Forensic script currently in development
manta0101: New version, tested, with more error handling.
This is the newest version of Yet Another Forensic Tool (YAFORTO).
Yaforto version .05 is a highly commented PowerShell script to automate forensics. To learn more about it, see my SANS.org paper: https://www.sans.org/reading-room/whitepapers/automation/putting-automation-38928
Latest commit be9f9b9 May 10, 2019
Files in the repository:

| Name | Last commit |
| --- | --- |
| CallRegRunKeys-function.ps1 | Feb 11, 2019 |
| CallRegistryForUserProfile.ps1 | Feb 11, 2019 |
| Get-ComputerServices.ps1 | Feb 11, 2019 |
| README.md | Feb 11, 2019 |
| Yaforto-0_5_9_2019.ps1 | |
| cylrpull.ps | Dec 6, 2018 |
| get-localFirewallRules-10-30-18.ps1 | |
| getLastWriteTime-recursive.ps1 | Feb 11, 2019 |
| working regrip function 1-16-2019.ps1 | May 9, 2019 |
| wsave working-01-24-2019.ps1 | Feb 11, 2019 |

README.md

Yet Another Forensic Tool (YAFORTO)

Welcome to the starting point of the Yet Another Forensic Tool script (YAFORTO). This repository is the 'in development' new home of the script. It will also be where the finished script is published and referenced. Having earned the GIAC Certified Forensic Engineer certification, I saw an opportunity to combine some initial steps taken and fulfil a need to remotely capture information. This is part of my paper being developed for SANS.org, which will also reference this location.

The script is being written in PowerShell. I must acknowledge that the goal of the script is to use other forensic engineers' Windows executables to:
- Gather a remote forensic triage image
- Gather a remote memory dump
- Ask the forensic examiner what type of investigation this is
- Use that information to comb through the forensic image and memory dump to give the examiner some starting information

This script is not meant to replace any tools. Rather, it is designed for the growing avenue of forensic response inside an incident response framework. Ideally the forensic analyst would take a full disk image and a full memory image and bring both into a forensic platform for investigation using multiple tools. The use of this tool is to help the forensic examiner determine whether the effort and time needed match the initial information found.

11-27-18 update: Still coding.
1-15-19 update: Initial coding and testing completed. Will post code later.