{"id":13845075,"url":"https://github.com/Johnng007/Live-Forensicator","last_synced_at":"2025-07-12T01:31:46.859Z","repository":{"id":37914431,"uuid":"456664353","full_name":"Johnng007/Live-Forensicator","owner":"Johnng007","description":"A suite of Tools to aid Incidence Response and Live Forensics for - Windows (Powershell) | Linux (Bash) | MacOS (Shell) ","archived":false,"fork":false,"pushed_at":"2024-09-27T17:31:18.000Z","size":16845,"stargazers_count":542,"open_issues_count":0,"forks_count":84,"subscribers_count":22,"default_branch":"main","last_synced_at":"2024-11-21T18:37:14.482Z","etag":null,"topics":["bash","eventlog-analysis","eventlogs","forensicator","forensics","forensics-investigations","incident-response","linux","linux-shell","live-forensic","log4j","macos","powershell","ransomeware"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Johnng007.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-02-07T20:23:14.000Z","updated_at":"2024-11-18T09:13:54.000Z","dependencies_parsed_at":"2023-11-30T15:27:49.347Z","dependency_job_id":"7dcf92c1-a3cd-4fda-96d3-502fe9b5faa2","html_url":"https://github.com/Johnng007/Live-Forensicator","commit_stats":null,"previous_names":[],"tags_count":9,"template":false,"template_full_name":null,"purl":"pkg:github/Johnng007/Live-Forensicator","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Johnng007%2FLive-Forensicator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Johnng007%2FLive-Forensicator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Johnng007%2FLive-Forensicator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Johnng007%2FLive-Forensicator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Johnng007","download_url":"https://codeload.github.com/Johnng007/Live-Forensicator/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Johnng007%2FLive-Forensicator/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264923080,"owners_count":23683716,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bash","eventlog-analysis","eventlogs","forensicator","forensics","forensics-investigations","incident-response","linux","linux-shell","live-forensic","log4j","macos","powershell","ransomeware"],"created_at":"2024-08-04T17:03:09.887Z","updated_at":"2025-07-12T01:31:41.785Z","avatar_url":"https://github.com/Johnng007.png","language":"JavaScript","funding_links":["https://ko-fi.com/forensicator"],"categories":["JavaScript"],"sub_categories":[],"readme":"\u003ch1 align=\"center\"\u003e📝 Forensicator 📝\u003c/h1\u003e\n\u003ch3 align=\"center\"\u003e\u003cp\u003e\u003cbr\u003eWINDOWS(PowerShell) | LINUX(Bash) | MacOS(Bash) \u003c/p\u003e\u003cbr\u003e\n  \u003cp\u003eSCRIPTS TO AID LIVE FORENSICS \u0026 INCIDENCE RESPONSE \u003c/p\u003e\u003c/h3\u003e\n                                               \n```bash\n\n\n___________                                .__               __                \n\\_   _____/__________   ____   ____   _____|__| ____ _____ _/  |_  ___________ \n |    __)/  _ \\_  __ \\_/ __ \\ /    \\ /  ___/  |/ ___\\\\__  \\\\   __\\/  _ \\_  __ \\\n |     \\(  \u003c_\u003e )  | \\/\\  ___/|   |  \\\\___ \\|  \\  \\___ / __ \\|  | (  \u003c_\u003e )  | \\/\n \\___  / \\____/|__|    \\___  \u003e___|  /____  \u003e__|\\___  \u003e____  /__|  \\____/|__|   \n     \\/                    \\/     \\/     \\/        \\/     \\/                    \n\n                                                                        v4.0.1        \n\n\n```\n\n\n# 🤔 ABOUT\n\nLive Forensicator is part of the Black Widow Toolbox, it aims to assist Forensic Investigators and Incident responders in carrying out a quick live forensic investigation.\n\u003cp\u003eIt achieves this by gathering different system information for further review for anomalous behavior or unexpected data entry, it also looks out for unusual files or activities and points it out to the investigator.\u003c/p\u003e\n\u003cp\u003eIt is paramount to note that these scripts have no inbuilt intelligence it's left for the investigator to analyze the output and decide on a conclusion or conduct a deeper investigation.\u003c/p\u003e\n\n# 🖳 Forensicator For WINDOWS\n\u003cp\u003eThe windows version of Forensicator is written in Powershell.\u003c/p\u003e\n\u003cp\u003e Forensicator for Windows has added the ability to analyze Event Logs, it queries the event logs for certain log IDs that might point to unusual activity or compromise. \u003c/p\u003e\n\n[Check out Forensicator for Windows](https://github.com/Johnng007/Live-Forensicator/tree/main/Windows)\n\n\n# 👨‍💻 Forensicator For MacOS\n\u003cp\u003eThe MacOS version is a shell script.\u003c/p\u003e\n\n[Check out Forensicator for MacOS](https://github.com/Johnng007/Live-Forensicator/tree/main/MacOS/)\n\n\n# 👩‍💻 Forensicator For LINUX\n\u003cp\u003eThe Linux version is written in Bash.\u003c/p\u003e\n\n[Check out Forensicator for Linux](https://github.com/Johnng007/Live-Forensicator/tree/main/Linux)\n\n\u003e #### NOTE: \n\u003e The Bash codes were written for cross-compatibility across Linux distros so therefore efforts were made to use OS native commands while avoiding secondary utilities like `net-tools`.\n\n\n\n## ✍ General Notes\n* Run the scripts as a privileged user to get value.\u003cbr\u003e\n\n* Forensicator Activities may be flagged by IDS or IPS Solutions so take note.\u003cbr\u003e\n\n* Forensicator results are output in nice-looking html files with an index file. You can find all extracted Artifacts in the script's working directory.\n\n* \u003cp\u003eForensicator Can Search through all the folders within a system looking for files with similar extensions as well-known Ransomware, Albeit this     search can take a long time, but is helpful if the Alert you received is related to a Ransomware attack\u003c/p\u003e\n\n* \u003cp\u003eForensicator can capture network traffic, this is useful when your investigation has to do with assets communicating with known malicious IPs,       this way you can parse the pcapng file to Wireshark and examine for C\u0026C servers.\u003c/p\u003e\n\n* \u003cp\u003eSometimes it may be paramount to maintain the integrity of the Artifacts, where lawyers may argue that they might have been compromised on transit to your lab.\n  Forensicator can encrypt the Artifact with a unique randomly generated key using the AES algorithm, you can specify this by using the -ENCRYPTED parameter. You can   decrypt it at will anywhere anytime even with another copy of Forensicator, just keep your key safe. This task is performed by the FileCryptography.psm1 file\n  \n  \u003e #### NOTE: \n  \u003e This feature is only currently available in the Windows Module..\n  \n  \u003c/p\u003e\n\n* \u003cp\u003eIn the Windows module Forensictor looks out for suspicious activities within the Event Log, it has a long list of malicious executables, and PowerShell commands which it queries the event log against.\u003c/p\u003e\n\n* \u003cp\u003eIn the Windows module Forensictor Matches hashes of executables within the system to malicious hash databases for malware detection, Also browsing history URLs are matched against a list of latest URLs from IOCs for detection.\u003c/p\u003e\n\n\n## Screenshot\n\u003cimg src=\"https://github.com/Johnng007/Live-Forensicator/blob/main/styles/vendors/images/Forensicator_Output.png?raw=true\" alt=\"Forensicator\"  /\u003e \u003cbr\u003e\n## HTML Output\n\u003cimg src=\"https://github.com/Johnng007/Live-Forensicator/blob/main/styles/vendors/images/Forensicator_HTML1.png?raw=true\" alt=\"Forensicator\"  /\u003e \u003cbr\u003e\n\u003cimg src=\"https://github.com/Johnng007/Live-Forensicator/blob/main/styles/vendors/images/Forensicator_HTML2.png?raw=true\" alt=\"Forensicator\"  /\u003e \u003cbr\u003e\n\u003cimg src=\"https://github.com/Johnng007/Live-Forensicator/blob/main/styles/vendors/images/Forensicator_HTML3.png?raw=true\" alt=\"Forensicator\"  /\u003e \u003cbr\u003e\n\u003cbr\u003e\u003c/br\u003e\n\n## ✨ ChangeLog\n[See Wiki](https://github.com/Johnng007/Live-Forensicator/wiki/Changelog) For full Changelog.\n```bash\n\nWindows: v4.0.2 07/08/2024\n1. Windows: Added hash check for malware detection.\n2. Windows: Minor Bug Fixes.\n3. Windows: Added a notification when Forensicator is not running as admin.\n\n```\n\n\n\n## 🤔 MORE TOOLS\nWant to check out other Black Widow Tools?\n1. [Anteater](https://github.com/Johnng007/Anteater) - A Python-based web reconnaissance tool.\n2. [Nessus Pro API](https://github.com/Johnng007/PowershellNessus) - A PowerShell Script to Export and Download Nessus Scan Results via Nessus API. \n\n## Contributing\nPull requests are welcome. For major changes, please open an issue first to discuss what you would like to change or add.\n\n\n\n## License\n[MIT](https://mit.com/licenses/mit/)\n\n\n\u003ch3 align=\"left\"\u003eSupport:\u003c/h3\u003e\n\u003cp\u003e\u003ca href=\"https://ko-fi.com/forensicator\"\u003e \u003cimg align=\"left\" src=\"https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png\" height=\"50\" width=\"210\" alt=\"ebuka\" /\u003e\u003c/a\u003e\u003c/p\u003e\u003cbr\u003e\u003cbr\u003e\n\n\u003ch3 align=\"left\"\u003eConnect with me:\u003c/h3\u003e\n\u003cp align=\"left\"\u003e\n\u003ca href=\"https://www.linkedin.com/in/ebuka-john-onyejegbu\" target=\"blank\"\u003e\u003cimg align=\"center\" src=\"https://raw.githubusercontent.com/rahuldkjain/github-profile-readme-generator/master/src/images/icons/Social/linked-in-alt.svg\" alt=\"ebuka john onyejegbu\" height=\"30\" width=\"40\" /\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FJohnng007%2FLive-Forensicator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FJohnng007%2FLive-Forensicator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FJohnng007%2FLive-Forensicator/lists"}