Artifact Analysis

Windows Prefetch Parser (pf)
32-bit Version  64-bit Version
Windows: pf32.v.0.98.win.zip  pf64.v.0.98.win.zip  md5/sha1
Linux: pf32.v.0.98.lin.tar.gz*  pf64.v.0.98.lin.tar.gz  md5/sha1
Mac OS X: pf.v.0.98.osx.tar.gz  pf.v.0.98.osx.tar.gz  md5/sha1

Windows 'index.dat' Parser (id)
32-bit Version  64-bit Version
Windows: id32.v.0.57.win.zip  id64.v.0.57.win.zip  md5/sha1
Linux: id32.v.0.57.lin.tar.gz*  id64.v.0.57.lin.tar.gz  md5/sha1
Mac OS X: id.v.0.57.osx.tar.gz  id.v.0.57.osx.tar.gz  md5/sha1

Windows LNK Parsing Utility (lp)
32-bit Version  64-bit Version
Windows: lp32.v.0.55.win.zip  lp64.v.0.55.win.zip  md5/sha1
Linux: lp32.v.0.55.lin.tar.gz*  lp64.v.0.55.lin.tar.gz  md5/sha1
Mac OS X: lp.v.0.55.osx.tar.gz  lp.v.0.55.osx.tar.gz  md5/sha1

Windows USB Storage Parser (usp)
32-bit Version  64-bit Version
Windows: usp32.v.0.21.win.zip  usp64.v.0.21.win.zip  md5/sha1
Linux: usp32.v.0.21.lin.tar.gz*  usp64.v.0.21.lin.tar.gz  md5/sha1
Mac OS X: usp.v.0.21.osx.tar.gz  usp.v.0.21.osx.tar.gz  md5/sha1

Windows Jump List Parser (jmp)
32-bit Version  64-bit Version
Windows: jmp32.v.0.20.win.zip  jmp64.v.0.20.win.zip  md5/sha1
Linux: jmp32.v.0.20.lin.tar.gz*  jmp64.v.0.20.lin.tar.gz  md5/sha1
Mac OS X: jmp.v.0.20.osx.tar.gz  jmp.v.0.20.osx.tar.gz  md5/sha1


Registry and Event Log Analysis

Yet Another Registry Utility (yaru)
32-bit Version  64-bit Version
Windows: yaru32.v.1.25.win.zip  yaru64.v.1.25.win.zip  md5/sha1
Linux: yaru32.v.1.25.lin.tar.gz*  yaru64.v.1.25.lin.tar.gz  md5/sha1
Mac OS X: Not Available  yaru.v.1.25.osx.tar.gz  md5/sha1

Windows Event Log Viewer (evtx_view)
32-bit Version  64-bit Version
Windows: evtx_view32.v.0.70.win.zip  evtx_view64.v.0.70.win.zip  md5/sha1
Linux: evtx_view32.v.0.70.lin.tar.gz*  evtx_view64.v.0.70.lin.tar.gz  md5/sha1
Mac OS X: Not Available  evtx_view.v.0.70.osx.tar.gz  md5/sha1

Windows ShellBag Parser (sbag)
32-bit Version  64-bit Version
Windows: sbag32.v.0.29.win.zip  sbag64.v.0.29.win.zip  md5/sha1
Linux: sbag32.v.0.29.lin.tar.gz*  sbag64.v.0.29.lin.tar.gz  md5/sha1
Mac OS X: sbag.v.0.29.osx.tar.gz  sbag.v.0.29.osx.tar.gz  md5/sha1

Computer Account Forensic Artifact Extractor (cafae)
32-bit Version  64-bit Version
Windows: cafae32.v.0.14.win.zip  cafae64.v.0.14.win.zip  md5/sha1
Linux: cafae32.v.0.14.lin.tar.gz*  cafae64.v.0.14.lin.tar.gz  md5/sha1
Mac OS X: cafae.v.0.14.osx.tar.gz  cafae.v.0.14.osx.tar.gz  md5/sha1

Windows Event Log Parser (evtwalk)
32-bit Version  64-bit Version
Windows: evtwalk32.v.0.11.win.zip  evtwalk64.v.0.11.win.zip  md5/sha1
Linux: evtwalk32.v.0.11.lin.tar.gz*  evtwalk64.v.0.11.lin.tar.gz  md5/sha1
Mac OS X: evtwalk.v.0.11.osx.tar.gz  evtwalk.v.0.11.osx.tar.gz  md5/sha1


NTFS Filesystem Analysis

Windows Journal Parser (jp)
32-bit Version  64-bit Version
Windows: jp32.v.1.02.win.zip  jp64.v.1.02.win.zip  md5/sha1
Linux: jp32.v.1.02.lin.tar.gz*  jp64.v.1.02.lin.tar.gz  md5/sha1
Mac OS X: jp.v.1.02.osx.tar.gz  jp.v.1.02.osx.tar.gz  md5/sha1

NTFS Directory Enumerator (ntfsdir)
32-bit Version  64-bit Version
Windows: ntfsdir32.v.1.04.win.zip  ntfsdir64.v.1.04.win.zip  md5/sha1
Linux: ntfsdir32.v.1.04.lin.tar.gz*  ntfsdir64.v.1.04.lin.tar.gz  md5/sha1
Mac OS X: ntfsdir.v.1.04.osx.tar.gz  ntfsdir.v.1.04.osx.tar.gz  md5/sha1

NTFS File Copy Utility (ntfscopy)
32-bit Version  64-bit Version
Windows: ntfscopy32.v.0.72.win.zip  ntfscopy64.v.0.72.win.zip  md5/sha1
Linux: ntfscopy32.v.0.72.lin.tar.gz*  ntfscopy64.v.0.72.lin.tar.gz  md5/sha1
Mac OS X: ntfscopy.v.0.72.osx.tar.gz  ntfscopy.v.0.72.osx.tar.gz  md5/sha1

Windows $MFT and NTFS Metadata Extractor Tool (ntfswalk)
32-bit Version  64-bit Version
Windows: ntfswalk32.v.0.44.win.zip  ntfswalk64.v.0.44.win.zip  md5/sha1
Linux: ntfswalk32.v.0.44.lin.tar.gz*  ntfswalk64.v.0.44.lin.tar.gz  md5/sha1
Mac OS X: ntfswalk.v.0.44.osx.tar.gz  ntfswalk.v.0.44.osx.tar.gz  md5/sha1

Windows INDX Slack Parser (wisp)
32-bit Version  64-bit Version
Windows: wisp32.v.0.14.win.zip  wisp64.v.0.14.win.zip  md5/sha1
Linux: wisp32.v.0.14.lin.tar.gz*  wisp64.v.0.14.lin.tar.gz  md5/sha1
Mac OS X: wisp.v.0.14.osx.tar.gz  wisp.v.0.14.osx.tar.gz  md5/sha1


Network Support Utilities

DNS Query Utility (dqu)
32-bit Version  64-bit Version
Windows: dqu32.v.0.15.win.zip  dqu64.v.0.15.win.zip  md5/sha1
Linux: dqu32.v.0.15.lin.tar.gz*  dqu64.v.0.15.lin.tar.gz  md5/sha1
Mac OS X: dqu.v.0.15.osx.tar.gz  dqu.v.0.15.osx.tar.gz  md5/sha1

Packet Capture ICMP Carver (pic)
32-bit Version  64-bit Version
Windows: pic32.v.0.06.win.zip  pic64.v.0.06.win.zip  md5/sha1
Linux: pic32.v.0.06.lin.tar.gz*  pic64.v.0.06.lin.tar.gz  md5/sha1
Mac OS X: Not Available  Not Available

Network Xfer Client/Server Utility (nx)
32-bit Version  64-bit Version
Windows: nx32.v.0.09.win.zip  nx64.v.0.09.win.zip  md5/sha1
Linux: nx32.v.0.09.lin.tar.gz*  nx64.v.0.09.lin.tar.gz  md5/sha1
Mac OS X: nx.v.0.09.osx.tar.gz  nx.v.0.09.osx.tar.gz  md5/sha1


Portable Executable Utilities

Windows Portable Executable Viewer (pe_view)
32-bit Version  64-bit Version
Windows: pe_view32.v.0.86.win.zip  pe_view64.v.0.86.win.zip  md5/sha1
Linux: pe_view32.v.0.85.lin.tar.gz*  pe_view64.v.0.85.lin.tar.gz  md5/sha1
Mac OS X: pe_view.v.0.86.osx.tar.gz  pe_view.v.0.86.osx.tar.gz  md5/sha1

Portable Executable Scanner (pescan)
32-bit Version  64-bit Version
Windows: pescan32.v.0.18.win.zip  pescan64.v.0.18.win.zip  md5/sha1
Linux: pescan32.v.0.18.lin.tar.gz*  pescan64.v.0.18.lin.tar.gz  md5/sha1
Mac OS X: pescan.v.0.18.osx.tar.gz  pescan.v.0.18.osx.tar.gz  md5/sha1


Miscellaneous Tools

Windows Symbol Fetch Utility (sf)
32-bit Version  64-bit Version
Windows: sf32.v.0.26.win.zip  sf64.v.0.26.win.zip  md5/sha1
Linux: Not Available  Not Available
Mac OS X: Not Available  Not Available

* 32-bit apps can run on a 64-bit Linux distribution if "ia32-libs" (and its dependencies) are present.