Tools

Astra

Volatility

It is a great tool for analysing memory dumps.

GitHub - volatilityfoundation/volatility3: Volatility 3.0 developmentGitHub

#Getting Image info
python3 volatility3/vol.py -f ./Image windows.info.Info

#List process
python3 volatility3/vol.py -f ./Image windows.pslist

#memory dump of a particular PID
python3 volatility3/vol.py -f ./Image windows.memmap --pid 3476 --dump

It also has a predecessor which was written in python2 and has more plugins.

GitHub - volatilityfoundation/volatility: An advanced memory forensics frameworkGitHub

#Getting Image info
python2 vol.py -f ./Image imageinfo

#Getting clipboard content
python2 vol.py -f ./Image --profile=Win7SP1x64 clipboard #profile value changes depending upon what image you have, you can get this information from previous command.

#scan file system
python2 vol.py --profile=Win7SP1x64 -f >/Image filescan 

#Dumping a file at particular location
python2 vol.py --profile=Win7SP1x64 -f Image dumpfiles -n — dump-dir=lol -Q 0x000...

LDAP Time

An AD timestamp (AKA LDAP time, WinTime or FileTime) is the number of 100-nanoseconds since the year 01/01/1601 @ 00:00

Use this online tool to convert

LDAP, Active Directory & Filetime Timestamp Converter

If you need to convert to AD timestamp from originalFileLastModifTimestamp and originalFileLastModifTimestampHigh in windows then use this formula.

e.g 
originalFileLastModifTimestamp="-1354503710"
originalFileLastModifTimestampHigh="31047188"

2^32*high+actual_low 

where 

actual_low=(2^32)-originalFileLastModifTimestamp #without sign just the value.