✨ Key Features

🔍 Registry Analysis

Comprehensive Windows Registry parser supporting multiple hive types:

  • SOFTWARE, SYSTEM, SAM, NTUSER.DAT
  • SECURITY, UsrClass.dat
  • Autorun extraction
  • USB device history

Prefetch Parsing

Parse Windows Prefetch files with full version support:

  • Windows XP through Windows 11
  • Compressed and uncompressed formats
  • Execution timestamps
  • Run count tracking
🔗 LNK File Analysis

Parse Windows shortcut files for forensic artifacts:

  • Target file information
  • Creation, modification, access times
  • Volume and network data
  • Command line arguments
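The following is an added example, not code from the forensic-toolbox project, showing what the LNK bullets above amount to at the byte level: it reads the 76-byte ShellLinkHeader (LinkFlags, FileAttributes, creation/access/write FILETIMEs, target size), skips the length-prefixed LinkTargetIDList and LinkInfo structures when their flags are set, and then walks StringData to recover the relative path and command line arguments. The on-disk sample is constructed inside the block; the `cp1252` decoding for non-Unicode shortcuts is an assumption (the real code page is whatever the creating system used).

```python
"""Parse the MS-SHLLINK header and StringData of a Windows .lnk file (added example)."""
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# LinkCLSID {00021401-0000-0000-C000-000000000046} as it is laid out on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_FMT = "<I16sIIQQQIiIHHII"  # 76-byte ShellLinkHeader
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
# StringData entries appear in this fixed order, each only if its flag is set
STRING_DATA_ORDER = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                     ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                     ("icon_location", HAS_ICON_LOCATION))
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; 0 means 'not set'."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10) if ft else None


@dataclass
class LnkInfo:
    flags: int
    file_attributes: int
    created: Optional[datetime]
    accessed: Optional[datetime]
    modified: Optional[datetime]
    target_size: int
    strings: dict


def parse_lnk(data: bytes) -> LnkInfo:
    if len(data) < 76:
        raise ValueError("too short to be a shell link")
    (hdr_size, clsid, flags, attrs, ctime, atime, wtime, size,
     _icon, _show, _hotkey, _r1, _r2, _r3) = struct.unpack_from(HEADER_FMT, data, 0)
    if hdr_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("ShellLinkHeader size/CLSID mismatch")
    pos = 76
    # Both optional structures before StringData carry their own length prefix
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]
    # StringData: u16 character count followed by the characters (UTF-16LE if IsUnicode)
    strings = {}
    for key, flag in STRING_DATA_ORDER:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            strings[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            strings[key] = data[pos:pos + count].decode("cp1252")  # assumption: ANSI code page
            pos += count
    return LnkInfo(flags, attrs, filetime_to_datetime(ctime), filetime_to_datetime(atime),
                   filetime_to_datetime(wtime), size, strings)


def build_sample_lnk(created: datetime, modified: datetime, target_size: int,
                     relative_path: str, arguments: str) -> bytes:
    """Constructed sample shortcut: header plus Unicode StringData, no IDList or LinkInfo."""
    def ft(dt: datetime) -> int:
        return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

    def sd(s: str) -> bytes:  # ASCII-only sample, so len() equals the UTF-16 unit count
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS
    header = struct.pack(HEADER_FMT, 0x4C, LNK_CLSID, flags, 0x20,  # FILE_ATTRIBUTE_ARCHIVE
                         ft(created), 0, ft(modified), target_size, 0, 1, 0, 0, 0, 0)
    return header + sd(relative_path) + sd(arguments)


def demo() -> LnkInfo:
    sample = build_sample_lnk(datetime(2023, 11, 2, 8, 15, 0, tzinfo=timezone.utc),
                              datetime(2024, 1, 20, 17, 42, 10, tzinfo=timezone.utc),
                              204800, "..\\Tools\\report.exe", "--input C:\\Data\\report.csv")
    return parse_lnk(sample)


if __name__ == "__main__":
    print(demo())
```

A zero FILETIME is reported as `None` rather than 1601-01-01, which keeps a never-populated access time from showing up as an event in a timeline.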
📋 EVTX Parsing

Windows Event Log analysis with advanced features:

  • Event ID mapping
  • Timeline generation
  • Custom filters
  • CSV/JSON export
🧠 Memory Analysis

Volatility 3 integration for memory forensics:

  • Process listing and analysis
  • Network connections
  • DLL and handle enumeration
  • Cross-platform support

🚀 Installation

# Clone the repository
git clone https://github.com/Prof-GP/forensic-toolbox.git
cd forensic-toolbox

# Install dependencies
pip install -r requirements.txt

📖 Usage Examples

CLI Usage

# Parse a registry hive
python forensic_toolbox.py --registry SOFTWARE --output results.json

# Parse prefetch files
python forensic_toolbox.py --prefetch C:\Windows\Prefetch --output prefetch_results.csv

# Analyze LNK files
python forensic_toolbox.py --lnk shortcuts.lnk --verbose

# Parse EVTX logs
python forensic_toolbox.py --evtx Security.evtx --event-ids 4624,4625

# Memory analysis
python forensic_toolbox.py --memory memdump.raw --profile Win10x64

Python API

from forensic_toolbox import RegistryParser, PrefetchParser

# Registry analysis
parser = RegistryParser('SOFTWARE')
autorun_data = parser.get_autoruns()
usb_history = parser.get_usb_devices()

# Prefetch parsing
prefetch = PrefetchParser('CALC.EXE-3FBEF7FD.pf')
execution_info = prefetch.get_execution_info()
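As an added example (not the project's `PrefetchParser`, whose internals the README does not show), the block below does by hand what the Prefetch Parsing feature and the `PrefetchParser('CALC.EXE-3FBEF7FD.pf')` call above describe: it reads the SCCA header, the executable name and hash, the last-run FILETIME(s) and the run count for the uncompressed layouts of versions 17 (XP), 23 (Vista/7), 26 (8.1) and 30 (10/11), and recognises the `MAM\x04` signature of the compressed files Windows 10 and later write, which must be decompressed before any of this applies. The offsets follow the publicly documented format; the rule used to tell the two version-30 layouts apart (metrics-array offset 0x128 puts the run count at 0xC8, otherwise 0xD0) is an assumption of this example, as is the constructed sample file built in `build_sample()`.

```python
"""Parse the header and file-information section of an uncompressed Prefetch file (added example)."""
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Per format version: (offset of first last-run FILETIME, number of FILETIME slots,
# offset of the run count), all from the start of the file.  Version 30 has two
# layouts; this example assumes the metrics-array offset at 0x54 distinguishes them.
LAYOUTS = {
    17: (0x78, 1, 0x90),   # Windows XP / Server 2003
    23: (0x80, 1, 0x98),   # Windows Vista / 7
    26: (0x80, 8, 0xD0),   # Windows 8.1
    30: (0x80, 8, None),   # Windows 10 / 11, run count offset resolved at parse time
}


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def is_mam_compressed(data: bytes) -> bool:
    """Windows 10+ stores .pf files LZXPRESS-Huffman compressed behind a 'MAM\\x04' header."""
    return data[:4] == b"MAM\x04"


@dataclass
class PrefetchInfo:
    version: int
    executable: str
    prefetch_hash: int
    run_count: int
    last_run_times: List[datetime]


def parse_prefetch(data: bytes) -> PrefetchInfo:
    if is_mam_compressed(data):
        size = struct.unpack_from("<I", data, 4)[0]  # decompressed size follows the signature
        raise ValueError(f"compressed prefetch file ({size} bytes decompressed); decompress first")
    if len(data) < 0x58 or data[4:8] != b"SCCA":
        raise ValueError("missing SCCA signature; not an uncompressed prefetch file")
    version = struct.unpack_from("<I", data, 0)[0]
    if version not in LAYOUTS:
        raise ValueError(f"unsupported prefetch version {version}")
    # 60-byte UTF-16LE executable name at 0x10, NUL-terminated; hash at 0x4C
    executable = data[0x10:0x4C].decode("utf-16-le").split("\x00", 1)[0]
    prefetch_hash = struct.unpack_from("<I", data, 0x4C)[0]
    ts_offset, ts_slots, rc_offset = LAYOUTS[version]
    if version == 30:
        metrics_offset = struct.unpack_from("<I", data, 0x54)[0]
        rc_offset = 0xC8 if metrics_offset == 0x128 else 0xD0  # assumption, see lead-in
    if len(data) < rc_offset + 4:
        raise ValueError("truncated file-information section")
    times = []
    for i in range(ts_slots):  # newest first; unused slots are zero
        ft = struct.unpack_from("<Q", data, ts_offset + 8 * i)[0]
        if ft:
            times.append(filetime_to_datetime(ft))
    run_count = struct.unpack_from("<I", data, rc_offset)[0]
    return PrefetchInfo(version, executable, prefetch_hash, run_count, times)


def build_sample(version: int, executable: str, prefetch_hash: int,
                 run_count: int, last_runs: List[datetime]) -> bytes:
    """Constructed sample: header plus a file-information stub sufficient for parse_prefetch()."""
    ts_offset, ts_slots, rc_offset = LAYOUTS[version]
    if version == 30:
        rc_offset = 0xD0
    size = max(rc_offset + 4, ts_offset + 8 * ts_slots)
    buf = bytearray(size)
    struct.pack_into("<I4sII", buf, 0, version, b"SCCA", 0x11, size)
    name = executable.encode("utf-16-le")
    buf[0x10:0x10 + len(name)] = name
    struct.pack_into("<I", buf, 0x4C, prefetch_hash)
    struct.pack_into("<I", buf, 0x54, size)  # metrics array would begin after this stub
    for i, dt in enumerate(last_runs[:ts_slots]):
        ft = ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10
        struct.pack_into("<Q", buf, ts_offset + 8 * i, ft)
    struct.pack_into("<I", buf, rc_offset, run_count)
    return bytes(buf)


def demo(version: int = 23) -> PrefetchInfo:
    """Build a CALC.EXE sample in the requested layout and parse it back."""
    sample = build_sample(version, "CALC.EXE", 0x3FBEF7FD, 12,
                          [datetime(2024, 3, 14, 9, 26, 53, tzinfo=timezone.utc)])
    return parse_prefetch(sample)


if __name__ == "__main__":
    print(demo())
```

The hash parsed at 0x4C is the same value that appears in the file name (`CALC.EXE-3FBEF7FD.pf`); a mismatch between the two is worth flagging during triage, since the name is easy to change and the header is not.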

📁 Supported File Types

Registry Hives: SOFTWARE, SYSTEM, SAM, NTUSER.DAT, SECURITY, UsrClass.dat
Prefetch: .pf files (Windows XP - Windows 11)
Shortcuts: .lnk files
Event Logs: .evtx files
Memory Dumps: .raw, .mem, .dmp files

🤝 Contributing

Contributions are welcome! Feel free to submit issues, fork the repository, and create pull requests.