Ma2Tl – macOS Forensic Timeline Generator Using The Analysis Result DBs Of Mac_Apt

This is a DFIR tool for generating a macOS forensic timeline from the analysis result DBs of mac_apt. Requirements Python 3.7.0 or later pytz tzlocal xlsxwriter Installation % git clone https://github.com/mnrkbys/ma2tl.git Usage % python ./ma2tl.py -husage: ma2tl.py [-h] [-i INPUT] [-o OUTPUT] [-ot OUTPUT_TYPE] [-s START] [-e END] [-t TIMEZONE] [-l LOG_LEVEL] plugin [plugin …]ForensicRead More

Autotimeliner – Automagically Extract Forensic Timeline From Volatile Memory Dump

Automagically extract forensic timeline from volatile memory dumps. Requirements Python 3 Volatility mactime (from SleuthKit) (Developed and tested on Debian 9.6 with Volatility 2.6-1 and sleuthkit 4.4.0-5) How it works AutoTimeline automates this workflow: Identify correct volatility profile for the memory image. Runs the timeliner plugin against volatile memory dump using volatility. Runs the mftparserRead More

FACT – A Tool To Collect, Process And Visualise Forensic Data From Clusters Of Machines Running In The Cloud Or On-Premise

FACT is a tool to collect, process and visualise forensic data from clusters of machines running in the cloud or on-premise. Deployment For a basic single-node deployment, we recommend using Docker and Docker Compose. First, read docker-compose.yaml for configuration and requirements. Then, start the stack using: docker-compose up -d See the installation guide for moreRead More

Androidqf – (Android Quick Forensics) Helps Quickly Gathering Forensic Evidence From Android Devices, In Order To Identify Potential Traces Of Compromise

androidqf (Android Quick Forensics) is a portable tool to simplify the acquisition of relevant forensic data from Android devices. It is the successor of Snoopdroid, re-written in Go and leveraging official adb binaries. androidqf is intended to provide a simple and portable cross-platform utility to quickly acquire data from Android devices. It is similar inRead More

RdpCacheStitcher – RdpCacheStitcher Is A Tool That Supports Forensic Analysts In Reconstructing Useful Images Out Of RDP Cache Bitmaps

RdpCacheStitcher is a tool that supports forensic analysts in reconstructing useful images out of RDP cache bitmaps. Using raw RDP cache tile bitmaps extracted by tools like e.g. ANSSI’s BMC-Tools (https://github.com/ANSSI-FR/bmc-tools) as input, it provides a graphical user interface and several placement heuristics for stitching tiles together so that meaningful images or even full screenshotsRead More

IPED – Digital Forensic Tool – Process And Analyze Digital Evidence, Often Seized At Crime Scenes By Law Enforcement Or In A Corporate Investigation By Private Examiners

IPED is an open source software that can be used to process and analyze digital evidence, often seized at crime scenes by law enforcement or in a corporate investigation by private examiners. Introduction IPED – Digital Evidence Processor and Indexer (translated from Portuguese) is a tool implemented in java and originally and still developed byRead More

IRTriage – Incident Response Triage – Windows Evidence Collection For Forensic Analysis

Scripted collection of system information valuable to a Forensic Analyst. IRTriage will automatically “Run As ADMINISTRATOR” in all Windows versions except WinXP. The original source was Triage-ir v0.851 an Autoit script written by Michael Ahrendt. Unfortunately Michael’s last changes were posted on 9th November 2012 I let Michael know that I have forked his project:Read More

Columbo – A Computer Forensic Analysis Tool Used To Simplify And Identify Specific Patterns In Compromised Datasets

Columbo is a computer forensic analysis tool used to simplify and identify specific patterns in compromised datasets. It breaks down data to small sections and uses pattern recognition and machine learning models to identify adversaries behaviour and their possible locations in compromised Windows platforms in a form of suggestions. Currently Columbo operates on Windows platform.Read More

Gargamel – A Forensic Evidence Acquirer

A Forensic Evidence Acquirer Compile Assuming you have Rust 1.41+ installed. Open terminal in the project directory and to compile a release build type cargo build –release Debug build can be compiled using cargo build Compiled executable is located at target/release/gargamel.exe or target/debug/gargamel.exe, respectively. Set log level If you wish to change the logging level:Read More

FAMA – Forensic Analysis For Mobile Apps

LabCIF – Forensic Analysis for Mobile Apps Getting Started Android extraction and analysis framework with an integrated Autopsy Module. Dump easily user data from a device and generate powerful reports for Autopsy or external applications. Functionalities Extract user application data from an Android device with ADB (root and ADB required). Dump user data from anRead More

X