Skip to content

OpenForensic v1.0.0-alpha

Pre-release
Pre-release

Choose a tag to compare

@rootwithkhandal rootwithkhandal released this 02 Jul 09:10
f5044cb

OpenForensic : Forensic Software for Systems & Disk

1. Disk Imaging & Acquisition

  • Physical sector-by-sector disk imaging
  • Logical file-level acquisition
  • Output formats: Raw (.dd), Expert Witness Format (.e01), Advanced Forensic Format (.aff)
  • Automatic sparse zero-block skipping
  • Multi-threaded compression: zstd, gzip
  • Configurable block size (KB)
  • Read-verification pass after imaging
  • Acquisition checkpointing — pause/resume long imaging jobs without corruption
  • Software write-blocking enforced at OS kernel boundary:
    • Windows: CreateFileW with GENERIC_READ only
    • Linux: BLKROSET / O_DIRECT
    • macOS: /dev/rdiskX read-only device access

2. Live & Volatile Acquisition

  • Volume Shadow Copy Service (VSS) live acquisition (Windows) — zero-downtime snapshotting
  • OS-locked artifact capture while system is running:
    • NTFS $MFT
    • Registry hives: SAM, SYSTEM, SECURITY, SOFTWARE
    • Windows Event Logs (EVTX)
  • Physical RAM capture via winpmem (Windows), avml (Linux), LiME kernel modules (Linux, x86_64/aarch64)
  • Auto-cleanup of VSS snapshots post-acquisition
  • Optional VSS-backed physical image creation

3. Rapid System Triage

  • One-click volatile state extraction:
    • Running processes
    • Network connections/sockets
    • Loaded kernel modules
  • Chrome/Edge browser history database collection
  • EVTX / syslog event record collection
  • Skip-flags for selective collection (--no-volatile, --no-registry, --no-browsers, --no-eventlogs)

4. Headless CLI Mode

Full clap-based CLI (--cli flag) for scripted/SOAR/EC2 use, independent of GUI:

Command Purpose
list-devices Enumerate physical block devices
list-volumes Enumerate logical OS volumes/mount points
acquire Physical/logical imaging with format, compression, hash, YARA, keyword options
triage Rapid live system collection with optional SIEM export
live VSS live acquisition + RAM capture + locked-file collection
pgp-keygen Generate RSA-4096/Ed25519 signing keypair
pgp-sign Create detached signature for evidence/manifest
pgp-verify Verify detached signature against evidence

Windows console auto-attach (AttachConsole) for clean stdin/stdout/stderr when invoked from a terminal.

5. Memory Forensics

  • Native Volatility 3 integration (subprocess orchestration + real-time log streaming)
  • Supported dump formats: .raw, .vmem, .dmp
  • Cross-OS profile support: Windows, Linux, macOS
  • Profiles: pslist, netstat, cmdline, filescan, malfind, printkey, etc.
  • Threat intelligence enrichment during analysis:
    • AbuseIPDB IP reputation scoring
    • VirusTotal file/process hash lookups

6. Encryption Detection & Key Extraction

  • Detection during acquisition (keep in OpenForensic):
    • BitLocker (-FVE-FS-)
    • LUKS v1 / v2
    • Apple FileVault (APFS/CoreStorage)
    • Android FBE (Ext4/F2FS fscrypt)

7. Timeline Generation

  • Chronological artifact reconstruction from an already-acquired disk image
  • Parses NTFS $MFT, $LogFile, Ext4 journal timestamps
  • Exports unified master timeline as CSV / JSON

8. YARA & Keyword Scanning

  • Pure-Rust YARA-X engine
  • Real-time pattern matching against custom .yar rulesets
  • Simultaneous regex keyword searching
  • Runs inline in the broadcast pipeline during disk/memory streaming (acquisition-time alerting, not a separate analysis pass)

9. SIEM & SOC Integration

  • Splunk HTTP Event Collector (HEC): structured JSON over HTTPS, HEC bearer token auth
  • Wazuh Agent Socket / Syslog: TCP/UDP streaming (default port 1514) or local log queue append
  • One-click IR triage: auto-enable SIEM emission during acquisition/triage without slowing collection
  • Configurable index/sourcetype/tag, endpoint, and transport type
  • Connection test + persisted SIEM config

10. Extensible Plugin Platform

  • Native shared library loading: .so / .dll / .dylib via libloading + FFI symbol (_openforensic_plugin_create)
  • Sandboxed WebAssembly modules via wasmtime (runtime + cranelift + component-model)
  • Standardized lifecycle hooks:
    • pre_acquisition — inspect case metadata, volume geometry, init resources
    • on_block — invoked per data chunk, non-blocking dispatch to workers
    • post_acquisition — return custom metrics/hashes embedded into reports
  • Plugin management commands: load, list, unload, scan-directory

11. Cryptographic Hashing

  • Single-pass, simultaneous 4-algorithm hashing: MD5, SHA-1, SHA-256, SHA-512
  • Computed in the same read pass as imaging (no double I/O)
  • Checkpointed alongside acquisition state

12. PGP Cryptographic Manifests

  • Built-in RFC 4880 OpenPGP engine (no GnuPG dependency) via sequoia-openpgp
  • Keypair generation: RSA-4096, Ed25519
  • Detached tamper-evident signatures (.manifest / .sig)
  • Manifest contents: case metadata, device geometry, SHA-256/SHA-512 digests
  • One-click verification: re-hashes evidence, validates against examiner public key

13. Case Management & Reporting

  • SQLite case database: evidence tags, investigator notes, device metadata, hashes
  • Historical acquisition job review
  • Court-admissible report export: HTML and PDF (printpdf)
  • Embedded cryptographic verification tables in reports

14. Platform Support

OS Minimum Version Privilege Required
Windows (per README) Administrator (UAC elevation)
Linux root (sudo)
macOS 11.0 Big Sur+ root + Full Disk Access

Minimum hardware: 4+ cores (parallel SHA-512/YARA compilation), 4GB RAM (8GB+ for Volatility workloads — drops once Analysis Suite split happens), NVMe/SSD destination recommended.


Summary: Post-Split Feature Set

OpenForensic 3.0.0 (acquisition-only) retains: Disk imaging, live/VSS acquisition, RAM capture, triage collection, inline YARA/keyword scanning, SIEM streaming, plugin platform, 4-algorithm hashing, PGP manifests, case management/reporting, CLI (minus ram subcommand), encryption detection (not key extraction).

Migrates to Analysis Suite: Volatility 3 integration, AbuseIPDB/VirusTotal enrichment, RAM master-key extraction, timeline reconstruction, Triage SQL Workbench.