Sarah Edwards has updated her Mac MRU Parser. Now it parses the Spotlight Shortcuts plist and also the Bookmark and Alias BLOB data. You can get the script here!

HFS Journal Parser finds and parses catalog file record in HFS+/HFSX .journal file.  It has searching capabilities, allows the examiner to create a list of found records, and determine meta data information. Download the tool.

Bitscout allows anyone who is running Ubuntu OS to build own LiveCD/LiveUSB image to be used for remote digital forensics (or other tasks of your own choice). Bitscout relies on 3 roles in the process of remote forensics: 1. The Owner. The owner is a user who has physical access to the target system and owns it. The owner’s role …

Chromensics is an open source tool by Nishant Grover capable of reading all information from Chrome Browser directory and present it to an examiner in easy readable tabular format. The tool will also allow you to retrieve information from other Chrome installation brought from different machine for analyzing. The acquired artifacts can be exported in PDF report to present it in …

Andrea Fortuna has published a useful list of Python tools you can use for malware detection and analysis. You will learn about pyew, Exefilter, jsunpack-n, yara-python, phoneyc and pyClamd.

With help of yarGen you can generate YARA rules automatically. The main principle is the creation of yara rules from strings found in malware files while removing all strings that also appear in goodware files. Therefore yarGen includes a big goodware strings and opcode database as ZIP archives that have to be extracted before the first use. You can learn more …

New version of FSEventsParser has been released. FSEvents files are written to disk by OS X apis and contain historical records of events that occurred for the partition. They are stored in the root of the partition within the directory ‘/.fseventsd/’. FSEvent files can be found on the OS X system partition and can also be found on external storage devices that …

PassMark Software has released a beta version of Volatility Workbench – a graphical user interface (GUI) for the Volatility tool. Volatility Workbench is free, open source and runs in Windows. It provides a number of advantages over the command line version including: No need to remember command line parameters Storage of the operating system profile, KDBG address and process list with the memory …

Mark McKinnon has written a plugin that will export the /.fseventsd directory to the temp folder and will then call an executable program that will parse the data into a SQLite database and import it into Autopsy into the Extracted Content area. Learn more about the plugin here.

The new version of our favorite open source forensic tool – Autopsy, – has been released. New triage features. Make a VHD image during analysis. Pre-program files to analyze… Version 4.4.0 can be downloaded here.