Security - Forensic Tools (7)

pestudio standard v9.34 Updated

Andrew Lee on 14 May 2022
  • 4MB (uncompressed)
  • Released on 12 May 2022
  • Suggested by joby_toss

pestudio shows details about applications and other system files (.exe, .dll, .cpl, .ocx, .ax, .sys, etc.) without starting them, including:

  • Libraries that are used by an application
  • Functions that are imported by an application
  • Functions (including anonymous ones exported by ordinal only) that are exported by an application
  • All functions that are forwarded to other libraries
  • Obsolete functions that are exported and imported by an application
  • Whether the image opts in to Data Execution Prevention (DEP), read from the PE header
  • Whether the image opts in to Address Space Layout Randomization (ASLR), read from the PE header
  • Whether the image uses Structured Exception Handling (SEH)
  • Whether some sections look compressed or packed

pestudio standard lacks some features of the pro version.

Runs on: Win2K / WinXP / Vista / Win7 / Win8 / Win10
Writes settings to: Application folder
Stealth: Yes
Unicode support: Yes
License: Free for personal use/Liteware
How to extract: Download the ZIP package and extract to a folder of your choice. Delete AddToShell.reg and RemoveFromShell.reg. Launch pestudio.exe.
Similar/alternative apps: PPEE, PE Anatomist
What's new? See: https://www.winitor.com/tools/pestudio/changes.log
Latest comments
__philippe on 2017-11-26 21:39

All righty,... next time round,

the undersigned hereby pledge to abide by the recommendations, protocols,
procedures and regulations set forth by my Right Honourable Friend Midas,
the Member for TPFC's constituency,... cross my heart and hope to die... ;-)

__philippe

Special on 2019-09-14 18:16

Looks like with 8.98 they've removed even more features from the previous 9.87 free version (detect well-known whitelisted libraries/blacklisted resources), funny they don't mention that in the changelog.

MoisheP on 2021-08-15 03:13

v. 9.15 elicits numerous warnings.


PEAnatomist v0.2.10 Updated

Andrew Lee on 17 Apr 2022
  • 438KB (uncompressed)
  • Released on 17 Apr 2022
  • Suggested by billon

PEAnatomist shows almost all known data structures inside a PE file and performs some analytics on them.
The current version provides a byte-level entropy histogram, handy for cursory PE forensics, since compressed or encrypted regions stand out as high-entropy bands.
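The DEP/ASLR/SEH answers pestudio gives and the entropy view PE Anatomist draws both come straight from the PE headers and the raw section bytes. The following Python is an added example, not code from pestudio, PE Anatomist or this page: it parses the COFF and optional headers, reads the IMAGE_DLLCHARACTERISTICS bits, and computes per-section Shannon entropy to flag sections that look compressed or encrypted. The image it inspects is a minimal, non-executable PE32+ skeleton constructed in memory so the script runs offline; the 7.0 bits/byte threshold is a common heuristic, not a standard, and the GUARD against section headers pointing past end-of-file is the kind of check a parser of crafted PEs needs.

```python
"""Added example: read the PE header bits behind pestudio's DEP/ASLR/SEH
report and compute per-section entropy like PE Anatomist's histogram."""
import hashlib
import math
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR with high-entropy addresses (/HIGHENTROPYVA)
DYNAMIC_BASE = 0x0040      # image may be relocated at load: ASLR opt-in
NX_COMPAT = 0x0100         # image is DEP (NX) compatible
NO_SEH = 0x0400            # image declares it contains no SEH handlers

FILE_ALIGN, SECTION_ALIGN = 0x200, 0x1000


def _align(n, a):
    return (n + a - 1) // a * a


def build_sample_pe(dll_characteristics, sections):
    """Construct a minimal, non-executable PE32+ skeleton (constructed test input only).
    sections: list of (name, raw_bytes)."""
    nsec, opt_size = len(sections), 240              # PE32+ optional header incl. 16 data dirs
    raw_ptr = _align(0x40 + 4 + 20 + opt_size + 40 * nsec, FILE_ALIGN)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE signature right after DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, nsec, 0, 0, 0, opt_size, 0x0022)  # AMD64, EXE, large-address-aware
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)            # PE32+ magic
    struct.pack_into("<Q", opt, 24, 0x140000000)     # ImageBase
    struct.pack_into("<II", opt, 32, SECTION_ALIGN, FILE_ALIGN)
    struct.pack_into("<I", opt, 60, raw_ptr)         # SizeOfHeaders
    struct.pack_into("<HH", opt, 68, 3, dll_characteristics)  # Subsystem=console, DllCharacteristics
    struct.pack_into("<I", opt, 108, 16)             # NumberOfRvaAndSizes
    table, body, va = bytearray(), bytearray(), SECTION_ALIGN
    for name, raw in sections:
        padded = raw.ljust(_align(len(raw), FILE_ALIGN), b"\0")
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(raw), va,
                             len(padded), raw_ptr + len(body), 0, 0, 0, 0, 0x60000020)  # CODE|EXEC|READ
        body += padded
        va += _align(len(raw), SECTION_ALIGN)
    struct.pack_into("<I", opt, 56, va)              # SizeOfImage
    image = dos + b"PE\0\0" + coff + opt + table
    return bytes(image.ljust(raw_ptr, b"\0") + body)


def parse_pe(data):
    """Parse DOS header, COFF header, optional header and section table without running the file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff_off)
    opt_off = coff_off + 20
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both the PE32 and the PE32+ optional header.
    dll_chars = struct.unpack_from("<H", data, opt_off + 70)[0]
    sections = []
    for i in range(nsec):
        hdr = struct.unpack_from("<8sIIIIIIHHI", data, opt_off + opt_size + 40 * i)
        name, vsize, rva, raw_size, raw_ptr = hdr[:5]
        if raw_ptr + raw_size > len(data):          # crafted-file guard: section points past EOF
            raise ValueError("section %r lies outside the file" % name)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "rva": rva, "characteristics": hdr[9],
                         "raw": data[raw_ptr:raw_ptr + raw_size]})
    return {"machine": machine, "pe32plus": magic == 0x20B,
            "dll_characteristics": dll_chars, "sections": sections}


def mitigations(dll_chars):
    """The DEP / ASLR / SEH answers derived from DllCharacteristics. NO_SEH only says the
    image has no handlers; x86 SafeSEH would need the Load Config directory, not read here."""
    return {"DEP": bool(dll_chars & NX_COMPAT), "ASLR": bool(dll_chars & DYNAMIC_BASE),
            "HighEntropyVA": bool(dll_chars & HIGH_ENTROPY_VA), "SEH": not dll_chars & NO_SEH}


def shannon_entropy(buf):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def section_entropies(pe):
    return {s["name"]: round(shannon_entropy(s["raw"]), 3) for s in pe["sections"]}


def packed_sections(pe, threshold=7.0):
    """Sections whose entropy suggests compressed or encrypted content (heuristic threshold)."""
    return [n for n, e in section_entropies(pe).items() if e >= threshold]


# Constructed sample input: a two-symbol "code" section (exactly 1 bit/byte) and a
# pseudo-random section built from SHA-256 digests to stand in for packed data.
LOW = b"\x90" * 2048 + b"\xc3" * 2048
HIGH = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
HARDENED = build_sample_pe(DYNAMIC_BASE | NX_COMPAT | HIGH_ENTROPY_VA, [(".text", LOW), (".packed", HIGH)])
LEGACY = build_sample_pe(0, [(".text", LOW)])

if __name__ == "__main__":
    for label, image in (("hardened", HARDENED), ("legacy", LEGACY)):
        pe = parse_pe(image)
        print(label, mitigations(pe["dll_characteristics"]), section_entropies(pe),
              "packed:", packed_sections(pe))
```

Point the parser at a real file with `parse_pe(open(path, "rb").read())`. Two caveats a practitioner should keep in mind: the flags only record what the linker declared, so a DEP/ASLR-compatible image can still be loaded with those mitigations off by policy or by an image without relocations, and a high-entropy section is a hint (packers, embedded certificates and resources all produce it), not proof of malice.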

Runs on: WinXP / Vista / Win7 / Win8 / Win10
Writes settings to: Application folder
Stealth: Yes
Unicode support: Yes
License: MIT License
How to extract: Download the ZIP package and extract to a folder of your choice. Launch PEAnatomist.exe.
Similar/alternative apps: PPEE, MiTeC EXE Explorer, pestudio
What's new? See: https://rammerlabs.alidml.ru/changelog-eng.html
Latest comments
__philippe on 2019-12-28 12:07

PE Anatomist changelog history:

https://rammerlabs.alidml.ru/changelog-eng.html

__philippe on 2021-11-05 10:42

PEanatomist notably includes (since v0.2.4) a colorful byte-level entropy(*) histogram of the file under analysis, possibly handy for inquiring minds dabbling in PE forensics ?

* Everything you always wanted to know about entropy histograms but were scared to ask...;-)
https://crucialsecurity.wordpress.com/tag/entropy/


DataProtectionDecryptor v1.11

Andrew Lee on 2 Jan 2022
  • 143KB (uncompressed)
  • Released on 1 Jan 2022
  • Suggested by billon

DataProtectionDecryptor allows you to decrypt passwords and other information encrypted by the Windows DPAPI (Data Protection API), such as Microsoft Outlook account passwords, Windows credential files, wireless network keys, passwords in some versions of Internet Explorer, and Chrome passwords and cookies.

Runs on: WinXP / Vista / Win7 / Win8 / Win10
Writes settings to: Application folder
License: Freeware
How to extract: Download the ZIP package and extract to a folder of your choice. Launch DataProtectionDecryptor.exe.
Similar/alternative apps: EncryptedRegView
What's new?
  • Fixed the external drive feature to work properly if you sign in with Microsoft account.
  • Be aware that in order to decrypt DPAPI-encrypted information created while you signed in with Microsoft account (On Windows 10 or Windows 11), you have to provide the random DPAPI password generated for your Microsoft account instead of the actual login password. You can find this DPAPI password with the MadPassExt tool.
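The tool does the decryption; what an examiner usually needs first is to know which master key, and therefore which account password (or, for Microsoft-account logins, the generated DPAPI password mentioned above), a given blob depends on. The following Python is an added example, not code from the tool's author or this page: it parses the DPAPI blob layout (version, provider GUID, master key GUID, flags, description, algorithm IDs, salt, HMAC keys, ciphertext, signature) so the blob can be matched to a master key file under %APPDATA%\Microsoft\Protect\<SID>\. The blob it dissects is constructed; its ciphertext is filler and cannot be decrypted, and the master key GUID and SID are placeholders. The decryption step itself (master key unwrapped with the password, then the data key derived from salt and HMAC) is out of scope here.

```python
"""Added example: dissect a DPAPI blob header to find the master key a protected
secret depends on before any decryption is attempted."""
import struct
import uuid

DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")  # guidProvider in every DPAPI blob
CRYPTPROTECT_LOCAL_MACHINE = 0x4                                    # machine-scope blob flag
ALG_NAMES = {0x6603: "CALG_3DES", 0x660e: "CALG_AES_128", 0x6610: "CALG_AES_256",
             0x8004: "CALG_SHA1", 0x800c: "CALG_SHA_256", 0x800e: "CALG_SHA_512"}


def _blob(b):
    """Length-prefixed byte string, the way DPAPI serialises variable fields."""
    return struct.pack("<I", len(b)) + b


def build_sample_blob(master_key_guid, description, flags, ciphertext, sign):
    """Construct a syntactically valid DPAPI blob (constructed test input; the
    ciphertext and signature are filler and are not decryptable)."""
    desc = (description + "\0").encode("utf-16-le")
    return (struct.pack("<I", 1) + DPAPI_PROVIDER.bytes_le
            + struct.pack("<I", 1) + master_key_guid.bytes_le
            + struct.pack("<I", flags) + _blob(desc)
            + struct.pack("<II", 0x6610, 256) + _blob(b"\x11" * 32)   # algCrypt AES-256, salt
            + _blob(b"")                                               # strong HMAC key (usually empty)
            + struct.pack("<II", 0x800e, 512) + _blob(b"\x22" * 64)   # algHash SHA-512, HMAC2 key
            + _blob(ciphertext) + _blob(sign))


def parse_dpapi_blob(blob):
    """Walk the blob: version, provider GUID, master key version/GUID, flags, description,
    crypt alg/bits, salt, HMAC key, hash alg/bits, HMAC2 key, data, signature."""
    off = 0

    def u32():
        nonlocal off
        v, = struct.unpack_from("<I", blob, off)
        off += 4
        return v

    def bytestr():
        nonlocal off
        n = u32()
        if off + n > len(blob):
            raise ValueError("truncated blob")
        s = blob[off:off + n]
        off += n
        return s

    def guid():
        nonlocal off
        g = uuid.UUID(bytes_le=blob[off:off + 16])
        off += 16
        return g

    version, provider = u32(), guid()
    if version != 1 or provider != DPAPI_PROVIDER:
        raise ValueError("not a DPAPI blob")
    mk_version, mk_guid = u32(), guid()
    flags = u32()
    description = bytestr().decode("utf-16-le").rstrip("\0")
    alg_crypt, alg_crypt_bits = u32(), u32()
    salt, hmac_key = bytestr(), bytestr()
    alg_hash, alg_hash_bits = u32(), u32()
    hmac2_key, data, sign = bytestr(), bytestr(), bytestr()
    if off != len(blob):
        raise ValueError("%d trailing bytes after signature" % (len(blob) - off))
    return {"master_key_guid": str(mk_guid), "master_key_version": mk_version,
            "machine_scope": bool(flags & CRYPTPROTECT_LOCAL_MACHINE), "description": description,
            "cipher": ALG_NAMES.get(alg_crypt, hex(alg_crypt)), "cipher_bits": alg_crypt_bits,
            "hash": ALG_NAMES.get(alg_hash, hex(alg_hash)), "hash_bits": alg_hash_bits,
            "salt": salt.hex(), "data_len": len(data), "sign_len": len(sign)}


def master_key_path(user_sid, mk_guid):
    """Location of the user master key file a blob depends on (machine-scope blobs
    use the key under %WINDIR%\\System32\\Microsoft\\Protect\\ instead)."""
    return r"%APPDATA%\Microsoft\Protect\{}\{}".format(user_sid, mk_guid)


# Constructed sample: placeholder master key GUID and SID, filler ciphertext.
SAMPLE_MK = uuid.UUID("3b5f1e6a-0c4d-4e2f-9a77-5a1b2c3d4e5f")
SAMPLE_SID = "S-1-5-21-1000-2000-3000-1001"
SAMPLE_BLOB = build_sample_blob(SAMPLE_MK, "example secret", 0, b"\xab" * 48, b"\xcd" * 64)

if __name__ == "__main__":
    info = parse_dpapi_blob(SAMPLE_BLOB)
    print(info)
    print("needs master key file:", master_key_path(SAMPLE_SID, info["master_key_guid"]))
```

On a live system the master key GUID tells you which file to collect together with the blob; with a Microsoft-account logon the password that unwraps that file is the generated DPAPI password, not the account password, which is exactly why the tool above asks for it.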

Windows File Analyzer v2.10.0

Andrew Lee on 28 Sep 2021
  • 4MB (uncompressed)
  • Released on 27 Sep 2021
  • Suggested by I am Baas

Windows File Analyzer decodes and analyzes the cached artifacts that Windows and common applications leave behind, for forensic analysis. It has a tabbed interface with a multiple-document window and horizontal/vertical/cascade view settings, and analysis results can be printed in a user-friendly form. The program includes a variety of analysis tools useful for seeing how much information your computer leaves behind that could represent a privacy risk, or for trying to detect nefarious activity.

Features include thumbnail viewers for Windows XP, ACDSee, Google Picasa, FastStone Viewer and HP Digital Imaging thumbnail caches, displaying the stored metadata with an image preview. A Prefetch Analyzer lists the recently run programs recorded in the Prefetch folder, and the Shortcut Analyzer decodes all shortcut (.lnk) files in a specified folder and the data stored in them. An Index.DAT Analyzer looks at Internet Explorer cookies, temporary files and history, and a Recycle Bin decoding tool displays the INFO2 files that record recycle bin content (Win2k and XP only).

A PDF-format help file is available from the author website.

Runs on: Win2K / WinXP / Vista / Win7 / Win8 / Win10
Writes settings to: None
Unicode support: Yes
License: Free for personal use
How to extract: Download the ZIP package and extract to a folder of your choice. Launch WFA.exe.
What's new?
  1. Fixed FastStone thumbnail database reading
  2. Added searchbox to FastStone analyzer
Latest comments
__philippe on 2013-07-08 20:53

Categories classification:

Currently, WindowsFileAnalyser can be looked up under 2 categories
- Files -> Miscellaneous (25)
- Security -> Privacy Tools (42)

Would it be appropriate to expand the list with the newly created "Security -> "Forensic Tools" subcategory ?

__philippe

AndTheWolf on 2021-06-18 12:36

Now at version 2.9.0 (The download link at the site is still labeled "MiTeC Windows File Analyzer 2.8.0", but the executable within the zip file shows as 2.9.0)


PPEE v1.12

__philippe on 6 Nov 2021
  • 1MB (uncompressed)
  • Released on 17 Aug 2018
  • Suggested by billon

PPEE (Professional PE file Explorer) allows analysis of malformed and crafted PE files, making it handy for reverse engineering, malware research and more. It parses the Export, Import, Resource, Exception, Certificate (relying on the Windows API), Base Relocation, Debug, TLS, Load Config, Bound Import, IAT, Delay Import and CLR directories.

The program includes a hex editor and can query VirusTotal and OPSWAT's Metadefender for reports on the file.

Runs on: WinXP / Vista / Win7 / Win8 / Win10 / Wine
Writes settings to: Application folder
Unicode support: Yes
License: Freeware
How to extract: Download the ZIP package and extract to a folder of your choice. Delete Plugin folder. Launch PPEE.exe.
Similar/alternative apps: pestudio, MiTeC EXE Explorer
What's new?
  • Rich Header supported (experimental).
  • Resolve ordinal to name in imported APIs.
  • Added:
    • Filter/Search box for listview;
    • PE type icon in statusbar;
    • SHA256 and ImpHash in FileInfo plugin.
  • .ini file converted to UTF.
  • Bugfixes.
Latest comments
smaragdus on 2018-04-12 09:27

@doctor__philippe
What other kind of maladies do you cure? Or only software ones?

__philippe on 2018-04-12 17:50

Now that you mention it, I have been known to cure images hosting service broken links...;-)
https://www.portablefreeware.com/forums/viewtopic.php?p=89747#p89747

smaragdus on 2018-04-13 00:12

@@doctor__philippe
Thanks for the new cure!
