Live-Forensicator is a toolkit intended for live forensic collection and initial triage on Windows machines. It automates the capture of volatile information—running processes, network connections, loaded drivers, account sessions, and in-memory artifacts—into a consistent artifact set that investigators can analyze offline. The tool tries to be non-invasive while collecting sensitive data quickly and logs the collection steps to preserve chain-of-custody details and to help auditors understand potential collection side effects. Because live collection can alter system state, Live-Forensicator includes options to limit intrusive actions and to capture hashes, timestamps, and provenance metadata to aid later validation. The output bundles are often compatible with other forensic parsers and workflows, which helps teams move from initial triage to deep-dive forensic analysis without re-running collection tasks.
Features
- For Windows: PowerShell module that retrieves system info, event logs (looking for particular IDs), hashes of executables, PowerShell commands, browsing history, etcetera
- For Linux/macOS: Bash/shell scripts using native commands to gather similar forensic-relevant info, hunting for unusual files, collecting system config, logs etcetera
- Option to encrypt collected artifacts using AES with a randomly generated key (on Windows) to preserve confidentiality/integrity during transport etcetera
- Ability to capture network traffic (pcapng) for further analysis in tools like Wireshark
- HTML report output including an index file, so the collected artifacts are organized in working directory with easy navigation
- Ability to search through the system for files with certain extensions like known ransomware file types, looking for anomalies or possible malicious files etcetera
Project Samples
