Skip to content

Johnng007/Live-Forensicator

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

315 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

🛡️ Forensicator 🛡️

Cross-platform Incident Response & Live Forensics Toolkit
Windows (PowerShell) | Linux (Bash) | macOS (Shell)

Built for fast, structured, and actionable forensic investigations.

___________                                .__               __                
\_   _____/__________   ____   ____   _____|__| ____ _____ _/  |_  ___________ 
 |    __)/  _ \_  __ \_/ __ \ /    \ /  ___/  |/ ___\\__  \\   __\/  _ \_  __ \
 |     \(  <_> )  | \/\  ___/|   |  \\___ \|  \  \___ / __ \|  | (  <_> )  | \/
 \___  / \____/|__|    \___  >___|  /____  >__|\___  >____  /__|  \____/|__|   
     \/                    \/     \/     \/        \/     \/                    

                                                                        v4.1.6

image


🤔 About

Forensicator is a cross-platform incident response and live forensics toolkit.

It is designed to help forensic investigators and incident responders rapidly collect, analyze, and interpret system artifacts during live investigations.

Forensicator:

  • Collects system and user activity data
  • Detects anomalous behavior and suspicious indicators
  • Highlights potential compromise or misconfiguration
  • Generates structured, investigation-ready HTML reports

⚙️ Platform Support

🖳 Windows (PowerShell)

  • Advanced Event Log analysis
  • Detection of suspicious activity via known Event IDs
  • Sigma rule engine (1,400+ community rules) evaluated against Security/Sysmon Event Logs
  • Malware hash matching (e.g., abuse.ch feeds)
  • Browser history analysis with IOC matching
  • Optional artifact encryption (AES)
  • Detection Insight - a summary of the detection, why it matters, the detection logic, what to look for, and its MITRE mapping
  • Investigation archive + structured JSON output for Forensicator Enterprise

👉 https://github.com/Johnng007/Live-Forensicator/tree/main/Windows


🍎 macOS (Shell)

  • Detection engine covering reverse shells, SIP/Gatekeeper/kext tampering, PATH hijacking, deleted-binary execution, credential timestomping, and more
  • Best-effort Sigma rule engine sourced from real SigmaHQ community rules, evaluated against the unified log
  • Malware hash matching and browser history IOC matching, with auto-updating abuse.ch/URLhaus feeds
  • FileVault, SIP, Gatekeeper, TCC, and Signed System Volume integrity checks
  • Application code-signature verification
  • Optional artifact encryption (AES)
  • Investigation archive + structured JSON output for Forensicator Enterprise

👉 https://github.com/Johnng007/Live-Forensicator/tree/main/MacOS

⚠️ Note: macOS restricts real process-creation telemetry to its Endpoint Security Framework, which a plain script cannot access — so Sigma coverage is narrower here than on Windows/Linux. See the macOS README for specifics.


🐧 Linux (Bash)

  • Cross-distro compatible Bash scripts, no non-native dependencies
  • Detection engine covering reverse shells, timestomping, PATH hijacking, deleted-binary execution, package integrity, and more
  • Sigma rule engine sourced from real SigmaHQ community rules, evaluated against auditd and journald where available
  • Malware hash matching and malicious URL matching, with auto-updating abuse.ch/URLhaus feeds
  • LUKS disk-encryption status and credential-file tampering timeline
  • Optional artifact encryption (AES)
  • Structured JSON output for Forensicator Enterprise

👉 https://github.com/Johnng007/Live-Forensicator/tree/main/Linux

⚠️ Note: Linux scripts are designed to avoid non-native utilities (e.g., net-tools) for maximum compatibility. Sigma coverage depends on whether auditd is already configured on the target box — see the Linux README.


🔍 Key Features

  • Cross-platform forensic artifact collection
  • Detection of suspicious activity and anomalies on every platform
  • Event Log analysis (Windows)
  • Sigma rule integration on all three platforms — coverage and data source vary by OS; see each platform's section below and its own README
  • Malware hash and IOC matching, with auto-updating threat-intel feeds
  • Structured HTML reporting (with dashboards)
  • Optional artifact encryption (Windows, Linux, and macOS)
  • Detection Insight with Mitre Mapping
  • Forensicator AI (Coming Soon!!!)

📊 Output

Forensicator generates:

  • Clean, structured HTML report
  • Indexed findings for easy navigation
  • Extracted artifacts stored locally
  • Detection insight into each finding.
  • Suspicious activity statistics with Sigma Rules.

This enables fast transition from data collection → investigation → decision-making.


⚠️ Important Notes

  • Run scripts with elevated/privileged permissions for best results
  • Activity may trigger IDS/IPS alerts — this is expected behavior
  • External threat intelligence (hashes, IOCs) may be updated during execution
  • Configuration can be customized via config.json

🔐 Artifact Integrity & Encryption

Forensicator supports optional encryption of collected artifacts using AES.

This is useful when:

  • Evidence must be transported securely
  • Chain-of-custody concerns exist
  • Legal integrity of artifacts must be preserved

⚠️ Available on Windows, Linux, and macOS ⚠️ Not backward compatible prior to v4.1.1


🧠 Detection Capabilities

Forensicator identifies suspicious activity through:

  • Event Log analysis
  • Sigma-based detections
  • Malicious hash matching
  • IOC-based URL analysis (browser history)

📸 Screenshots

Terminal Output Image image
HTML Dashboard image
image
image
image
image

✨ Changelog

Full changelog: 👉 https://forensicator.io/changelog.html

Windows: v4.1.6 (May 2026)
- NEW: Added support for PowerShell v5.
- FIX: Improvements and bug fixes.

Linux: v4.1.6
- NEW: Sigma rule engine sourced from real SigmaHQ community rules, evaluated against auditd and journald.
- NEW: Detection engine expanded with deleted-binary execution, credential-file timestomping, world-writable PATH, and package integrity checks.
- NEW: Auto-updating malware hash and malicious URL feeds (abuse.ch, URLhaus).
- NEW: LUKS disk-encryption status check.
- NEW: JSON output for upload to Forensicator Enterprise.
- FIX: Portability and performance fixes across full-disk scans, auth log parsing, and IOC matching.

macOS: v4.1.6
- NEW: Best-effort Sigma rule engine sourced from real SigmaHQ community rules, evaluated against the unified log.
- NEW: Detection engine expanded with deleted-binary execution, kernel/kext integrity status, credential-file timestomping, world-writable PATH, and application code-signature verification checks.
- NEW: Auto-updating malware hash and malicious URL feeds (abuse.ch, URLhaus).
- NEW: Investigation archive + JSON output for upload to Forensicator Enterprise.
- FIX: Portability fixes for BSD-native tooling (stat, shasum) and full-disk scans.

🤝 Contributing

Contributions are welcome.

  • Open an issue to discuss major changes
  • Submit pull requests with clear descriptions
  • Focus on accuracy, clarity, and usability

📄 License

MIT License https://mit.com/licenses/mit/


☕ Full Usage & WalkThrough

image

🔗 Project Home

image

About

Cross-platform incident response and live forensics toolkit with built-in detection, structured analysis, and report generation — designed for fast, actionable security investigations.

Topics

Resources

Stars

626 stars

Watchers

19 watching

Forks

Packages

 
 
 

Contributors