DFIRinProgress Blog

DFIR Tools and Resources


Note: this is work in progress and I will update the list along the way

Business Email Compromise (BEC)

Hawk Forensics

Hawk Forensics is a PowerShell module to quickly collect data from M365 and Azure for analysis.

Links

Collection

Kroll Artifact Parser and Extractor (KAPE)

KAPE, by Eric Zimmerman, is a triage tool that quickly collects artifacts from a live system or mounted image and, optionally, parses them with a set of modules.

Links

Notes

Basic KAPE collection of the C: drive with the SANS triage compound target, written out as a VHD:

.\kape.exe --tsource C: --tdest C:\Temp --target !SANS_Triage --vhd <Insert VHD Name> --gui
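
The one-liner above is enough for an interactive run, but an unattended collection should also record what was collected and a hash of the resulting image so it can be verified after transfer. The script below is an added example, not code from this page or from the KAPE project: it runs kape.exe with the same flags (minus --gui, since it is meant to run unattended), then writes a SHA-256 manifest next to the VHD. The kape.exe path, the destination folder and the case-name convention are assumptions to adjust; the `*<name>*.vhd` wildcard is used because KAPE prefixes the container name with a timestamp.

```powershell
# Added example (not from the KAPE project or this page): wrap the KAPE
# collection and hash the VHD it produced so the evidence can be verified.
#Requires -RunAsAdministrator

param(
    [string]$KapePath = 'C:\Tools\KAPE\kape.exe',   # assumed install location
    [string]$Source   = 'C:',
    [string]$Dest     = 'C:\Temp',
    [string]$Target   = '!SANS_Triage',
    # assumed naming convention: host plus collection time
    [string]$CaseName = "$env:COMPUTERNAME-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path $KapePath)) { throw "kape.exe not found at $KapePath" }
New-Item -ItemType Directory -Path $Dest -Force | Out-Null

# Same flags as the one-liner on the page; --vhd takes the base name of the container
$kapeArgs = @('--tsource', $Source, '--tdest', $Dest, '--target', $Target, '--vhd', $CaseName)
$started = Get-Date
& $KapePath @kapeArgs
if ($LASTEXITCODE -ne 0) { throw "KAPE exited with code $LASTEXITCODE" }

# KAPE prepends a timestamp to the --vhd value, so match on the case name
$vhd = Get-ChildItem -Path $Dest -Filter "*$CaseName*.vhd" |
    Sort-Object LastWriteTime | Select-Object -Last 1
if (-not $vhd) { throw "No VHD for $CaseName found in $Dest after collection" }

# Hash the image and write a manifest for the chain of custody
$hash = Get-FileHash -Path $vhd.FullName -Algorithm SHA256
$manifest = [pscustomobject]@{
    Host      = $env:COMPUTERNAME
    Collector = "$env:USERDOMAIN\$env:USERNAME"
    Started   = $started.ToString('o')
    Finished  = (Get-Date).ToString('o')
    Target    = $Target
    File      = $vhd.Name
    SizeBytes = $vhd.Length
    SHA256    = $hash.Hash
}
$manifestPath = Join-Path $Dest "$CaseName.manifest.json"
$manifest | ConvertTo-Json | Set-Content -Path $manifestPath -Encoding utf8
$manifest
```

Run it from an elevated PowerShell prompt on the host being triaged; re-hashing the VHD on the analysis machine and comparing against the manifest confirms the image was not altered in transit.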

Windows

Hayabusa

Hayabusa is a Windows event log fast forensics timeline generator and threat hunting tool.

Links

Notes

csv-timeline output from a directory of EVTX files:

.\hayabusa.exe csv-timeline -d {EVTXFileDirectory} -o results.csv

Include HTML report + csv output:

.\hayabusa.exe csv-timeline -d {EVTXFileDirectory} -o results.csv -H results.html
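
A full csv-timeline run on a busy host produces far more rows than can be read top to bottom, so the usual next step is to count hits by severity and rule and carve out the serious ones first. The script below is an added example, not code from this page or from the Hayabusa project. It assumes the default csv-timeline profile, whose columns include Timestamp, Computer, Level and RuleTitle, and that Level holds Hayabusa's short severity names (crit, high, med, low, info); the input and output file names are placeholders.

```powershell
# Added example (not from the Hayabusa project or this page): summarise a
# csv-timeline results file by severity and rule, then export the
# high/critical subset in time order for review.
param(
    [string]$ResultsCsv = '.\results.csv',           # output of csv-timeline -o
    [string]$OutCsv     = '.\results-high-crit.csv'  # assumed output name
)

$ErrorActionPreference = 'Stop'
$rows = @(Import-Csv -Path $ResultsCsv)
if ($rows.Count -eq 0) { throw "No rows read from $ResultsCsv" }

# Severity order, worst first; long and short spellings both accepted
$order = @{ crit = 0; critical = 0; high = 1; med = 2; medium = 2; low = 3; info = 4; informational = 4 }

# Count of alerts per level
$rows | Group-Object Level |
    Sort-Object { $k = $_.Name.ToLower(); if ($order.ContainsKey($k)) { $order[$k] } else { 9 } } |
    Select-Object @{ n = 'Level'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# Which rules fired most among the serious hits, and on which hosts
$serious = @($rows | Where-Object { $_.Level -match '^(crit|high)' })
$serious | Group-Object RuleTitle |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Rule'; e = { $_.Name } },
        @{ n = 'Hosts'; e = { ($_.Group.Computer | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize -Wrap

# Chronological subset for the timeline review (Hayabusa timestamps sort as strings)
$serious | Sort-Object Timestamp |
    Export-Csv -Path $OutCsv -NoTypeInformation -Encoding utf8
"{0} of {1} events are high/critical; written to {2}" -f $serious.Count, $rows.Count, $OutCsv
```

The rule-by-host table is the useful part: a rule that fires once on every host is usually a noisy detection or a legitimate admin tool, while one that fires only on a single host is worth opening first.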

Ntdissector

Ntdissector is a tool for parsing records of an NTDS database.

Links

Notes

Dump all records:

ntdissector -ntds NTDS.dit -system SYSTEM -outputdir /tmp/ntdissector/ -ts -f all

Memory

Volatility

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.

Links

MemProcFS

MemProcFS is a memory analysis tool that exposes a memory image as a virtual file system. Processes, modules, registry hives, timelines and other key information are presented as files and directories under a mounted drive, so they can be browsed and scripted with ordinary file tools instead of queried one plugin at a time.

Links

Notes

Quick start command line:

.\MemProcFS.exe -device $MemoryImage -forensic 1 -license-accept-elastic-license-2-0