Imago is a python tool that extract digital evidence from images recursively. This tool is useful throughout a digital forensic investigation. If you need to extract digital evidences and you have a lot of images, through this tool you will be able to compare them easily. Imago permits to extract the evidences into a CSV file or in a sqlite …

Lasq has posted a step-by-step guide on how to deobfuscate Emotet’s PowerShell payload. Also he shared a Python script to automate the process. Emotet is a banking trojan, targeting computer users since around 2014.

Mike Cary has written a PowerShell script that automates the use of Eric Zimmerman’s cmd line tools (https://ericzimmerman.github.io/) against a mounted forensic image. The following tools are run where applicable to the image being processed: JLECmd.exe LEcmd.exe PEcmd.exe SBECmd.exe AppCompatParser.exe AmcacheParser.exe RecentFileCacheParser.exe WxTCmd.exe MFTECmd.exe Registry Explorer project file creation Learn more about the script at Mike’s GitHub.

Diffy is a digital forensics and incident response (DFIR) tool developed by Netflix’s Security Intelligence and Response Team (SIRT). Diffy allows a forensic investigator to quickly scope a compromise across cloud instances during an incident, and triage those instances for followup actions. Diffy is currently focused on Linux instances running within Amazon Web Services (AWS), but owing to our plugin …

After yesterday’s webcast Matt Bromiley released his Office365 Log Analysis Framework or OLAF to the public. You can learn more about the framework and download it here. Also, make sure you have checked this webcast.

LiMEaide is a python application designed to remotely dump RAM of a Linux client and create a volatility profile for later analysis on your local host. This will simplify Linux digital forensics in a remote environment. In order to use LiMEaide all you need to do is feed a remote Linux client IP address, sit back, and consume your favorite …

Memtriage allows you to quickly query a live Windows machine for RAM artifacts. This tool utilizes the Winpmem drivers to access physical memory, and Volatility for analysis. Learn more about it here.

afro can parse APFS images. It not only extracts the latest data but also older versions of the files. Learn more about the tool here.

Epochalypse utility by Pasquale Stirparo has been updated. Now it supports APFS timestamps. You can download this Python script at Pasquale’s GitHub.

Darwin-Collector.sh is a script designed to be run against a mounted image, live system, or device in target disk mode. The script automates the collection of key files for MacOS investigations. You can learn more about the tool and download it here.