Tools
Volatility
Volatility is a great tool for analysing memory dumps.
#Getting Image info
python3 volatility3/vol.py -f ./Image windows.info.Info
#List process
python3 volatility3/vol.py -f ./Image windows.pslist
#List process tree
python3 volatility3/vol.py -f ./Image windows.pstree
#Get exact command line
python3 volatility3/vol.py -f ./Image windows.cmdline | grep <process_name>
#Get network state
python3 volatility3/vol.py -f ./Image windows.netscan
#Get filesystem scan
python3 volatility3/vol.py -f ./Image windows.filescan
#memory dump of a particular PID
python3 volatility3/vol.py -f ./Image windows.memmap --pid 3476 --dump
Its predecessor was written in Python 2 and has more plugins.
#Getting Image info
python2 vol.py -f ./Image imageinfo
#Getting clipboard content
python2 vol.py -f ./Image --profile=Win7SP1x64 clipboard #profile value changes depending upon what image you have, you can get this information from previous command.
#scan file system
python2 vol.py --profile=Win7SP1x64 -f ./Image filescan
#Dumping a file at particular location
python2 vol.py --profile=Win7SP1x64 -f ./Image dumpfiles -n --dump-dir=lol -Q 0x000...
LDAP Time
An AD timestamp (AKA LDAP time, WinTime or FileTime) is the number of 100-nanosecond intervals since 01/01/1601 @ 00:00.
Use this online tool to convert
If you need to compute the AD timestamp from the originalFileLastModifTimestamp and originalFileLastModifTimestampHigh values in Windows, use this formula.
e.g.
originalFileLastModifTimestamp="-1354503710"
originalFileLastModifTimestampHigh="31047188"
timestamp = 2^32*high + actual_low
where
actual_low = (2^32) - originalFileLastModifTimestamp #using the value without its sign
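The formula above worked through as an added Python example (not code from the original notes): it combines the two 32-bit halves into a FILETIME, handles both a negative and a positive low value, and converts the result to Unix time and a UTC datetime. The function names and the sample constants are my own.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: the two 32-bit halves from the note above.
SAMPLE_LOW = -1354503710   # originalFileLastModifTimestamp (signed 32-bit)
SAMPLE_HIGH = 31047188     # originalFileLastModifTimestampHigh

# Seconds between 1601-01-01 00:00 and the Unix epoch 1970-01-01 00:00.
EPOCH_DIFF_SECONDS = 11644473600
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_from_parts(low: int, high: int) -> int:
    """Combine the high and low halves into a 64-bit FILETIME.

    The low half is stored as a signed 32-bit integer, so a negative value
    must be reinterpreted as unsigned (2^32 - |low|). Masking with 0xFFFFFFFF
    does exactly that and leaves a positive low value unchanged.
    """
    return (high << 32) | (low & 0xFFFFFFFF)


def filetime_to_unix(filetime: int) -> int:
    """Whole seconds since the Unix epoch (FILETIME counts 100 ns units)."""
    return filetime // 10_000_000 - EPOCH_DIFF_SECONDS


def filetime_to_datetime(filetime: int) -> datetime:
    """Timezone-aware UTC datetime, keeping microsecond precision."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


if __name__ == "__main__":
    ft = filetime_from_parts(SAMPLE_LOW, SAMPLE_HIGH)
    print(f"FILETIME     : {ft}")
    print(f"Unix seconds : {filetime_to_unix(ft)}")
    print(f"UTC          : {filetime_to_datetime(ft).isoformat()}")
```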
Sherlock
Sherlock is a tool that searches a large list of websites for a given username, to find where else that username is in use (username-based OSINT).
ALEAPP (Android Logs, Events, and Protobuf Parser)
A forensic tool designed specifically for parsing Android file systems. ALEAPP is capable of analyzing Android artifacts such as application data, user activities, and system logs. This tool is particularly useful in reconstructing a device's state and understanding the behavior of its user. By pointing ALEAPP at the extracted file system of the victim's phone, we configured it to extract and process data from all available modules, including accounts, notifications, app interactions, and installed applications.
Link: https://github.com/abrignoni/ALEAPP I found the Windows executable pretty straightforward to work with.