Help & Documentation

Complete guides for installation, disk imaging, live acquisition, RAM analysis, case management, and CLI automation.

Getting Started with OpenForensic

OpenForensic v2.1.0 is an enterprise-grade, cross-platform digital forensics and incident response (DFIR) desktop application. This guide will help you install, launch, and perform your first evidence acquisition.

Administrator Required: OpenForensic interacts directly with raw block storage and kernel memory. It must always be launched with elevated administrative privileges.

System Requirements

PlatformRequirementPrivilege
🪟 Windows 10 / 11 (64-bit)Bundled winpmem_mini_x64Administrator (UAC)
🐧 Ubuntu 20.04+ / Debian / ArchRaw block device access (/dev/sdX)root / sudo
🍎 macOS 11 Big Sur+Full Disk Access in Privacy settingsroot + Full Disk Access

Minimum Hardware: 4+ CPU cores · 4 GB RAM (8 GB+ for large RAM dumps) · NVMe SSD recommended for acquisition destination.

Installation on Windows

1

Download openforensic.exe from the GitHub Releases page.

2

Launch the application. The embedded UAC manifest will prompt for Administrator elevation. Click Yes.

3

The app opens to the Case Management tab by default. Create or select a case folder before starting acquisition.

4

Navigate to Disk Imaging to select a source device and begin your first acquisition.

Installation on Linux

sudo ./target/release/openforensic
Note: Raw block device access requires root. Ensure your user has permission to access /dev/sdX or /dev/nvme0n1.

Building from Source

git clone https://github.com/rootwithkhandal/OpenForensic.git
cd OpenForensic
npm install
npm run tauri dev      # Development mode with live reload

Uses mise for reproducible Rust 1.85+ and Node.js toolchain management. See mise.toml for task definitions.

Disk Imaging

OpenForensic's Disk Imaging module performs forensically sound, bit-for-bit sector-by-sector and logical file acquisition. The engine enforces read-only access at the OS kernel boundary.

Write-Blocking: On Windows, devices are opened with strictly GENERIC_READ via CreateFileW. On Linux, O_RDONLY | O_DIRECT bypasses page caches and BLKROSET ioctls verify read-only enforcement.

Supported Output Formats

FormatExtensionFeatures
Raw.dd / .imgFlat bit-for-bit copy. Container hash matches stream hash.
EnCase E01.e01Compressed segments with metadata. Industry standard.
Advanced Forensic Format.affCompressed with embedded case metadata and hashes.

Step-by-Step: Acquire a Disk Image

1

Navigate to the 📂 Disk Imaging tab in the sidebar.

2

Select your physical source device from the Source Selector dropdown (e.g., \\.\PhysicalDrive0 on Windows or /dev/sda on Linux).

3

Choose the destination path and output format (Raw, E01, or AFF).

4

Enable desired hash algorithms: SHA-256 (required), SHA-512, MD5, SHA-1. Enable compression (zstd recommended) and sparse zero-block skipping if desired.

5

Optionally attach YARA rulesets (.yar) for real-time IOC alerting during imaging.

6

Click Start Acquisition. Monitor real-time progress, hash computation, and log output. The integrity manifest is automatically generated upon completion.

Understanding Container vs. Stream Hashes

When acquiring to AFF or E01 format, the Post-Acquisition (container) hash will NOT match the stream hash. This is normal — AFF/E01 files include metadata, compressed data, and internal structures that change the file's binary composition.

Integrity of evidence is verified via the acquisition stream hash embedded inside the container. Analysis tools like Autopsy re-compute this hash on decompressed data to confirm integrity.

Live Acquisition

The Live Acquisition module enables zero-downtime evidence collection from a running system. It uses Volume Shadow Copy Service (VSS) on Windows to freeze filesystem state, capturing OS-locked artifacts without rebooting.

Memory First: Always capture RAM before running heavy triage scripts or disk imaging. Running software overwrites unallocated physical memory, destroying volatile evidence.

RAM Capture Process

1

Navigate to 🔴 Live Acquisition tab.

2

Specify an output path. Never write to the target machine's system drive (C:\). Use an external forensic USB drive or network share. When a case workspace is active, output paths are pre-populated to <CaseRoot>/<CaseNumber>/Export/.

3

Check "Capture Physical Memory (RAM)". OpenForensic auto-detects and invokes the appropriate kernel driver: WinPmem (winpmem_mini_x64.exe) on Windows, LiME (lime.ko) on Linux.

4

Click Start Live Acquisition. The driver loads temporarily, reads physical address space, and streams it to a .raw / .img file, then unloads the driver.

Why is My RAM Dump Larger Than Installed RAM?

A system with 16 GB RAM may produce a 16.5–17 GB dump. This is expected behavior caused by Memory-Mapped I/O (MMIO): PCIe devices, ACPI tables, and GPU VRAM are mapped into the CPU's physical address space, pushing the highest physical address past the 16 GB boundary. WinPmem pads these hardware holes with zeros to preserve accurate file offsets for memory analysis tools.

System Triage

The System Triage module provides instantaneous extraction of volatile system state from a running or acquired system. Results are stored in an SQLite database for querying.

What Gets Collected

  • Running processes and their command-line arguments
  • Active and listening network connections (TCP/UDP)
  • Loaded kernel modules and drivers
  • Chrome and Edge browser history databases
  • Windows Event Logs (EVTX) and syslog event records

Triage SQL Workbench

Analysis Mode Required: The interactive SQL Workbench is gated behind Analysis Mode. Click "Switch to Analysis Mode" in the navigation bar to unlock.

Once in Analysis Mode, the SQL Workbench allows you to execute queries directly against the acquired triage_results.db:

-- Find all processes with network connections
SELECT p.name, p.pid, n.remote_addr, n.remote_port
FROM processes p
JOIN network_connections n ON p.pid = n.pid
WHERE n.state = 'ESTABLISHED';

-- Recent browser history
SELECT url, title, visit_time FROM browser_history
ORDER BY visit_time DESC LIMIT 50;

RAM Analysis — Native Rust Volatility Engine

OpenForensic includes a proprietary native Rust memory forensics engine in the volatility/ workspace. It replaces Python-based Volatility 3 with a standalone, in-process analyzer featuring zero external dependencies, in-process real-time streaming, and Rust memory safety guarantees.

Analysis Mode Required: All RAM analysis features are gated behind Analysis Mode to protect active acquisition sessions.

Supported Analysis Profiles

ProfileOSDescription
windows.pslist.PsListWindows x64/x86Enumerates processes via EPROCESS doubly-linked list traversal
windows.netstat.NetStatWindows x64/x86Lists open TCP/UDP connections and listening ports
windows.cmdline.CmdLineWindows x64/x86Extracts process command-line arguments from PEB
windows.filescan.FileScanWindows x64/x86Scans memory pools for open FILE_OBJECT structures
windows.malfind.MalfindWindows x64/x86Detects injected DLLs and hollowed processes via VAD inspection
linux.pslist.PsListLinux x64/ARM64Enumerates kernel tasks via task_struct traversal
mac.pslist.PsListmacOS x64/Apple SiliconEnumerates Darwin kernel processes

Running RAM Analysis

1

Switch to Analysis Mode via the navigation bar toggle.

2

Navigate to the 🧠 RAM Analysis tab.

3

Select your acquired memory dump (.raw, .vmem, .dmp).

4

Choose an analysis profile from the dropdown.

5

Optionally enable AbuseIPDB and VirusTotal API enrichment to flag malicious IPs and suspicious hashes in real time.

6

Click Run Analysis. Results stream in real-time to the UI and are saved to <CaseRoot>/ModuleOutput/.

Case Management & Unified Case Architecture

OpenForensic implements a native Unified Forensic Case Folder Architecture, ensuring every disk image, triage database, timeline, and report for a single case resides in one standardized, central directory.

Case Directory Structure

📁 <CaseRoot>/<CaseNumber>/
├── 📁 Cache/         # Temporary indexing, YARA artifacts, scratch space
├── 📁 Export/        # Disk images (.dd, .e01), carved files, timeline CSVs
├── 📁 Log/           # Acquisition logs, audit trails, hash records
├── 📁 ModuleOutput/  # Triage SQLite DBs, Volatility outputs, RAM analysis
├── 📁 Reports/       # HTML, JSON, PDF forensic reports
├── 📄 <CaseName>.ofc # JSON case container manifest (v2.1.0)
└── 🗄️ openforensic.db # Portable per-case SQLite database

Creating a New Case

1

The app opens to 📁 Case Management by default. Click "+ New Case Folder".

2

Enter Case Number, Case Name, and Examiner Name. Browse to a destination root directory.

3

Click Create. The standardized folder tree is created instantly.

4

Click "Set Active Workspace" to bind the case. All subsequent acquisition and analysis outputs are automatically routed to the correct subdirectories.

Portable by Design: The entire case folder can be copied to an encrypted USB drive or network share. Another investigator can open it on a different workstation — no database import scripts required. The openforensic.db inside the case folder is fully self-contained.

Capture Mode vs. Analysis Mode

OpenForensic enforces a strict defense-in-depth boundary between data acquisition and post-acquisition analysis to protect chain-of-custody and prevent evidence modification during active field collections.

Default: Capture Mode 🟢

On launch, the application operates in read-only Capture Mode. Only non-invasive physical/logical acquisition, cryptographic hashing, and general utilities are active. External network connections are blocked.

Switching to Analysis Mode 🔴

1

Look at the top navigation bar — the status badge shows 🟢 Capture Mode.

2

Click "Switch to Analysis Mode". A confirmation dialog appears: "Switching to Analysis Mode unlocks deep analysis features... Do you wish to proceed?"

3

Click Confirm. The badge updates to 🔴 Analysis Mode Active and all analysis tabs unlock.

Analysis Mode Features Unlocked

  • ⚡ Triage SQL Workbench
  • 🧠 Native Rust Volatility RAM Analysis
  • ⏱️ Timeline Generator (NTFS MFT, Ext4 journals)
  • 🛡️ AbuseIPDB & VirusTotal IOC enrichment
  • 🛡️ Splunk HEC & Wazuh SIEM streaming
  • 🔑 RAM Master-Key extraction (BitLocker VMK, LUKS)
Audit Logging: Every mode transition is recorded in the SQLite audit_logs table with timestamp and examiner ID for court-admissible chain-of-custody compliance.

Cryptographic Hash Verification

OpenForensic performs simultaneous multi-algorithm streaming hash verification at three stages of the acquisition lifecycle to ensure bit-for-bit evidence integrity.

The Three Hashing Stages

StageWhenPurpose
Pre-AcquisitionBefore imaging startsBaseline fingerprint of the source device before any copy operations
Acquisition (Stream)During read, block-by-blockHash of raw uncompressed data stream — the true evidence hash
Post-Acquisition (Container)After image is writtenHash of the resulting file on disk — verifies file integrity during storage/transfer

Why AFF/E01 Container Hashes Differ from Stream Hashes

This is normal and expected. AFF and E01 containers include compressed data, embedded case metadata, internal segment headers, and the stream hash itself — all of which change the file's binary composition vs. a flat raw copy.

  • To verify evidence integrity: Use the acquisition stream hash embedded inside the container. Analysis tools (Autopsy, EnCase) verify this automatically.
  • To verify file integrity: Use the container hash to confirm the file wasn't corrupted during storage or network transfer.

CLI Reference

OpenForensic includes a native command-line interface for headless forensic automation — ideal for AWS EC2 cloud triage, remote SSH investigations, or SOAR pipeline integration.

Common Commands

# List detected physical block devices
openforensic --cli list-devices

# E01 acquisition with zstd compression and SHA-256/SHA-512 hashing
openforensic --cli acquire \
  --source \\.\PhysicalDrive0 \
  --dest D:\evidence\disk.e01 \
  --format e01 \
  --compression zstd \
  --hashes md5,sha256,sha512

# Rapid live triage with Splunk HEC SIEM streaming (Analysis Mode)
openforensic --cli --mode analysis triage \
  --dest C:\triage_output \
  --siem-export \
  --siem-type splunk_hec \
  --siem-endpoint https://splunk.example.com:8088 \
  --siem-token <HEC_TOKEN>

# RAM analysis with AbuseIPDB enrichment (Analysis Mode)
openforensic --cli --mode analysis ram \
  --dump memory.raw \
  --profile windows.pslist.PsList \
  --ioc-enrich

# Generate and sign an integrity manifest
openforensic --cli acquire \
  --source /dev/sda \
  --dest /mnt/evidence/drive.raw \
  --format raw \
  --hashes md5,sha1,sha256,sha512 \
  --sign-manifest \
  --key /keys/openforensic_hmac.key

# Verify a manifest
openforensic --cli verify-manifest \
  --manifest /mnt/evidence/drive.raw.sig \
  --pubkey /keys/openforensic_hmac.pub
SIEM Validation: When --siem-export is activated, supplying a target --siem-endpoint is strictly required by clap (required_if_eq). SIEM endpoints default to empty strings in compiled binaries to prevent accidental leakage.

Keyed Cryptographic Integrity Manifests

OpenForensic generates HMAC-SHA256 keyed integrity manifests that mathematically bind evidence containers to the investigating examiner — producing tamper-evident signatures for court admissibility without requiring heavy OpenPGP tooling.

What a Manifest Contains

  • Case ID, Evidence Tag, Examiner Name, Agency Name, and acquisition timestamps
  • Source device path, serial number, sector size, and total byte count
  • Cryptographic hashes (MD5, SHA-1, SHA-256, SHA-512) of the acquired image
  • HMAC-SHA256 integrity seal generated with the investigator's 256-bit secret key

Generating a Keypair

1

Navigate to the 🔑 PGP Keys & Manifests tab.

2

Enter your Investigator Name and Agency Email, then click ⚡ Generate Keypair.

3

The ASCII-armored secret key and verification token appear instantly. The key fingerprint is shown for reference.

Key Security: Back up openforensic_hmac.key to a secure encrypted offline USB. Never distribute your secret key — provide only the Verification Token (openforensic_hmac.pub) to external parties.

Verifying a Manifest

1

Load the Verification Token from the acquiring investigator in the Key Management panel.

2

In the Manifest Verification panel, browse to the .manifest or .sig file.

3

Click 🛡️ Verify Manifest. OpenForensic displays VALID INTEGRITY SEAL or INTEGRITY VIOLATION.