Windows Forensics

I’m always searching for Windows forensics software and here are some of the utilities I have found.


OSForensics is produced by PassMark Software. There are both free and pro versions.

OSForensics can mount an image read-only, so that data is not modified during an investigation. It includes a number of utilities that are simple enough for an inexperienced analyst to operate, covering media handling, Windows file management and analysis, and case management.


I have not had a chance to look at Win-UFO. I came across it through the Caine forensics web site.

ADFS 3.0

Moving to ADFS 3.0 I have encountered a number of issues.  Here is a record of my issues and solutions, where available.


The first problem was with clients that don’t support SNI when negotiating SSL connections (including load balancers whose monitoring services don’t support SNI). The solution is to create a default certificate binding, either for the IP address ADFS is listening on or for all IP addresses:

netsh http add sslcert ipport= certhash= appid={5d89a20c-beab-4389-9447-324788eb944a}

Running the command as above produces a "parameter incorrect" error, so I have found it necessary to go into the netsh http context and then type the add cert… command.

The certificate hash and appid can be retrieved by using the PowerShell command:

Get-AdfsSslCertificate | fl *
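The steps above combined into one PowerShell script, as an added example that is not part of the original post. It reuses the appid shown in the netsh command and assumes that the fallback binding should be 0.0.0.0:443 (all IP addresses) and that the CertificateHash property returned by Get-AdfsSslCertificate carries the thumbprint.

```powershell
# Added example: create the non-SNI fallback binding for AD FS.
# Run in an elevated PowerShell session on the AD FS server.

# Assumption: bind on all addresses; use a specific IP to limit the scope.
$ipPort = '0.0.0.0:443'
# Application ID as shown in the netsh command on this page.
$appId  = '{5d89a20c-beab-4389-9447-324788eb944a}'

# Read the thumbprint from the existing hostname (SNI) bindings.
$hashes = @(Get-AdfsSslCertificate |
    Select-Object -ExpandProperty CertificateHash -Unique)
if ($hashes.Count -ne 1) {
    throw "Expected exactly one AD FS certificate hash, found $($hashes.Count)."
}
$certHash = $hashes[0]

# Check for an existing IP-based binding so it is not overwritten blindly.
$existing = netsh http show sslcert ipport=$ipPort
if ($LASTEXITCODE -eq 0) {
    Write-Output "A binding for $ipPort already exists, leaving it unchanged:"
    $existing
}
else {
    # The appid argument is quoted so that PowerShell passes the braces
    # to netsh literally.
    netsh http add sslcert ipport=$ipPort certhash=$certHash "appid=$appId"
    if ($LASTEXITCODE -ne 0) {
        throw "netsh http add sslcert failed with exit code $LASTEXITCODE."
    }
    # Show the new binding to confirm the hash and appid that were stored.
    netsh http show sslcert ipport=$ipPort
}
```

A binding on 0.0.0.0:443 presents the ADFS certificate to every non-SNI client that reaches port 443 on any address of the server, so use the specific listening IP instead if other HTTPS services share the host.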

Home Realm Discovery

Home Realm Discovery on ADFS 3.0 seems to be less flexible than under ADFS 2.0. I have been unable to find the equivalent functionality to modifying the HomeRealmDiscovery.aspx page. It is possible to limit identity providers (Claims Providers) by service provider (Relying Party), but programmatically selecting the identity provider for a request does not seem to be possible, and, for me, it is not ideal to show all available identity providers to all users.

Customizing the AD FS Sign-in Pages

Set-AdfsClaimsProviderTrust -PromptLoginFederation ForwardPromptAndHintsOverWsFederation


Using AuthorizationServer with ADFS

OAuth identification with ADFS