Note: this is work in progress and I will update the list along the way
Business Email Compromise (BEC)
Hawk Forensics
Hawk Forensics is a PowerShell module to quickly collect data from M365 and Azure for analysis.
Links
- Website: https://cloudforensicator.com/
- GitHub: https://github.com/T0pCyber/hawk
Collection
Kroll Artifact Parser and Extractor (KAPE)
KAPE, by Eric Zimmerman, is a triage tool that collects and parses artifacts quickly.
Links
- Website: https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape
- GitHub: https://github.com/EricZimmerman/KapeFiles
- Documentation: https://ericzimmerman.github.io/KapeDocs/#!index.md
Notes
Basic KAPE collection of the C drive with the SANS triage compound target, output as a VHD:
Windows
Hayabusa
Hayabusa is a Windows event log fast forensics timeline generator and threat hunting tool.
Links
Notes
csv-timeline output from a directory:
Include HTML report + csv output:
Ntdissector
Ntdissector is a tool for parsing records of an NTDS database.
Links
- Website: https://www.synacktiv.com/en/publications/introducing-ntdissector-a-swiss-army-knife-for-your-ntdsdit-files
- GitHub: https://github.com/synacktiv/ntdissector
Notes
Dump all records:
Memory
Volatility
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
Links
- Website: https://www.volatilityfoundation.org/
- GitHub: https://github.com/volatilityfoundation/volatility
- Good quick reference: https://blog.onfvp.com/post/volatility-cheatsheet/
MemProcFS
MemProcFS is a powerful memory analysis tool that creates a virtual file system from a memory image. This makes memory analysis more efficient by centralizing key information into a browsable format accessible through a mounted drive.
Links
- GitHub: https://github.com/ufrisk/MemProcFS
- MemProcFS - This Changes Everything from 13Cubed: https://www.youtube.com/watch?v=hjWVUrf7Obk
Notes
Quick start command line: