What's New at DFIR Training

June 20, 2020. Regularly updated, never outdone, check out the latest additions to keep up on your DFIR training! Website updates. DFIR Subcontractor listings, Forensic Artifacts and more.


Autopsy-Plugins - Mark McKinnon


DFIR Tools

License Type: Free

Autopsy Python Plugins

Autopsy-Plugins

This is a repository of Autopsy Python Plugins. You can download all of them and place them in the python plugin directory. All the plugins will recompile on execution.
 
Plugin Overview

Here is a brief overview of all of the plugins.

- [Amazon Echosystem Parser](./Amazon_Echosystem_Parser/README.md): Parse the databases from an Amazon Alexa image.
- BAM Key: Parse the BAM key from the registry.
- CCM Recently Used Apps: Parse the WMI database for Recently Used Apps.
- Create Data Source Hashset: Creates a file with the hashset of a data source that can then be pulled back into Autopsy as a hash set.
- Create Preview Data Container: Creates an expandable VHD volume and mounts it, then reads a SQLite database of file extensions that can be exported to it and exports the files matching those extensions. Finally it unmounts the VHD so it can be added back into an Autopsy case.
- Cuckoo: Check the status of a Cuckoo server and submit files to it.
- Parse File History: Export the Catalog1.edb file and then call the command line version of Expor_FileHistory. A SQLite database that contains the File History information is created and then imported into the extracted view section of Autopsy.
- Gui Test: Example of the different types of things you can do with the GUI portion of Autopsy Python Plugins.
- Gui Test With Settings: Example of saving and retrieving settings from the GUI of an Autopsy Python Plugin.
- Hash Images: Hash raw, VMDK and VHDI images, like E01 hashing.
- Jump List AD: Export the JumpList AutoDestinations and then call the command line version of the Export_JL_Ad program. A SQLite database that contains the JumpList information is created and then imported into the extracted view section of Autopsy.
- MacFSEvents: Export the .fsevents directory and run the FSEParser_v2.1.exe program against the exported data. It will then import the SQLite database that was created by the program.
- MacOSX Recent: Export/Parse Mac recents.
- MacOSX Safari: Export/Parse Mac OS X Safari. A SQLite database that contains the Safari information is created and then imported into the extracted view section of Autopsy.
- Parse PList: Parse any plist, convert it to a SQLite database and then import the information into the extracted content.
- SAM Parse: Export the SAM Registry Hive and then call the command line version of the SAM Parse program. A SQLite database that contains the SAM information is created and then imported into the extracted view section of Autopsy.
- Parse She
