
Chainsaw
Tags: Incident Management, Digital Forensics
Universal hexadecimal editor for computer forensics, data recovery, and IT security.
Chainsaw Offers a Robust 'First-Response' Capability
Chainsaw offers a robust 'first-response' capability that enables rapid identification of threats within Windows forensic artefacts, including Event Logs and the Master File Table (MFT).
It provides a versatile and efficient approach to searching event logs
It provides a versatile and efficient approach to searching event logs for keywords. It identifies threats using built-in support for Sigma detection rules as well as custom Chainsaw detection rules.
Features Include Threat Hunting and Forensic Analysis
Features include:
- Hunting for threats using Sigma detection rules and custom Chainsaw detection rules.
- Searching for and extracting forensic artefacts through string matching and regex patterns.
- Creating execution timelines by analysing Shimcache artefacts and enriching them with Amcache data.
- Analysing the SRUM database.
- Dumping the raw content of forensic artefacts such as the MFT, registry hives, and ESE databases.
- Lightning-fast performance with a clean and lightweight execution footprint.
- Document tagging via the TAU Engine library.
- Output in several formats, including ASCII table, CSV, and JSON.