The Automatic FOrensics Tool (AFOT) is an automation tool built in Python for Windows forensics. It chains the following tools:
+ AnalyzePESig (http://didierstevens.com/files/software/AnalyzePESig_V0_0_0_2.zip)
+ National Software Reference Library reduced set (http://www.nsrl.nist.gov/RDS/rds_2.52/rds_252m.zip)
+ NSRL Tool (http://didierstevens.com/files/software/nsrl_V0_0_2.zip)
+ VirusTotal Search Tool (http://didierstevens.com/files/software/virustotal-search_V0_1_2.zip)
Requirements:
– Python 2.7.x
– VirusTotal API key
The procedure is straightforward:
+ The user provides a path; every executable in that folder and its subfolders is analyzed.
+ AnalyzePESig checks the Authenticode signature of each executable and flags signed executables whose certificate is revoked or otherwise invalid.
+ AFOT collects all the unsigned executables and cross-checks their hashes against the NSRL hash set, using the NSRL tool. A hash that is in NSRL belongs to a known (typically legitimate) file and needs no further attention.
+ Last but not least, the hashes that are not found in the NSRL hash set (i.e. unknown files) are cross-checked with VirusTotal, using the VirusTotal Search tool.
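The pipeline above, as an added example that is not AFOT's own code. Instead of shelling out to AnalyzePESig and the NSRL tool, it detects whether a PE file embeds an Authenticode certificate table by reading the PE header (presence only, not validity), hashes the unsigned files with SHA-1 (the key the NSRL RDS uses) against an in-memory hash set, and returns the hashes that would be handed to virustotal-search. The hash set and the PE samples are constructed inline; `make_minimal_pe` builds bare headers, not runnable binaries.

```python
import hashlib
import os
import shutil
import struct
import tempfile

# Index of the Attribute Certificate Table (Authenticode) in the PE data directory
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
EXECUTABLE_EXTENSIONS = ('.exe', '.dll', '.sys', '.ocx', '.scr')


def has_authenticode_signature(data):
    """True if the PE image embeds an Authenticode certificate table.

    Presence only: it says nothing about whether the signature or its
    certificate is valid (that is what AnalyzePESig checks in AFOT).
    """
    if len(data) < 0x40 or data[:2] != b'MZ':
        return False
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        return False
    opt_hdr = e_lfanew + 4 + 20            # PE signature + COFF file header
    if len(data) < opt_hdr + 2:
        return False
    magic = struct.unpack_from('<H', data, opt_hdr)[0]
    if magic == 0x10b:                      # PE32
        num_dirs_off, dirs_off = opt_hdr + 92, opt_hdr + 96
    elif magic == 0x20b:                    # PE32+
        num_dirs_off, dirs_off = opt_hdr + 108, opt_hdr + 112
    else:
        return False
    if len(data) < num_dirs_off + 4:
        return False
    num_dirs = struct.unpack_from('<I', data, num_dirs_off)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return False
    entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if len(data) < entry + 8:
        return False
    va, size = struct.unpack_from('<II', data, entry)
    return va != 0 and size != 0


def sha1_hex(data):
    """NSRL RDS keys files by upper-case hex SHA-1."""
    return hashlib.sha1(data).hexdigest().upper()


def classify(files, nsrl_sha1):
    """Split {path: bytes} into AFOT's three buckets; 'unknown' is the VT work list."""
    result = {'signed': [], 'known_good': [], 'unknown': []}
    for path in sorted(files):
        data = files[path]
        if has_authenticode_signature(data):
            result['signed'].append(path)
        elif sha1_hex(data) in nsrl_sha1:
            result['known_good'].append(path)
        else:
            result['unknown'].append((path, sha1_hex(data)))
    return result


def walk_executables(root):
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(EXECUTABLE_EXTENSIONS):
                path = os.path.join(dirpath, name)
                with open(path, 'rb') as fh:
                    yield path, fh.read()


def triage(root, nsrl_sha1):
    return classify(dict(walk_executables(root)), nsrl_sha1)


def make_minimal_pe(signed, pe32plus=False):
    """Constructed sample: a bare PE header (not a runnable program)."""
    opt = struct.pack('<H', 0x20b if pe32plus else 0x10b)
    opt += b'\0' * ((108 if pe32plus else 92) - 2)   # remaining standard/Windows fields
    opt += struct.pack('<I', 16)                       # NumberOfRvaAndSizes
    for index in range(16):
        if signed and index == IMAGE_DIRECTORY_ENTRY_SECURITY:
            opt += struct.pack('<II', 0x400, 0x200)    # offset/size of the cert table
        else:
            opt += struct.pack('<II', 0, 0)
    coff = struct.pack('<HHIIIHH', 0x14c, 0, 0, 0, 0, len(opt), 0x102)
    dos = b'MZ' + b'\0' * 58 + struct.pack('<I', 0x40)  # e_lfanew = 0x40
    return dos + b'PE\0\0' + coff + opt


if __name__ == '__main__':
    root = tempfile.mkdtemp()
    samples = {'signed.exe': make_minimal_pe(True),
               'known.dll': make_minimal_pe(False),
               'unknown.sys': make_minimal_pe(False, pe32plus=True)}
    for name, blob in samples.items():
        with open(os.path.join(root, name), 'wb') as fh:
            fh.write(blob)
    nsrl = {sha1_hex(samples['known.dll'])}   # constructed stand-in for the RDS set
    print(triage(root, nsrl))
    shutil.rmtree(root)
```

The `unknown` bucket is the only one that costs VirusTotal API quota, which is why the NSRL filter sits in front of it.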
Usage & Download:
git clone https://github.com/harris21/afot && cd afot
python afot.py (set your VirusTotal API key in afot.py before running)