Channel: binary foray
Browsing all 26 articles
Windows 10 Creators update vs shimcache parsers: Fight!!

So it seems Microsoft has tweaked the format of AppCompatCache, aka shimcache, yet again with the latest release (or soon to be released) of Windows 10 (Creators update). Here is an example of what...

Introducing Timeline Explorer v0.4.0.0

Timeline Explorer is a program that started out as a means to view mactime and Plaso generated CSV timelines without the need to use Excel. From these two formats, it has expanded into a tool that...

Timeline Explorer 0.5.0.0 released

Some user requested changes in this version. Changelog:
- NEW: Add Tools | Go to line # to quickly jump to a given line
- NEW: Can tag rows via clicking on Tag cell vs needing to use shortcut
- NEW: Added an...

Registry Explorer v0.9.0.0 released!

This is a big release with a lot of cool new stuff including both features and new plugins. Overall, the changes look like this:
- NEW: Added Raw Value property to non-RegBinary values that contains the...

ShellBags Explorer 0.9.5.0 released!

Changes in this version include:
- NEW: Additional GUIDs added
- NEW: Several new Shellbag types and extension blocks added
- NEW: SBECmd.exe can now process the live registry on the system it runs on via the...

(Am)cache still rules everything around me (part 2 of 1)

Salutations! It seems recent versions of Windows 10 (i.e. those in the fast ring as of the last few weeks) have introduced some changes to artifacts, similar to what was done with appcompatcache back...

Timeline Explorer 0.6.0 released!

The changelog for this version includes:
- NEW: More file formats (pescan, sigcheck, density scout, all new AmcacheParser formats)
- NEW: When editing filters, you can customize via text (vs clicking thru...

Introducing SDB Explorer

This is the initial release of SDB Explorer. SDB Explorer is a GUI program that allows for interacting with Microsoft Shim databases. For more details on what kind of data is contained in these types...

Updates to the left of me, updates to the right of me, version 1 releases are...

Yay for version 1 releases! With Registry Explorer's v1.0 release and its underlying support of replaying transaction LOG files, it was only appropriate for my other Registry based tools to also be...

Introducing WxTCmd!

WxTCmd is a parser for the new Windows 10 Timeline feature database. We have been hearing about it for several weeks now, but with 1803 finally final, I had a chance to update my system and let the...


A flurry of updates!

Pretty much all my software has been updated. The biggest changes include switching to comma separators in all of the command line tools by default. The option to export to TSV is still there via the...

Introducing MFTECmd!

MFTECmd (code name "Solved problem" 😃) is a command line MFT parser built around my MFT project, found here. I wrote this program for a lot of reasons to include getting to know NTFS better, wanting to...

MFTECmd v0.2.6.0 released

This version adds a lot of polish to the --de output and adds several new options as well. Changelog:
- body file output (NOTE: INDEX_ROOT entries are not included (yet? maybe never))
- Remove msg about -d...

Introducing VSCMount

Nothing crazy here, just a simple way to mount Volume Shadow Copies from the command line without having to do much of anything except provide the drive letter to where the VSCs are and where you want...

Everything gets an update, Sept 2018 edition

All of my software has been updated (well, almost all). Here is a list of what's changed
General
- nuget package updates
- 3rd party control updates
- Moving away from LibZ to Fody.Costura (this makes all my...

MFTECmd 0.3.6.0 released

MFTECmd 0.3.6.0 is now available. Changes include:
- Added support for $Boot, $SDS, and $J files ($LogFile is coming soon)
- Changed the output format for body file to 1252 vs UTF8 because log2timeline-...

Registry Explorer and RECmd 1.2.0.0 released!

This release sees changes in several different places. Let's start with the main Registry parser. New in this release is the ability to expand a path with wildcards to all matching paths. We will see...

Locked file support added to AmcacheParser, AppCompatCacheParser, MFTECmd,...

So what does this mean for you? More access to more data, more faster! What does it allow you to do? Automate more and leverage these tools for more proactive threat hunting because they now all run on...

Introducing KAPE!

(From the manual, which is included, and you should read...)
What is KAPE?
Kroll Artifact Parser and Extractor (KAPE) is primarily a triage program that will target a device or storage location, find the...

KAPE v0.8.1.0 released!

TL;DR: Use the same URL you were emailed to download the update!
Changes in 0.8.1.0:
- Add support for UNC paths for --tsource and --tdest
- Better detection when out of storage space on destination
- Add check...
