ArtifactParsers
A repo that aims to centralize a current, running list of relevant parsers/tools for known DFIR artifacts
What makes this different from any other list of DFIR tools?
Ideally, the community will maintain this list as tools come and go from relevance. If a tool is listed below, the community is vouching that it still works and is an excellent option for solving whatever problem you may be facing with a particular artifact.
Commercial Tool Disclaimer
It's not that commercial tools aren't welcome in this list, but the table would become pretty bloated if 5+ tools were duplicated across many cells. At the very minimum, this project aims to highlight single-purpose tools made by DFIR community members, giving greater visibility to the options (often at no cost) available to those looking to solve problems in their everyday investigations.
Much love for the commercial vendors, their efforts, and their contributions to the community, but it would be ideal for anyone looking to learn more about the capabilities of a commercial tool to reach out to the vendor themselves or visit their official website for more information.
Analyzers vs. Parsers
In the case of Windows Event Logs, the Windows Registry, and possibly other artifacts, there is a distinct difference between a tool that analyzes an artifact and one that parses it. Generally speaking, an analysis tool does something similar to running YARA or SIGMA rules against a set of artifacts and provides meaningful output based on the rulesets used. A parser provides raw output without any predetermined rulesets or logic applied to the artifacts, leaving the analysis and interpretation to the examiner.
This is an important distinction for this project because, in the example of Windows Event Logs, it would be misleading to point an examiner looking for a tool to parse Windows Event Logs toward a tool like Chainsaw, Hayabusa, or Zircolite, when in reality those tools analyze the event logs using rulesets and logic created by threat researchers. They do not PARSE the event logs the way EvtxECmd and similar tools do.
Contributing
Please contribute to this list if any artifacts and their corresponding tools still need to be included!
Windows
| DFIR Artifact | CLI Tool(s) | GUI Tool(s) |
|---|---|---|
| $I30 | go-ntfs<br>Index2Csv<br>IndexCarver<br>MFTECmd | |
| $J | dfir_ntfs<br>ExtractUsnJrnl<br>go-ntfs<br>MFTECmd | NTFS Log Tracker |
| $LogFile | dfir_ntfs<br>go-ntfs<br>LogFileParser<br>RcrdCarver | NTFS Log Tracker |
| $MFT | dfir_ntfs<br>Mft2Csv<br>MftCarver<br>MFTECmd<br>MftRcrd | MFT_Browser<br>MFTExplorer<br>NTFS Log Tracker |
| $SDS | MFTECmd<br>Secure2Csv | |
| Amcache | AmcacheParser | Registry Explorer |
| AppCompatCache (ShimCache) | AppCompatCacheParser | Registry Explorer |
| AppCompatCache PCA (Windows 11 only) | PCAParser | |
| Browsing History | BrowsingHistoryView<br>Hindsight - Chromium only<br>SQLECmd - SQLite only | BrowsingHistoryView<br>Browser History Viewer |
| CSV Files | | Modern CSV<br>Timeline Explorer |
| Email (MBOX) |