v4.1.1 — Sigma Rule Support Now Live

Live
Forensicator

Cross-platform DFIR toolkit for fast, structured incident response — Windows, Linux & macOS.

forensicator — PowerShell — 80×24
# Clone and run — it's that simple
PS C:\Investigations> git clone https://github.com/Johnng007/Live-Forensicator.git
PS C:\Investigations> cd Live-Forensicator\Windows
PS C:\Investigations> .\Forensicator.ps1 -EVTX EVTX -RAM RAM -PCAP PCAP

[FORENSICATOR v4.1.1] Starting investigation...
[USER ACCOUNTS] Collected 12 entries
[EVENT LOG ANALYSIS] Querying suspicious activity IDs...
! [HASH CHECK] Malicious executable match found → malware_loader.exe
[BROWSER HISTORY] IOC URL detected in Chrome history
[SIGMA RULES] 3 rules triggered
Report written → DESKTOP-J7KX2\index.html
PS C:\Investigations>
⭐ Star on GitHub Forensicator Enterprise 📖 Walkthrough
622+
GitHub Stars
90+
Forks
3
Platforms
4.1
Latest Version

// 01 — Platforms

One toolkit.
Every OS.

Whether you're responding to an incident on a Windows server, a hardened Linux box, or a macOS endpoint — Forensicator has you covered.

🪟
Windows
PowerShell

The flagship module. Full event log analysis, malware hash checks, IOC-matched browser history, RAM capture, PCAP tracing, and HTML report generation.

Event Logs Hash Check RAM Capture Sigma Rules BitLocker
🐧
Linux
Bash

Written for maximum cross-distro compatibility using native OS commands only — no net-tools dependency. Malicious executable and shell command detection included.

Native Commands Malicious Exec Shell Cmd Check Cross-distro
🍎
macOS
Shell Script

Shell-based live forensics for Apple endpoints. Collects system artifacts, user activity, and network state with structured HTML output.

Shell Script System Artifacts HTML Output Network State

// 02 — Capabilities

What Forensicator
pulls for you.

From volatile memory to browser history, every artifact matters in an investigation.

📋
Event Log Analysis

Queries Windows Event Logs for specific IDs linked to logon events, object access, process execution, and suspicious PowerShell commands.

🦠
Malware Hash Detection

Matches hashes of executables on disk against abuse.ch and public malicious hash databases to flag compromised binaries automatically.

🌐
Browser History + IOC Match

Extracts browsing history from Chrome, Firefox, Edge, and IE — then cross-references URLs against known IOC lists for immediate threat detection.

📡
PCAP Network Tracing

Captures 120 seconds of live network traffic and converts it to PCAP format via etl2pcapng — ready for Wireshark analysis.

🧠
RAM Acquisition

Integrates with WinPmem to take a full memory dump alongside your standard collection — critical for malware-in-memory investigations.

Sigma Rule Support

New in v4.1.1 — Forensicator now evaluates Windows event logs against Sigma detection rules, the industry standard for SIEM-agnostic detection.

🔐
Artifact Encryption

AES-encrypt collected artifacts immediately after acquisition to maintain evidentiary integrity and secure chain of custody.

📊
Structured HTML Reports

Output is a searchable, filterable HTML report with per-check tables. Export any section to Excel, PDF, or print — directly from the browser.

🔍
Ransomware Extension Scan

Recursively searches the filesystem for files matching known ransomware extensions — invaluable when your alert is a potential encryption event.


// 03 — Usage

Up and running
in seconds.

No bloated agent to install. Clone, execute with elevated privileges, get a report.

  • 01 Clone the repo to the target machine or a trusted USB.
  • 02 Run as Administrator (Windows) or root (Linux/macOS) for full artifact access.
  • 03 Pass your flags — mix and match EVTX, RAM, PCAP, HASHCHECK, and more.
  • 04 Open index.html from the output directory — your full investigation report is ready.
  • 05 Optionally encrypt the artifact folder with -ENCRYPTED ENCRYPTED before transport.
# --- Windows (PowerShell) ---
.\Forensicator.ps1 # Basic run
.\Forensicator.ps1 -EVTX EVTX -RAM RAM -PCAP PCAP -HASHCHECK HASHCHECK -WEBLOGS WEBLOGS # Full deep-dive
.\Forensicator.ps1 -OPERATOR "Jane Doe" -CASE IR-2026-001 # Unattended mode (for automation)
# --- Linux / macOS ---
chmod +x Forensicator.sh
sudo ./Forensicator.sh

// 04 — Roadmap

What's next.

Forensicator is actively maintained and growing. Here's what's on the horizon.

✔ Shipped — v4.1.1
Sigma Rule Support

Industry-standard detection rules now evaluated against the hosts Windows event logs automatically.

✔ Shipped — v4.1.1
SIEM Export

Logs and Artifact exports can now be imported to Splunk, Elastic, and Microsoft Sentinel for integration into existing pipelines.

✔ Shipped — v4.1.1
BitLocker Key Collection

BitLocker recovery keys harvested during acquisition for encrypted drive analysis.

✔ Shipped — v4.1.5
Advanced Detection Packs

Curated, community-maintained & custom rule packs for APT groups, ransomware families, and insider threat patterns.

✔ Shipped
Forensicator Enterprise

A web-based interface to upload, parse, and collaborate on Forensicator reports all self hosted within your environment.

✔ Shipped with Enterprise
Team Collaboration

Shared investigations, annotation, and case handoff features for multi-analyst teams.


// Get Forensicator

Start your
investigation now.

Free, open-source, and actively maintained. By Raptormatics.

⭐ View on GitHub Forensicator Enterprise 📖 Walkthrough