CyLR CDQR Forensics Virtual Machine (CCF-VM) by Alan Orlikoski has been updated to version 2.1. Added TimeSketch!!!! Includes Redis & MySQL as well Updated CDQR 4.0.0 Replaced kopf with Cerebro for ElasticSearch DB Updated ElasticSearch Updated Kibana Changed to .zip archive format for the OVF for maximum compatibility Updated “update.sh” script that updates the OS, CDQR, CyLR in one click …
New versions of your favourite open source DFIR tools – the Sleuth Kit and Autopsy, – have been released. The Sleuth Kit 4.4.2 New Features: usnjls tool for NTFS USN log (from noxdafox) Added index to mime type column in DB Use local SQLite3 if it exists (from uckelman-sf) Blackboard Artifacts have a shortDescription metho Bug Fixes: Fix for highest …
There are two scripts by David Pany, which can help an analyst to find evidence in WMI repositories: CCM_RUA_finder.py and PyWMIPersistenceFinder.py. The first script extracts SCCM software metering RecentlyUsedApplication logs from OBJECTS.DATA files, the second – finds WMI persistence via FitlerToConsumerBindings solely by keyword searching the OBJECTS.DATA file without parsing the full WMI repository.
Sysmon View can  help you in tracking and visualizing Sysmon logs. First you should export Sysmon events to  an XML file, then import this file to the Sysmon View – all data will be exported to a SQLite database and can be even shared with other analysts. Learn more about the tool at the GitHub.
Have you ever faced a drive with deleted EXT file system? If yes, there is a really good tool for you – analyzeEXT by DFIR superhero Hal Pomeranz. Of course, you won’t get the metadata, but you’ll get the directory contents! Also don’t forget to check this presentation from SANSÂ DFIR Summit & Training 2017.
FLARE VM is a fully customizable, Windows-based security distribution for malware analysis, incident response, penetration testing, etc. The project will be released at Blackhat Arsenal on Wednesday, July 26th. Come see a demo at 11:30am-12:50pm | Business Hall, Level 2, Station 8. For more info and examples check this GitHub. Also don’t forget to check this post.
fuse-mft is a FUSE file system driver for MFT files. It allows an forensic examiner to mount the file system tree defined by an MFT on their analysis machine. Then, the examiner can use familiar command line or graphical tools to explore the contents. The tool uses the metadata found within the MFT to populate the entries, and exposes a few virtual files …
Sarah Edwards has updated her Mac MRU Parser. Now it parses the Spotlight Shortcuts plist and also the Bookmark and Alias BLOB data. You can get the script here!
HFS Journal Parser finds and parses catalog file record in HFS+/HFSX .journal file. Â It has searching capabilities, allows the examiner to create a list of found records, and determine meta data information. Download the tool.
Bitscout allows anyone who is running Ubuntu OS to build own LiveCD/LiveUSB image to be used for remote digital forensics (or other tasks of your own choice). Bitscout relies on 3 roles in the process of remote forensics: 1. The Owner. The owner is a user who has physical access to the target system and owns it. The owner’s role …
Login
