___________ .__ __
\_ _____/__________ ____ ____ _____|__| ____ _____ _/ |_ ___________
| __)/ _ \_ __ \_/ __ \ / \ / ___/ |/ ___\\__ \\ __\/ _ \_ __ \
| \( <_> ) | \/\ ___/| | \\___ \| \ \___ / __ \| | ( <_> ) | \/
\___ / \____/|__| \___ >___| /____ >__|\___ >____ /__| \____/|__|
\/ \/ \/ \/ \/ \/
v4.0.1
Live Forensicator is part of the Black Widow Toolbox, it aims to assist Forensic Investigators and Incident responders in carrying out a quick live forensic investigation.
It achieves this by gathering different system information for further review for anomalous behavior or unexpected data entry, it also looks out for unusual files or activities and points it out to the investigator.
It is paramount to note that these scripts have no inbuilt intelligence it's left for the investigator to analyze the output and decide on a conclusion or conduct a deeper investigation.
The windows version of Forensicator is written in Powershell.
Forensicator for Windows has added the ability to analyze Event Logs, it queries the event logs for certain log IDs that might point to unusual activity or compromise.
Check out Forensicator for Windows
The MacOS version is a shell script.
Check out Forensicator for MacOS
The Linux version is written in Bash.
Check out Forensicator for Linux
The Bash codes were written for cross-compatibility across Linux distros so therefore efforts were made to use OS native commands while avoiding secondary utilities like
net-tools
.
-
Run the scripts as a privileged user to get value.
-
Forensicator Activities may be flagged by IDS or IPS Solutions so take note.
-
Forensicator results are output in nice-looking html files with an index file. You can find all extracted Artifacts in the script's working directory.
-
Forensicator Can Search through all the folders within a system looking for files with similar extensions as well-known Ransomware, Albeit this search can take a long time, but is helpful if the Alert you received is related to a Ransomware attack
-
Forensicator can capture network traffic, this is useful when your investigation has to do with assets communicating with known malicious IPs, this way you can parse the pcapng file to Wireshark and examine for C&C servers.
-
Sometimes it may be paramount to maintain the integrity of the Artifacts, where lawyers may argue that they might have been compromised on transit to your lab. Forensicator can encrypt the Artifact with a unique randomly generated key using the AES algorithm, you can specify this by using the -ENCRYPTED parameter. You can decrypt it at will anywhere anytime even with another copy of Forensicator, just keep your key safe. This task is performed by the FileCryptography.psm1 file
This feature is only currently available in the Windows Module..
-
In the Windows module Forensictor looks out for suspicious activities within the Event Log, it has a long list of malicious executables, and PowerShell commands which it queries the event log against.
-
In the Windows module Forensictor Matches hashes of executables within the system to malicious hash databases for malware detection, Also browsing history URLs are matched against a list of latest URLs from IOCs for detection.
See Wiki For full Changelog.
Windows: v4.0.2 07/08/2024
1. Windows: Added hash check for malware detection.
2. Windows: Minor Bug Fixes.
3. Windows: Added a notification when Forensicator is not running as admin.
Want to check out other Black Widow Tools?
- Anteater - A Python-based web reconnaissance tool.
- Nessus Pro API - A PowerShell Script to Export and Download Nessus Scan Results via Nessus API.
Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change or add.