  • Stars: 522
  • Rank: 84,811 (Top 2 %)
  • Language: HTML
  • License: MIT License
  • Created almost 3 years ago
  • Updated about 1 year ago

Repository Details

The goal of this repo is to archive artifacts from all versions of various operating systems and categorize them by type. This will help with artifact validation processes and increase access to artifacts that may no longer be readily available.

DFIR Artifact Museum

Description

The DFIR Artifact Museum is a community-driven archive of DFIR-related artifacts. It was created to provide a centralized location for examples of artifacts from various operating systems.

Purpose

To increase accessibility to sample artifacts, so that individual researchers do not have to duplicate effort generating data that, frankly, should be generated once and then shared with the community. That way, more time and energy can be spent on analysis rather than on artifact generation.

Benefits

Hopefully, with artifacts from various operating systems centralized in a single location, someone who never uses Linux might gain more familiarity with what Linux artifacts look like, and likewise someone who only uses Linux and never touches Windows.

Additionally, with more exposure to artifacts, hopefully those who enjoy creating tools will have sample data from which they can build a parser and share it with the community. Having an artifact readily available as sample data removes one major hassle between having an idea for a parsing tool and actually creating and sharing it.

DFIRArtifactMuseum Roadmap

Want to see what the future holds for the DFIRArtifactMuseum repo? Check out the project boards where the to-do lists can be found!

Contributing to DFIRArtifactMuseum

Please check out CONTRIBUTING.md if you want guidance on how you can contribute to the DFIRArtifactMuseum.

Other Projects of Interest

  • EVTX-ETW-Resources - This repo contains XML and CSV files listing every Event ID, Event Message, etc. for every Event Provider for nearly every major version of Windows 8, 10, and 11 and Windows Server 2016, 2019, and 2022. Did you know most Event Providers in Windows are disabled? Now you have visibility into every single one that ships with Windows. Additionally, you'll never have to wonder what an Event ID means for a Provider that's native to Windows; just search the repo and your answer will be there! ETWProvidersManifests has the raw XMLs generated from WEPExplorer, and ETWEventsList has the CSVs generated from those XMLs. One CSV per version of Windows enumerates all Event Providers and their associated Event IDs.
  • VanillaWindowsRegistryHives - This repo contains zip files of raw Registry hives from a clean install, plus JSON dumps of those hives (from the topmost ROOT key), for nearly every major version of Windows 8, 10, and 11 and Windows Server 2016, 2019, and 2022. This is a great way to see what's normal within the Registry before user activity kicks in.
  • VanillaWindowsReference - This repo contains a CSV file with a directory listing of every file that comes in a clean install of nearly every major version of Windows 8, 10, and 11 and Windows Server 2016, 2019, and 2022. This includes filenames, parent folders, hash values, file sizes, etc. for EVERY file. A perfect way to see where files are supposed to be located on a Windows system. Also, one could technically generate an open source hash database of known-good files from this dataset.
  • AboutDFIR - Tool Testing - AboutDFIR has a Tool Testing page that links to many other forensic images. Use them to tinker with for research or to validate your findings!

Acknowledgements

Special thank you to Kevin Pagano for the awesome logo!

Licensing/Source Attribution

Please see Digital Corpora's research paper, "Bringing science to digital forensics with standardized forensic corpora".

More Repositories

  • DFIRMindMaps (460 stars) - A repository of DFIR-related Mind Maps geared towards visual learners!
  • Awesome-KAPE (126 stars) - A curated list of KAPE-related resources.
  • VanillaWindowsReference (110 stars) - A repo that contains recursive directory listings (using PowerShell) of a vanilla (clean) install of every Windows OS version, to compare and see what's been added with each update. Use these CSVs to create your own known-good hash sets!
  • DFIRRegex (60 stars) - A repo to centralize some of the regular expressions I've found useful over the course of my DFIR career.
  • KAPE-EZToolsAncillaryUpdater (PowerShell, 43 stars) - A script that updates KAPE (using Get-KAPEUpdate.ps1) as well as EZ Tools (within .\KAPE\Modules\bin) and the ancillary files that enhance the output of those tools.
  • VanillaWindowsRegistryHives (40 stars) - A repo that contains a recursive dump from the ROOT key of every Windows Registry hive (using KAPE) from a vanilla (clean) install of every Windows OS version, to compare and see what's been added with each update.
  • DFIRPowerShellScripts (PowerShell, 39 stars) - Various PowerShell scripts I've made (or others have made) to automate some of the boring stuff in my everyday DFIR journey!
  • EventTranscript.db-Research (38 stars) - A repo for centralizing ongoing research on the new Windows 10/11 DFIR artifact, EventTranscript.db.
  • DirectoryOpus-DFIRConfig (28 stars) - A config file curated for DFIR examiners, with shortcuts to common Windows artifacts and settings enabled that help make your life easier with various file management tasks.
  • Anti-Forensics-VHDX (HTML, 24 stars) - A sample VHDX file with multiple verbose examples of forensic and anti-forensics artifacts. Meant to be basic and can be expanded upon. Please add a new issue if you have an idea for something to add.
  • SANSGoldPaperResearch_FOR500_Rathbun (HTML, 23 stars) - A repository containing the research output from my GCFE Gold Paper, which compared Windows 10 and Windows 11.
  • ForensicImageKAPEOutput (12 stars) - A repository of output using KAPE (!EZParser Module) for various publicly available forensic images!
  • SigHunter (C#, 11 stars) - A C# (.NET 6) tool to compare the file signatures of files recursively and inform the user of matches and mismatches.
  • PCAParser (PowerShell, 8 stars) - A PowerShell script that can be used to parse, and convert to CSV, the new Windows 11 artifacts found in C:\Windows\appcompat\pca.
  • Windows11Research (HTML, 6 stars) - A brain dump for any Windows 11 research that I may conduct.
  • iOS_Test-Device_Photos.sqlite_Examples (3 stars) - This repo will contain several iOS Photos.sqlite databases, both Local Photo Library (LPL) DBs and Shared with You Syndication Photo Library (SWY) DBs, that can be used to test Photos.sqlite queries.
  • KAPEPowerShellScripts (2 stars) - A working repo of PowerShell scripts that help extend KAPE's functionality.
  • AndrewRathbun (2 stars)
  • CSVFileDetailsExtractor (C#, 2 stars) - A simple tool to enumerate useful details from CSV files recursively from a provided folder path.
  • CsvMerger (C#, 1 star) - A simple program to merge CSV files together.
  • CSVHeaderHunter (C#, 1 star) - A C# program to grab all CSV headers from a directory recursively and output them to a CSV file.
  • MP3TagExtractor (C#, 1 star) - A command-line application to extract (recursively, if needed) ID3 metadata from audio files.
  • DFIRSQLiteSchemas (1 star) - A repo containing schemas of commonly used SQLite databases in everyday DFIR analysis.