Windows Forensics Analysis — Tools And Resources

https://pixabay.com/illustrations/fingerprint-expression-328992/

With the amount of information and artifacts that one needs to collect and sift through when doing forensics analysis, it can get quite difficult to make sense of it all.

Fortunately, many tools and resources are available at our disposal that can make this process a little bit easier.

Network Analysis Tools

• Wireshark
• Network Appliance Forensic Toolkit
• NetworkMiner

Registry Analysis Tools

• RegRipper
• ShellBags Explorer
• AmcacheParser
• AppCompatCacheParser
• JLECmd
• RecentFileCacheParser
• Computer Account Forensic Artifact Extractor (cafae)
• Yet Another Registry Utility (yaru)

RDP Cache Analysis Tools

• BMC-Tools

Recycle Bin Analysis Tools

• RBCmd
• $I Parser

“$” Files Analysis Tools

• MFTExplorer ($MFT)
• MFTECmd ($MFT, $Boot, $J, $SDS, and $LogFile (coming soon) parser)
• UsnJrnl2Csv ($UsnJrnl)
• INDXParse ($I30)

Logs Analysis Tools

• Log Parser (Windows Event Logs)
• Evtx Explorer/EvtxECmd
• Apache Scalp

Processes And Memory Analysis Tools

• Volatility
• Memoryze
• Magnet Process Capture
• Magnet RAM Capture

Disk And File Analysis Tools

• FTK Imager
• Encrypted Disk Detector
• Disk Editor Freeware
• HxD

Browsers Analysis Tools

• DB Browser for SQLite (Open “.sqlite” files)
• Nirsoft Web Browsers Tools (Contains a multitude of tools to open cache files, cookies and history data)
• BrowsingHistoryView
• ESEDatabaseView
• Session History Scrounger for Firefox (Opens “.jsonlz4” files)
• Sysinternals Strings
• OS Forensics
• Magnet IEF (Internet Evidence Finder)
• Browser History Viewer
• Browser History Examiner (Free Trial)
• Hindsight
• libsedb (Library to access the Extensible Storage Engine (ESE) Database File (EDB) format)
• Web Browser Addons View (Use to view installed extensions and addons)
• The LaZagne Project
• firepwd.py (open source tool to decrypt Mozilla protected passwords)
• Firefox Search Engine Extractor (Open ‘search.json.mozlz4’ files)
• Firefox Bookmark Backup Reader/Decompressor (Open ‘ jsonlz4’ files)

Frameworks, Toolkits and VM’s

• SANS SIFT Workstation
• ANSSI DFIR-ORC
• Redline
• OSForensics
• Kali Linux
• Forensic Toolkit FTK
• The Sleuth Kit
• EnCase
• C.A.I.N.E (Computer Aided INvestigative Environment)

Other

• Eric Zimmerman’s tools
• DB Browser For SQLite
• NirSoft — freeware utilities: password recovery, system utilities, desktop utilities
• ExifTool
• Log2timeline
• ProcDOT

Resources / Getting Started

• 13Cubed YouTube Channel
• Ponder the Bits
• Digital Forensics Stream
• Journey Into Incident Response
• SANS DFIR Posters
• Didier Stevens Blog

I’ll be updating this list constantly so please look forward to it.

Thanks for reading. Please feel free to send me any suggestions or comments on twitter @nas_bench