| Tool | Source | Description | Tags | File types | Notes |
|---|---|---|---|---|---|
| API Monitor | HTTP | Monitors the Windows API calls made by a running application. | reverse-engineering, api-tracing, dynamic-analysis | .exe, .dll | |
| BlueTuxedo | Git | A tiny tool that finds and fixes common misconfigurations in Active Directory-integrated DNS. | windows, network-analysis, dns | | |
| CimSweep | Git | A suite of CIM/WMI-based tools for performing incident response and hunting operations remotely across all versions of Windows. | windows, forensics | | |
| Fibratus | GitHub Release | Adversary tradecraft detection, protection, and hunting. | windows, monitoring | .etl | Full only |
| Jumplist Browser | GitHub Release | Browser for Automatic/Custom Destinations jump lists and LNK (MS-SHLLINK) files. | windows, forensics, artifact-extraction | .automaticDestinations-ms, .customDestinations-ms, .lnk | |
| LnkParse3 | Python | Windows shortcut file (LNK) parser. | windows, forensics, file-analysis | .lnk | |
| Prefetch Browser | GitHub Release | Analyzes Windows Prefetch files, which record program execution and related system activity. | windows, forensics, filesystem | .pf | |
| ProcDOT | HTTP | Visual malware analysis tool that graphs process, file, and network activity from sandbox and packet-capture logs. | malware-analysis, visualization, dynamic-analysis | .csv, .log | Full only |
| Thumbcacheviewer | GitHub Release | Thumbcache Viewer: extracts thumbnail images from Windows Vista, 7, 8, 8.1, and 10 thumbcache database files. | windows, forensics, metadata | .db | |
| TotalRecall | Git | Extracts and displays data captured by the Windows 11 Recall feature, giving easy access to the PC's activity snapshots. | windows, forensics | | |
| psexposed | Git | Community-driven PowerShell detection indicators. | windows, forensics | .ps1 | |
| recbin | HTTP | Parses Windows Recycle Bin files. | binary-analysis, carving | .bin | |
| sidr | GitHub Release | Search Index Database Reporter. | browser-forensics, forensics | .db, .sqlite | |
| srum_dump | GitHub Release | Converts the data in the Windows SRUM (System Resource Usage Monitor) database to an xlsx spreadsheet. | windows, forensics, filesystem | .dat | |
| usnjrnl | Cargo | Command-line utility for parsing Windows UsnJrnl files. The USN Journal is an NTFS feature that tracks changes to files and directories, so the extracted records are useful for forensic reconstruction of file system activity. | filesystem, forensics, ntfs, windows | .bin | |
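The usnjrnl entry above describes the NTFS USN Journal in a single sentence. As an added example (not the code of the usnjrnl crate or of any tool listed on this page), the Python below walks the documented USN_RECORD_V2 layout in a raw $UsnJrnl:$J stream, steps over the sparse zero run at the head of the stream and the 8-byte padding between records, decodes the reason flags and FILETIME, and splits the file reference number into MFT entry and sequence number. The journal bytes are constructed inline; as in a real $J stream, each record's USN equals its byte offset. The reason-flag table is a subset of the USN_REASON_* constants, chosen to cover the sample records.

```python
"""Walk USN_RECORD_V2 entries in a raw $UsnJrnl:$J stream.

Added example, not the code of the usnjrnl crate or any tool on this page.
Field layout is the documented USN_RECORD_V2 structure (winioctl.h); the
sample journal bytes at the bottom are constructed here so the file runs offline.
"""
import struct
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2 fixed header, little-endian, 60 bytes:
# RecordLength, MajorVersion, MinorVersion, FileReferenceNumber,
# ParentFileReferenceNumber, Usn, TimeStamp, Reason, SourceInfo,
# SecurityId, FileAttributes, FileNameLength, FileNameOffset
_HDR = struct.Struct("<IHHQQqqIIIIHH")
_HDR_SIZE = _HDR.size  # 60

# Subset of USN_REASON_* flags (winioctl.h); enough for the sample records.
REASONS = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x80000000: "CLOSE",
}

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def reason_names(reason):
    return [name for bit, name in sorted(REASONS.items()) if reason & bit]


def parse_usn_records(buf):
    """Return a list of dicts, one per V2 record, in stream order.

    $J is a sparse stream: it usually starts with a long run of zeros and
    every record is padded to an 8-byte boundary, so zero regions are
    stepped over instead of being treated as corrupt records.
    """
    records = []
    off = 0
    while off + _HDR_SIZE <= len(buf):
        if buf[off:off + 4] == b"\0\0\0\0":        # RecordLength == 0: padding
            off = (off + 8) & ~7                    # advance to next 8-byte boundary
            continue
        (rec_len, major, _minor, frn, parent_frn, usn, ts, reason,
         _source, _sec_id, attrs, name_len, name_off) = _HDR.unpack_from(buf, off)
        if rec_len < _HDR_SIZE or off + rec_len > len(buf):
            break                                   # truncated or invalid record
        if major != 2:                              # V3/V4 use 128-bit file IDs; not handled here
            off += rec_len
            continue
        name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le")
        records.append({
            "offset": off,
            "usn": usn,
            "timestamp": filetime_to_dt(ts),
            "reasons": reason_names(reason),
            "name": name,
            "mft_entry": frn & 0xFFFFFFFFFFFF,      # low 48 bits: MFT record number
            "mft_seq": frn >> 48,                   # high 16 bits: sequence number
            "parent_entry": parent_frn & 0xFFFFFFFFFFFF,
            "attrs": attrs,
        })
        off += rec_len
    return records


def build_record(usn, frn, parent_frn, ts, reason, name, attrs=0x20):
    """Encode one USN_RECORD_V2 (used only to construct the sample stream)."""
    name_b = name.encode("utf-16-le")
    rec_len = (_HDR_SIZE + len(name_b) + 7) & ~7    # pad to 8-byte boundary
    hdr = _HDR.pack(rec_len, 2, 0, frn, parent_frn, usn, dt_to_filetime(ts),
                    reason, 0, 0, attrs, len(name_b), _HDR_SIZE)
    return hdr + name_b + b"\0" * (rec_len - _HDR_SIZE - len(name_b))


# Constructed sample: 64 zero bytes (sparse head) followed by two records.
# In a real $J stream each record's USN equals its byte offset, mirrored here.
_T0 = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
_FRN = (7 << 48) | 1234                             # MFT entry 1234, sequence 7
_PARENT = (1 << 48) | 5                             # root directory is MFT entry 5
SAMPLE_JOURNAL = (
    b"\0" * 64
    + build_record(64, _FRN, _PARENT, _T0, 0x100 | 0x80000000, "evil.exe")
    + build_record(144, _FRN, _PARENT, _T0 + timedelta(seconds=90),
                   0x200 | 0x80000000, "evil.exe")
)

if __name__ == "__main__":
    for r in parse_usn_records(SAMPLE_JOURNAL):
        print(f'{r["timestamp"].isoformat()} usn={r["usn"]} '
              f'mft={r["mft_entry"]}:{r["mft_seq"]} {r["name"]} '
              f'{"|".join(r["reasons"])}')
```

To run it against a real journal, read `$UsnJrnl:$J` (for example as exported by a forensic image tool) into `buf` and pass it to `parse_usn_records`; the truncated-record check at the end of the stream means a partially exported journal still yields every complete record before the cut.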