Due to some of the constraints in managing the source URLs in PowerShell, I'd like to link to the great work by @digitalsleuth - https://github.com/digitalsleuth/winfor-salt; as per PR #38 we have reached feature parity there.
Choco packages that are broken #18
- regripper - Maintainer contacted (also part of Autopsy). Nimi Places not launching, may not show tools by category. All shortcuts are under Forensics Tools on the desktop.
- Dcode DCode-x86-EN-5.2.20195.4.exe seems to be crashing on launch in a VM. Developer contacted.
- Shortcuts may not be showing in category with Nimi Places. A workaround is to change your profile username and user directory to user, i.e. C:\users\user\
- Initial WSL2 implementation
- Initial GUI implementation
GUI replication that categorises each tool, similar to the Windows SIFT VM. Implementation of further tools upon request.
Please raise an issue for extra tools, or reopen #17.
Attempting to reach out to Kroll again for Kape... requested numerous times.
This script is designed for non-commercial use. By installing these scripts, you agree to be bound by the vendors' own licence agreements. No responsibility will be taken for licence misuse.
If you wish to use this script for commercial use, the following software requires licensing:
- Arsenal Image Mounter
- FTK (with marketing sign-up, by user consent popup at the end of the script)
- Event Log Explorer
- Kape #23 #10 (waiting for vendor support from Kroll)
- 64-bit Windows 10 1904 or above, set up with the default username user so profiles resolve to C:\users\user (failure to do so results in shortcuts and Nimi Places not mapping correctly)
- Virtualisation enabled in your VM if you wish to use WSL
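A pre-flight check for the requirements above (64-bit Windows 10, the C:\users\user profile path that the shortcuts and Nimi Places depend on, an elevated prompt, the execution policy, and virtualisation for WSL), to run before the installer scripts. This is an added example script and not part of the project; the build number 18362 is an assumed floor for "1904 or above", and the profile check mirrors the Nimi Places workaround noted in the broken-packages list.

```powershell
# Pre-flight check for the requirements above, run from an elevated PowerShell
# before .\Get-Forensics-Tools.ps1. Added example, not part of the project.
# ASSUMPTION: build 18362 (Windows 10 1903) is used as the floor for "1904 or above".
$MinBuild = 18362
$ExpectedUser = 'user'
$ExpectedProfile = 'C:\Users\user'
$problems = @()
$warnings = @()

$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.OSArchitecture -notlike '64*') {
    $problems += "OS architecture is $($os.OSArchitecture); 64-bit Windows is required"
}
if ([int]$os.BuildNumber -lt $MinBuild) {
    $problems += "Build $($os.BuildNumber) is below the assumed minimum $MinBuild"
}

# The shortcuts and Nimi Places layout expect the profile path C:\users\user
# (PowerShell string comparison is case-insensitive, so C:\Users\user also passes)
if ($env:USERNAME -ne $ExpectedUser -or $env:USERPROFILE -ne $ExpectedProfile) {
    $problems += "Profile is $env:USERPROFILE for '$env:USERNAME'; expected $ExpectedProfile for '$ExpectedUser' (shortcuts will not map correctly)"
}

# The Get-*.ps1 scripts need an elevated prompt
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $problems += 'Not running as Administrator'
}

# Set-ExecutionPolicy Unrestricted must already be in effect for the scripts to run
$policy = Get-ExecutionPolicy
if ($policy -notin @('Unrestricted', 'Bypass')) {
    $problems += "Execution policy is $policy; run Set-ExecutionPolicy Unrestricted"
}

# Virtualisation only matters if you intend to run Get-WSL.ps1; reported as a warning
$cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
if (-not $cpu.VirtualizationFirmwareEnabled) {
    $warnings += 'Virtualisation is not exposed to this VM; WSL may not work (skip Get-WSL.ps1 or enable nested virtualisation)'
}

$warnings | ForEach-Object { Write-Warning $_ }
if ($problems.Count) {
    $problems | ForEach-Object { Write-Host "FAIL: $_" -ForegroundColor Red }
    exit 1
}
Write-Host 'All prerequisites met; run .\Get-Forensics-Tools.ps1' -ForegroundColor Green
```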
Right click on the start menu and select Administrative Command Prompt.
Set the PowerShell execution policy with
Set-ExecutionPolicy Unrestricted
Change to the downloaded directory, i.e.
cd $home\Downloads
Install Chocolatey with
.\Get-Chocolatey.ps1
Install Git with
.\Get-Git.ps1
If desired, install WSL (Bash for Windows) with
.\Get-WSL.ps1
Then reboot.
After reboot, install Ubuntu with
.\Get-Ubuntu
If desired, install the experimental Windows Terminal feature with
.\Get-Terminal.ps1
Install the forensics tools with
.\Get-Forensics-Tools.ps1
Note: if you want full system indexing (thanks to garbage Windows Search), you can either use Everything or change the indexing options to C:\ at this time. This is an issue that's beyond the scope of this project, as it requires a Windows SDK DLL. See #32.
An open source project that aims to replicate the Windows SIFT machine used during SANS courses, minus any payware software. It aims to install the same tools forensic analysts have trained with during their SANS course, or to quickly prepare for a CTF, as there does not appear to be a similar open source VM available.
- 4n6time
- Blacklight
- Browser History Examiner
- CSC Parser
- EnCase v7
- Findevil
- Foxton Browser History Examiner
- FTK
- Hibrec
- Internet Evidence Finder
- PRTK
- Recycle Bin Parser
- Registry Recon
- TZWorks $USNJrnl Parser (JP)
- TZWorks Cafae
- TZWorks Event Log Viewer (evtx view)
- TZWorks GENA
- TZWorks Index.dat Parser (id64)
- TZWorks INDX Slack Parser (wisp64)
- TZWorks Jump List Parser (jmp64)
- TZWorks LNK File Parser
- TZWorks NTFS Directory Enum
- TZWorks NTFS Walk
- TZWorks PEView
- TZWorks Prefetch Parser
- TZWorks SBag x64 (Shellbags)
- TZWorks USB Storage Parser
- TZWorks YARU
- Chocolatey GUI
- Chocolatey Installer
- amcacheparser
- AppCompatCacheParser
- bstrings
- ESEDatabase View
- ExifDataView
- Hasher
- iisGeolocate
- Jump List Explorer (JLECmd)
- LNK Explorer (LECmd)
- NirLauncher
- Prefetch Explorer (PECmd)
- RegFromApp
- Registry Explorer
- Shellbags Explorer
- TimeApp
- Sleuth Kit
- SysInternals Suite
- strings
- PhotoRec GUI
- Plaso
- Network Miner
- ExifTool
- ExifTool GUI
- Testdisk / PhotoRec
- Dcode Date
- Python2.7
- Python3.8
- Autopsy
- Rekall Forensics
- oclHashcat-plus
- wireshark
- yara
- HxD Hex Editor
- WinDBG
- Volatility Stand Alone Exe
- Unix Utils + 14-04-03 Updates
- sqlitebrowser
- SQLite Expert
- Shadow Explorer
- RegRipper
- Process Hacker
- prefetchparser (pecmd)
- winprefetchview
- Log Parser
- Disk2VHD
- ActiveState ActivePerl
- GPG4Win
- ImageMagick
- skypelogview
- skypecontactsview
- Universal Extractor
- WinMerge
- AgentRansack
- Thumbcache Viewer
- ExifToolGUI
- Thunderbird
- JRE8
- 7-Zip #9
- Adobe AIR #9
- Adobe Reader #9
- Firefox #9
- Flash Player Activex #9
- Flash Player Plugin #9
- Google Chrome #9
- Java Runtime #9
- Notepad++ #9
- OpenOffice 4 #9
- OpenVPN GUI #9
If you have any suggestions or feedback, or are the developer or copyright holder of a package you do not want included in this script, please raise an issue.