Artifact Analysis Registry/Event Analysis NTFS Analysis Network Utilities PE Utilities Miscellaneous
Artifact Analysis (top)
Windows Prefetch Parser (pf)
| 32-bit Version | 64-bit Version | |||
| Windows: | pf32.v.1.30.win.zip | pf64.v.1.30.win.zip | md5/sha1 | |
| Linux: | pf32.v.1.30.lin.tar.gz* | pf64.v.1.30.lin.tar.gz | md5/sha1 | |
| Mac OS X: | pf.v.1.30.osx.tar.gz | pf.v.1.30.osx.tar.gz | md5/sha1 | |
Windows 'index.dat' Parser (id)
| 32-bit Version | 64-bit Version | |||
| Windows: | id32.v.0.83.win.zip | id64.v.0.83.win.zip | md5/sha1 | |
| Linux: | id32.v.0.83.lin.tar.gz* | id64.v.0.83.lin.tar.gz | md5/sha1 | |
| Mac OS X: | id.v.0.83.osx.tar.gz | id.v.0.83.osx.tar.gz | md5/sha1 | |
Windows LNK Parsing Utility (lp)
| 32-bit Version | 64-bit Version | |||
| Windows: | lp32.v.0.98.win.zip | lp64.v.0.98.win.zip | md5/sha1 | |
| Linux: | lp32.v.0.98.lin.tar.gz* | lp64.v.0.98.lin.tar.gz | md5/sha1 | |
| Mac OS X: | lp.v.0.98.osx.tar.gz | lp.v.0.98.osx.tar.gz | md5/sha1 | |
Windows USB Storage Parser (usp)
| 32-bit Version | 64-bit Version | |||
| Windows: | usp32.v.0.71.win.zip | usp64.v.0.71.win.zip | md5/sha1 | |
| Linux: | usp32.v.0.71.lin.tar.gz* | usp64.v.0.71.lin.tar.gz | md5/sha1 | |
| Mac OS X: | usp.v.0.71.osx.tar.gz | md5/sha1 | ||
Timeline ActivitiesCache Parser (tac)
| 32-bit Version | 64-bit Version | |||
| Windows: | tac32.v.0.24.win.zip | tac64.v.0.24.win.zip | md5/sha1 | |
| Linux: | tac32.v.0.24.lin.tar.gz* | tac64.v.0.24.lin.tar.gz | md5/sha1 | |
| Mac OS X: | tac.v.0.24.osx.tar.gz | tac.v.0.24.osx.tar.gz | md5/sha1 | |
Windows Jump List Parser (jmp)
| 32-bit Version | 64-bit Version | |||
| Windows: | jmp32.v.0.54.win.zip | jmp64.v.0.54.win.zip | md5/sha1 | |
| Linux: | jmp32.v.0.54.lin.tar.gz* | jmp64.v.0.54.lin.tar.gz | md5/sha1 | |
| Mac OS X: | jmp.v.0.54.osx.tar.gz | jmp.v.0.54.osx.tar.gz | md5/sha1 | |
Windows Shim Database (SDB) Parser (shims)
| 32-bit Version | 64-bit Version | |||
| Windows: | shims32.v.0.35.win.zip | shims64.v.0.35.win.zip | md5/sha1 | |
| Linux: | shims32.v.0.35.lin.tar.gz* | shims64.v.0.35.lin.tar.gz | md5/sha1 | |
| Mac OS X: | shims.v.0.35.osx.tar.gz | shims.v.0.35.osx.tar.gz | md5/sha1 | |
Trash Inspection & Analysis (tia)
| 32-bit Version | 64-bit Version | |||
| Windows: | tia32.v.0.27.win.zip | tia64.v.0.27.win.zip | md5/sha1 | |
| Linux: | tia32.v.0.27.lin.tar.gz* | tia64.v.0.27.lin.tar.gz | md5/sha1 | |
| Mac OS X: | tia.v.0.27.osx.tar.gz | tia.v.0.27.osx.tar.gz | md5/sha1 | |
Windows Push Notification DB Parser (wpn)
| 32-bit Version | 64-bit Version | |||
| Windows: | wpn32.v.0.20.win.zip | wpn64.v.0.20.win.zip | md5/sha1 | |
| Linux: | wpn32.v.0.20.lin.tar.gz* | wpn64.v.0.20.lin.tar.gz | md5/sha1 | |
| Mac OS X: | wpn.v.0.20.osx.tar.gz | wpn.v.0.20.osx.tar.gz | md5/sha1 | |
MS Office Backstage Parser (bs)
| 32-bit Version | 64-bit Version | |||
| Windows: | bs32.v.0.13.win.zip | bs64.v.0.13.win.zip | md5/sha1 | |
| Linux: | bs32.v.0.13.lin.tar.gz* | bs64.v.0.13.lin.tar.gz | md5/sha1 | |
| Mac OS X: | bs.v.0.13.osx.tar.gz | bs.v.0.13.osx.tar.gz | md5/sha1 | |
Chromium Parser (cp)
| 32-bit Version | 64-bit Version | |||
| Windows: | cp32.v.0.15.win.zip | cp64.v.0.15.win.zip | md5/sha1 | |
| Linux: | cp32.v.0.15.lin.tar.gz* | cp64.v.0.15.lin.tar.gz | md5/sha1 | |
| Mac OS X: | cp.v.0.15.osx.tar.gz | cp.v.0.15.osx.tar.gz | md5/sha1 | |
Mozilla SQLite Parser (msp)
| 32-bit Version | 64-bit Version | |||
| Windows: | msp32.v.0.10.win.zip | msp64.v.0.10.win.zip | md5/sha1 | |
| Linux: | msp32.v.0.10.lin.tar.gz* | msp64.v.0.10.lin.tar.gz | md5/sha1 | |
| Mac OS X: | msp.v.0.10.osx.tar.gz | msp.v.0.10.osx.tar.gz | md5/sha1 | |
Mozilla Cache Parser (mcp)
| 32-bit Version | 64-bit Version | |||
| Windows: | mcp32.v.0.12.win.zip | mcp64.v.0.12.win.zip | md5/sha1 | |
| Linux: | mcp32.v.0.12.lin.tar.gz* | mcp64.v.0.12.lin.tar.gz | md5/sha1 | |
| Mac OS X: | mcp.v.0.12.osx.tar.gz | mcp.v.0.12.osx.tar.gz | md5/sha1 | |
Registry and Event Log Analysis (top)
Yet Another Registry Utility (yaru)
| 32-bit Version | 64-bit Version | |||
| Windows: | yaru32.v.1.79.win.zip | yaru64.v.1.79.win.zip | md5/sha1 | |
| Linux: | yaru32.v.1.79.lin.tar.gz* | yaru64.v.1.79.lin.tar.gz | md5/sha1 | |
| Mac OS X: | Not Available | yaru.v.1.79.osx.tar.gz | md5/sha1 | |
Windows Event Log Viewer (evtx_view)
| 32-bit Version | 64-bit Version | |||
| Windows: | evtx_view32.v.1.11.win.zip | evtx_view64.v.1.11.win.zip | md5/sha1 | |
| Linux: | evtx_view32.v.1.11.lin.tar.gz* | evtx_view64.v.1.11.lin.tar.gz | md5/sha1 | |
| Mac OS X: | Not Available | evtx_view.v.1.11.osx.tar.gz | md5/sha1 | |
Windows ShellBag Parser (sbag)
| 32-bit Version | 64-bit Version | |||
| Windows: | sbag32.v.0.70.win.zip | sbag64.v.0.70.win.zip | md5/sha1 | |
| Linux: | sbag32.v.0.70.lin.tar.gz* | sbag64.v.0.70.lin.tar.gz | md5/sha1 | |
| Mac OS X: | sbag.v.0.70.osx.tar.gz | sbag.v.0.70.osx.tar.gz | md5/sha1 | |
Computer Account Forensic Artifact Extractor (cafae)
| 32-bit Version | 64-bit Version | |||
| Windows: | cafae32.v.0.70.win.zip | cafae64.v.0.70.win.zip | md5/sha1 | |
| Linux: | cafae32.v.0.70.lin.tar.gz* | cafae64.v.0.70.lin.tar.gz | md5/sha1 | |
| Mac OS X: | cafae.v.0.70.osx.tar.gz | cafae.v.0.70.osx.tar.gz | md5/sha1 | |
Windows Event Log Parser (evtwalk)
| 32-bit Version | 64-bit Version | |||
| Windows: | evtwalk32.v.0.55.win.zip | evtwalk64.v.0.55.win.zip | md5/sha1 | |
| Linux: | evtwalk32.v.0.55.lin.tar.gz* | evtwalk64.v.0.55.lin.tar.gz | md5/sha1 | |
| Mac OS X: | evtwalk.v.0.55.osx.tar.gz | evtwalk.v.0.55.osx.tar.gz | md5/sha1 | |
Windows AppCompatibility Cache Utility (wacu)
| 32-bit Version | 64-bit Version | |||
| Windows: | wacu32.v.0.43.win.zip | wacu64.v.0.43.win.zip | md5/sha1 | |
| Linux: | wacu32.v.0.43.lin.tar.gz* | wacu64.v.0.43.lin.tar.gz | md5/sha1 | |
| Mac OS X: | wacu.v.0.43.osx.tar.gz | wacu.v.0.43.osx.tar.gz | md5/sha1 | |
Event Log MessageTables Offline (elmo)
| 32-bit Version | 64-bit Version | |||
| Windows: | elmo32.v.0.35.win.zip | elmo64.v.0.35.win.zip | md5/sha1 | |
| Linux: | elmo32.v.0.35.lin.tar.gz* | elmo64.v.0.35.lin.tar.gz | md5/sha1 | |
| Mac OS X: | elmo.v.0.35.osx.tar.gz | elmo.v.0.35.osx.tar.gz | md5/sha1 | |
Trace Event Log and Analysis (tela)
| 32-bit Version | 64-bit Version | |||
| Windows: | tela32.v.0.22.win.zip | tela64.v.0.22.win.zip | md5/sha1 | |
| Linux: | tela32.v.0.22.lin.tar.gz* | tela64.v.0.22.lin.tar.gz | md5/sha1 | |
| Mac OS X: | tela.v.0.22.osx.tar.gz | md5/sha1 | ||
NTFS Filesystem Analysis (top)
Windows Journal Parser (jp)
| 32-bit Version | 64-bit Version | |||
| Windows: | jp32.v.1.39.win.zip | jp64.v.1.39.win.zip | md5/sha1 | |
| Linux: | jp32.v.1.39.lin.tar.gz* | jp64.v.1.39.lin.tar.gz | md5/sha1 | |
| Mac OS X: | jp.v.1.39.osx.tar.gz | jp.v.1.39.osx.tar.gz | md5/sha1 | |
NTFS Directory Enumerator (ntfsdir)
| 32-bit Version | 64-bit Version | |||
| Windows: | ntfsdir32.v.1.35.win.zip | ntfsdir64.v.1.35.win.zip | md5/sha1 | |
| Linux: | ntfsdir32.v.1.35.lin.tar.gz* | ntfsdir64.v.1.35.lin.tar.gz | md5/sha1 | |
| Mac OS X: | ntfsdir.v.1.35.osx.tar.gz | ntfsdir.v.1.35.osx.tar.gz | md5/sha1 | |
NTFS File Copy Utility (ntfscopy)
| 32-bit Version | 64-bit Version | |||
| Windows: | ntfscopy32.v.1.04.win.zip | ntfscopy64.v.1.04.win.zip | md5/sha1 | |
| Linux: | ntfscopy32.v.1.04.lin.tar.gz* | ntfscopy64.v.1.04.lin.tar.gz | md5/sha1 | |
| Mac OS X: | ntfscopy.v.1.04.osx.tar.gz | ntfscopy.v.1.04.osx.tar.gz | md5/sha1 | |
Windows $MFT and NTFS Metadata Extractor Tool (ntfswalk)
| 32-bit Version | 64-bit Version | |||
| Windows: | ntfswalk32.v.0.85.win.zip | ntfswalk64.v.0.85.win.zip | md5/sha1 | |
| Linux: | ntfswalk32.v.0.85.lin.tar.gz* | ntfswalk64.v.0.85.lin.tar.gz | md5/sha1 | |
| Mac OS X: | ntfswalk.v.0.85.osx.tar.gz | ntfswalk.v.0.85.osx.tar.gz | md5/sha1 | |
Windows INDX Slack Parser (wisp)
| 32-bit Version | 64-bit Version | |||
| Windows: | wisp32.v.0.48.win.zip | wisp64.v.0.48.win.zip | md5/sha1 | |
| Linux: | wisp32.v.0.48.lin.tar.gz* | wisp64.v.0.48.lin.tar.gz | md5/sha1 | |
| Mac OS X: | wisp.v.0.48.osx.tar.gz | wisp.v.0.48.osx.tar.gz | md5/sha1 | |
Graphical Engine for NTFS Analysis (gena)
| 32-bit Version | 64-bit Version | |||
| Windows: | gena32.v.0.49.win.zip | gena64.v.0.49.win.zip | md5/sha1 | |
| Linux: | gena32.v.0.49.lin.tar.gz* | gena64.v.0.49.lin.tar.gz | md5/sha1 | |
| Mac OS X: | Not Available | gena.v.0.49.osx.tar.gz | md5/sha1 | |
$MFT and $LogFile Analysis (mala)
| 32-bit Version | 64-bit Version | |||
| Windows: | mala32.v.0.13.win.zip | mala64.v.0.13.win.zip | md5/sha1 | |
| Linux: | mala32.v.0.13.lin.tar.gz* | mala64.v.0.13.lin.tar.gz | md5/sha1 | |
| Mac OS X: | mala.v.0.13.osx.tar.gz | mala.v.0.13.osx.tar.gz | md5/sha1 | |
Network Support Utilities (top)
DNS Query Utility (dqu)
| 32-bit Version | 64-bit Version | |||
| Windows: | dqu32.v.0.39.win.zip | dqu64.v.0.39.win.zip | md5/sha1 | |
| Linux: | dqu32.v.0.39.lin.tar.gz* | dqu64.v.0.39.lin.tar.gz | md5/sha1 | |
| Mac OS X: | dqu.v.0.39.osx.tar.gz | dqu.v.0.39.osx.tar.gz | md5/sha1 | |
Packet Capture ICMP Carver (pic)
| 32-bit Version | 64-bit Version | |||
| Windows: | pic32.v.0.30.win.zip | pic64.v.0.30.win.zip | md5/sha1 | |
| Linux: | pic32.v.0.30.lin.tar.gz* | pic64.v.0.30.lin.tar.gz | md5/sha1 | |
| Mac OS X: | Not Available | Not Available | md5/sha1 | |
Network Xfer Client/Server Utility (nx)
| 32-bit Version | 64-bit Version | |||
| Windows: | nx32.v.0.33.win.zip | nx64.v.0.33.win.zip | md5/sha1 | |
| Linux: | nx32.v.0.33.lin.tar.gz* | nx64.v.0.33.lin.tar.gz | md5/sha1 | |
| Mac OS X: | nx.v.0.33.osx.tar.gz | nx.v.0.33.osx.tar.gz | md5/sha1 | |
Modular Inspection Network Xfer Agent (minx)
| 32-bit Version | 64-bit Version | |||
| Windows: | minx32.v.0.19.win.zip | minx64.v.0.19.win.zip | md5/sha1 | |
| Linux: | minx32.v.0.19.lin.tar.gz* | minx64.v.0.19.lin.tar.gz | md5/sha1 | |
| Mac OS X: | minx.v.0.19.osx.tar.gz | minx.v.0.19.osx.tar.gz | md5/sha1 | |
Portable Executable Utilities (top)
Windows Portable Executable Viewer (pe_view)
| 32-bit Version | 64-bit Version | |||
| Windows: | pe_view32.v.1.17.win.zip | pe_view64.v.1.17.win.zip | md5/sha1 | |
| Linux: | pe_view32.v.1.17.lin.tar.gz* | pe_view64.v.1.17.lin.tar.gz | md5/sha1 | |
| Mac OS X: | Not Available | pe_view.v.1.17.osx.tar.gz | md5/sha1 | |
Portable Executable Scanner (pescan)
| 32-bit Version | 64-bit Version | |||
| Windows: | pescan32.v.0.56.win.zip | pescan64.v.0.56.win.zip | md5/sha1 | |
| Linux: | pescan32.v.0.56.lin.tar.gz* | pescan64.v.0.56.lin.tar.gz | md5/sha1 | |
| Mac OS X: | pescan.v.0.56.osx.tar.gz | pescan.v.0.56.osx.tar.gz | md5/sha1 | |
Miscellaneous Tools (top)
Volume Shadow Snapshot Enumerator (vssenum)
| 32-bit Version | 64-bit Version | |||
| Windows: | vssenum32.v.0.28.win.zip | vssenum64.v.0.28.win.zip | md5/sha1 | |
| Linux: | Not Available | Not Available | ||
| Mac OS X: | Not Available | Not Available | ||
Windows Symbol Fetch Utility (sf)
| 32-bit Version | 64-bit Version | |||
| Windows: | sf32.v.0.54.win.zip | sf64.v.0.54.win.zip | md5/sha1 | |
| Linux: | Not Available | Not Available | ||
| Mac OS X: | Not Available | Not Available | ||
CSV Data eXchange (csvdx)
| 32-bit Version | 64-bit Version | |||
| Windows: | csvdx32.v.0.32.win.zip | csvdx64.v.0.32.win.zip | md5/sha1 | |
| Linux: | csvdx32.v.0.32.lin.tar.gz* | csvdx64.v.0.32.lin.tar.gz | md5/sha1 | |
| Mac OS X: | csvdx.v.0.32.osx.tar.gz | csvdx.v.0.32.osx.tar.gz | md5/sha1 | |
Disk Utility & Packer (dup)
| 32-bit Version | 64-bit Version | |||
| Windows: | dup32.v.0.34.win.zip | dup64.v.0.34.win.zip | md5/sha1 | |
| Linux: | Not Available | dup64.v.0.34.lin.tar.gz | md5/sha1 | |
| Mac OS X: | Not Available | dup.v.0.34.osx.tar.gz | md5/sha1 | |
Package Builds (top)
Nov 2020 build (package)
| 32-bit Version | 64-bit Version | |||
| Windows: | 2020.11.12.win32.zip | 2020.11.12.win64.zip | md5/sha1 | |
| Linux: | Not Available | 2020.11.12.lin64.zip | md5/sha1 | |
| Mac OS X: | Not Available | 2020.11.12.osx.zip | md5/sha1 | |
| *32bit apps can run in a 64bit linux distribution if "ia32-libs" (and dependencies) are present. |