Skip to content

SanketBaraiya/WAP

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
lib
lib
 
 
.gitattributes
.gitattributes
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
requirements.txt
requirements.txt
 
 
wap.py
wap.py
 
 

Repository files navigation

WAP - Windows Artifact Parser

WAP

The Windows Artifact Parser automates the process of parsing Windows artifacts, saving time and effort for forensic investigators. The tool processes the input data, extracts relevant information, and generates comprehensive reports for each artifact type.

Python

Table of Contents

📚 Introduction

The Windows Artifact Parser is a command line tool designed to automatically parse various Windows artifacts, providing valuable insights for forensic investigations. The tool supports the parsing of multiple artifact types, including registry hives, event logs, browser data, and more.

🚀 Features

  • Automatic parsing of multiple Windows artifacts:
    • Amcache
    • Browser data (Chrome, Firefox, Edge)
    • Jumplist
    • MFT
    • UsnJournal and LogFile
    • Prefetch
    • Recent Files
    • Recycle Bin
    • Shellbags (NTUSER and UsrClass.DAT)
    • Registry Hives
    • Windows Event Logs
  • Supports input as a zip file of collected data or a directory.

📋 Prerequisites

Before proceeding with the execution, make sure you have the following prerequisites:

  • .NET Framework (required for Eric Zimmerman's tools)

💻 Usage

To execute the tool, follow the steps below:

  1. Open Command Prompt as Administrator: Ensure you have administrative privileges to run the tool effectively.

  2. Run the Tool: Depending on whether you are using a zip file or a directory, use the appropriate command.

    • If using a ZIP file:

      • Basic ZIP file: 
        WAP.exe --zip [Path to ZIP]
      • Password-protected ZIP file: 
        WAP.exe --zip [Path to ZIP] --password [ZIP PASSWORD]

    • If using a directory:

      WAP.exe --directory [Path to DIRECTORY]

  3. Wait for Parsing to Complete: The tool will automatically process the input data and generate the output in the specified format. Once the parsing is complete, the output structure will be as follows:

    • For ZIP files:

      • Extracted data will be located in: 
        WAP_Extraction_[ZIP_NAME]\Extracted_Data
      • Results will be stored in: 
        WAP_Extraction_[ZIP_NAME]\Results

    • For Directories:

      • Results will be stored in: 
        Results_[DIRECTORY_NAME]

By following these steps, you can efficiently run the Windows Artifact Parser and obtain comprehensive reports on the parsed Windows artifacts. Download the executable from Releases Page.

Note: Some binaries used to parse the artifacts are unsigned and may be flagged by your AV. So please make sure that the tool is executed in environment where the binaries are not removed by AV, for proper execution.

Currently tested with following collections:

☕ Support

PayPal Google Pay Paytm

About

Windows Artifact Parser

Topics

windows parser incident-response dfir cybersecurity forensic-analysis dfir-automation forensics-tools

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases 1

v1.0 Latest
Oct 31, 2024

Languages