A high-performance digital forensics tool for automated system triage and artifact collection, built in Rust using The Sleuth Kit (TSK) bindings.

Features:
- Fast parallel processing of forensic images
- Support for E01, RAW, and virtual disk formats
- Windows and Linux artifact collection
- Registry analysis and parsing
- Automated system information extraction
- Artifact collection and hashing
- Progress tracking and detailed logging

Requirements:
- Rust 1.70 or higher
- The Sleuth Kit 4.12 or higher
- For Windows: Visual Studio 2019+ with Windows SDK
- For Linux: Development tools and headers

Usage:

    triage <image_path> [options]

    Options:
      -o, --output <dir>    Output directory (default: ./output)
      -t, --threads <num>   Number of threads to use
      -v, --verbose         Enable verbose logging

Example:

    triage /path/to/image.E01 -o case_output -t 8

Windows artifacts:
- Registry hives
- Event logs
- Prefetch files
- User profiles
- Browser history
- System configuration

Linux artifacts:
- System logs
- User data
- Configuration files
- Package information

Project structure:

    forensic-triage/
    ├── src/
    │   ├── image/        # Image handling
    │   ├── artifacts/    # Artifact collection
    │   ├── registry/     # Registry parsing
    │   ├── filesystem/   # Filesystem operations
    │   └── utils/        # Common utilities

Contributing:
- Fork the repository
- Create your feature branch
- Commit your changes
- Push to the branch
- Create a Pull Request