Autopsy Python File Marker Module

Repeatedly, I need the file system, registry, event log and prefetch artifacts from endpoints. So I wrote a script that marks these files as interesting, just to save time digging through the folder hierarchy. The File Marker module can be downloaded from GitHub at: https://github.com/jblukach/AutopsyModules
[Image: File Marker Module]
The marked files are listed below, along with some of my favorite tools for parsing each type of artifact.
Memory: pagefile.sys, hiberfil.sys and MEMORY.DMP
· bulk_extractor – https://github.com/simsong/bulk_extractor
· Volatility – http://www.volatilityfoundation.org
File System: $MFT, $LogFile and $UsnJrnl:$J
· Triforce ANJP Free Edition – https://www.gettriforce.com
Registry: SYSTEM, SECURITY, SOFTWARE, SAM, NTUSER.DAT, UsrClass.dat and Amcache.hve
· Registry Explorer – http://binaryforay.blogspot.com
· RegRipper – https://github.com/keydet89/RegRipper2.8
Event Logs: *.evtx
· python-evtx – https://github.com/williballenthin/python-evtx
Prefetch: *.pf
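As an added example (not the module's own code from the GitHub repository), here are the marking rules above expressed as a stand-alone Python function run over a constructed file list. The directory check that stops bare hive names such as SAM or SYSTEM from marking unrelated user files is my assumption, not something the post describes.

```python
import fnmatch

# Artifact categories and the file-name patterns that mark them, taken from the post.
# Matching is case-insensitive; NTFS paths are normalised to forward slashes first.
MARKER_RULES = {
    "Memory": ["pagefile.sys", "hiberfil.sys", "MEMORY.DMP"],
    "File System": ["$MFT", "$LogFile", "$UsnJrnl:$J"],
    "Registry": ["SYSTEM", "SECURITY", "SOFTWARE", "SAM",
                 "NTUSER.DAT", "UsrClass.dat", "Amcache.hve"],
    "Event Logs": ["*.evtx"],
    "Prefetch": ["*.pf"],
}

# Assumption (not from the post): hives that are plain words are only marked when
# they sit in the config directory, so a user's file named "SAM" is not flagged.
BARE_HIVES = {"SYSTEM", "SECURITY", "SOFTWARE", "SAM"}
HIVE_DIR_SUFFIX = "/windows/system32/config"


def mark_file(path):
    """Return the artifact category for one path, or None if it is not interesting."""
    norm = path.replace("\\", "/").lower()
    parent, _, name = norm.rpartition("/")
    for category, patterns in MARKER_RULES.items():
        for pattern in patterns:
            if not fnmatch.fnmatchcase(name, pattern.lower()):
                continue
            if pattern in BARE_HIVES and not parent.endswith(HIVE_DIR_SUFFIX):
                continue  # same name, wrong location: leave it unmarked
            return category
    return None


def mark_files(paths):
    """Group paths by artifact category, dropping anything that is not marked."""
    marked = {}
    for path in paths:
        category = mark_file(path)
        if category is not None:
            marked.setdefault(category, []).append(path)
    return marked


# Constructed file list standing in for an Autopsy file tree; not from a real image.
SAMPLE_PATHS = [
    r"C:\pagefile.sys", r"C:\hiberfil.sys", r"C:\Windows\MEMORY.DMP",
    r"C:\$MFT", r"C:\$LogFile", r"C:\$Extend\$UsnJrnl:$J",
    r"C:\Windows\System32\config\SYSTEM", r"C:\Windows\System32\config\SAM",
    r"C:\Users\alice\NTUSER.DAT",
    r"C:\Users\alice\AppData\Local\Microsoft\Windows\UsrClass.dat",
    r"C:\Windows\appcompat\Programs\Amcache.hve",
    r"C:\Windows\System32\winevt\Logs\Security.evtx",
    r"C:\Windows\Prefetch\CMD.EXE-4A81B364.pf",
    r"C:\Users\alice\Documents\SAM",  # shares a hive name but is not a hive
    r"C:\Users\alice\Documents\notes.txt",
]

if __name__ == "__main__":
    for category, files in mark_files(SAMPLE_PATHS).items():
        print(category, len(files), files)
```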
Please comment and share additional disk artifacts or tools that you use for triage!
[Image: File Marker Output]
