labgeek / VFAE
VMDK Forensic Artifact Extractor (VFAE) is a Windows-based tool written in C++ that extracts files with a known location from VMDK images running the Windows operating system. The tool uses the VDDK (Virtual Disk Development Kit) API for the heavy lifting, such as mounting, opening, and reading the selected VMDK. When vfae.exe is executed, i…
☆15, updated 9 years ago
Related projects
Alternatives and complementary repositories for VFAE
- Parses the WMI object database, looking for persistence (☆31, updated 4 years ago)
- $MFT parser (from live systems or a copy of the $MFT) and raw file copy utility (☆36, updated 3 months ago)
- A repo that contains a recursive dump from the ROOT key of every Windows Registry hive (using KAPE) from a vanilla (clean) install of eve… (☆43, updated last year)
- Windows registry samples (☆23, updated 5 years ago)
- Binary command-line executable to parse ETL files (☆67, updated 6 years ago)
- Decode security descriptors in $Secure on NTFS (☆20, updated 2 years ago)
- A Microsoft Windows service to provide telemetry on Windows executable memory page changes to facilitate threat detection (☆28, updated 4 years ago)
- ☆60, updated last week
- It's not just a UsnJrnl (USN Journal Records/Change Journal Records) parser. (☆23, updated 5 years ago)
- ☆91, updated 2 years ago
- Links to malware-related YARA rules (☆14, updated 2 years ago)
- NTFS parser, plus linking capabilities between MFT, LogFile and UsnJrnl (☆36, updated 8 years ago)
- Automatic/Custom Destinations & LNK (MS-SHLLINK) Browser (☆30, updated 8 months ago)
- Command line access to the Registry (☆130, updated last week)
- NTFS samples (☆25, updated 4 years ago)
- ProcDot Malware Sandbox (☆21, updated 6 years ago)
- Windows link file (shortcuts) examiner (☆67, updated 5 months ago)
- Repository containing malware analysis filters for the Windows Sysinternals Process Monitor tool (☆13, updated 4 years ago)
- Parses RecentFileCacheParser.bcf files (☆24, updated 2 months ago)
- Library and tools to access the Windows Prefetch File (SCCA) format. (☆71, updated 2 months ago)
- Parse Microsoft shim databases (☆28, updated 2 months ago)
- Babel-Shellfish deobfuscates and scans PowerShell scripts in real time, right before each line executes. (☆41, updated 6 years ago)
- Endpoint monitoring stack. (☆18, updated 9 years ago)
- Psinfo is a Volatility plugin which collects the process-related information from the VAD (Virtual Address Descriptor) and PEB (Process E… (☆35, updated 8 years ago)
- Extract common Windows artifacts from source images and VSCs (☆65, updated 3 years ago)
- A repository that maps API calls to Sysmon Event IDs. (☆116, updated last year)
- Capture BAT is a behavioral analysis tool of applications for the Win32 operating system family. (☆31, updated 11 years ago)
- Generate YARA rules for OOXML documents. (☆37, updated last year)
- Get USB devices from Registry hives (☆21, updated 2 years ago)