Cross-platform Incident Response & Live Forensics Toolkit
Windows (PowerShell) | Linux (Bash) | macOS (Shell)
Built for fast, structured, and actionable forensic investigations.
___________ .__ __
\_ _____/__________ ____ ____ _____|__| ____ _____ _/ |_ ___________
| __)/ _ \_ __ \_/ __ \ / \ / ___/ |/ ___\\__ \\ __\/ _ \_ __ \
| \( <_> ) | \/\ ___/| | \\___ \| \ \___ / __ \| | ( <_> ) | \/
\___ / \____/|__| \___ >___| /____ >__|\___ >____ /__| \____/|__|
\/ \/ \/ \/ \/ \/
v4.1.6Forensicator is a cross-platform incident response and live forensics toolkit.
It is designed to help forensic investigators and incident responders rapidly collect, analyze, and interpret system artifacts during live investigations.
Forensicator:
- Collects system and user activity data
- Detects anomalous behavior and suspicious indicators
- Highlights potential compromise or misconfiguration
- Generates structured, investigation-ready HTML reports
- Advanced Event Log analysis
- Detection of suspicious activity via known Event IDs
- Sigma rule engine (1,400+ community rules) evaluated against Security/Sysmon Event Logs
- Malware hash matching (e.g., abuse.ch feeds)
- Browser history analysis with IOC matching
- Optional artifact encryption (AES)
- Detection Insight - a summary of the detection, why it matters, the detection logic, what to look for, and its MITRE mapping
- Investigation archive + structured JSON output for Forensicator Enterprise
👉 https://github.com/Johnng007/Live-Forensicator/tree/main/Windows
- Detection engine covering reverse shells, SIP/Gatekeeper/kext tampering, PATH hijacking, deleted-binary execution, credential timestomping, and more
- Best-effort Sigma rule engine sourced from real SigmaHQ community rules, evaluated against the unified log
- Malware hash matching and browser history IOC matching, with auto-updating abuse.ch/URLhaus feeds
- FileVault, SIP, Gatekeeper, TCC, and Signed System Volume integrity checks
- Application code-signature verification
- Optional artifact encryption (AES)
- Investigation archive + structured JSON output for Forensicator Enterprise
👉 https://github.com/Johnng007/Live-Forensicator/tree/main/MacOS
⚠️ Note: macOS restricts real process-creation telemetry to its Endpoint Security Framework, which a plain script cannot access — so Sigma coverage is narrower here than on Windows/Linux. See the macOS README for specifics.
- Cross-distro compatible Bash scripts, no non-native dependencies
- Detection engine covering reverse shells, timestomping, PATH hijacking, deleted-binary execution, package integrity, and more
- Sigma rule engine sourced from real SigmaHQ community rules, evaluated against auditd and journald where available
- Malware hash matching and malicious URL matching, with auto-updating abuse.ch/URLhaus feeds
- LUKS disk-encryption status and credential-file tampering timeline
- Optional artifact encryption (AES)
- Structured JSON output for Forensicator Enterprise
👉 https://github.com/Johnng007/Live-Forensicator/tree/main/Linux
⚠️ Note: Linux scripts are designed to avoid non-native utilities (e.g.,net-tools) for maximum compatibility. Sigma coverage depends on whetherauditdis already configured on the target box — see the Linux README.
- Cross-platform forensic artifact collection
- Detection of suspicious activity and anomalies on every platform
- Event Log analysis (Windows)
- Sigma rule integration on all three platforms — coverage and data source vary by OS; see each platform's section below and its own README
- Malware hash and IOC matching, with auto-updating threat-intel feeds
- Structured HTML reporting (with dashboards)
- Optional artifact encryption (Windows, Linux, and macOS)
- Detection Insight with Mitre Mapping
- Forensicator AI (Coming Soon!!!)
Forensicator generates:
- Clean, structured HTML report
- Indexed findings for easy navigation
- Extracted artifacts stored locally
- Detection insight into each finding.
- Suspicious activity statistics with Sigma Rules.
This enables fast transition from data collection → investigation → decision-making.
- Run scripts with elevated/privileged permissions for best results
- Activity may trigger IDS/IPS alerts — this is expected behavior
- External threat intelligence (hashes, IOCs) may be updated during execution
- Configuration can be customized via
config.json
Forensicator supports optional encryption of collected artifacts using AES.
This is useful when:
- Evidence must be transported securely
- Chain-of-custody concerns exist
- Legal integrity of artifacts must be preserved
⚠️ Available on Windows, Linux, and macOS⚠️ Not backward compatible prior to v4.1.1
Forensicator identifies suspicious activity through:
- Event Log analysis
- Sigma-based detections
- Malicious hash matching
- IOC-based URL analysis (browser history)
Full changelog: 👉 https://forensicator.io/changelog.html
Windows: v4.1.6 (May 2026)
- NEW: Added support for PowerShell v5.
- FIX: Improvements and bug fixes.
Linux: v4.1.6
- NEW: Sigma rule engine sourced from real SigmaHQ community rules, evaluated against auditd and journald.
- NEW: Detection engine expanded with deleted-binary execution, credential-file timestomping, world-writable PATH, and package integrity checks.
- NEW: Auto-updating malware hash and malicious URL feeds (abuse.ch, URLhaus).
- NEW: LUKS disk-encryption status check.
- NEW: JSON output for upload to Forensicator Enterprise.
- FIX: Portability and performance fixes across full-disk scans, auth log parsing, and IOC matching.
macOS: v4.1.6
- NEW: Best-effort Sigma rule engine sourced from real SigmaHQ community rules, evaluated against the unified log.
- NEW: Detection engine expanded with deleted-binary execution, kernel/kext integrity status, credential-file timestomping, world-writable PATH, and application code-signature verification checks.
- NEW: Auto-updating malware hash and malicious URL feeds (abuse.ch, URLhaus).
- NEW: Investigation archive + JSON output for upload to Forensicator Enterprise.
- FIX: Portability fixes for BSD-native tooling (stat, shasum) and full-disk scans.Contributions are welcome.
- Open an issue to discuss major changes
- Submit pull requests with clear descriptions
- Focus on accuracy, clarity, and usability
MIT License https://mit.com/licenses/mit/






