PSRecon
A PowerShell-based incident response and live forensic data acquisition tool for Windows hosts.
Build Branch Status: - main release/10.1 - release/10.2 Requirements: - Visual Studio From 2017 to 2022 - English only (vcpkg limitation) Use this installer configuration or alternatively use vstools. Check also 'Desktop development with C++'. Kitware's CMake >= 3.25 or Visual Studio integrated version. Build environment can be setup quickly using Microsoft's developer virtual machines. Import this .vsconfig from Visual Studio Installer. Commands: - Both 32-bit and 64-bit versions should be built for maximum compatibility before deployment. - See https://dfir-orc.github.io for more details about deployment and configuration. In a prompt like Developer Command Prompt for VS 2019 (prefer to avoid using cmd.exe): - git clone --recursive https://github.com/dfir-orc/dfir-orc.git - cd dfir-orc - mkdir build-x86 build-x64 - cd build-x86 - cmake -G 'Visual Studio 17 2022' -A Win32 -T v141_xp .. - cmake --build . --config MinSizeRel -- -maxcpucount - cd ../build-x64 - cmake -G 'Visual Studio 17 2022' -A x64 -T v141_xp .. - cmake --build . --config MinSizeRel -- -maxcpucount The -T v141_xp option will allow compatibility with Windows XP SP2 and later, it can safely be removed if not needed.
A PowerShell-based incident response and live forensic data acquisition tool for Windows hosts.
Visually inspect regex matches in binary data/text with YARA and regular expressions, displaying matched bytes and surrounding context.
Dump the contents of the location database files on iOS and macOS with output options like KML and CSV.
Review of various MFT parsers used in digital forensics for analyzing NTFS file systems.
Scripts to automate the process of enumerating a Linux system through a Local File Inclusion (LFI) vulnerability.
A library and tools to access and manipulate VMware Virtual Disk (VMDK) files.