ArtifactParsers

A repo that aims to centralize a current, running list of relevant parsers/tools for known DFIR artifacts.

What makes this different from any other list of DFIR tools?

Ideally, the community will maintain this as tools come and go from relevance. If a tool is listed below, the community is vouching for it that it still works and is an excellent option to solve whatever problem you may be facing with a particular artifact.

Commercial Tool Disclaimer

It's not that commercial tools aren't welcome in this list, but the table would become pretty bloated when you have 5+ tools duplicated in many cells. At the very minimum, this project aims to highlight single-purpose tools made by the DFIR community members to allow for greater visibility at the options (often at no cost) for those looking to solve problems in their everyday investigations.

Much love for the commercial vendors, their efforts, and their contributions to the community, but it would be ideal for anyone looking to learn more about the capabilities of a commercial tool to reach out to the vendor themselves or visit their official website for more information.

Analyzers vs. Parsers

In the instance of Windows Event Logs, the Windows Registry, and possibly other artifacts, there is a distinct difference between a tool that analyzes an artifact and parses the artifact. Generally speaking, an analysis tool would do something similar to running YARA or SIGMA rules against a set of artifacts and provide meaningful output based on the rulesets used. A parser would provide raw output without any predetermined rulesets or logic applied to the set of artifacts, leaving the analysis and interpretation to the end examiner.

This is an important distinction to make with this project because, in the example of Windows Event Logs, it would be troublesome to lead an examiner looking for a tool to parse Windows Event Logs to think that a tool like Chainsaw, Hayabusa, or Zircolite will parse event logs when in reality they analyze the event logs using rulesets and logic created by threat researchers. Those tools do not PARSE the event logs like EvtxECmd, etc.

Contributing

Please contribute to this list if any artifacts and their corresponding tools still need to be included!

Windows

DFIR Artifact	CLI Tool(s)	GUI Tool(s)
$I30	go-ntfs<br>Index2Csv<br>IndexCarver<br>MFTECmd
$J	dfir_ntfs<br>ExtractUsnJrnl<br>go-ntfs<br>MFTECmd	NTFS Log Tracker
$LogFile	dfir_ntfs<br>go-ntfs<br>LogFileParser<br>RcrdCarver	NTFS Log Tracker
$MFT	dfir_ntfs<br>Mft2Csv<br>MftCarver<br>MFTECmd<br>MftRcrd	MFT_Browser<br>MFTExplorer<br>NTFS Log Tracker
$SDS	MFTECmd<br>Secure2Csv
Amcache	AmcacheParser	Registry Explorer
AppCompatCache (ShimCache)	AppCompatCacheParser	Registry Explorer
AppCompatCache PCA (Windows 11 only)	PCAParser
Browsing History	BrowsingHistoryView<br>Hindsight - Chromium only<br>SQLECmd - SQLite only	BrowsingHistoryView<br>Browser History Viewer
CSV Files		Modern CSV<br>Timeline Explorer
Email (MBOX)	mbox-web-viewer	mboxviewer
Email (OST/PST)	XstExporter	XstReader
ESE Databases (General)	WindowsEDB-to-CSV	ESEDatabaseView<br>WinEDB
ETL Files	ETLParser
Event Logs (.evtx) - Analyzers	Chainsaw<br>EvtxHussar<br>Hayabusa<br>Zircolite
Event Logs (.evtx) - Parsers	Events-Ripper<br>EvtxECmd	Event Log Explorer<br>Event Log Observer<br>Evtx_Log_Browser<br>FullEventLogView<br>LogViewPlus
Google Drive	gMetaDataParse	gMetaDataParse
IIS Logs	IISGeoLocate	LogViewPlus
Image Mounting	Arsenal Image Mounter	Arsenal Image Mounter
IP Address GeoLocation	Abeebus
JumpLists	JLECmd	Jumplist-Browser<br>JumpList Explorer
LevelDB	LevelDBDumper	LevelDB Recon
LNK Files	LECmd	Jumplist-Browser
MalwareBytes Logs	MBAMServiceLogParser.ps1
NetWire Logs	NetWireLogDecoder
OneDrive	OneDrive .ODL Parser<br>OneDriveExplorer	OneDriveExplorer
Prefetch	PECmd	Prefetch-Browser<br>WinPrefetchView
RAM (Memory)	Memory-Baseliner<br>Volatility	MemProcFS<br>Volatility Workbench
RDP Bitmap Cache	BMC-Tools
Recycle Bin	RBCmd
RecentFileCache	RecentFileCacheParser
Registry - Analyzers	reg_hunter
Registry - Comparison Tools		RegistryChangesView<br>RegShot-Advanced
Registry - Parsers	jarp<br>RECmd<br>Registry Recon<br>RegRipper<br>yarp	Registry Explorer
Shellbags	SBECmd	Shellbags Explorer
Shim Databases		SDB Explorer
SQLite Databases	SQLECmd	DB Browser for SQLite<br>FQLite<br>Navicat for SQLite<br>SQLiteStudio
SRUM Database (ESE)	SrumECmd<br>srum-dump
SUM Database (ESE)	SumECmd
Symantec AV Logs	SEParser	SEParser
Thumbcache	Thumbcache Viewer (CMD)	Thumbcache Viewer
Volume Shadow Copies	VSCMount	ShadowExplorer
Windows Timeline	WxTCmd<br>Windows Timeline PowerShell Scripts	Clippy.exe<br>WindowsTimeline.exe
WBEM (WMI)	flare-wmi<br>PyWMIPersistenceFinder<br>WMIParserStr<br>WMI-Parser	WMI-Explorer
Windows Defender Logs	DHParser
Windows Search Index Database	SIDR<br>WinEDB	WinSearchDBAnalyzer<br>WinEDB

Android

DFIR Artifact	CLI Tool(s)	GUI Tools(s)
Android Artifacts	ALEAPP<br>Andriller	ALEAPP<br>Andriller<br>Avilla Forensics
SQLite Databases	SQLECmd	DB Browser for SQLite<br>FQLite

iOS

DFIR Artifact	CLI Tool(s)	GUI Tools(s)
iOS Artifacts	iLEAPP	ArtEx<br>iLEAPP
PList Files		Mushy<br>plist Editor Pro
SQLite Databases	SQLECmd	DB Browser for SQLite<br>FQLite
Advanced logical backup & acquisition		UFADE

macOS

DFIR Artifact	CLI Tool(s)	GUI Tools(s)
macOS Artifacts	mac_apt