AndrewRathbun
DFIR @ Unit 42, Admin of the Digital Forensics Discord Server, USMC Veteran, Former LE.
Unit 42, Michigan
Pinned Repositories
Awesome-KAPE
A curated list of KAPE-related resources
DFIRArtifactMuseum
The goal of this repo is to archive artifacts from all versions of various OSes and categorize them by type. This will help with artifact validation processes and increase access to artifacts that may no longer be readily available.
DFIRMindMaps
A repository of DFIR-related Mind Maps geared towards the visual learners!
DFIRPowerShellScripts
Various PowerShell scripts I've made (or others have made) to automate some of the boring stuff in my everyday DFIR journey!
DFIRRegex
A repo to centralize some of the regular expressions I've found useful over the course of my DFIR career.
EventTranscript.db-Research
A repo for centralizing ongoing research on the new Windows 10/11 DFIR artifact, EventTranscript.db.
KAPE-EZToolsAncillaryUpdater
A script that updates KAPE (using Get-KAPEUpdate.ps1) as well as EZ Tools (within .\KAPE\Modules\bin) and the ancillary files that enhance the output of those tools
VanillaWindowsReference
A repo that contains recursive directory listings (using PowerShell) of a vanilla (clean) install of every Windows OS version to compare and see what's been added with each update. Use these CSVs to create your own known good hash sets!
VanillaWindowsRegistryHives
A repo that contains a recursive dump from the ROOT key of every Windows Registry hive (using KAPE) from a vanilla (clean) install of every Windows OS version to compare and see what's been added with each update.
TheHitchhikersGuidetoDFIRExperiencesFromBeginnersandExperts
The official repo for a project involving a crowdsourced DFIR book. The main purpose of this book is to give anyone interested an opportunity to write a chapter of a book to get their name out there, get a publication on their resume with an actual ISBN number, and ideally lower the bar for people to contribute something back to the DFIR Community. Want to write a chapter? Let me know and let's make it happen!
AndrewRathbun's Repositories
AndrewRathbun/DFIRArtifactMuseum
The goal of this repo is to archive artifacts from all versions of various OSes and categorize them by type. This will help with artifact validation processes and increase access to artifacts that may no longer be readily available.
AndrewRathbun/VanillaWindowsReference
A repo that contains recursive directory listings (using PowerShell) of a vanilla (clean) install of every Windows OS version to compare and see what's been added with each update. Use these CSVs to create your own known good hash sets!
AndrewRathbun/DFIRPowerShellScripts
Various PowerShell scripts I've made (or others have made) to automate some of the boring stuff in my everyday DFIR journey!
AndrewRathbun/DirectoryOpus-DFIRConfig
A config file that's curated for DFIR examiners with shortcuts to common Windows artifacts and settings enabled that help make your life easier with various file management tasks.
AndrewRathbun/SigHunter
A C# (.NET 6) tool to compare the file signature of files recursively and inform the user of matches and mismatches
AndrewRathbun/RAMDumpExplorer
An updated fork of @bacanoicua's RAMDumpExplorer project. This is a program designed to analyze a RAM dump to search for potentially malicious files. The program scans the dump file for specific patterns and uses regular expressions to identify and extract the matched values.
AndrewRathbun/EventLogMonitor
An updated fork of @AbdulRhmanAlfaifi's EventLogMonitor, which hooks into Windows Event Logs and displays new events as they are written to disk.
AndrewRathbun/KapeFiles
This repository serves as a place for community created Targets and Modules for use with KAPE.
AndrewRathbun/xxUSBSentinel
An updated fork of @thereisnotime's xxUSBSentinel, a Windows anti-forensics USB monitoring tool.
AndrewRathbun/WMI-Parser
An updated fork of @woanware's WMI-Parser project
AndrewRathbun/WMI-Explorer
An updated fork of @vinaypamnani's wmie2 project
AndrewRathbun/RECmd
Command line access to the Registry
AndrewRathbun/BinReveal
An updated fork of @MTJailed's BinReveal project. This is a project for analyzing files to find signatures or files hidden inside another file.
AndrewRathbun/DateDecoder
An updated fork of DateDecoder originally by @jacobsoo.
AndrewRathbun/ericzimmerman.github.io
Software downloads
AndrewRathbun/EVTX-ETW-Resources
Event Tracing For Windows (ETW) Resources
AndrewRathbun/Seatbelt
An updated fork of @GhostPack's Seatbelt project. Seatbelt is a C# project that performs a number of security-oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
AndrewRathbun/TLEFilePlugins
Plugins for parsing CSV files in Timeline Explorer. This project allows anyone to add more supported files (i.e., they get a Line #/tag column, layout support, searching, etc.)
AndrewRathbun/WMIParserStr
An updated fork of @ignacioj's WMIParserStr project
AndrewRathbun/AndrewRathbun.github.io
AndrewRathbun/InfoSec-Black-Friday
All the deals for InfoSec related software/tools this Black Friday
AndrewRathbun/Microsoft-Extractor-Suite
A PowerShell module for acquisition of data from Microsoft 365 and Azure for Incident Response and Cyber Security purposes.
AndrewRathbun/parseusbs
Parses USB connection artifacts from offline Registry hives
AndrewRathbun/Registry
Full featured, offline Registry parser in C#
AndrewRathbun/Srum
AndrewRathbun/sysinternals
Content for sysinternals.com
AndrewRathbun/TCSA.V2
A revamp of The C# Academy using all the power of .NET 8's new Blazor!
AndrewRathbun/velociraptor-docs
Documentation site for Velociraptor
AndrewRathbun/winamp
Iconic media player
AndrewRathbun/winforms-demos
This repository contains the samples for Syncfusion Windows Forms UI Controls and File Format libraries and the guide to use them.