
This tool searches a mounted archive for all the Windows artifacts that Zimmerman's tool suite can handle, and lists or processes them.

There are 3 functions:

  • help() : prints help
  • checkup() : checks if tools are installed & executable and folders exist and are writable
  • invest() : launches investigation on all/requested artifacts

Everything is logged to the log file, which is created in the investigation folder. Nothing is printed or returned (this may change in a later update).

__init__() options are:

  • <PATH_INVESTIGATION_ROOT> (optional, ./investigations by default): path to the archive hosting artifacts.
  • <INVESTIGATION_NAME> (optional, '%Y-%m-%d_%Hh%Mm%Ss' by default): name of the investigation path the script will log & create files to.
  • <PATH_TO_FOLDER_HOSTING_ZIMMERMAN_TOOLS> (optional, ./tools by default): path to folder hosting all .exe from Zimmerman suite.
  • <LOG_FILENAME> (optional, <INVESTIGATION_NAME>.log by default): log of actions.
  • <FILE_FORMAT> (optional, csv format by default): can be changed to json.

ATTENTION: JSON output is not supported by all Zimmerman tools!

invest() options are:

  • artifact (optional; by default searches/processes all the artifacts listed below)
  • mode (optional, "listing" by default):
    • listing: lists all artifacts found in the archive tree
    • forensics: uses Zimmerman tools on

Managed artifacts:

  • ntfs: $MFT, $I30, $J, $Boot, $SDS
  • link: .lnk
  • log: .evtx
  • jumplist: .automaticDestinations-ms
  • recycle_bin: INFO2, $I
  • prefetch: .pf
  • shellbag: NTUSER.DAT, USRCLASS.DAT
  • srum: SRUDB.dat
  • sum: SystemIdentity.mdb
  • wxtcmd: ActivitiesCache.db
  • shimcache: SYSTEM hive
  • registry: SYSTEM, SOFTWARE, SECURITY, SAM, DEFAULT hives
  • sql: .db
  • amcache: .hve
e.g.: from windows_forensics import *
      test = WinInvest(path_investigation_root="E:\\", investigation_name="MyInvest", log_filename="invest.log")
      test.invest(artifact="link", mode="listing")
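As an added illustration (not the project's own code), the following standalone Python sketch shows what the "listing" mode has to do with the artifact table above: classify each file name into one of the families and walk a mounted tree collecting the matches. The exact-name, "$I"-prefix and extension rules, and the constructed sample tree in demo(), are this example's assumptions.

```python
import os
import tempfile
from pathlib import Path
# Families as listed above; the name/prefix/extension rules are this example's assumption.
BY_NAME = {"$MFT": "ntfs", "$I30": "ntfs", "$J": "ntfs", "$Boot": "ntfs",
           "$SDS": "ntfs", "INFO2": "recycle_bin", "NTUSER.DAT": "shellbag",
           "USRCLASS.DAT": "shellbag", "SRUDB.dat": "srum",
           "SystemIdentity.mdb": "sum", "ActivitiesCache.db": "wxtcmd",
           "SOFTWARE": "registry", "SECURITY": "registry", "SAM": "registry",
           "DEFAULT": "registry"}
BY_SUFFIX = {".lnk": "link", ".evtx": "log", ".pf": "prefetch", ".db": "sql",
             ".hve": "amcache", ".automaticdestinations-ms": "jumplist"}
NAMES = {k.upper(): v for k, v in BY_NAME.items()}  # NTFS names are case-insensitive

def classify(filename):
    """Return the sorted artifact families a file name belongs to ([] if none)."""
    name = Path(filename).name
    key = name.upper()
    if key == "SYSTEM":                      # the SYSTEM hive feeds two parsers
        return ["registry", "shimcache"]
    if key in NAMES:
        return [NAMES[key]]
    if name.startswith("$I"):                # $I<id> recycle-bin metadata record
        return ["recycle_bin"]
    family = BY_SUFFIX.get(Path(name).suffix.lower())
    return [family] if family else []

def list_artifacts(root, artifact=None):
    """Walk a mounted tree and group matching files by family (all or one)."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            for family in classify(f):
                if artifact is None or family == artifact:
                    rel = os.path.relpath(os.path.join(dirpath, f), root)
                    hits.setdefault(family, []).append(rel)
    return {k: sorted(v) for k, v in sorted(hits.items())}

def demo():
    """Build a small constructed image tree in a temp dir and list it."""
    paths = ("$MFT", "Windows/System32/config/SYSTEM", "Users/alice/NTUSER.DAT",
             "Windows/Prefetch/CMD.EXE-ABC12345.pf", "$Recycle.Bin/S-1-5-21-1/$I3F2K1S.txt",
             "Users/alice/Recent/AutomaticDestinations/1b4dd67f29cb1962.automaticDestinations-ms")
    with tempfile.TemporaryDirectory() as root:
        for rel in paths:
            p = Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.touch()
        return list_artifacts(root), list_artifacts(root, artifact="link")
```

Note that the SYSTEM hive is reported under both registry and shimcache, matching the table, while ActivitiesCache.db is claimed by wxtcmd rather than the generic sql family.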

The default folder tree looks like that:

windows_forensics (working directory)
│   README.md
│   __init.py__
│   windows_forensics.py
│
├───investigations
│   │
│   ├───<INVEST_NAME_1>
│   │   │   artifact 1
│   │   │   artifact 2
│   │   │   ...
│   │   │   log file.log
│   │
│   └───<INVEST_NAME_2>
│       │   artifact 1
│       │   artifact 2
│       │   ...
│       │   log file.log
│
└───tools
    │   Zimmerman_tool_1.exe
    │   Zimmerman_tool_2.exe
    │   Zimmerman_tool_3.exe
    │   ...

About: Sandbox project to manipulate Windows artifacts carved with Zimmerman's tools.