├── .gitignore ├── .vs ├── IRCoreForensicFramework │ └── v16 │ │ └── .suo ├── ProjectSettings.json ├── VSWorkspaceState.json └── slnx.sqlite ├── Actions ├── CloudStoragePreparation │ └── Compress-AllForensicArtefacts.psm1 ├── CreateStagingLocation │ ├── New-CurrentStateStagingLocation.psm1 │ ├── New-EndpointForensicStorageLocation.psm1 │ ├── New-LocalDataStagingLocation.psm1 │ ├── New-ProcessedArtefactsStagingLocation.psm1 │ └── New-RemoteStagingLocation.psm1 ├── EventCapture │ └── Out-Events.psm1 ├── RemoveRemoteArtifacts │ └── Remove-RemoteStagingLocation.psm1 ├── WindowsCurrentStateDetailsRetrieval │ ├── Get-CurrentProcesses.psm1 │ └── Invoke-GetCurrentStateDetails.psm1 ├── WindowsEventLogProcessing │ ├── Export-ProcessStartEvents.psm1 │ ├── Export-ProcessStopEvents.psm1 │ └── Invoke-EventLogProcessing.psm1 ├── WindowsEventLogandSRURetrieval │ ├── Copy-RemoteEventLogging.psm1 │ ├── Get-RemoteEventLogging.psm1 │ └── Invoke-GetRemoteEventLogsandSRU.psm1 ├── WindowsMemoryProcessing │ ├── Format-VolatilityOutput.psm1 │ ├── Invoke-VolatilityCmdline.psm1 │ ├── Invoke-VolatilityPSList.psm1 │ ├── Invoke-VolatilityPSScan.psm1 │ └── Invoke-WindowsMemoryImageProcessing.psm1 ├── WindowsMemoryRetrieval │ ├── Compare-MemoryHashes.psm1 │ ├── Get-ExtractedMemoryHash.psm1 │ ├── Get-MemoryDump.psm1 │ ├── Get-RemoteMemoryHash.psm1 │ ├── Invoke-GetRemoteMemory.psm1 │ ├── Invoke-MemoryDump.psm1 │ └── Move-WinPMEM.psm1 ├── WindowsPrefetchProcessing │ └── Format-WindowsPrefetch.psm1 ├── WindowsPrefetchRetrieval │ ├── Copy-WindowsPrefetch.psm1 │ ├── Get-WindowsPrefetch.psm1 │ └── Invoke-GetWindowsPrefetch.psm1 ├── WindowsProcessPostProcessing │ ├── Join-WIndowsProcessStartProcessStopLogs.psm1 │ └── Join-WindowsProcessArtefacts.psm1 ├── WindowsRegistryRetrieval │ ├── Copy-WindowsRegistry.psm1 │ ├── Get-WindowsRegistryFiles.psm1 │ ├── Invoke-GetWindowsRegistry.psm1 │ └── New-RegistryFileFolder.psm1 └── WindowsSRUProcessing │ ├── Format-SRUDBtoJSON.psm1 │ ├── Format-SRUDBtoXLSX.psm1 │ └── Format-SrumDumptoJson.psm1 ├── CoreEndpointInteraction ├── Get-TargetList.psm1 ├── Get-TargetSessions.psm1 ├── Invoke-HostCommand.psm1 ├── Invoke-HostHunterCommand.psm1 ├── New-EndpointSession.psm1 ├── New-Target.psm1 ├── Remove-EndpointSession.psm1 ├── Remove-Target.psm1 └── Update-Credentials.psm1 ├── DockerVolume └── Copy-ToDockerVolume.psm1 ├── Dockerfile ├── Executeables ├── PECmd.exe ├── PECmd.zip ├── SRUM_TEMPLATE2.xlsx ├── WinPmem.exe ├── executeablemanifest.json ├── srum_dump2.exe └── volatility3.zip ├── LICENSE ├── Playbooks ├── Invoke-CoreForensicArtifactGatheringPlaybook.psm1 ├── Invoke-CoreForensicArtifactProcessingPlaybook.psm1 ├── artefactgatheringmodules.txt └── artefactprocessingmodules.txt ├── README.md ├── SetupModules ├── Copy-Volatility.psm1 ├── Expand-PrefetchParser.psm1 ├── Get-Executeable.psm1 ├── Get-SetupExecuteables.psm1 ├── Import-VolatilitySymbols.psm1 └── Set-PythonAnalysisList.psm1 ├── UnifiedMessaging ├── New-TooltipNotification.psm1 └── Write-HostHunterInformation.psm1 ├── loadIRCore.ps1 └── modulemanifest.txt /.gitignore: -------------------------------------------------------------------------------- 1 | /PythonAnalysisList/volatility3 -------------------------------------------------------------------------------- /.vs/IRCoreForensicFramework/v16/.suo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/.vs/IRCoreForensicFramework/v16/.suo -------------------------------------------------------------------------------- /.vs/ProjectSettings.json: -------------------------------------------------------------------------------- 1 | { 2 | "CurrentProjectSetting": null 3 | } -------------------------------------------------------------------------------- /.vs/VSWorkspaceState.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/.vs/VSWorkspaceState.json -------------------------------------------------------------------------------- /.vs/slnx.sqlite: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/.vs/slnx.sqlite -------------------------------------------------------------------------------- /Actions/CloudStoragePreparation/Compress-AllForensicArtefacts.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Actions/CloudStoragePreparation/Compress-AllForensicArtefacts.psm1 -------------------------------------------------------------------------------- /Actions/CreateStagingLocation/New-CurrentStateStagingLocation.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Actions/CreateStagingLocation/New-CurrentStateStagingLocation.psm1 -------------------------------------------------------------------------------- /Actions/CreateStagingLocation/New-EndpointForensicStorageLocation.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Actions/CreateStagingLocation/New-EndpointForensicStorageLocation.psm1 -------------------------------------------------------------------------------- /Actions/CreateStagingLocation/New-LocalDataStagingLocation.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Actions/CreateStagingLocation/New-LocalDataStagingLocation.psm1 -------------------------------------------------------------------------------- /Actions/CreateStagingLocation/New-ProcessedArtefactsStagingLocation.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Actions/CreateStagingLocation/New-ProcessedArtefactsStagingLocation.psm1 -------------------------------------------------------------------------------- /Actions/CreateStagingLocation/New-RemoteStagingLocation.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Actions/CreateStagingLocation/New-RemoteStagingLocation.psm1 -------------------------------------------------------------------------------- /Actions/EventCapture/Out-Events.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Actions/EventCapture/Out-Events.psm1 -------------------------------------------------------------------------------- /Actions/RemoveRemoteArtifacts/Remove-RemoteStagingLocation.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Actions/RemoveRemoteArtifacts/Remove-RemoteStagingLocation.psm1 -------------------------------------------------------------------------------- /Actions/WindowsCurrentStateDetailsRetrieval/Get-CurrentProcesses.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Actions/WindowsCurrentStateDetailsRetrieval/Get-CurrentProcesses.psm1 -------------------------------------------------------------------------------- /Actions/WindowsCurrentStateDetailsRetrieval/Invoke-GetCurrentStateDetails.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Actions/WindowsCurrentStateDetailsRetrieval/Invoke-GetCurrentStateDetails.psm1 -------------------------------------------------------------------------------- /Actions/WindowsEventLogProcessing/Export-ProcessStartEvents.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Actions/WindowsEventLogProcessing/Export-ProcessStartEvents.psm1 -------------------------------------------------------------------------------- /Actions/WindowsEventLogProcessing/Export-ProcessStopEvents.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Actions/WindowsEventLogProcessing/Export-ProcessStopEvents.psm1 -------------------------------------------------------------------------------- /Actions/WindowsEventLogProcessing/Invoke-EventLogProcessing.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Actions/WindowsEventLogProcessing/Invoke-EventLogProcessing.psm1 -------------------------------------------------------------------------------- /Actions/WindowsEventLogandSRURetrieval/Copy-RemoteEventLogging.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Actions/WindowsEventLogandSRURetrieval/Copy-RemoteEventLogging.psm1 -------------------------------------------------------------------------------- /Actions/WindowsEventLogandSRURetrieval/Get-RemoteEventLogging.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Actions/WindowsEventLogandSRURetrieval/Get-RemoteEventLogging.psm1 -------------------------------------------------------------------------------- /Actions/WindowsEventLogandSRURetrieval/Invoke-GetRemoteEventLogsandSRU.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Actions/WindowsEventLogandSRURetrieval/Invoke-GetRemoteEventLogsandSRU.psm1 -------------------------------------------------------------------------------- /Actions/WindowsMemoryProcessing/Format-VolatilityOutput.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Actions/WindowsMemoryProcessing/Format-VolatilityOutput.psm1 -------------------------------------------------------------------------------- /Actions/WindowsMemoryProcessing/Invoke-VolatilityCmdline.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Actions/WindowsMemoryProcessing/Invoke-VolatilityCmdline.psm1 -------------------------------------------------------------------------------- /Actions/WindowsMemoryProcessing/Invoke-VolatilityPSList.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Actions/WindowsMemoryProcessing/Invoke-VolatilityPSList.psm1 -------------------------------------------------------------------------------- /Actions/WindowsMemoryProcessing/Invoke-VolatilityPSScan.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Actions/WindowsMemoryProcessing/Invoke-VolatilityPSScan.psm1 -------------------------------------------------------------------------------- /Actions/WindowsMemoryProcessing/Invoke-WindowsMemoryImageProcessing.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Actions/WindowsMemoryProcessing/Invoke-WindowsMemoryImageProcessing.psm1 -------------------------------------------------------------------------------- /Actions/WindowsMemoryRetrieval/Compare-MemoryHashes.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Actions/WindowsMemoryRetrieval/Compare-MemoryHashes.psm1 -------------------------------------------------------------------------------- /Actions/WindowsMemoryRetrieval/Get-ExtractedMemoryHash.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Actions/WindowsMemoryRetrieval/Get-ExtractedMemoryHash.psm1 -------------------------------------------------------------------------------- /Actions/WindowsMemoryRetrieval/Get-MemoryDump.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Actions/WindowsMemoryRetrieval/Get-MemoryDump.psm1 -------------------------------------------------------------------------------- /Actions/WindowsMemoryRetrieval/Get-RemoteMemoryHash.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Actions/WindowsMemoryRetrieval/Get-RemoteMemoryHash.psm1 -------------------------------------------------------------------------------- /Actions/WindowsMemoryRetrieval/Invoke-GetRemoteMemory.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Actions/WindowsMemoryRetrieval/Invoke-GetRemoteMemory.psm1 -------------------------------------------------------------------------------- /Actions/WindowsMemoryRetrieval/Invoke-MemoryDump.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Actions/WindowsMemoryRetrieval/Invoke-MemoryDump.psm1 -------------------------------------------------------------------------------- /Actions/WindowsMemoryRetrieval/Move-WinPMEM.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Actions/WindowsMemoryRetrieval/Move-WinPMEM.psm1 -------------------------------------------------------------------------------- /Actions/WindowsPrefetchProcessing/Format-WindowsPrefetch.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Actions/WindowsPrefetchProcessing/Format-WindowsPrefetch.psm1 -------------------------------------------------------------------------------- /Actions/WindowsPrefetchRetrieval/Copy-WindowsPrefetch.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Actions/WindowsPrefetchRetrieval/Copy-WindowsPrefetch.psm1 -------------------------------------------------------------------------------- /Actions/WindowsPrefetchRetrieval/Get-WindowsPrefetch.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Actions/WindowsPrefetchRetrieval/Get-WindowsPrefetch.psm1 -------------------------------------------------------------------------------- /Actions/WindowsPrefetchRetrieval/Invoke-GetWindowsPrefetch.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Actions/WindowsPrefetchRetrieval/Invoke-GetWindowsPrefetch.psm1 -------------------------------------------------------------------------------- /Actions/WindowsProcessPostProcessing/Join-WIndowsProcessStartProcessStopLogs.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Actions/WindowsProcessPostProcessing/Join-WIndowsProcessStartProcessStopLogs.psm1 -------------------------------------------------------------------------------- /Actions/WindowsProcessPostProcessing/Join-WindowsProcessArtefacts.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Actions/WindowsProcessPostProcessing/Join-WindowsProcessArtefacts.psm1 -------------------------------------------------------------------------------- /Actions/WindowsRegistryRetrieval/Copy-WindowsRegistry.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Actions/WindowsRegistryRetrieval/Copy-WindowsRegistry.psm1 -------------------------------------------------------------------------------- /Actions/WindowsRegistryRetrieval/Get-WindowsRegistryFiles.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Actions/WindowsRegistryRetrieval/Get-WindowsRegistryFiles.psm1 -------------------------------------------------------------------------------- /Actions/WindowsRegistryRetrieval/Invoke-GetWindowsRegistry.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Actions/WindowsRegistryRetrieval/Invoke-GetWindowsRegistry.psm1 -------------------------------------------------------------------------------- /Actions/WindowsRegistryRetrieval/New-RegistryFileFolder.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Actions/WindowsRegistryRetrieval/New-RegistryFileFolder.psm1 -------------------------------------------------------------------------------- /Actions/WindowsSRUProcessing/Format-SRUDBtoJSON.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Actions/WindowsSRUProcessing/Format-SRUDBtoJSON.psm1 -------------------------------------------------------------------------------- /Actions/WindowsSRUProcessing/Format-SRUDBtoXLSX.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Actions/WindowsSRUProcessing/Format-SRUDBtoXLSX.psm1 -------------------------------------------------------------------------------- /Actions/WindowsSRUProcessing/Format-SrumDumptoJson.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Actions/WindowsSRUProcessing/Format-SrumDumptoJson.psm1 -------------------------------------------------------------------------------- /CoreEndpointInteraction/Get-TargetList.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/CoreEndpointInteraction/Get-TargetList.psm1 -------------------------------------------------------------------------------- /CoreEndpointInteraction/Get-TargetSessions.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/CoreEndpointInteraction/Get-TargetSessions.psm1 -------------------------------------------------------------------------------- /CoreEndpointInteraction/Invoke-HostCommand.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/CoreEndpointInteraction/Invoke-HostCommand.psm1 -------------------------------------------------------------------------------- /CoreEndpointInteraction/Invoke-HostHunterCommand.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/CoreEndpointInteraction/Invoke-HostHunterCommand.psm1 -------------------------------------------------------------------------------- /CoreEndpointInteraction/New-EndpointSession.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/CoreEndpointInteraction/New-EndpointSession.psm1 -------------------------------------------------------------------------------- /CoreEndpointInteraction/New-Target.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/CoreEndpointInteraction/New-Target.psm1 -------------------------------------------------------------------------------- /CoreEndpointInteraction/Remove-EndpointSession.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/CoreEndpointInteraction/Remove-EndpointSession.psm1 -------------------------------------------------------------------------------- /CoreEndpointInteraction/Remove-Target.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/CoreEndpointInteraction/Remove-Target.psm1 -------------------------------------------------------------------------------- /CoreEndpointInteraction/Update-Credentials.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/CoreEndpointInteraction/Update-Credentials.psm1 -------------------------------------------------------------------------------- /DockerVolume/Copy-ToDockerVolume.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/DockerVolume/Copy-ToDockerVolume.psm1 -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Dockerfile -------------------------------------------------------------------------------- /Executeables/PECmd.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Executeables/PECmd.exe -------------------------------------------------------------------------------- /Executeables/PECmd.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Executeables/PECmd.zip -------------------------------------------------------------------------------- /Executeables/SRUM_TEMPLATE2.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Executeables/SRUM_TEMPLATE2.xlsx -------------------------------------------------------------------------------- /Executeables/WinPmem.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Executeables/WinPmem.exe -------------------------------------------------------------------------------- /Executeables/executeablemanifest.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Executeables/executeablemanifest.json -------------------------------------------------------------------------------- /Executeables/srum_dump2.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Executeables/srum_dump2.exe -------------------------------------------------------------------------------- /Executeables/volatility3.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Executeables/volatility3.zip -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/LICENSE -------------------------------------------------------------------------------- /Playbooks/Invoke-CoreForensicArtifactGatheringPlaybook.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Playbooks/Invoke-CoreForensicArtifactGatheringPlaybook.psm1 -------------------------------------------------------------------------------- /Playbooks/Invoke-CoreForensicArtifactProcessingPlaybook.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Playbooks/Invoke-CoreForensicArtifactProcessingPlaybook.psm1 -------------------------------------------------------------------------------- /Playbooks/artefactgatheringmodules.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Playbooks/artefactgatheringmodules.txt -------------------------------------------------------------------------------- /Playbooks/artefactprocessingmodules.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/Playbooks/artefactprocessingmodules.txt -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/README.md -------------------------------------------------------------------------------- /SetupModules/Copy-Volatility.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/SetupModules/Copy-Volatility.psm1 -------------------------------------------------------------------------------- /SetupModules/Expand-PrefetchParser.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/SetupModules/Expand-PrefetchParser.psm1 -------------------------------------------------------------------------------- /SetupModules/Get-Executeable.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/SetupModules/Get-Executeable.psm1 -------------------------------------------------------------------------------- /SetupModules/Get-SetupExecuteables.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/SetupModules/Get-SetupExecuteables.psm1 -------------------------------------------------------------------------------- /SetupModules/Import-VolatilitySymbols.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/SetupModules/Import-VolatilitySymbols.psm1 -------------------------------------------------------------------------------- /SetupModules/Set-PythonAnalysisList.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/SetupModules/Set-PythonAnalysisList.psm1 -------------------------------------------------------------------------------- /UnifiedMessaging/New-TooltipNotification.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/UnifiedMessaging/New-TooltipNotification.psm1 -------------------------------------------------------------------------------- /UnifiedMessaging/Write-HostHunterInformation.psm1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/UnifiedMessaging/Write-HostHunterInformation.psm1 -------------------------------------------------------------------------------- /loadIRCore.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/loadIRCore.ps1 -------------------------------------------------------------------------------- /modulemanifest.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jimtin/IRCoreForensicFramework/HEAD/modulemanifest.txt --------------------------------------------------------------------------------