AndrewRathbun

DFIR @ Unit 42, Admin of the Digital Forensics Discord Server, AboutDFIR.com Contributor, USMC Veteran, Former LE.

@krollcyber Michigan

Pinned Repositories

Awesome-KAPE
A curated list of KAPE-related resources
145 12 315
DFIRArtifactMuseum
The goal of this repo is to archive artifacts from all versions of various OS's and categorizing them by type. This will help with artifact validation processes as well as increase access to artifacts that may no longer be readily available anymore.
Language:HTML534 30 1848
DFIRMindMaps
A repository of DFIR-related Mind Maps geared towards the visual learners!
484 32 066
DFIRPowerShellScripts
Various PowerShells scripts I've made (or others have made) to automate some of the boring stuff in my everyday DFIR journey!
Language:PowerShell40 3 614
DFIRRegex
A repo to centralize some of the regular expressions I've found useful over the course of my DFIR career.
77 4 09
EventTranscript.db-Research
A repo for centralizing ongoing research on the new Windows 10/11 DFIR artifact, EventTranscript.db.
38 3 03
KAPE-EZToolsAncillaryUpdater
A script that updates KAPE (using Get-KAPEUpdate.ps1) as well as EZ Tools (within .\KAPE\Modules\bin) and the ancillary files that enhance the output of those tools
Language:PowerShell50 9 146
VanillaWindowsReference
A repo that contains recursive directory listings (using PowerShell) of a vanilla (clean) install of every Windows OS version to compare and see what's been added with each update. Use these CSVs to create your own known good hash sets!
122 6 215
VanillaWindowsRegistryHives
A repo that contains a recursive dump from the ROOT key of every Windows Registry hive (using KAPE) from a vanilla (clean) install of every Windows OS version to compare and see what's been added with each update.
42 4 15
TheHitchhikersGuidetoDFIRExperiencesFromBeginnersandExperts
The official repo for a project involving a crowdsourced DFIR book. The main purpose of this book is to give anyone interested an opportunity to write a chapter of a book to get their name out there, get a publication on their resume with an actual ISBN number, and ideally lower the bar for people to contribute something back to the DFIR Community. Want to write a chapter? Let me know and let's make it happen!
Language:Ruby181 19 4921

AndrewRathbun's Repositories

AndrewRathbun/DFIRArtifactMuseum
The goal of this repo is to archive artifacts from all versions of various OS's and categorizing them by type. This will help with artifact validation processes as well as increase access to artifacts that may no longer be readily available anymore.
Language:HTML534 30 1848
AndrewRathbun/Awesome-KAPE
A curated list of KAPE-related resources
145 12 315
AndrewRathbun/EventLogMonitor
An updated fork of @AbdulRhmanAlfaifi's EventLogMonitor, which hooks into Window Event Logs and displays the new events as they are written to disk.
Language:C#61
AndrewRathbun/KapeFiles
This repository serves as a place for community created Targets and Modules for use with KAPE.
6 2 01
AndrewRathbun/BeaconHunter
An updated fork of @3lp4tr0n's BeaconHunter. Detect and respond to Cobalt Strike beacons using ETW
Language:C#4 1 01
AndrewRathbun/ForensicMiner
A really good DFIR automation for collecting and analyzing evidence designed for cybersecurity professionals.
4
AndrewRathbun/Regshot-Advanced
This is an updated fork of RegShot Advanced. The main point of this fork is to provide a compiled, signed binary for the most recent version.
Language:C4 2 0
AndrewRathbun/AndrewRathbun
3 3 0
AndrewRathbun/WMI-Parser
An updated fork of @woanware's WMI-Parser project
Language:C#3 1 1
AndrewRathbun/Bogus
:card_index: A simple fake data generator for C#, F#, and VB.NET. Based on and ported from the famed faker.js.
Language:C#2 1 0
AndrewRathbun/DiscordTokenCarver
Carves/steals tokens for discord from local machine
Language:Python2
AndrewRathbun/EtwExplorer
View ETW Provider manifest
Language:C#2 1 0
AndrewRathbun/GHOSTS
GHOSTS is a realistic user simulation framework for cyber simulation, training, and exercise
Language:C#2 1 0
AndrewRathbun/OneDriveExplorer
Language:Python2 1 01
AndrewRathbun/openhardwaremonitor
Open Hardware Monitor
Language:C#2 1 0
AndrewRathbun/WinSearchDBAnalyzer
An updated fork of @moaistory's WinSearchDBAnalyzer project
Language:C#2 2 1
AndrewRathbun/WMI-Explorer
An updated fork of @vinaypamnani's wmie2 project
Language:C#2 2 01
AndrewRathbun/xxUSBSentinel
An updated fork of @thereisnotime's xxUSBSentinel, a Windows anti-forensics USB monitoring tool.
Language:C#2 2 0
AndrewRathbun/CSVHeaderHunter
C# program to grab all CSV headers from a directory recursively and output to a CSV file
Language:C#1 2 0
AndrewRathbun/evtx
C# based evtx parser with lots of extras
Language:C#1 0 0
AndrewRathbun/MFTECmd
Parses $MFT from NTFS file systems
Language:C#1 1 01
AndrewRathbun/Seatbelt
An updated fork of @GhostPack's Seatbelt project, Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
Language:C#1 1 0
AndrewRathbun/WMIParserStr
An updated fork of @ignacioj's WMIParserStr project
Language:C#1 2 0
AndrewRathbun/Get-ZimmermanTools
Get all my software
Language:PowerShell
AndrewRathbun/hayabusa
Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
Language:Rust1 0
AndrewRathbun/SharpAbeebus
A GeoIP lookup utility utilizing ipinfo.io services.
Language:C#
AndrewRathbun/sidr
Search Index Database Reporter
Language:Rust1 0
AndrewRathbun/sigma
Generic Signature Format for SIEM Systems
Language:Python1 01
AndrewRathbun/spectre.console
A .NET library that makes it easier to create beautiful console applications.
Language:C#1 0
AndrewRathbun/WingetUI
WingetUI: The Graphical Interface for your package managers
Language:PowerShell