Wednesday, September 23, 2015

Autopsy Python File Marker Module

I repeatedly need the same small set of artifacts from endpoints: memory, file system, registry, event logs and prefetch. So I wrote an Autopsy Python module that marks those files as interesting, which saves the time otherwise spent digging through the folder hierarchy by hand on every case. The File Marker module can be downloaded from GitHub at:

File Marker Module

Below are the files the module marks, grouped by artifact type, along with some of my favorite tools for parsing each of them.

Memory: pagefile.sys, hiberfil.sys and MEMORY.DMP (hiberfil.sys is stored compressed and has to be converted before it can be treated as a raw memory image)

· bulk_extractor
· Volatility

File System: $MFT, $LogFile and $UsnJrnl:$J (the $J data stream of $Extend\$UsnJrnl)

· Triforce ANJP Free Edition

Registry: SYSTEM, SECURITY, SOFTWARE, SAM (Windows\System32\config), NTUSER.DAT (each user's profile root), UsrClass.dat (AppData\Local\Microsoft\Windows) and Amcache.hve (Windows\appcompat\Programs)

· Registry Explorer
· RegRipper

Event Logs: *.evtx (Windows\System32\winevt\Logs)

· python-evtx

Prefetch: *.pf (Windows\Prefetch)
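As an added, stand-alone example (not the File Marker module's own code, which runs inside Autopsy's Jython module API), the script below applies the same triage idea to a plain file listing: it marks every path whose name matches the artifact list above and groups the hits by category. The category and file names come from this page; the glob patterns, the case-insensitive matching, the rule that the bare hive names SYSTEM, SECURITY, SOFTWARE and SAM only count when they sit in a directory named config, and the sample listing are this example's own assumptions.

```python
import fnmatch
import ntpath

# Triage categories taken from the artifact list on this page. The matching
# rules (exact names, glob patterns, and the parent-directory constraint on
# the bare hive names) are this example's own, not the File Marker module's.
ARTIFACT_RULES = {
    "Memory": {"names": {"pagefile.sys", "hiberfil.sys", "memory.dmp"}},
    "File System": {"names": {"$mft", "$logfile", "$usnjrnl:$j"}},
    "Registry": {
        # Hives named SYSTEM/SECURITY/SOFTWARE/SAM only count when they sit in
        # a directory named "config" (Windows\System32\config); otherwise any
        # stray file called "system" or "software" would be marked.
        "names_in_config": {"system", "security", "software", "sam"},
        "names": {"ntuser.dat", "usrclass.dat", "amcache.hve"},
    },
    "Event Logs": {"globs": ["*.evtx"]},
    "Prefetch": {"globs": ["*.pf"]},
}


def classify(path):
    """Return the triage category for one path, or None if it is not interesting.

    Matching is case-insensitive because NTFS file names are. ntpath accepts
    both "\\" and "/" separators, so TSK/Autopsy-style listings work as-is.
    """
    parent, name = ntpath.split(path)
    name = name.lower()
    parent_dir = ntpath.basename(parent).lower()

    for category, rule in ARTIFACT_RULES.items():
        if name in rule.get("names", set()):
            return category
        if name in rule.get("names_in_config", set()) and parent_dir == "config":
            return category
        for pattern in rule.get("globs", []):
            if fnmatch.fnmatch(name, pattern):
                return category
    return None


def mark_interesting(paths):
    """Group paths by category, keeping only the ones that match a rule."""
    marked = {}
    for path in paths:
        category = classify(path)
        if category is not None:
            marked.setdefault(category, []).append(path)
    return marked


# Constructed sample listing in the style of a TSK/Autopsy path dump
# (hypothetical image and file names, not taken from a real case).
SAMPLE_LISTING = [
    "/img_disk.E01/vol_vol2/$MFT",
    "/img_disk.E01/vol_vol2/$LogFile",
    "/img_disk.E01/vol_vol2/$Extend/$UsnJrnl:$J",
    "/img_disk.E01/vol_vol2/pagefile.sys",
    "/img_disk.E01/vol_vol2/hiberfil.sys",
    "/img_disk.E01/vol_vol2/Windows/MEMORY.DMP",
    "/img_disk.E01/vol_vol2/Windows/System32/config/SYSTEM",
    "/img_disk.E01/vol_vol2/Windows/System32/config/SAM",
    "/img_disk.E01/vol_vol2/Windows/appcompat/Programs/Amcache.hve",
    "/img_disk.E01/vol_vol2/Users/alice/NTUSER.DAT",
    "/img_disk.E01/vol_vol2/Users/alice/AppData/Local/Microsoft/Windows/UsrClass.dat",
    "/img_disk.E01/vol_vol2/Windows/System32/winevt/Logs/Security.evtx",
    "/img_disk.E01/vol_vol2/Windows/Prefetch/CMD.EXE-4A81B364.pf",
    "/img_disk.E01/vol_vol2/Users/alice/Documents/system",  # not a hive
    "/img_disk.E01/vol_vol2/Users/alice/Documents/notes.txt",
]

if __name__ == "__main__":
    for category, files in mark_interesting(SAMPLE_LISTING).items():
        print(category)
        for f in files:
            print("   ", f)
```

Feed it a path dump from the image (for instance an Autopsy file listing export or the output of `fls -r`) instead of the constructed sample. The parent-directory check on the bare hive names is the part worth keeping: a name-only rule marks every file called `system` or `software` anywhere on the volume, and the stray `Documents/system` entry in the sample shows that false positive being filtered out.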

Please comment and share additional disk artifacts or tools that you use for triage!

File Marker Output
