Automation Forensics Tool for Windows
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.

Automation FOrensics Tool

The Automation FOrensics Tool (AFOT) is an automation tool build in Python and used for Windows Forensics in order to combine the following tools:


The script makes use of Python version 2.7, but it will most likely work with Python 3. You will need to have PIP installed in your system. Please see python docs for details.

You should have your own a VirusTotal api key. Just create an account in VirusTotal website and grab the api key. Then add it as the __VIRUSTOTALAPIKEY__ value.


Just run python in your terminal.


So the procedure is pretty straight-forward:

  • The user provides the path, which will be used to analyze all the executables included in those folders/subfolders.
  • AnalyzePESig looks for signed executables, whom certificate will soon be revoked.
  • AFOT will collect all the non-signed executables and cross-check them with NSRL's hashset database, using the NSRL tool.
  • Last but not least, if any hashes were found to be in NSRL's hashset database too, we cross-check those hashes with VirusTotal, using the VirusTotal Search tool.


Please see CONTRIBUTING for details.


The MIT License (MIT). Please see License File for more information.