AndrewRathbun
DFIR @ Unit 42, Admin of the Digital Forensics Discord Server, AboutDFIR.com Contributor, USMC Veteran, Former LE.
@krollcyber Michigan
Pinned Repositories
Awesome-KAPE
A curated list of KAPE-related resources
DFIRArtifactMuseum
The goal of this repo is to archive artifacts from all versions of various OSes and categorize them by type. This will help with artifact validation processes as well as increase access to artifacts that may no longer be readily available.
DFIRMindMaps
A repository of DFIR-related Mind Maps geared towards the visual learners!
DFIRPowerShellScripts
Various PowerShell scripts I've made (or others have made) to automate some of the boring stuff in my everyday DFIR journey!
DFIRRegex
A repo to centralize some of the regular expressions I've found useful over the course of my DFIR career.
EventTranscript.db-Research
A repo for centralizing ongoing research on the new Windows 10/11 DFIR artifact, EventTranscript.db.
KAPE-EZToolsAncillaryUpdater
A script that updates KAPE (using Get-KAPEUpdate.ps1) as well as EZ Tools (within .\KAPE\Modules\bin) and the ancillary files that enhance the output of those tools
VanillaWindowsReference
A repo that contains recursive directory listings (using PowerShell) of a vanilla (clean) install of every Windows OS version to compare and see what's been added with each update. Use these CSVs to create your own known good hash sets!
VanillaWindowsRegistryHives
A repo that contains a recursive dump from the ROOT key of every Windows Registry hive (using KAPE) from a vanilla (clean) install of every Windows OS version to compare and see what's been added with each update.
TheHitchhikersGuidetoDFIRExperiencesFromBeginnersandExperts
The official repo for a project involving a crowdsourced DFIR book. The main purpose of this book is to give anyone interested an opportunity to write a chapter of a book to get their name out there, get a publication on their resume with an actual ISBN number, and ideally lower the bar for people to contribute something back to the DFIR Community. Want to write a chapter? Let me know and let's make it happen!
AndrewRathbun's Repositories
AndrewRathbun/DFIRArtifactMuseum
The goal of this repo is to archive artifacts from all versions of various OSes and categorize them by type. This will help with artifact validation processes as well as increase access to artifacts that may no longer be readily available.
AndrewRathbun/Awesome-KAPE
A curated list of KAPE-related resources
AndrewRathbun/EventLogMonitor
An updated fork of @AbdulRhmanAlfaifi's EventLogMonitor, which hooks into Windows Event Logs and displays new events as they are written to disk.
AndrewRathbun/KapeFiles
This repository serves as a place for community created Targets and Modules for use with KAPE.
AndrewRathbun/BeaconHunter
An updated fork of @3lp4tr0n's BeaconHunter. Detect and respond to Cobalt Strike beacons using ETW
AndrewRathbun/ForensicMiner
A really good DFIR automation for collecting and analyzing evidence designed for cybersecurity professionals.
AndrewRathbun/Regshot-Advanced
This is an updated fork of RegShot Advanced. The main point of this fork is to provide a compiled, signed binary for the most recent version.
AndrewRathbun/AndrewRathbun
AndrewRathbun/WMI-Parser
An updated fork of @woanware's WMI-Parser project
AndrewRathbun/Bogus
A simple fake data generator for C#, F#, and VB.NET. Based on and ported from the famed faker.js.
AndrewRathbun/DiscordTokenCarver
Carves/steals tokens for discord from local machine
AndrewRathbun/EtwExplorer
View ETW Provider manifest
AndrewRathbun/GHOSTS
GHOSTS is a realistic user simulation framework for cyber simulation, training, and exercise
AndrewRathbun/OneDriveExplorer
AndrewRathbun/openhardwaremonitor
Open Hardware Monitor
AndrewRathbun/WinSearchDBAnalyzer
An updated fork of @moaistory's WinSearchDBAnalyzer project
AndrewRathbun/WMI-Explorer
An updated fork of @vinaypamnani's wmie2 project
AndrewRathbun/xxUSBSentinel
An updated fork of @thereisnotime's xxUSBSentinel, a Windows anti-forensics USB monitoring tool.
AndrewRathbun/CSVHeaderHunter
C# program to grab all CSV headers from a directory recursively and output to a CSV file
AndrewRathbun/evtx
C# based evtx parser with lots of extras
AndrewRathbun/MFTECmd
Parses $MFT from NTFS file systems
AndrewRathbun/Seatbelt
An updated fork of @GhostPack's Seatbelt project. Seatbelt is a C# project that performs a number of security-oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
AndrewRathbun/WMIParserStr
An updated fork of @ignacioj's WMIParserStr project
AndrewRathbun/Get-ZimmermanTools
Get all my software
AndrewRathbun/hayabusa
Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
AndrewRathbun/SharpAbeebus
A GeoIP lookup utility utilizing ipinfo.io services.
AndrewRathbun/sidr
Search Index Database Reporter
AndrewRathbun/sigma
Generic Signature Format for SIEM Systems
AndrewRathbun/spectre.console
A .NET library that makes it easier to create beautiful console applications.
AndrewRathbun/WingetUI
WingetUI: The Graphical Interface for your package managers