Forensic analysis workstation — NTFS/MFT parsing, file carving, SQLite inspection, encryption detection, timeline reconstruction & case management. Built with Tauri v2 + Rust + SvelteKit. 100% offline — all processing runs locally.
| Module | Status | Description |
|---|---|---|
| Case Manager | ✅ Ready | Create cases, assign operator, track evidence per investigation |
| NTFS Browser | ✅ Ready | Parse MFT from disk images (.dd, .raw, .img), browse folder tree, filter by parent record |
| Inspector | ✅ Ready | SHA-256 / SHA-1 / MD5 hashing, file preview, add to evidence chain |
| Timeline | ✅ Ready | Chronological event log from MFT loads, encryption scans, and manual entries |
| File Carving | ✅ Ready | Signature-based recovery (JPEG, PNG, PDF, ZIP, SQLite, ELF, …) with progress tracking |
| SQLite Manager | ✅ Ready | Browse tables, columns, paginated rows, custom SELECT queries |
| Keyword Search | ✅ Ready | Search evidence notes and findings within the active case |
| Key Findings | ✅ Ready | Bookmarks with tags and notes on files of interest |
| Encrypted Volumes | ✅ Ready | Detect LUKS, BitLocker indicators, and high-entropy regions |
| Report | ✅ Ready | Export HTML & PDF case reports with audit trail |
| About | ✅ Ready | Version info, feature list, offline/privacy statement |
| Module | Status | Description |
|---|---|---|
| Registry Analyzer | ✅ Ready | SAM/SYSTEM/SOFTWARE/NTUSER.DAT — USB history, UserAssist, Shellbags, MRU, Run keys |
| Windows Artifacts | ✅ Ready | Prefetch, LNK, Jump Lists — Windows execution traces |
| Windows EVTX Parser | ✅ Ready | Security event log — 4624/4625 logon, 4688 process, 4104 PowerShell, 7045 service |
| macOS Artifact Analyzer | ✅ Ready | KnowledgeC.db, Unified Log (.logarchive), plist, Spotlight, DataDetectors, TCC |
| Linux Artifacts | ✅ Ready | auth.log, audit.log, syslog, journal, cron, .bash_history |
| Browser Artifacts | ✅ Ready | Chrome/Firefox/Safari/Edge history, downloads from SQLite databases |
| Email Forensics | ✅ Ready | PST/OST mailbox header parsing, folder discovery, message stub extraction |
| Chat Artifacts | ✅ Ready | WhatsApp, Telegram, Signal SQLite message databases |
| Memory Bridge | ✅ Ready | Import Volatility 3 JSON — processes & network connections |
| YARA Scanner | ✅ Ready | Built-in malware rules + custom .yar loading, scan case evidence |
| Anti-Forensics | ✅ Ready | Timestomp, extension mismatch, NTFS ADS, zero-size anomalies, deleted MFT flags |
| Steganography | ✅ Ready | LSB ratio, χ² analysis, metadata anomaly scan on images |
| NSRL Lookup | ✅ Ready | NIST hash set import & known-good filtering |
| PCAP Network Analyzer | ✅ Ready | TCP/UDP/DNS/HTTP flow reconstruction from packet captures |
| Plugin SDK | ✅ Ready | Rust ForensicPlugin trait — hash, entropy, strings built-ins |
| Hex Search | ✅ Ready | Byte pattern search (hex:FF D8 FF) across evidence files |
| Cross-Platform Acquisition | ✅ Ready | Auto-detect Windows/Linux/macOS evidence folders — one-click scan all modules |
| Super Timeline | ✅ Ready | Multi-source correlated timeline (NTFS, registry, browser, YARA, memory, EVTX, PCAP) |
| Timeline Gantt | ✅ Ready | Gantt-style multi-source timeline with source-colored bars |
| Evidence Bundle Export | ✅ Ready | ZIP package — evidence files + SHA-256 manifest + HTML/PDF report |
| Deleted Recovery | ✅ Ready | Recover deleted files from NTFS browser via integrated carving |
| Theme Toggle | ✅ Ready | Light / dark mode (☀/☾ in titlebar) |
| Drag & Drop | ✅ Ready | Drop evidence files onto workspace — auto-hash in Inspector |
| OS | Artifacts Analyzed |
|---|---|
| Windows | NTFS/MFT, Registry hives, EVTX, Prefetch/LNK/Jump Lists, Anti-Forensics, BitLocker |
| Linux | auth.log, audit.log, syslog, journal, cron, .bash_history |
| macOS | KnowledgeC, plist, Unified Logs, TCC, Spotlight, Safari history |
| All platforms | Browser, Chat (WhatsApp/Telegram/Signal), Email (PST/OST), YARA, Carving, SQLite, PCAP |
┌─────────────────────────────────────────────────────────────┐
│ Titlebar — search, case pill, export │
├──────────┬──────────────────────────────┬───────────────────┤
│ Sidebar │ Main view (tabbed) │ Inspector │
│ Sources │ NTFS / SQLite / Carving … │ Hash + Evidence │
│ Views │ │ │
│ Evidence │ │ │
├──────────┴──────────────────────────────┴───────────────────┤
│ Status bar — case stats, file count, audit shortcut │
└─────────────────────────────────────────────────────────────┘
All forensic engines run inline in Rust (no external CLI dependencies).
Create and switch between forensic cases. Each case isolates evidence, timeline, bookmarks, and audit log.
Load a disk image, parse the Master File Table, and browse the reconstructed directory tree. Deleted entries are flagged.
How to use: Sidebar → Add Image → select .dd / .raw / .img → browse files in the main pane. Click a row to inspect hashes in the right panel.
Real-time hashing from the Rust backend. Add artifacts to the evidence chain with tags and notes.
The Inspector pane is visible on the right in the NTFS Browser screenshot above. Select any file or open an artifact via Open Artifact to populate hashes and preview metadata.
Reconstruct investigation chronology from automated and manual events.
Scan raw images for embedded file signatures. Supports async carving with cancel and progress.
How to use: Load a disk image in Sources → open Carved Files → set output directory → Start Carving.
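The carving step above and the Hex Search module's `hex:FF D8 FF` pattern syntax both come down to one primitive: a byte-pattern scan over the raw image, with a footer search and a size cap bolted on for carving. The block below is an added example written for this page (std-only Rust, not AnalysisLoom's own engine); `Signature`, `carve`, `find_all`, `parse_hex_pattern` and the `SAMPLE_*` byte strings are names chosen here, and the "image" is constructed in memory from minimal header/footer shells rather than read from a `.dd` file.

```rust
// Added example, not AnalysisLoom code (std only): header/footer signature carving over a raw image,
// plus the "hex:FF D8 FF" byte-pattern search used by Hex Search.
#[derive(Debug, Clone, Copy)]
pub struct Signature {
    pub kind: &'static str,
    pub header: &'static [u8],
    pub footer: &'static [u8],
    pub trailer: usize, // bytes after the footer that still belong to the file (PNG: IEND CRC)
    pub max_len: usize, // cap so a missing footer cannot swallow the rest of the image
}

pub const SIGNATURES: &[Signature] = &[
    Signature { kind: "jpeg", header: &[0xFF, 0xD8, 0xFF], footer: &[0xFF, 0xD9], trailer: 0, max_len: 50 << 20 },
    Signature { kind: "png", header: &[0x89, b'P', b'N', b'G', 0x0D, 0x0A, 0x1A, 0x0A], footer: b"IEND", trailer: 4, max_len: 50 << 20 },
    Signature { kind: "pdf", header: b"%PDF-", footer: b"%%EOF", trailer: 0, max_len: 200 << 20 },
];

#[derive(Debug, PartialEq)]
pub struct Carved { pub kind: &'static str, pub offset: usize, pub length: usize, pub truncated: bool }

/// Parse "hex:FF D8 FF" (prefix and spaces optional) into bytes; None on malformed input.
pub fn parse_hex_pattern(s: &str) -> Option<Vec<u8>> {
    let body = s.trim().strip_prefix("hex:").unwrap_or(s.trim());
    let hex: String = body.chars().filter(|c| !c.is_whitespace()).collect();
    if hex.is_empty() || hex.len() % 2 != 0 { return None; }
    (0..hex.len()).step_by(2).map(|i| u8::from_str_radix(&hex[i..i + 2], 16).ok()).collect()
}

/// Every offset at which `needle` occurs in `hay` (overlapping matches included).
pub fn find_all(hay: &[u8], needle: &[u8]) -> Vec<usize> {
    if needle.is_empty() || hay.len() < needle.len() { return Vec::new(); }
    hay.windows(needle.len()).enumerate().filter(|(_, w)| *w == needle).map(|(i, _)| i).collect()
}

fn find_from(hay: &[u8], needle: &[u8], from: usize, limit: usize) -> Option<usize> {
    let end = limit.min(hay.len());
    if from >= end || end - from < needle.len() { return None; }
    hay[from..end].windows(needle.len()).position(|w| w == needle).map(|p| from + p)
}

pub fn carve(image: &[u8]) -> Vec<Carved> {
    let mut out = Vec::new();
    let mut off = 0;
    while off < image.len() {
        let sig = match SIGNATURES.iter().find(|s| image[off..].starts_with(s.header)) {
            Some(s) => s,
            None => { off += 1; continue; }
        };
        let limit = off.saturating_add(sig.max_len);
        let (length, truncated) = match find_from(image, sig.footer, off + sig.header.len(), limit) {
            Some(f) => ((f + sig.footer.len() + sig.trailer).min(image.len()) - off, false),
            None => (limit.min(image.len()) - off, true), // no footer: keep what is there, flag it
        };
        out.push(Carved { kind: sig.kind, offset: off, length, truncated });
        off += length.max(1); // resume after the carved file so its interior is not rescanned
    }
    out
}

// Constructed sample objects: minimal header/footer shells, not real files (IHDR CRC not computed).
pub const SAMPLE_JPEG: &[u8] = &[0xFF, 0xD8, 0xFF, 0xE0, 0, 0x10, b'J', b'F', b'I', b'F', 0, 1, 1, 0, 0, 1, 0, 1, 0, 0, 0xFF, 0xD9];
pub const SAMPLE_PNG: &[u8] = &[0x89, b'P', b'N', b'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0, 0, 13, b'I', b'H', b'D', b'R',
    0, 0, 0, 1, 0, 0, 0, 1, 8, 0, 0, 0, 0, 0x3A, 0x7E, 0x9B, 0x55, 0, 0, 0, 0, b'I', b'E', b'N', b'D', 0xAE, 0x42, 0x60, 0x82];
pub const SAMPLE_PDF: &[u8] = b"%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF";

/// Disk-image stand-in: filler, three whole objects, then a JPEG header with no footer (truncated).
pub fn build_sample_image() -> Vec<u8> {
    let mut img = vec![0xAAu8; 64];
    img.extend_from_slice(SAMPLE_JPEG);
    img.extend(std::iter::repeat(0xBB).take(32));
    img.extend_from_slice(SAMPLE_PNG);
    img.extend(std::iter::repeat(0xCC).take(16));
    img.extend_from_slice(SAMPLE_PDF);
    img.extend(std::iter::repeat(0xDD).take(8));
    img.extend_from_slice(&[0xFF, 0xD8, 0xFF, 0xE1, 0, 0, 0, 0]);
    img
}

fn main() {
    let img = build_sample_image();
    println!("FF D8 FF at {:?}", find_all(&img, &parse_hex_pattern("hex:FF D8 FF").unwrap()));
    for c in carve(&img) { println!("{:?}", c); }
}
```

Two practitioner caveats are built in: `max_len` stops a header with no footer (or a footer that is simply absent from the image) from producing a multi-gigabyte "file", and a carve that hits the cap is marked `truncated` rather than silently reported as complete. Signature carving only recovers contiguous data; a fragmented file yields an output that begins correctly and then contains whatever followed it on disk, so hash and open every carved object before treating it as evidence.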
Inspect SQLite databases found on disk or opened as standalone artifacts.
How to use: Open a .db file via Open Artifact, or click a .db entry in the NTFS browser.
Search across evidence and findings in the active case.
Tag and annotate files of interest with severity-colored bookmarks.
Scan disk images for LUKS headers, BitLocker markers, and high-entropy encrypted regions.
How to use: Load a disk image → open Encrypted → Scan for Encryption.
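What the three detections in the Encrypted view actually test for, as an added example written for this page (std-only Rust, not AnalysisLoom's own scanner): the LUKS magic and version field, the BitLocker boot-sector OEM id, and a per-block Shannon entropy threshold. `scan_image`, `Finding`, `BLOCK`, `HIGH_ENTROPY` and `build_sample_image` are names chosen here; the sample image is constructed in memory, and its "encrypted" blocks are filled from a deterministic splitmix64 generator that merely looks uniform to the entropy test.

```rust
// Added example, not AnalysisLoom code (std only): scan a raw image for a LUKS header, the BitLocker
// boot-sector marker, and high-entropy blocks, reporting where each was found.
const SECTOR: usize = 512;
pub const BLOCK: usize = 4096;
pub const HIGH_ENTROPY: f64 = 7.9; // bits per byte; a uniform 4 KiB block measures about 7.95

#[derive(Debug, PartialEq)]
pub enum Finding {
    Luks { offset: usize, version: u16, cipher: String },
    BitLocker { offset: usize },
    HighEntropy { offset: usize, bits: f64 },
}

/// Shannon entropy in bits per byte (0.0 for constant data, 8.0 for perfectly uniform bytes).
pub fn shannon_entropy(block: &[u8]) -> f64 {
    if block.is_empty() { return 0.0; }
    let mut counts = [0usize; 256];
    for &b in block { counts[b as usize] += 1; }
    let n = block.len() as f64;
    counts.iter().filter(|&&c| c > 0).map(|&c| { let p = c as f64 / n; -p * p.log2() }).sum()
}

/// LUKS: magic "LUKS\xba\xbe", big-endian version at offset 6; LUKS1 stores the cipher name at 8..40,
/// LUKS2 moves cipher details into its JSON metadata area.
fn luks_at(img: &[u8], off: usize) -> Option<Finding> {
    let h = img.get(off..off + 40)?;
    if &h[..6] != b"LUKS\xba\xbe" { return None; }
    let version = u16::from_be_bytes([h[6], h[7]]);
    let cipher = if version == 1 {
        String::from_utf8_lossy(&h[8..40]).trim_end_matches('\0').to_string()
    } else {
        String::from("(see LUKS2 JSON metadata)")
    };
    Some(Finding::Luks { offset: off, version, cipher })
}

/// BitLocker-encrypted NTFS volumes replace the boot sector OEM id (bytes 3..11) with "-FVE-FS-".
fn bitlocker_at(img: &[u8], off: usize) -> Option<Finding> {
    let s = img.get(off..off + 11)?;
    (&s[3..11] == b"-FVE-FS-").then(|| Finding::BitLocker { offset: off })
}

pub fn scan_image(img: &[u8]) -> Vec<Finding> {
    let mut out = Vec::new();
    // Volume headers sit on sector boundaries at unknown partition offsets, so test every sector.
    for off in (0..img.len()).step_by(SECTOR) {
        out.extend(luks_at(img, off));
        out.extend(bitlocker_at(img, off));
    }
    // Entropy is a weak signal on its own: compressed archives, JPEGs and media score just as high,
    // so pair it with the header checks above and the partition layout before calling a region encrypted.
    for (i, block) in img.chunks(BLOCK).enumerate() {
        let bits = shannon_entropy(block);
        if block.len() == BLOCK && bits >= HIGH_ENTROPY {
            out.push(Finding::HighEntropy { offset: i * BLOCK, bits });
        }
    }
    out
}

/// splitmix64: deterministic filler that looks like ciphertext to the entropy test. Not a CSPRNG.
fn splitmix64(state: &mut u64) -> u64 {
    *state = state.wrapping_add(0x9E37_79B9_7F4A_7C15);
    let mut z = *state;
    z = (z ^ (z >> 30)).wrapping_mul(0xBF58_476D_1CE4_E5B9);
    z = (z ^ (z >> 27)).wrapping_mul(0x94D0_49BB_1331_11EB);
    z ^ (z >> 31)
}

/// Constructed six-block image: LUKS1 header, two pseudo-random blocks, a zeroed block,
/// an ASCII block, and a BitLocker boot sector one sector into the last block.
pub fn build_sample_image() -> Vec<u8> {
    let mut img = vec![0u8; 6 * BLOCK];
    img[..6].copy_from_slice(b"LUKS\xba\xbe");
    img[6..8].copy_from_slice(&1u16.to_be_bytes());
    img[8..11].copy_from_slice(b"aes");
    let mut s = 0x5EED_u64;
    for b in img[BLOCK..3 * BLOCK].iter_mut() { *b = (splitmix64(&mut s) >> 56) as u8; }
    for (i, b) in img[4 * BLOCK..5 * BLOCK].iter_mut().enumerate() { *b = b"the quick brown fox "[i % 20]; }
    let bl = 5 * BLOCK + SECTOR;
    img[bl..bl + 11].copy_from_slice(b"\xEB\x58\x90-FVE-FS-");
    img
}

fn main() {
    for f in scan_image(&build_sample_image()) { println!("{:?}", f); }
}
```

The header checks are the high-confidence part: a LUKS magic at a sector boundary or `-FVE-FS-` in a boot sector is a positive identification, and the LUKS version tells you whether the cipher name is readable in the binary header (LUKS1) or lives in the JSON area (LUKS2). Only the NTFS boot-sector marker is checked here. The entropy pass is a coverage tool for volumes with no recognisable header (full-disk ciphertext, containers with detached headers), and its threshold moves with block size: smaller blocks have a lower expected entropy even for uniform data, so a 7.9 cut-off tuned for 4 KiB blocks would flag too little at 512 bytes and too much at 1 MiB.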
Parse Windows registry hives (SAM, SYSTEM, SOFTWARE, NTUSER.DAT) and surface USB history, UserAssist, MRU, and other forensic keys.
How to use: Open Registry → point to a hive file or directory → Analyze Hive.
Built-in YARA engine with default rules plus custom .yar loading. Scan evidence paths and flag matches by severity.
How to use: Open YARA Scanner → add paths or select from case evidence → Scan Evidence.
Detect timestomping, NTFS alternate data streams, and extension mismatches from MFT records or file paths.
How to use: Load a disk image → open Anti-Forensics → Scan MFT Image.
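The NTFS Browser's deleted-entry flag and the Anti-Forensics view's timestomp and deleted-MFT-flag checks both come from the same place: the raw 1024-byte MFT FILE record. The block below is an added example written for this page (std-only Rust, not AnalysisLoom's own parser) showing the three pieces a practitioner needs to get right: restoring the update-sequence fixups before reading anything near a sector boundary, walking the resident attributes to pull `$STANDARD_INFORMATION` and `$FILE_NAME`, and comparing the two creation times. It assumes 1024-byte records and 512-byte sectors; `parse_record`, `timestomp_indicators` and `MftRecord` are names chosen here, and `build_sample_record` fabricates a synthetic record in memory rather than reading one from a volume.

```rust
// Added example, not AnalysisLoom code (std only): parse a raw NTFS MFT FILE record, apply fixups,
// read $STANDARD_INFORMATION / $FILE_NAME, and flag the classic timestomp indicators.
const RECORD_SIZE: usize = 1024;
const SECTOR: usize = 512;
const ATTR_STANDARD_INFORMATION: u32 = 0x10;
const ATTR_FILE_NAME: u32 = 0x30;
const ATTR_END: u32 = 0xFFFF_FFFF;
fn le_u16(b: &[u8], o: usize) -> u16 { u16::from_le_bytes([b[o], b[o + 1]]) }
fn le_u32(b: &[u8], o: usize) -> u32 { u32::from_le_bytes([b[o], b[o + 1], b[o + 2], b[o + 3]]) }
fn le_u64(b: &[u8], o: usize) -> u64 { (le_u32(b, o + 4) as u64) << 32 | le_u32(b, o) as u64 }

#[derive(Debug, Default)]
pub struct MftRecord {
    pub in_use: bool,            // record flag bit 0 clear = deleted entry (bit 1 = directory)
    pub name: Option<String>,
    pub si_created: Option<u64>, // $STANDARD_INFORMATION creation time, FILETIME (100 ns ticks)
    pub fn_created: Option<u64>, // $FILE_NAME creation time, FILETIME
}

pub fn parse_record(raw: &[u8]) -> Result<MftRecord, String> {
    if raw.len() < RECORD_SIZE || &raw[..4] != b"FILE" { return Err("not a FILE record".into()); }
    let mut rec = raw[..RECORD_SIZE].to_vec();
    // On disk the last two bytes of every 512-byte sector hold the update sequence number; the
    // originals sit in the update sequence array and go back first. A mismatch = torn or bogus record.
    let (usa_off, usa_count) = (le_u16(&rec, 4) as usize, le_u16(&rec, 6) as usize);
    if usa_count != 1 + RECORD_SIZE / SECTOR || usa_off + 2 * usa_count > RECORD_SIZE { return Err("bad USA".into()); }
    let usn = [rec[usa_off], rec[usa_off + 1]];
    for i in 1..usa_count {
        let (end, src) = (i * SECTOR - 2, usa_off + 2 * i);
        if rec[end..end + 2] != usn { return Err(format!("fixup mismatch in sector {}", i)); }
        let saved = [rec[src], rec[src + 1]];
        rec[end..end + 2].copy_from_slice(&saved);
    }
    let mut out = MftRecord { in_use: le_u16(&rec, 0x16) & 1 != 0, ..Default::default() };
    let (used, mut off) = ((le_u32(&rec, 0x18) as usize).min(RECORD_SIZE), le_u16(&rec, 0x14) as usize);
    while off + 8 <= used {
        let atype = le_u32(&rec, off);
        if atype == ATTR_END { break; }
        let alen = le_u32(&rec, off + 4) as usize;
        if alen < 0x18 || off + alen > used { return Err("attribute overruns record".into()); }
        if rec[off + 8] == 0 { // resident attribute: content lives inside the record
            let (clen, coff) = (le_u32(&rec, off + 0x10) as usize, le_u16(&rec, off + 0x14) as usize);
            if coff + clen > alen { return Err("resident content overruns attribute".into()); }
            let c = &rec[off + coff..off + coff + clen];
            match atype {
                ATTR_STANDARD_INFORMATION if clen >= 0x20 => out.si_created = Some(le_u64(c, 0)),
                ATTR_FILE_NAME if clen >= 0x42 => {
                    out.fn_created = Some(le_u64(c, 8));
                    let n = c[0x40] as usize; // name length in UTF-16 units; c[0x41] == 2 is the DOS 8.3 alias
                    if 0x42 + 2 * n <= clen && (out.name.is_none() || c[0x41] != 2) {
                        let u: Vec<u16> = c[0x42..0x42 + 2 * n].chunks(2).map(|p| le_u16(p, 0)).collect();
                        out.name = Some(String::from_utf16_lossy(&u));
                    }
                }
                _ => {}
            }
        }
        off += alen;
    }
    Ok(out)
}

pub fn timestomp_indicators(r: &MftRecord) -> Vec<&'static str> {
    let (Some(si), Some(fname)) = (r.si_created, r.fn_created) else { return Vec::new() };
    let mut hits = Vec::new();
    // $FN times are set by the kernel on create/rename and SetFileTime cannot reach them, so $SI created
    // before $FN created is the classic sign. Caveat: a file moved in from another volume or restored
    // from backup shows the same pattern legitimately, so this is a lead, not a verdict.
    if si < fname { hits.push("$SI created earlier than $FN created"); }
    // user-mode stomping tools usually write whole seconds; genuine timestamps carry 100 ns noise
    if si % 10_000_000 == 0 { hits.push("$SI created has zero sub-second part"); }
    hits
}

fn put_resident(r: &mut [u8], off: usize, atype: u32, content: &[u8]) -> usize {
    let (len, clen) = ((0x18 + content.len() + 7) & !7, content.len() as u32); // lengths are 8-byte aligned
    r[off..off + 4].copy_from_slice(&atype.to_le_bytes());
    r[off + 4..off + 8].copy_from_slice(&(len as u32).to_le_bytes()); // byte off+8 (non-resident flag) stays 0
    r[off + 0x10..off + 0x14].copy_from_slice(&clen.to_le_bytes());
    r[off + 0x14..off + 0x16].copy_from_slice(&0x18u16.to_le_bytes()); // content offset
    r[off + 0x18..off + 0x18 + content.len()].copy_from_slice(content);
    off + len
}

/// Constructed sample record (not from a real volume) with chosen $SI / $FN creation times.
pub fn build_sample_record(si_created: u64, fn_created: u64, in_use: bool, name: &str) -> Vec<u8> {
    let mut r = vec![0u8; RECORD_SIZE];
    r[..4].copy_from_slice(b"FILE");
    r[4..8].copy_from_slice(&[0x30, 0, 3, 0]); // update sequence array at 0x30 with 3 entries
    r[0x14..0x18].copy_from_slice(&[0x38, 0, in_use as u8, 0]); // first attribute at 0x38; flags
    let mut si = vec![0u8; 0x30]; si[..8].copy_from_slice(&si_created.to_le_bytes());
    let utf16: Vec<u8> = name.encode_utf16().flat_map(|u| u.to_le_bytes()).collect();
    let mut fname = vec![0u8; 0x42 + utf16.len()];
    fname[8..16].copy_from_slice(&fn_created.to_le_bytes());
    fname[0x40] = (utf16.len() / 2) as u8; fname[0x41] = 1; // name length, Win32 namespace
    fname[0x42..].copy_from_slice(&utf16);
    let mut off = put_resident(&mut r, 0x38, ATTR_STANDARD_INFORMATION, &si);
    off = put_resident(&mut r, off, ATTR_FILE_NAME, &fname);
    r[off..off + 4].copy_from_slice(&ATTR_END.to_le_bytes());
    r[0x18..0x1C].copy_from_slice(&((off + 8) as u32).to_le_bytes()); // bytes in use
    let usa = [7, 0, r[510], r[511], r[1022], r[1023]]; // USN 0x0007 plus the saved sector-end words
    r[0x30..0x36].copy_from_slice(&usa);
    for end in [510usize, 1022] { r[end..end + 2].copy_from_slice(&[7, 0]); }
    r
}
```

Two things in this code matter more than they look. The fixup pass is not optional: skipping it silently corrupts whichever attribute happens to straddle byte 510 or 1022 of the record, and a USN that does not match is itself a finding (torn write, or data that merely begins with `FILE`). And the `$SI`-before-`$FN` comparison is an indicator, not proof: files copied in from another volume or restored from backup produce the same pattern for innocent reasons, so the Anti-Forensics output is a list of records to look at next, not a list of tampered files.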
Extract browsing history, downloads, and related SQLite artifacts from Chrome, Firefox, Safari, and Edge profiles.
How to use: Open Browser Artifacts → Scan Browsers or point to a specific History / places.sqlite database.
Check file hashes against the NIST NSRL known-good database. Import custom NSRL sets or use the built-in seed.
How to use: Select a file in the NTFS browser → open NSRL Lookup → Lookup Selected File.
Import Volatility 3 JSON output and browse processes, network connections, and plugin metadata without leaving the case.
How to use: Open Memory Bridge → paste or browse to a Volatility JSON export → Parse JSON.
Generate HTML or PDF case reports including evidence list, findings, and audit trail.
Application info, feature list, and chain-of-custody disclaimer.
Prerequisites: Node.js 20+, Rust stable (1.85+), and platform build tools:
# macOS
xcode-select --install # if not already installed
rustc --version # install from https://rustup.rs if missing
# Linux (Ubuntu/Debian)
sudo apt-get install -y libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev \
patchelf libssl-dev build-essential pkg-config
# Windows
# Install Rust (https://rustup.rs) and WebView2 (included in Windows 10/11)

git clone https://github.com/YSF-Studio/analysisloom.git
cd analysisloom
npm install
npm run dev # development (alias: npm run tauri:dev)
npm run tauri:build # production build

Run from the repository root — scripts are defined in the root package.json and delegate to packages/analysisloom.
AnalysisLoom is distributed as source only — build and run locally on Windows, macOS, or Linux. Pre-built binaries are not published.
Production binary location after build:
| Platform | Path |
|---|---|
| macOS | packages/analysisloom/src-tauri/target/release/analysisloom |
| Linux | packages/analysisloom/src-tauri/target/release/analysisloom |
| Windows | packages/analysisloom/src-tauri/target/release/analysisloom.exe |
Generate synthetic forensic test files and load them in the app:
npm run test:fixtures
npm run dev:analysisloom

| Fixture | Use in app |
|---|---|
| test-fixtures/random_ntfs.dd | Sources → Add Image |
| test-fixtures/messages.db | Open Artifact or SQLite Manager |
| test-fixtures/secret_password_log.txt | Open Artifact → Inspector → Add to Evidence |
| test-fixtures/carve_source.dd | Add Image → Carved Files → Start Carving |
| test-fixtures/luks_volume.dd | Add Image → Encrypted → Scan |
- Click Case in the titlebar (or Case Manager in the sidebar).
- Enter case name and operator → + New Case.
- The active case is shown in the titlebar pill.
- In SOURCES, click Add Image.
- Select a raw disk image (.dd, .raw, .img).
- The MFT is parsed locally; the folder tree appears under the image name.
- Click folders to filter the file list; click files to inspect.
- Select a file in the NTFS browser, or use Open Artifact in the Inspector.
- SHA-256, SHA-1, and MD5 are computed by the Rust backend.
- Add tags/notes → Add to Evidence to record chain of custody.
- Open a .db / .sqlite file via Open Artifact, or select messages.db from NTFS.
- Switch to the SQLite Manager tab.
- Browse tables, view columns, paginate rows, or run custom SELECT queries.
- Ensure a disk image is loaded in Sources.
- Open Carved Files → choose output folder → Start Carving.
- Progress appears in the status bar; results list recovered file offsets and types.
- Load a disk image.
- Open Encrypted → Scan for Encryption.
- Review LUKS / BitLocker / high-entropy findings with confidence scores.
- Type a keyword in the titlebar search → Enter (opens Search view).
- In Key Findings, add bookmarks with tags (suspicious, malware, etc.) and notes.
- Open Report with an active case.
- Choose HTML or PDF format → Generate Report.
- Report includes evidence, findings, timeline summary, and audit log.
npm run test:full # fixtures + unit + integration + IPC + mock + E2E Playwright
npm run test:integration # all Tauri commands against random fixtures
npm run test:ipc # verify every #[tauri::command] is in generate_handler!
npm run test:mock # every invoke() has a handler in tauriMock.js (E2E backend)
npm run test:e2e # Playwright GUI — all sidebar views, case flow, IPC mock
npm run test:fixtures # export fixtures to test-fixtures/
npm run test:gui # validate production bundle strings
npm run export:types # Rust → TypeScript bindings (ts-rs)

E2E specs live in e2e/:
| Spec | Coverage |
|---|---|
| app.spec.ts | Shell load, main navigation, theme toggle |
| sidebar-views.spec.ts | Every sidebar entry (26+ views) without IPC fatals |
| case-manager.spec.ts | Create case + YARA scanner panel |
While the Tauri app is running (npm run dev / npm run tauri:build):
- Right-click the window → Inspect Element, or press Cmd+Option+I (macOS) / Ctrl+Shift+I (Windows/Linux).
- Open the Console tab.
- Look for red errors: command 'function_name' not found means the Rust function has not been registered in lib.rs.
- Use tauriInvoke() from src/lib/tauriInvoke.js so that IPC errors are logged to the console automatically.
Screenshots are captured in light theme with the real Rust backend processing files from test-fixtures/ (disk image, SQLite, browser History, registry hive, Volatility JSON).
bash scripts/capture-screenshots.sh

- Offline-first: no telemetry; all forensic processing runs locally
- CI gates: cargo fmt, clippy -D warnings, cargo test, gitleaks, CodeQL, cargo audit
- Dependency updates: Dependabot weekly for Cargo, npm, and GitHub Actions
- Distribution: source-only; no pre-built binary releases
- Reporting vulnerabilities: see SECURITY.md
npm run fmt:check && npm run lint && npm run test:all
npm run audit:rust && npm run audit:npm

| Layer | Technology |
|---|---|
| Shell | Tauri v2 (Rust) |
| UI | SvelteKit 5, macOS-inspired three-pane layout |
| Forensic engine | Inline Rust — NTFS/MFT, carving, hashing, SQLite, encryption, PDF/HTML reports |
| Storage | SQLite (cases, evidence, timeline, audit, bookmarks) |
| Security | Strict CSP, minimal Tauri capabilities, offline-only |
packages/analysisloom/
src/App.svelte # Main shell (sidebar, tabs, inspector)
src/lib/components/ # Feature tabs (NTFS, SQLite, Carving, …)
src/lib/viewRegistry.js # Tab & navigation metadata
src-tauri/src/forensic/ # Rust forensic engines
src-tauri/src/commands.rs # Tauri IPC commands
scripts/
run-full-test.sh # Full test suite
capture-screenshots.sh # Headless screenshot capture
generate-test-fixtures.sh # Random fixture generator
test-fixtures/ # Generated sample files (gitignored)
screenshots/ # README screenshots
MIT — see LICENSE.