Tag Archives: Forensics

OSXCollector – Forensic Evidence Collection Toolkit

OSXCollector is a forensic evidence collection & analysis toolkit for OSX. The collection script runs on a potentially infected machine and outputs a JSON file that describes the target machine. OSXCollector gathers information from plists, SQLite databases and the local file

sysprofiler – Windows Disk Image Profiling

Sysprofiler is a Bash script that uses a combination of existing tools and manual processing to extract these artefacts and output them into either a Tab Separated (TSV) file, which can be opened as a spreadsheet, or a plaintext (TXT)

nightHawkResponse – Incident Response Framework

nightHawkResponse is a custom-built application for asynchronous forensic data presentation on an Elasticsearch backend. This application is designed to ingest a Mandiant Redline "collections" file and give flexibility in search/stack and tagging.

CyLR — Live Response Collection Tool

The CyLR tool collects forensic artifacts from hosts with NTFS file systems quickly and securely while minimizing impact on the host.

GetData Forensic Imager – Program to Take Forensic Image

GetData Forensic Imager is a Windows-based program that will acquire, convert, or verify a forensic image in one of the following common forensic file formats.

CDQR — Cold Disk Quick Response Tool

The CDQR tool uses Plaso to parse disk images with specific parsers and create easy-to-analyze custom reports. The parsers were chosen based on triage best practices, and the custom reports group like items together to make analysis easier.

ArtifactExtractor – Extract common Windows Artifacts

ArtifactExtractor is a script that extracts common Windows artifacts from source images and Volume Shadow Copies (VSCs).