Cross-platform Incident Response & Live Forensics Toolkit
Windows (PowerShell) | Linux (Bash) | macOS (Shell)
Built for fast, structured, and actionable forensic investigations.
v4.1.3
Forensicator is a cross-platform incident response and live forensics toolkit.
It is designed to help forensic investigators and incident responders rapidly collect, analyze, and interpret system artifacts during live investigations.
Forensicator:
- Collects system and user activity data
- Detects anomalous behavior and suspicious indicators
- Highlights potential compromise or misconfiguration
- Generates structured, investigation-ready HTML reports
- Advanced Event Log analysis
- Detection of suspicious activity via known Event IDs
- Integration with Sigma rules
- Malware hash matching (e.g., abuse.ch feeds)
- Browser history analysis with IOC matching
- Optional artifact encryption (AES)
- Detection Insight: a summary of each detection, why it matters, the detection logic code, what to look out for in the detection, and the MITRE mapping.
- Sigma rule integration for malicious activity detection
👉 https://github.com/Johnng007/Live-Forensicator/tree/main/Windows
- Lightweight artifact collection
- System and user activity inspection
👉 https://github.com/Johnng007/Live-Forensicator/tree/main/MacOS
- Cross-distro compatible Bash scripts
- Uses native system utilities (no heavy dependencies)
- Focus on portability and reliability
👉 https://github.com/Johnng007/Live-Forensicator/tree/main/Linux
⚠️ Note: Linux scripts are designed to avoid non-native utilities (e.g., net-tools) for maximum compatibility.
- Cross-platform forensic artifact collection
- Detection of suspicious activity and anomalies
- Event Log analysis (Windows)
- Sigma rule integration
- Malware hash and IOC matching
- Structured HTML reporting (with dashboards)
- Optional artifact encryption (Windows module)
- Detection Insight with Mitre Mapping
- Forensicator AI (Coming Soon!!!)
Forensicator generates:
- Clean, structured HTML report
- Indexed findings for easy navigation
- Extracted artifacts stored locally
- Detection insight into each finding.
- Suspicious activity statistics with Sigma Rules.
This enables fast transition from data collection → investigation → decision-making.
- Run scripts with elevated/privileged permissions for best results
- Activity may trigger IDS/IPS alerts — this is expected behavior
- External threat intelligence (hashes, IOCs) may be updated during execution
- Configuration can be customized via config.json
Forensicator supports optional encryption of collected artifacts using AES.
This is useful when:
- Evidence must be transported securely
- Chain-of-custody concerns exist
- Legal integrity of artifacts must be preserved
⚠️ Currently available only in the Windows module
⚠️ Not backward compatible prior to v4.1.1
Forensicator identifies suspicious activity through:
- Event Log analysis
- Sigma-based detections
- Malicious hash matching
- IOC-based URL analysis (browser history)
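As an added illustration of the hash matching and IOC-based URL analysis listed above (example code written for this page, not the toolkit's own PowerShell or Bash, and in Python only so that it runs unchanged on all three platforms): it parses two constructed feeds, hashes files and checks them against the hash feed, and compares the parsed host of each browser-history URL against IOC domains rather than doing a raw substring search. The "comment lines plus one indicator per line" feed layout, the sample feeds and the sample history are all constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

def parse_feed(text):
    """Plain-text feed: '#' lines are comments, one indicator per line."""
    return {ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:  # stream so large artifacts are not read whole
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def match_file_hashes(paths, bad_hashes):
    """Return [(path, sha256)] for every file whose digest is on the feed."""
    hits = []
    for p in paths:
        digest = sha256_file(p)
        if digest in bad_hashes:
            hits.append((str(p), digest))
    return hits

def match_history_urls(urls, bad_domains):
    """Return [(url, ioc)] where the URL host is the IOC domain or a subdomain.
    Comparing the parsed host, not the raw URL, avoids flagging 'notevil.example'
    or a search URL that merely mentions the IOC in its query string."""
    hits = []
    for url in urls:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        for d in bad_domains:
            if host == d or host.endswith("." + d):
                hits.append((url, d))
                break
    return hits
# Constructed sample data; not real threat intelligence.
BAD_SAMPLE = b"constructed stand-in for a known-malicious file\n"
HASH_FEED = "# constructed feed, one SHA256 per line\n" + hashlib.sha256(BAD_SAMPLE).hexdigest() + "\n"
DOMAIN_FEED = "# constructed IOC domain list\nevil.example\n"
HISTORY = ["https://evil.example/login", "https://cdn.evil.example/p.bin",
           "https://notevil.example/", "https://search.example/?q=evil.example"]
def demo_hash_scan(workdir=None):
    d = Path(workdir or tempfile.mkdtemp())  # one flagged file, one benign file
    (d / "dropped.bin").write_bytes(BAD_SAMPLE)
    (d / "notes.txt").write_bytes(b"benign content\n")
    return match_file_hashes(sorted(d.glob("*")), parse_feed(HASH_FEED))
```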
Full changelog: 👉 https://forensicator.io/changelog.html
Windows: v4.1.3 (May 2026)
- NEW: Improved Dashboard UI/UX.
- IMPROVED: Sigma Rule Support.
- IMPROVED: Script Readability.
Contributions are welcome.
- Open an issue to discuss major changes
- Submit pull requests with clear descriptions
- Focus on accuracy, clarity, and usability
MIT License https://mit.com/licenses/mit/