Search Results for "forensic"

Plaso (Plaso Langar Að Safna Öllu), or "super timeline all the things," is a Python-based engine designed for automatic creation of timelines in digital forensic investigations. It processes various log files and artifacts to generate a chronological sequence of events, aiding analysts in understanding system activities.​

Rekall is a powerful memory forensics framework that turns raw RAM captures—or live system state—into structured artifacts investigators can query and script. It ships with a large collection of plugins that parse OS internals to recover processes, modules, sockets, registry hives, and file objects, even when rootkits try to hide them. The design emphasizes repeatability: investigators run well-defined analyses that produce timelines, indicators, and reports suitable for case work or...

...This is invaluable for post-mortem diagnosis of production daemons where reproducing a bug in a dev shell is impractical. pyringe can inject arbitrary Python into the target process, enabling on-the-spot logging, state dumps, or gentle patching to keep a system limping along while you gather evidence. It’s also useful for forensic snapshots: enumerate objects of a certain type, find reference cycles, or measure memory pressure without pre-instrumentation. While powerful, it’s designed for careful, auditable use—showing exactly what code runs and where—so teams can regain visibility when black-box processes go sideways.

The VAD tools are a set of scripts for working with Virtual Address Descriptor structures in dumps of Windows physical memory to provide detailed information about a process's memory allocations to a forensic investigator.