DFIR  ·  DISK IMAGING  ·  MEMORY FORENSICS  ·  v2.1.0

Enterprise-Grade
Digital Forensics Suite

Physical disk cloning, live volatile triage, deep memory analysis, IOC scanning, and automated chain-of-custody reporting — all in one write-blocked investigation suite built in Rust.

Windows 10 / 11 (64-bit) Ubuntu 20.04+ · Debian · Arch macOS 11 Big Sur+
openforensic — acquisition log
$ openforensic --cli acquire --source \\.\PhysicalDrive0 --dest D:\evidence\disk.e01 --format e01 --hashes sha256,sha512
[2026-07-09 11:02:14] Acquiring sector-by-sector  ⟶  E01 (zstd compressed)
[2026-07-09 11:02:14] Write-blocker engaged  ·  GENERIC_READ only
[2026-07-09 11:18:42] Progress: 512.00 GB / 512.00 GB  ·  100%
SHA-256   e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA-512   cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
STATUS   ✓ VERIFIED — Stream hash matches acquisition hash. Chain of custody sealed.

Core Modules

Complete Forensic Investigation Suite

Every tool an investigator needs — from first evidence capture to court-ready reporting — in a single write-blocked Rust application.

📂 Disk Imaging

Sector-by-sector physical and logical acquisition. Supports Raw (.dd), E01, and AFF formats with multi-threaded zstd / gzip compression and sparse zero-block skipping.

E01 Raw .dd AFF YARA-X

🔴 Live Acquisition

Zero-downtime live evidence collection via VSS Shadow Copy on Windows. Safely captures NTFS MFT, Registry Hives (SAM, SYSTEM, SECURITY), and Event Logs.

VSS WinPmem LiME

⚡ System Triage

Instant extraction of volatile state: running processes, network connections, browser histories, and EVTX event logs. Includes an interactive Triage SQL Workbench for in-app SQLite queries.

SQL Workbench EVTX

🧠 RAM Analysis

Built-in Native Rust Volatility Engine — no Python, no pip. Analyzes .raw, .vmem, .dmp dumps with real-time log streaming. Supports pslist, malfind, netstat, cmdline, filescan.

Rust Native No Python Malfind

🛡️ Threat Intelligence

Real-time IOC enrichment via AbuseIPDB reputation scores and VirusTotal hash lookups during memory analysis. Direct SIEM ingestion to Splunk HEC and Wazuh.

AbuseIPDB VirusTotal Splunk HEC Wazuh

🔐 Cryptographic Integrity

Single-pass multi-threaded SHA-256, SHA-512, MD5, and SHA-1 hashing. HMAC-SHA256 keyed integrity manifests generate tamper-evident .manifest / .sig seals for court admissibility.

SHA-256 SHA-512 HMAC-SHA256

Defense-in-Depth Architecture

Capture Mode vs. Analysis Mode

OpenForensic enforces a strict forensic boundary between data acquisition and post-acquisition analysis to guarantee chain-of-custody integrity.

Capture Mode Default

Read-only acquisition. Active on launch. No network connections, no evidence modification.

  • Physical & logical disk acquisition (Raw, E01, AFF)
  • Hardware & software write-blocking
  • Multi-algorithm hashing (SHA-256, SHA-512, MD5, SHA-1)
  • YARA-X rule scanning during imaging
  • Case management & chain-of-custody logging
Click to
unlock
Analysis Mode Requires confirmation

Unlocks post-acquisition investigative suites, external network connections, and deep analytical tools.

  • Interactive Triage SQL Workbench
  • Native Rust Volatility RAM analysis
  • Timeline Generator (NTFS MFT, Ext4 journals)
  • AbuseIPDB & VirusTotal IOC enrichment
  • Splunk HEC & Wazuh real-time SIEM streaming

ⓘ   Every mode transition is cryptographically logged in the SQLite audit_logs table for court admissibility.

Architecture

Asynchronous Tokio Pipeline

OpenForensic separates disk reading, cryptographic hashing, IOC scanning, and file writing into distinct asynchronous processing streams managed by Tokio runtime channels — achieving maximum I/O throughput without blocking.

  • #![deny(clippy::unwrap_used)] — Zero-panic forensic reliability guarantee at compile time
  • Extensible native plugin platform with .so / .dll / .dylib lifecycle hooks
  • Autopsy-style unified case folder architecture with portable SQLite per-case databases
headless CLI mode — analysis pipeline
# Enumerate block devices
openforensic --cli list-devices
# E01 imaging with SHA-256
openforensic --cli acquire \
--source \\.\PhysicalDrive0 \
--dest D:\evidence\disk.e01 \
--format e01 --hashes sha256
# RAM analysis (Analysis Mode)
openforensic --cli --mode analysis \
ram --dump memory.raw \
--profile windows.malfind.Malfind \
--ioc-enrich
v2.1.0
Latest Stable Release
Windows · Linux · macOS
Cross-Platform Support
#![deny(unwrap_used)]
Zero-Panic Guarantee
Pure Rust
No Python Dependencies

Ready to start your investigation?

Download OpenForensic v2.1.0 and start your first case in minutes.

Read the Docs FAQs Download Free