ViperMonkey is a VBA Emulation engine written in Python, designed to analyze and deobfuscate malicious VBA Macros contained in Microsoft Office files (Word, Excel, PowerPoint, Publisher, etc). See the authors’ article “Using VBA Emulation to Analyze Obfuscated Macros“, for real-life examples of malware deobfucation with ViperMonkey. You can download the tool and learn more about it here.

PhishPhinder is a tool for locating and purging messages in O365. You can learn more about how to use this PowerShell script and download it here.

The new versions of the Sleuth Kit and Autopsy have been released. You can already download them at GitHub and test. New features and bug fixes can be also found at GitHub.

Imago is a python tool that extract digital evidence from images recursively. This tool is useful throughout a digital forensic investigation. If you need to extract digital evidences and you have a lot of images, through this tool you will be able to compare them easily. Imago permits to extract the evidences into a CSV file or in a sqlite …

Lasq has posted a step-by-step guide on how to deobfuscate Emotet’s PowerShell payload. Also he shared a Python script to automate the process. Emotet is a banking trojan, targeting computer users since around 2014.

Mike Cary has written a PowerShell script that automates the use of Eric Zimmerman’s cmd line tools (https://ericzimmerman.github.io/) against a mounted forensic image. The following tools are run where applicable to the image being processed: JLECmd.exe LEcmd.exe PEcmd.exe SBECmd.exe AppCompatParser.exe AmcacheParser.exe RecentFileCacheParser.exe WxTCmd.exe MFTECmd.exe Registry Explorer project file creation Learn more about the script at Mike’s GitHub.

Diffy is a digital forensics and incident response (DFIR) tool developed by Netflix’s Security Intelligence and Response Team (SIRT). Diffy allows a forensic investigator to quickly scope a compromise across cloud instances during an incident, and triage those instances for followup actions. Diffy is currently focused on Linux instances running within Amazon Web Services (AWS), but owing to our plugin …

After yesterday’s webcast Matt Bromiley released his Office365 Log Analysis Framework or OLAF to the public. You can learn more about the framework and download it here. Also, make sure you have checked this webcast.

LiMEaide is a python application designed to remotely dump RAM of a Linux client and create a volatility profile for later analysis on your local host. This will simplify Linux digital forensics in a remote environment. In order to use LiMEaide all you need to do is feed a remote Linux client IP address, sit back, and consume your favorite …

Memtriage allows you to quickly query a live Windows machine for RAM artifacts. This tool utilizes the Winpmem drivers to access physical memory, and Volatility for analysis. Learn more about it here.