is there an extension for osquery that includes forensics capabilities? for eg, a table that shows appcompat results?

Polylogyx was making some osquery windows extensions with additional capabilities. Sorry I can't give you more details.

thanks.

Thanks @zwass. @Vijay, please feel welcome to look at some of the example scripts at https://github.com/polylogyx/plgx-esp-sdk/tree/master/example_scripts/advance_scripts You will find one for appcompat cache parsing too... feel welcome to move the PolyLogyx related discussion to #polylogyx-extension channel.

@Vijay we also wrote an NTFS metadata table extension https://github.com/trailofbits/osquery-extensions/tree/master/ntfs_forensics

is there a release version of it?

There hasn't been a recent binary tagged as a release, no, but it should build from source

great. thanks