
appcompatprocessor


DFIR Tools

License Type: Free
Forensic Utilities - Windows, Amcache
"Evolving AppCompat/AmCache data analysis beyond grep"

AppCompatProcessor has been designed to extract additional value from enterprise-wide AppCompat / AmCache data beyond the classic stacking and grepping techniques.

Installation:

OSX: You need Python 2.7+, plus libregf and pyregf (its Python bindings) from https://github.com/libyal/libregf

Option A: Source distribution package from https://github.com/libyal/libregf/releases

  • ./configure --enable-python && make
  • sudo make install
  • python setup.py build
  • python setup.py install
Option B: Direct from source

  • git clone https://github.com/libyal/libregf.git
  • cd libregf/
  • ./synclibs.sh
  • ./autogen.sh
  • ./configure --enable-python && make
  • sudo make install
  • python setup.py build
  • python setup.py install
The rest of the requirements you can handle with 'pip install -r requirements.txt'.

Linux: You need Python 2.7+, and 'sudo pip install -r requirements.txt' should take care of everything for you. If you have issues with libregf or pyregf (the Python bindings for libregf), you can find them here: https://github.com/libyal/libregf

Note: There seems to be an issue with some libregf versions on some Linux environments in which libregf apparently returns file paths encoded as UTF-16 (which breaks our SQL inserts) where it used to return UTF-8. Still trying to pinpoint when and why that happens so it can be handled correctly.
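As an added illustration of the encoding problem described in that note (this is not code from the AppCompatProcessor project, and it is written for Python 3), a small helper that normalizes a path value coming back from the registry bindings, whether it arrives as text, UTF-8 bytes, or UTF-16 bytes with or without a BOM, before it reaches a sqlite insert. The sample rows and the table layout are constructed for the demo.

```python
import sqlite3


def normalize_regf_path(value):
    """Return a str for a path that a registry library may hand back as
    text, UTF-8 bytes, or UTF-16 bytes (with or without a BOM)."""
    if isinstance(value, str):
        return value
    if not isinstance(value, (bytes, bytearray)):
        raise TypeError("expected str or bytes, got %r" % type(value))
    data = bytes(value)
    # A byte-order mark settles it: let the codec pick endianness.
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16").rstrip("\x00")
    # Registry strings are UTF-16LE; for ASCII paths every other byte is NUL,
    # which valid UTF-8 text never contains, so a NUL marks UTF-16 without BOM.
    if b"\x00" in data:
        even = data[: len(data) & ~1]          # drop a dangling odd byte
        return even.decode("utf-16-le").rstrip("\x00")
    return data.decode("utf-8")


def insert_paths(conn, rows):
    """Insert (host, path) pairs after normalizing each path; returns the count."""
    conn.execute("CREATE TABLE IF NOT EXISTS entries (host TEXT, filepath TEXT)")
    normalized = [(host, normalize_regf_path(path)) for host, path in rows]
    conn.executemany("INSERT INTO entries VALUES (?, ?)", normalized)
    conn.commit()
    return len(normalized)


# Constructed sample rows: one per encoding variant the note talks about.
SAMPLE_ROWS = [
    ("host-a", "C:\\Windows\\System32\\cmd.exe"),                          # str
    ("host-b", b"C:\\Windows\\notepad.exe"),                               # UTF-8 bytes
    ("host-c", "C:\\Tools\\7z.exe".encode("utf-16-le")),                   # UTF-16LE, no BOM
    ("host-d", b"\xff\xfe" + "C:\\Temp\\run.exe".encode("utf-16-le")),     # UTF-16 with BOM
]


def demo():
    """Load the sample rows into an in-memory DB and return {host: filepath}."""
    conn = sqlite3.connect(":memory:")
    insert_paths(conn, SAMPLE_ROWS)
    return dict(conn.execute("SELECT host, filepath FROM entries ORDER BY host"))


if __name__ == "__main__":
    for host, path in demo().items():
        print(host, path)
```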

SIFT v3 users: SIFT comes pre-packaged with libregf v20141030, so 'sudo pip install -r requirements.txt' will add the few missing pieces easily.

Windows note: ACP is currently broken on Windows due to differences in the implementation of multiprocessing!
