Cross-platform DFIR toolkit for fast, structured incident response — Windows, Linux & macOS.
Whether you're responding to an incident on a Windows server, a hardened Linux box, or a macOS endpoint — Forensicator has you covered.
The flagship module. Full event log analysis, malware hash checks, IOC-matched browser history, RAM capture, PCAP tracing, and HTML report generation.
Written for maximum cross-distro compatibility using native OS commands only — no net-tools dependency. Malicious executable and shell command detection included.
Shell-based live forensics for Apple endpoints. Collects system artifacts, user activity, and network state with structured HTML output.
From volatile memory to browser history, every artifact matters in an investigation.
Queries Windows Event Logs for specific IDs linked to logon events, object access, process execution, and suspicious PowerShell commands.
Matches hashes of executables on disk against abuse.ch and public malicious hash databases to flag compromised binaries automatically.
Extracts browsing history from Chrome, Firefox, Edge, and IE — then cross-references URLs against known IOC lists for immediate threat detection.
Captures 120 seconds of live network traffic and converts it to PCAP format via etl2pcapng — ready for Wireshark analysis.
Integrates with WinPmem to take a full memory dump alongside your standard collection — critical for malware-in-memory investigations.
New in v4.1.1 — Forensicator now evaluates Windows event logs against Sigma detection rules, the industry standard for SIEM-agnostic detection.
AES-encrypt collected artifacts immediately after acquisition to maintain evidentiary integrity and secure chain of custody.
Output is a searchable, filterable HTML report with per-check tables. Export any section to Excel, PDF, or print — directly from the browser.
Recursively searches the filesystem for files matching known ransomware extensions — invaluable when your alert is a potential encryption event.
No bloated agent to install. Clone, execute with elevated privileges, get a report.
-ENCRYPTED ENCRYPTED before transport.
# --- Windows (PowerShell) ---
.\Forensicator.ps1 # Basic run
.\Forensicator.ps1 -EVTX EVTX -RAM RAM -PCAP PCAP -HASHCHECK HASHCHECK -WEBLOGS WEBLOGS # Full deep-dive
.\Forensicator.ps1 -OPERATOR "Jane Doe" -CASE IR-2026-001 # Unattended mode (for automation)
# --- Linux / macOS ---
chmod +x Forensicator.sh
sudo ./Forensicator.sh
Forensicator is actively maintained and growing. Here's what's on the horizon.
Industry-standard detection rules now evaluated against the hosts Windows event logs automatically.
Logs and Artifact exports can now be imported to Splunk, Elastic, and Microsoft Sentinel for integration into existing pipelines.
BitLocker recovery keys harvested during acquisition for encrypted drive analysis.
Curated, community-maintained & custom rule packs for APT groups, ransomware families, and insider threat patterns.
A web-based interface to upload, parse, and collaborate on Forensicator reports all self hosted within your environment.
Shared investigations, annotation, and case handoff features for multi-analyst teams.
Free, open-source, and actively maintained. By Raptormatics.