AndrewRathbun
DFIR @ Unit 42, Admin of the Digital Forensics Discord Server, AboutDFIR.com Contributor, USMC Veteran, Former LE.
@krollcyber Michigan
Pinned Repositories
Awesome-KAPE
A curated list of KAPE-related resources
DFIRArtifactMuseum
The goal of this repo is to archive artifacts from all versions of various OSs and categorize them by type. This will help with artifact validation processes as well as increase access to artifacts that may no longer be readily available.
DFIRMindMaps
A repository of DFIR-related Mind Maps geared towards the visual learners!
DFIRPowerShellScripts
Various PowerShell scripts I've made (or others have made) to automate some of the boring stuff in my everyday DFIR journey!
DFIRRegex
A repo to centralize some of the regular expressions I've found useful over the course of my DFIR career.
EventTranscript.db-Research
A repo for centralizing ongoing research on the new Windows 10/11 DFIR artifact, EventTranscript.db.
KAPE-EZToolsAncillaryUpdater
A script that updates KAPE (using Get-KAPEUpdate.ps1) as well as EZ Tools (within .\KAPE\Modules\bin) and the ancillary files that enhance the output of those tools
VanillaWindowsReference
A repo that contains recursive directory listings (using PowerShell) of a vanilla (clean) install of every Windows OS version to compare and see what's been added with each update. Use these CSVs to create your own known good hash sets!
VanillaWindowsRegistryHives
A repo that contains a recursive dump from the ROOT key of every Windows Registry hive (using KAPE) from a vanilla (clean) install of every Windows OS version to compare and see what's been added with each update.
TheHitchhikersGuidetoDFIRExperiencesFromBeginnersandExperts
The official repo for a project involving a crowdsourced DFIR book. The main purpose of this book is to give anyone interested an opportunity to write a chapter of a book to get their name out there, get a publication on their resume with an actual ISBN number, and ideally lower the bar for people to contribute something back to the DFIR Community. Want to write a chapter? Let me know and let's make it happen!
AndrewRathbun's Repositories
AndrewRathbun/adsec
An introduction to Active Directory security
AndrewRathbun/Awesome
🎉 An awesome & curated list of best applications and tools for Windows.
AndrewRathbun/CalculatorX
An expression calculator
AndrewRathbun/cheatsheets-forensic
Forensic cheatsheets for use with cheat
AndrewRathbun/dfirt
Collect information from a Windows PC when doing incident response
AndrewRathbun/File_Watcher
File Watcher - PowerShell-based file activity monitoring tool
AndrewRathbun/ForensicsDetective
AndrewRathbun/Invoke-Forensics
Invoke-Forensics provides PowerShell commands to simplify working with the forensic tools KAPE and RegRipper.
AndrewRathbun/MajorGeeks-Windows-Tweaks
MajorGeeks Windows Tweaks contains approximately 190 registry, PowerShell, Visual Basic, and batch files to enable tweaks and hidden features in Windows 10, 8, and 7 for any skill level.
AndrewRathbun/PE-Inspector
The PE-Inspector can be used to gather information about any PE-File in Windows. It works with both 32bit and 64bit files.
AndrewRathbun/SharpScribbles
My doodles as I learn C#
AndrewRathbun/W32RegActionParser
Parses Win32_RegistryAction entries from WMI. Portable, modern and simple-to-use GUI application for Windows 7/10.
AndrewRathbun/Win10LiveInfo
Windows 10 Live Information viewer
AndrewRathbun/windows-itpro-docs
This is used for contributions to the Windows 10 content for IT professionals on docs.microsoft.com.
AndrewRathbun/1029_crack.py
Crack base64(sha256(username)) hash from Microsoft Event ID 1029
AndrewRathbun/awesome-event-ids
Collection of Event ID resources useful for Digital Forensics and Incident Response
AndrewRathbun/awesome-forensics
A curated list of awesome forensic analysis tools and resources
AndrewRathbun/awesome-incident-response
A curated list of tools for incident response
AndrewRathbun/DeepBlueCLI
AndrewRathbun/evtx-1
A Fast (and safe) parser for the Windows XML Event Log (EVTX) format
AndrewRathbun/EVTX-ATTACK-SAMPLES
Windows Events Attack Samples
AndrewRathbun/evtx-specimens
Windows XML Event Log (EVTX) specimens
AndrewRathbun/EVTX-to-MITRE-Attack
Set of EVTX samples (>170) mapped to MITRE ATT&CK tactics and techniques to measure your SIEM coverage or develop new use cases.
AndrewRathbun/InfoSec-Black-Friday
All the deals for InfoSec related software/tools this Black Friday
AndrewRathbun/ios_triage
Bash script to extract data from a "checkra1ned" iOS device
AndrewRathbun/Loki
Loki - Simple IOC and Incident Response Scanner
AndrewRathbun/mordor
Re-play Adversarial Techniques
AndrewRathbun/sof-elk
Configuration files for the SOF-ELK VM, used in SANS FOR572
AndrewRathbun/Tiny-PowerShell-Projects
Learning PowerShell through test-driven development of games and puzzles
AndrewRathbun/USBDevices
Get USB Devices from Registry hives