Unit 42 - Michigan - @bunsofwrath12
🚀 My projects
A sample VHDX file with multiple verbose examples of forensic and anti-forensics artifacts. Meant to be basic and can be expanded upon. Please add a new issue if you have an idea for something to a…
A repo for centralizing ongoing research on the new Windows 10/11 DFIR artifact, EventTranscript.db.
A config file that's curated for DFIR examiners with shortcuts to common Windows artifacts and settings enabled that help make your life easier with various file management tasks.
A repository of output using KAPE (!EZParser Module) for various publicly available forensic images!
A repo to centralize some of the regular expressions I've found useful over the course of my DFIR career.
Various PowerShell scripts I've made (or others have made) to automate some of the boring stuff in my everyday DFIR journey!
Event Tracing For Windows (ETW) Resources
A repo that contains recursive directory listings (using PowerShell) of a vanilla (clean) install of every Windows OS version to compare and see what's been added with each update. Use these CSVs t…
A repo that contains a recursive dump from the ROOT key of every Windows Registry hive (using KAPE) from a vanilla (clean) install of every Windows OS version to compare and see what's been added w…
A script that updates KAPE (using Get-KAPEUpdate.ps1) as well as EZ Tools (within .\KAPE\Modules\bin) and the ancillary files that enhance the output of those tools
The goal of this repo is to archive artifacts from all versions of various OSes and categorize them by type. This will help with artifact validation processes as well as increase access to artifa…
This repository serves as a place for community created Targets and Modules for use with KAPE.
Registry Explorer bookmark definitions
Plugins for parsing CSV files in Timeline Explorer. This project allows for anyone to add more supported files (i.e., they get a Line #/tag column, layout support, searching, etc.)
A repository of DFIR-related Mind Maps geared towards the visual learners!
The official repo for a project involving a crowdsourced DFIR book. The main purpose of this book is to give anyone interested an opportunity to write a chapter of a book to get their name out ther…
Resources provided by the community that can serve to be useful for Law Enforcement worldwide
A repository containing the research output from my GCFE Gold Paper which compared Windows 10 and Windows 11.
A repo hosting the Markua content for the EZ Tools manuals hosted on Leanpub
A PowerShell script that can be used to parse and convert to CSV the new Windows 11 artifacts found in C:\Windows\appcompat\pca
A command-line application to extract (recursively, if needed) ID3 metadata from audio files
A C# (.NET 6) tool to compare the file signature of files recursively and inform the user of matches and mismatches
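The file-signature comparison described above, shown as an added example in Python rather than the repository's own C# tool: each file's extension is compared against the bytes it actually starts with, and the recursive scan separates genuine mismatches (a PE named `.pdf`) from files whose extension the table simply does not know. The signature table, the status names and the constructed sample tree are assumptions made for this example.

```python
"""Flag files whose extension disagrees with their leading bytes (magic signature)."""
import os
import tempfile

# Illustrative signature table (an assumption for this example, not the repo's own list):
# extension -> leading byte sequences a file of that type should start with.
SIGNATURES = {
    "exe": [b"MZ"], "dll": [b"MZ"], "sys": [b"MZ"],
    "pdf": [b"%PDF"],
    "zip": [b"PK\x03\x04", b"PK\x05\x06"],
    "docx": [b"PK\x03\x04"], "xlsx": [b"PK\x03\x04"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"], "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "rtf": [b"{\\rtf"],
}
HEADER_LEN = max(len(s) for sigs in SIGNATURES.values() for s in sigs)


def identify(header):
    """Extensions whose signature matches the first bytes of the file (sorted)."""
    return sorted(ext for ext, sigs in SIGNATURES.items()
                  if any(header.startswith(s) for s in sigs))


def check_bytes(name, header):
    """Classify one file from its name and leading bytes.

    Returns (status, detected), where detected lists the types the header does match:
      match              extension and signature agree
      mismatch           header belongs to a different known type (e.g. a PE named .pdf)
      no-signature       known extension, but the header matches nothing in the table
      unknown-extension  nothing in the table to compare against
    """
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    detected = identify(header)
    if ext not in SIGNATURES:
        return "unknown-extension", detected
    if ext in detected:
        return "match", detected
    if detected:
        return "mismatch", detected
    return "no-signature", detected


def scan_tree(root):
    """Recursively classify every file under root; yields (path, status, detected)."""
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    header = fh.read(HEADER_LEN)
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the scan
            status, detected = check_bytes(fn, header)
            yield path, status, detected


def demo():
    """Constructed sample tree (not real evidence); returns {filename: status}."""
    samples = {
        "setup.exe": b"MZ\x90\x00\x03\x00\x00\x00",    # genuine PE
        "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00",  # PE masquerading as a PDF
        "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",  # genuine JPEG
        "report.docx": b"PK\x03\x04\x14\x00\x06\x00",  # OOXML is a zip container
        "logo.png": b"not an image at all",           # known extension, no signature
        "notes.txt": b"plain text",                   # extension not in the table
    }
    with tempfile.TemporaryDirectory() as tmp:
        sub = os.path.join(tmp, "nested")
        os.mkdir(sub)
        for i, (name, data) in enumerate(samples.items()):
            target = tmp if i % 2 == 0 else sub  # spread files over two directory levels
            with open(os.path.join(target, name), "wb") as fh:
                fh.write(data)
        return {os.path.basename(p): status for p, status, _ in scan_tree(tmp)}


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:18} {name}")
```

Only the first few bytes of each file are read, so the scan stays cheap on large evidence trees; a `mismatch` result is the one worth escalating, since it means the content positively identifies as a different type than the name claims.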
A repo that aims to centralize a current, running list of relevant parsers/tools for known DFIR artifacts
A simple tool to enumerate useful details from CSV files recursively from a provided folder path