Skip to content

Johnng007/Live-Forensicator

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

296 Commits
Linux
Linux
 
 
MacOS
MacOS
 
 
Windows
Windows
 
 
styles
styles
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 

Repository files navigation

🛡️ Forensicator 🛡️

Cross-platform Incident Response & Live Forensics Toolkit
Windows (PowerShell) | Linux (Bash) | macOS (Shell)

Built for fast, structured, and actionable forensic investigations. 

___________                                .__               __                
\_   _____/__________   ____   ____   _____|__| ____ _____ _/  |_  ___________ 
 |    __)/  _ \_  __ \_/ __ \ /    \ /  ___/  |/ ___\\__  \\   __\/  _ \_  __ \
 |     \(  <_> )  | \/\  ___/|   |  \\___ \|  \  \___ / __ \|  | (  <_> )  | \/
 \___  / \____/|__|    \___  >___|  /____  >__|\___  >____  /__|  \____/|__|   
     \/                    \/     \/     \/        \/     \/                    

                                                                        v4.1.2

🤔 About

Forensicator is a cross-platform incident response and live forensics toolkit, part of the Black Widow Toolbox.

It is designed to help forensic investigators and incident responders rapidly collect, analyze, and interpret system artifacts during live investigations.

Forensicator:

  • Collects system and user activity data
  • Detects anomalous behavior and suspicious indicators
  • Highlights potential compromise or misconfiguration
  • Generates structured, investigation-ready HTML reports

⚙️ Platform Support

🖳 Windows (PowerShell)

  • Advanced Event Log analysis
  • Detection of suspicious activity via known Event IDs
  • Integration with Sigma rules
  • Malware hash matching (e.g., abuse.ch feeds)
  • Browser history analysis with IOC matching
  • Optional artifact encryption (AES)
  • Detection Insight - A summary of the detection, why the detection matters, the detection logic code, what to look pout for in the detection and the Mitre Mapping.
  • Forensicator AI - This is aimed to give you tailored insight on the detection (Coming Soon!!!)

👉 https://github.com/Johnng007/Live-Forensicator/tree/main/Windows

🍎 macOS (Shell)

  • Lightweight artifact collection
  • System and user activity inspection

👉 https://github.com/Johnng007/Live-Forensicator/tree/main/MacOS

🐧 Linux (Bash)

  • Cross-distro compatible Bash scripts
  • Uses native system utilities (no heavy dependencies)
  • Focus on portability and reliability

👉 https://github.com/Johnng007/Live-Forensicator/tree/main/Linux

⚠️ Note: Linux scripts are designed to avoid non-native utilities (e.g., net-tools) for maximum compatibility.

🔍 Key Features

  • Cross-platform forensic artifact collection
  • Detection of suspicious activity and anomalies
  • Event Log analysis (Windows)
  • Sigma rule integration
  • Malware hash and IOC matching
  • Structured HTML reporting (with dashboards)
  • Optional artifact encryption (Windows module)
  • Detection Insight with Mitre Mapping
  • Forensicator AI (Coming Soon!!!)

📊 Output

Forensicator generates:

  • Clean, structured HTML reports
  • Indexed findings for easy navigation
  • Extracted artifacts stored locally
  • Detection insight into each finding.

This enables fast transition from data collection → investigation → decision-making.

⚠️ Important Notes

  • Run scripts with elevated/privileged permissions for best results
  • Activity may trigger IDS/IPS alerts — this is expected behavior
  • External threat intelligence (hashes, IOCs) may be updated during execution
  • Configuration can be customized via config.json

🔐 Artifact Integrity & Encryption

Forensicator supports optional encryption of collected artifacts using AES.

This is useful when:

  • Evidence must be transported securely
  • Chain-of-custody concerns exist
  • Legal integrity of artifacts must be preserved

⚠️ Currently available only in the Windows module ⚠️ Not backward compatible prior to v4.1.1

🧠 Detection Capabilities

Forensicator identifies suspicious activity through:

  • Event Log analysis
  • Sigma-based detections
  • Malicious hash matching
  • IOC-based URL analysis (browser history)

📸 Screenshots

Terminal Output
HTML Dashboard


image
image

✨ Changelog

Full changelog: 👉 https://github.com/Johnng007/Live-Forensicator/wiki/Changelog

Windows: v4.1.2 (13/04/2026)
- NEW: Added Forensicator Insights with Mitre Mapping.
- IMPROVED: Sigma Rule Support.
- IMPROVED: Script Readability.

Windows: v4.1.1 (23/03/2026)

- NEW: Sigma rule support
- NEW: Malware hash updates (abuse.ch)
- NEW: Script execution logging
- NEW: BitLocker key collection
- IMPROVED: Encryption/Decryption
- IMPROVED: Browser history & IOC detection
- IMPROVED: Updated to modern commands

Linux v4.1.1 (31/03/2026)

- IMPROVED: Fixed some carriage return errors.
- NEW: Added malicious executable check.
- NEW: Added malicious shell commands check.

🧰 More Tools (Black Widow Toolbox)

🤝 Contributing

Contributions are welcome.

  • Open an issue to discuss major changes
  • Submit pull requests with clear descriptions
  • Focus on accuracy, clarity, and usability

📄 License

MIT License https://mit.com/licenses/mit/

☕ Support

🔗 Connect

LinkedIn

About

Cross-platform incident response and live forensics toolkit with built-in detection, structured analysis, and report generation — designed for fast, actionable security investigations.

Topics

macos linux bash log4j powershell incident-response forensics linux-shell forensics-investigations eventlogs ransomeware live-forensic forensicator eventlog-analysis

Resources

Readme
Activity

Stars

617 stars

Watchers

19 watching

Forks

90 forks
Report repository

Releases 9

Nightingale Release Latest
Mar 23, 2026
+ 8 releases

Packages

 
 
 

Contributors

Languages