This repository contains support files for the DFiR Galaxy Workstation — a preconfigured forensic virtual machine built to streamline Digital Forensics and Incident Response (DFIR) workflows.
All files in this repo are located within the VM at: C:\ForensicPrograms\DFIR_Toolbar
| File Name | Description |
|---|---|
| ChangeCurrentEvidenceName.bat | Changes the current evidence name when you click on Cases → Add Evidence Name. |
| ForensicsHandler.bat | AI-generated batch file used to parse evidence automatically based on its extension. |
| ForensicsTools.reg | Registry file that configures the Windows Explorer context menu for forensic tools. |
| ForensicsTools_v2.reg | Improved version of the context menu registry file. It addresses the Windows Explorer submenu limit (≈13 visible items). |
| menu_config | Configuration file for the DFIR Toolbar interface. |
| PlasoAddTimelineHelper.bat | Helper script for running Plaso timeline creation. |
| plasoHelper.bat / plasoHelper.ps1 / plasoHelperGUI.ps1 / plasoHelperNoGUI.ps1 | A set of helper scripts used by Plaso to process evidence with or without a GUI. |
| PlasoRunPsortHelper.bat / PlasoRunPsortHelper.ps1 | Plaso post-processing helper scripts for psort operations. |

Windows Explorer limits submenus in the context menu to around 13 visible items.
To make all tools accessible, ForensicsTools_v2.reg introduces a reorganized structure.

To update:
- Double-click ForensicsTools_v2.reg.
- Confirm the registry changes when prompted.
- Restart Windows Explorer (or reboot).

You can download the DFiR Galaxy Workstation VM from:
🔗 https://1024terabox.com/s/1a0J5uOpxptTSb175sqCxnw

Note: this is the link for v1.2 (latest).

Learn more about the DFiR Galaxy Workstation and its setup:
- 🛰️ DFiR Galaxy Workstation: A Swiss Army Knife for DFIR Investigations
- 🚀 Getting Started with The DFiR Galaxy Workstation
- 🧰 Available Tools in DFiR Galaxy Workstation
Mahmoud Soheem
Digital Forensics & Incident Response Engineer
LinkedIn • Medium