Recycle Bin Forensics
As a continuation of Richard Davis’ “Introduction to Windows Forensics” series, this video introduces Recy…
Invoke-LiveResponse
Invoke-LiveResponse is a module for Live Response and Forensic collections over WinRM written by Matthew Green. You can…
Carving Fragmented Registry Files
Yet another registry parser, or yarp, is a library and tools to deal with Windows registry files [1]. Despite the name, yarp…
Incident Response Script for APT Hunting
Sergey Golovanov and Igor Soumenkov have prepared a New Year present for DFIR community: they have presented their scri…
Pagefile forensics: page_brute
page_brute.py is a digital forensic tool purposed to analyze and categorize individual paged memory frames from Windows…
CERTitude – The seeker of IOC
CERTitude is a Python-based tool which aims at assessing the compromised perimeter during incident response assignments. It …
Investigate malicious logon with LogonTracer
LogonTracer helps digital forensics analysts to investigate malicious logon by visualizing and analyzing Windows active dire…
Unofficial Guide to Mimikatz & Command Reference
Mimikatz is a common tool used by APT in modern cyber attacks to harvest admin’s and user’s login credentials. I…
In-Depth Forensic Analysis of Windows Registry Files
The Windows registry is an essential source of evidence when performing a wide range of examinations. In a recent talk (Zero…
Timestamp hiccups: Detecting manipulated filesystem timestamps on NTFS
Redundant capacity in filesystem timestamps is recently proposed in the literature as an effective means for information hid…
