// artifact family
windows artifacts
73 browser-only forensics tools in this catalog group — browse by artifact family when you know the kind of evidence you are working with, not the investigation pattern.
tools in this family
ordered as in the forensics catalog. every tool runs locally — no upload, no account.
- windows event log parser: drop a .evtx file · parse Windows event log · filter by event ID · level · source · export CSV · runs locally
- windows event log deep dive: drop EVTX · map event IDs to attack techniques · 4624 logon · 4688 process creation · 7045 service install · 4698 scheduled task · Kerberoasting · lateral movement chains · runs locally
- windows event log attack chain mapper: drop evtx csvs · map event ids to mitre attack techniques · reconstruct lateral movement chains · credential access · persistence · discovery · flag sequences, not just individual events · runs locally
- sam account change timeline: drop sam registry export or security evtx csv · timeline account creates, disables and password changes · correlate with logon events · runs locally
- dpapi artifact analyzer: drop dpapi blob export or registry csv · identify master key scope · flag credential vault entries · correlate user sids · runs locally
- windows credential manager forensics: drop credman export or vault csv · list stored credentials · flag generic vs domain · surface target anomalies · runs locally
- token manipulation artifact analyzer: drop security evtx csv · detect token impersonation and privilege events · 4624 logon type 2/3 anomalies · special privileges assigned · runs locally
- admin share access timeline: drop security evtx csv · timeline admin$ ipc$ c$ share access · 5140 5145 events · correlate source ips · runs locally
- privilege escalation timeline reconstructor: drop security evtx csv · reconstruct privilege changes · 4672 special privileges · 4673 privileged service calls · 4674 operations on privileged objects · token elevation events · runs locally
- password spray & brute force detector: drop security evtx csv · analyze authentication failure patterns · detect low-and-slow password spray · high-speed brute force · credential stuffing patterns · flag attacker ips · runs locally
- prefetch analyzer: drop a Windows .pf prefetch file · last run time · run count · referenced files and volumes · export CSV · runs locally
- prefetch deep correlator: drop multiple pf files · execution timeline · inferred process edges · shared paths · deleted exe hints · hash dupes · uncompressed scca only (windows 10 and later .pf files are mam-compressed and must be decompressed first) · runs locally
- lnk file parser: drop a Windows .lnk shortcut · target path · timestamps · machine ID · volume serial · network share info · runs locally
- windows lnk deep analyzer: drop Windows .lnk shortcut files · parse full shell link structure · target path · command line · machine GUID · volume serial · timestamps · network share · tracker block · export CSV · runs locally
- windows jump list parser: drop .automaticDestinations-ms or .customDestinations-ms · parse OLE compound structure (automatic destinations) and concatenated lnk streams (custom destinations) · extract recently accessed files per app · timestamps · AppIDs · export CSV · runs locally
- recycle bin analyzer: drop Windows Recycle Bin $I index files · decode original path · deleted timestamp · file size · export CSV · runs locally
- shellbags analyzer: drop a Windows registry hive (NTUSER.DAT or UsrClass.dat) · extract shellbag entries · folder browsing history · paths · timestamps · export CSV · runs locally
- registry hive parser: drop a Windows registry hive · NTUSER.DAT · SOFTWARE · SYSTEM · browse keys and values · export CSV · runs locally
- registry autoruns & services parser: drop NTUSER.DAT · SOFTWARE · or SYSTEM hive · parse Run keys · services · scheduled load points · flag suspicious paths · export CSV · runs locally
- userassist decoder: drop ntuser.dat or paste userassist registry exports · decode rot13 · run counts · filetimes · execution timeline · flags · csv export · runs locally
- mui cache analyzer: drop ntuser.dat (xp) or usrclass.dat (vista and later) · shell muicache · friendly exe names · company strings · mismatch flags · runs locally
- wmi repository analyzer: drop windows wmi repository files · parse objects.data · extract classes and instances · event subscriptions · persistence detection · runs locally
- srum analyzer: drop srudb.dat (system resource usage monitor) · 30-60 days of app, network and energy activity timeline · ese database · runs locally
- shimcache parser: drop SYSTEM hive · parse AppCompatCache · execution traces · deleted binary detection · timestamps (the file's last-modified time, not an execution time) · heuristic · export CSV · runs locally
- amcache parser: drop Amcache.hve · parse executed binaries · SHA1 hashes (computed over the first 31 MB of each file) · file paths · first run timestamps · program inventory · export CSV · runs locally
- thumbcache viewer: drop Windows Thumbs.db or thumbcache_*.db · extract all thumbnail images · original filename metadata · export all as ZIP · runs locally
- pagefile extractor: drop Windows pagefile.sys or hiberfil.sys · extract strings · URLs · file paths · credential artifacts · hiberfil.sys pages are xpress-compressed, so raw string extraction only reaches uncompressed regions unless the file is decompressed first · runs locally
- windows wi-fi profile parser: drop Windows wireless XML profiles · extract SSID · authentication type · encryption · saved credentials (if present; keyMaterial is dpapi-protected unless the profile was exported with key=clear) · detect open networks · export CSV · runs locally
- windows scheduled tasks parser: drop Windows Task Scheduler .xml files · parse triggers · actions · principals · detect persistence · suspicious executables · network paths · runs locally
- windows scheduled task analyzer: drop task scheduler xml · triggers · actions · principals · suspicion score · encoded powershell decode · persistence hints · runs locally
- timestamp manipulation detector: csv manifest or browser file timestamps · mace anomalies · bulk clones · scatter + heatmap · timestomp hints · export csv · runs locally
- windows event log gap analyzer: drop multiple evtx · merged timeline · logging gaps · clearing events · ransomware prep chains · service persistence hints · runs locally
- bam dam parser: drop system hive (bam/dam state lives under services\bam\state\usersettings, not in the software hive) · background activity moderator · desktop activity moderator · sid · last run filetime · sequence · filter · csv · runs locally
- activities cache analyzer: drop activitiescache.db · windows timeline activity table · types · clipboard · duration · summary · csv export · runs locally
- wordwheelquery parser: ntuser.dat or reg paste · explorer wordwheelquery · mru search terms · ordered list · csv export · runs locally
- typedpaths extractor: ntuser.dat or reg paste · explorer typedpaths · ie typedurls · filetime timestamps · mru rank · csv export · runs locally
- cortana db analyzer: drop cortana sqlite db · search history tables · row counts · timeline · device search · csv export · runs locally
- lnk timeline correlator: drop multiple Windows .lnk shortcuts · unified FILETIME timeline · machine GUID · volume serial · dedupe targets · CSV export · runs locally
- rdp cache parser: drop .bmc/.bin cache files · RDP8 magic or legacy BGRA tiles · thumbnail grid · hide uniform tiles · export zip · runs locally
- windows search index parser: drop Windows.edb · ESE catalog btree · SystemIndex paths · search terms · raw tables · filter · csv export · runs locally
- sticky notes forensic analyzer: drop plum.sqlite or legacy .snt · extract notes including deleted · timestamps · sensitive content flags · export csv · runs locally
- windows clipboard history forensic analyzer: drop clipboard history sqlite or activitiescache db · credential and sensitive data detection · timeline · export csv · runs locally
- recentdocs mru deep analyzer: drop ntuser.dat reg export · parse recentdocs mru · office file mru · sensitive file type flags · export csv · runs locally
- windows error reporting forensic analyzer: drop wer report files or registry exports · decode exception codes · exploit risk scoring · export csv · runs locally
- print spooler artifact forensic analyzer: drop shd spool files, evtx csv or registry exports · print job history · printnightmare indicators · export csv · runs locally
- print spool job content reconstructor: drop windows print spool .spl files · parse emf and raw spool formats · reconstruct document content from spool fragments · extract text from emf records · recover what was printed even after deletion · runs locally
- jump list cross-application timeline correlator: drop multiple jlecmd csv exports · unified timeline · cross-app document access · network and removable flags · export csv · runs locally
- taskbar pinned items forensic analyzer: drop taskband registry export or taskbar lnk listing · pinned and removed items · unusual security tool flags · export csv · runs locally
- office add-in persistence analyzer: drop registry exports or add-in directory listing · com, xll and vsto add-ins · untrusted dll paths · export csv · runs locally
- windows notification database forensic parser: drop wpndatabase.db sqlite · extract push notification history · app notifications · message previews · alert content · reconstruct what notifications the user received · identify communication patterns · runs locally
- windows installer artifact analyzer: drop msi log files or software registry exports · reconstruct software installation history · identify recently installed tools · detect silent installations · msiexec evidence · flag security-relevant installs · runs locally
- crash dump batch triage analyzer: drop multiple windows minidump files · batch parse all dumps · extract faulting module · exception codes · process names · compile timestamps · surface exploit patterns across the collection · runs locally
- image file execution options hijack detector: drop software hive reg export · detect debugger hijacks via ifeo · silentprocessexit hijacks · accessibility feature backdoors · process execution redirection · runs locally
- port monitor and print processor persistence detector: drop system registry hive export · detect persistence via port monitor dlls · print processor dlls · time provider dlls · loaded by system on boot with high privileges · runs locally
- netsh helper dll and winsock persistence detector: drop software and system hive reg exports · detect persistence via netsh helper dlls · winsock layered service providers · name service providers · filter driver persistence · runs locally
- office template injection & dde detector: drop docx xlsx pptx files · detect template injection via relationships · remote template urls · dde payloads · excel 4.0 xlm macros · ole object injection · external data connections · runs locally
- metadata scrubbing tool artifact detector: drop file listings · mft csv · registry exports · detect use of exiftool, mat2 or similar metadata strippers · they leave their own traces · identify files that were processed by scrubbing tools · runs locally
- event log channel manipulation detector: drop evtx csvs and system registry exports · detect disabled event log channels · reduced log maximum sizes · custom channel configurations · identify logging gaps caused by deliberate channel manipulation · runs locally
- file carving anti-detection pattern detector: drop a disk image or binary file · detect deliberate partial overwrite of file headers to prevent carving · identify files with valid bodies but corrupted magic bytes · surface anti-carving techniques · runs locally
- registry deleted key recovery tool: drop a raw registry hive binary · scan hive for deleted but not overwritten key and value structures · recover key names · value names · value data · key last-write timestamps · forensic registry carving · runs locally
- registry hive carver from disk image: drop a raw disk image or memory dump · scan for registry hive fragments by regf signature · extract and reconstruct partial hives · identify additional registry hives beyond the standard locations · runs locally
- application focus timeline reconstructor: drop srum csv · windows accessibility event logs · ui interaction logs · reconstruct which application had focus over time · minute by minute user activity reconstruction · supports inferences about user presence or absence · runs locally
- search query to file access intent correlator: drop windows search query exports · browser search history · file access logs · correlate what the user searched for with what they subsequently accessed · relate search terms to later file access · supporting evidence for deliberate targeting · runs locally
- document hidden print history extractor: drop docx xlsx pptx doc xls ppt · last-printed timestamp (core.xml lastPrinted or the legacy summaryinformation last-printed property) · printer name from embedded printer settings (devmode) where present · page count · only the most recent print is recorded, documents keep no per-job history · runs locally
- thumbnail reverse lookup and orphan matcher: drop a windows thumbcache database and an image collection · compute perceptual hashes of all thumbnails · match each thumbnail to its original file · identify orphaned thumbnails whose originals were deleted · runs locally
- lnk file batch timeline correlator: drop hundreds of lnk shortcut files or lnk csv exports · build single unified recently-accessed timeline · deduplicate · surface deleted source files · correlate access times across all shortcuts · runs locally
- recycle bin deep correlation analyzer: drop recycle bin $i files · mft csv · browser history · process execution csvs · correlate each deletion with the processes active at that time · context for why each file was deleted · timeline of deletion activity · runs locally
- windows installer cache forensic analyzer: drop C:\Windows\Installer directory listing or mft entries for that path · analyze cached msi and msp files · reconstruct software installation history · identify what was installed even after uninstall · extract installer metadata · runs locally
- ese extensible storage engine database forensic analyzer: drop ese jet database files · parse table schema · extract records · recover deleted rows · windows search, bits · runs locally
- onenote forensic analyzer: drop onenote .one or .onepkg files · extract notebook structure · embedded files · revision history · malware delivery detection · runs locally
- sysmon configuration coverage auditor: drop sysmon xml configuration file · score detection coverage · identify blind spots · flag missing event types · compare against community best-practice configs · produce gap analysis with specific recommendations · runs locally
- windows audit policy completeness scorer: drop auditpol csv export or security evtx showing 4719 events · score current audit policy against cis benchmark · identify what attack techniques are invisible due to missing audit categories · produce gap analysis with recommendations · runs locally
- password manager artifact forensic analyzer: drop keepass kdbx files · bitwarden local vault json · 1password local artifacts · no decryption attempted · extract metadata · database size · last modified · entry count hints · access patterns · runs locally
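The attack chain mapper, gap analyzer and password spray detector above all rest on the same idea: score sequences of events, not single event IDs. The following is an added example (not code from any of the catalog's tools) of that logic over an evtx-to-csv export. The CSV rows are constructed, and the column names (timestamp, event_id, computer, target_user, logon_type, source_ip, detail) are an assumption about how an export tool labels the fields; real exports will need a column mapping. It flags a password spray (one source IP failing against many accounts inside a window) and a lateral-movement chain (a successful 4624 logon type 3 followed on the same host and account by a 7045 service install or 4688 process creation), then marks chains whose source IP was also the spray source.

```python
"""Sequence detection over an evtx-to-csv export: password spray, then a lateral-movement chain.

Added example, not code from the catalog's tools. The CSV below is constructed and its column
names are an assumption about how an export tool would label the fields.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed rows: six 4625 failures against different accounts from one IP, then a successful
# network logon (4624 type 3) from the same IP followed by a 7045 service install and a 4688
# process creation on the same host. The interactive 4625/4624 pair at 10:15 is benign noise.
# (On a real 7045 the account column holds the service account; here it is simplified.)
SAMPLE_CSV = r"""timestamp,event_id,computer,target_user,logon_type,source_ip,detail
2024-03-01T09:00:01,4625,FS01,alice,3,10.0.0.9,0xC000006A
2024-03-01T09:00:02,4625,FS01,bob,3,10.0.0.9,0xC000006A
2024-03-01T09:00:03,4625,FS01,carol,3,10.0.0.9,0xC000006A
2024-03-01T09:00:04,4625,FS01,dave,3,10.0.0.9,0xC000006A
2024-03-01T09:00:05,4625,FS01,erin,3,10.0.0.9,0xC000006A
2024-03-01T09:00:06,4625,FS01,frank,3,10.0.0.9,0xC000006A
2024-03-01T09:03:10,4624,FS01,svc_backup,3,10.0.0.9,
2024-03-01T09:03:12,7045,FS01,svc_backup,,,PSEXESVC
2024-03-01T09:03:14,4688,FS01,svc_backup,,,C:\Windows\PSEXESVC.exe
2024-03-01T10:15:00,4625,FS01,alice,2,,0xC000006A
2024-03-01T10:15:30,4624,FS01,alice,2,,
"""


def load_events(text: str) -> list:
    """Read the export, type the timestamp and event id, and sort chronologically."""
    events = list(csv.DictReader(io.StringIO(text)))
    for e in events:
        e["ts"] = datetime.fromisoformat(e["timestamp"])
        e["event_id"] = int(e["event_id"])
    events.sort(key=lambda e: e["ts"])
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5) -> list:
    """One source IP failing against many distinct accounts inside a sliding window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["source_ip"]:
            by_ip[e["source_ip"]].append(e)
    findings = []
    for ip, fails in by_ip.items():
        best, start = None, 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            accounts = {f["target_user"] for f in fails[start:end + 1]}
            if len(accounts) >= min_accounts and (best is None or len(accounts) > len(best["accounts"])):
                best = {"source_ip": ip, "accounts": sorted(accounts),
                        "first": fails[start]["ts"], "last": fails[end]["ts"]}
        if best:
            findings.append(best)
    return findings


def detect_lateral_chain(events, window=timedelta(minutes=5)) -> list:
    """4624 type 3 followed on the same host and account by 7045 or 4688 within the window."""
    findings = []
    for i, e in enumerate(events):
        if e["event_id"] != 4624 or e["logon_type"] != "3":
            continue
        follow = [f for f in events[i + 1:]
                  if f["ts"] - e["ts"] <= window and f["computer"] == e["computer"]
                  and f["target_user"] == e["target_user"] and f["event_id"] in (7045, 4688)]
        if follow:
            findings.append({"computer": e["computer"], "account": e["target_user"],
                             "source_ip": e["source_ip"], "logon": e["ts"],
                             "followups": [(f["event_id"], f["detail"]) for f in follow]})
    return findings


def analyze(text: str) -> dict:
    """Run both detectors and link chains back to a preceding spray from the same IP."""
    events = load_events(text)
    sprays = detect_password_spray(events)
    chains = detect_lateral_chain(events)
    spray_ips = {s["source_ip"] for s in sprays}
    for c in chains:
        c["preceded_by_spray"] = c["source_ip"] in spray_ips
    return {"spray": sprays, "chains": chains}


if __name__ == "__main__":
    result = analyze(SAMPLE_CSV)
    for s in result["spray"]:
        print(f"spray from {s['source_ip']}: {len(s['accounts'])} accounts {s['first']} .. {s['last']}")
    for c in result["chains"]:
        print(f"chain on {c['computer']} as {c['account']} from {c['source_ip']}: "
              f"{c['followups']} preceded_by_spray={c['preceded_by_spray']}")
```

The spray detector keeps the window with the most distinct accounts per IP, so a low-and-slow spray spread over the window still scores, while the benign interactive failure with no source IP is ignored. The chain detector deliberately requires the same host and account between the logon and the follow-up events; loosening that (for instance to any 7045 on the host) raises recall at the cost of false positives on busy servers.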
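The recycle bin analyzer entry lists the three fields a $I index file carries (original path, deletion FILETIME, original size). As an added example, and not code from the catalog's tool, here is a parser for both on-disk layouts: version 1 (Vista through 8.1) with a fixed 520-byte UTF-16LE path field, and version 2 (Windows 10 and later) with an explicit character count before the path. The sample records are constructed with the included builder rather than taken from a real system; the $I to $R name pairing follows the convention that the content file shares the index file's suffix.

```python
"""Recycle Bin $I index file parser: version 1 (Vista to 8.1) and version 2 (Windows 10+).

Added example, not code from the catalog's tools. Sample $I records below are constructed.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def parse_i_file(data: bytes) -> dict:
    """Decode one $I record: version, original size, deletion time and original path."""
    if len(data) < 24:
        raise ValueError("too short to be a $I file")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        # Fixed 260-character (520-byte) UTF-16LE path field, NUL padded; whole record is 544 bytes.
        raw = data[24:24 + 520]
    elif version == 2:
        # Explicit character count (includes the terminating NUL), then the UTF-16LE path.
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted_utc": filetime_to_datetime(ft), "original_path": path}


def build_i_file(version: int, size: int, deleted: datetime, path: str) -> bytes:
    """Construct a $I record for testing (the inverse of parse_i_file)."""
    head = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return head + encoded.ljust(520, b"\x00")
    return head + struct.pack("<I", len(path) + 1) + encoded


# Constructed samples: one legacy-format record and one Windows 10 record deleted three minutes later.
DELETED_V1 = datetime(2021, 6, 15, 12, 0, 0, tzinfo=timezone.utc)
DELETED_V2 = DELETED_V1 + timedelta(minutes=3)
SAMPLE_V1 = build_i_file(1, 4096, DELETED_V1, r"C:\Users\alice\Documents\notes.txt")
SAMPLE_V2 = build_i_file(2, 1_572_864, DELETED_V2, r"C:\Users\alice\Downloads\payload.zip")


def parse_recycle_bin(records: dict) -> list:
    """Parse a mapping of $I file name -> bytes into a deletion timeline, oldest first."""
    rows = []
    for name, blob in records.items():
        entry = parse_i_file(blob)
        entry["index_file"] = name
        # The content lives in the $R file with the same suffix ($IQ3K9P2.txt -> $RQ3K9P2.txt).
        entry["content_file"] = "$R" + name[2:] if name.startswith("$I") else None
        rows.append(entry)
    return sorted(rows, key=lambda r: r["deleted_utc"])


if __name__ == "__main__":
    for row in parse_recycle_bin({"$IQ3K9P2.txt": SAMPLE_V1, "$IZ7A1B4.zip": SAMPLE_V2}):
        print(row["deleted_utc"].isoformat(), row["size"], row["original_path"], "->", row["content_file"])
```

When running this against a real $Recycle.Bin tree, feed it the bytes of each $I file under the per-user SID directory; the SID directory name tells you which account performed the deletion, which the $I record itself does not.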
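The userassist decoder entry compresses the whole artifact into "decode rot13 · run counts · filetimes". As an added example (not the catalog tool's code), the block below shows what that means in practice: value names under the two UserAssist GUID subkeys are ROT13-encoded and often start with a known-folder GUID instead of a path, and the value data is a 72-byte structure on Windows 7 and later (run count at offset 4, focus count at 8, focus time in milliseconds at 12, last-run FILETIME at 60) or a 16-byte structure on XP/Vista whose run counter starts at 5. The sample values are constructed with the included builder; the known-folder table is a small subset.

```python
"""UserAssist decoder: ROT13 value names plus the Windows 7+ 72-byte and XP 16-byte value layouts.

Added example, not code from the catalog's tools. Sample values below are constructed.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Subkeys under ...\Explorer\UserAssist that hold executable and shortcut counters.
USERASSIST_SUBKEYS = {
    "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}": "executables",
    "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}": "shortcuts",
}

# Known-folder GUIDs that replace path prefixes in decoded names (subset of the full list).
KNOWN_FOLDERS = {
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": r"C:\Windows\System32",
    "{6D809377-6AF0-444B-8957-A3773F02200E}": r"C:\Program Files",
    "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}": r"C:\Program Files (x86)",
    "{F38BF404-1D43-42F2-9305-67DE0B28FC23}": r"C:\Windows",
}


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_name(rot13_name: str) -> str:
    """ROT13-decode a value name and expand a leading known-folder GUID."""
    name = codecs.decode(rot13_name, "rot_13")
    for guid, folder in KNOWN_FOLDERS.items():
        if name.upper().startswith(guid):
            return folder + name[len(guid):]
    return name


def parse_value(data: bytes) -> dict:
    """Decode the binary value: 72 bytes on Windows 7+, 16 bytes on XP/Vista."""
    if len(data) == 72:
        _session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
        (ft,) = struct.unpack_from("<Q", data, 60)
        return {"run_count": run_count, "focus_count": focus_count,
                "focus_seconds": focus_ms / 1000,
                "last_run_utc": filetime_to_datetime(ft) if ft else None}
    if len(data) == 16:
        _session, run_count, ft = struct.unpack("<IIQ", data)
        # XP/Vista counters start at 5: 5 means never run, 6 means run once.
        return {"run_count": max(run_count - 5, 0), "focus_count": None, "focus_seconds": None,
                "last_run_utc": filetime_to_datetime(ft) if ft else None}
    raise ValueError(f"unexpected UserAssist value length {len(data)}")


def decode_entries(subkey_guid: str, values: dict) -> list:
    """Decode every value under one UserAssist\\{GUID}\\Count key, most recently run first."""
    kind = USERASSIST_SUBKEYS.get(subkey_guid.upper(), "unknown")
    out = []
    for enc_name, blob in values.items():
        entry = parse_value(blob)
        entry["name"] = decode_name(enc_name)
        entry["kind"] = kind
        out.append(entry)
    return sorted(out, key=lambda e: e["last_run_utc"] or FILETIME_EPOCH, reverse=True)


def build_win7_value(run_count: int, focus_count: int, focus_ms: int, last_run: datetime) -> bytes:
    """Construct a 72-byte Windows 7+ value for testing (the ten floats and unknown fields zeroed)."""
    ft = int((last_run - FILETIME_EPOCH).total_seconds()) * 10_000_000
    return struct.pack("<IIII10fIQI", 0, run_count, focus_count, focus_ms, *([0.0] * 10), 0, ft, 0)


# Constructed sample: mstsc.exe launched from System32 three times, psexec.exe once two days earlier.
LAST_RUN = datetime(2024, 3, 1, 9, 3, 0, tzinfo=timezone.utc)
SAMPLE_VALUES = {
    codecs.encode(r"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mstsc.exe", "rot_13"):
        build_win7_value(3, 3, 125_000, LAST_RUN),
    codecs.encode(r"C:\Users\alice\Downloads\psexec.exe", "rot_13"):
        build_win7_value(1, 1, 4_000, LAST_RUN - timedelta(days=2)),
}

if __name__ == "__main__":
    for e in decode_entries("{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}", SAMPLE_VALUES):
        print(e["last_run_utc"], e["run_count"], e["focus_seconds"], e["name"])
```

A zero FILETIME is reported as None rather than 1601-01-01, which is the usual tell that an entry was created by a shortcut or folder view rather than by an actual launch; those rows are worth keeping but not worth plotting on an execution timeline.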