AndrewRathbun

DFIRMindMaps

A repository of DFIR-related Mind Maps geared towards the visual learners!

DFIRArtifactMuseum

The goal of this repo is to archive artifacts from all versions of various OS's and categorizing them by type. This will help with artifact validation processes as well as increase access to artifacts that may no longer be readily available anymore.

Awesome-KAPE

A curated list of KAPE-related resources

VanillaWindowsReference

A repo that contains recursive directory listings (using PowerShell) of a vanilla (clean) install of every Windows OS version to compare and see what's been added with each update. Use these CSVs to create your own known good hash sets!

DFIRRegex

A repo to centralize some of the regular expressions I've found useful over the course of my DFIR career.

KAPE-EZToolsAncillaryUpdater

A script that updates KAPE (using Get-KAPEUpdate.ps1) as well as EZ Tools (within .\KAPE\Modules\bin) and the ancillary files that enhance the output of those tools

VanillaWindowsRegistryHives

A repo that contains a recursive dump from the ROOT key of every Windows Registry hive (using KAPE) from a vanilla (clean) install of every Windows OS version to compare and see what's been added with each update.

DFIRPowerShellScripts

Various PowerShells scripts I've made to automate some of the boring stuff in my everyday DFIR journey!

KapeFiles

This repository serves as a place for community created Targets and Modules for use with KAPE.

AndrewRathbun

KapeDocs

Documentation repository

EVTX-ETW-Resources

Event Tracing For Windows (ETW) Resources

RECmd

Command line access to the Registry

Slides

Misc Threat Hunting Resources

TLEFilePlugins

Plugins for parsing CSV files in Timeline Explorer. This project allows for anyone to add more supported files (i,e. they get a Line #/tag column, layout support, searching, etc.)

APTSimulator

A toolset to make a system look as if it was the victim of an APT attack

bstrings

A better strings utility!

CSIRT-Collect

PowerShell script to collect memory and (triage) disk forensics

ericzimmerman.github.io

Software downloads

iOS_Photos.sqlite_Queries

iOS Photos.sqlite queries that may help with decoding data stored in Photos.sqlite. These queries are based on testing, research and some community published research. These queries were written to work for the Photos.sqlite database stored at: iOS: /private/var/mobile/media/PhotoData/Photos.Sqlite Mac OS: /Users//Pictures/PhotosLibrary.photoslibrary/database/Photos.sqlite

JLECmd

Automatic and Custom Destinations jump list parser with Windows 10 support

KAPEConfigurationFIles

LawEnforcementResources

Resources provided by the community that can serve to be useful for Law Enforcement worldwide

LECmd

Lnk Explorer Command line edition!!

MFTECmd

Parses $MFT from NTFS file systems

nextron-helper-scripts

Public tools, scripts or code snippets that can help when working with our products

open-DFIR-pol-proc

A collaboration to develop robust policies and procedures for DFIR labs

RegistryPlugins

Srum

thor-manual

THOR Scanner User Manual