// artifact family

anti-forensics detection

190 browser-only forensics tools in this catalog group — browse by artifact family when you know the kind of evidence you are working with, not the investigation pattern.

tools: 190 · catalog slugs: 190 · processing: local · in browser

tools in this family

ordered as in the forensics catalog. every tool runs locally — no upload, no account.

  1. event log service stop detector · drop security or system evtx csv · detect event log service stops and restarts · correlate gaps with adjacent events · surface windows event log service manipulation · identify log blackout windows · runs locally
  2. event log selective deletion detector · drop evtx csv · detect record ID sequence gaps indicating selective event deletion · identify missing event ranges · score tampering probability · surface what was removed · runs locally
  3. audit policy modification detector · drop security evtx csv · detect audit policy changes · identify subcategories disabled · surface reduction in logging coverage · correlate with attack timeline · runs locally
  4. object access auditing disable detector · drop security evtx csv · detect object access audit subcategory disabling · identify file system registry and sam auditing gaps · surface what file access was made invisible · runs locally
  5. process creation audit gap detector · drop security evtx csv · detect gaps in 4688 process creation events · identify windows where process execution was invisible · correlate with command line logging status · surface execution blind spots · runs locally
  6. log forwarding disable detector · drop system evtx csv · detect windows event forwarding subscription changes · identify forwarding disabled events · surface periods where logs were not forwarded to SIEM · runs locally
  7. event log size and retention tampering detector · drop system evtx csv or registry export · detect event log maximum size reductions · identify retention policy changes · surface configuration that caused evidence overwriting · runs locally
  8. event log channel disable detector · drop system evtx csv or wevtutil output · detect individual log channels disabled · identify forensically significant channels that were turned off · surface evidence collection blind spots created · runs locally
  9. synthetic event injection detector · drop evtx csv · detect artificially injected events · identify events with anomalous record IDs · surface timestamp inconsistencies indicating fabricated log entries · runs locally
  10. wevtutil execution artifact detector · drop security system and powershell evtx csvs · detect wevtutil execution patterns · identify log clearing commands · correlate with process creation events · surface log manipulation operations · runs locally
  11. timestomp consistency cross-validator · drop mft csv · cross-validate si and fn timestamps · detect divergence indicating timestomping · score each file · surface manipulated entries · runs locally
  12. timestamp cluster anomaly detector · drop mft or artifact csv · detect unnatural timestamp clustering · identify timestamps set to identical values · surface batch timestomping operations · score file populations by timestamp naturalness · runs locally
  13. si fn timestamp divergence analyzer · drop mft csv · deep analysis of standard information vs file name timestamp divergence · visualize delta distributions · detect systematic manipulation patterns · surface file populations with impossible SI/FN relationships · runs locally
  14. midnight timestamp cluster detector · drop mft or artifact csv · detect files timestamped to exactly midnight or other round values · identify timestomping tool artifacts · surface files with suspiciously clean timestamps · runs locally
  15. future timestamp artifact detector · drop mft or artifact csv · detect files with timestamps in the future · identify timestamps before system installation · surface impossible date values · correlate with system clock evidence · runs locally
  16. timestamp precision collapse detector · drop mft csv · detect mass loss of sub-second timestamp precision · identify files where precision was stripped by external tools · surface populations affected by timestomping operations · runs locally
  17. mft sequence vs timestamp conflict analyzer · drop mft csv · detect conflicts between mft entry sequence and file timestamps · impossible ordering · reused entries · runs locally
  18. indx slack timestamp inconsistency detector · drop indx or mft csv · compare index slack timestamps to current mft · timestomp · deleted files · runs locally
  19. created-before-parent directory anomaly detector · drop mft csv · files created before parent directory · si and fn checks · directory clusters · runs locally
  20. system clock rollback artifact detector · drop evtx csv and mft csv · detect deliberate clock manipulation · forward and backward moves · corrected timeline · runs locally
  21. prefetch absence anomaly detector · drop prefetch file listing csv or directory export · detect disabled prefetch on active systems · identify missing prefetch for known-executed binaries · surface prefetch gaps indicating anti-forensic suppression · runs locally
  22. selective prefetch deletion detector · drop prefetch csv and shimcache or 4688 csv · identify executables that ran but have no prefetch · detect targeted prefetch deletion hiding specific tool usage · surface the gap between execution evidence and prefetch evidence · runs locally
  23. mft entry reuse anomaly detector · drop mft csv · detect abnormally high mft entry reuse rates · identify evidence of mass file deletion and creation in entry slots · surface patterns indicating attacker file staging and cleanup · runs locally
  24. ntfs journal gap analyzer · drop usn journal csv or ntfs logfile csv · detect gaps in journal sequence numbers · identify windows where filesystem activity was not recorded · surface journal clearing or rollover events · runs locally
  25. shellbag vs MFT consistency checker · drop shellbag csv and mft csv · identify directories accessed per shellbags that no longer exist in mft · surface deleted folder access history · detect shellbag clearing · runs locally
  26. AppCompatCache / ShimCache gap analyzer · drop shimcache csv · detect missing entries indicating selective cache clearing · identify time windows with no shimcache activity · surface gaps between shimcache and other execution artifacts · runs locally
  27. alternate data stream forensic scanner · drop ads inventory csv or ntfs file listing · detect files with alternate data streams · identify hidden data in NTFS streams · surface stream names indicating zone identifier manipulation or hidden payloads · runs locally
  28. disk wipe pattern identifier · drop binary sample of unallocated space or paste hex · identify wiping tool signatures · detect overwrite patterns · classify wipe method · surface partial file recovery prospects · runs locally
  29. file shredder remnant and signature scanner · drop mft csv usn journal csv or file listing · detect execution artifacts of file shredding tools · identify sdelete eraser bleachbit cipher patterns · surface files that were securely deleted · runs locally
  30. volume shadow copy deletion detector · drop system or security evtx csv · detect vss deletion commands · identify shadow copy destruction patterns · correlate with ransomware or anti-forensic activity · surface which deletion method was used · runs locally
  31. registry hive rollback detector · drop registry hive exports from multiple control sets · detect values present in backup hive but absent in current · identify registry keys deleted between snapshots · surface rollback evidence · runs locally
  32. UserAssist clearing and gap detector · drop ntuser.dat reg export · detect cleared userassist entries · identify gaps in user program execution history · surface clearing events and suspicious absences · runs locally
  33. runmru and typed paths clearing detector · drop ntuser.dat reg export · detect cleared run dialog history · identify missing typed path entries · surface evidence of user activity history destruction · runs locally
  34. registry key deletion burst detector · drop registry transaction log or security evtx csv · detect rapid bulk registry key deletion · identify scripted registry cleanup operations · surface anti-forensic registry wiping patterns · runs locally
  35. registry ACL and permission modification detector · drop security evtx csv · detect registry key permission changes · identify keys locked from forensic access · surface permission modifications enabling or concealing attacker persistence · runs locally
  36. registry autorun entry removal detector · drop security evtx csv or registry diff export · detect persistence mechanism removal · identify autorun keys deleted during investigation window · surface attacker cleanup of persistence artifacts · runs locally
  37. registry key timestamp anomaly detector · drop registry hive export with last write times · detect abnormal timestamp clustering · identify mass key modification in short windows · surface registry restoration and manipulation events · runs locally
  38. registry value type mismatch detector · drop registry export · detect values with incorrect data types for their expected type · identify type confusion used to hide data or evade tools · surface malformed registry entries indicating tampering · runs locally
  39. deleted registry key remnant scanner · drop registry hive binary or reg export · scan for remnants of deleted registry keys in hive slack space · recover key names and values from deleted cells · surface what was removed from the registry · runs locally
  40. SAM hive modification artifact detector · drop security evtx csv · detect unauthorized sam database access and modification · identify account creation hiding · surface local account manipulation patterns · runs locally
  41. amcache vs prefetch conflict detector · drop amcache csv and prefetch csv · identify conflicts between amcache and prefetch execution records · detect selective artifact deletion · surface executables where one artifact was removed but the other remains · runs locally
  42. bam and dam entry absence detector · drop bam dam registry export and shimcache or 4688 csv · identify executables that ran but have no BAM/DAM entry · detect selective BAM clearing · surface execution evidence gaps in background activity monitor · runs locally
  43. jump list manipulation and clearing detector · drop jumplist csv or automaticDestinations listing · detect cleared jump lists · identify gaps between jump list entries and other execution evidence · surface selective jump list entry removal · runs locally
  44. LNK file absence anomaly detector · drop lnk file listing csv and mft or recent docs csv · identify recently accessed files that have no corresponding LNK file · detect LNK clearing indicating user activity history destruction · surface file access with no shell link record · runs locally
  45. parent process ID spoofing detector · drop 4688 evtx csv or sysmon csv · detect processes with impossible or suspicious parent-child relationships · identify ppid spoofing attacks · surface process trees where claimed parent could not have spawned the child · runs locally
  46. recycle bin artifact and clearing detector · drop recycle bin metadata csv or $I file listing · analyze file deletion timeline · detect bulk deletion events · surface recycle bin clearing patterns · identify deleted file categories · runs locally
  47. scheduled task deletion and history clearing detector · drop security system and task scheduler evtx csvs · detect scheduled task deletion · identify task history clearing · surface task creation followed by deletion indicating attacker cleanup · runs locally
  48. service deletion burst detector · drop system evtx csv · detect rapid service deletion patterns · identify attacker persistence mechanism removal · surface service install-then-delete lifecycle indicating attack tool cleanup · runs locally
  49. shimcache entry order anomaly detector · drop shimcache csv · detect entries out of expected chronological order · identify shimcache manipulation · surface entries inserted at wrong position in the cache · runs locally
  50. userassist vs prefetch execution gap detector · drop userassist csv and prefetch csv · identify executables in one artifact but absent from the other · detect selective artifact clearing targeting specific applications · surface what a user ran that was then hidden · runs locally
  51. antimalware real-time protection disable detector · drop windows defender operational evtx csv or registry export · detect real-time protection disablement · identify antimalware coverage gaps · surface periods where no active scanning was occurring · runs locally
  52. AppLocker and WDAC policy disable detector · drop security evtx csv and registry export · detect application whitelisting policy removal · identify applocker rules deleted · surface wdac policy bypasses and removals · runs locally
  53. etw provider disable and tampering detector · drop system evtx csv or autologger registry export · detect event tracing for windows provider disablement · identify autologger session tampering · surface removal of telemetry and forensic data sources · runs locally
  54. windows firewall log gap detector · drop windows firewall log file · detect gaps in connection logging · identify firewall log clearing events · surface windows where network activity was not recorded · runs locally
  55. LSA protection and credential guard disable detector · drop system evtx csv and registry export · detect lsa protection disabled · identify credential guard removal · surface attempts to weaken credential protection enabling credential theft · runs locally
  56. Sysmon configuration tampering detector · drop sysmon evtx csv and system evtx csv · detect sysmon service stops · identify configuration changes reducing coverage · surface gaps in sysmon telemetry stream · runs locally
  57. defender tamper protection bypass detector · drop windows defender operational evtx csv and security evtx csv · detect tamper protection bypass attempts · identify unauthorized defender configuration changes · surface methods used to modify defender despite tamper protection · runs locally
  58. windows defender exclusion artifact detector · drop security evtx csv or registry export · detect defender exclusion additions · identify paths processes and extensions excluded from scanning · surface exclusions covering attacker tools · runs locally
  59. browser cache clearing burst detector · drop mft csv or browser cache file listing · detect sudden bulk deletion of cached browser files · identify cache clearing events and their timestamps · surface deliberate cache destruction · runs locally
  60. browser extension removal burst detector · drop chrome extensions directory listing or mft csv · detect sudden bulk extension removal · identify forensic or security extensions targeted for removal · surface extension deletion covering investigative tracks · runs locally
  61. AMSI bypass artifact detector · drop powershell evtx csv or script block content · detect amsi bypass attempts · identify known bypass patterns · surface memory patch attempts and reflection-based amsi disabling · runs locally
  62. PowerShell encoded command burst detector · drop 4688 or sysmon evtx csv · detect bursts of base64 encoded powershell commands · decode all encoded commands · identify obfuscation patterns · surface what was executed under encoding cover · runs locally
  63. LOLBin execution burst detector · drop 4688 or sysmon evtx csv · detect living off the land binary execution · identify lolbin abuse patterns · surface unusual lolbin invocations and burst usage · runs locally
  64. PowerShell version 2 downgrade attack detector · drop security evtx csv powershell evtx csv or 4688 csv · detect powershell version 2 invocation · identify downgrade attacks bypassing logging and amsi · surface all version 2 execution instances · runs locally
  65. PowerShell history clearing detector · drop powershell operational evtx csv or psreadline history file · detect cleared powershell command history · identify gaps in command execution record · surface anti-forensic powershell history manipulation · runs locally
  66. psreadline history gap and anomaly analyzer · paste or drop psreadline consolehost_history txt · detect gaps in command history · identify suspicious command sequences · surface anti-forensic commands · reconstruct powershell session timeline · runs locally
  67. script block logging disable detector · drop powershell operational evtx csv and security evtx csv · detect script block logging disablement · identify registry changes disabling powershell logging · surface gaps in powershell execution record · runs locally
  68. browser history clearing pattern detector · drop chrome firefox or edge sqlite history db csv · detect history clearing events · identify gaps in browsing timeline · surface clearing timestamps and what was removed · runs locally
  69. favicon database forensic gap analyzer · drop chrome favicon db csv or firefox favicons sqlite csv · detect favicon records for domains with no corresponding history · surface browsing activity preserved in favicon cache after history was cleared · runs locally
  70. private browsing session artifact remnant detector · drop browser profile directory listing mft csv or dns cache export · detect remnants of private browsing sessions · identify artifacts that survive incognito mode · surface what private browsing left behind · runs locally
  71. anti-analysis and sandbox evasion artifact detector · drop 4688 or sysmon evtx csv · detect malware anti-analysis behaviors · identify sleep-based and environment-check evasion patterns · surface processes that checked for vm or debugger presence · runs locally
  72. memory credential theft artifact detector · drop security evtx csv and sysmon evtx csv · detect credential dumping from memory · identify lsass access patterns · surface mimikatz and other credential dumper indicators · runs locally
  73. process doppelganging and herpaderping artifact detector · drop sysmon evtx csv · detect process doppelganging and herpaderping artifacts · identify transacted ntfs file writes (doppelganging) and image files overwritten after the section was mapped (herpaderping) followed by execution · surface advanced in-memory evasion techniques · runs locally
  74. process hollowing artifact analyzer · drop sysmon evtx csv or 4688 evtx csv · detect process hollowing indicators · identify processes with suspicious memory allocation patterns · surface unmapped PE sections and known hollowing tool signatures · runs locally
  75. reflective DLL load indicator detector · drop sysmon evtx csv · detect reflective dll loading patterns · identify modules loaded without corresponding file on disk · surface in-memory only dll execution · runs locally
  76. DNS query log gap analyzer · drop dns debug log csv or sysmon dns evtx csv · detect gaps in dns resolution logging · identify windows where dns activity was not recorded · surface dns logging disable events · runs locally
  77. HOSTS file modification detector · drop hosts file content or paste text · analyze hosts file for suspicious entries · detect dns hijacking and security tool blocking entries · surface anti-forensic and evasion-related host overrides · runs locally
  78. MAC address spoofing artifact detector · drop system evtx csv or registry export · detect network adapter mac address changes · identify locally administered mac addresses indicating spoofing · surface adapter reconfiguration events · runs locally
  79. network share access log clearing detector · drop security evtx csv · detect smb network share access log gaps · identify share access audit disable events · surface lateral movement that was logged then cleared · runs locally
  80. remote desktop log clearing and gap detector · drop rdp evtx csvs · detect rdp session log gaps · identify rdp channel clearing · surface rdp session reconstruction with cleared log indicators · runs locally
  81. anti-forensic tool signature scanner · drop prefetch shimcache amcache or 4688 evtx csv · detect execution of known anti-forensic tools · identify cleaners wipers and evidence destruction utilities · surface when and how evidence destruction occurred · runs locally
  82. counter-investigation behavioral pattern detector · drop multiple evtx csvs shimcache prefetch and registry exports · detect behaviors indicating suspect is aware of investigation · identify evidence of surveillance detection and counter-forensic activity · surface systematic investigation evasion · runs locally
  83. evidence of evidence deletion detector · drop mft usn journal prefetch shimcache and evtx csvs · detect coordinated multi-artifact evidence destruction · identify systematic cleanup campaigns · score the overall anti-forensic effort · surface the full picture of what was removed · runs locally
  84. forensic imaging tool artifact detector · drop prefetch shimcache amcache or mft csv · detect forensic imaging tool execution on the suspect machine · identify when the machine was imaged · surface imaging artifacts and write blocker evidence · runs locally
  85. forensic tool execution artifact detector · drop prefetch shimcache amcache or 4688 evtx csv · detect forensic investigation tools run on the suspect machine · identify who ran forensic tools and when · surface examiner or attacker tool reconnaissance on the machine · runs locally
  86. duplicate event record detector · drop evtx csv · detect exact duplicate event records · identify injected synthetic duplicates · surface events that appear twice with identical content but different record IDs · runs locally
  87. event log file and channel ACL modification detector · drop security evtx csv · detect permission changes on evtx log files or channels · identify access restrictions preventing forensic reading · surface acl modifications locking investigators out of log data · runs locally
  88. event log backup artifact analyzer · drop evtx csv or system evtx · detect automatic event log backup events · identify backup files created before log clearing · surface evidence that backups were taken then destroyed · runs locally
  89. event log computer name spoofing detector · drop evtx csv from multiple sources · detect events claiming to originate from unexpected computer names · identify log injection using spoofed source computer names · surface events inconsistent with the machine that generated them · runs locally
  90. event log export timing anomaly detector · drop security evtx csv · detect evidence of event log export operations · identify logs that were exported then cleared · surface wevtutil epl and other export commands preceding clearing · runs locally
  91. event log record overwrite pattern detector · drop evtx csv · detect evidence that log records were overwritten due to size constraints · identify intentionally triggered overwrite attacks · surface evidence of forced log rotation destroying historical records · runs locally
  92. event log sequence number deep gap analyzer · drop multiple evtx csvs · cross-channel sequence number analysis · detect record ID gaps across all loaded channels simultaneously · identify coordinated multi-channel deletion · surface which channels were targeted · runs locally
  93. event log source registration tampering detector · drop registry export · detect modified event log source registrations · identify providers removed or added to hide or inject events · surface manipulation of the event provider registry · runs locally
  94. event log thread ID and process ID anomaly detector · drop security evtx csv · detect events with impossible or anomalous process and thread IDs · identify synthetic events with invalid PID/TID values · surface fabricated log entries detectable by process context · runs locally
  95. event log time source conflict detector · drop evtx csvs from multiple channels · detect timestamp inconsistencies between channels that should be synchronized · identify events that contradict each other temporally · surface clock manipulation artifacts across log sources · runs locally
  96. PE compile timestamp vs filesystem timestamp conflict detector · drop mft csv or file listing with pe headers · extract compile timestamps from pe headers · detect files with filesystem timestamps earlier than their compile timestamp · surface impossible binaries indicating timestomping · runs locally
  97. document metadata vs filesystem timestamp conflict detector · drop document files or metadata csv · extract internal document timestamps · compare against filesystem creation and modification times · detect document timestamps inconsistent with filesystem evidence · runs locally
  98. sub-second timestamp suppression detector · drop mft csv · detect systematic loss of sub-second timestamp precision across file populations · identify files where 100ns ntfs precision was stripped · surface the boundary between natural and tool-written timestamps · runs locally
  99. timestamp rounding pattern detector · drop mft csv · detect files whose timestamps have been rounded to the nearest second minute or hour · identify specific rounding patterns indicating timestomping tool quantization · surface systematic rounding across file populations · runs locally
  100. USN journal vs MFT timestamp conflict detector · drop usn journal csv and mft csv · detect timestamp values in usn journal that contradict current mft timestamps · surface files whose timestamps were modified after they were last journaled · runs locally
  101. boot sector modification artifact detector · drop system evtx csv or bcdedit output · detect boot sector and bcd modification events · identify bootkit installation artifacts · surface unauthorized boot configuration changes · runs locally
  102. deliberate fragmentation pattern detector · drop mft csv with cluster run data · detect files with unusual fragmentation patterns · identify deliberate fragmentation used to slow forensic analysis · surface files spread across abnormally many clusters · runs locally
  103. EFS encrypted file cluster pattern analyzer · drop mft csv · detect encrypted file system usage patterns · identify mass efs encryption events · surface encryption used to hide data before investigation · correlate with certificate and key evidence · runs locally
  104. file extension vs magic byte mismatch scanner · drop file listing with hashes or paste file paths and first bytes · detect files with extensions inconsistent with their actual content type · identify renamed malware and hidden payloads · surface extension-based camouflage · runs locally
  105. file size vs content mismatch detector · drop file listing with sizes or mft csv · detect files with logical size inconsistent with their type · identify zero-byte executables and oversized text files indicating hidden or replaced content · runs locally
  106. NTFS file system tunneling artifact detector · drop mft csv · detect file system tunnel cache artifacts · identify files that inherited timestamps from deleted predecessors · surface anti-forensic timestamp inheritance exploitation · runs locally
  107. hard link abuse artifact detector · drop mft csv · detect files with unusual numbers of hard links · identify hard link creation patterns used to complicate forensic analysis · surface files accessible from multiple paths to hide their true location · runs locally
  108. hidden and unaccounted partition detector · drop disk layout text or diskpart output · detect partitions not visible in windows explorer · identify hidden volumes and unaccounted disk space · surface potential truecrypt veracrypt hidden volumes · runs locally
  109. MFT slack space artifact detector · drop mft binary or slack extraction csv · detect artifacts hidden in mft record slack · identify residual data from previous file occupants · surface hidden data and historical file metadata in unused mft space · runs locally
  110. orphaned MFT entry detector · drop mft csv · detect mft entries whose parent directory no longer exists · reconstruct orphaned file paths · surface files that survived directory deletion and identify hidden file locations · runs locally
  111. sparse file artifact detector · drop mft csv · detect sparse files used to hide data or create dummy large files · identify sparse file patterns inconsistent with legitimate use · surface anti-forensic use of ntfs sparse file feature · runs locally
  112. COM object hijack residue detector · drop registry export · detect user-level com registrations overriding system com objects · identify com hijacking artifacts used for persistence or uac bypass · surface hkcu com entries that shadow hklm entries · runs locally
  113. execution time vs login session conflict detector · drop security evtx csv and shimcache or prefetch csv · detect execution evidence occurring outside known login sessions · identify executions that cannot be attributed to any user session · surface phantom execution gaps indicating anti-forensic log manipulation · runs locally
  114. known DLL hijack residue detector · drop mft csv or file listing · detect dll files placed in application directories to shadow system dlls · identify dll search order hijacking artifacts · surface ghost dlls that loaded instead of legitimate system libraries · runs locally
  115. prefetch hash anomaly and collision detector · drop prefetch file listing csv · detect multiple prefetch files for the same executable name · identify differing path hashes indicating execution from multiple paths · surface hash manipulation and path-based execution hiding · runs locally
  116. recent documents vs LNK file consistency checker · drop ntuser.dat reg export and lnk file listing csv · identify documents in recent docs registry key with no corresponding lnk file · detect selective lnk clearing while registry entries remain · surface inconsistencies between artifact sources · runs locally
  117. RunOnce and run key clearing artifact detector · drop security evtx csv or registry export · detect run and runonce key value deletion · identify persistence mechanism removal · surface autorun entries that existed and were then deleted during the investigation window · runs locally
  118. startup approved entries manipulation detector · drop registry export · detect changes to startup approved keys controlling which startup items are enabled · identify startup items disabled or removed via startup approved registry · surface manipulation of startup item visibility · runs locally
  119. startup folder artifact gap detector · drop mft csv and prefetch or shimcache csv · detect missing startup folder entries for processes known to have run at startup · identify startup folder clearing · surface execution evidence without corresponding startup artifacts · runs locally
  120. task scheduler transaction log gap detector · drop microsoft-windows-taskscheduler operational evtx csv · detect gaps in task scheduler event records · identify task history clearing and channel disablement · surface scheduled task execution windows that were erased · runs locally
  121. jump list selective clearing detector · drop automaticDestinations file listing and mft csv · detect cleared or emptied jump list files · identify applications with cleared jump lists despite evidence of use · surface selective jump list destruction targeting specific applications · runs locally
  122. recent documents registry clearing artifact detector · drop ntuser.dat reg export · detect cleared recent documents registry entries · identify gaps in the recent document history · surface bulk clearing of document access records · runs locally
  123. registry hive size anomaly detector · drop registry hive file listing or disk inventory csv · detect registry hives that are unusually small or large · identify hives that were truncated or padded · surface hive size inconsistencies indicating tampering or replacement · runs locally
  124. registry key name collision and spoofing detector · drop registry export · detect registry key names that closely mimic legitimate key names · identify homoglyph and whitespace tricks in key names · surface attacker persistence hidden in look-alike key names · runs locally
  125. registry key ownership anomaly detector · drop registry export with security descriptors · detect registry keys owned by unexpected accounts · identify attacker-owned registry keys that survived cleanup · surface ownership anomalies indicating unauthorized key creation · runs locally
  126. registry last write time regression detector · drop registry export with timestamps from multiple snapshots · detect registry keys whose last write time regressed between snapshots · identify impossible timestamp rollbacks in registry key history · surface offline editing and hive restoration artifacts · runs locally
  127. registry hive slack space artifact detector · drop registry hive binary or slack extraction output · detect artifacts hidden in registry hive slack space · identify residual data from deleted keys in hive free cells · surface historical registry content from slack · runs locally
  128. registry transaction log gap analyzer · drop registry hive and transaction log files · detect gaps or corruption in registry transaction logs · identify hive states inconsistent with their transaction history · surface evidence of offline hive editing bypassing transactions · runs locally
  129. registry value data entropy analyzer · drop registry export · detect registry values with abnormally high entropy indicating encoded or encrypted content · identify shellcode or payloads stored in registry values · surface obfuscated persistence payloads · runs locally
  130. SYSTEM hive rollback indicator detector · drop system evtx csv and registry export · detect evidence that the system hive was restored to a previous state · identify service and driver configurations inconsistent with event log history · surface rollback attacks hiding configuration changes · runs locally
  131. browser cookie clearing pattern detector · drop chrome cookies sqlite csv · detect cookie clearing events · identify gaps in cookie history · surface session token deletion indicating deliberate authentication evidence destruction · runs locally
  132. browser download history gap analyzerdrop chrome or firefox downloads history sqlite csv · detect gaps in download records · identify cleared download history · surface downloads that occurred but are not in the history · runs locally
  133. browser profile deletion artifact detectordrop mft csv · detect deleted browser profile directories · identify evidence of entire browser profile removal · surface remnant artifacts proving a browser was used despite profile deletion · runs locally
  134. browser saved password clearing detectordrop chrome login data sqlite csv or mft csv · detect cleared browser saved passwords · identify evidence of credential store access or wiping · surface password store access by unauthorized processes · runs locally
  135. browser search history gap analyzerdrop chrome history sqlite csv or firefox places sqlite csv · detect gaps in search query history · identify periods of active browsing with no search terms recorded · surface selective search history deletion · runs locally
  136. browser session restore suppression detectordrop mft csv or browser profile directory listing · detect deletion of browser session restore files · identify suppression of session data that would have preserved browsing state · surface last session reconstruction from remnants · runs locally
  137. browser typed URL clearing artifact detectordrop chrome history sqlite csv · detect cleared typed url records · identify gaps between typed urls and visit history · surface deliberate removal of directly typed navigation evidence · runs locally
  138. IndexedDB and web storage clearing detectordrop mft csv filtered to browser profile paths · detect cleared indexeddb and local storage databases · identify web application data stores that were selectively wiped · surface web app session evidence in storage remnants · runs locally
  139. BITSAdmin and BITS transfer artifact detectordrop 4688 evtx csv and bits operational evtx csv · detect bitsadmin used for malicious file transfer · identify bits jobs downloading attacker content · surface persistence via bits job scheduling · runs locally
  140. CertUtil abuse artifact detectordrop 4688 or sysmon evtx csv · detect certutil used as downloader or decoder · identify base64 decode and url cache operations · surface all certutil abuse patterns with decoded content · runs locally
  141. PowerShell constrained language mode bypass detectordrop powershell operational evtx csv · detect constrained language mode bypass attempts · identify techniques used to escape powershell restrictions · surface clm bypass artifacts in script block logs · runs locally
  142. MSHTA abuse artifact detectordrop 4688 or sysmon evtx csv · detect mshta hta execution abuse · identify inline script execution via mshta · surface remote hta loading and vbscript javascript abuse patterns · runs locally
  143. powershell module logging disable detectordrop powershell operational evtx csv and registry export · detect module logging disabled or never configured · identify gaps in powershell pipeline logging · surface periods with no module execution records · runs locally
  144. PowerShell transcription disable and gap detectordrop registry export and powershell operational evtx csv · detect transcription logging disabled · identify missing transcript files · surface gaps in powershell session recording · runs locally
  145. regsvr32 Squiblydoo and COM scriptlet abuse detectordrop 4688 or sysmon evtx csv · detect regsvr32 used to execute remote com scriptlets · identify squiblydoo technique and inline script execution · surface regsvr32 abuse patterns bypassing applocker · runs locally
  146. WScript and CScript execution artifact detectordrop 4688 or sysmon evtx csv · detect wscript and cscript execution patterns · identify script execution without corresponding script files · surface encoded and obfuscated script execution · runs locally
  147. crash dump and minidump suppression detectordrop registry export and mft csv · detect crash dump generation disabled or dumps deleted · identify processes that crashed without leaving minidumps · surface kernel crash dump configuration tampering · runs locally
  148. Credential Guard and VBS disable artifact detectordrop system evtx csv and registry export · detect virtualization based security disabled · identify credential guard removal enabling credential theft · surface vbs configuration changes · runs locally
  149. firewall rule deletion burst detectordrop security evtx csv · detect bulk firewall rule deletion · identify removal of network monitoring rules · surface firewall configuration destruction enabling unmonitored network communication · runs locally
  150. safe boot registry modification detectordrop security evtx csv and registry export · detect safe boot configuration changes · identify services added to safe boot mode bypassing security software · surface safe boot abuse for anti-forensic purposes · runs locally
  151. secure boot violation and bypass artifact detectordrop system evtx csv and registry export · detect secure boot disabled or bypassed · identify code integrity violations at boot · surface bootkit and rootkit enablement through secure boot manipulation · runs locally
  152. security descriptor tampering detectordrop security evtx csv · detect changes to security descriptors on forensically significant objects · identify permission modifications locking out investigators · surface acl changes enabling attacker persistence or data access · runs locally
  153. token privilege abuse and manipulation detectordrop security evtx csv · detect token privilege abuse for privilege escalation or anti-forensic purposes · identify sebackupprivilege and serestoreprivilege abuse accessing restricted files · surface token manipulation events · runs locally
  154. Windows Error Reporting suppression detectordrop system evtx csv and registry export · detect windows error reporting disabled or suppressed · identify crash dump suppression hiding evidence of crashing malware · surface wer configuration changes · runs locally
  155. windows defender detection history clearing detectordrop windows defender operational evtx csv · detect clearing of defender threat detection history · identify removal of malware detection records · surface evidence that detection events were erased · runs locally
  156. Windows Activity History collection suppression detectordrop registry export · detect activity history collection disabled across all collection mechanisms · identify policy-level activity suppression · compute an overall activity collection suppression score · runs locally
  157. cortana and windows search query artifact gap detectordrop mft csv and registry export · detect cortana search history cleared or disabled · identify windows search query gaps · surface suppression of local search activity evidence · runs locally
  158. readyboost usb cache artifact and deletion detectordrop mft csv and registry export · detect readyboost cache files deleted from usb devices · identify evidence of usb-based memory cache destruction · surface emDMgmt registry entries for previously connected readyboost devices · runs locally
  159. shadow copy creation disable and suppression detectordrop registry export and system evtx csv · detect volume shadow copy service disabled or shadow copy creation suppressed · identify configuration changes preventing future shadow copy creation · surface vss service manipulation · runs locally
  160. windows timeline vs search history cross-reference detectordrop activitiescache db csv and wordwheelquery reg export · detect gaps between windows timeline activity and local search history · identify selective clearing of one artifact while other remains · surface timeline consistency anomalies · runs locally
  161. artifact absence anomaly scoring detectordrop any combination of evtx mft prefetch shimcache registry and browser csvs · score the overall pattern of absent expected artifacts · identify which evidence sources are missing and why · surface artifact absence as a forensic finding in itself · runs locally
  162. disk imaging and acquisition tool execution detectordrop prefetch shimcache or 4688 evtx csv and mft csv · detect disk imaging tool execution · identify when disk images were created · surface forensic image files and acquisition method · runs locally
  163. forensic boot media usage artifact detectordrop system evtx csv and registry export · detect evidence of booting from external media · identify usb boot events and alternate os boot artifacts · surface forensic live boot or attacker bootable media usage · runs locally
  164. forensic investigator account artifact detectordrop security evtx csv · detect accounts created for forensic examination purposes · identify investigator logon sessions · surface examination timeline and investigator account activity · runs locally
  165. live response tool execution artifact detectordrop prefetch shimcache amcache or 4688 evtx csv · detect live response and triage collection tool execution · identify when and how live response was performed · surface kape triage collector and incident response tool artifacts · runs locally
  166. log wiping pattern and tool attribution detectordrop any evtx csv mft csv or prefetch csv · detect signatures of known log wiping tools and techniques · identify automated vs manual wiping patterns · surface coordinated log destruction with tool attribution · runs locally
  167. memory acquisition tool artifact detectordrop prefetch shimcache or 4688 evtx csv and mft csv · detect memory imaging tool execution · identify when ram was acquired · surface memory dump files and acquisition method · runs locally
  168. remote forensic collection artifact detectordrop security evtx csv and system evtx csv · detect remote forensic collection agent activity · identify velociraptor grr and edrmdr collection artifacts · surface evidence of remote live response operations · runs locally
  169. write blocker configuration and bypass artifact detectordrop registry export and system evtx csv · detect write blocker configuration in registry · identify attempts to write to a read-only protected device · surface write blocker bypass attempts · runs locally
  170. NTFS compressed file anomaly detectordrop mft csv · detect files with NTFS compression applied anomalously · identify compressed executables and unusual compressed file populations · surface compression used to obscure file sizes and evade detection · runs locally
  171. directory entry slack artifact extractordrop directory entry export or mft csv with slack · extract artifacts from directory entry slack space · recover historical filenames and timestamps from directory index slack · surface evidence of deleted files from NTFS index slack · runs locally
  172. MFT record slack residue deep extractordrop mft binary or mft slack csv · extract and analyze residual data from mft record slack fields · recover previous attribute fragments from unused record space · surface historical file metadata hidden in mft slack · runs locally
  173. NTFS USN journal wrap and evidence loss detectordrop usn journal csv · detect journal wrap events where oldest records were overwritten · estimate how much file activity history was lost · identify intentionally triggered journal wraps destroying evidence · runs locally
  174. ntfs filesystem metadata anomaly detectordrop mft csv or ntfs metadata export · detect anomalies in core ntfs metadata files · identify tampered boot sector volume header or mft mirror · surface filesystem-level anti-forensic modifications · runs locally
  175. partition table and MBR anomaly detectordrop mbr binary paste or diskpart output · detect partition table anomalies indicating tampering · identify non-standard partition configurations · surface MBR modification and bootkit artifacts in partition layout · runs locally
  176. recycle bin restoration and bypass artifact detectordrop mft csv and usn journal csv · detect files restored from the recycle bin · identify files sent to recycle bin then immediately restored (suspicious cycling) · surface recycle bin bypass using shift-delete · runs locally
  177. secure delete overwrite pattern remnant scannerdrop binary sample of file slack or unallocated space · identify overwrite patterns from specific secure delete tools · fingerprint the wipe method used · assess what if anything is recoverable · runs locally
  178. unallocated space artifact scannerdrop raw unallocated space binary or carved strings export · scan for file headers and forensic artifacts in unallocated clusters · identify deleted file remnants · surface file types recoverable from unallocated space · runs locally
  179. audit subcategory coverage gap deep analyzerdrop security evtx csv · perform deep analysis of all audit subcategory disable events · map exact forensic blind spots created by each disable · surface the cumulative coverage loss across the investigation window · runs locally
  180. browser crash report artifact and suppression detectordrop mft csv filtered to browser crash paths · detect deleted or absent browser crash reports · identify crash report suppression hiding browser activity · surface crash report content for forensic value · runs locally
  181. browser telemetry and crash reporting disable detectordrop registry export or browser policy files · detect browser telemetry and usage statistics disabled · identify crash reporting suppression preventing cloud-side evidence · surface browser privacy hardening used to reduce forensic footprint · runs locally
  182. covert channel communication artifact detectordrop sysmon network evtx csv or dns cache export · detect covert channel communication patterns · identify dns tunneling icmp tunneling and protocol abuse · surface data exfiltration hidden in legitimate protocol traffic · runs locally
  183. forensic acquisition method and timeline reconstructordrop prefetch shimcache mft and security evtx csvs · reconstruct the complete forensic acquisition timeline · identify what was collected when and by whom · surface the investigation method and any collection gaps · runs locally
  184. subject investigation awareness behavioral detectordrop prefetch shimcache browser history and registry exports · detect behavioral patterns indicating the subject is aware of or responding to an investigation · identify forensic tool scanning and evidence scrubbing triggered by external events · surface reactive anti-forensic behavior · runs locally
  185. malware sandbox and VM environment evasion detectordrop sysmon evtx csv · detect malware performing environment checks for vm sandbox and analysis detection · identify registry and wmi queries probing for virtual machine artifacts · surface systematic evasion behavior · runs locally
  186. memory artifact suppression via large page detectordrop sysmon evtx csv and registry export · detect large page allocation and memory locking used to prevent pagefile evidence · identify techniques avoiding memory artifact creation · surface memory management abuse for anti-forensic purposes · runs locally
  187. NetBIOS name spoofing and LLMNR poisoning artifact detectordrop system evtx csv and sysmon evtx csv · detect netbios and llmnr poisoning artifacts · identify name resolution anomalies used for credential capture · surface nbt-ns and llmnr abuse patterns · runs locally
  188. NTLM credential capture and relay artifact detectordrop security evtx csv and system evtx csv · detect ntlm relay attack artifacts · identify responder and inveigh execution remnants · surface forced authentication attempts and credential capture patterns · runs locally
  189. program compatibility assistant artifact gap detectordrop mft csv and registry export · detect program compatibility assistant database gaps · identify pca artifact clearing · surface execution evidence recorded in pca that was then wiped · runs locally
  190. windows defender cloud protection disable detectordrop windows defender operational evtx csv and registry export · detect cloud protection and maps reporting disabled · identify spynet telemetry suppression · surface defender intelligence feed disconnection hiding malware from cloud detection · runs locally