// case type
ransomware response
initial access → lateral movement → exfil → encryption onset → ransom note. the first 48 hours are about scoping, finding patient zero, and preserving evidence before the actor wipes logs: export event logs and enumerate shadow copies first, since both are routinely deleted.
start here · primary tools
ordered. work top-down. the first tool is the suggested entry point for this case type.
- ransomware encryption onset timer: drop mft csv and evtx csv · pinpoint the moment encryption began · identify the patient-zero file · work backward to find initial access · correlate with attacker actions · runs locally
- ransomware pre-encryption staging detector: drop evtx csv and mft csv · identify pre-encryption staging behaviors · network scanning · credential dumping · data exfiltration before encryption · lateral movement artifacts · runs locally
- ransomware family identifier: drop encrypted file samples · ransom notes · iocs · fingerprint against 200+ families · output family name · known decryptors · nomoreransom hints · extension patterns · c2 patterns · runs locally
- ransom note analyzer: paste or drop ransom notes · 55+ family fingerprints · crypto addresses · onion urls · emails · nomoreransom hints · highlighted text · runs locally
- double extortion evidence collector: drop mft csv · evtx csv · proxy logs · identify data staging directories · compression artifacts · cloud upload indicators · estimate what data was stolen before encryption · runs locally
- lateral movement chain visualizer: drop evtx csvs · link logon, service creation and remote execution events · reconstruct multi-hop chains · runs locally
- backup deletion artifact analyzer: drop evtx csvs and vss registry exports · parse deliberate backup deletion across windows backup · veeam artifacts · backup exec artifacts · correlate with the ransomware timeline · runs locally
- mass rename detector: drop a file listing or dir output · detect bulk renames within short time windows · flag ransomware extension patterns · visualize the rename timeline · export csv · runs locally
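The encryption onset timer and the mass rename detector above reduce to the same computation over a timestamped file listing: find files carrying a bolted-on extension, then find the first burst of them that fits inside a short window. The following is an added example of that logic, not code from this site's tools. The listing, its column names (Modified, Path), the paths and the `.kuhq` extension are constructed for the example; the double-extension rule, the note-name pattern and the 5-files-in-60-seconds burst threshold are heuristics assumed here.

```python
import csv
import io
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed file listing in the shape of an MFT CSV export. The column names
# (Modified, Path), the paths and the .kuhq extension are assumptions.
SAMPLE_LISTING = """Modified,Path
2024-05-02T09:14:10Z,C:\\Shares\\Finance\\budget.xlsx
2024-05-02T11:02:33Z,C:\\Shares\\HR\\handbook.pdf
2024-05-03T01:41:07Z,C:\\Shares\\Finance\\test.txt.kuhq
2024-05-03T02:05:00Z,C:\\Shares\\Finance\\q1.xlsx.kuhq
2024-05-03T02:05:01Z,C:\\Shares\\Finance\\q2.xlsx.kuhq
2024-05-03T02:05:01Z,C:\\Shares\\Finance\\q3.xlsx.kuhq
2024-05-03T02:05:02Z,C:\\Shares\\HR\\payroll.csv.kuhq
2024-05-03T02:05:03Z,C:\\Shares\\HR\\contracts.docx.kuhq
2024-05-03T02:05:03Z,C:\\Shares\\HR\\README_RESTORE.txt
2024-05-03T02:05:04Z,C:\\Shares\\Legal\\nda.pdf.kuhq
2024-05-03T02:05:06Z,C:\\Shares\\Legal\\merger.pptx.kuhq
2024-05-03T02:05:07Z,C:\\Shares\\Legal\\board.docx.kuhq
2024-05-03T03:10:00Z,C:\\Shares\\IT\\notes.txt
"""

# Extensions that normally sit last; a file named <name>.<one of these>.<junk>
# is treated as an encrypted original (heuristic, not a family signature).
DOC_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt", "csv",
            "jpg", "png", "sql", "bak", "zip"}
# Ransom notes are usually dropped next to the encrypted files under names like these.
NOTE_NAME = re.compile(r"readme|restore|recover|decrypt|how[_ -]?to", re.I)


def parse_listing(text):
    """Return (modified_utc, path) tuples sorted by time, then path."""
    rows = csv.DictReader(io.StringIO(text))
    return sorted((datetime.strptime(r["Modified"], "%Y-%m-%dT%H:%M:%SZ"), r["Path"])
                  for r in rows)


def appended_extension(path):
    """Trailing extension if the name looks like <name>.<doc ext>.<appended>, else None."""
    parts = path.rsplit("\\", 1)[-1].lower().split(".")
    if len(parts) >= 3 and parts[-2] in DOC_EXTS and parts[-1] not in DOC_EXTS:
        return parts[-1]
    return None


def find_onset(entries, min_burst=5, window=timedelta(seconds=60)):
    """Locate the dominant appended extension, the earliest file carrying it
    (patient-zero candidate) and the first run of min_burst such files that
    fit inside `window` (encryption onset). Returns None if nothing matches."""
    enc = [(t, p, appended_extension(p)) for t, p in entries if appended_extension(p)]
    if not enc:
        return None
    ext = Counter(x for _, _, x in enc).most_common(1)[0][0]
    hits = [(t, p) for t, p, x in enc if x == ext]          # already time-ordered
    burst = next((i for i in range(len(hits) - min_burst + 1)
                  if hits[i + min_burst - 1][0] - hits[i][0] <= window), None)
    return {
        "extension": ext,
        "encrypted_count": len(hits),
        "patient_zero": hits[0][1],
        "patient_zero_time": hits[0][0],
        "onset": hits[burst][0] if burst is not None else None,
        "onset_file": hits[burst][1] if burst is not None else None,
        "notes": [p for _, p in entries if NOTE_NAME.search(p.rsplit("\\", 1)[-1])],
    }


if __name__ == "__main__":
    result = find_onset(parse_listing(SAMPLE_LISTING))
    for key, value in result.items():
        print(f"{key:>18}: {value}")
```

Patient zero and onset are reported separately on purpose: in the sample the first `.kuhq` file appears 24 minutes before the burst, which is what an operator's single test encryption looks like, and collapsing the two would put the onset in the wrong place. The timestamps are treated as UTC; check the export's clock and zone before comparing against event logs.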
also useful · secondary tools
supporting and follow-up tools. surface as the investigation widens.
- windows event log parser: drop a .evtx file · parse Windows event log · filter by event ID · level · source · export CSV · runs locally
- windows event log deep dive: drop EVTX · map event IDs to attack techniques · 4624 logon · 4688 process creation · 7045 service install · 4698 scheduled task · Kerberoasting · lateral movement chains · runs locally
- lateral movement network pattern detector: drop pcap, pcapng or zeek conn log · detect smb admin share access, rdp hops, credential reuse and pivot patterns · movement chain · export csv · runs locally
- credential to lateral movement tracer: drop credential dumping evidence csvs · logon event csvs · admin share access · service install events · trace a specific credential from dump through use and propagation across systems · reconstruct the attack chain · runs locally
- volume shadow copy deletion detector: drop system or security evtx csv · detect vss deletion commands · identify shadow copy destruction patterns · correlate with ransomware or anti-forensic activity · surface which deletion method was used (needs command-line auditing in 4688 events, otherwise only the image name is recorded) · runs locally
- shadow copy creation disable and suppression detector: drop registry export and system evtx csv · detect volume shadow copy service disabled or shadow copy creation suppressed · identify configuration changes preventing future shadow copy creation · surface vss service manipulation · runs locally
- amcache parser: drop Amcache.hve · parse executed binaries · SHA1 hashes (computed over the first 31 MB of the file only) · file paths · first run timestamps · program inventory · export CSV · runs locally
- shimcache parser: drop SYSTEM hive · parse AppCompatCache · execution traces · deleted binary detection · timestamps · heuristic (on windows 8 and later an entry proves the file was present, not that it ran, and the timestamp is the file's last-modified time, not an execution time) · export CSV · runs locally
- incident timeline builder: drop multiple CSVs with timestamps from any forensic tool · merge into a unified chronological timeline · entity tagging · filter by source · export the full timeline · runs locally
- case report generator: fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates a structured forensic report PDF · runs locally
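The deep dive, the shadow copy deletion detector and the lateral movement tools in both lists all read the same handful of event IDs. The following is an added example of that event-to-technique mapping, not code from this site's tools: it tags 4624/4688/7045/4698 rows, pairs each service install with the network or RDP logon that preceded it on the same host to recover psexec-style hops, and names the recovery-inhibiting command when a 4688 row carries one. The export layout (TimeCreated, EventID, Computer and a key=value Detail column), the hosts, accounts, IPs, the `kuhq` service name and the 5-minute pairing window are all assumptions made for the example.

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed EVTX export, one row per event. The column names (TimeCreated,
# EventID, Computer, Detail) and the key=value packing of the event fields are
# assumptions; real exports spread these over many columns.
SAMPLE_EVTX = """TimeCreated,EventID,Computer,Detail
2024-05-03T01:10:05Z,4624,WS01,LogonType=10;Account=CORP\\jdoe;SourceIp=10.0.0.9
2024-05-03T01:12:40Z,4624,FS01,LogonType=3;Account=CORP\\svc_backup;SourceIp=10.0.1.21
2024-05-03T01:13:02Z,7045,FS01,ServiceName=PSEXESVC;ImagePath=%SystemRoot%\\PSEXESVC.exe
2024-05-03T01:15:30Z,4624,DC01,LogonType=3;Account=CORP\\svc_backup;SourceIp=10.0.1.40
2024-05-03T01:15:55Z,7045,DC01,ServiceName=kuhq;ImagePath=C:\\Windows\\kuhq.exe
2024-05-03T01:40:11Z,4688,DC01,CommandLine=vssadmin.exe delete shadows /all /quiet
2024-05-03T01:40:12Z,4688,DC01,CommandLine=wbadmin delete catalog -quiet
2024-05-03T01:40:13Z,4688,DC01,CommandLine=bcdedit /set {default} recoveryenabled no
2024-05-03T02:00:00Z,4698,DC01,TaskName=\\Update;Command=C:\\Windows\\kuhq.exe
"""

# Command lines that remove or block recovery, in the forms ransomware
# operators commonly run them; the first matching label is reported.
ANTI_RECOVERY = [
    ("vssadmin delete shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin resize shadowstorage", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic shadowcopy delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("powershell Win32_ShadowCopy", re.compile(r"Win32_ShadowCopy", re.I)),
    ("wbadmin delete catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("bcdedit recoveryenabled no", re.compile(r"bcdedit(\.exe)?\b.*recoveryenabled\s+no", re.I)),
]
LOGON_TYPES = {"3": "network logon (smb/admin share)", "10": "remote interactive (rdp)"}


def parse_export(text):
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        fields = dict(kv.split("=", 1) for kv in row["Detail"].split(";") if "=" in kv)
        events.append({"time": datetime.strptime(row["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ"),
                       "id": int(row["EventID"]), "host": row["Computer"], **fields})
    return sorted(events, key=lambda e: e["time"])


def anti_recovery_method(command_line):
    return next((label for label, pat in ANTI_RECOVERY if pat.search(command_line)), None)


def technique(e):
    """Map one event to the attacker behaviour it evidences."""
    if e["id"] == 4624:
        kind = LOGON_TYPES.get(e.get("LogonType"))
        return f"lateral movement: {kind} from {e.get('SourceIp')}" if kind else "logon"
    if e["id"] == 7045:
        return f"remote execution: service {e.get('ServiceName')} -> {e.get('ImagePath')}"
    if e["id"] == 4698:
        return f"persistence: scheduled task {e.get('TaskName')}"
    if e["id"] == 4688:
        method = anti_recovery_method(e.get("CommandLine", ""))
        return f"inhibit recovery: {method}" if method else "process creation"
    return f"event {e['id']}"


def lateral_hops(events, window=timedelta(minutes=5)):
    """Pair each service install (7045) with the most recent network or RDP
    logon (4624 type 3/10) on the same host inside `window`; that pairing is
    the psexec-style hop source -> target."""
    hops = []
    for svc in (e for e in events if e["id"] == 7045):
        logons = [e for e in events if e["id"] == 4624 and e["host"] == svc["host"]
                  and e.get("LogonType") in LOGON_TYPES
                  and timedelta(0) <= svc["time"] - e["time"] <= window]
        if logons:
            src = logons[-1]
            hops.append({"time": svc["time"], "source": src["SourceIp"], "target": svc["host"],
                         "account": src["Account"], "service": svc["ServiceName"]})
    return hops


def chains(hops):
    """Group hops by the account that made them, in time order."""
    out = {}
    for h in hops:
        out.setdefault(h["account"], []).append(f'{h["source"]}->{h["target"]}')
    return out


if __name__ == "__main__":
    evs = parse_export(SAMPLE_EVTX)
    for e in evs:
        print(e["time"].isoformat(), e["host"], e["id"], technique(e))
    print("chains:", chains(lateral_hops(evs)))
```

The 4688 rows only carry a command line when process-creation auditing is configured to include it; without that, the three vssadmin/wbadmin/bcdedit rows in the sample would show only an image name and fall back to plain "process creation", which is the gap the parenthetical on the deletion detector above refers to.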
run as a stack
skip the click-through. these presets are curated forensic pipelines you can save as a stack with one click and run on your evidence locally.
ransomware response — timeline kit
6 steps · drop artifact bundles + IOC lists → merge timeline → extract + dedupe IOCs → triage → report
- 01 evidence-manifest-generator: hash every input — required for evidentiary integrity
- 02 forensic-timeline-builder: merge all timestamped events from input bundles into one ordered timeline
- 03 ioc-extractor: extract IOCs from any text inputs (notes, logs)
- 04 ioc-deduplicator-normalizer: merge with any pre-existing IOC bundles in the input set
- 05 ioc-bulk-validator-and-triage: score the merged IOC set
- 06 case-report-generator: draft an executive + technical report
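The six steps above as one script over a constructed evidence bundle. This is an added example of the pipeline's shape, not the stack's own code: the four inputs, their columns and timestamp formats, the ransom note, the defanged prior IOC list, the refang rules, the onion/email/BTC patterns and the scoring weights are all assumptions made here. The bech32 address is the BIP173 example address, not a real payment wallet.

```python
import csv
import hashlib
import io
import re
from datetime import datetime

# Constructed evidence bundle: two tool exports with different timestamp
# formats, a ransom note and a prior (defanged) IOC list. All assumptions.
INPUTS = {
    "mft_timeline.csv": (
        "Modified,Path\n"
        "2024-05-03T02:05:00Z,C:\\Shares\\Finance\\q1.xlsx.kuhq\n"
        "2024-05-03T02:05:03Z,C:\\Shares\\HR\\README_RESTORE.txt\n"
    ),
    "evtx_4688.csv": (
        "TimeCreated,EventID,CommandLine\n"
        "05/03/2024 01:40:11,4688,vssadmin.exe delete shadows /all /quiet\n"
        "05/03/2024 02:04:58,4688,C:\\Windows\\kuhq.exe --encrypt\n"
    ),
    "ransom_note.txt": (
        "Your files are encrypted. Contact support@kuhq-decrypt.example via Tor:\n"
        "http://kuhqpayportalabcdefghijklmnopqrstuvwxyz234567abcdefghijk.onion/login\n"
        "Pay 2 BTC to bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq\n"
    ),
    "prior_iocs.txt": (
        "hxxp://kuhqpayportalabcdefghijklmnopqrstuvwxyz234567abcdefghijk[.]onion/login\n"
        "SUPPORT@kuhq-decrypt[.]example\n"
    ),
}
# Both exports are taken to be UTC; merging a local-time export with a UTC one
# without converting is the usual way a unified timeline goes wrong.
TS_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%m/%d/%Y %H:%M:%S")
IOC_PATTERNS = {
    "onion": re.compile(r"\b[a-z2-7]{16,56}\.onion\b", re.I),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "btc": re.compile(r"\b(?:bc1[a-z0-9]{25,87}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"),
}
BASE_SCORE = {"onion": 3, "email": 2, "btc": 2}  # assumed triage weights


def sha256_text(text):  # step 01: manifest hash of one input
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def parse_ts(value):
    for fmt in TS_FORMATS:
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {value}")

def merge_timeline(inputs):  # step 02: every timestamped CSV row, one ordered list
    events = []
    for name, text in inputs.items():
        if name.endswith(".csv"):
            for row in csv.DictReader(io.StringIO(text)):
                ts_col = next(c for c in row if c in ("Modified", "TimeCreated"))
                events.append({"time": parse_ts(row[ts_col]), "source": name,
                               "event": row.get("Path") or row.get("CommandLine")})
    return sorted(events, key=lambda e: e["time"])

def extract_iocs(text, source):  # step 03: refang, then pull onion/email/btc
    text = re.sub(r"hxxp", "http", text.replace("[.]", "."), flags=re.I)
    found = []
    for kind, pat in IOC_PATTERNS.items():
        for m in pat.finditer(text):
            value = m.group(0).lower() if kind in ("onion", "email") else m.group(0)
            found.append({"kind": kind, "value": value, "source": source})
    return found

def dedupe(iocs):  # step 04: one record per (kind, value), every source kept
    merged = {}
    for i in iocs:
        rec = merged.setdefault((i["kind"], i["value"]),
                                {"kind": i["kind"], "value": i["value"], "sources": set()})
        rec["sources"].add(i["source"])
    return list(merged.values())

def triage(iocs):  # step 05: base weight per kind, +1 when two inputs agree
    for i in iocs:
        i["score"] = BASE_SCORE[i["kind"]] + (1 if len(i["sources"]) > 1 else 0)
    return sorted(iocs, key=lambda i: (-i["score"], i["kind"], i["value"]))

def run_stack(inputs):
    manifest = {name: sha256_text(text) for name, text in inputs.items()}  # hash first
    timeline = merge_timeline(inputs)
    raw = [ioc for name, text in inputs.items() if name.endswith(".txt")
           for ioc in extract_iocs(text, name)]
    iocs = triage(dedupe(raw))
    report = ["# evidence manifest"] + [f"{h}  {n}" for n, h in manifest.items()]  # step 06
    report += ["# timeline"] + [f"{e['time'].isoformat()}Z  {e['source']}  {e['event']}"
                                for e in timeline]
    report += ["# iocs"] + [f"{i['score']}  {i['kind']}  {i['value']}  "
                            f"{','.join(sorted(i['sources']))}" for i in iocs]
    return {"manifest": manifest, "timeline": timeline, "iocs": iocs, "report": "\n".join(report)}

if __name__ == "__main__":
    print(run_stack(INPUTS)["report"])
```

The manifest is computed before anything else reads the inputs, which is the point of step 01. The onion host and the contact address appear in both the note and the prior list, so they dedupe to one record each and score higher than the payment address that only the note mentions; step 06 is a text report here where the real stack produces a PDF.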