Windows Prefetch Files:
WinPrefetchView:
is a small utility that reads the Prefetch files stored on your system (the .pf files under %SystemRoot%\Prefetch) and displays the information stored in them. By looking in these files, you can learn which files every application is using, and which files are loaded on Windows boot.
WinPrefetchView doesn't require any installation process or additional DLL files. In order to start using it, simply run the executable file - WinPrefetchView.exe
The main window of WinPrefetchView contains 2 panes: The upper pane displays the list of all Prefetch files on your system. When you select a file in the upper pane, the lower pane displays the list of files stored inside the selected Prefetch file, which are the files the application loaded during its previous runs.
There is also a special Prefetch file, NTOSBOOT-B00DFAAD.pf, which lists the files loaded during the Windows boot process.
WinPrefetchView also allows you to delete the selected Prefetch files. However, be aware that even when you delete a Prefetch file, the operating system creates it again the next time you run the same program. For forensic work, examine a copy rather than deleting anything on the evidence system: a recreated file starts with a fresh run count and last-run time.
Download Link : http://www.nirsoft.net/utils/winprefetchview.zip
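To see what WinPrefetchView is reading out of a .pf file, the parser below walks the Prefetch header, the per-version file information block (last-run time and run count) and the filename strings section that fills the lower pane. This is an added example written for this page, not NirSoft's code: it uses the documented offsets for format versions 17 (XP), 23 (Vista/7) and 26 (Windows 8.x), refuses the LZXPRESS-Huffman compressed Windows 10 files rather than decompressing them, and builds its own constructed version-23 sample (the executable name, hash, run count and loaded-file list are made up for the demonstration).

```python
import struct
from datetime import datetime, timedelta, timezone

SIGNATURE = b"SCCA"
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch

# Per format version: offset of the last-run FILETIME(s), offset of the run count, and how many
# last-run times the file keeps. 17 = XP/2003, 23 = Vista/7, 26 = Windows 8.x. Version 30
# (Windows 10) files are LZXPRESS-Huffman compressed ("MAM" signature) and are not handled here.
LAYOUT = {17: (120, 144, 1), 23: (128, 152, 1), 26: (128, 208, 8)}


def filetime_to_datetime(ft):
    """FILETIME = 100ns ticks since 1601-01-01 UTC."""
    return EPOCH + timedelta(microseconds=ft // 10)


def parse_prefetch(data):
    """Parse an uncompressed .pf file into the fields WinPrefetchView shows in its two panes."""
    if data[:3] == b"MAM":
        raise ValueError("compressed Windows 10 prefetch file: decompress before parsing")
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != SIGNATURE:
        raise ValueError("missing SCCA signature: not a prefetch file")
    if version not in LAYOUT:
        raise ValueError("unsupported prefetch format version %d" % version)
    file_size = struct.unpack_from("<I", data, 12)[0]
    if file_size != len(data):
        raise ValueError("header file size does not match data length (truncated or carved?)")
    # Executable name: up to 29 UTF-16LE characters plus terminator in a 60-byte field at offset 16
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    prefetch_hash = struct.unpack_from("<I", data, 76)[0]
    # Offsets 84..116 are laid out identically in every version; the filename strings section
    # is the list of files loaded on earlier runs (WinPrefetchView's lower pane).
    strings_off, strings_size = struct.unpack_from("<II", data, 100)
    last_run_off, run_count_off, n_times = LAYOUT[version]
    raw_times = struct.unpack_from("<%dQ" % n_times, data, last_run_off)
    run_count = struct.unpack_from("<I", data, run_count_off)[0]
    blob = data[strings_off:strings_off + strings_size].decode("utf-16-le")
    return {
        "version": version,
        "executable": exe_name,
        "hash": prefetch_hash,
        "run_count": run_count,
        "last_run": [filetime_to_datetime(t) for t in raw_times if t],   # unused slots are zero
        "loaded_files": [s for s in blob.split("\x00") if s],
    }


def expected_filename(info):
    """Windows names the file EXENAME-HASH.pf (NTOSBOOT-B00DFAAD.pf for the boot file).
    A mismatch against the actual on-disk name is worth a second look."""
    return "%s-%08X.pf" % (info["executable"], info["hash"])


def build_sample_prefetch(exe_name, last_run, run_count, loaded_files, pf_hash=0x1B2D3E4F):
    """Build a minimal version-23 (Windows 7) prefetch file. Constructed for this example;
    only the fields parse_prefetch() reads are populated."""
    strings = "".join(f + "\x00" for f in loaded_files).encode("utf-16-le")
    strings_off = 84 + 156            # file header + version-23 file information block
    buf = bytearray(strings_off + len(strings))
    struct.pack_into("<I4s", buf, 0, 23, SIGNATURE)
    struct.pack_into("<I", buf, 12, len(buf))
    name = exe_name.encode("utf-16-le")
    assert len(name) <= 58, "executable name field is 29 characters plus terminator"
    buf[16:16 + len(name)] = name
    struct.pack_into("<I", buf, 76, pf_hash)
    struct.pack_into("<II", buf, 100, strings_off, len(strings))
    d = last_run - EPOCH
    struct.pack_into("<Q", buf, 128, (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10)
    struct.pack_into("<I", buf, 152, run_count)
    buf[strings_off:] = strings
    return bytes(buf)


# Constructed sample: what a prefetch file for calc.exe, run seven times, might contain
SAMPLE_LOADED = [
    r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL",
    r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\KERNEL32.DLL",
    r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CALC.EXE",
]


def demo():
    pf = build_sample_prefetch("CALC.EXE", datetime(2013, 5, 16, 12, 0, tzinfo=timezone.utc), 7, SAMPLE_LOADED)
    return parse_prefetch(pf)


if __name__ == "__main__":
    info = demo()
    print(info["executable"], info["run_count"], info["last_run"][0], expected_filename(info))
    for f in info["loaded_files"]:
        print("  ", f)
```

To run it against a real file, pass `open(path, "rb").read()` to `parse_prefetch()`; the file-size check catches carved or truncated copies before the offsets are trusted.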
Windows Registry Hives:
RegRipper:
is an open source tool, written in Perl, for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis.
RegRipper consists of two basic tools, both of which provide similar capability. The RegRipper GUI allows the analyst to select a hive to parse, an output file for the results, and a profile (list of plugins) to run against the hive. When the analyst launches the tool against the hive, the results go to the file that the analyst designated; an analyst parsing the System hive might, for example, send the results to system.txt. The GUI tool also creates a log of its activity in the same directory as the output file, using the same file name but with the .log extension (i.e., if the output is written to system.txt, the log is written to system.log).
RegRipper also includes a command line (CLI) tool called rip. Rip can be pointed at a hive and can run either a profile (a list of plugins) or an individual plugin against that hive, with the results sent to STDOUT. Rip can be included in batch files, using the redirection operators to send the output to a file. Rip does not write a log of its activity.
RegRipper is similar to tools such as Nessus, in that the application itself is simply an engine that runs plugins. The plugins are individual Perl scripts that each perform a specific function. A plugin can locate a specific key and list all of its subkeys, values and data, or it can locate specific values. Plugins are extremely valuable in the sense that they can be written to parse data in a manner that is useful to individual analysts.
Note: Plugins also serve as a means of retaining corporate knowledge, in that an analyst finds something, creates a plugin, and adds that plugin to a repository that other analysts can access. When the plugin is shared, this has the effect of being a force multiplier, in that all analysts now have access to the knowledge and experience of one analyst. In addition, plugins remain long after analysts leave an organization, allowing for retention of knowledge.
Download Link : http://code.google.com/p/regripper/downloads/list
Auto_rip:
auto_rip is a wrapper script for RegRipper. The script automates the execution of the RegRipper plugins according to the categories below:
all: gets information from all categories
os: gets General Operating System Information
users: gets User Account Information
software: gets Installed Software Information
network: gets Networking Configuration Information
storage: gets Storage Information
execution: gets Program Execution Information
autoruns: gets Autostart Locations Information
log: gets Logging Information
web: gets Web Browsing Information
user_config: gets User Account Configuration Information
user_act: gets User Account General Activity
user_network: gets User Account Network Activity
user_file: gets User Account File/Folder Access Activity
user_virtual: gets User Account Virtualization Access Activity
comm: gets Communication Software Information
SHA1 Checksum:
55828924ce01190b5e4c292c3fb979b3b5b12c88
Download Link : http://regripper.googlecode.com/files/auto_rip-5-16-2013.zip
NTFS Artifacts
AnalyzeMFT
analyzeMFT.py is designed to fully parse the MFT file from an NTFS filesystem and present the results as accurately as possible in multiple formats.
Documentation : http://grayscale-research.org/new/pdfs/NTFS%20forensics.pdf
Download Link : https://github.com/dkovar/analyzeMFT
Windows Journal Parser (jp):
jp is a command line tool that targets NTFS change log journals. The change journal is a component of NTFS that will, when enabled, record changes made to files. The change journal is located in the $UsnJrnl MFT entry (under $Extend), and the journal entries are located in its alternate data stream $J. Each entry is of variable size and its internal structure (USN_RECORD) is documented on MSDN.
The change journal will record, amongst other things: (a) the time of the change, (b) the affected file/directory, (c) the change type (delete, rename, size extend, etc.), which makes it a useful source when looking at a computer forensically.
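The record layout jp walks is the USN_RECORD_V2 structure from MSDN: a 60-byte fixed header (record length, version, file and parent file reference numbers, USN, FILETIME timestamp, reason flags, source info, security ID, attributes, name length and offset) followed by the UTF-16LE file name, padded to an 8-byte boundary. The parser below is an added example for this page, not jp's code; it reads a raw $J stream, skips the all-zero sparse region at the start, splits the file reference number into MFT entry and sequence number, decodes the reason flags, and pulls out deletions. The event sequence it parses (a file created, written, renamed and deleted) is constructed, as are its entry numbers, names and timestamps.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch

# USN_REASON_* flags as documented for USN_RECORD_V2 on MSDN
REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000010: "NAMED_DATA_OVERWRITE", 0x00000020: "NAMED_DATA_EXTEND", 0x00000040: "NAMED_DATA_TRUNCATION",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE", 0x00000400: "EA_CHANGE",
    0x00000800: "SECURITY_CHANGE", 0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME",
    0x00004000: "INDEXABLE_CHANGE", 0x00008000: "BASIC_INFO_CHANGE", 0x00010000: "HARD_LINK_CHANGE",
    0x00020000: "COMPRESSION_CHANGE", 0x00040000: "ENCRYPTION_CHANGE", 0x00080000: "OBJECT_ID_CHANGE",
    0x00100000: "REPARSE_POINT_CHANGE", 0x00200000: "STREAM_CHANGE", 0x80000000: "CLOSE",
}

# Fixed 60-byte part of USN_RECORD_V2 (little-endian): RecordLength, MajorVersion, MinorVersion,
# FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp, Reason, SourceInfo, SecurityId,
# FileAttributes, FileNameLength, FileNameOffset. The UTF-16LE name follows at FileNameOffset.
RECORD_V2 = struct.Struct("<IHHQQQQIIIIHH")


def filetime_to_datetime(ft):
    return EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def decode_reason(flags):
    return [name for bit, name in sorted(REASONS.items()) if flags & bit]


def parse_usn_journal(data):
    """Parse a raw $UsnJrnl:$J stream into a list of records in journal order."""
    records, pos = [], 0
    while pos + 4 <= len(data):
        # $J is sparse: its beginning (and unallocated gaps in a carved copy) read as zeros.
        # Records are 8-byte aligned, so zero runs can be skipped eight bytes at a time.
        if data[pos:pos + 4] == b"\x00\x00\x00\x00":
            pos += 8
            continue
        if pos + RECORD_V2.size > len(data):
            break
        (rec_len, major, _minor, frn, parent_frn, usn, ts, reason, _src, _sid, attrs,
         name_len, name_off) = RECORD_V2.unpack_from(data, pos)
        if major != 2 or rec_len < RECORD_V2.size or rec_len % 8 or pos + rec_len > len(data):
            raise ValueError("malformed USN record at offset %d" % pos)
        name = data[pos + name_off:pos + name_off + name_len].decode("utf-16-le")
        records.append({
            "usn": usn,                        # in a live journal, the record's byte offset in $J
            "timestamp": filetime_to_datetime(ts),
            "name": name,
            "mft_entry": frn & 0xFFFFFFFFFFFF,  # low 48 bits: MFT entry number
            "mft_seq": frn >> 48,               # high 16 bits: sequence number (entry reuse)
            "parent_entry": parent_frn & 0xFFFFFFFFFFFF,
            "reason": decode_reason(reason),
            "attributes": attrs,
        })
        pos += rec_len
    return records


def deleted_files(records):
    """(name, timestamp) for every record carrying FILE_DELETE."""
    return [(r["name"], r["timestamp"].isoformat()) for r in records if "FILE_DELETE" in r["reason"]]


def build_usn_record(usn, timestamp, entry, seq, parent_entry, reason, name):
    """Build one USN_RECORD_V2. Constructed for this example, not real journal data."""
    name_b = name.encode("utf-16-le")
    rec_len = (RECORD_V2.size + len(name_b) + 7) & ~7      # records are padded to 8 bytes
    buf = bytearray(rec_len)
    RECORD_V2.pack_into(buf, 0, rec_len, 2, 0, (seq << 48) | entry, (5 << 48) | parent_entry,
                        usn, datetime_to_filetime(timestamp), reason, 0, 0, 0x20, len(name_b),
                        RECORD_V2.size)
    buf[RECORD_V2.size:RECORD_V2.size + len(name_b)] = name_b
    return bytes(buf)


# Constructed event sequence: one file is created, written, renamed and deleted (UTC timestamps)
SAMPLE_EVENTS = [
    ("2013-05-16T10:15:00", 4210, 3, 1422, 0x100, "payload.exe"),                # FILE_CREATE
    ("2013-05-16T10:15:01", 4210, 3, 1422, 0x2 | 0x80000000, "payload.exe"),     # DATA_EXTEND|CLOSE
    ("2013-05-16T10:16:30", 4210, 3, 1422, 0x1000, "payload.exe"),               # RENAME_OLD_NAME
    ("2013-05-16T10:16:30", 4210, 3, 1422, 0x2000 | 0x80000000, "svchost.exe"),  # RENAME_NEW_NAME|CLOSE
    ("2013-05-16T11:02:07", 4210, 3, 1422, 0x200 | 0x80000000, "svchost.exe"),   # FILE_DELETE|CLOSE
]


def build_sample_journal():
    stream = bytearray(b"\x00" * 16)        # stands in for the sparse, all-zero start of $J
    for ts, entry, seq, parent, reason, name in SAMPLE_EVENTS:
        when = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
        stream += build_usn_record(len(stream), when, entry, seq, parent, reason, name)
    return bytes(stream)


def demo():
    return parse_usn_journal(build_sample_journal())


if __name__ == "__main__":
    recs = demo()
    for r in recs:
        print(r["usn"], r["timestamp"], r["name"], "|".join(r["reason"]))
    print("deleted:", deleted_files(recs))
```

Two points the sample is built to show: a rename produces two records (RENAME_OLD_NAME, then RENAME_NEW_NAME) sharing the same MFT entry and sequence number, which is how you tie the deleted svchost.exe back to the original payload.exe; and reason flags accumulate until CLOSE, so a record's reason list describes everything that happened to the file during that open, not just the last operation.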