WINDOWS FORENSIC TOOLCHEST™ (WFT)


"Wow. I have to tell ya, I am very impressed. There are many spiffy enhancements, esp for the incident responder who has a bit of a clue. Great output, much improved config file, lots of command line options. Wow."
-- Don Murdoch (Author of SANS First Responder - Windows Course)


WFT News
2014-03-16 WFT v3.0.08 released
2012-09-05 WFT v3.0.07 released  
2011-09-17 WFT v3.0.06 released  
2010-07-11 WFT v3.0.05 released  
2009-07-02 WFT v3.0.04 released  
2008-07-03 WFT v3.0.03 released  
2007-07-30 SANSfire 2007 BOF: What Is New With Windows Forensic Toolchest™ (WFT) v3.0 (PDF download)
2007-06-03 WFT v3.0.01 released  
2006-06-10 WFT presentation presented at the June 10th, 2006 North Texas Snort Users Group meeting (PDF download)

The Windows Forensic Toolchest™ (WFT) is designed to provide a structured and repeatable automated Live Forensic Response, Incident Response, or Audit on a Windows system while collecting security-relevant information from the system. WFT is essentially a forensically enhanced batch processing shell capable of running other security tools and producing HTML-based reports in a forensically sound manner.

A knowledgeable security professional can use WFT to help look for signs of an incident or intrusion, or to confirm computer misuse or configuration. WFT produces output that is useful to the admin user, but is also appropriate for use in court proceedings. It logs all of its actions extensively and computes MD5/SHA1 checksums along the way to ensure that its output is verifiable. The primary benefit of using WFT to perform incident response or audits is that it provides a simplified way of scripting such activities using a sound methodology for data collection.

I welcome any suggested features or changes or additional tool suggestions. Feedback from users of WFT would be greatly appreciated.