Windows

Cheat sheet with common enumeration and attack methods for Windows Active Directory.

A Windows context menu integration tool that scans files and folders for malware patterns, crypto signatures, and malicious documents using Yara rules and PEID signatures.

TikiTorch is a process injection tool that executes code within the address space of other processes using various injection techniques.

GrokEVT is a tool for reading Windows event log files and converting them to a human-readable format.

An open-source tool that automates the detection and analysis of DLL hijacking vulnerabilities in Windows applications, providing detailed reports and remediation guidance.

A discontinued project for Windows system administration that has been archived due to the author's dissatisfaction with the Windows operating system.

A comprehensive cheat sheet for Windows and Linux terminals and command lines, covering essential commands and syntax for various tasks.

A script that validates Group Policy Object audit settings required for proper Microsoft Defender for Endpoint functionality.

A library for accessing and parsing Extensible Storage Engine (ESE) Database Files used by Microsoft applications like Windows Search, Exchange, and Active Directory for forensic analysis purposes.

Tool for analyzing Windows Recycle Bin INFO2 file

A process scanning tool that detects and dumps malicious implants, shellcodes, hooks, and memory patches in running processes.

ProcFilter is a process filtering system for Windows with built-in YARA integration, designed for malware analysts to create YARA signatures for Windows environments.

A Sysmon configuration file template with detailed explanations and tutorial-like features.

A comprehensive cheat sheet for accessing Windows systems from Linux hosts using smbclient and rpcclient tools, covering password management, user and group enumeration, and more.

A library to access the Windows New Technology File System (NTFS) format with read-only support for NTFS versions 3.0 and 3.1.

DFIR ORC Documentation provides detailed instructions for setting up the build environment and deploying the tool.

APT Simulator is a tool for simulating a compromised system on Windows.

An educational workshop providing hands-on training materials, lab environments, and tools for learning local privilege escalation techniques on Windows and Linux systems.

A repository containing scripts and configuration files to help administrators implement Microsoft AppLocker for application whitelisting based on NSA security guidelines.

A Cross-Platform Forensic Framework for Google Chrome that allows investigation of history, downloads, bookmarks, cookies, and provides a full report.

Semi-tethered jailbreak for iPhone 5s to iPhone X, running iOS 12.0 and up, using the 'checkm8' bootrom exploit.

A library to access and parse Windows XML Event Log (EVTX) format, useful for digital forensics and incident response.

An open source tool that generates YARA rules from installed software on running operating systems for efficient software identification in digital forensic investigations.

WinSearchDBAnalyzer can parse and recover records in Windows.edb, providing detailed insights into various data types.