Open Source Tool
🧰 Forensic Toolbox
A comprehensive Python suite for parsing Windows artifacts and memory analysis — registry, prefetch, LNK, EVTX, and more.
Key Features
Registry Analysis
Parse SOFTWARE, SYSTEM, SAM, NTUSER.DAT, SECURITY, UsrClass.dat. Extract autoruns and USB device history.
Prefetch Parsing
Full Windows XP–11 support. Compressed/uncompressed formats, execution timestamps, run count tracking.
LNK File Analysis
Parse Windows shortcut files for target info, creation/access times, volume data, and command line args.
EVTX Parsing
Event log analysis with Event ID mapping, timeline generation, custom filters, and CSV/JSON export.
Memory Analysis
Volatility 3 integration for process listing, network connections, DLL and handle enumeration.
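The EVTX feature above lists Event ID mapping, timeline generation, custom filters and CSV/JSON export. The following is an added example of that pipeline written for this page; it is not the toolbox's own EVTX code. It works on plain dicts that stand in for events already parsed out of an .evtx file (the sample records are constructed, not captured from a real host), so it runs without an event-log library; all function names and the record field names are assumptions.

```python
"""Event-log timeline builder: Event ID mapping, filters and CSV/JSON export.

Added example. The records below are constructed by hand to stand in for
events parsed out of an .evtx file; they are not from a real system.
"""
import csv
import io
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Callable, Iterable, Optional

# Event ID -> description; a small subset of the Security/System log IDs an
# analyst maps first. Extend with the IDs relevant to the investigation.
EVENT_ID_MAP = {
    1102: "Audit log cleared",
    4624: "Successful logon",
    4625: "Failed logon",
    4672: "Special privileges assigned to new logon",
    4688: "Process created",
    4720: "User account created",
    7045: "Service installed",
}

FIELDS = ["timestamp", "event_id", "description", "channel", "computer", "detail"]


@dataclass(frozen=True)
class TimelineEntry:
    timestamp: datetime
    event_id: int
    description: str
    channel: str
    computer: str
    detail: str


def describe(event_id: int) -> str:
    """Map an Event ID to text; unknown IDs stay visible instead of being dropped."""
    return EVENT_ID_MAP.get(event_id, f"Unknown Event ID {event_id}")


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; naive values are treated as UTC (EVTX stores UTC)."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def parse_event_ids(spec: str) -> set[int]:
    """Turn a CLI-style '4624,4625' list into a set of ints, ignoring blanks."""
    return {int(part) for part in spec.split(",") if part.strip()}


def to_entry(record: dict) -> TimelineEntry:
    """Normalise one parsed event record (constructed field names) into an entry."""
    event_id = int(record["event_id"])
    return TimelineEntry(
        timestamp=parse_ts(record["time_created"]),
        event_id=event_id,
        description=describe(event_id),
        channel=record.get("channel", ""),
        computer=record.get("computer", ""),
        detail=record.get("detail", ""),
    )


def build_timeline(records: Iterable[dict], event_ids=None, start=None, end=None,
                   predicate: Optional[Callable[[TimelineEntry], bool]] = None) -> list[TimelineEntry]:
    """Filter by Event ID set, time window and custom predicate, then sort by time."""
    if isinstance(event_ids, str):
        event_ids = parse_event_ids(event_ids)
    wanted = set(event_ids) if event_ids else None
    lo = parse_ts(start) if start else None
    hi = parse_ts(end) if end else None
    kept = []
    for record in records:
        entry = to_entry(record)
        if wanted is not None and entry.event_id not in wanted:
            continue
        if (lo and entry.timestamp < lo) or (hi and entry.timestamp > hi):
            continue
        if predicate and not predicate(entry):
            continue
        kept.append(entry)
    return sorted(kept, key=lambda e: (e.timestamp, e.event_id))


def to_rows(entries):
    for e in entries:
        row = asdict(e)
        row["timestamp"] = e.timestamp.isoformat()
        yield row


def to_csv(entries) -> str:
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(to_rows(entries))
    return buf.getvalue()


def to_json(entries) -> str:
    return json.dumps(list(to_rows(entries)), indent=2)


# Constructed sample records (deliberately out of order to exercise the sort).
SAMPLE_RECORDS = [
    {"time_created": "2024-03-01T08:02:11Z", "event_id": 4625, "channel": "Security", "computer": "WS01", "detail": "user=svc_backup src=10.0.0.5"},
    {"time_created": "2024-03-01T08:02:13Z", "event_id": 4625, "channel": "Security", "computer": "WS01", "detail": "user=svc_backup src=10.0.0.5"},
    {"time_created": "2024-03-01T08:02:20Z", "event_id": 4624, "channel": "Security", "computer": "WS01", "detail": "user=svc_backup logon_type=3 src=10.0.0.5"},
    {"time_created": "2024-03-01T08:02:21Z", "event_id": 4672, "channel": "Security", "computer": "WS01", "detail": "user=svc_backup"},
    {"time_created": "2024-03-01T07:59:59Z", "event_id": 4688, "channel": "Security", "computer": "WS01", "detail": "process=C:\\Windows\\System32\\svchost.exe"},
    {"time_created": "2024-03-01T08:05:40Z", "event_id": 7045, "channel": "System", "computer": "WS01", "detail": "service=UpdaterSvc"},
    {"time_created": "2024-03-01T09:30:00Z", "event_id": 1102, "channel": "Security", "computer": "WS01", "detail": "user=svc_backup"},
]

if __name__ == "__main__":
    # Same selection as the CLI's --event-ids 4624,4625, exported as CSV.
    print(to_csv(build_timeline(SAMPLE_RECORDS, event_ids="4624,4625")))
```

Unknown Event IDs are kept with an "Unknown Event ID" label rather than silently dropped, so a timeline never hides events the map has not caught up with; the time-window and predicate filters compose with the ID filter the same way the CLI's flags would.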
Installation
```bash
# Clone the repository
git clone https://github.com/Prof-GP/forensic-toolbox.git
cd forensic-toolbox
# Install dependencies
pip install -r requirements.txt
```
Usage Examples
CLI
```bash
# Parse a registry hive
python forensic_toolbox.py --registry SOFTWARE --output results.json
# Parse prefetch files
python forensic_toolbox.py --prefetch C:\Windows\Prefetch --output prefetch.csv
# Analyze LNK files
python forensic_toolbox.py --lnk shortcuts.lnk --verbose
# Parse EVTX logs
python forensic_toolbox.py --evtx Security.evtx --event-ids 4624,4625
# Memory analysis
python forensic_toolbox.py --memory memdump.raw --profile Win10x64
```
Python API
```python
from forensic_toolbox import RegistryParser, PrefetchParser
# Registry analysis
parser = RegistryParser('SOFTWARE')
autorun_data = parser.get_autoruns()
usb_history = parser.get_usb_devices()
# Prefetch parsing
prefetch = PrefetchParser('CALC.EXE-3FBEF7FD.pf')
execution_info = prefetch.get_execution_info()
```
Supported File Types
Registry Hives: SOFTWARE, SYSTEM, SAM, NTUSER.DAT, SECURITY, UsrClass.dat
Prefetch: .pf files (Windows XP – Windows 11)
Shortcuts: .lnk files
Event Logs: .evtx files
Memory Dumps: .raw, .mem, .dmp files
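The prefetch support above spans Windows XP to Windows 11, which means four header layouts (versions 17, 23, 26 and 30) plus the compressed form Windows 10 and 11 write. The following added example, written for this page and not the toolbox's own PrefetchParser, parses the fixed header of an uncompressed .pf file (executable name, prefetch hash, run count, last-run FILETIMEs) and recognises the compressed format so it is reported instead of misparsed. The sample files are built in memory by `build_sample_prefetch`, not captured from a real system; the field offsets follow the commonly documented layouts, and treating version 30 with the run count at offset 200 is an assumption (a later Windows 10/11 variant stores it at 208 and is not handled here).

```python
"""Minimal Windows prefetch (.pf) header parser for versions 17 to 30.

Added example; not the toolbox's own PrefetchParser. The sample files are
built in memory by build_sample_prefetch(), not taken from a real system.
"""
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

SCCA = b"SCCA"      # signature at offset 4 of an uncompressed prefetch file
MAM = b"MAM\x04"    # leading bytes of a Windows 10/11 compressed prefetch file
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# version -> (offset of last-run FILETIME array, number of FILETIMEs, run-count offset)
LAYOUT = {
    17: (120, 1, 144),  # Windows XP / 2003
    23: (128, 1, 152),  # Windows Vista / 7
    26: (128, 8, 208),  # Windows 8 / 8.1
    30: (128, 8, 200),  # Windows 10 / 11; assumption: original v30 layout (the later
                        # variant that moves the run count to offset 208 is not handled)
}


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; zero means no run recorded."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(ts: datetime) -> int:
    delta = ts - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def is_compressed(data: bytes) -> bool:
    return data[:4] == MAM


def parse_prefetch(data: bytes) -> dict:
    """Parse the fixed header of an uncompressed prefetch file into a dict."""
    if is_compressed(data):
        size, = struct.unpack_from("<I", data, 4)
        raise ValueError(f"compressed prefetch file ({size} bytes uncompressed); "
                         "decompress (LZXPRESS Huffman) before parsing")
    if len(data) < 84 or data[4:8] != SCCA:
        raise ValueError("not an uncompressed prefetch file (no SCCA signature)")
    version, = struct.unpack_from("<I", data, 0)
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch version {version}")
    times_off, n_times, count_off = LAYOUT[version]
    if len(data) < max(times_off + 8 * n_times, count_off + 4):
        raise ValueError("truncated prefetch file")
    file_size, = struct.unpack_from("<I", data, 12)
    # 60-byte UTF-16LE executable name, NUL terminated, at offset 16
    exe_name = data[16:76].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    prefetch_hash, = struct.unpack_from("<I", data, 76)
    raw_times = struct.unpack_from(f"<{n_times}Q", data, times_off)
    run_count, = struct.unpack_from("<I", data, count_off)
    return {
        "version": version,
        "executable": exe_name,
        "prefetch_hash": prefetch_hash,
        # The on-disk name should match; a mismatch is worth flagging as a renamed file.
        "expected_filename": f"{exe_name}-{prefetch_hash:08X}.pf",
        "file_size": file_size,
        "run_count": run_count,
        "last_run_times": [t for t in map(filetime_to_datetime, raw_times) if t],
    }


def build_sample_prefetch(version, exe_name, prefetch_hash, run_count, run_times) -> bytes:
    """Constructed test data: a zero-filled file with only the header fields set."""
    times_off, n_times, count_off = LAYOUT[version]
    size = max(times_off + 8 * n_times, count_off + 4, 224)
    buf = bytearray(size)
    struct.pack_into("<I4sII", buf, 0, version, SCCA, 0, size)  # 3rd field: unknown, left 0
    name = exe_name.encode("utf-16-le")[:58]
    buf[16:16 + len(name)] = name
    struct.pack_into("<I", buf, 76, prefetch_hash)
    fts = [datetime_to_filetime(t) for t in run_times][:n_times]
    fts += [0] * (n_times - len(fts))
    struct.pack_into(f"<{n_times}Q", buf, times_off, *fts)
    struct.pack_into("<I", buf, count_off, run_count)
    return bytes(buf)


UTC = timezone.utc
# Constructed samples: the hash 3FBEF7FD is the one in the page's CALC.EXE example;
# the NOTEPAD.EXE hash and all timestamps are made up for the demonstration.
SAMPLE_WIN10 = build_sample_prefetch(30, "CALC.EXE", 0x3FBEF7FD, 5,
    [datetime(2024, 3, 1, 8, 2, 20, tzinfo=UTC), datetime(2024, 2, 28, 17, 45, 0, tzinfo=UTC)])
SAMPLE_XP = build_sample_prefetch(17, "NOTEPAD.EXE", 0x12345678, 1,
    [datetime(2009, 6, 1, 12, 0, tzinfo=UTC)])
SAMPLE_COMPRESSED = MAM + struct.pack("<I", 4096) + b"\x00" * 16

if __name__ == "__main__":
    for sample in (SAMPLE_WIN10, SAMPLE_XP):
        print(parse_prefetch(sample))
```

The version field selects the layout, so a Windows 7 file is not read with Windows 10 offsets (which would put garbage in the run count), and a compressed file fails loudly rather than yielding an empty name and zero runs.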
Want to contribute?
Submit issues, fork the repo, or open a pull request.