// artifact family

authentication / identity

24 browser-only forensics tools in this catalog group — browse by artifact family when you know the kind of evidence you are working with, not the investigation pattern.

tools: 24
catalog slugs: 24
processing: local · in browser

tools in this family

ordered as in the forensics catalog. every tool runs locally — no upload, no account.

  1. ad cs certificate template abuse detector: drop ad cs ca audit log · detect esc1-esc11 template abuse patterns
  2. ad cs shadow credentials detector: drop ad object diff + msds-keycredentiallink · detect shadow-cred attacks
  3. adminsdholder modification detector: drop ad replication + acl audit · detect adminsdholder tampering
  4. azure ad conditional access decision log forensic analyzer: drop entra id sign-in log · parse conditional access policy decisions
  5. azure ad fed trust modification detector: drop entra id federation config audit · detect rogue federated trust additions
  6. azure ad passwordless auth forensic analyzer: drop entra id auth log · parse fido2 + ms authenticator + tap usage
  7. dcshadow detection from dc event log: drop dc event log + replication state · detect rogue replication writes
  8. dcsync detection from dc event log: drop domain controller event log · detect drsuapi getncchanges replication abuse
  9. duo authentication log forensic analyzer: drop duo admin api auth log · parse push + bypass + denial events
  10. fido2 attestation statement forensic analyzer: drop fido2 attestation (packed/tpm/android-key) · parse aaguid + cert chain
  11. gpo sysvol modification detector: drop sysvol diff · parse gpo + gpttmpl + scripts changes
  12. jumpcloud event log forensic analyzer: drop jumpcloud directory event export · parse auth + admin events
  13. kerberos golden silver diamond sapphire ticket detector: drop event log + sysmon + zeek kerberos · detect all four ticket abuse classes
  14. lapsv2 password access audit analyzer: drop ad event 4662 + laps log · parse password reads
  15. oidc id token forensic analyzer: drop oidc id_token + userinfo · parse claims + acr + auth_time · timeline + findings export · runs locally
  16. okta system log forensic deep analyzer: drop okta system log json · parse authn + admin + policy events
  17. onelogin event log forensic analyzer: drop onelogin event log · parse user + app events
  18. ping identity audit log forensic analyzer: drop ping audit log · parse authn + admin events
  19. saml idp metadata forensic analyzer: drop saml idp metadata xml · parse signing certs + endpoints + history
  20. saml response forensic analyzer: drop saml response xml · parse assertions + attributes + signing · detect replay + audience mismatch · runs locally
  21. scim provisioning log forensic analyzer: drop idp scim provisioning log · parse user / group provisioning events
  22. sid history injection detector: drop ad object export · detect sidhistory abuse
  23. webauthn passkey audit forensic analyzer: drop webauthn registration + assertion log · parse authenticator data + counter
  24. yubikey usage log forensic analyzer: drop yubikey audit log (where available) · parse credential usage events