Windows Forensic Toolchest (WFT) – Live Response Toolkit

The Windows Forensic Toolchest (WFT) is designed to provide a structured and repeatable automated Live Forensic Response, Incident Response, or Audit on a Windows system while collecting security-relevant information from the system.

WFT is essentially a forensically enhanced batch processing shell capable of running other security tools and producing HTML based reports in a forensically sound manner.

Windows Forensic Toolchest (WFT) - Live Response Toolkit
Windows Forensic Toolchest (WFT) – Live Response Toolkit

Windows Forensic Toolchest (WFT) Include the following features:

  • Provides Structured And Repeatable Live Forensic Response, Incident Response.
  • Generation Of Both Raw Text And HTML Reports
  • User-Editable Config File Controls Execution
  • Ability To Run Locally, Via CD/DVD, Or Thumb Drive
  • Configurable Toolpath
  • Macros Which Expand Dynamically Based On Run-Time Values
  • Detailed Run-Time Logging
  • Verification Of All Executed Tools
  • Detailed Hashing Of Output
  • Support For MD5 Hash
  • Support For SHA1 Hash
  • Ability To Verify WFT Config Files
  • Automatic Updating Of WFT Hash Values For Tools
  • WFT’s Interactive Mode Provides Command-Line Alternative
  • Off-Line Report Generation Saves Time During Collection
  • Ability To Run SysInternals Tools Without ‘-accepteula’
  • Color Output Highlights Important Info
  • Automatic OS & Drive Detection
  • Ability To Run Commands Based On Run-Time OS
  • Ability To Fetch 3rd-Party Tools
  • Ability To Download Latest WFT

WFT produces output that is useful to the admin user, but is also appropriate for use in court proceedings. It provides extensive logging of all its actions along with computing the MD5/SHA1 checksums along the way to ensure that its output is verifiable.

The primary benefit of using WFT to perform incident responses or audit is that it provides a simplified way of scripting such activities using a sound methodology for data collection.

You can read more and download this tool over here:

Notify of
Inline Feedbacks
View all comments