48 results for “topic:windows-forensics”
Hands-on projects for beginners to learn and practice Windows forensics and essential cybersecurity skills
Cross-platform registry browser for raw Windows registry files
ExeSpy is a cross-platform PE viewer for EXE and DLL files
Windows forensics Engine
Vault of Windows Registry forensic artifacts
A DFIR Incident Response AI bot using a local Ollama LLM to derive automated findings from logs
Tools and Techniques for Digital Forensics and Incident Response
A comprehensive MCP server for Windows digital forensics on Kali Linux
Command Spy is a utility for monitoring the command line arguments of new processes on Windows. Made for CCDC.
Python module for forensic analysis of Windows shortcuts (LNK files). You can install this package using pip install lnkanalyser
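The lnkanalyser package's own API is not reproduced here. As an added example (not the project's code), the stand-alone Python below shows what such a module has to do at the byte level: validate the 76-byte ShellLinkHeader (HeaderSize and LinkCLSID), convert the three FILETIME stamps, skip the optional LinkTargetIDList and LinkInfo structures, and then read the StringData items (Name, RelativePath, WorkingDir, Arguments, IconLocation) in the order the format fixes. The sample shortcut, its powershell.exe target, the encoded-command arguments and the triage heuristics in `suspicious_reasons` are all constructed for illustration and are not taken from any real case.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

# ShellLinkHeader constants (MS-SHLLINK 2.1): fixed 76-byte header with a magic CLSID
SHELL_LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HEADER_SIZE = 0x4C
# LinkFlags bits that decide which optional structures follow the header
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; zero means 'not set'."""
    return None if ft == 0 else _FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    d = dt - _FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def _read_string(buf, off, is_unicode):
    """One StringData item: CountCharacters (u16) then the characters, no terminator."""
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    nbytes = count * 2 if is_unicode else count
    text = buf[off:off + nbytes].decode("utf-16-le" if is_unicode else "cp1252")
    return text, off + nbytes

def parse_lnk(data):
    """Return the header fields and whichever StringData strings the flags say exist."""
    if len(data) < HEADER_SIZE:
        raise ValueError("shorter than a ShellLinkHeader")
    (size, clsid, flags, attrs, ctime, atime, wtime,
     fsize, _icon_index, show_cmd, _hotkey) = struct.unpack_from("<I16sIIQQQIiIH", data, 0)
    if size != HEADER_SIZE or uuid.UUID(bytes_le=clsid) != SHELL_LINK_CLSID:
        raise ValueError("not a Shell Link: bad HeaderSize or LinkCLSID")
    info = {"flags": flags, "file_attributes": attrs, "file_size": fsize,
            "show_command": show_cmd, "created": filetime_to_datetime(ctime),
            "accessed": filetime_to_datetime(atime), "modified": filetime_to_datetime(wtime)}
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (u16) + IDList: skip it
        (id_size,) = struct.unpack_from("<H", data, off)
        off += 2 + id_size
    if flags & HAS_LINK_INFO:                # LinkInfoSize (u32) counts itself: skip it
        (li_size,) = struct.unpack_from("<I", data, off)
        off += li_size
    is_unicode = bool(flags & IS_UNICODE)
    # StringData items appear in this fixed order, each present only if its flag is set
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            info[key], off = _read_string(data, off, is_unicode)
        else:
            info[key] = None
    return info

def suspicious_reasons(info):
    """Illustrative triage heuristics, not an exhaustive or authoritative list."""
    reasons = []
    target = (info.get("relative_path") or "").lower()
    args = (info.get("arguments") or "").lower()
    if target.endswith(("powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe")):
        reasons.append("target is a script or command interpreter")
    if any(tok in args for tok in ("-enc", "-w hidden", "-nop")):
        reasons.append("arguments use PowerShell hiding/encoding switches")
    if info.get("show_command") == 7:        # SW_SHOWMINNOACTIVE: starts minimised
        reasons.append("window starts minimised")
    return reasons

def _string_data(text, is_unicode=True):
    enc = text.encode("utf-16-le" if is_unicode else "cp1252")
    return struct.pack("<H", len(text)) + enc

def build_sample_lnk():
    """Constructed shortcut (not from a real system): no IDList or LinkInfo, a relative
    path to powershell.exe, an encoded-command argument string, ShowCommand 7."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    ft = datetime_to_filetime(datetime(2020, 1, 1, tzinfo=timezone.utc))
    header = struct.pack("<I16sIIQQQIiIH", HEADER_SIZE, SHELL_LINK_CLSID.bytes_le,
                         flags, 0x20, ft, ft, ft, 0, 0, 7, 0) + b"\x00" * 10  # 3 Reserved fields
    return (header
            + _string_data(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe")
            + _string_data("-nop -w hidden -enc SQBFAFgA"))

if __name__ == "__main__":
    shortcut = parse_lnk(build_sample_lnk())
    print(shortcut["created"], shortcut["relative_path"], shortcut["arguments"])
    print(suspicious_reasons(shortcut))
```

The parser deliberately stops at StringData; a real shortcut from a phishing campaign usually carries a LinkTargetIDList and LinkInfo as well, which the code skips by their declared sizes rather than parsing, so the arguments string is still reached. Run it against a real .LNK with `parse_lnk(open(path, "rb").read())`.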
A comprehensive repository for CyberOps documentation, Blue Team playbooks, and open-source forensic tools like Cerberus and Chimera.
When conducting an investigation on a Windows machine there are 8 phases to go through. Today we'll discuss the first, 'Collecting Volatile Information'; the rest will be explained in future topics.
AWMFA - Automated Windows Memory Forensics Analysis. Python automation framework for Volatility 2 that streamlines memory analysis. Features: automated plugin execution with threading, intelligent threat detection using 28+ heuristics, no deep Windows internals knowledge required, multi-format reports (TXT/HTML/PDF).
Search artifact paths, build collection scripts, and convert Sigma rules. All in one place.
RDP Bitmap Cache Parser: a lightweight forensic utility to extract and reconstruct images from RDP Bitmap Cache (bmc, bin, dat) files. Useful for identifying visual remnants of a remote desktop session even after it ends. Ideal for forensic investigations and RDP activity analysis.
Blue-team portfolio: SOC detection engineering, malware analysis, vulnerability management.
Modular, agent-less forensic triage framework for rapid Windows & Linux artifact collection and memory acquisition
Windows Event Log forensic timeline and incident response analysis tool (EVTX triage)
FAEP is an automated tool that extracts and parses forensic artifacts from .E01 images, with a clean GUI and minimal manual effort.
From Shadows to Sun: A high-resolution forensics suite for absolute coordinate determination, from triage to testimony.
Useful tools for (not only) digital forensics
Understanding what forensic artifacts are present in the Windows and Linux Operating Systems, how to collect them, and leverage them to investigate security incidents.
Windows-first DFIR triage collector that gathers live-response artifacts, exports EVTX logs, and generates integrity-verified evidence packages for incident response investigations
Automatic extraction, transcription and translation of audio/video evidence for DFIR investigations.
SOC Analyst portfolio with real Windows attack simulations. Labs cover the full attack chain—recon, execution, credential access, lateral movement, and persistence—using Sysmon + Splunk, with MITRE ATT&CK mapping and custom detection rules.
This journal documents my progress and learnings from different TryHackMe rooms. Each entry contains key takeaways, commonly used commands, and practical applications. My experience with TryHackMe has enhanced my understanding of Linux and Windows fundamentals, network protocols, incident handling, and log analysis.
A lightweight digital forensics tool for extracting and analyzing NTFS $MFT data using CSV-based workflows. MFT Analyzer offers a fast, stable GUI with powerful filters to investigate millions of file records without heavy databases, making forensic triage simple and efficient.
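MFT Analyzer works from CSV exports, so the raw record handling stays out of sight. As an added example (not the project's code), the Python below parses one raw $MFT FILE record the way any such exporter must: apply the update-sequence fixups first (the step that, if skipped, corrupts the last two bytes of every sector), then walk the attribute list and decode the resident $STANDARD_INFORMATION and $FILE_NAME attributes, and finally compare the two sets of timestamps for the classic timestomping tell. The 1024-byte record, the file name evil.exe, its parent reference and all timestamps are constructed for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

SECTOR = 512
STANDARD_INFORMATION, FILE_NAME, END_MARKER = 0x10, 0x30, 0xFFFFFFFF
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    return None if ft == 0 else _EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    d = dt - _EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def apply_fixups(record):
    """Undo the update sequence array (USA): on disk the last two bytes of each sector
    hold the update sequence number (USN) and the real bytes are saved in the USA."""
    rec = bytearray(record)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):                 # USA entry 0 is the USN itself
        end = i * SECTOR
        if rec[end - 2:end] != usn:
            raise ValueError("fixup mismatch in sector %d (torn write or damaged record)" % (i - 1))
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def _parse_si(content):
    raw = struct.unpack_from("<QQQQ", content, 0)   # created, modified, MFT-modified, accessed
    return {"raw": raw, "created": filetime_to_datetime(raw[0]),
            "modified": filetime_to_datetime(raw[1]), "accessed": filetime_to_datetime(raw[3])}

def _parse_fn(content):
    (parent, c, m, _mm, _a, _alloc, real, _flags, _rp,
     nlen, ns) = struct.unpack_from("<QQQQQQQIIBB", content, 0)
    name = content[0x42:0x42 + 2 * nlen].decode("utf-16-le")
    return {"name": name, "namespace": ns, "parent_record": parent & 0xFFFFFFFFFFFF,
            "real_size": real, "created": filetime_to_datetime(c), "modified": filetime_to_datetime(m)}

def parse_record(record):
    """Parse one FILE record: header flags plus resident $SI and $FN attributes."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(record)
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    out = {"in_use": bool(flags & 1), "is_directory": bool(flags & 2), "attributes": {}}
    off = first_attr
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_MARKER or alen == 0:
            break
        if rec[off + 8] == 0:                       # resident: content follows the header
            csize, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = rec[off + coff:off + coff + csize]
            if atype == STANDARD_INFORMATION:
                out["attributes"]["si"] = _parse_si(content)
            elif atype == FILE_NAME:
                out["attributes"]["fn"] = _parse_fn(content)
        off += alen
    return out

def timestomp_indicators(parsed):
    """$SI times are settable from user mode (SetFileTime); $FN times are not."""
    si, fn = parsed["attributes"].get("si"), parsed["attributes"].get("fn")
    hits = []
    if si and fn and si["created"] and fn["created"] and si["created"] < fn["created"]:
        hits.append("$SI created earlier than $FN created")
    if si and all(ft % 10_000_000 == 0 for ft in si["raw"]):
        hits.append("$SI timestamps all on whole seconds")
    return hits

def _attr(atype, content):
    """Resident attribute: 24-byte header, content at offset 24, padded to 8 bytes."""
    alen = (24 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, alen, 0, 0, 0, 0, 0, len(content), 24, 0, 0)
    return hdr + content + b"\x00" * (alen - 24 - len(content))

def build_sample_record():
    """Constructed record for 'evil.exe' under the root directory (record 5):
    $SI backdated to 2015 on whole seconds, $FN keeping the true 2024 creation time."""
    fake = datetime_to_filetime(datetime(2015, 6, 1, 9, 0, 0, tzinfo=timezone.utc))
    real = datetime_to_filetime(datetime(2024, 3, 10, 12, 34, 56, 789000, tzinfo=timezone.utc))
    si = struct.pack("<QQQQI", fake, fake, fake, fake, 0x20) + b"\x00" * 12
    name = "evil.exe"
    fn = struct.pack("<QQQQQQQIIBB", (5 << 48) | 5, real, real, real, real,
                     4096, 3210, 0x20, 0, len(name), 3) + name.encode("utf-16-le")
    attrs = _attr(STANDARD_INFORMATION, si) + _attr(FILE_NAME, fn) + struct.pack("<I", END_MARKER)
    header = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1,
                         0x38 + len(attrs), 1024, 0, 3, 0, 42)
    usn = b"\x01\x00"
    rec = bytearray(header + usn + b"\x00" * 4 + b"\x00\x00" + attrs)  # USA: USN + 2 saved entries
    rec += b"\x00" * (1024 - len(rec))
    rec[510:512] = usn                                  # on-disk form: USN stamped at sector ends
    rec[1022:1024] = usn
    return bytes(rec)

if __name__ == "__main__":
    rec = parse_record(build_sample_record())
    print(rec["attributes"]["fn"]["name"], rec["attributes"]["si"]["created"], rec["attributes"]["fn"]["created"])
    print(timestomp_indicators(rec))
```

To run this over a real $MFT, read the file in 1024-byte slices (the record size is in the boot sector; 1024 is the common value) and call `parse_record` on each slice that starts with `FILE`. Non-resident attributes and attribute lists are skipped here; the two heuristics are indicators for triage, not proof, since some legitimate operations (copies, restores, certain installers) also leave $SI earlier than $FN.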
Powerful investigation toolkit for deeper forensic analysis
Repository for my journey through the CDAC Windows Forensics Analysis Bootcamp. Covers forensic evidence acquisition, Windows Registry analysis, Event Logs, memory forensics, timeline analysis, and other digital investigation concepts.
This repository documents real-world forensic triage cases involving the abuse of legitimate Windows binaries—also known as LOLBins—for malicious purposes.