In this post Harlan Carvey has presented his views on incident response tools. In the post you’ll find both “classics” like RegRipper and Yara, and some freshies like vss_carver and YARP.

A few days ago Dan Gunter has published a post about his tool capable of parsing logs from the Bro Intrusion Detection System. You can easily install ParseBroLogs via pip: pip install parsebrologs  If you are interested in the source code – go straight to his GitHub.

Minoru Kobayashi has presented a tool for carving and recreating deleted VSS at at Japan Security Analyst Conference 2018. The script is already available for downloading at his GitHub.

Invoke-LiveResponse is a module for Live Response and Forensic collections over WinRM written by Matthew Green. You can learn more about it reading this LinkedIn post.

Sergey Golovanov and Igor Soumenkov have prepared a New Year present for DFIR community: they have presented their script for APT hunting across the enterprise. They use this script to collect logs, NTFS data, entries from the Windows registry and strings from the binary files to find out how exactly the attackers are moving through the network. You can learn more …

page_brute.py is a digital forensic tool purposed to analyze and categorize individual paged memory frames from Windows Page Files by appying YARA-based signatures to fix-sized blocks of pagefile.sys. This tool can be used to: Disambiguate evidence within pagefile.sys by logically grouping blocks/pages into categories based on YARA rulesets of forensic artifacts that follow a pattern/convention. Identify page files that contain remanants …

Sarah Edwards has released the new version of Mac MRU Parser – 1.5. Now the script can gather info from the following sources: Sidebar List plist [10.12-] – /Users/<username>/Library/Preferences/com.apple.sidebarlists.plist Favorite Volumes SFL2 – [10.13+] /Users/<username>/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.FavoriteVolumes.sfl2 Finder Plist – /Users/<username>/Library/Preferences/com.apple.finder.plist Learn more about the release here.

CERTitude is a Python-based tool which aims at assessing the compromised perimeter during incident response assignments. It allows analysts to perform large scale scans of Windows-based information systems by searching for behavioural patterns described in IOC (Indicator Of Compromise) files. Notable features: Ability to scan hosts in a way that prevents the target workstation from knowing what the investigator is …

LogonTracer helps digital forensics analysts to investigate malicious logon by visualizing and analyzing Windows active directory event logs. The tool uses PageRank and ChangeFinder to detect malicious hosts and accounts from event log. It can visualize the following event id related to Windows logon based on this research: 4624: Successful logon 4625: Logon failure 4768: Kerberos Authentication (TGT Request) 4769: Kerberos Service Ticket (ST Request) …

Plaso development team has just released a new Plaso version, fixing a couple of small issues and adding a parser for Sophos Antivirus SAV logs. You can download and test the new version here.