{"id":21610896,"url":"https://github.com/ashemery/windowsdfir","last_synced_at":"2025-07-01T13:07:56.425Z","repository":{"id":41139130,"uuid":"238811261","full_name":"ashemery/WindowsDFIR","owner":"ashemery","description":"Repository for different Windows DFIR related CMDs, PowerShell CMDlets, etc, plus workshops that I did for different conferences or events.","archived":false,"fork":false,"pushed_at":"2021-07-13T01:56:39.000Z","size":28,"stargazers_count":78,"open_issues_count":0,"forks_count":7,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-06-08T10:03:50.953Z","etag":null,"topics":["cmd","cmdlets","dfir","investigations","powershell","scripts","windows"],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ashemery.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-02-07T00:11:53.000Z","updated_at":"2025-05-20T09:43:42.000Z","dependencies_parsed_at":"2022-09-08T00:51:46.117Z","dependency_job_id":null,"html_url":"https://github.com/ashemery/WindowsDFIR","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/ashemery/WindowsDFIR","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ashemery%2FWindowsDFIR","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ashemery%2FWindowsDFIR/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ashemery%2FWindowsDFIR/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ashemery%2FWindowsDFIR/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ashemery","download_url":"https://codeload.github.com/ashemery/WindowsDFIR/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ashemery%2FWindowsDFIR/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":262969885,"owners_count":23392530,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cmd","cmdlets","dfir","investigations","powershell","scripts","windows"],"created_at":"2024-11-24T21:09:59.088Z","updated_at":"2025-07-01T13:07:56.394Z","avatar_url":"https://github.com/ashemery.png","language":"PowerShell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Windows DFIR\nRepository for different Windows DFIR related CMDs, PowerShell CMDlets, etc, plus workshops that I did for different conferences or events.\n\n### Timestamps in UTC\n```Get-ChildItem \\\u003cPATH\\\u003e -Force | Select-Object FullName, CreationTimeUTC, LastAccessTimeUTC, LastWriteTimeUTC```\n  \n### Timestamps in local time\n```Get-ChildItem \\\u003cPATH\\\u003e -Force | Select-Object FullName, CreationTime, LastAccessTime, LastWriteTime```\n\n### Hash Values (MD5, SHA1, and SHA256)\n```Get-FileHash \\\u003cPATH\\\u003e -Algorithm MD5 | Format-List```\n\n```Get-FileHash \\\u003cPATH\\\u003e -Algorithm SHA1 | Format-List```\n\n```Get-FileHash \\\u003cPATH\\\u003e -Algorithm SHA256 | Format-List```\n\n### Find location of executable in PATH (similar to which on Linux Systems)\n```where executablename```\n\n### Merge two CSV files\n```Get-Content LNK_User1.csv, LNK_User2.csv | Select-Object -Unique | Set-Content -Encoding ASCII LNK_Users.csv```\n\n### Create Symbolic Links to Multiple files. Useful to process files that reside in Known Folders\n- Check the file \"createSymLinks.ps1\" and from where it was found.\n- More info about Known Folders: [URL](https://docs.microsoft.com/en-us/windows/win32/shell/known-folders)\n\n## Workshops\n- BSides Amman 2021, all files here: [URL](https://github.com/ashemery/WindowsDFIR/tree/master/Workshops/BSidesAmman21)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fashemery%2Fwindowsdfir","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fashemery%2Fwindowsdfir","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fashemery%2Fwindowsdfir/lists"}