Repetitively, I need the file system, registry, event logs and prefetch artifacts from end points. So I created a script to mark files as interesting just to save time digging through the folder hierarchy. The File Marker module can be downloaded from GitHub at: https://github.com/jblukach/AutopsyModules
Listed the marked files with some of my favorite tools for parsing the artifacts too.
Memory: pagefile.sys, hiberfil.sys and MEMORY.DMP
· bulk_extractor – https://github.com/simsong/bulk_extractor
· Volatility – http://www.volatilityfoundation.org
File System: $MFT, $LogFile and $UsnJrnl:$J
· Triforce ANJP Free Edition – https://www.gettriforce.com
Registry: SYSTEM, SECURITY, SOFTWARE, SAM, NTUSER.DAT, UsrClass.dat and Amcache.hve
· Registry Explorer – http://binaryforay.blogspot.com
· RegRipper – https://github.com/keydet89/RegRipper2.8
Event Logs: *.evtx
· python-evtx – https://github.com/williballenthin/python-evtx
Please comment and share additional disk artifacts or tools that you use for triage!