Wednesday, September 23, 2015

Autopsy Python File Marker Module


Repeatedly, I need the file system, registry, event log and prefetch artifacts from endpoints. So I wrote a script that marks those files as interesting in Autopsy, which saves time digging through the folder hierarchy. The File Marker module can be downloaded from GitHub at: https://github.com/jblukach/AutopsyModules

File Marker Module

Below are the marked files, along with some of my favorite tools for parsing each artifact.

Memory: pagefile.sys, hiberfil.sys and MEMORY.DMP

· bulk_extractor – https://github.com/simsong/bulk_extractor
· Volatility – http://www.volatilityfoundation.org

File System: $MFT, $LogFile and $UsnJrnl:$J

· Triforce ANJP Free Edition – https://www.gettriforce.com

Registry: SYSTEM, SECURITY, SOFTWARE, SAM, NTUSER.DAT, UsrClass.dat and Amcache.hve

· Registry Explorer – http://binaryforay.blogspot.com
· RegRipper – https://github.com/keydet89/RegRipper2.8

Event Logs: *.evtx

· python-evtx – https://github.com/williballenthin/python-evtx

Prefetch: *.pf
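As an added illustration of what the marker does (my own standalone code, not the module in the GitHub repository above, which runs inside Autopsy's Jython ingest framework), here is the name-matching logic applied to a plain file listing. Paths in the sample listing are constructed; the function names are my own.

```python
import fnmatch
import posixpath

# Triage artifacts from the post, grouped by category. Fixed names and globs
# are matched case-insensitively against the file name only, since NTFS
# itself is case-insensitive and the same hive can appear in several paths.
ARTIFACTS = {
    "Memory": ["pagefile.sys", "hiberfil.sys", "MEMORY.DMP"],
    "File System": ["$MFT", "$LogFile", "$UsnJrnl:$J"],
    "Registry": ["SYSTEM", "SECURITY", "SOFTWARE", "SAM",
                 "NTUSER.DAT", "UsrClass.dat", "Amcache.hve"],
    "Event Logs": ["*.evtx"],
    "Prefetch": ["*.pf"],
}


def classify(path):
    """Return the artifact category for one path, or None if not interesting.

    Accepts Windows or POSIX separators. The $J alternate data stream keeps
    its ':' in the basename, so the full "$UsnJrnl:$J" pattern still matches.
    Caveat: bare hive names such as SYSTEM or SAM can also hit unrelated
    files outside Windows\System32\config; review hits before pulling them.
    """
    name = posixpath.basename(path.replace("\\", "/")).lower()
    for category, patterns in ARTIFACTS.items():
        for pattern in patterns:
            if fnmatch.fnmatchcase(name, pattern.lower()):
                return category
    return None


def mark_interesting(paths):
    """Reduce a listing to (path, category) pairs worth collecting for triage."""
    return [(p, classify(p)) for p in paths if classify(p) is not None]


# Constructed sample listing, e.g. exported from fls or a directory walk.
SAMPLE_LISTING = [
    "C:\\pagefile.sys",
    "C:\\$MFT",
    "/img/vol2/$Extend/$UsnJrnl:$J",
    "C:\\Windows\\System32\\config\\SYSTEM",
    "C:\\Users\\alice\\NTUSER.DAT",
    "C:\\Windows\\System32\\winevt\\Logs\\Security.evtx",
    "C:\\Windows\\Prefetch\\CMD.EXE-4A81B364.pf",
    "C:\\Users\\alice\\Documents\\notes.txt",
]

if __name__ == "__main__":
    for path, category in mark_interesting(SAMPLE_LISTING):
        print("%-12s %s" % (category, path))
```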

Please comment and share additional disk artifacts or tools that you use for triage!

File Marker Output

