Windows Forensic Tools: Open Source, Commercial, Forensic Distributions
No single tool covers every forensic need. A working examiner maintains a toolkit that spans artifact parsing, evidence acquisition, disk and memory analysis, and timeline construction. This section maps the complete landscape.
Estimated time: 30 minutes.
Open-source artifact parsers
Eric Zimmerman's tools
Eric Zimmerman's tool suite is the most widely used set of artifact parsers in Windows forensics. Each tool targets a specific artifact type and produces structured CSV output for analysis in Timeline Explorer. The tools are actively maintained, accepted in legal proceedings, and free.
| Tool | What it parses | Module |
| --- | --- | --- |
| PECmd | Prefetch (.pf files) | WF2 |
| AmcacheParser | Amcache.hve registry hive | WF2 |
| AppCompatCacheParser | Shimcache from SYSTEM hive | WF2 |
| SrumECmd | SRUM database (SRUDB.dat) | WF2, WF6 |
| MFTECmd | $MFT, $UsnJrnl:$J, $LogFile | WF7 |
| EvtxECmd | Windows Event Logs (.evtx) | WF2, WF4, WF5 |
| RECmd | Registry hives (batch processing) | WF5 |
| SBECmd | ShellBags from NTUSER.DAT/UsrClass.dat | WF3 |
| LECmd | LNK shortcut files | WF3 |
| JLECmd | Jump Lists | WF3 |
| WxTCmd | Windows Timeline database | WF3 |
| Timeline Explorer | GUI for analysing CSV output from all tools | All modules |

Timeline Explorer is the analysis interface for most of the course. CSV files from PECmd, MFTECmd, EvtxECmd, and the other parsers open in Timeline Explorer where you can filter, sort, search, and colour-code entries. A parsed MFT from a typical workstation produces 500,000+ rows. Timeline Explorer handles this efficiently. Standard spreadsheet applications will struggle.
Download the full suite from https://ericzimmerman.github.io/#!index.md.
The Sleuth Kit (TSK)
The Sleuth Kit is a collection of command-line tools for filesystem analysis. Where EZ tools parse specific Windows artifacts, TSK operates at the filesystem layer: reading partition tables, examining file system structures, recovering deleted files, and extracting file content from disk images.
TSK supports NTFS, FAT, exFAT, EXT, HFS+, and other filesystem types. Key tools include fls (list files and directories including deleted entries), icat (extract file content by inode), mmls (display partition layout), and tsk_recover (recover deleted files). TSK is the engine that powers Autopsy's filesystem analysis.
TSK is essential when you need to work below the artifact layer. EZ tools parse Prefetch files, registry hives, and event logs. TSK lets you recover those files when they have been deleted, examine the raw filesystem structures, and access disk regions that artifact parsers do not touch.
Download from https://sleuthkit.org/.
Autopsy
Autopsy is a free, open-source digital forensics platform built on top of The Sleuth Kit. It provides a GUI-based investigation environment that combines filesystem browsing, keyword search, timeline analysis, hash lookup, and artifact extraction into a single interface.
Autopsy processes disk images and triage collections. Its ingest modules automatically extract web artifacts, email, registry data, recent documents, USB device history, and other forensic data. The keyword search module indexes all text content in the image, making it searchable. The timeline module provides a chronological view of file system activity.
For examiners who prefer a GUI workflow over command-line tools, Autopsy is a complete investigation platform. This course primarily uses command-line tools (EZ suite, TSK, RegRipper) because they produce output that is easier to script, filter, and combine across cases. Autopsy is valuable as a complementary platform for browsing evidence, running keyword searches, and validating findings from command-line analysis.
Download from https://www.autopsy.com/.
Bulk Extractor
Bulk Extractor scans disk images, memory dumps, and other data sources for specific data types: email addresses, URLs, credit card numbers, phone numbers, EXIF metadata, Windows Registry fragments, and network packet data. It operates without understanding the filesystem structure. It reads raw bytes and identifies patterns.
This makes Bulk Extractor useful for two specific tasks. First, recovering data from damaged or corrupted images where the filesystem is unreadable. Second, scanning memory dumps and pagefiles for artifacts that filesystem-aware tools cannot reach. If a disk image has a corrupted partition table, EZ tools and Autopsy cannot parse it. Bulk Extractor can still extract email addresses, URLs, and other data patterns from the raw bytes.
Download from https://github.com/simsong/bulk_extractor.
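As an added illustration of the raw-byte approach described above (example code written for this page, not Bulk Extractor's own scanners), the script below carves e-mail addresses and URLs out of a byte buffer that has no filesystem structure around it, in both ASCII and UTF-16LE (the encoding most Windows in-memory strings use), and shows the overlap handling a chunked scan of a large image or pagefile needs so that a string straddling two reads is neither lost nor reported twice. The patterns, the `Hit` type, the helper names and the sample buffer are all constructed for the example; real scanners use far more thorough patterns. Python 3.9 or later is assumed for the type hints.

```python
"""Pattern carving over raw bytes, the way a filesystem-unaware scanner works.

Added example for this course page; it is not Bulk Extractor's code. The
patterns, the sample buffer and the helper names are constructed here.
"""
import io
import re
from typing import BinaryIO, NamedTuple


class Hit(NamedTuple):
    kind: str       # "email" or "url"
    encoding: str   # "ascii" or "utf-16-le"
    offset: int     # absolute byte offset in the source
    length: int     # match length in bytes
    value: str      # decoded text


# Deliberately simple patterns (assumption: good enough for illustration).
# Each ASCII pattern has a UTF-16LE twin in which every character is followed
# by a NUL byte; a scan that only looked for ASCII would miss those strings.
_PATTERNS = {
    ("email", "ascii"): re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    ("url", "ascii"): re.compile(rb"https?://[A-Za-z0-9./?=&_%-]+"),
    ("email", "utf-16-le"): re.compile(
        rb"(?:[A-Za-z0-9._%+-]\x00)+@\x00(?:[A-Za-z0-9.-]\x00)+\.\x00(?:[A-Za-z]\x00){2,}"),
    ("url", "utf-16-le"): re.compile(
        rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[A-Za-z0-9./?=&_%-]\x00)+"),
}


def carve(data: bytes, base: int = 0) -> list[Hit]:
    """Scan one buffer; `base` is the absolute offset of data[0]."""
    hits = []
    for (kind, enc), pat in _PATTERNS.items():
        for m in pat.finditer(data):
            raw = m.group()
            hits.append(Hit(kind, enc, base + m.start(), len(raw), raw.decode(enc)))
    return _dedupe(hits)


def _dedupe(hits: list[Hit]) -> list[Hit]:
    """Drop hits that are a truncated prefix or a cut-off suffix of another hit.

    A sliding-window scan sees the same string more than once: truncated at the
    end of one window, cut off at the start of the next. Keeping only hits that
    are not contained in an earlier-starting, longer hit of the same kind fixes it.
    """
    hits.sort(key=lambda h: (h.kind, h.offset, -h.length))
    kept: list[Hit] = []
    for h in hits:
        last = kept[-1] if kept else None
        if last and last.kind == h.kind and h.offset + h.length <= last.offset + last.length:
            continue
        kept.append(h)
    kept.sort(key=lambda h: h.offset)
    return kept


def carve_stream(stream: BinaryIO, chunk_size: int = 1 << 20, overlap: int = 4096) -> list[Hit]:
    """Scan a large source (image, pagefile, memory dump) without loading it whole.

    `overlap` must be at least as long as the longest string you expect to carve,
    otherwise a match straddling two reads can be lost.
    """
    hits: list[Hit] = []
    carry = b""
    base = 0
    while True:
        block = stream.read(chunk_size)
        if not block:
            break
        data = carry + block
        hits.extend(carve(data, base))
        carry = data[-overlap:]          # re-scan the tail together with the next block
        base += len(data) - len(carry)
    return _dedupe(hits)


def carve_bytes_chunked(data: bytes, chunk_size: int, overlap: int) -> list[Hit]:
    """Convenience wrapper: run the chunked scan over an in-memory buffer."""
    return carve_stream(io.BytesIO(data), chunk_size, overlap)


# Constructed sample: fragments with no filesystem structure around them.
SAMPLE = (
    b"\x00\xff\x13garbage" * 3
    + b"From: alice@example.com\r\n"
    + b"\x00" * 40
    + b"GET http://www.example.org/login?user=bob HTTP/1.1"
    + b"\x00" * 20
    + "carol@example.net".encode("utf-16-le")
    + b"\xde\xad\xbe\xef" * 5
    + "https://intranet.example/share".encode("utf-16-le")
    + b"\x7f" * 8
)

if __name__ == "__main__":
    # Tiny chunks force every string across a read boundary at least once.
    for h in carve_bytes_chunked(SAMPLE, chunk_size=16, overlap=128):
        print(f"{h.offset:6d}  {h.kind:5s}  {h.encoding:9s}  {h.value}")
```

The chunked scan deliberately uses a small chunk size in the demo so that every string crosses a read boundary; on a real image you would use megabyte reads with an overlap of a few kilobytes, and the containment-based dedupe is what keeps the output identical to a single-pass scan.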
RegRipper
RegRipper extracts specific forensic data from Windows registry hives using a plugin architecture. Each plugin targets a specific registry key or set of keys and produces human-readable output.
| Hive | What RegRipper extracts | Module |
| --- | --- | --- |
| SYSTEM | Services, network interfaces, USB history, shutdown time, computer name, timezone | WF5, WF6 |
| NTUSER.DAT | Run keys, MRU lists, UserAssist, TypedPaths, search history, recent documents | WF3, WF5 |
| SAM | Local user accounts, login history, password policy, failed login counts | WF3 |
| SOFTWARE | Installed software, network profiles, OS version, uninstall entries | WF5, WF6 |

RegRipper is faster than RECmd for targeted extraction. You point it at a hive and a plugin, and it returns the specific data that plugin is designed to find. RECmd is better for comprehensive registry analysis where you need to process every key in a hive. This course uses both.
Download from https://github.com/keydet89/RegRipper3.0.
Plaso (log2timeline)
Plaso creates super timelines by parsing dozens of artifact types and normalizing every timestamp into a single chronological view. A super timeline from a single workstation can contain millions of entries from Prefetch, event logs, MFT, registry, browser history, and other sources, all in one searchable timeline.
Module 9 teaches super timeline construction. Earlier modules teach individual artifact analysis first. You need to understand what each artifact contains before you can interpret a timeline that combines all of them. Processing time depends on evidence volume: a typical workstation triage takes 30 to 90 minutes. Full disk images can take several hours.
Download from https://plaso.readthedocs.io/en/latest/.
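Plaso does this normalisation for dozens of formats. As an added example (written for this page, not Plaso's or Eric Zimmerman's code), the script below does the same job in miniature for three constructed parser outputs: it reads each CSV, takes the timestamp from a per-source column, converts every value to UTC (including one row that simulates a source exported in local time with an offset), merges everything into one sorted list, and offers a pivot helper that returns the events within a window around a time of interest. The column names (`LastRun`, `TimeCreated`, `Created0x10`), the seven-digit fractional-second format and the sample rows are assumptions about EZ-tool CSV output, constructed here; they are not taken from a real case.

```python
"""Normalising timestamps from several artifact parsers into one super timeline.

Added example for this page; it is not Plaso's or Timeline Explorer's code. The
CSV column names and the sample rows are assumptions constructed for the example.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(order=True)
class Event:
    when: datetime       # always UTC after normalisation
    source: str          # which parser produced the row
    artifact: str        # which timestamp column the event came from
    description: str


# Assumed layout per source: (timestamp column, columns kept in the description).
# Each parser names its time column differently; that is the normalisation problem.
SOURCES = {
    "prefetch": ("LastRun", ["ExecutableName", "RunCount"]),
    "evtx": ("TimeCreated", ["Channel", "EventId"]),
    "mft": ("Created0x10", ["ParentPath", "FileName"]),
}


def parse_timestamp(text: str, default_tz=timezone.utc) -> datetime:
    """Accept 'YYYY-MM-DD HH:MM:SS[.fffffff]' and ISO 8601 with Z or an offset.

    Seven-digit fractions (100 ns ticks, as assumed for EZ-tool output) are
    trimmed to six because datetime stores microseconds. A naive value is taken
    as default_tz; every result is converted to UTC so sorting is meaningful.
    """
    text = text.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    main, sep, rest = text.partition(".")
    if sep:
        digits = 0
        while digits < len(rest) and rest[digits].isdigit():
            digits += 1
        frac, tail = rest[:digits], rest[digits:]
        text = f"{main}.{frac[:6].ljust(6, '0')}{tail}"
    dt = datetime.fromisoformat(text)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=default_tz)
    return dt.astimezone(timezone.utc)


def build_timeline(csv_by_source: dict) -> list:
    """Merge parser CSV text into one chronologically sorted list of events."""
    events = []
    for source, text in csv_by_source.items():
        ts_col, desc_cols = SOURCES[source]
        for row in csv.DictReader(io.StringIO(text)):
            raw = (row.get(ts_col) or "").strip()
            if not raw:
                continue   # e.g. a Prefetch file with no recorded run: no event, keep going
            desc = " | ".join(f"{c}={row.get(c, '')}" for c in desc_cols)
            events.append(Event(parse_timestamp(raw), source, ts_col, desc))
    events.sort()
    return events


def around(events: list, pivot: str, minutes: int) -> list:
    """Pivot: every event within +/- minutes of a time of interest."""
    centre = parse_timestamp(pivot)
    delta = timedelta(minutes=minutes)
    return [e for e in events if centre - delta <= e.when <= centre + delta]


# Constructed sample output from three parsers (not real case data).
PREFETCH_CSV = """SourceFilename,ExecutableName,RunCount,LastRun
C:\\Windows\\Prefetch\\CMD.EXE-XXXXXXXX.pf,CMD.EXE,4,2024-03-05 14:22:10.1234567
C:\\Windows\\Prefetch\\NOTEPAD.EXE-XXXXXXXX.pf,NOTEPAD.EXE,0,
C:\\Windows\\Prefetch\\POWERSHELL.EXE-XXXXXXXX.pf,POWERSHELL.EXE,2,2024-03-05 14:23:40.0000000
"""
# First row simulates an export in local time (UTC-5); it must sort correctly anyway.
EVTX_CSV = """TimeCreated,Channel,EventId,Computer
2024-03-05T09:21:55-05:00,Security,4624,WS01
2024-03-05T14:25:02Z,Microsoft-Windows-PowerShell/Operational,4104,WS01
"""
MFT_CSV = """ParentPath,FileName,Created0x10
.\\Users\\alice\\Downloads,report.lnk,2024-03-05 14:22:30.5000000
.\\Windows\\Temp,cleanup.ps1,2024-03-05 14:23:10.0000000
"""

if __name__ == "__main__":
    timeline = build_timeline({"prefetch": PREFETCH_CSV, "evtx": EVTX_CSV, "mft": MFT_CSV})
    for e in timeline:
        print(e.when.isoformat(), e.source, e.artifact, e.description)
    print("--- within one minute of 14:22:30 ---")
    for e in around(timeline, "2024-03-05 14:22:30", 1):
        print(e.when.isoformat(), e.source, e.description)
```

The point the miniature makes is the one Module 9 builds on: until every source is in the same time zone and the same precision, sorting across parsers is meaningless, and a row without a timestamp (the Prefetch file that never ran) has to be dropped from the timeline rather than silently given a bogus time.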
Evidence acquisition and collection tools
KAPE
KAPE (Kroll Artifact Parser and Extractor) handles both evidence collection and processing. It uses a target/module architecture: targets define what to collect, modules define what to process.
| Collection target | What it collects |
| --- | --- |
| !SANS_Triage | Registry hives, event logs, Prefetch, Amcache, SRUM, browser DBs, MFT, USN Journal, LNK files, Jump Lists, and more |
| EventLogs | Only .evtx files (lightweight) |
| !BasicCollection | Core hives + event logs (no browser/MFT) |

| Processing module | What it runs |
| --- | --- |
| !EZParser | All EZ tools against collected artifacts |
| !RECmd_AllBatchFiles | Registry batch processing |

KAPE's target architecture is modular. !SANS_Triage is a compound target that includes dozens of individual targets. You can also run individual targets when you need only a specific artifact type. Module 1 covers when to use full triage versus targeted collection.
Download from https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape.
Velociraptor
Velociraptor is a remote forensic collection and monitoring tool built around VQL (Velociraptor Query Language). Where KAPE runs locally on the target system, Velociraptor deploys a lightweight agent that communicates with a central server. You write VQL queries or use pre-built artifact collectors to gather forensic data from one endpoint or thousands.
This course uses Velociraptor in two contexts: single-host remote collection (Module 1) and fleet-wide scoping with hunts (Module 1, Investigation scenarios). A hunt can check 500 endpoints for a specific indicator in minutes. VQL is expressive enough to build custom collectors for artifacts that do not have pre-built parsers.
Download from https://docs.velociraptor.app/.
Magnet RAM Capture
Magnet RAM Capture is a free memory acquisition tool that captures the physical memory of a running Windows system to a raw dump file. Memory contains data that exists nowhere on disk: decrypted credentials, injected code, active C2 sessions, process environment blocks, and private browsing content.
Magnet RAM Capture is lightweight and portable. It runs from a USB drive without installation. DumpIt and winpmem are alternatives that perform the same function. The choice between them is often environmental: some tools work better with specific hardware or endpoint protection configurations.
Download from https://www.magnetforensics.com/resources/magnet-ram-capture/.
Encrypted Disk Detector
Encrypted Disk Detector (EDD) checks a running system for full-disk encryption (BitLocker, TrueCrypt, VeraCrypt, PGP, Symantec Endpoint Encryption). Run this before powering down a system. If the drive is encrypted and you power off, you lose access unless you have the recovery key. EDD tells you whether you need to capture the encryption keys from memory before shutdown, or whether you can safely image the drive offline.
Download from https://www.magnetforensics.com/resources/encrypted-disk-detector/.
FTK Imager
FTK Imager is the standard tool for creating forensic disk images. It produces E01 (EnCase format) or raw images with SHA256/MD5 hash verification. It supports write-blocking, evidence item creation, and can mount images for browsing. FTK Imager also includes a lightweight registry viewer and a capability to export individual files from a mounted image.
Download from https://www.exterro.com/ftk-imager.
Arsenal Image Mounter
Arsenal Image Mounter mounts forensic images (E01, raw, VMDK, VHD) as read-only drives in Windows. You can browse the mounted filesystem in Explorer and run tools against it as if it were a live drive. This is useful for tools that expect a drive letter rather than an evidence file path, and for manual examination of directory structures.
Download from https://arsenalrecon.com/downloads.
Commercial forensic platforms
Commercial tools provide integrated workflows, vendor support, and capabilities that open-source tools do not always match. This course teaches with open-source and free tools so every student can follow along without licensing costs. In professional practice, many examiners use commercial tools alongside the open-source toolkit.
Magnet Axiom Cyber. Cloud-native evidence acquisition and analysis. Acquires from endpoints, cloud services (M365, Google Workspace, AWS), and mobile devices. Integrated timeline, artifact analysis, and reporting. The cloud acquisition capability is its primary differentiator. Where KAPE and Velociraptor collect from endpoints, Axiom Cyber can pull directly from cloud service APIs.
Cellebrite Digital Collector / Inspector. Originally built for mobile forensics, Cellebrite has expanded into endpoint and cloud collection. Strong in mobile device acquisition and parsing. Used heavily in law enforcement.
X-Ways Forensics. A low-level forensic analysis tool with deep filesystem support. Extremely efficient with large evidence sets. Preferred by examiners who work at the disk and filesystem level rather than the artifact parsing level. Less intuitive than Autopsy but significantly faster on large images.
EnCase Forensic. One of the oldest commercial forensic platforms. Produces E01 image format (now an industry standard). Comprehensive artifact analysis with EnScript automation. Common in law enforcement and large consultancies.
The open-source tools in this course produce output that is compatible with these commercial platforms. PECmd CSV output can be imported into Axiom for combined analysis. KAPE triage collections can be processed by X-Ways or EnCase. The skills transfer.
Forensic Linux distributions
Forensic Linux distributions are pre-configured operating systems with forensic tools installed, write-blocking configured by default, and workflows optimized for evidence handling. They are useful as bootable analysis environments and for cases where you need to examine a system without modifying its disk.
CAINE (Computer Aided Investigative Environment). Ubuntu-based. All drives mounted read-only by default. Includes Autopsy, TSK, Bulk Extractor, RegRipper, and dozens of other tools pre-installed. Good for bootable forensic analysis where you need a complete environment on a USB drive.
PALADIN. Ubuntu-based forensic distribution designed for ease of use. Includes a forensic toolbox GUI that organizes tools by task (imaging, analysis, reporting). Built-in disk imaging with hash verification. Designed for examiners who prefer a GUI workflow.
CSI Linux. Focused on OSINT and cyber investigations alongside traditional forensics. Includes Autopsy, Wireshark, Maltego, and other investigation tools. Useful when your investigation spans both endpoint forensics and online intelligence gathering.
These distributions are not required for this course. The course is built around a Windows analysis workstation because the primary evidence type is Windows artifacts, and many of the tools (EZ suite, Timeline Explorer, KAPE) are Windows-native. Forensic Linux distributions are an alternative or complementary environment. If your workflow includes Linux-based analysis, the artifact parsing skills from this course apply directly because the evidence format is the same regardless of which operating system your analysis workstation runs.
Memory analysis frameworks
Volatility. The standard open-source memory analysis framework. Processes RAM dumps captured by Magnet RAM Capture, DumpIt, or winpmem. Identifies running processes, network connections, loaded modules, injected code, registry hives in memory, and decrypted data. Volatility 3 is the current version (Python 3, plugin-based architecture).
MemProcFS. A memory analysis tool that presents memory contents as a virtual filesystem. Mount a memory dump and browse it like a disk: processes as directories, modules as files, network connections as structured data. Faster than Volatility for many operations and easier to integrate into scripted workflows.
Memory analysis appears in this course where it intersects with specific investigation questions: credential theft artifacts in Module 4, malware identification in Module 2, and encrypted data recovery in Module 8. Module 1 covers memory acquisition.
Next: Section 0.4 covers where forensic analysis is applied in practice: corporate investigations, incident response, law enforcement, civil litigation, malware analysis, and educational settings.