- 🌱 I’m currently learning C# and PowerShell
- 👯 I’m looking to collaborate on anything related to DFIR
- 🤔 I’m looking for help with KAPE Targets/Modules, EvtxECmd Maps, SQLECmd Maps, RECmd Batch Files, Registry Explorer Bookmarks, Registry Explorer Plugins, and Timeline Explorer Plugins
Check out my repositories as I have a lot going on all the time!
My most actively maintained projects can be found here.
I enjoy finding abandoned DFIR tools/projects on GitHub and performing basic updates to keep them relevant and useful to the DFIR community. Check out all the tools I've forked and updated (to varying degrees) here. If you have any ideas of tools or scripts that are long overdue for a tuneup, please let me know!
If you think the Forked/Updated DFIR Tools list is cool, here is a list of tool repositories that may be transferred to that list someday! Think of this list as a to-do list for me to add more tools to the Forked/Updated DFIR Tools list. Check out my Projects That Need Updating list here.
Join the Digital Forensics Discord Server! Check out my beginner's guide here! Also, check out the Digital Forensics Discord Server's GitHub Organization here where there's lots of cool ongoing projects!
The Digital Forensics Discord Server produced a crowdsourced book on August 15, 2022. Check it out here!
Eric Zimmerman and I co-authored and published the EZ Tools Manuals on Leanpub! Check it out here!
Eric Zimmerman's posts from his Binary Foray blog are now in PDF and EPUB format. Check it out here!
- Forensically Unpacking EventTranscript.db: An Investigative Series
- New Windows 11 Pro (22H2) Evidence of Execution Artifact!
- Kroll Artifact Parser and Extractor (KAPE) Official Demo
- SANS DFIR Summit 2021: EZ Tools/KAPE: How to Contribute to and Benefit from Open Source Contributions
- How to Use KAPE and SQLECmd with EventTranscript.db
- Enhancing Event Log Analysis with EvtxEcmd using KAPE
- How to Identify Timestomping using KAPE
- EZ Tools Manuals Interview with Andrew Rathbun
- EventTranscript.db Deep Dive - New Windows Forensic Artifact!
- Forensic Happy Hour Episode 127
- CTF Episode 8: Turn Up and Follow Through with special guest Andrew Rathbun
- Cellebrite: The Digital Forensics Series - EP 4
- Unit 42's Andrew Rathbun on the Sysmon Configuration Mistake Enterprises Are Making
- My Take on Preparing for GIAC Certification Exams
- Introducing the AboutDFIR RSS Starter Pack!
- A General Overview of DFIR Resources
- A Beginner’s Guide to the Digital Forensics Discord Server
- AboutDFIR RSS Starter Pack v2 released!
- Introducing AboutDFIR’s KAPE Guide
- Introducing AboutDFIR’s Timeline Explorer Guide
- Introducing the AboutDFIR LinkedIn Page!
- Introducing AboutDFIR’s MFT Explorer/MFTECmd Guide
- A Conversation about Transitioning to Incident Response
- Preservation Letter/Search Warrant Templates
- DFIR FYI: Security:4624 has been updated in Windows 11 Pro (22H2)