JumpDisk File List

This is a list of files on my current "jump bag" USB with tooling I use for DFIR. This is a fairly personalised list and is not an indicator that these are the only tools for a given task.

List

  • F:\Documents\DFIR-Smartphone-Forensics-Poster.pdf
  • F:\Documents\Forensic-Analysis-Reports.pdf
  • F:\Documents\FTK Imager Primer.pdf
  • F:\Documents\Hard Drive Acquisition.pdf
  • F:\Documents\Physical Drives and Logical Partition Layouts.pdf
  • F:\Documents\Poster_DFIR_Threat-Intel_2017.pdf
  • F:\Documents\Poster_Memory_Forensics.pdf
  • F:\Documents\Poster_Network-Forensics_WEB.pdf
  • F:\Documents\Poster_SIFT_REMnux_2016_FINAL.pdf
  • F:\Documents\Poster_Windows_Forensics_2018_WEB.pdf
  • F:\Documents\SANS_Poster_2018_Hunt_Evil_FINAL.pdf
  • F:\Acquistion Tooling\FTK_IMAGER
  • F:\Acquistion Tooling\RamCapturer64
  • F:\Acquistion Tooling\BelkaSoftRamCapture.exe
  • F:\Acquistion Tooling\Bin2Dmp.exe
  • F:\Acquistion Tooling\Comae.ps1
  • F:\Acquistion Tooling\dbgeng.dll
  • F:\Acquistion Tooling\dbghelp.dll
  • F:\Acquistion Tooling\Dmp2Bin.exe
  • F:\Acquistion Tooling\Dmp2Json.exe
  • F:\Acquistion Tooling\DumpIt.exe
  • F:\Acquistion Tooling\EDD.exe
  • F:\Acquistion Tooling\Hibr2Bin.exe
  • F:\Acquistion Tooling\Hibr2Dmp.exe
  • F:\Acquistion Tooling\MagnetRAMCapture.exe
  • F:\Acquistion Tooling\Pdb2Json.exe
  • F:\Acquistion Tooling\RamCapture64.exe
  • F:\Acquistion Tooling\RamCaptureDriver64.sys
  • F:\Acquistion Tooling\SwishDbgExt.dll
  • F:\Acquistion Tooling\symsrv.dll
  • F:\Acquistion Tooling\Z2Dmp.exe
  • F:\Acquistion Tooling\MemoryzeSetup3.0.msi
  • F:\Acquistion Tooling\winpmem_1.6.2.exe
  • F:\Acquistion Tooling\Memoryze User Guide.pdf
  • F:\Acquistion Tooling\Redline-1.20.msi
  • F:\Acquistion Tooling\CyLR
  • F:\Acquistion Tooling\FTK_IMAGER\adefs.dll
  • F:\Acquistion Tooling\FTK_IMAGER\adencrypt.dll
  • F:\Acquistion Tooling\FTK_IMAGER\adencrypt_gui.exe
  • F:\Acquistion Tooling\FTK_IMAGER\adfs_globals.dll
  • F:\Acquistion Tooling\FTK_IMAGER\ADIsoDLL.dll
  • F:\Acquistion Tooling\FTK_IMAGER\adshattrdefs.dll
  • F:\Acquistion Tooling\FTK_IMAGER\ad_globals.dll
  • F:\Acquistion Tooling\FTK_IMAGER\ad_log.dll
  • F:\Acquistion Tooling\FTK_IMAGER\boost_date_time-vc100-mt-1_49.dll
  • F:\Acquistion Tooling\FTK_IMAGER\boost_filesystem-vc100-mt-1_49.dll
  • F:\Acquistion Tooling\FTK_IMAGER\boost_regex-vc100-mt-1_49.dll
  • F:\Acquistion Tooling\FTK_IMAGER\boost_system-vc100-mt-1_49.dll
  • F:\Acquistion Tooling\FTK_IMAGER\boost_thread-vc100-mt-1_49.dll
  • F:\Acquistion Tooling\FTK_IMAGER\cximage.dll
  • F:\Acquistion Tooling\FTK_IMAGER\da7zip.dll
  • F:\Acquistion Tooling\FTK_IMAGER\FTK Imager.exe
  • F:\Acquistion Tooling\FTK_IMAGER\icudt44.dll
  • F:\Acquistion Tooling\FTK_IMAGER\icuuc44.dll
  • F:\Acquistion Tooling\FTK_IMAGER\IsoBuster.dll
  • F:\Acquistion Tooling\FTK_IMAGER\libeay32.dll
  • F:\Acquistion Tooling\FTK_IMAGER\LMS.dll
  • F:\Acquistion Tooling\FTK_IMAGER\MD5Remote.dll
  • F:\Acquistion Tooling\FTK_IMAGER\mfc100u.dll
  • F:\Acquistion Tooling\FTK_IMAGER\msvcp100.dll
  • F:\Acquistion Tooling\FTK_IMAGER\msvcr100.dll
  • F:\Acquistion Tooling\FTK_IMAGER\ProfUIS293ad32.dll
  • F:\Acquistion Tooling\FTK_IMAGER\help
  • F:\Acquistion Tooling\FTK_IMAGER\langs
  • F:\Acquistion Tooling\FTK_IMAGER\help\enu
  • F:\Acquistion Tooling\FTK_IMAGER\help\enu\FTKImager_UserGuide.pdf
  • F:\Acquistion Tooling\FTK_IMAGER\langs\chs_adencrypt.dll
  • F:\Acquistion Tooling\FTK_IMAGER\langs\chs_adshattrdefs.dll
  • F:\Acquistion Tooling\FTK_IMAGER\langs\chs_ftki.dll
  • F:\Acquistion Tooling\FTK_IMAGER\langs\deu_adencrypt.dll
  • F:\Acquistion Tooling\FTK_IMAGER\langs\deu_adshattrdefs.dll
  • F:\Acquistion Tooling\FTK_IMAGER\langs\deu_ftki.dll
  • F:\Acquistion Tooling\FTK_IMAGER\langs\esp_adencrypt.dll
  • F:\Acquistion Tooling\FTK_IMAGER\langs\esp_adshattrdefs.dll
  • F:\Acquistion Tooling\FTK_IMAGER\langs\esp_ftki.dll
  • F:\Acquistion Tooling\FTK_IMAGER\langs\fra_adencrypt.dll
  • F:\Acquistion Tooling\FTK_IMAGER\langs\fra_adshattrdefs.dll
  • F:\Acquistion Tooling\FTK_IMAGER\langs\fra_ftki.dll
  • F:\Acquistion Tooling\FTK_IMAGER\langs\ita_adencrypt.dll
  • F:\Acquistion Tooling\FTK_IMAGER\langs\ita_adshattrdefs.dll
  • F:\Acquistion Tooling\FTK_IMAGER\langs\ita_ftki.dll
  • F:\Acquistion Tooling\FTK_IMAGER\langs\jpn_adencrypt.dll
  • F:\Acquistion Tooling\FTK_IMAGER\langs\jpn_adshattrdefs.dll
  • F:\Acquistion Tooling\FTK_IMAGER\langs\jpn_ftki.dll
  • F:\Acquistion Tooling\FTK_IMAGER\langs\kor_adencrypt.dll
  • F:\Acquistion Tooling\FTK_IMAGER\langs\kor_adshattrdefs.dll
  • F:\Acquistion Tooling\FTK_IMAGER\langs\kor_ftki.dll
  • F:\Acquistion Tooling\FTK_IMAGER\langs\nld_adencrypt.dll
  • F:\Acquistion Tooling\FTK_IMAGER\langs\nld_adshattrdefs.dll
  • F:\Acquistion Tooling\FTK_IMAGER\langs\nld_ftki.dll
  • F:\Acquistion Tooling\FTK_IMAGER\langs\ptb_adencrypt.dll
  • F:\Acquistion Tooling\FTK_IMAGER\langs\ptb_adshattrdefs.dll
  • F:\Acquistion Tooling\FTK_IMAGER\langs\ptb_ftki.dll
  • F:\Acquistion Tooling\FTK_IMAGER\langs\sve_adencrypt.dll
  • F:\Acquistion Tooling\FTK_IMAGER\langs\sve_adshattrdefs.dll
  • F:\Acquistion Tooling\FTK_IMAGER\langs\sve_ftki.dll
  • F:\Acquistion Tooling\FTK_IMAGER\langs\trk_adencrypt.dll
  • F:\Acquistion Tooling\FTK_IMAGER\langs\trk_adshattrdefs.dll
  • F:\Acquistion Tooling\FTK_IMAGER\langs\trk_ftki.dll
  • F:\Acquistion Tooling\RamCapturer64\RamCapture64.exe
  • F:\Acquistion Tooling\RamCapturer64\RamCaptureDriver64.sys
  • F:\Acquistion Tooling\CyLR\CyLR.exe
  • F:\Acquistion Tooling\CyLR\CyLR.exe.config
  • F:\Acquistion Tooling\CyLR\CyLR.pdb
  • F:\Acquistion Tooling\CyLR\CYLR_Config.txt
  • F:\DFIR\WMIC
  • F:\DFIR\Powershell
  • F:\DFIR\WMIC\wmic_lr_local.cmd.txt
  • F:\DFIR\WMIC\wmic_lr_remote.cmd.txt
  • F:\DFIR\Powershell\DeepBlueCLI-master
  • F:\DFIR\Powershell\Kansa-master
  • F:\DFIR\Powershell\MimiKatzChecker.ps1
  • F:\DFIR\Powershell\PreFetcher.ps1
  • F:\DFIR\Powershell\quicktriagescript.ps1
  • F:\DFIR\Powershell\UserRights.ps1
  • F:\DFIR\Powershell\huntBotNets.ps1
  • F:\DFIR\Powershell\CimSweep-master
  • F:\DFIR\Powershell\DeepBlueCLI-master.gitattributes
  • F:\DFIR\Powershell\DeepBlueCLI-master\DeepBlue.ps1
  • F:\DFIR\Powershell\DeepBlueCLI-master\DeepBlue.py
  • F:\DFIR\Powershell\DeepBlueCLI-master\DeepWhite-checker.ps1
  • F:\DFIR\Powershell\DeepBlueCLI-master\DeepWhite-collector.ps1
  • F:\DFIR\Powershell\DeepBlueCLI-master\LICENSE
  • F:\DFIR\Powershell\DeepBlueCLI-master\readme-deepblue.py
  • F:\DFIR\Powershell\DeepBlueCLI-master\README-DeepBlue.py.md
  • F:\DFIR\Powershell\DeepBlueCLI-master\README-DeepWhite.md
  • F:\DFIR\Powershell\DeepBlueCLI-master\README.md
  • F:\DFIR\Powershell\DeepBlueCLI-master\regexes.txt
  • F:\DFIR\Powershell\DeepBlueCLI-master\whitelist.txt
  • F:\DFIR\Powershell\DeepBlueCLI-master\evtx
  • F:\DFIR\Powershell\DeepBlueCLI-master\hashes
  • F:\DFIR\Powershell\DeepBlueCLI-master\whitelists
  • F:\DFIR\Powershell\DeepBlueCLI-master\evtx\many-events-application.evtx
  • F:\DFIR\Powershell\DeepBlueCLI-master\evtx\many-events-security.evtx
  • F:\DFIR\Powershell\DeepBlueCLI-master\evtx\many-events-system.evtx
  • F:\DFIR\Powershell\DeepBlueCLI-master\evtx\metasploit-psexec-native-target-security.evtx
  • F:\DFIR\Powershell\DeepBlueCLI-master\evtx\metasploit-psexec-native-target-system.evtx
  • F:\DFIR\Powershell\DeepBlueCLI-master\evtx\metasploit-psexec-powershell-target-security.evtx
  • F:\DFIR\Powershell\DeepBlueCLI-master\evtx\metasploit-psexec-powershell-target-system.evtx
  • F:\DFIR\Powershell\DeepBlueCLI-master\evtx\new-user-security.evtx
  • F:\DFIR\Powershell\DeepBlueCLI-master\evtx\Powershell-Invoke-Obfuscation-encoding-menu.evtx
  • F:\DFIR\Powershell\DeepBlueCLI-master\evtx\Powershell-Invoke-Obfuscation-many.evtx
  • F:\DFIR\Powershell\DeepBlueCLI-master\evtx\Powershell-Invoke-Obfuscation-string-menu.evtx
  • F:\DFIR\Powershell\DeepBlueCLI-master\evtx\powersploit-security.evtx
  • F:\DFIR\Powershell\DeepBlueCLI-master\evtx\powersploit-system.evtx
  • F:\DFIR\Powershell\DeepBlueCLI-master\evtx\psattack-security.evtx
  • F:\DFIR\Powershell\DeepBlueCLI-master\evtx\smb-password-guessing-security.evtx
  • F:\DFIR\Powershell\DeepBlueCLI-master\hashes\readme.md
  • F:\DFIR\Powershell\DeepBlueCLI-master\whitelists\readme.md
  • F:\DFIR\Powershell\DeepBlueCLI-master\whitelists\win10-x64.csv
  • F:\DFIR\Powershell\Kansa-master.gitignore
  • F:\DFIR\Powershell\Kansa-master\contributing.md
  • F:\DFIR\Powershell\Kansa-master\kansa.ps1
  • F:\DFIR\Powershell\Kansa-master\LICENSE
  • F:\DFIR\Powershell\Kansa-master\MSLimitedPublicLicense.txt
  • F:\DFIR\Powershell\Kansa-master\README.md
  • F:\DFIR\Powershell\Kansa-master\Analysis
  • F:\DFIR\Powershell\Kansa-master\Modules
  • F:\DFIR\Powershell\Kansa-master\Analysis\Analysis.conf
  • F:\DFIR\Powershell\Kansa-master\Analysis\Deserialize-KansaField.ps1
  • F:\DFIR\Powershell\Kansa-master\Analysis\Get-LogparserStack.ps1
  • F:\DFIR\Powershell\Kansa-master\Analysis\Resolve-WindowsGUID.ps1
  • F:\DFIR\Powershell\Kansa-master\Analysis\asep
  • F:\DFIR\Powershell\Kansa-master\Analysis\config
  • F:\DFIR\Powershell\Kansa-master\Analysis\disk
  • F:\DFIR\Powershell\Kansa-master\Analysis\log
  • F:\DFIR\Powershell\Kansa-master\Analysis\meta
  • F:\DFIR\Powershell\Kansa-master\Analysis\Net
  • F:\DFIR\Powershell\Kansa-master\Analysis\process
  • F:\DFIR\Powershell\Kansa-master\Analysis\asep\Get-ASEPImagePathLaunchStringMD5UnsignedStack.ps1
  • F:\DFIR\Powershell\Kansa-master\Analysis\asep\Get-ASEPImagePathLaunchStringMD5UnsignedTimeStack.ps1
  • F:\DFIR\Powershell\Kansa-master\Analysis\asep\Get-ASEPImagePathLaunchStringPublisherStack.ps1
  • F:\DFIR\Powershell\Kansa-master\Analysis\asep\Get-ASEPImagePathLaunchStringStack.ps1
  • F:\DFIR\Powershell\Kansa-master\Analysis\asep\Get-ASEPImagePathLaunchStringUnsignedStack.ps1
  • F:\DFIR\Powershell\Kansa-master\Analysis\asep\Get-SvcAllRunningAuto.ps1
  • F:\DFIR\Powershell\Kansa-master\Analysis\asep\Get-SvcAllStack.ps1
  • F:\DFIR\Powershell\Kansa-master\Analysis\asep\Get-SvcFailAllStack.ps1
  • F:\DFIR\Powershell\Kansa-master\Analysis\asep\Get-SvcFailCmdLineStack.ps1
  • F:\DFIR\Powershell\Kansa-master\Analysis\asep\Get-SvcFailStack.ps1
  • F:\DFIR\Powershell\Kansa-master\Analysis\asep\Get-SvcStartNameStack.ps1
  • F:\DFIR\Powershell\Kansa-master\Analysis\asep\Get-SvcTrigStack.ps1
  • F:\DFIR\Powershell\Kansa-master\Analysis\config\Get-AMHealthStatusStack.ps1
  • F:\DFIR\Powershell\Kansa-master\Analysis\config\Get-AMInfectionStatus.ps1
  • F:\DFIR\Powershell\Kansa-master\Analysis\config\Get-LocalAdminStack.ps1
  • F:\DFIR\Powershell\Kansa-master\Analysis\disk\Get-WebrootListingEntropyOutliers.ps1
  • F:\DFIR\Powershell\Kansa-master\Analysis\log\Get-LogUserAssistValueByDate.ps1
  • F:\DFIR\Powershell\Kansa-master\Analysis\log\Get-LogUserAssistValueStack.ps1
  • F:\DFIR\Powershell\Kansa-master\Analysis\meta\Get-AllFileLengths.ps1
  • F:\DFIR\Powershell\Kansa-master\Analysis\meta\Get-FileLengths.ps1
  • F:\DFIR\Powershell\Kansa-master\Analysis\Net\Get-ARPStack.ps1
  • F:\DFIR\Powershell\Kansa-master\Analysis\Net\Get-DNSCacheStack.ps1
  • F:\DFIR\Powershell\Kansa-master\Analysis\Net\Get-NetstatByProtoForeignIpStateComponentProcessStack.ps1
  • F:\DFIR\Powershell\Kansa-master\Analysis\Net\Get-NetstatDistinctLocal16IPv4.ps1
  • F:\DFIR\Powershell\Kansa-master\Analysis\Net\Get-NetstatDistinctLocal24.ps1
  • F:\DFIR\Powershell\Kansa-master\Analysis\Net\Get-NetstatForeign16sStack.ps1
  • F:\DFIR\Powershell\Kansa-master\Analysis\Net\Get-NetstatForeign24sStack.ps1
  • F:\DFIR\Powershell\Kansa-master\Analysis\Net\Get-NetstatForeignIpPortProcesStack.ps1
  • F:\DFIR\Powershell\Kansa-master\Analysis\Net\Get-NetstatForeignIpProcess.ps1
  • F:\DFIR\Powershell\Kansa-master\Analysis\Net\Get-NetstatListenerStack.ps1
  • F:\DFIR\Powershell\Kansa-master\Analysis\Net\Get-NetstatStack.ps1
  • F:\DFIR\Powershell\Kansa-master\Analysis\process\Get-HandleProcessOwnerStack.ps1
  • F:\DFIR\Powershell\Kansa-master\Analysis\process\Get-PrefetchListingLastWriteTime.ps1
  • F:\DFIR\Powershell\Kansa-master\Analysis\process\Get-PrefetchListingStack.ps1
  • F:\DFIR\Powershell\Kansa-master\Analysis\process\Get-ProcsWMICLIMD5Stack.ps1
  • F:\DFIR\Powershell\Kansa-master\Analysis\process\Get-ProcsWMICmdlineStack.ps1
  • F:\DFIR\Powershell\Kansa-master\Analysis\process\Get-ProcsWMIPath.ps1
  • F:\DFIR\Powershell\Kansa-master\Analysis\process\Get-ProcsWMIProcessNameStack.ps1
  • F:\DFIR\Powershell\Kansa-master\Analysis\process\Get-ProcsWMISortByCreationDate.ps1
  • F:\DFIR\Powershell\Kansa-master\Analysis\process\Get-ProcsWMITempExePath.ps1
  • F:\DFIR\Powershell\Kansa-master\Analysis\process\Get-ProxSystemStartTime.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules.gitignore
  • F:\DFIR\Powershell\Kansa-master\Modules\default-template.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Modules.conf
  • F:\DFIR\Powershell\Kansa-master\Modules\ASEP
  • F:\DFIR\Powershell\Kansa-master\Modules\bin
  • F:\DFIR\Powershell\Kansa-master\Modules\Config
  • F:\DFIR\Powershell\Kansa-master\Modules\Disk
  • F:\DFIR\Powershell\Kansa-master\Modules\IOC
  • F:\DFIR\Powershell\Kansa-master\Modules\Log
  • F:\DFIR\Powershell\Kansa-master\Modules\Net
  • F:\DFIR\Powershell\Kansa-master\Modules\Process
  • F:\DFIR\Powershell\Kansa-master\Modules\ASEP\Get-Autorunsc.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\ASEP\Get-AutorunscDeep.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\ASEP\Get-ImagePathExecutionOptions.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\ASEP\Get-PSProfiles.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\ASEP\Get-SchedTasks.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\ASEP\Get-Sigcheck.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\ASEP\Get-SigCheckRandomPath.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\ASEP\Get-SvcAll.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\ASEP\Get-SvcFail.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\ASEP\Get-SvcTrigs.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\ASEP\Get-WMIEvtConsumer.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\ASEP\Get-WMIEvtFilter.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\ASEP\Get-WMIFltConBind.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\bin.gitignore
  • F:\DFIR\Powershell\Kansa-master\Modules\bin\psfile.exe
  • F:\DFIR\Powershell\Kansa-master\Modules\bin\PsGetsid64.exe
  • F:\DFIR\Powershell\Kansa-master\Modules\bin\PsInfo64.exe
  • F:\DFIR\Powershell\Kansa-master\Modules\bin\pslist64.exe
  • F:\DFIR\Powershell\Kansa-master\Modules\bin\psloglist.exe
  • F:\DFIR\Powershell\Kansa-master\Modules\bin\pspasswd64.exe
  • F:\DFIR\Powershell\Kansa-master\Modules\bin\PsService.exe
  • F:\DFIR\Powershell\Kansa-master\Modules\bin\PsService64.exe
  • F:\DFIR\Powershell\Kansa-master\Modules\bin\Sysmon64.exe
  • F:\DFIR\Powershell\Kansa-master\Modules\Config\Get-AMHealthStatus.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Config\Get-AMInfectionStatus.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Config\Get-CertStore.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Config\Get-ClrVersion.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Config\Get-GPResult.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Config\Get-Hotfix.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Config\Get-IIS.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Config\Get-LocalAdmins.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Config\Get-Products.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Config\Get-PSDotNetVersion.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Config\Get-SharePermissions.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Config\Get-SmbShare.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Disk\Get-DiskUsage.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Disk\Get-File.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Disk\Get-FileHashes.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Disk\Get-FilesByHash.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Disk\Get-FilesByHashes.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Disk\Get-FlsBodyfile.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Disk\Get-IOCsByPath.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Disk\Get-MasterFileTable.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Disk\Get-TempDirListing.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Disk\Get-WebrootListing.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\IOC\Get-Loki.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Log\Get-AppCompatCache.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Log\Get-LogCBS.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Log\Get-LogOpenSavePidlMRU.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Log\Get-LogUserAssist.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Log\Get-LogWinEvent.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Log\Get-OfficeMRU.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Log\Get-RdpConnectionLogs.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Log\Get-SysmonNetwork.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Log\Get-SysmonProcess.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Net\Get-Arp.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Net\Get-DNSCache.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Net\Get-NetIPInterfaces.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Net\Get-NetRoutes.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Net\Get-Netstat.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Net\Get-SmbSession.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Net\Get-WMIIETelemetry.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Process\Get-Handle.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Process\Get-PrefetchFiles.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Process\Get-PrefetchListing.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Process\Get-ProcDump.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Process\Get-ProcsNModules.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Process\Get-ProcsWMI.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Process\Get-Prox.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Process\Get-RekalPslist.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Process\Get-Tasklistv.ps1
  • F:\DFIR\Powershell\Kansa-master\Modules\Process\Get-WMIRecentApps.ps1
  • F:\DFIR\Powershell\CimSweep-master\appveyor.yml
  • F:\DFIR\Powershell\CimSweep-master\CONTRIBUTORS.md
  • F:\DFIR\Powershell\CimSweep-master\LICENSE
  • F:\DFIR\Powershell\CimSweep-master\README.md
  • F:\DFIR\Powershell\CimSweep-master\CimSweep
  • F:\DFIR\Powershell\CimSweep-master\CimSweep\CimSweep.cat
  • F:\DFIR\Powershell\CimSweep-master\CimSweep\CimSweep.psd1
  • F:\DFIR\Powershell\CimSweep-master\CimSweep\CimSweep.psm1
  • F:\DFIR\Powershell\CimSweep-master\CimSweep\ArtifactRetrieval
  • F:\DFIR\Powershell\CimSweep-master\CimSweep\Auditing
  • F:\DFIR\Powershell\CimSweep-master\CimSweep\Core
  • F:\DFIR\Powershell\CimSweep-master\CimSweep\Tests
  • F:\DFIR\Powershell\CimSweep-master\CimSweep\ArtifactRetrieval\AppCompatCache.ps1
  • F:\DFIR\Powershell\CimSweep-master\CimSweep\ArtifactRetrieval\AppCompatDatabases.ps1
  • F:\DFIR\Powershell\CimSweep-master\CimSweep\ArtifactRetrieval\Autoruns.ps1
  • F:\DFIR\Powershell\CimSweep-master\CimSweep\ArtifactRetrieval\NetworkProfiles.ps1
  • F:\DFIR\Powershell\CimSweep-master\CimSweep\ArtifactRetrieval\SuspiciousFiles.ps1
  • F:\DFIR\Powershell\CimSweep-master\CimSweep\ArtifactRetrieval\SuspiciousURLs.ps1
  • F:\DFIR\Powershell\CimSweep-master\CimSweep\ArtifactRetrieval\UserAssist.ps1
  • F:\DFIR\Powershell\CimSweep-master\CimSweep\Auditing\ACLAudits.ps1
  • F:\DFIR\Powershell\CimSweep-master\CimSweep\Auditing\AntiVirusInfo.ps1
  • F:\DFIR\Powershell\CimSweep-master\CimSweep\Auditing\Bitlocker.ps1
  • F:\DFIR\Powershell\CimSweep-master\CimSweep\Auditing\DeviceGuard.ps1
  • F:\DFIR\Powershell\CimSweep-master\CimSweep\Auditing\ProxyConfig.ps1
  • F:\DFIR\Powershell\CimSweep-master\CimSweep\Auditing\TrustComponents.ps1
  • F:\DFIR\Powershell\CimSweep-master\CimSweep\Core\CoreFunctions.ps1
  • F:\DFIR\Powershell\CimSweep-master\CimSweep\Tests\Core.CimSweep.Tests.ps1
  • F:\DFIR\Powershell\CimSweep-master\CimSweep\Tests\Module.Tests.ps1
  • F:\Sysinternals\accesschk.exe
  • F:\Sysinternals\accesschk64.exe
  • F:\Sysinternals\AccessEnum.exe
  • F:\Sysinternals\AdExplorer.chm
  • F:\Sysinternals\ADExplorer.exe
  • F:\Sysinternals\ADInsight.chm
  • F:\Sysinternals\ADInsight.exe
  • F:\Sysinternals\adrestore.exe
  • F:\Sysinternals\Autologon.exe
  • F:\Sysinternals\autoruns.chm
  • F:\Sysinternals\Autoruns.exe
  • F:\Sysinternals\Autoruns64.exe
  • F:\Sysinternals\autorunsc.exe
  • F:\Sysinternals\autorunsc64.exe
  • F:\Sysinternals\Bginfo.exe
  • F:\Sysinternals\Bginfo64.exe
  • F:\Sysinternals\Cacheset.exe
  • F:\Sysinternals\Clockres.exe
  • F:\Sysinternals\Clockres64.exe
  • F:\Sysinternals\Contig.exe
  • F:\Sysinternals\Contig64.exe
  • F:\Sysinternals\Coreinfo.exe
  • F:\Sysinternals\ctrl2cap.amd.sys
  • F:\Sysinternals\ctrl2cap.exe
  • F:\Sysinternals\ctrl2cap.nt4.sys
  • F:\Sysinternals\ctrl2cap.nt5.sys
  • F:\Sysinternals\dbgview.chm
  • F:\Sysinternals\Dbgview.exe
  • F:\Sysinternals\Desktops.exe
  • F:\Sysinternals\Disk2vhd.chm
  • F:\Sysinternals\disk2vhd.exe
  • F:\Sysinternals\diskext.exe
  • F:\Sysinternals\diskext64.exe
  • F:\Sysinternals\Diskmon.exe
  • F:\Sysinternals\DISKMON.HLP
  • F:\Sysinternals\DiskView.exe
  • F:\Sysinternals\DMON.SYS
  • F:\Sysinternals\du.exe
  • F:\Sysinternals\du64.exe
  • F:\Sysinternals\efsdump.exe
  • F:\Sysinternals\Eula.txt
  • F:\Sysinternals\FindLinks.exe
  • F:\Sysinternals\FindLinks64.exe
  • F:\Sysinternals\handle.exe
  • F:\Sysinternals\handle64.exe
  • F:\Sysinternals\hex2dec.exe
  • F:\Sysinternals\hex2dec64.exe
  • F:\Sysinternals\junction.exe
  • F:\Sysinternals\junction64.exe
  • F:\Sysinternals\ldmdump.exe
  • F:\Sysinternals\Listdlls.exe
  • F:\Sysinternals\Listdlls64.exe
  • F:\Sysinternals\livekd.exe
  • F:\Sysinternals\livekd64.exe
  • F:\Sysinternals\LoadOrd.exe
  • F:\Sysinternals\LoadOrd64.exe
  • F:\Sysinternals\LoadOrdC.exe
  • F:\Sysinternals\LoadOrdC64.exe
  • F:\Sysinternals\logonsessions.exe
  • F:\Sysinternals\logonsessions64.exe
  • F:\Sysinternals\movefile.exe
  • F:\Sysinternals\movefile64.exe
  • F:\Sysinternals\notmyfault.exe
  • F:\Sysinternals\notmyfault64.exe
  • F:\Sysinternals\notmyfaultc.exe
  • F:\Sysinternals\notmyfaultc64.exe
  • F:\Sysinternals\ntfsinfo.exe
  • F:\Sysinternals\ntfsinfo64.exe
  • F:\Sysinternals\pagedfrg.exe
  • F:\Sysinternals\pagedfrg.hlp
  • F:\Sysinternals\pendmoves.exe
  • F:\Sysinternals\pendmoves64.exe
  • F:\Sysinternals\pipelist.exe
  • F:\Sysinternals\pipelist64.exe
  • F:\Sysinternals\PORTMON.CNT
  • F:\Sysinternals\portmon.exe
  • F:\Sysinternals\PORTMON.HLP
  • F:\Sysinternals\procdump.exe
  • F:\Sysinternals\procdump64.exe
  • F:\Sysinternals\procexp.chm
  • F:\Sysinternals\procexp.exe
  • F:\Sysinternals\procexp64.exe
  • F:\Sysinternals\procmon.chm
  • F:\Sysinternals\Procmon.exe
  • F:\Sysinternals\PsExec.exe
  • F:\Sysinternals\PsExec64.exe
  • F:\Sysinternals\psfile.exe
  • F:\Sysinternals\psfile64.exe
  • F:\Sysinternals\PsGetsid.exe
  • F:\Sysinternals\PsGetsid64.exe
  • F:\Sysinternals\PsInfo.exe
  • F:\Sysinternals\PsInfo64.exe
  • F:\Sysinternals\pskill.exe
  • F:\Sysinternals\pskill64.exe
  • F:\Sysinternals\pslist.exe
  • F:\Sysinternals\pslist64.exe
  • F:\Sysinternals\PsLoggedon.exe
  • F:\Sysinternals\PsLoggedon64.exe
  • F:\Sysinternals\psloglist.exe
  • F:\Sysinternals\pspasswd.exe
  • F:\Sysinternals\pspasswd64.exe
  • F:\Sysinternals\psping.exe
  • F:\Sysinternals\psping64.exe
  • F:\Sysinternals\PsService.exe
  • F:\Sysinternals\PsService64.exe
  • F:\Sysinternals\psshutdown.exe
  • F:\Sysinternals\pssuspend.exe
  • F:\Sysinternals\pssuspend64.exe
  • F:\Sysinternals\Pstools.chm
  • F:\Sysinternals\psversion.txt
  • F:\Sysinternals\RAMMap.exe
  • F:\Sysinternals\readme.txt
  • F:\Sysinternals\RegDelNull.exe
  • F:\Sysinternals\RegDelNull64.exe
  • F:\Sysinternals\regjump.exe
  • F:\Sysinternals\RootkitRevealer.chm
  • F:\Sysinternals\RootkitRevealer.exe
  • F:\Sysinternals\ru.exe
  • F:\Sysinternals\ru64.exe
  • F:\Sysinternals\sdelete.exe
  • F:\Sysinternals\sdelete64.exe
  • F:\Sysinternals\ShareEnum.exe
  • F:\Sysinternals\ShellRunas.exe
  • F:\Sysinternals\sigcheck.exe
  • F:\Sysinternals\sigcheck64.exe
  • F:\Sysinternals\streams.exe
  • F:\Sysinternals\streams64.exe
  • F:\Sysinternals\strings.exe
  • F:\Sysinternals\strings64.exe
  • F:\Sysinternals\sync.exe
  • F:\Sysinternals\sync64.exe
  • F:\Sysinternals\Sysmon.exe
  • F:\Sysinternals\Sysmon64.exe
  • F:\Sysinternals\Tcpvcon.exe
  • F:\Sysinternals\tcpview.chm
  • F:\Sysinternals\Tcpview.exe
  • F:\Sysinternals\TCPVIEW.HLP
  • F:\Sysinternals\Testlimit.exe
  • F:\Sysinternals\Testlimit64.exe
  • F:\Sysinternals\Vmmap.chm
  • F:\Sysinternals\vmmap.exe
  • F:\Sysinternals\vmmap64.exe
  • F:\Sysinternals\Volumeid.exe
  • F:\Sysinternals\Volumeid64.exe
  • F:\Sysinternals\whois.exe
  • F:\Sysinternals\whois64.exe
  • F:\Sysinternals\Winobj.exe
  • F:\Sysinternals\WINOBJ.HLP
  • F:\Sysinternals\ZoomIt.exe