• DFIR Tools
  • TZWorks Computer Account Forensic Artifact Extractor (cafae)

TZWorks Computer Account Forensic Artifact Extractor (cafae)


DFIR Tools

License Type
Forensic Utilities - Windows
cafae is a Windows registry parser that targets specific registry keys that help identify user activity as it pertains to files and program execution. Chosen are a handful of registry entries that are specific to an account's registry hive(s). This includes both a user's ntuser.dat hive and the usrclass.dat hive for Vista and later. Collectively, these two registry hives contain artifacts useful in piecing together some sort of file/program activity that occurred on a specific account. The newer versions of cafae extended the report generation to the software, system, security and amcache hives.

User comments

There are no user comments for this listing.
Already have an account? or Create an account