├── .gitignore
├── 3rd_party
    ├── wget_autoruns.sh
    ├── wget_pescan.sh
    ├── wget_sigcheck.sh
    └── wget_tzworks_package.sh
├── LICENSE
├── README.md
├── conf
    ├── foremost.conf
    ├── ftriage.conf
    ├── image_export_targeted.txt
    ├── log2timeline_targeted.txt
    ├── md5deep
    │   ├── build_md5deep_idx.sh
    │   └── wget_md5deep.sh
    ├── nsrl
    │   ├── build_nsrl_idx.sh
    │   └── pull.sh
    ├── prefetch_hashes_lookup.txt
    ├── sorter
    │   ├── archives.sort
    │   ├── default.sort
    │   ├── exec.sort
    │   ├── exec.sort.bak
    │   ├── freebsd.sort
    │   ├── images.sort
    │   ├── images.sort.bak
    │   ├── linux.sort
    │   ├── openbsd.sort
    │   ├── solaris.sort
    │   ├── windows.sort
    │   └── windows.sort.bak
    └── timeline_reduce.txt
├── dependencies.sh
├── devtools
    ├── chown_outdir.sh
    ├── mount_host_shares.sh
    ├── nuke.sh
    ├── pkiller.sh
    ├── plaso_specs.sh
    └── rm_extra.sh
├── ftriage.sh
├── modlists
    ├── bulk.conf
    ├── disk_only_initial.conf
    ├── file_carve.conf
    ├── memory_only_initial.conf
    └── process_files.conf
├── modules
    ├── analysis
    │   ├── aggregate_carved_exes.sh
    │   ├── analyze_density_results.sh
    │   ├── densityscout.sh
    │   ├── get_mft_hunt_data.sh
    │   └── hash_aggregate_exes.sh
    ├── custom
    │   └── template.sh
    ├── disk
    │   ├── cold_image_export.sh
    │   ├── d_slack_foremost.sh
    │   ├── d_strings.sh
    │   ├── d_timeline.sh
    │   ├── d_unallocated_foremost.sh
    │   ├── hot_image_export.sh
    │   ├── sorter.sh
    │   ├── supertimeline.sh
    │   └── tsk_recover.sh
    ├── hybrid
    │   └── h_timeline.sh
    └── memory
    │   ├── apihooks.sh
    │   ├── cmdline.sh
    │   ├── cmdscan.sh
    │   ├── consoles.sh
    │   ├── dlldump.sh
    │   ├── dlllist.sh
    │   ├── driverirp.sh
    │   ├── dumpfiles_dll.sh
    │   ├── dumpfiles_exe.sh
    │   ├── filescan.sh
    │   ├── getsids.sh
    │   ├── handles.sh
    │   ├── hollowfind.sh
    │   ├── idt.sh
    │   ├── imageinfo.sh
    │   ├── ldrmodules.sh
    │   ├── m_strings.sh
    │   ├── m_timeline.sh
    │   ├── malfind.sh
    │   ├── malprocfind.sh
    │   ├── modscan.sh
    │   ├── modules.sh
    │   ├── mutantscan.sh
    │   ├── netscan.sh
    │   ├── prefetchparser.sh
    │   ├── ps.sh
    │   ├── psxview.sh
    │   ├── shimcache.sh
    │   ├── shimcachemem.sh
    │   └── ssdt.sh
├── test
    └── triage.sh
└── todo.txt


/.gitignore:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/.gitignore


--------------------------------------------------------------------------------
/3rd_party/wget_autoruns.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/3rd_party/wget_autoruns.sh


--------------------------------------------------------------------------------
/3rd_party/wget_pescan.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/3rd_party/wget_pescan.sh


--------------------------------------------------------------------------------
/3rd_party/wget_sigcheck.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/3rd_party/wget_sigcheck.sh


--------------------------------------------------------------------------------
/3rd_party/wget_tzworks_package.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/3rd_party/wget_tzworks_package.sh


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/LICENSE


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/README.md


--------------------------------------------------------------------------------
/conf/foremost.conf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/conf/foremost.conf


--------------------------------------------------------------------------------
/conf/ftriage.conf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/conf/ftriage.conf


--------------------------------------------------------------------------------
/conf/image_export_targeted.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/conf/image_export_targeted.txt


--------------------------------------------------------------------------------
/conf/log2timeline_targeted.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/conf/log2timeline_targeted.txt


--------------------------------------------------------------------------------
/conf/md5deep/build_md5deep_idx.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/conf/md5deep/build_md5deep_idx.sh


--------------------------------------------------------------------------------
/conf/md5deep/wget_md5deep.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/conf/md5deep/wget_md5deep.sh


--------------------------------------------------------------------------------
/conf/nsrl/build_nsrl_idx.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/conf/nsrl/build_nsrl_idx.sh


--------------------------------------------------------------------------------
/conf/nsrl/pull.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/conf/nsrl/pull.sh


--------------------------------------------------------------------------------
/conf/prefetch_hashes_lookup.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/conf/prefetch_hashes_lookup.txt


--------------------------------------------------------------------------------
/conf/sorter/archives.sort:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/conf/sorter/archives.sort


--------------------------------------------------------------------------------
/conf/sorter/default.sort:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/conf/sorter/default.sort


--------------------------------------------------------------------------------
/conf/sorter/exec.sort:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/conf/sorter/exec.sort


--------------------------------------------------------------------------------
/conf/sorter/exec.sort.bak:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/conf/sorter/exec.sort.bak


--------------------------------------------------------------------------------
/conf/sorter/freebsd.sort:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/conf/sorter/freebsd.sort


--------------------------------------------------------------------------------
/conf/sorter/images.sort:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/conf/sorter/images.sort


--------------------------------------------------------------------------------
/conf/sorter/images.sort.bak:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/conf/sorter/images.sort.bak


--------------------------------------------------------------------------------
/conf/sorter/linux.sort:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/conf/sorter/linux.sort


--------------------------------------------------------------------------------
/conf/sorter/openbsd.sort:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/conf/sorter/openbsd.sort


--------------------------------------------------------------------------------
/conf/sorter/solaris.sort:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/conf/sorter/solaris.sort


--------------------------------------------------------------------------------
/conf/sorter/windows.sort:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/conf/sorter/windows.sort


--------------------------------------------------------------------------------
/conf/sorter/windows.sort.bak:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/conf/sorter/windows.sort.bak


--------------------------------------------------------------------------------
/conf/timeline_reduce.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/conf/timeline_reduce.txt


--------------------------------------------------------------------------------
/dependencies.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/dependencies.sh


--------------------------------------------------------------------------------
/devtools/chown_outdir.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/devtools/chown_outdir.sh


--------------------------------------------------------------------------------
/devtools/mount_host_shares.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/devtools/mount_host_shares.sh


--------------------------------------------------------------------------------
/devtools/nuke.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/devtools/nuke.sh


--------------------------------------------------------------------------------
/devtools/pkiller.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/devtools/pkiller.sh


--------------------------------------------------------------------------------
/devtools/plaso_specs.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/devtools/plaso_specs.sh


--------------------------------------------------------------------------------
/devtools/rm_extra.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/devtools/rm_extra.sh


--------------------------------------------------------------------------------
/ftriage.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/ftriage.sh


--------------------------------------------------------------------------------
/modlists/bulk.conf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modlists/bulk.conf


--------------------------------------------------------------------------------
/modlists/disk_only_initial.conf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modlists/disk_only_initial.conf


--------------------------------------------------------------------------------
/modlists/file_carve.conf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modlists/file_carve.conf


--------------------------------------------------------------------------------
/modlists/memory_only_initial.conf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modlists/memory_only_initial.conf


--------------------------------------------------------------------------------
/modlists/process_files.conf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modlists/process_files.conf


--------------------------------------------------------------------------------
/modules/analysis/aggregate_carved_exes.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/analysis/aggregate_carved_exes.sh


--------------------------------------------------------------------------------
/modules/analysis/analyze_density_results.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/analysis/analyze_density_results.sh


--------------------------------------------------------------------------------
/modules/analysis/densityscout.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/analysis/densityscout.sh


--------------------------------------------------------------------------------
/modules/analysis/get_mft_hunt_data.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/analysis/get_mft_hunt_data.sh


--------------------------------------------------------------------------------
/modules/analysis/hash_aggregate_exes.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/analysis/hash_aggregate_exes.sh


--------------------------------------------------------------------------------
/modules/custom/template.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/custom/template.sh


--------------------------------------------------------------------------------
/modules/disk/cold_image_export.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/disk/cold_image_export.sh


--------------------------------------------------------------------------------
/modules/disk/d_slack_foremost.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/disk/d_slack_foremost.sh


--------------------------------------------------------------------------------
/modules/disk/d_strings.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/disk/d_strings.sh


--------------------------------------------------------------------------------
/modules/disk/d_timeline.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/disk/d_timeline.sh


--------------------------------------------------------------------------------
/modules/disk/d_unallocated_foremost.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/disk/d_unallocated_foremost.sh


--------------------------------------------------------------------------------
/modules/disk/hot_image_export.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/disk/hot_image_export.sh


--------------------------------------------------------------------------------
/modules/disk/sorter.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/disk/sorter.sh


--------------------------------------------------------------------------------
/modules/disk/supertimeline.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/disk/supertimeline.sh


--------------------------------------------------------------------------------
/modules/disk/tsk_recover.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/disk/tsk_recover.sh


--------------------------------------------------------------------------------
/modules/hybrid/h_timeline.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/hybrid/h_timeline.sh


--------------------------------------------------------------------------------
/modules/memory/apihooks.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/memory/apihooks.sh


--------------------------------------------------------------------------------
/modules/memory/cmdline.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/memory/cmdline.sh


--------------------------------------------------------------------------------
/modules/memory/cmdscan.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/memory/cmdscan.sh


--------------------------------------------------------------------------------
/modules/memory/consoles.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/memory/consoles.sh


--------------------------------------------------------------------------------
/modules/memory/dlldump.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/memory/dlldump.sh


--------------------------------------------------------------------------------
/modules/memory/dlllist.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/memory/dlllist.sh


--------------------------------------------------------------------------------
/modules/memory/driverirp.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/memory/driverirp.sh


--------------------------------------------------------------------------------
/modules/memory/dumpfiles_dll.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/memory/dumpfiles_dll.sh


--------------------------------------------------------------------------------
/modules/memory/dumpfiles_exe.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/memory/dumpfiles_exe.sh


--------------------------------------------------------------------------------
/modules/memory/filescan.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/memory/filescan.sh


--------------------------------------------------------------------------------
/modules/memory/getsids.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/memory/getsids.sh


--------------------------------------------------------------------------------
/modules/memory/handles.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/memory/handles.sh


--------------------------------------------------------------------------------
/modules/memory/hollowfind.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/memory/hollowfind.sh


--------------------------------------------------------------------------------
/modules/memory/idt.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/memory/idt.sh


--------------------------------------------------------------------------------
/modules/memory/imageinfo.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/memory/imageinfo.sh


--------------------------------------------------------------------------------
/modules/memory/ldrmodules.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/memory/ldrmodules.sh


--------------------------------------------------------------------------------
/modules/memory/m_strings.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/memory/m_strings.sh


--------------------------------------------------------------------------------
/modules/memory/m_timeline.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/memory/m_timeline.sh


--------------------------------------------------------------------------------
/modules/memory/malfind.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/memory/malfind.sh


--------------------------------------------------------------------------------
/modules/memory/malprocfind.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/memory/malprocfind.sh


--------------------------------------------------------------------------------
/modules/memory/modscan.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/memory/modscan.sh


--------------------------------------------------------------------------------
/modules/memory/modules.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/memory/modules.sh


--------------------------------------------------------------------------------
/modules/memory/mutantscan.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/memory/mutantscan.sh


--------------------------------------------------------------------------------
/modules/memory/netscan.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/memory/netscan.sh


--------------------------------------------------------------------------------
/modules/memory/prefetchparser.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/memory/prefetchparser.sh


--------------------------------------------------------------------------------
/modules/memory/ps.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/memory/ps.sh


--------------------------------------------------------------------------------
/modules/memory/psxview.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/memory/psxview.sh


--------------------------------------------------------------------------------
/modules/memory/shimcache.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/memory/shimcache.sh


--------------------------------------------------------------------------------
/modules/memory/shimcachemem.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/memory/shimcachemem.sh


--------------------------------------------------------------------------------
/modules/memory/ssdt.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/modules/memory/ssdt.sh


--------------------------------------------------------------------------------
/test/triage.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/test/triage.sh


--------------------------------------------------------------------------------
/todo.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewClarkMay/fTriage/HEAD/todo.txt


--------------------------------------------------------------------------------