount of information and artifacts that one needs to collect and sift through when doing forensics analysis, it can get quite difficult to make sense of it all.
Fortunately, many tools and resources are available at our disposal that can make this process a little bit easier.
Network Analysis Tools
Registry Analysis Tools
- RegRipper
- ShellBags Explorer
- AmcacheParser
- AppCompatCacheParser
- JLECmd
- RecentFileCacheParser
- Computer Account Forensic Artifact Extractor (cafae)
- Yet Another Registry Utility (yaru)
RDP Cache Analysis Tools
Recycle Bin Analysis Tools
“$” Files Analysis Tools
- MFTExplorer ($MFT)
- MFTECmd ($MFT, $Boot, $J, $SDS, and $LogFile (coming soon) parser)
- UsnJrnl2Csv ($UsnJrnl)
- INDXParse ($I30)
Logs Analysis Tools
- Log Parser (Windows Event Logs)
- Evtx Explorer/EvtxECmd
- Apache Scalp
Processes And Memory Analysis Tools
Disk And File Analysis Tools
Browsers Analysis Tools
- DB Browser for SQLite (Open “.sqlite” files)
- Nirsoft Web Browsers Tools (Contains a multitude of tools to open cache files, cookies and history data)
- BrowsingHistoryView
- ESEDatabaseView
- Session History Scrounger for Firefox (Opens “.jsonlz4” files)
- Sysinternals Strings
- OS Forensics
- Magnet IEF (Internet Evidence Finder)
- Browser History Viewer
- Browser History Examiner (Free Trial)
- Hindsight
- libesedb (Library to access the Extensible Storage Engine (ESE) Database File (EDB) format)
- Web Browser Addons View (Use to view installed extensions and addons)
- The LaZagne Project
- firepwd.py (open source tool to decrypt Mozilla protected passwords)
- Firefox Search Engine Extractor (Open ‘search.json.mozlz4’ files)
- Firefox Bookmark Backup Reader/Decompressor (Open ‘.jsonlz4’ files)
Frameworks, Toolkits and VM’s
- SANS SIFT Workstation
- ANSSI DFIR-ORC
- Redline
- OSForensics
- Kali Linux
- Forensic Toolkit FTK
- The Sleuth Kit
- EnCase
- C.A.I.N.E (Computer Aided INvestigative Environment)
Other
- Eric Zimmerman’s tools
- DB Browser For SQLite
- NirSoft — freeware utilities: password recovery, system utilities, desktop utilities
- ExifTool
- Log2timeline
- ProcDOT
Resources / Getting Started
- 13Cubed YouTube Channel
- Ponder the Bits
- Digital Forensics Stream
- Journey Into Incident Response
- SANS DFIR Posters
- Didier Stevens Blog
I’ll be updating this list constantly, so please look forward to it.
Thanks for reading. Please feel free to send me any suggestions or comments on Twitter @nas_bench