OpenForensic v1.0.0-alpha
Pre-releaseOpenForensic : Forensic Software for Systems & Disk
1. Disk Imaging & Acquisition
- Physical sector-by-sector disk imaging
- Logical file-level acquisition
- Output formats: Raw (
.dd), Expert Witness Format (.e01), Advanced Forensic Format (.aff) - Automatic sparse zero-block skipping
- Multi-threaded compression:
zstd,gzip - Configurable block size (KB)
- Read-verification pass after imaging
- Acquisition checkpointing — pause/resume long imaging jobs without corruption
- Software write-blocking enforced at OS kernel boundary:
- Windows:
CreateFileWwithGENERIC_READonly - Linux:
BLKROSET/O_DIRECT - macOS:
/dev/rdiskXread-only device access
- Windows:
2. Live & Volatile Acquisition
- Volume Shadow Copy Service (VSS) live acquisition (Windows) — zero-downtime snapshotting
- OS-locked artifact capture while system is running:
- NTFS
$MFT - Registry hives:
SAM,SYSTEM,SECURITY,SOFTWARE - Windows Event Logs (EVTX)
- NTFS
- Physical RAM capture via
winpmem(Windows),avml(Linux),LiMEkernel modules (Linux, x86_64/aarch64) - Auto-cleanup of VSS snapshots post-acquisition
- Optional VSS-backed physical image creation
3. Rapid System Triage
- One-click volatile state extraction:
- Running processes
- Network connections/sockets
- Loaded kernel modules
- Chrome/Edge browser history database collection
- EVTX / syslog event record collection
- Skip-flags for selective collection (
--no-volatile,--no-registry,--no-browsers,--no-eventlogs)
4. Headless CLI Mode
Full clap-based CLI (--cli flag) for scripted/SOAR/EC2 use, independent of GUI:
| Command | Purpose |
|---|---|
list-devices |
Enumerate physical block devices |
list-volumes |
Enumerate logical OS volumes/mount points |
acquire |
Physical/logical imaging with format, compression, hash, YARA, keyword options |
triage |
Rapid live system collection with optional SIEM export |
live |
VSS live acquisition + RAM capture + locked-file collection |
pgp-keygen |
Generate RSA-4096/Ed25519 signing keypair |
pgp-sign |
Create detached signature for evidence/manifest |
pgp-verify |
Verify detached signature against evidence |
Windows console auto-attach (AttachConsole) for clean stdin/stdout/stderr when invoked from a terminal.
5. Memory Forensics
- Native Volatility 3 integration (subprocess orchestration + real-time log streaming)
- Supported dump formats:
.raw,.vmem,.dmp - Cross-OS profile support: Windows, Linux, macOS
- Profiles:
pslist,netstat,cmdline,filescan,malfind,printkey, etc. - Threat intelligence enrichment during analysis:
- AbuseIPDB IP reputation scoring
- VirusTotal file/process hash lookups
6. Encryption Detection & Key Extraction
- Detection during acquisition (keep in OpenForensic):
- BitLocker (
-FVE-FS-) - LUKS v1 / v2
- Apple FileVault (APFS/CoreStorage)
- Android FBE (Ext4/F2FS fscrypt)
- BitLocker (
7. Timeline Generation
- Chronological artifact reconstruction from an already-acquired disk image
- Parses NTFS
$MFT,$LogFile, Ext4 journal timestamps - Exports unified master timeline as CSV / JSON
8. YARA & Keyword Scanning
- Pure-Rust YARA-X engine
- Real-time pattern matching against custom
.yarrulesets - Simultaneous regex keyword searching
- Runs inline in the broadcast pipeline during disk/memory streaming (acquisition-time alerting, not a separate analysis pass)
9. SIEM & SOC Integration
- Splunk HTTP Event Collector (HEC): structured JSON over HTTPS, HEC bearer token auth
- Wazuh Agent Socket / Syslog: TCP/UDP streaming (default port 1514) or local log queue append
- One-click IR triage: auto-enable SIEM emission during acquisition/triage without slowing collection
- Configurable index/sourcetype/tag, endpoint, and transport type
- Connection test + persisted SIEM config
10. Extensible Plugin Platform
- Native shared library loading:
.so/.dll/.dylibvialibloading+ FFI symbol (_openforensic_plugin_create) - Sandboxed WebAssembly modules via
wasmtime(runtime + cranelift + component-model) - Standardized lifecycle hooks:
pre_acquisition— inspect case metadata, volume geometry, init resourceson_block— invoked per data chunk, non-blocking dispatch to workerspost_acquisition— return custom metrics/hashes embedded into reports
- Plugin management commands: load, list, unload, scan-directory
11. Cryptographic Hashing
- Single-pass, simultaneous 4-algorithm hashing: MD5, SHA-1, SHA-256, SHA-512
- Computed in the same read pass as imaging (no double I/O)
- Checkpointed alongside acquisition state
12. PGP Cryptographic Manifests
- Built-in RFC 4880 OpenPGP engine (no GnuPG dependency) via
sequoia-openpgp - Keypair generation: RSA-4096, Ed25519
- Detached tamper-evident signatures (
.manifest/.sig) - Manifest contents: case metadata, device geometry, SHA-256/SHA-512 digests
- One-click verification: re-hashes evidence, validates against examiner public key
13. Case Management & Reporting
- SQLite case database: evidence tags, investigator notes, device metadata, hashes
- Historical acquisition job review
- Court-admissible report export: HTML and PDF (
printpdf) - Embedded cryptographic verification tables in reports
14. Platform Support
| OS | Minimum Version | Privilege Required |
|---|---|---|
| Windows | (per README) | Administrator (UAC elevation) |
| Linux | — | root (sudo) |
| macOS | 11.0 Big Sur+ | root + Full Disk Access |
Minimum hardware: 4+ cores (parallel SHA-512/YARA compilation), 4GB RAM (8GB+ for Volatility workloads — drops once Analysis Suite split happens), NVMe/SSD destination recommended.
Summary: Post-Split Feature Set
OpenForensic 3.0.0 (acquisition-only) retains: Disk imaging, live/VSS acquisition, RAM capture, triage collection, inline YARA/keyword scanning, SIEM streaming, plugin platform, 4-algorithm hashing, PGP manifests, case management/reporting, CLI (minus ram subcommand), encryption detection (not key extraction).
Migrates to Analysis Suite: Volatility 3 integration, AbuseIPDB/VirusTotal enrichment, RAM master-key extraction, timeline reconstruction, Triage SQL Workbench.