Stars
DriveFS Sleuth is a Python tool that automates investigating Google Drive File Stream disk artifacts. The tool has been developed based on research performed by mounting different sce…
This repository serves as a place for community created Targets and Modules for use with KAPE.
Web browser forensics for Google Chrome/Chromium
Windows Event Log "Microsoft-Windows-Partition%4Diagnostic.evtx" parser and devices' VSNs extractor.
Gmail URL Decoder is an Open Source Python tool that can be used against plaintext or arbitrary raw data files in order to find, extract, and decode information from Gmail URLs related to both the …
A Windows registry file parser written in Rust
http://moaistory.blogspot.com/2018/10/winsearchdbanalyzer.html
OneDriveExplorer is a command line and GUI based application for reconstructing the folder structure of OneDrive from the <UserCid>.dat and <UserCid>.dat.previous files.
(Sometimes partial) Python re-implementations of the technologies involved in reading various data sources in Chrome-esque applications.
Dumps all of the Key/Value pairs from a LevelDB database
A PowerShell module for acquisition of data from Microsoft 365 and Azure for Incident Response and Cyber Security purposes.
iluvadev / XstReader
Forked from Dijji/XstReader
XstReader is an open source viewer for Microsoft Outlook's .ost and .pst files (also those protected by an unknown password). You can view and inspect all content and export messages and attachments (…
chadtilbury / KapeFiles
Forked from EricZimmerman/KapeFiles
This repository serves as a place for community created Targets and Modules for use with KAPE.
Windows 10 (v1803+) ActivitiesCache.db parsers (SQLite, PowerShell, .EXE)
Memory Baseliner is a script that can compare two Windows memory images or perform frequency-of-occurrence / data stacking analysis on multiple such images.
A parser of Windows Defender's DetectionHistory forensic artifact, containing substantial info about quarantined files and executables.