0xNisarg's starred repositories
mkdocs-material
Documentation that simply works
LogonTracer
Investigate malicious Windows logon by visualizing and analyzing Windows event log
LiME
LiME (formerly DMD) is a Loadable Kernel Module (LKM) that allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports acquiring memory either to the file system of the device or over the network. LiME is unique in that it is the first tool that allows full memory captures from Android devices. It also minimizes interaction between user-space and kernel-space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.
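LiME's own "lime" output format is a sequence of ranges, each preceded by a 32-byte header (u32 magic 0x4C694D45, which reads "EMiL" on disk; u32 version 1; u64 start address; u64 inclusive end address; 8 reserved bytes). The parser below is an added example, not LiME's or Volatility's code: it walks such an image, validates each header, reports the physical gaps between acquired ranges, resolves a physical address to image bytes, and flattens the image into the zero-padded layout. The sample image is constructed in the block itself; the inclusive end address follows how Volatility's LiME layer reads these headers.

```python
# Added example (not LiME's own code): parse a LiME-format memory image.
# Each acquired range is preceded by a 32-byte header:
#   u32 magic = 0x4C694D45 ("EMiL" on disk), u32 version = 1,
#   u64 s_addr, u64 e_addr (inclusive), u8 reserved[8]
# followed by the range's bytes.
import struct

LIME_MAGIC = 0x4C694D45
HEADER = struct.Struct("<IIQQ8s")  # 32 bytes, little-endian, no padding


def parse_lime(image: bytes):
    """Walk the segments of a LiME image and return [(s_addr, e_addr, data)].
    Raises ValueError on a bad magic/version or a truncated segment."""
    segments, off = [], 0
    while off < len(image):
        if len(image) - off < HEADER.size:
            raise ValueError(f"truncated header at offset {off:#x}")
        magic, version, s_addr, e_addr, _ = HEADER.unpack_from(image, off)
        if magic != LIME_MAGIC or version != 1:
            raise ValueError(f"bad header at {off:#x}: magic={magic:#x} version={version}")
        if e_addr < s_addr:
            raise ValueError(f"inverted range {s_addr:#x}-{e_addr:#x} at {off:#x}")
        length = e_addr - s_addr + 1  # e_addr is inclusive
        off += HEADER.size
        data = image[off:off + length]
        if len(data) != length:
            raise ValueError(f"segment {s_addr:#x}-{e_addr:#x} truncated: "
                             f"{len(data)} of {length} bytes present")
        segments.append((s_addr, e_addr, data))
        off += length
    return segments


def check_layout(segments):
    """Segments must be ascending and non-overlapping; returns the physical
    holes between them (typically MMIO / reserved ranges) as (start, end)."""
    gaps, prev_end = [], None
    for s, e, _ in segments:
        if prev_end is not None:
            if s <= prev_end:
                raise ValueError(f"overlapping or unsorted segment at {s:#x}")
            if s > prev_end + 1:
                gaps.append((prev_end + 1, s - 1))
        prev_end = e
    return gaps


def read_physical(segments, paddr: int, size: int) -> bytes:
    """Translate a physical address into image bytes (what an address space
    layer does for an analysis framework on top of the image)."""
    for s, e, data in segments:
        if s <= paddr <= e:
            chunk = data[paddr - s:paddr - s + size]
            if len(chunk) != size:
                raise ValueError(f"read at {paddr:#x} crosses end of segment {e:#x}")
            return chunk
    raise ValueError(f"{paddr:#x} lies in no acquired range")


def to_padded_raw(segments) -> bytes:
    """Flatten to LiME's 'padded' layout: zeros wherever no range was
    acquired, so that file offset == physical address."""
    out = bytearray()
    for s, e, data in segments:
        if s > len(out):
            out.extend(b"\0" * (s - len(out)))
        out.extend(data)
    return bytes(out)


def build_lime_image(ranges) -> bytes:
    """Constructed test input: serialize (s_addr, data) pairs the way LiME
    writes them, for exercising the parser offline."""
    out = b""
    for s, data in ranges:
        out += HEADER.pack(LIME_MAGIC, 1, s, s + len(data) - 1, b"\0" * 8) + data
    return out


if __name__ == "__main__":
    # Two constructed ranges with a hole between them, like RAM around a PCI window.
    img = build_lime_image([(0x0, b"\x11" * 64), (0x100000, b"\x22" * 32)])
    segs = parse_lime(img)
    for s, e, d in segs:
        print(f"range {s:#010x}-{e:#010x} ({len(d)} bytes)")
    print("gaps:", [(f"{a:#x}", f"{b:#x}") for a, b in check_layout(segs)])
    print("padded size:", len(to_padded_raw(segs)))
```

A failed header check part-way through the file is the usual symptom of an acquisition that was interrupted or written over an unreliable network link; the offset in the error tells you how much of the image is still usable.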
kaitai_struct_formats
Kaitai Struct: library of binary file formats (.ksy)
mboxviewer
A small but powerful app for viewing MBOX files
kaitai_struct_visualizer
Kaitai Struct: visualizer and hex viewer tool
HollowFind
HollowFind is a Volatility plugin that detects the different process hollowing techniques used in the wild to bypass, confuse, deflect and divert forensic analysis. The plugin detects such attacks by finding discrepancies between the VAD and the PEB; it also disassembles the code at the entry point to detect redirection attempts, and reports any suspicious memory regions, which should help in detecting injected code.
prefetch-hash-cracker
A small util to brute-force prefetch hashes
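Prefetch files are named EXE-HASH.pf, where HASH is a 32-bit value computed over the upper-case NT device path of the executable (e.g. \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NOTEPAD.EXE), so the directory an executable ran from can be recovered by hashing candidate paths until one matches. The block below is an added example, not prefetch-hash-cracker's code: it implements the published SCCA hash functions (the XP one for format version 17, the Vista one for 23 and later) and a brute-forcer over a constructed candidate directory list. It also carries the "2008" variant as usually published, to show that its constants are 37^7 mod 2^32 and -(37^8) mod 2^32, making it the same polynomial as the Vista hash. The candidate directories and the sample path are assumptions for the demo.

```python
# Added example (not prefetch-hash-cracker's code): reproduce the Windows
# Prefetch filename hash and brute-force the full path behind a .pf name.
from itertools import product

MASK = 0xFFFFFFFF  # all arithmetic is 32-bit unsigned


def scca_xp_hash(path: str) -> int:
    """Hash used by Windows XP/2003 prefetch files (format version 17)."""
    h = 0
    for ch in path.upper():
        h = (h * 37 + ord(ch)) & MASK
    h = (h * 314159269) & MASK
    if h > 0x80000000:
        h = 0x100000000 - h
    return (h % 1000000007) & MASK


def scca_vista_hash(path: str) -> int:
    """Hash used by Vista/7 (version 23) and later prefetch files."""
    h = 314159
    for ch in path.upper():
        h = (h * 37 + ord(ch)) & MASK
    return h


def scca_2008_hash(path: str) -> int:
    """The '2008' form (2008 R2/8/10, versions 26/30) as usually published:
    the Vista loop unrolled 8 code units at a time. 442596621 == 37**7 mod
    2**32 and 803794207 == -(37**8) mod 2**32, so it returns the Vista value."""
    s = path.upper()
    h, i = 314159, 0
    while i + 8 < len(s):
        c = [ord(x) for x in s[i:i + 8]]
        v = c[1] * 37 + c[2]
        v = v * 37 + c[3]
        v = v * 37 + c[4]
        v = v * 37 + c[5]
        v = v * 37 + c[6]
        v = v * 37 + c[0] * 442596621 + c[7]
        h = (v - h * 803794207) & MASK
        i += 8
    while i < len(s):
        h = (37 * h + ord(s[i])) & MASK
        i += 1
    return h


def prefetch_filename(path: str, hash_fn=scca_vista_hash) -> str:
    """Name Windows gives the prefetch file for an executable path."""
    exe = path.rsplit("\\", 1)[-1].upper()
    return f"{exe}-{hash_fn(path):08X}.pf"


def crack_prefetch_hash(pf_name: str, directories, hash_fn=scca_vista_hash):
    """Return every directory + executable whose hash equals the one embedded
    in a prefetch file name such as NOTEPAD.EXE-XXXXXXXX.pf."""
    stem, hex_hash = pf_name[:-len(".pf")].rsplit("-", 1)  # exe names may contain '-'
    target = int(hex_hash, 16)
    return [f"{d}\\{stem}" for d in directories if hash_fn(f"{d}\\{stem}") == target]


def candidate_directories(volumes=range(1, 9)):
    """Constructed search space (assumption): common system directories on
    each of several volumes. Hashed strings are NT device paths, so candidates
    use \\DEVICE\\HARDDISKVOLUMEn; newer Windows 10 hosts report \\VOLUME{...}
    prefixes instead, and executables such as svchost.exe are hashed together
    with their command line, so add those forms when the host uses them."""
    subdirs = ["WINDOWS", "WINDOWS\\SYSTEM32", "WINDOWS\\SYSWOW64",
               "WINDOWS\\TEMP", "USERS\\PUBLIC", "PROGRAM FILES"]
    return [f"\\DEVICE\\HARDDISKVOLUME{n}\\{s}" for n, s in product(volumes, subdirs)]


if __name__ == "__main__":
    real_path = r"\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NOTEPAD.EXE"  # constructed
    name = prefetch_filename(real_path)
    print(name, "->", crack_prefetch_hash(name, candidate_directories()))
```

Because the hash is only 32 bits and the search space is small, a miss almost always means the real path used a prefix or suffix not in the candidate list rather than a collision; widen the candidate set before suspecting the hash function.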
EventTranscriptParser
Python based tool to extract forensic info from EventTranscript.db (Windows Diagnostic Data)
ArtifactParsers
A repo that aims to centralize a current, running list of relevant parsers/tools for known DFIR artifacts
DeepSound-2.0
DeepSound is a steganography tool and audio converter that hides secret data into audio files.
Prefetch-Browser
Browse Windows Prefetch versions: 17,23,26,30v1/2 & some of SuperFetch .7db/.db's
Psinfo
Psinfo is a Volatility plugin that collects process-related information from the VAD (Virtual Address Descriptor) and PEB (Process Environment Block) and displays the collected information and suspicious memory regions for all the processes running on the system. This plugin should allow a security analyst to get process-related information and spot any process anomaly without having to run multiple plugins.
RegRipper4.0
RegRipper4.0
DFIRCommunityHardwareFund
Repository to track community hardware, data and funding.
BitTorrent-Forensics
Python script for analyzing .torrent and uTorrent .dat files
AutoExtension
Add missing file extensions