DFIR-focused bulk archiving, hashing, validation, and reporting for repeatable digital evidence workflows.
ForensicPack helps forensic labs package evidence collections into verifiable archive sets with manifest generation, integrity checks, and report-ready outputs through both GUI and CLI workflows.
ForensicPack is designed to feel like a real lab utility, not just a script bundle. The interface keeps the intake path, archive settings, hash selections, queue state, and live logging visible in one place so analysts can package and validate evidence with less context switching.
Digital evidence packaging is often pieced together with manual prep, separate hash tools, archive utilities, and inconsistent reporting. ForensicPack turns that into a cleaner, repeatable workflow:
- package evidence sets into investigator-friendly formats
- generate manifests during the same job
- verify output before treating the package as complete
- emit TXT, CSV, and optional JSON reports for handoff and documentation
- resume interrupted sessions from a SQLite-backed state store
- run the same underlying process through GUI or scripted CLI execution
| Capability | What it gives you |
|---|---|
| GUI + CLI parity | One shared engine for analyst use, repeatable SOPs, and automation |
| Multiple archive formats | 7z, ZIP, TAR.GZ, and TAR.BZ2 support |
| Manifest generation | Inventory and hash outputs captured during packaging |
| Archive verification | Post-build integrity validation before closeout |
| Resume support | SQLite-backed recovery for interrupted jobs |
| Dry-run mode | Inventory and planning without creating archive output |
| JSON reporting | Structured output for downstream review or automation |
| Windows EXE path | PyInstaller build support for lab deployment |
Package folders, collections, or selected child items into consistent archive outputs without rebuilding the process from scratch every time.
Validate finished packages before handoff and document what was created, how it was hashed, and whether verification succeeded.
Produce outputs that are easier to reference in notes, transfer documentation, or internal lab reporting.
Use the GUI for day-to-day analyst operations and the CLI when you want the same workflow embedded into a scripted process.
| Format | Password support | Split archives | Verification method |
|---|---|---|---|
| 7z | Yes | Yes | `7z t` |
| ZIP | No | No | `zipfile.testzip()` |
| TAR.GZ | No | No | Full member readback |
| TAR.BZ2 | No | No | Full member readback |
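
The ZIP and TAR verification methods named in the table, sketched as an added example (not ForensicPack's own code). The function names, the `{name: SHA-256}` manifest mapping, and the in-memory sample archives are assumptions constructed for illustration.

```python
import hashlib
import io
import tarfile
import zipfile

def verify_zip(data: bytes):
    """ZIP check: zipfile.testzip() reads every member and checks its CRC-32.
    Returns None when all members pass, else the first failing member name."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.testzip()

def verify_tar(data: bytes, manifest: dict) -> list:
    """TAR check: read every regular member back in full and compare its
    SHA-256 with the manifest (hypothetical {name: hex digest} mapping).
    Returns the names that are mismatched, unlisted, or missing."""
    problems, seen = [], set()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf:
            if not member.isfile():
                continue
            digest = hashlib.sha256()
            stream = tf.extractfile(member)
            for chunk in iter(lambda: stream.read(65536), b""):
                digest.update(chunk)
            seen.add(member.name)
            if manifest.get(member.name) != digest.hexdigest():
                problems.append(member.name)
    return problems + sorted(set(manifest) - seen)

# Constructed sample evidence, built in memory so the example runs offline.
FILES = {"notes.txt": b"constructed sample notes", "disk.bin": b"\x00\x01" * 512}
MANIFEST = {name: hashlib.sha256(body).hexdigest() for name, body in FILES.items()}

def build_zip(files: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()

def build_tar_gz(files: dict) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()
```

`zipfile.testzip()` only checks CRC-32 values and headers, so the hashes recorded in the manifest are what tie archive contents to the original evidence.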
```
cd src
python forensicpack.py
```
or:
```
cd src
python forensicpack.py gui
```

```
cd src
python forensicpack.py pack --source .\TestCases --output .\TestOutput --format zip --hash SHA256
```

```
cd src
python forensicpack.py verify --input .\TestOutput --hash SHA256 --report-json
```

```
python forensicpack.py pack ^
  --source .\Input ^
  --output .\Output ^
  --format 7z ^
  --compression "Normal (5)" ^
  --hash SHA256 ^
  --hash SHA512 ^
  --split ^
  --split-size 4 ^
  --resume ^
  --report-json ^
  --examiner "Examiner Name" ^
  --case-id "2026-001" ^
  --evidence-id "Item-1"
```
- finished archive output for each source item
- embedded manifest text file inside each archive
- `ForensicPack_Report_<timestamp>.txt`
- `ForensicPack_Report_<timestamp>.csv`
- `ForensicPack_Report_<timestamp>.json` when `--report-json` is enabled
- `forensicpack_state.db` when resume/state tracking is used
- Python 3.10+
- 7-Zip installed when using `7z` output or `7z` verification
- Windows + PowerShell for the packaged EXE workflow

Expected 7-Zip paths:
- `C:\Program Files\7-Zip\7z.exe`
- `C:\Program Files (x86)\7-Zip\7z.exe`
```
cd src
python -m pip install -r requirements-dev.txt
```

```
.
├── .github/workflows/   # CI and release automation
├── checksums/           # SHA256 checksum artifacts
├── docs/                # Distribution and operational notes
├── release/windows/     # Built Windows EXE package
└── src/                 # Python source, tests, scripts, assets
    ├── forensicpack.py
    ├── cli.py
    ├── core.py
    ├── gui.py
    ├── scripts/build_windows.ps1
    └── TestCases/
```
Run the suite with:
```
cd src
pytest -q
```
This package revision currently passes:
Run `cd src && pytest -q` to validate in your environment.
```
.\src\scripts\build_windows.ps1
```
Expected build output:
```
src\dist\ForensicPack\ForensicPack.exe
```
- improved handling for locked or inaccessible files
- richer report summaries and lab-facing output templates
- stronger GUI polish and workflow affordances
- drag-and-drop intake improvements
- more operational metadata presets for evidence packaging
- Password protection is only supported for `7z` output.
- Split archives are only supported for `7z` output.
- The packaged EXE does not bundle `7z.exe`; the host still needs a local 7-Zip installation for `7z` operations.
- `gui_settings.json` stores UI preferences, but passwords are not persisted.
ForensicPack is intended for lawful DFIR, digital evidence handling, packaging, transfer, and verification workflows.
Released under the MIT License. See LICENSE.txt.