Digital Forensics for Windows
Tools and methodologies for investigating digital incidents and gathering electronic evidence. Task: WindowsExplore 24 curated tools and resources
RELATED TASKS
PINNED
Promoted • 4 tools
Want your tool featured here?
Get maximum visibility with pinned placement
LATEST ADDITIONS
A command line utility for managing volume shadow copies with capabilities for evasion, persistence, and file extraction.
A command line utility for managing volume shadow copies with capabilities for evasion, persistence, and file extraction.
RegRippy is a modern Python 3 alternative to RegRipper for extracting data from Windows registry hives.
A comprehensive incident response tool for Windows computers, providing advanced memory forensics and access to locked systems.
A comprehensive incident response tool for Windows computers, providing advanced memory forensics and access to locked systems.
ForensicMiner, Redefine DFIR Automations
A library to access and parse Windows NT Registry File (REGF) format.
A Windows Registry hive extraction library that reads and writes Windows Registry 'hive' binary files.
A Windows Registry hive extraction library that reads and writes Windows Registry 'hive' binary files.
Automated collection tool for incident response triage in Windows systems.
Automated collection tool for incident response triage in Windows systems.
Windows anti-forensics USB monitoring tool with the ability to shutdown the computer upon detecting the unplugging of a specified USB device.
Windows anti-forensics USB monitoring tool with the ability to shutdown the computer upon detecting the unplugging of a specified USB device.
A utility package that monitors hard drive health through SMART technology to detect and prevent disk failures before data loss occurs.
A utility package that monitors hard drive health through SMART technology to detect and prevent disk failures before data loss occurs.
A library to access and parse Windows Shortcut File (LNK) format.
A suite of console tools for working with timestamps in Windows with 100-nanosecond precision.
A suite of console tools for working with timestamps in Windows with 100-nanosecond precision.
A collection of PowerShell modules for artifact gathering and reconnaissance of Windows-based endpoints.
A collection of PowerShell modules for artifact gathering and reconnaissance of Windows-based endpoints.
CyLR is a Live Response Collection tool for quickly and securely collecting forensic artifacts from hosts with NTFS file systems.
CyLR is a Live Response Collection tool for quickly and securely collecting forensic artifacts from hosts with NTFS file systems.
Windows event log fast forensics timeline generator and threat hunting tool.
Windows event log fast forensics timeline generator and threat hunting tool.
A library to access the Extensible Storage Engine (ESE) Database File (EDB) format used in various Windows applications.
A library to access the Extensible Storage Engine (ESE) Database File (EDB) format used in various Windows applications.
Tool for analyzing Windows Recycle Bin INFO2 file
A library to access the Windows New Technology File System (NTFS) format with read-only support for NTFS versions 3.0 and 3.1.
A library to access the Windows New Technology File System (NTFS) format with read-only support for NTFS versions 3.0 and 3.1.
DFIR ORC Documentation provides detailed instructions for setting up the build environment and deploying the tool.
DFIR ORC Documentation provides detailed instructions for setting up the build environment and deploying the tool.
A Cross-Platform Forensic Framework for Google Chrome that allows investigation of history, downloads, bookmarks, cookies, and provides a full report.
A Cross-Platform Forensic Framework for Google Chrome that allows investigation of history, downloads, bookmarks, cookies, and provides a full report.
A library to access and parse Windows XML Event Log (EVTX) format, useful for digital forensics and incident response.
A library to access and parse Windows XML Event Log (EVTX) format, useful for digital forensics and incident response.
WinSearchDBAnalyzer can parse and recover records in Windows.edb, providing detailed insights into various data types.
WinSearchDBAnalyzer can parse and recover records in Windows.edb, providing detailed insights into various data types.
A library for working with Windows NT data types, providing access and manipulation functions.
A library for working with Windows NT data types, providing access and manipulation functions.
Generate comprehensive reports about Windows systems with detailed system, security, networking, and USB information.
Generate comprehensive reports about Windows systems with detailed system, security, networking, and USB information.