Andrew Rathbun

DFIR @ Unit 42, Admin of the Digital Forensics Discord Server, AboutDFIR.com Contributor, USMC Veteran, Former LE.

Projects

DFIRArtifactMuseum

The goal of this repo is to archive artifacts from all versions of various OSs and categorize them by type. This will help with artifact validation processes as well as increase access to artifacts that may no longer be readily available.

HTML - Released: 31 Jan 2022 - 533

VanillaWindowsReference

A repo that contains recursive directory listings (using PowerShell) of a vanilla (clean) install of every Windows OS version to compare and see what's been added with each update. Use these CSVs to create your own known good hash sets!

Released: 13 Nov 2021 - 133

EVTX-ETW-Resources

Event Tracing For Windows (ETW) Resources

Released: 07 Aug 2021 - 342

DFIRPowerShellScripts

Various PowerShell scripts I've made (or others have made) to automate some of the boring stuff in my everyday DFIR journey!

PowerShell - Released: 22 Jan 2022 - 40

SigHunter

A C# (.NET 6) tool to compare the file signature of files recursively and inform the user of matches and mismatches

C# - Released: 12 Mar 2023 - 15

KAPE-EZToolsAncillaryUpdater

A script that updates KAPE (using Get-KAPEUpdate.ps1) as well as EZ Tools (within .\KAPE\Modules\bin) and the ancillary files that enhance the output of those tools

PowerShell - Released: 05 Jul 2021 - 50

VanillaWindowsRegistryHives

A repo that contains a recursive dump from the ROOT key of every Windows Registry hive (using KAPE) from a vanilla (clean) install of every Windows OS version to compare and see what's been added with each update.

Released: 23 Nov 2021 - 41

EventTranscript.db-Research

A repo for centralizing ongoing research on the new Windows 10/11 DFIR artifact, EventTranscript.db.

Released: 02 May 2021 - 38

MP3TagExtractor

A command-line application to extract (recursively, if needed) IDv3 metadata from audio files

C# - Released: 26 Jun 2023 - 1

PCAParser

A PowerShell script that can be used to parse and convert to CSV the new Windows 11 artifacts found in C:\Windows\appcompat\pca

PowerShell - Released: 18 Jun 2023 - 8

CSVFileDetailsExtractor

A simple tool to enumerate useful details from CSV files recursively from a provided folder path

C# - Released: 31 Aug 2023 - 2