I’ve organised the tools I normally go to by the artefact each is used for. Of course, these are my personal preferences, so try as many tools as you can, or better yet, make them from scratch yourself. The better you understand the artefact, the more you will get out of the tools.
Summary
- UserAssist — Registry Explorer/RECmd
- Shimcache — Registry Explorer/RECmd
- Amcache.hve — AmcacheParser
- System Resource Usage Monitor (SRUM) — srum-dump
- Prefetch — PECmd
- Event Logs — Event Log Explorer
- USN Journal — ExtractUsnJrnl, UsnJrnl2Csv
- MFT — RawCopy, MFTDump.exe
UserAssist
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
Registry Explorer/RECmd — A versatile registry tool by Eric Zimmerman. Its GUI has a built-in parser that displays the entries in their decoded (un-ROT13) form.
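To see what that built-in parser is doing, here is an added Python example (not from the post and not Registry Explorer’s own code) that ROT13-decodes a UserAssist value name and pulls the run count, focus time and last-run FILETIME out of the 72-byte Windows 7+ value layout; the sample value name and data are constructed for the demo.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert a 64-bit Windows FILETIME to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def decode_userassist_name(value_name):
    """UserAssist value names (GUID prefix included) are stored ROT13-obfuscated."""
    return codecs.decode(value_name, "rot_13")


def parse_userassist_value(value_name, data):
    """Parse one Windows 7+ UserAssist value (72 bytes of binary data).

    Documented layout: run count at offset 4, focus count at 8,
    focus time in milliseconds at 12, last-run FILETIME at 60.
    """
    if len(data) < 68:
        raise ValueError("value data too short for the Windows 7+ UserAssist layout")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_run_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "program": decode_userassist_name(value_name),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        # A zero FILETIME means no execution time has been recorded.
        "last_run": filetime_to_datetime(last_run_ft) if last_run_ft else None,
    }


def build_sample_value(run_count, focus_count, focus_ms, last_run):
    """Constructed test data only: build a 72-byte value in the layout parsed above."""
    filetime = ((last_run - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    data = bytearray(72)
    struct.pack_into("<III", data, 4, run_count, focus_count, focus_ms)
    struct.pack_into("<Q", data, 60, filetime)
    return bytes(data)


# Constructed sample: how "{1AC14E77-...}\notepad.exe" appears in the hive.
SAMPLE_NAME = r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\abgrcnq.rkr"
SAMPLE_DATA = build_sample_value(7, 3, 45000, datetime(2021, 3, 4, 10, 15, 30, tzinfo=timezone.utc))

if __name__ == "__main__":
    for key, value in parse_userassist_value(SAMPLE_NAME, SAMPLE_DATA).items():
        print(f"{key}: {value}")
```

On a live system the same value names and data can be read from the key above with the standard library’s winreg module; on an exported hive use a hive parser to get to the raw values.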
Shimcache
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache
Registry Explorer/RECmd — The fewer tools the better. Registry Explorer has an AppCompatCache viewer while still being a fast application. It even bookmarks the entries for you when you load the hives!
Amcache.hve
C:\Windows\AppCompat\Programs\Amcache.hve
AmcacheParser — There has been a lot of research on this artefact, and as it contains the SHA1 hashes of executables, it’s one of my favourites. Please read Eric’s intro blog about the tool, as it covers some very helpful command line switches.
System Resource Usage Monitor (SRUM)
C:\Windows\system32\sru\SRUDB.dat
srum-dump — This Python-based tool can dump the database to CSV so you can easily calculate usage by process.
Prefetch
C:\Windows\Prefetch\*.pf
PECmd — You can run it per prefetch file, or just recursively on a directory containing multiple prefetch files.
Event Logs
C:\Windows\System32\winevt\Logs\*.evtx
Event Log Explorer — A quick, lightweight event log viewer that is much easier to search and filter than the built-in viewer. Free personal-use license.
USN Journal
c:\$Extend\$UsnJrnl:$J
To Obtain: ExtractUsnJrnl — jschicht created a smart tool that grabs only what you need from the $J alternate data stream of $UsnJrnl and keeps the output file size small.
To Parse: UsnJrnl2Csv — as seen above, jschicht has great forensic tools, and his *2Csv tools are no different.
MFT
c:\$MFT
To Obtain: RawCopy — I generally use this for anything that is locked by the system. It also supports sending the data to a remote system.
To Parse: MFTDump.exe — I’ve used a few MFT parsers, but this one seems to handle deleted files the best and has all the timestamp fields.
Here is an awesome blog detailing the differences between a few MFT tools so you can make up your own mind. It doesn’t include my second favourite, MFT2Csv, which even has a GUI!
Thanks for reading! — @7a616368