capa detects capabilities in executable files. You run it against a PE, ELF, .NET module, shellcode file, or a sandbox report and it tells you what it thinks the program can do. For example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate.
Examples:
capa.exe suspicious.exe -vv
capa 05be49819139a3fdcdbddbdefd298398779521f3d68daa25275cc77508e42310.json
The FLARE Obfuscated String Solver (FLOSS, formerly FireEye Labs Obfuscated String Solver) uses advanced static analysis techniques to automatically extract and deobfuscate all strings from malware binaries.
Examples:
floss malware.exe
floss --only stack tight -- suspicious.exe
The goal of pestudio is to spot artifacts of executable files in order to ease and accelerate Malware Initial Assessment.
BrowsingHistoryView is a utility that reads the history data of different Web browsers (Mozilla Firefox, Google Chrome, Internet Explorer, Microsoft Edge, Opera) and displays the browsing history of all these Web browsers in one table. The browsing history table includes the following information: Visited URL, Title, Visit Time, Visit Count, Web browser and User Profile. BrowsingHistoryView allows you to view the browsing history of all user profiles on a running system, as well as to get the browsing history from an external hard drive.
ChromeCacheView is a small utility that reads the cache folder of Google Chrome Web browser, and displays the list of all files currently stored in the cache. For each cache file, the following information is displayed: URL, Content type, File size, Last accessed time, Expiration time, Server name, Server response, and more.
ChromeCookiesView is an alternative to the standard internal cookies viewer of the Google Chrome Web browser. It displays the list of all cookies stored by Google Chrome, and allows you to easily delete unwanted cookies. It also allows you to export the cookies into a text/csv/html/xml file.
x64dbg is an open-source x64/x32 debugger for Windows.
Hayabusa is a Windows event log fast forensics timeline generator and threat hunting tool created by the Yamato Security group in Japan.
Examples:
hayabusa.exe search -d ../hayabusa-sample-evtx -k "mimikatz"
hayabusa.exe search -d ../hayabusa-sample-evtx -r "(?:[0-9]{1,3}\.){3}[0-9]{1,3}"
hayabusa.exe search -d ../hayabusa-sample-evtx -r ".*" -F WorkstationName:"kali"
Chainsaw provides a powerful ‘first-response’ capability to quickly identify threats within Windows forensic artefacts such as Event Logs and the MFT file. Chainsaw offers a generic and fast method of searching through event logs for keywords, and of identifying threats using built-in support for Sigma detection rules and custom Chainsaw detection rules.
Examples:
chainsaw hunt EVTX-ATTACK-SAMPLES/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml
chainsaw search mimikatz -i evtx_attack_samples/
chainsaw search -t 'Event.System.EventID: =4104' evtx_attack_samples/
chainsaw search -e "DC[0-9].insecurebank.local" evtx_attack_samples --json
EvtxECmd is an event log (evtx) parser with standardized CSV, XML, and JSON output! Custom maps, locked file support, and more!
Examples:
EvtxECmd.exe -f "C:\Temp\Application.evtx" --csv "c:\temp\out" --csvf MyOutputFile.csv
EvtxECmd.exe -f "C:\Temp\Application.evtx" --csv "c:\temp\out"
EvtxECmd.exe -f "C:\Temp\Application.evtx" --json "c:\temp\jsonout"
HashCalc is a free calculator to compute multiple hashes, checksums and HMACs for files, text and hex strings.
Hasher is a utility to calculate hashes for files.
Simple batch script for getting MD5, SHA-1, and SHA-256 hashes.
Examples:
GetHashes file.exe
HxD is a carefully designed and fast hex editor which, in addition to raw disk editing and modifying of main memory (RAM), handles files of any size.
MailView is a utility for viewing Outlook Express, Windows Mail/Windows Live Mail and Mozilla Thunderbird message databases as well as single EML files.
Volatility Workbench is a free open source tool that provides a graphical user interface for the Volatility memory analysis forensics tool.
MemProcFS is an easy and convenient way of viewing physical memory as files in a virtual file system.
Examples:
memprocfs.exe -device c:\temp\win10x64-dump.raw
memprocfs.exe -device c:\temp\win10x64-dump.raw -forensic 1 -forensic-yara-rules c:\yara\rules\windows_malware_index.yar
memprocfs.exe -device unknown-x64-dump.raw -pagefile0 pagefile.sys -pagefile1 swapfile.sys
MFTECmd is a $MFT, $Boot, $J, $SDS, $I30, and $LogFile parser. Handles locked files.
Examples:
MFTECmd.exe -f "C:\Temp\SomeMFT" --csv "c:\temp\out" --csvf MyOutputFile.csv
MFTECmd.exe -f "C:\Temp\SomeMFT" --csv "c:\temp\out"
MFTECmd.exe -f "C:\Temp\SomeMFT" --json "c:\temp\jsonout"
MFTECmd.exe -f "C:\Temp\SomeMFT" --body "c:\temp\bout" --bdl c
MFTECmd.exe -f "C:\Temp\SomeMFT" --de 5-5
MFTExplorer is a graphical $MFT viewer.
UPX is a free, secure, portable, extendable, high-performance executable packer for several executable formats.
Examples:
upx -o packed_file.exe original_file.exe
upx -d packed_file.exe
Xvolkolak is an unpacker emulator. Unlike other programs of this type, it does not use the Debug API or other features of the operating system.
Hash Suite is a Windows program to test security of password hashes.
hashcat is the world's fastest and most advanced password recovery utility, supporting five unique modes of attack for over 300 highly-optimized hashing algorithms. hashcat currently supports CPUs, GPUs, and other hardware accelerators on Linux, Windows, and macOS, and has facilities to help enable distributed password cracking.
Examples:
hashcat -m 0 -a 0 hash.txt wordlist.txt
hashcat -m 1000 ntlmhash.txt -a 0 rockyou.txt
Ophcrack is a Windows Password cracker based on Rainbow Tables.
RECmd is a powerful command line Registry tool with searching, multi-hive support, plugins, and more.
Examples:
RECmd.exe --f "C:\Temp\UsrClass 1.dat" --sk URL --recover false --nl
RECmd.exe --f "D:\temp\UsrClass 1.dat" --StartDate "11/13/2014 15:35:01"
RECmd.exe --f "D:\temp\UsrClass 1.dat" --RegEx --sv "(App|Display)Name"
Registry Explorer is a registry viewer with searching, multi-hive support, plugins, and more. Handles locked files.
The Sleuth Kit® is a collection of command line tools and a C library that allows you to analyze disk images and recover files from them. It is used behind the scenes in Autopsy and many other open source and commercial forensics tools.
Examples:
fsstat -i raw evidence.dd
fls -i raw evidence.dd
istat -f ext4 -i raw evidence.dd
mmls evidence.dd
fsstat evidence.dd
img_stat evidence.dd
bstrings is an advanced strings search program.
Examples:
bstrings.exe -f "C:\Temp\UsrClass 1.dat" --ls URL
bstrings.exe -f "C:\Temp\someFile.txt" --lr guid
bstrings.exe -f "C:\Temp\aBigFile.bin" --fs c:\temp\searchStrings.txt --fr c:\temp\searchRegex.txt -s
bstrings.exe -d "C:\Temp" --mask "*.dll"
bstrings.exe -d "C:\Temp" --ar "[\x20-\x37]"
bstrings.exe -d "C:\Temp" --cp 10007
bstrings.exe -d "C:\Temp" --ls test
bstrings.exe -f "C:\Temp\someOtherFile.txt" --lr cc --sa
bstrings.exe -f "C:\Temp\someOtherFile.txt" --lr cc --sa -m 15 -x 22
bstrings.exe -f "C:\Temp\UsrClass 1.dat" --ls mui --sl
BusyBox is a software suite that provides several Unix utilities in a single executable file.
Examples:
busybox.exe sh
busybox.exe sha1sum file.exe
busybox grep test myfile.txt
The dd command reads input one block at a time, processes each block, and writes it to an output file.
Examples:
dd if=\\.\Volume{c18588c0-02e9-11d8-853f-00902758442b} of=c:\temp\usb1.img bs=1M
dd if=\\?\Device\Harddisk1\Partition0 of=c:\temp\usb2.img bs=1M --size --progress
exiftool is a command-line application and Perl library for reading and writing EXIF, GPS, IPTC, XMP, makernotes and other meta information in image, audio and video files.
Examples:
exiftool image.jpg
Timeline Explorer is a tool for viewing CSV and Excel files, as well as applying filters.
YARA is an open-source tool designed to help malware researchers identify and classify malware samples. It makes it possible to create descriptions (or rules) for malware families based on textual and/or binary patterns. YARA is multi-platform, running on Linux, Windows and Mac OS X. It can be used through its command-line interface or from Python scripts with the YARA-Python extension.
Examples:
yara /foo/bar/rules1 /foo/bar/rules2 .
yara -t Packer -t Compiler /foo/bar/rules bazfile
yara -r /foo
OfficeMalScanner is an MS Office forensic tool to scan for malicious traces, like shellcode heuristics, PE files or embedded OLE streams. Found files are extracted to disk. It supports disassembly and hexview as well as an easy brute force mode to detect encrypted files.
Examples:
OfficeMalScanner.exe "C:\File.xls" scan brute debug
OfficeMalScanner.exe "C:\File.xls" info
SQLECmd is a tool to find and process SQLite files according to your needs with maps.
Examples:
SQLECmd.exe -f "C:\Temp\someFile.db" --csv "c:\temp\out"
SQLECmd.exe -d "C:\Temp\" --csv "c:\temp\out"
SQLECmd.exe -d "C:\Temp\" --hunt --csv "c:\temp\out"
Steghide is a steganography program that is able to hide data in various kinds of image and audio files.
Examples:
steghide info image.jpg
steghide embed -ef file.txt -cf image.jpg
steghide extract -sf image.jpg
$I Parse is a tool for parsing $I (index) files from the Recycle Bin of Windows Vista and later.
AmcacheParser is an Amcache.hve parser with lots of extra features. Handles locked files.
Examples:
AmcacheParser.exe -f "C:\Temp\amcache\AmcacheWin10.hve" --csv C:\temp
AmcacheParser.exe -f "C:\Temp\amcache\AmcacheWin10.hve" -i on --csv C:\temp --csvf foo.csv
AmcacheParser.exe -f "C:\Temp\amcache\AmcacheWin10.hve" -w "c:\temp\whitelist.txt" --csv C:\temp
AppCompatCacheParser is an AppCompatCache (aka ShimCache) parser.
Examples:
AppCompatCacheParser.exe --csv c:\temp -t -c 2
AppCompatCacheParser.exe --csv c:\temp --csvf results.csv
JLECmd is a Jump List parser.
Examples:
JLECmd.exe -f "C:\Temp\f01b4d95cf55d32a.customDestinations-ms" --mp
JLECmd.exe -f "C:\Temp\f01b4d95cf55d32a.automaticDestinations-ms" --json "D:\jsonOutput" --jsonpretty
JLECmd.exe -d "C:\CustomDestinations" --csv "c:\temp" --html "c:\temp" -q
JLECmd.exe -d "C:\Users\e\AppData\Roaming\Microsoft\Windows\Recent" --dt "ddd yyyy MM dd HH:mm:ss.fff"
JumpListExplorer is a GUI based Jump List viewer.
LastActivityView is a tool for the Windows operating system that collects information from various sources on a running system, and displays a log of actions made by the user and events that occurred on this computer. The activity displayed by LastActivityView includes: running an .exe file, opening an open/save dialog box, opening a file/folder from Explorer or other software, software installation, system shutdown/start, application or system crash, network connection/disconnection and more.
LECmd is a tool for parsing lnk files.
Examples:
LECmd.exe -f "C:\Temp\foobar.lnk"
LECmd.exe -f "C:\Temp\somelink.lnk" --json "D:\jsonOutput" --pretty
LECmd.exe -d "C:\Temp" --csv "c:\temp" --html c:\temp --xml c:\temp\xml -q
LECmd.exe -f "C:\Temp\some other link.lnk" --nid --neb
LECmd.exe -d "C:\Temp" --all
PECmd is a Prefetch parser.
Examples:
PECmd.exe -f "C:\Temp\CALC.EXE-3FBEF7FD.pf"
PECmd.exe -f "C:\Temp\CALC.EXE-3FBEF7FD.pf" --json "D:\jsonOutput" --jsonpretty
PECmd.exe -d "C:\Temp" -k "system32, fonts"
PECmd.exe -d "C:\Temp" --csv "c:\temp" --csvf foo.csv --json c:\temp\json
PECmd.exe -d "C:\Windows\Prefetch"
RBCmd is a Recycle Bin artifact (INFO2/$I) parser.
Examples:
RBCmd.exe -f "C:\Temp\INFO2"
RBCmd.exe -f "C:\Temp\$I3VPA17" --csv "D:\csvOutput"
RBCmd.exe -d "C:\Temp" --csv "c:\temp"
RecentFileCacheParser is a RecentFileCache.bcf parser.
Examples:
RecentFileCacheParser.exe -f "C:\Temp\RecentFileCache.bcf" --csv "c:\temp"
RecentFileCacheParser.exe -f "C:\Temp\RecentFileCache.bcf" --json "D:\jsonOutput" --jsonpretty
SBECmd is a command line tool for exporting ShellBags data.
Examples:
SBECmd.exe -d c:\temp\hives --csv c:\temp\sbeout
SBECmd.exe -d c:\temp\hives --csv c:\temp\sbeout --tz "US Eastern Standard Time"
SBECmd.exe -d c:\temp\hives --csv c:\temp\sbeout --dedupe
SDBExplorer is a Shim database GUI tool.
Thumbcache Viewer allows you to extract thumbnail images from the thumbcache_*.db and iconcache_*.db database files found on Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, and Windows 11.
WFA decodes and analyzes some special files used by the Windows OS.
WinPrefetchView is a small utility that reads the Prefetch files stored in your system and displays the information stored in them. By looking in these files, you can learn which files every application is using, and which files are loaded on Windows boot.