Arsenal’s Brian Gerdon presented Backstage Parser – a python tool that can be used to parse the contents of Microsoft Office files found in the “\Users(User)\AppData\Local\Microsoft\Office\16.0\BackstageinAppNavCache” path. Learn more about the tool at Arsenal’s GitHub.

Free-B-sd m-emory A-cquisition M-odule Tool/Kernel Module allows acquisition of volatile memory from FreeBSD. You can learn more about the tool at GitHub.

The latest version of the system dedicated to forensic analysis and incident management, DEFT X, is released and available for downloading here.

GiftStick allows an inexperimented user to easily (one click) upload forensics evidence (such as some information about the system, a full disk image as well as the system’s firmware, if supported) from a target device (that will boot on an external device containing the code) to Google Cloud Storage. Learn more about the project at GitHub.

New versions of our open source DFIR tools have been released: Autopsy New Features: Removed data from table that are time intensive and can be found in content viewers (such as hash set hits) Added ability to find common items (files, emails, etc.) between current case and past cases using the Central Repository. Added ability to ignore common items that …

This Autopsy plugin by Rebecca Anderson won Autopsy Plugin Contest this year at Open Source Digital Forensics Conference (OSDFCon). It searches Virus Total for SHA1 hashes of executables from amcache. You can get the plugin here.

0.2-alpha version of memtriage has been released. This tool allows you to quickly query a Windows machine for RAM artifacts. It utilizes the Winpmem drivers to access physical memory, and Volatility for analysis.

Maxim Suhanov presented winmem_decompress – a program that tries to extract compressed memory pages from page-aligned data. Such compressed memory pages can be found in virtual memory of Windows 8.1 & 10 operating systems. Learn more about the tool here.

libfsapfs is a library and tools by Joachim Metz to access the Apple File System (APFS). Source code is available at GitHub.

Eric Zimmerman has released another amazing tool – VSCMount. Now we have “a simple way to mount Volume Shadow Copies from the command line without having to do much of anything except provide the drive letter to where the VSCs are and where you want the VSCs to be mounted to.” Learn more about it here.