Johnng007/Live-Forensicator

A suite of Tools to aid Incidence Response and Live Forensics for - Windows (Powershell) | Linux (Bash) | MacOS (Shell)
📝 Forensicator 📝


WINDOWS(PowerShell) | LINUX(Bash) | MacOS(Bash)


SCRIPTS TO AID LIVE FORENSICS & INCIDENT RESPONSE

___________                                .__               __                
\_   _____/__________   ____   ____   _____|__| ____ _____ _/  |_  ___________ 
 |    __)/  _ \_  __ \_/ __ \ /    \ /  ___/  |/ ___\\__  \\   __\/  _ \_  __ \
 |     \(  <_> )  | \/\  ___/|   |  \\___ \|  \  \___ / __ \|  | (  <_> )  | \/
 \___  / \____/|__|    \___  >___|  /____  >__|\___  >____  /__|  \____/|__|   
     \/                    \/     \/     \/        \/     \/                    

                                                                        v4.0.1        

🤔 ABOUT

Live Forensicator is part of the Black Widow Toolbox. Its aim is to assist forensic investigators and incident responders in carrying out a quick live forensic investigation.

It achieves this by gathering a range of system information for later review for anomalous behaviour or unexpected data entries. It also looks for unusual files or activities and points them out to the investigator.

It is paramount to note that these scripts have no inbuilt intelligence: it is left to the investigator to analyse the output and either reach a conclusion or decide to carry out a deeper investigation.

🖳 Forensicator For WINDOWS

The Windows version of Forensicator is written in PowerShell.

Forensicator for Windows has the added ability to analyse Event Logs: it queries the event logs for certain event IDs that might point to unusual activity or a compromise.
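The event-log triage described above, as an added example (this is not Forensicator's own code and does not reproduce its config.json): it pulls a handful of high-signal Security and System events from the last 24 hours with Get-WinEvent, flags process-creation events whose command line mentions an executable from a watch list, and writes both result sets to CSV for the investigator to review. The event IDs are standard Windows ones; the watch list and output directory are constructed for the illustration.

```powershell
# Added example, not Forensicator's code. Run from an elevated PowerShell.
# Event IDs: 4624/4625 logon success/failure, 4688 process creation,
# 4720 user account created, 1102 audit log cleared, 7045 service installed.
# The watch list is a constructed illustration; Forensicator keeps its own
# list in config.json, which is not reproduced here.

$Hours     = 24
$Since     = (Get-Date).AddHours(-$Hours)
$WatchList = @('mimikatz.exe', 'psexec.exe', 'procdump.exe', 'certutil.exe')
$OutDir    = Join-Path (Get-Location) 'triage'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Security log: logons, process creation, account management, log clearing
$SecurityEvents = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625, 4688, 4720, 1102
    StartTime = $Since
} -ErrorAction SilentlyContinue)

# System log: newly installed services, a common persistence mechanism
$SystemEvents = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Id        = 7045
    StartTime = $Since
} -ErrorAction SilentlyContinue)

# 4688 only carries the full command line when "Include command line in
# process creation events" is enabled; otherwise only the image path is
# present, so matching on the image name still works.
$Suspicious = foreach ($e in ($SecurityEvents | Where-Object Id -eq 4688)) {
    $text = $e.Message
    foreach ($name in $WatchList) {
        if ($text -match [regex]::Escape($name)) {
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                Match       = $name
                Summary     = ($text -split "`r?`n")[0]
            }
            break   # one hit per event is enough for triage
        }
    }
}

$AllEvents = $SecurityEvents + $SystemEvents
$AllEvents |
    Select-Object TimeCreated, LogName, Id, ProviderName,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Sort-Object TimeCreated |
    Export-Csv -Path (Join-Path $OutDir 'events.csv') -NoTypeInformation

@($Suspicious) |
    Export-Csv -Path (Join-Path $OutDir 'suspicious_process_creation.csv') -NoTypeInformation

'{0} events collected, {1} watch-list hits, written to {2}' -f $AllEvents.Count, @($Suspicious).Count, $OutDir
```

The -ErrorAction SilentlyContinue on Get-WinEvent matters in practice: when no event in the window matches the filter, the cmdlet raises an error rather than returning an empty set, and the @() wrapper keeps the later .Count arithmetic valid in that case.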

[Check out Forensicator for Windows](https://github.com/Johnng007/Live-Forensicator/tree/main/Windows)

👨‍💻 Forensicator For MacOS

The MacOS version is a shell script.

[Check out Forensicator for MacOS](https://github.com/Johnng007/Live-Forensicator/tree/main/MacOS)

👩‍💻 Forensicator For LINUX

The Linux version is written in Bash.

[Check out Forensicator for Linux](https://github.com/Johnng007/Live-Forensicator/tree/main/Linux)

NOTE:

The Bash code was written for cross-compatibility across Linux distributions, so efforts were made to use OS-native commands and avoid secondary utilities such as net-tools.

✍ General Notes

  • Run the scripts as a privileged user to get value.

  • Forensicator activities may be flagged by IDS or IPS solutions, so take note.

  • The results are output as nicely formatted HTML files with an index file.

  • You can find all extracted artifacts in the script's working directory.

  • Forensicator has the ability to search through all the folders on a system for files whose extensions match those used by well-known ransomware families. This search takes a long time, but it is helpful if the alert you received relates to a ransomware attack.

  • Forensicator can capture network traffic. This is useful when your investigation involves an asset communicating with known malicious IPs; you can load the resulting pcapng file into Wireshark and examine it for C&C servers.

  • Sometimes it is paramount to maintain the integrity of the artifacts, since lawyers may argue that they could have been tampered with in transit to your lab. Forensicator can encrypt the artifact with a unique, randomly generated key using the AES algorithm; specify this with the -ENCRYPTED parameter. You can decrypt it at will, anywhere and at any time, even with another copy of Forensicator; just keep your key safe. This task is performed by the FileCryptography.psm1 file.

NOTE:

This feature is currently only available in the Windows module.

  • In the Windows module, Forensicator looks for suspicious activities within the Event Log: it has a long list of malicious executables and PowerShell commands that it queries the event log against.
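The artifact-encryption idea from the notes above, as an added example (this is not Forensicator's FileCryptography.psm1, and its on-disk layout is its own choice, not the project's): a fresh random key is generated per acquisition, the artifact is encrypted with AES-256-CBC under a random IV, and an HMAC-SHA256 tag over IV and ciphertext is appended so that any modification of the encrypted artifact is detected before decryption is attempted. The key file holds 64 random bytes (32 for AES, 32 for the HMAC) base64-encoded; the file names in the usage lines are illustrative.

```powershell
# Added example, not Forensicator's code. Requires PowerShell 5.0 or later
# (for the [type]::new() syntax). Layout of the .enc file: IV (16) || ciphertext || HMAC tag (32).

function New-ArtifactKey {
    param([Parameter(Mandatory)][string]$KeyPath)
    # 32 bytes for AES-256 plus 32 bytes for the HMAC key, from the OS CSPRNG
    $bytes = New-Object byte[] 64
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    [System.IO.File]::WriteAllText($KeyPath, [Convert]::ToBase64String($bytes))
}

function Get-ArtifactKey {
    param([Parameter(Mandatory)][string]$KeyPath)
    $bytes = [Convert]::FromBase64String((Get-Content -Path $KeyPath -Raw).Trim())
    if ($bytes.Length -ne 64) { throw "Key file $KeyPath has unexpected length" }
    @{ Aes = [byte[]]$bytes[0..31]; Mac = [byte[]]$bytes[32..63] }
}

function Protect-Artifact {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$KeyPath,
        [string]$OutPath = "$Path.enc"
    )
    $k   = Get-ArtifactKey $KeyPath
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256; $aes.Mode = 'CBC'; $aes.Padding = 'PKCS7'
    $aes.Key = $k.Aes
    $aes.GenerateIV()   # fresh random IV for every file
    $plain  = [System.IO.File]::ReadAllBytes($Path)
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    $body   = [byte[]]($aes.IV + $cipher)
    # encrypt-then-MAC: the tag covers the IV and the ciphertext
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($k.Mac)
    $tag  = $hmac.ComputeHash($body)
    [System.IO.File]::WriteAllBytes($OutPath, [byte[]]($body + $tag))
    $OutPath
}

function Unprotect-Artifact {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$KeyPath,
        [Parameter(Mandatory)][string]$OutPath
    )
    $k    = Get-ArtifactKey $KeyPath
    $data = [System.IO.File]::ReadAllBytes($Path)
    # minimum: 16-byte IV + one 16-byte cipher block + 32-byte tag
    if ($data.Length -lt 64) { throw "File too short to be an encrypted artifact" }
    $body = [byte[]]$data[0..($data.Length - 33)]
    $tag  = [byte[]]$data[($data.Length - 32)..($data.Length - 1)]
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($k.Mac)
    $calc = $hmac.ComputeHash($body)
    # compare tags without short-circuiting on the first differing byte
    $diff = 0
    for ($i = 0; $i -lt 32; $i++) { $diff = $diff -bor ($calc[$i] -bxor $tag[$i]) }
    if ($diff -ne 0) { throw "Integrity check failed: wrong key or the artifact was modified" }
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256; $aes.Mode = 'CBC'; $aes.Padding = 'PKCS7'
    $aes.Key = $k.Aes
    $aes.IV  = [byte[]]$body[0..15]
    $cipher  = [byte[]]$body[16..($body.Length - 1)]
    $plain   = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    [System.IO.File]::WriteAllBytes($OutPath, $plain)
    $OutPath
}

# Usage (file names are illustrative):
# New-ArtifactKey -KeyPath .\artifact.key      # move this file off the evidence machine
# Protect-Artifact -Path .\Artifacts.zip -KeyPath .\artifact.key
# Unprotect-Artifact -Path .\Artifacts.zip.enc -KeyPath .\artifact.key -OutPath .\Artifacts.zip
```

Plain AES-CBC on its own only provides confidentiality; the appended HMAC is what lets you demonstrate that the artifact received in the lab is byte-for-byte what left the host, which is the integrity argument the notes above are concerned with. The key file must travel separately from the encrypted artifact, and decryption will refuse to proceed if either the key is wrong or the file was altered.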

🤔 MORE TOOLS

Want to check out other Black Widow Tools?

  1. Anteater - A Python-based web reconnaissance tool. https://github.com/Johnng007/Anteater
  2. Nessus Pro API - A PowerShell script to export and download Nessus scan results via the Nessus API. https://github.com/Johnng007/PowershellNessus

Screenshot

(image: Forensicator)

HTML Output

(images: Forensicator HTML output)

✨ ChangeLog

Windows: v4.0.1 09/06/2024
1. Windows: Adjusted static file references to adapt to the new Forensicator GitHub structure.
2. Linux: Created Forensicator for Linux machines.
3. Re-arranged the directory to show that Forensicator has moved from just a PowerShell tool to a suite of tools.

V4.0 13/02/2024 - Big Update
1. General code improvement and standardization.
2. Output HTML file has been improved greatly.
3. Ability to search individual checks in a table from the HTML output.
4. Ability to export each check to Excel or PDF, or print it, from the HTML output.
5. A new visually stunning HTML output.
6. Added RDP logon history (outgoing & incoming).
7. Changed the config file from config.yml to config.json so the script can use PowerShell's built-in JSON handling.

v3.3.2 13/05/2023
Fixed Windows Defender warning while running Forensicator.
Added config.yml to hold malicious file names, executable names and PowerShell commands.
In the future config.yml may hold more configuration information.

v3.3.1 22/02/2023
Updated the UI.
Added Event Log analysis for logon events, object access, process execution and suspicious activities.
Added automatic update checking.

v3.2.1 29/06/2022
Updated the UI.
Added Event Log analysis.

v3.1.0 27/05/2022
Moved all the binary helpers to a folder.
Added a built-in PowerShell-based browser history extractor.
Added a flag for calling the NirSoft-based browser history extractor in case you need a more robust extraction.
Added a usage switch to show usage options.
Minor bug fixes.

v2.0 25/04/2022
Minor bug fixes.
Added the possibility of encrypting the artifact after acquiring it to maintain integrity.

v1.4 14/04/2022
Added the ability to perform network tracing using netsh trace; the resulting .etl file is converted to pcapng.
Minor bug fixes in the script update.
Added Weblogs as an optional parameter.

v1.3 11/04/2022
Added a feature to check for files whose extensions match those of known ransomware-encrypted files.
You can now check for updates from within the script.
UI update.

v1.2 29/03/2022
Added unattended mode feature.
Added the ability to grab the browsing history of all users.
Minor bug fix.

v1 28/01/2022
Initial Release

Contributing

Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change or add.

License

MIT

Support:

ebuka



Connect with me:

ebuka john onyejegbu