
filter by pipeline-ready stackables vs standalone tools

lists are derived automatically: stackable slugs = STACKABLES in lib/stacks/registry.ts; everything else in lib/tools.ts without a matching stackable lands under not stackable — no separate catalog tags.

these tools are stackable: ports, options, and a local run path. add them from the stack editor or /stack/new.

  • .eml / .msg email header chain analyzer: drop eml or msg email file or paste raw headers · parse all headers · reconstruct the full routing chain · extract all forensically significant fields · surface inconsistencies in the header chain · runs locally
    file (any type) → file (any type)
  • access pattern analyzer: drop nginx · apache · auth.log · or browser history logs · detect request spikes · rare endpoints · off-hours access · anomaly scoring · export CSV · runs locally
    file (any type) → file (any type)
  • activities cache analyzer: drop activitiescache.db · windows timeline activity table · types · clipboard · duration · summary · csv export · runs locally
    file (any type) → file (any type)
  • add audio: add or replace a video's audio track · mix volumes · runs locally
    file (any type) → video
  • admin share access timeline: drop security evtx csv · timeline admin$ ipc$ c$ share access · 5140 5145 events · correlate source ips · runs locally
    file (any type) → file (any type)
  • admin share access timeline: drop security evtx csv · parse 5140 and 5145 events · reconstruct who accessed which admin shares c$ admin$ ipc$ · when · from where · flag bulk access · runs locally
    file (any type) → file (any type)
  • ai chatbot multi-account correlation analyzer: correlate AI chatbot accounts, sessions, and devices across platforms · detect multi-account usage, shared devices, account switching · runs locally
    file (any type) → file (any type)
  • ai coding assistant artifact forensic analyzer: cursor · copilot · windsurf logs · accept/reject · code provenance score · export csv · runs locally
    file (any type) → file (any type)
  • ai conversation deletion artifact detector: detect evidence of deleted or missing AI conversations across platforms · timeline gaps, orphaned attachments, missing conversation IDs, cache remnants · runs locally
    file (any type) → file (any type)
  • ai conversation timeline reconstructor: merge AI conversations from multiple platforms into a unified interaction timeline · ChatGPT, Claude, Gemini, Copilot · normalize timestamps and accounts · runs locally
    file (any type) → file (any type)
  • ai generated code provenance analyzer: analyze source code and identify possible AI-assisted generation provenance · boilerplate fingerprints, naming conventions, template reuse · runs locally
    file (any type) → file (any type)
  • ai generated image metadata stripper detector: detect removal or stripping of AI image generation metadata · missing metadata blocks, recompression, PNG chunk anomalies · runs locally
    file (any type) → file (any type)
  • ai generated image provenance analyzer: png tEXt chunk inventory · sd metadata · stripped metadata flag · provenance csv · runs locally
    file (any type) → file (any type)
  • ai generated text fingerprint analyzer: linguistic metrics · burstiness · repetition · ai likelihood score · export csv · runs locally
    file (any type) → file (any type)
  • ai model download and execution artifact analyzer: reconstruct AI model downloads, installations, and execution history · correlate download logs, manifests, and filesystem artifacts · detect execution bursts and deleted models · runs locally
    file (any type) → file (any type)
  • ai output manipulation and editing detector: detect post-generation editing and manipulation of AI-generated text or images · metadata inconsistencies, style shifts, recompression, edit boundaries · runs locally
    file (any type) → file (any type)
  • ai prompt history forensic analyzer: normalize chatgpt · claude · gemini exports and logs · prompt timeline · model usage · export csv · runs locally
    file (any type) → file (any type)
  • ai synthetic voice generation artifact analyzer: analyze synthetic voice generation artifacts and identify possible AI-generated speech characteristics · spectrogram consistency, prosody, splice boundaries · runs locally
    file (any type) → file (any type)
  • ai transcription artifact forensic analyzer: analyze AI-generated transcription artifacts and identify transcription engine characteristics and edit history · Whisper, SRT, VTT, diarization · runs locally
    file (any type) → file (any type)
  • airpods artifact forensic extractor: parse AirPods pairing, connection, and proximity artifacts and reconstruct accessory usage history · runs locally
    file (any type) → file (any type)
  • alexa voice history forensic extractor: drop alexa activity json csv or zip export · categorize voice commands · build timeline · infer usage presence windows · csv json export · runs locally
    file (any type) → file (any type)
  • alternate data stream forensic scanner: drop ads inventory csv or ntfs file listing · detect files with alternate data streams · identify hidden data in NTFS streams · surface stream names indicating zone identifier manipulation or hidden payloads · runs locally
    file (any type) → file (any type)
  • amcache parser: drop Amcache.hve · parse executed binaries · SHA1 hashes · file paths · first run timestamps · program inventory · export CSV · runs locally
    file (any type) → file (any type)
  • amcache vs prefetch conflict detector: drop amcache csv and prefetch csv · identify conflicts between amcache and prefetch execution records · detect selective artifact deletion · surface executables where one artifact was removed but the other remains · runs locally
    file (any type) → file (any type)
  • AMSI bypass artifact detector: drop powershell evtx csv or script block content · detect amsi bypass attempts · identify known bypass patterns · surface memory patch attempts and reflection-based amsi disabling · runs locally
    file (any type) → file (any type)
  • android accelerometer artifact forensic extractor: drop Android accelerometer logs, sensor CSVs, app databases, or bugreport sensor output · parse x/y/z acceleration samples, timestamps, sampling frequency, and derived motion events · detect movement bursts, impacts, orientation changes, and sensor gaps · runs locally
    file (any type) → file (any type)
  • android activity recognition artifact forensic analyzer: drop Android activity recognition logs, Google Play Services artifacts, fitness exports, or app databases · parse inferred user activity states such as walking, running, cycling, driving, still, and tilting · reconstruct activity timelines and correlate movement states with location evidence · runs locally
    file (any type) → file (any type)
  • android adb backup forensic analyzer: drop an android adb backup file (.ab) · parse the backup header · decompress and extract the tar archive · enumerate all backed-up app packages, files, and databases · surface device metadata, backup flags, and encryption status · reconstruct the full backup manifest · runs locally
    file (any type) → file (any type)
  • android adb logcat forensic extractor: drop an android logcat output file (text or binary) · parse all log entries · extract timestamps, pid, tid, log level, tag, and message · detect forensically significant events · surface app crashes, permission grants, package installs/uninstalls, and network events · reconstruct device activity timeline · runs locally
    file (any type) → file (any type)
  • android anonymous messaging app artifact detector: drop Android packages.xml, usage stats, logcat, or filesystem listings · detect anonymous and untraceable messaging applications · surface usage evidence and residual artifacts · identify apps requiring no phone number or identity verification · assess anonymous communication footprint · runs locally
    file (any type) → file (any type)
  • android apk downgrade artifact detector: drop android apk files, logcat output, or package manager dump text · detect apk downgrade installation artifacts · identify version regression indicators · surface forensic tool signatures associated with downgrade-based extraction (oxygen, cellebrite, ufed) · assess whether downgrade was used for forensic data extraction · runs locally
    file (any type) → file (any type)
  • android apk permissions auditor: drop an .apk · parse AndroidManifest.xml · list all declared permissions · flag dangerous permissions · detect unusual API combinations · runs locally
    file (any type) → file (any type)
  • android app cloner artifact forensic detector: drop Android packages.xml, filesystem listing, or logcat · detect app cloner framework installations · identify cloned app instances · surface dual-space and multi-account artifacts · detect usage of cloned messaging apps that may contain additional communication accounts · runs locally
    file (any type) → file (any type)
  • android backup analyzer: drop an android backup ab file · browse app data · extract databases · files · shared preferences · runs locally
    file (any type) → file (any type)
  • android burner app artifact forensic detector: drop Android packages.xml, logcat, usage stats database, or filesystem listing · detect installed and previously deleted burner phone number and anonymous communication apps · surface usage timestamps and residual artifacts from deleted apps · identify patterns of ephemeral identity use · runs locally
    file (any type) → file (any type)
  • android call log parser: drop Android contacts2.db or calllog.db · parse incoming · outgoing · missed calls · contacts · duration · timestamps · export CSV · runs locally
    file (any type) → file (any type)
  • android cell tower location artifact analyzer: drop Android telephony databases, radio logs, dumpsys outputs, or logcat excerpts · parse cell tower identifiers, network operator data, signal strength, and timestamped radio events · reconstruct coarse location history from cellular infrastructure · surface roaming, SIM changes, and tower handoff patterns · runs locally
    file (any type) → file (any type)
  • android chipset-specific extraction artifact analyzer: drop getprop bugreport or extraction logs · identify chipset family · extraction capability matrix · device model lookup · runs locally
    file (any type) → file (any type)
  • android chrome browsing history forensic analyzer: drop an Android Chrome History SQLite database · parse all browsing history, visits, and keyword search terms · reconstruct browsing sessions · detect deleted history gaps · surface forensically significant domains and search queries · runs locally
    file (any type) → file (any type)
  • android chrome download artifact forensic extractor: drop an Android Chrome History SQLite database · parse all download records · extract source URLs, local paths, file sizes, and completion timestamps · detect partial and dangerous downloads · surface forensically significant downloaded content · runs locally
    file (any type) → file (any type)
  • android device encryption artifact analyzer: drop getprop fstab logcat or path listings · fbe vs fde detection · de vs ce accessibility matrix · metadata encryption · runs locally
    file (any type) → file (any type)
  • android discord artifact forensic extractor: drop Android Discord database files from the app data directory · parse cached messages, server memberships, DM threads, and user identity · surface deleted message local cache content · decode Discord snowflake timestamps · reconstruct Discord communication timeline · runs locally
    file (any type) → file (any type)
  • android edl artifact analyzer: drop edl extraction logs, qpst output files, or qualcomm emergency download metadata · parse edl session artifacts · identify programmer (firehose) version and capabilities · surface partition table from gpt artifacts · detect edl-based extraction tool signatures · assess forensic integrity of edl extraction · runs locally
    file (any type) → file (any type)
  • android encrypted vault app artifact detector: drop Android packages.xml, filesystem listing, or usage stats · detect installed or deleted encrypted vault and secret hiding apps · surface vault app usage evidence · identify content types stored in vaults (from metadata) · detect vault apps designed to disguise themselves as other apps · runs locally
    file (any type) → file (any type)
  • android facebook artifact forensic extractor: drop Android Facebook app database files · parse Messenger threads, feed cache, search history, and account artifacts · surface message content, unsent message envelopes, and media references · reconstruct Facebook activity timeline · runs locally
    file (any type) → file (any type)
  • android factory reset artifact detector: drop recovery logs logcat getprop or path listings · detect factory reset evidence · recovery wipe timeline · mdm remote wipe · boot count · runs locally
    file (any type) → file (any type)
  • android factory reset protection bypass artifact detector: drop frp partition logcat getprop or accounts data · detect frp bypass artifacts · identify bypass method · bootloader unlock · account setup forensics · runs locally
    file (any type) → file (any type)
  • android file-based encryption artifact extractor: drop fbe key blobs vold listings getprop or keystore files · parse key blob v1/v2 · secdiscardable alerts · de vs ce inventory · runs locally
    file (any type) → file (any type)
  • android full disk encryption artifact analyzer: drop fde crypto footer binary getprop or logcat · parse kdf scrypt parameters · keymaster binding · brute-force matrix · hashcat hints · runs locally
    file (any type) → file (any type)
  • android full filesystem extraction artifact analyzer: drop an android filesystem extraction manifest or directory listing · parse the filesystem structure · enumerate partitions, key directories, and forensically significant files · surface extraction method artifacts · assess completeness of the extraction · identify files requiring further analysis · runs locally
    file (any type) → file (any type)
  • android geofence artifact forensic extractor: drop Android geofencing databases, Google Play Services artifacts, app preference files, or logcat excerpts · parse registered geofences, trigger events, radius, dwell transitions, and app ownership · identify which apps monitored which physical locations · runs locally
    file (any type) → file (any type)
  • android gmail artifact forensic extractor: drop Android Gmail database files · parse email envelope metadata, snippets, label assignments, and account information · surface thread structures · detect deleted and trashed emails · reconstruct email activity timeline · runs locally
    file (any type) → file (any type)
  • android google assistant query artifact extractor: drop Android Google Assistant database files or activity logs · parse Assistant query records · extract spoken commands, device control actions, and conversation context · surface Assistant interaction history and responses · detect sensitive query patterns · runs locally
    file (any type) → file (any type)
  • android google drive artifact forensic extractor: drop Android Google Drive database files · parse file metadata, sync records, activity logs, and shared item artifacts · surface file names, owners, share recipients, and access timestamps · detect file deletion and trash events · reconstruct Drive activity timeline · runs locally
    file (any type) → file (any type)
  • android google fit forensic artifact extractor: drop Google Fit Takeout exports, fitness databases, Health Connect files, or related JSON/CSV artifacts · parse workouts, steps, distance, calories, heart rate, activity segments, and source devices · reconstruct fitness activity timelines and identify device/source inconsistencies · runs locally
    file (any type) → file (any type)
  • android google maps artifact forensic extractor: drop Android Google Maps database files · parse search history, saved places, navigation history, and offline map artifacts · surface destination searches and routing events · reconstruct location search and travel history · runs locally
    file (any type) → file (any type)
  • android google photos artifact forensic extractor: drop Android Google Photos database files · parse photo and video metadata · extract GPS coordinates, capture timestamps, and album memberships · surface shared album participants · detect deleted photo tombstones · reconstruct photo activity timeline · runs locally
    file (any type) → file (any type)
  • android google search artifact forensic extractor: drop Android Google Search app database files · parse search query history, autocomplete suggestions, and Google feed activity · surface search patterns and topics of interest · detect deleted searches · reconstruct Google search timeline · runs locally
    file (any type) → file (any type)
  • android google timeline artifact forensic extractor: drop Google Timeline JSON, Takeout location history files, semantic location history exports, or Maps activity artifacts · parse places, visits, activity segments, coordinates, confidence values, and edit metadata · reconstruct Google-derived movement history · runs locally
    file (any type) → file (any type)
  • android gps location history forensic extractor: drop Android location databases, GNSS logs, fused location provider artifacts, or app location exports · parse GPS coordinates, timestamps, accuracy, altitude, speed, and provider metadata · reconstruct a chronological movement trail · flag high-confidence GPS fixes and suspicious location gaps · runs locally
    file (any type) → file (any type)
  • android instagram artifact forensic extractor: drop Android Instagram database files from the app data directory · parse direct messages, search history, and account artifacts · surface ephemeral media tombstones and cached interaction data · reconstruct Instagram activity timeline · runs locally
    file (any type) → file (any type)
  • android logcat analyzer: drop android logcat output · parse log levels · crash detection · anr · security exceptions · network activity · timeline · runs locally
    file (any type) → file (any type)
  • android logcat forensic parser: drop android logcat txt or log · threadtime brief time auto-detect · crash selinux install security panels · runs locally
    file (any type) → file (any type)
  • android mtk preloader artifact extractor: drop mtk sp flash tool logs scatter files or nvram · parse brom extraction artifacts · imei mac identity · critical write alerts · runs locally
    file (any type) → file (any type)
  • android notification history forensic analyzer: drop notification db or log exports · reconstruct alerts · message previews · communication timeline · runs locally
    file (any type) → file (any type)
  • android ota and system image inspector: drop android ota zip files or system img files · parse sparse image format · extract partition table · browse installed app list · detect modifications from stock · extract build fingerprint · identify rooting indicators · runs locally
    file (any type) → file (any type)
  • android qualcomm sahara artifact forensic analyzer: drop qualcomm sahara edl logs or hex captures · parse handshake packets · msm chipset oem pk hash · command timeline csv · runs locally
    file (any type) → file (any type)
  • android root residue forensic analyzer: drop getprop filesystem listing or logcat · detect past rooting residue · knox bit bootloader unlock · magisk cleanup artifacts · runs locally
    file (any type) → file (any type)
  • android rooting method artifact detector: drop filesystem listing getprop or logcat · detect magisk kernelsu supersu frida · root path database · confidence scoring · runs locally
    file (any type) → file (any type)
  • android samsung bixby artifact forensic extractor: drop Android Samsung Bixby database files · parse Bixby Voice query history, Bixby Routines, and Bixby Vision artifacts · extract spoken commands, app launch actions, and automated routine triggers · surface Bixby interaction timeline · runs locally
    file (any type) → file (any type)
  • android samsung knox artifact forensic analyzer: drop Android Samsung Knox database files, log files, or getprop output · parse Knox workspace enrollment state · surface Knox warranty bit status · analyze Knox Vault and Keystore artifacts · detect Knox Secure Folder presence and content metadata · assess forensic implications of Knox security architecture · runs locally
    file (any type) → file (any type)
  • android samsung messages forensic analyzer: drop Android Samsung Messages database files · parse SMS, MMS, and RCS message records · extract sender, recipient, content, timestamps, and delivery status · surface deleted message gaps · reconstruct SMS/RCS conversation timeline · runs locally
    file (any type) → file (any type)
  • android signal database forensic extractor: drop Android Signal database files (signal.db or backup files) · parse conversations, messages, and attachment metadata · extract disappearing message settings, contact identifiers, and draft messages · surface registered phone number from database · detect deleted message gaps · runs locally
    file (any type) → file (any type)
  • android significant motion artifact forensic extractor: drop Android significant motion sensor logs, motion trigger events, activity recognition artifacts, or app databases · parse wake/motion triggers that indicate the device changed from stationary to moving · reconstruct motion-start events and correlate them with location and activity evidence · runs locally
    file (any type) → file (any type)
  • android sms database parser: drop Android mmssms.db · parse SMS and MMS threads · contacts · timestamps · export conversations as CSV · runs locally
    file (any type) → file (any type)
  • android snapchat artifact forensic extractor: drop Android Snapchat database files from the app data directory · parse snap metadata, chat records, and friend lists · surface snap open timestamps and screenshot events · detect expired snap tombstones · reconstruct Snapchat activity timeline · runs locally
    file (any type) → file (any type)
  • android snapchat cache forensic extractor: drop Android Snapchat cache directory listings or database files · parse cached snap media metadata · surface Snap map location cache · detect saved content from ephemeral snaps · identify cache clearing patterns · runs locally
    file (any type) → file (any type)
  • android sparse image: sparse .img 0xED26FF3A · RAW FILL DONT_CARE CRC32 · chunk map · ext4 f2fs detect · OTA warn · CSV · runs locally
    file (any type) → file (any type)
  • android sqlite app database browser: drop android app sqlite db · schema discovery · table heuristics · credential column masking · runs locally
    file (any type) → file (any type)
  • android step counter artifact forensic extractor: drop Android sensor logs, Google Fit exports, Samsung Health exports, fitness app databases, or step counter CSVs · parse step counts, cadence, timestamps, device source, and daily totals · reconstruct walking activity and detect anomalies in step accumulation · runs locally
    file (any type) → file (any type)
  • android telegram cache artifact forensic extractor: drop Android Telegram cache database files and media cache listings · parse cached media metadata and file references · surface contact profile photo caches · extract recently accessed media CDN URLs · detect cache clearing events · reconstruct media interaction history · runs locally
    file (any type) → file (any type)
  • android telegram database forensic extractor: drop Android Telegram database files · parse messages, chats, channels, and contacts · extract forwarding metadata, edit timestamps, and media references · surface disappearing message timer settings · detect deleted message ROWID gaps · reconstruct Telegram communication timeline · runs locally
    file (any type) → file (any type)
  • android tiktok artifact forensic extractor: drop Android TikTok database files from the app data directory · parse direct messages, search history, video view records, and account identity · surface content interaction patterns and deleted message residue · reconstruct TikTok activity timeline · runs locally
    file (any type) → file (any type)
  • android vpn app artifact forensic extractor: drop Android VPN app database files, configuration files, or logcat output · parse VPN connection session logs, server configurations, and account artifacts · surface kill switch, obfuscation, and split tunnel settings · detect VPN usage gaps and anti-forensic patterns · runs locally
    file (any type) → file (any type)
  • android whatsapp call log forensic analyzer: drop an Android WhatsApp msgstore.db · parse WhatsApp voice and video call records · extract caller, callee, duration, call type, and timestamps · detect missed and rejected calls · surface group call events · cross-reference with message timeline · runs locally
    file (any type) → file (any type)
  • android whatsapp database forensic analyzer: drop an Android WhatsApp msgstore.db · parse all messages, chats, groups, and media metadata · reconstruct conversation timelines · surface message delivery status, forwarding metadata, location shares, and contact cards · detect deleted message gaps · runs locally
    file (any type) → file (any type)
  • android whatsapp deleted message recovery artifact detector: drop an Android WhatsApp msgstore.db (one or two versions) · detect deleted message artifacts via ROWID gaps, revoked message placeholders, and WAL recovery · surface media residue from deleted messages · detect bulk deletion patterns before acquisition · runs locally
    file (any type) → file (any type)
  • android whatsapp key and crypt file forensic extractor: drop WhatsApp key file and/or .crypt12/.crypt14/.crypt15 backup files · parse the key file structure · analyze backup encryption parameters · attempt decryption if key and crypt file are both provided · surface backup metadata and assess forensic accessibility · runs locally
    file (any type) → file (any type)
  • android whatsapp status artifact forensic extractor: drop an Android WhatsApp msgstore.db and/or status database files · parse WhatsApp Status (Stories) artifacts · extract status posts viewed, own status history, status media references, and view timestamps · surface contact status viewing patterns · runs locally
    file (any type) → file (any type)
  • android wifi location artifact forensic extractor: drop Android WiFi configuration files, scan result logs, network suggestion databases, or connectivity bugreports · parse SSIDs, BSSIDs, signal strength, connection timestamps, and saved network metadata · reconstruct WiFi-based location history and proximity evidence · runs locally
    file (any type) → file (any type)
  • anti-analysis and sandbox evasion artifact detector: drop 4688 or sysmon evtx csv · detect malware anti-analysis behaviors · identify sleep-based and environment-check evasion patterns · surface processes that checked for vm or debugger presence · runs locally
    file (any type) → file (any type)
  • anti-forensic tool identifier: drop registry prefetch evtx csv · 50+ wiper secure-delete privacy signatures · findings table · confidence severity · csv export · runs locally
    file (any type) → file (any type)
  • anti-forensic tool signature scanner: drop prefetch shimcache amcache or 4688 evtx csv · detect execution of known anti-forensic tools · identify cleaners wipers and evidence destruction utilities · surface when and how evidence destruction occurred · runs locally
    file (any type) → file (any type)
  • antimalware real-time protection disable detector: drop windows defender operational evtx csv or registry export · detect real-time protection disablement · identify antimalware coverage gaps · surface periods where no active scanning was occurring · runs locally
    file (any type) → file (any type)
  • apfs reader: drop an APFS disk image · locate container and volume superblocks · parse block size · UUID · volume name · role · feature flags · runs locally
    file (any type) → file (any type)
  • apk analyzer: drop an android apk · permissions · activities · services · manifest · certificates · embedded urls · strings · no disassembly · runs locally
    file (any type) → file (any type)
  • appcompat cache timeline: drop shimcache csv · sort by last modified · gaps >7d · burst clusters · same-hour correlation · suspicious paths · csv export · runs locally
    file (any type) → file (any type)
  • AppCompatCache / ShimCache gap analyzer: drop shimcache csv · detect missing entries indicating selective cache clearing · identify time windows with no shimcache activity · surface gaps between shimcache and other execution artifacts · runs locally
    file (any type) → file (any type)
  • apple pay artifact forensic extractor: drop iOS Wallet/PassKit database files, Apple Pay keychain items, or powerlog data · parse Apple Pay enrollment state and transaction artifacts · surface Device Account Numbers (DANs), provisioning timestamps, and NFC payment events · identify enrolled cards and payment activity · runs locally
    file (any type) → file (any type)
  • apple watch artifact forensic extractor: parse Apple Watch pairing records, sync artifacts, backup files, and watch databases · reconstruct watch pairing history, device ownership, sync state, and cross-device interactions · runs locally
    file (any type) → file (any type)
  • apple watch fall and crash detection artifact extractor: parse Apple Watch fall detection and crash detection artifacts and reconstruct emergency trigger timelines · runs locally
    file (any type) → file (any type)
  • apple watch health and activity forensic analyzer: parse Apple Watch health, workout, and activity records and reconstruct movement, exercise, and biometric activity timelines · runs locally
    file (any type) → file (any type)
  • application focus timeline reconstructor: drop srum csv · windows accessibility event logs · ui interaction logs · reconstruct exactly which application had focus at every point in time · builds minute by minute user activity reconstruction · proves user presence or absence · runs locally
    file (any type) → file (any type)
  • AppLocker and WDAC policy disable detector: drop security evtx csv and registry export · detect application whitelisting policy removal · identify applocker rules deleted · surface wdac policy bypasses and removals · runs locally
    file (any type) → file (any type)
  • archive: zip files & folders · structure preserved
    file (any type) → file (any type)
  • archive manifest: drop a ZIP archive · list all files without decompressing · sizes · paths · detect hidden executables inside archives · export CSV · runs locally
    file (any type) → file (any type)
  • archive password auditor: drop a password-protected ZIP · test a custom wordlist locally · no data leaves your device · runs locally
    file (any type) → file (any type)
  • ARP spoofing artifact detector: drop pcap or pcapng file · detect arp cache poisoning and spoofing artifacts · identify conflicting mac-to-ip mappings · surface mitm enablement and arp flood patterns · runs locally
    file (any type) → file (any type)
  • arp table timeline and mac change detector: drop multiple arp table dumps or pcap with arp traffic · reconstruct the history of which mac was at which ip · detect mac address changes indicating spoofing or device swap · identify arp poisoning attempts · runs locally
    file (any type) → file (any type)
  • artifact absence anomaly scoring detector: drop any combination of evtx mft prefetch shimcache registry and browser csvs · score the overall pattern of absent expected artifacts · identify which evidence sources are missing and why · surface artifact absence as a forensic finding in itself · runs locally
    file (any type) → file (any type)
  • as-rep roasting detectordrop security evtx csv · identify 4768 events for accounts with pre-authentication disabled · as-rep roasting attack indicators · bulk requests · unusual requestor ips · runs locally
    file (any type) → file (any type)
  • aslr base address forensic reconstructor
    drop crash dump or module list export · reconstruct aslr base addresses · pointer attribution · cross-dump correlation · rva section lookup · runs locally
    file (any type) → file (any type)
  • attacker dwell time calculator
    drop multiple forensic artifact csvs · identify earliest attacker artifact · calculate total dwell time · map attack phase timeline · identify detection gap · compare to industry benchmarks · runs locally
    file (any type) → file (any type)
  • attacker tool inventory builder
    drop all detection csvs from other fatcousin tools · aggregate every detected tool into unified attacker toolkit profile · map to mitre attack · identify sophistication level · infer threat actor type · runs locally
    file (any type) → file (any type)
  • audio compressor
    dynamic range compression · threshold · ratio · attack · release · preview and export · runs locally
    audio → audio
  • audio denoise
    remove background noise · RNNoise · runs locally
    audio → audio
  • audio edit detector
    drop a WAV file · analyze spectral discontinuities · RMS energy shifts · noise floor changes · DC offset jumps · flag suspected splice points · runs locally
    file (any type) → file (any type)
  • audio equalizer
    10-band parametric eq · live preview · export eq-processed audio · runs locally
    audio → audio
  • audio fingerprint
    identify any song from its audio · chromaprint fingerprint generated locally · only a tiny hash sent to acoustid · batch mode for cataloging unlabeled files
    audio → audio
  • audio info
    duration · channels · sample rate · peak · loudness
    audio → audio
  • audio lsb steganography extractor
    drop wav or aiff · extract lsb from pcm samples · bit depth · channel select · magic detect · entropy · download payload · runs locally
    file (any type) → file (any type)
  • audio metadata deep forensic extractor
    drop mp3 flac wav ogg m4a aiff files · extract all metadata from id3v1 id3v2 apev2 vorbis comments riff info chunks itunes atoms · detect metadata tampering · creation tool fingerprinting · forensic timestamp analysis · runs locally
    file (any type) → file (any type)
  • audio splice detector
    drop audio · spectral flux discontinuities · candidate splice timestamps · timeline table · runs locally
    file (any type) → file (any type)
  • audio steganography detector
    drop an audio file · lsb analysis · echo hiding detection · phase coding detection · statistical anomalies · runs locally
    file (any type) → file (any type)
  • audit policy modification detector
    drop security evtx csv · detect audit policy changes · identify subcategories disabled · surface reduction in logging coverage · correlate with attack timeline · runs locally
    file (any type) → file (any type)
  • audit subcategory coverage gap deep analyzer
    drop security evtx csv · perform deep analysis of all audit subcategory disable events · map exact forensic blind spots created by each disable · surface the cumulative coverage loss across the investigation window · runs locally
    file (any type) → file (any type)
  • auth log analyzer
    drop Linux auth.log · Windows Security EVTX CSV · parse failed logins · SSH attempts · sudo events · successful auth · flag brute force IPs · export · runs locally
    file (any type) → file (any type)
  • auto redact
    ssn · dob · phone · email · cards · custom regex · destructive raster
    pdf → pdf
  • autoit script analyzer
    compiled autoit exe or au3 · script extraction · risky calls · persistence · download-run · anti-analysis · iocs · runs locally
    file (any type) → file (any type)
  • automatic1111 artifact forensic extractor
    extract a1111 config · extensions · checkpoints · png parameters block · export csv · runs locally
    file (any type) → file (any type)
  • autonomous driving telemetry analyzer
    tesla/dmv csv · autopilot sessions · disengagement causes · 30s incident windows · sessions csv · runs locally
    file (any type) → file (any type)
  • aws cloudtrail analyzer
    drop cloudtrail json logs · api timeline · iam changes · security events · errors · runs locally
    file (any type) → file (any type)
  • aws cloudtrail forensic deep analyzer
    drop cloudtrail json logs · detect privilege escalation paths · credential theft · data exfiltration · lateral movement between services · unusual api patterns · flag attacker ips · runs locally
    file (any type) → file (any type)
  • aws cloudtrail log forensic analyzer
    drop aws cloudtrail json log files or csv export · parse api call records across all aws services · surface credential abuse privilege escalation data exfiltration and infrastructure manipulation · reconstruct attacker activity timeline · runs locally
    file (any type) → file (any type)
  • aws guardduty finding parser
    drop guardduty json findings export · normalize findings · extract iocs · prioritize by severity · timeline · affected resources · runs locally
    file (any type) → file (any type)
  • aws iam credential report analyzer
    drop iam credential report csv · flag unused credentials · old access keys · accounts without mfa · root account usage · compliance score · runs locally
    file (any type) → file (any type)
  • aws iam policy analyzer
    paste iam policy json · effective permissions · wildcard expansion · risks · escalation hints · plain english · runs locally
    file (any type) → file (any type)
  • azure activity log analyzer
    drop azure activity log json · operations timeline · rbac changes · vm events · security · network changes · runs locally
    file (any type) → file (any type)
  • azure ad audit log analyzer
    drop azure ad audit log json · role assignments · admin consent · conditional access policy changes · suspicious modifications · risk scores · runs locally
    file (any type) → file (any type)
  • azure ad sign-in log analyzer
    drop azure ad sign-in log json · detect impossible travel · legacy protocol use · mfa failures · brute force patterns · conditional access failures · runs locally
    file (any type) → file (any type)
  • backup deletion artifact analyzer
    drop evtx csvs and vss registry exports · parse deliberate backup deletion across windows backup · veeam artifacts · backup exec artifacts · correlate with ransomware timeline · runs locally
    file (any type) → file (any type)
  • bad sector mapper
    drop a disk image · scan every sector for byte-pattern anomalies · zero-fills · repeating-fill sectors · visualize sector health map · export sector report CSV · runs locally
    file (any type) → file (any type)
  • bake transforms
    flatten node hierarchy · apply world matrix into vertices
    3d → 3d
  • bam and dam entry absence detector
    drop bam dam registry export and shimcache or 4688 csv · identify executables that ran but have no BAM/DAM entry · detect selective BAM clearing · surface execution evidence gaps in background activity monitor · runs locally
    file (any type) → file (any type)
  • bam dam parser
    drop software hive · background activity moderator · desktop activity moderator · sid · last run filetime · sequence · filter · csv · runs locally
    file (any type) → file (any type)
  • barcode
    generate and read barcodes · code128 · ean-13 · ean-8 · upc-a · upc-e · code39 · itf-14 · runs locally
    file (any type) → image
  • base64
    encode & decode · text & files · standard or url-safe
    file (any type) → file (any type)
  • base64 mass decoder
    drop any file or paste text · detect and decode all base64 blobs · recursive decoding · hex decode · URL decode · PowerShell gzip · reveal hidden payloads · runs locally
    file (any type) → file (any type)
  • bash history analyzer
    drop .bash_history or .zsh_history · parse commands · timestamps · frequency analysis · detect suspicious commands · sudo usage · network activity · runs locally
    file (any type) → file (any type)
  • bates stamp
    sequential numbering across one file or a whole batch
    pdf → pdf
  • beaconing pattern detector
    drop pcap or zeek conn log · periodic c2 beacon intervals · regularity and jitter scores · export csv · runs locally
    file (any type) → file (any type)
  • bgp log analyzer
    cisco ios · quagga frr · juniper text · mrt binary · update withdrawal peer · hijack more-specific as loop flapping · export csv · runs locally
    file (any type) → file (any type)
  • binary compiler and language identifier
    drop pe elf or macho binaries · identify compiled language · go rust nim python compiled dlang zig · detect compiler version · extract build metadata · language-specific string patterns · runs locally
    file (any type) → file (any type)
  • binary development environment fingerprinter
    drop compiled binaries · extract compiler version · ide · sdk · linker · pdb paths · build profile of developer workstation · runs locally
    file (any type) → file (any type)
  • binary execution gap analyzer
    drop execution artifact csvs · identify periods with no execution activity · distinguish system-off gaps from suspicious quiet periods · flag anomalous gaps · runs locally
    file (any type) → file (any type)
  • binary provenance & build metadata analyzer
    drop pe elf mach-o · build timestamp · linker · rich header · pdb · go buildinfo · json export · runs locally
    file (any type) → file (any type)
  • binary strings
    extract readable strings from any binary · ASCII · UTF-16 · minimum length filter · export · runs locally
    file (any type) → file (any type)
  • binary structural similarity scorer
    drop two or more binaries · structural and syntactic similarity · malware variant families · shared imports and strings · runs locally
    file (any type) → file (any type)
  • bitcoin address clustering
    paste or drop csv · extract btc addresses · common-input heuristic clustering · cluster table · export csv · runs locally
    file (any type) → file (any type)
  • bitcoin transaction decoder
    paste raw transaction hex · decode inputs outputs scripts · fees · locktime · segwit · p2pkh p2sh p2wpkh · runs locally
    file (any type) → file (any type)
  • BITSAdmin and BITS transfer artifact detector
    drop 4688 evtx csv and bits operational evtx csv · detect bitsadmin used for malicious file transfer · identify bits jobs downloading attacker content · surface persistence via bits job scheduling · runs locally
    file (any type) → file (any type)
  • blockchain timestamp verifier
    document sha-256 · merkle proof json · bitcoin block header · inclusion walk · verified failed verdict · runs locally
    file (any type) → file (any type)
  • bluetooth accessory pairing timeline forensic analyzer
    reconstruct Bluetooth pairing and connection history across wearables and accessories · runs locally
    file (any type) → file (any type)
  • bluetooth beacon environment reconstructor
    ios bluetooth plist · android btsnoop hci · apple 0x004c manufacturer tlv · ibeacon uuid/major/minor · optional pcap link hint · venue uuid geolocation note · csv+json · runs locally
    file (any type) → file (any type)
  • bluetooth pairing history forensic extractor
    drop iOS bluetooth plist · android bt_config.conf · logcat · CoD decode · pairing timeline · OUI lookup · runs locally
    file (any type) → file (any type)
  • blur image
    gaussian blur · motion blur · radius & angle control · batch · runs locally
    image → image
  • booklet pdf
    saddle-stitch imposition · print duplex · fold · staple
    pdf → pdf
  • bookmarks
    view · edit · auto-generate pdf navigation outlines
    pdf → pdf
  • boot & pre-os persistence detector
    drop mbr sector dump or disk image start · parse mbr vbr · boot signature check · bootkit string scan · json export · runs locally
    file (any type) → file (any type)
  • boot sector modification artifact detector
    drop system evtx csv or bcdedit output · detect boot sector and bcd modification events · identify bootkit installation artifacts · surface unauthorized boot configuration changes · runs locally
    file (any type) → file (any type)
  • bootkit mbr vbr deep analyzer
    drop a disk image or raw mbr vbr sector dump · deep parse mbr and vbr · compare against known-good templates · flag deviations · detect bootkits · identify infected bootstrap code · runs locally
    file (any type) → file (any type)
  • border · canvas
    color · gradient · blur fill · optional crop · polaroid preset
    image → image
  • breach format identifier
    drop breach file · detect csv json sql pipe tab · first 100kb sniff · runs locally
    file (any type) → file (any type)
  • breach ioc normalizer
    extract classify dedup iocs from breach dumps · stix 2.1 export · runs locally
    file (any type) → file (any type)
  • breach pattern analyzer
    password corpus patterns · keyboard walks · leet · hashcat rules export · runs locally
    file (any type) → file (any type)
  • browser autofill artifact extractor
    drop chrome web data sqlite or firefox formhistory sqlite · extract autofill form field data · reconstruct what the user typed into web forms · surface names addresses phone numbers and custom field values from autofill history · runs locally
    file (any type) → file (any type)
  • browser cache clearing burst detector
    drop mft csv or browser cache file listing · detect sudden bulk deletion of cached browser files · identify cache clearing events and their timestamps · surface deliberate cache destruction · runs locally
    file (any type) → file (any type)
  • browser cookie analyzer
    drop Chrome or Firefox cookies SQLite · parse domains · flags · expiry · SameSite · detect tracking cookies · session vs persistent · export CSV · runs locally
    file (any type) → file (any type)
  • browser cookie clearing pattern detector
    drop chrome cookies sqlite csv · detect cookie clearing events · identify gaps in cookie history · surface session token deletion indicating deliberate authentication evidence destruction · runs locally
    file (any type) → file (any type)
  • browser crash report artifact and suppression detector
    drop mft csv filtered to browser crash paths · detect deleted or absent browser crash reports · identify crash report suppression hiding browser activity · surface crash report content for forensic value · runs locally
    file (any type) → file (any type)
  • browser download history correlator
    drop chrome history sqlite and optional mft csv · parse download records · correlate against filesystem evidence · identify downloaded files that were deleted · surface download chain from referrer to file to execution · runs locally
    file (any type) → file (any type)
  • browser download history gap analyzer
    drop chrome or firefox downloads history sqlite csv · detect gaps in download records · identify cleared download history · surface downloads that occurred but are not in the history · runs locally
    file (any type) → file (any type)
  • browser extension analyzer
    drop Chrome or Firefox extension folder or .crx · parse manifest · permissions · background scripts · content scripts · flag dangerous permissions · export report · runs locally
    file (any type) → file (any type)
  • browser extension forensics analyzer
    drop chrome or firefox extension directory or manifest json · analyze extension permissions and capabilities · identify high-risk extensions · surface extensions with credential access network interception or tab monitoring capabilities · runs locally
    file (any type) → file (any type)
  • browser extension persistence & forensics mapper
    drop chrome or firefox extension directories or crx files · map all installed extensions · detect persistence via extensions · suspicious permissions · obfuscated background scripts · data exfiltration capabilities · runs locally
    file (any type) → file (any type)
  • browser extension removal burst detector
    drop chrome extensions directory listing or mft csv · detect sudden bulk extension removal · identify forensic or security extensions targeted for removal · surface extension deletion covering investigative tracks · runs locally
    file (any type) → file (any type)
  • browser geolocation history extractor
    drop chrome preferences json or firefox permissions sqlite · extract sites granted geolocation permission · identify location-aware web app usage · surface geolocation permission grants with timestamps and usage patterns · runs locally
    file (any type) → file (any type)
  • browser history clearing pattern detector
    drop chrome firefox or edge sqlite history db csv · detect history clearing events · identify gaps in browsing timeline · surface clearing timestamps and what was removed · runs locally
    file (any type) → file (any type)
  • browser history extractor
    drop a Chrome or Firefox SQLite history DB · extract URLs · visit counts · timestamps · typed URLs · export CSV · runs locally
    file (any type) → file (any type)
  • browser login event timeline builder
    drop chrome history sqlite and login data sqlite · reconstruct login and authentication events from browser data · correlate password form submissions with visit history · surface account access timeline across all sites · runs locally
    file (any type) → file (any type)
  • browser media history analyzer
    drop chrome media history sqlite · parse video and audio playback records · reconstruct what media was watched or listened to · surface media engagement times origin sites and playback positions · runs locally
    file (any type) → file (any type)
  • browser password store forensic parser
    drop chrome login data sqlite or firefox logins json · parse stored credential metadata · reconstruct which sites had saved passwords · identify password store access events and modification history · runs locally
    file (any type) → file (any type)
  • browser profile deletion artifact detector
    drop mft csv · detect deleted browser profile directories · identify evidence of entire browser profile removal · surface remnant artifacts proving a browser was used despite profile deletion · runs locally
    file (any type) → file (any type)
  • browser saved password clearing detector
    drop chrome login data sqlite csv or mft csv · detect cleared browser saved passwords · identify evidence of credential store access or wiping · surface password store access by unauthorized processes · runs locally
    file (any type) → file (any type)
  • browser search history gap analyzer
    drop chrome history sqlite csv or firefox places sqlite csv · detect gaps in search query history · identify periods of active browsing with no search terms recorded · surface selective search history deletion · runs locally
    file (any type) → file (any type)
  • browser search query extractor and timeline
    drop chrome history sqlite or firefox places sqlite · extract all search queries across all search engines · build a complete search timeline · identify search topics patterns and sensitive searches · runs locally
    file (any type) → file (any type)
  • browser service worker forensic analyzer
    drop service worker scripts or cache exports · persistent scripts · exfiltration · push abuse · offline attack vectors · runs locally
    file (any type) → file (any type)
  • browser session file reconstructor
    drop chrome current session current tabs last session or last tabs files · reconstruct open tabs and windows at time of capture · surface urls titles and navigation state from binary session files · runs locally
    file (any type) → file (any type)
  • browser session reconstructor
    drop browser history + cookie CSVs from other tools · cluster into sessions · reconstruct activity flow per domain · timeline view · export · runs locally
    file (any type) → file (any type)
  • browser session recovery from unallocated space
    drop a disk image or raw binary · scan unallocated space for browser session remnants · sqlite page fragments · leveldb entries · partial history records · recover browsing sessions that were deleted · runs locally
    file (any type) → file (any type)
  • browser session restore suppression detector
    drop mft csv or browser profile directory listing · detect deletion of browser session restore files · identify suppression of session data that would have preserved browsing state · surface last session reconstruction from remnants · runs locally
    file (any type) → file (any type)
  • browser storage forensic correlator
    drop indexeddb leveldb · localstorage json · cookies sqlite · cache exports · correlate session · auth tokens · pii · runs locally
    file (any type) → file (any type)
  • browser telemetry and crash reporting disable detector
    drop registry export or browser policy files · detect browser telemetry and usage statistics disabled · identify crash reporting suppression preventing cloud-side evidence · surface browser privacy hardening used to reduce forensic footprint · runs locally
    file (any type) → file (any type)
  • browser typed URL clearing artifact detector
    drop chrome history sqlite csv · detect cleared typed url records · identify gaps between typed urls and visit history · surface deliberate removal of directly typed navigation evidence · runs locally
    file (any type) → file (any type)
  • c2 callback interval analyzer
    drop pcap or zeek conn log · deep interval stats · c2 framework timing profiles · jitter estimation · export csv · runs locally
    file (any type) → file (any type)
  • c2 framework traffic fingerprinter
    drop pcap files or http log exports · fingerprint cobalt strike sliver havoc brute ratel metasploit c2 traffic · beacon interval analysis · malleable c2 profiles · jarm fingerprints · uri patterns · runs locally
    file (any type) → file (any type)
  • calendar invite and meeting forensic analyzer
    drop ics files or calendar exports · meeting history · attendees · recurrence · organizer graph · suspicious patterns · csv export · runs locally
    file (any type) → file (any type)
  • carousel splitter
    wide image → n seamless carousel panels · custom px · ig presets · flush left or centred · canvas colour · gap preview · zip · runs locally
    image → image
  • carplay android auto forensic analyzer
    ios carplay plist · google takeout android auto · infotainment sqlite/csv · navigation destinations · session timeline · csv/json export · runs locally
    file (any type) → file (any type)
  • carrier CDR forensic analyzer
    parse carrier call detail records and reconstruct calls, SMS, sessions, and subscriber activity · runs locally
    file (any type) → file (any type)
  • carrier tower location forensic reconstructor
    reconstruct approximate subscriber movement from carrier tower records and sector transitions · runs locally
    file (any type) → file (any type)
  • case
    camel · pascal · snake · kebab · title · 14 formats
    file (any type) → file (any type)
  • case report generator
    fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally
    file (any type) → file (any type)
  • center / pivot
    reset origin and re-center any 3d model
    3d → 3d
  • CertUtil abuse artifact detector
    drop 4688 or sysmon evtx csv · detect certutil used as downloader or decoder · identify base64 decode and url cache operations · surface all certutil abuse patterns with decoded content · runs locally
    file (any type) → file (any type)
  • chain of custody gap detector
    paste custody log csv · time gaps over threshold · missing signatures · export findings csv · runs locally
    file (any type) → file (any type)
  • change speed
    speed up or slow down · keep pitch (time-stretch) or shift pitch
    audio → audio
  • channel tools
    stereo ↔ mono · split left/right · swap stereo channels
    audio → audio
  • ChatGPT conversation export forensic analyzer
    parse ChatGPT exports, conversation JSON, uploaded file references, and account metadata · reconstruct AI conversation timelines, deleted thread evidence, uploaded file usage, and prompt evolution · runs locally
    file (any type) → file (any type)
  • checksum verifier
    drop a file · paste expected MD5 · SHA1 · SHA256 · SHA512 · verify download integrity · runs locally
    file (any type) → file (any type)
  • chromatic aberration
    rgb channel offset · directional or radial
    image → image
  • Chrome / Firefox / Edge SQLite history parser
    drop chrome firefox or edge sqlite history database file · parse visit history search terms and download records · reconstruct browsing timeline · identify high-risk domains and visit patterns · runs locally
    file (any type) → file (any type)
  • chrome extension analyzer
    drop crx or manifest.json · permissions audit · content scripts · risk score · script patterns · runs locally
    file (any type) → file (any type)
  • chrome history analyzer
    drop chrome history sqlite database · browsing timeline · top sites · searches · downloads · typed urls · timeline gaps · runs locally
    file (any type) → file (any type)
  • Chrome Omnibox typed URL and shortcut extractor
    drop chrome history sqlite and shortcuts sqlite · extract all urls typed directly into the chrome address bar · reconstruct deliberate navigation separate from link clicks · surface omnibox shortcut history and keyword shortcuts · runs locally
    file (any type) → file (any type)
  • Chrome sync artifact analyzer
    drop chrome sync data leveldb directory or sync sqlite · analyze synchronized browser data · reconstruct what was synced to google account · surface bookmarks history extensions and settings that persisted across devices · runs locally
    file (any type) → file (any type)
  • Chromium disk cache entry decoder
    drop chromium cache directory files (index data_0 data_1 data_2 data_3) · decode cached http responses · reconstruct cached web content · surface cached api responses credentials set-cookie headers and response bodies · runs locally
    file (any type) → file (any type)
  • ci/cd build artifact inspector
    drop zip/tar artifact · optional checksum manifest · sha-256 · unexpected binaries · entropy · .git in release · export csv · runs locally
    file (any type) → file (any type)
  • cipher identifier
    paste ciphertext or encoded data · identify base64 · hex · XOR · caesar · vigenere · rot13 · morse · and more · runs locally
    file (any type) → file (any type)
  • Claude conversation export forensic analyzer
    parse Claude exports and reconstruct prompt history, project usage, and AI interaction timelines · runs locally
    file (any type) → file (any type)
  • cloudflare waf & access log analyzer
    drop logpush json or csv · scanning · waf blocks · scanner ua · geo anomalies · path traversal · export csv · runs locally
    file (any type) → file (any type)
  • cluster allocation order timeline reconstructor
    drop an mft csv and bitmap · reconstruct the approximate order in which disk clusters were allocated · builds a rough file creation timeline even when timestamps are unavailable or have been tampered · runs locally
    file (any type) → file (any type)
  • cobalt strike config extractor
    drop beacon binary · xor keys 0x69 0x2e 0x00 · tlv config settings 1-70 · c2 sleep watermark flags · export json csv · runs locally
    file (any type) → file (any type)
  • code signing certificate analyzer
    drop signed pe or mach-o · pkcs#7 cert chain · expired self-signed flags · json text export · runs locally
    file (any type) → file (any type)
  • color laser printer microdot forensic decoder
    drop high-res scan · yellow microdot detection · xerox grid heuristics · serial/date decode when possible · runs locally
    file (any type) → file (any type)
  • color space converter
    detect icc profile · convert srgb · display p3 · batch · resize · tiff · heic · zip · runs locally
    image → image
  • com hijack detector
    drop hkcu and hklm classes registry exports · cross-reference clsid registrations · detect active com hijacks · csv export · runs locally
    file (any type) → file (any type)
  • com object & hijack analyzer
    drop hkcr or classes .reg · clsid hijack flags · hkcu vs hklm compare · top 30 known targets · csv export · runs locally
    file (any type) → file (any type)
  • COM object hijack residue detector
    drop registry export · detect user-level com registrations overriding system com objects · identify com hijacking artifacts used for persistence or uac bypass · surface hkcu com entries that shadow hklm entries · runs locally
    file (any type) → file (any type)
  • combine files → pdf
    mix pdfs and images into one pdf in any order
    file (any type) → pdf
  • combine images
    stack · grid · contact sheet · png / jpg / webp
    image → image
  • comfyui workflow forensic analyzer
    parse comfyui workflow json from png metadata or exports · node graph · prompts · checkpoints · export csv · runs locally
    file (any type) → file (any type)
  • company name normalizer
    strip legal suffixes · deduplicate · fuzzy cluster similar names · runs locally
    file (any type) → file (any type)
  • compare pdf
    diff two pdfs visually · side-by-side · per-page percentage
    pdf → file (any type)
  • compile time timezone analyzer
    drop pe file · read pe timestamp · map to timezone bands · business hours inference · runs locally
    file (any type) → file (any type)
  • compress image
    reduce file size
    image → image
  • compress pdf
    reduce file size · raster-flatten
    pdf → pdf
  • compress video
    shrink video · resolution · fps · quality presets · keeps audio
    video → video
  • container escape indicator detector
    drop k8s audit · docker logs · falco alerts · detect privileged abuse · hostpath · capability escape patterns · csv export · runs locally
    file (any type) → file (any type)
  • container image secret scanner
    drop docker image tar · scan layers for api keys · private keys · env files · credentials · layer attribution · csv export · runs locally
    file (any type) → file (any type)
  • convert 3d
    glb · gltf · obj · stl · fbx · 3mf · usdz · dae · ply
    3d → 3d
  • convert audio
    universal audio converter · wav · aiff · flac · mp3 · aac · ogg · opus · in also: m4a · webm · mp4 · 3gp · amr · ac3 · au · caf
    audio → audio
  • convert image
    universal image converter · jpg · png · webp · avif · bmp · gif · ico · tiff · in also: svg · heic · tga
    image → image
  • convert video
    transcode containers · mp4 · webm · mkv · mov · keeps audio · runs locally
    video → video
  • copy-move forgery detector
    drop an image · block-matching copy-move scan · suspicious region overlay · heuristic clone map · runs locally
    file (any type) → file (any type)
  • copy-paste behavior and data lineage tracer
    drop clipboard history exports · lnk file access times · recently opened files csvs · correlate what was copied from where and pasted where · trace data lineage across applications · build evidence of deliberate data extraction · runs locally
    file (any type) → file (any type)
  • corrupt image detector
    batch drop photos · check every file for corruption · truncation · bad EXIF · mismatched dimensions · export report · runs locally
    file (any type) → file (any type)
  • cortana and windows search query artifact gap detector
    drop mft csv and registry export · detect cortana search history cleared or disabled · identify windows search query gaps · surface suppression of local search activity evidence · runs locally
    file (any type) → file (any type)
  • cortana db analyzer
    drop cortana sqlite db · search history tables · row counts · timeline · device search · csv export · runs locally
    file (any type) → file (any type)
  • counter-investigation behavioral pattern detector
    drop multiple evtx csvs shimcache prefetch and registry exports · detect behaviors indicating suspect is aware of investigation · identify evidence of surveillance detection and counter-forensic activity · surface systematic investigation evasion · runs locally
    file (any type) → file (any type)
  • cover prepend
    drop a generated cover sheet on the front of a pdf
    pdf → pdf
  • covert channel communication artifact detectordrop sysmon network evtx csv or dns cache export · detect covert channel communication patterns · identify dns tunneling icmp tunneling and protocol abuse · surface data exfiltration hidden in legitimate protocol traffic · runs locally
    file (any type) → file (any type)
  • crash dump and minidump suppression detectordrop registry export and mft csv · detect crash dump generation disabled or dumps deleted · identify processes that crashed without leaving minidumps · surface kernel crash dump configuration tampering · runs locally
    file (any type) → file (any type)
  • crash dump batch triage analyzerdrop multiple windows minidump files · batch parse all dumps · extract faulting module · exception codes · process names · compile timestamps · surface exploit patterns across the collection · runs locally
    file (any type) → file (any type)
  • created-before-parent directory anomaly detectordrop mft csv · files created before parent directory · si and fn checks · directory clusters · runs locally
    file (any type) → file (any type)
  • credential artifact scannerdrop a memory dump · scan for plaintext credentials · NTLM hashes · OAuth tokens · API keys · session cookies · Base64 secrets · export CSV · runs locally
    file (any type) → file (any type)
  • Credential Guard and VBS disable artifact detectordrop system evtx csv and registry export · detect virtualization based security disabled · identify credential guard removal enabling credential theft · surface vbs configuration changes · runs locally
    file (any type) → file (any type)
  • credential harvesting tool artifact detectordrop prefetch csv · appcompat csv · evtx csv · file listing · detect mimikatz · lazagne · rubeus · certipy · impacket and 40+ credential tools from their artifacts · runs locally
    file (any type) → file (any type)
  • credential list normalizerbreach dump format detection · dedup · normalized csv · runs locally
    file (any type) → file (any type)
  • credential to lateral movement tracerdrop credential dumping evidence csvs · logon event csvs · admin share access · service install events · trace a specific credential from dump through use and propagation across systems · reconstruct the attack chain · runs locally
    file (any type) → file (any type)
  • cron job analyzerdrop crontab files or paste cron entries · parse schedule expressions · detect persistence · suspicious commands · network callbacks · export CSV · runs locally
    file (any type) → file (any type)
  • crop image: aspect ratio presets · drag to set · runs locally
    image → image
  • crop pdf: trim margins · pt / in / cm / mm · uniform or per page
    pdf → pdf
  • cross-device clipboard artifact forensic extractor: drop iOS clipboard plist · android logcat · samsung clipboard db · universal clipboard sync · snooping detection · runs locally
    file (any type) → file (any type)
  • crypto transaction graph: drop tx list csv · build adjacency · node edge counts · export nodes edges csv · runs locally
    file (any type) → file (any type)
  • crypto tx graph: paste json csv btc hex · directed graph · hub peel fan patterns · ascii viz · stats · csv json export · runs locally
    file (any type) → file (any type)
  • crypto wallet classifier: paste any crypto address · identify blockchain · validate checksum · address type · derivation format · runs locally
    file (any type) → file (any type)
  • cryptocurrency mixer and tumbler detector: drop bitcoin transaction csv · apply statistical analysis to detect mixing service patterns · equal output detection · timing patterns · coinjoin identification · peel chain vs mixed funds · estimate mixing confidence · runs locally
    file (any type) → file (any type)
  • csv → xlsx: bundle one or more csv files into one multi-sheet xlsx · auto-type cells
    spreadsheet → spreadsheet
  • csv ↔ json: convert csv ↔ json · auto-detect · header row · pretty
    spreadsheet → file (any type)
  • csv columns: pick · reorder · rename · drop columns · live preview
    spreadsheet → spreadsheet
  • csv dedupe: remove duplicate rows · all columns or by key · keep first or last
    spreadsheet → spreadsheet
  • csv file provenance and origin fingerprinter: drop csv files · identify which software generated them · excel vs python csv module vs mysql export vs postgres copy vs pandas vs r · detect generator from quoting style · line ending · bom · encoding · column header conventions · runs locally
    file (any type) → file (any type)
  • csv forensics tool: pii detection · duplicate rows · column quality · data quality score · runs locally
    file (any type) → file (any type)
  • csv join: vlookup-style join · inner · left · right · outer · key by column
    spreadsheet → spreadsheet
  • csv merge: stack csv files vertically · align by header name · optional source column
    spreadsheet → spreadsheet
  • csv repair: drop a malformed CSV · detect encoding · delimiter · misaligned columns · fix and preview · export clean file · runs locally
    file (any type) → file (any type)
  • csv stats: describe a csv · per-column type · missing · unique · sum · mean · min · max
    spreadsheet → spreadsheet
  • csv validator: check for malformed rows · inconsistent columns · encoding issues · duplicate headers · type warnings
    spreadsheet → file (any type)
  • Cursor editor forensic analyzer: analyze Cursor IDE artifacts including AI chat history, project interactions, prompt history, and generated code evidence · runs locally
    file (any type) → file (any type)
  • custom xml part artifact parser: drop docx xlsx pptx file · extract all custom xml parts · parse structured data bound to document content · surface hidden organizational metadata server paths schema namespaces and injected data · runs locally
    file (any type) → file (any type)
  • dashcam metadata forensic analyzer: embedded nmea · 36-byte gps structs · gpx/csv · g-force impact heuristics · waypoints csv · route json · runs locally
    file (any type) → file (any type)
  • data access pattern anomaly detector: drop file access logs or security evtx with object access events · compute per-user access baselines · detect bulk access · off-hours access · cross-department access · unusual file type access · statistical outlier sessions · runs locally
    file (any type) → file (any type)
  • data correlation engine: drop two csv files · fuzzy column match · jaccard overlap · join keys · matched record pairs · pearson correlation · export joined csv · runs locally
    file (any type) → file (any type)
  • database transaction log forensic analyzer: drop sql server ldf files or mysql binary log exports · parse transaction logs · recover insert update delete · rebuild modification history · runs locally
    file (any type) → file (any type)
  • daylight saving time artifact analyzer: drop event log or forensic csvs · skipped and repeated hour detection · dst transition calendar · export csv · runs locally
    file (any type) → file (any type)
  • debug symbol extractor: dwarf strings · pdb path · go buildinfo · rust panic hints · source paths · runs locally
    file (any type) → file (any type)
  • decimate mesh: reduce polygon count · meshoptimizer quadric · any 3d format
    3d → 3d
  • defender tamper protection bypass detector: drop windows defender operational evtx csv and security evtx csv · detect tamper protection bypass attempts · identify unauthorized defender configuration changes · surface methods used to modify defender despite tamper protection · runs locally
    file (any type) → file (any type)
  • deleted binary execution detector: drop execution artifact csvs plus a current file listing · identify binaries referenced in execution history that no longer exist on disk · high-value cleanup indicator · runs locally
    file (any type) → file (any type)
  • deleted file timeline: drop a disk image · extract all file timestamps including deleted entries · render interactive timeline · filter by type · date range · export CSV · runs locally
    file (any type) → file (any type)
  • deleted registry key remnant scanner: drop registry hive binary or reg export · scan for remnants of deleted registry keys in hive slack space · recover key names and values from deleted cells · surface what was removed from the registry · runs locally
    file (any type) → file (any type)
  • deliberate fragmentation pattern detector: drop mft csv with cluster run data · detect files with unusual fragmentation patterns · identify deliberate fragmentation used to slow forensic analysis · surface files spread across abnormally many clusters · runs locally
    file (any type) → file (any type)
  • dependency confusion attack detector: drop package.json requirements.txt go.mod · internal naming patterns · wildcard/0.0.0 versions · risk scores · csv export · runs locally
    file (any type) → file (any type)
  • device tree blob parser: drop .dtb fdt binary · node tree · compatible strings · memory map · cpu info · bootargs · json csv export · runs locally
    file (any type) → file (any type)
  • dex inspector: drop .dex or .apk · string pool · classes methods imports · flag suspicious android APIs · csv · runs locally
    file (any type) → file (any type)
  • dhcp log analyzer: dhcpd dnsmasq windows dhcp csv · ip mac hostname timeline · oui hints · starvation reuse anomalies · csv export · runs locally
    file (any type) → file (any type)
  • dicom medical imaging metadata forensic analyzer: drop dicom files · parse metadata tags · extract patient equipment data · detect anonymization failures · runs locally
    file (any type) → file (any type)
  • directory entry slack artifact extractor: drop directory entry export or mft csv with slack · extract artifacts from directory entry slack space · recover historical filenames and timestamps from directory index slack · surface evidence of deleted files from NTFS index slack · runs locally
    file (any type) → file (any type)
  • discord chat parser: drop a Discord data package ZIP · browse servers · channels · message history · attachments · reactions · export CSV · runs locally
    file (any type) → file (any type)
  • disk image hasher: drop any disk image · compute MD5 · SHA1 · SHA256 · SHA512 · sector-by-sector hash log · forensic chain of custody report · export PDF · runs locally
    file (any type) → file (any type)
  • disk imaging and acquisition tool execution detector: drop prefetch shimcache or 4688 evtx csv and mft csv · detect disk imaging tool execution · identify when disk images were created · surface forensic image files and acquisition method · runs locally
    file (any type) → file (any type)
  • disk wipe pattern identifier: drop binary sample of unallocated space or paste hex · identify wiping tool signatures · detect overwrite patterns · classify wipe method · surface partial file recovery prospects · runs locally
    file (any type) → file (any type)
  • dkim verifier: paste raw email and DKIM public key · relaxed canonicalization · body bh hash · WebCrypto RSA verify · step-by-step results · runs locally
    file (any type) → file (any type)
  • dkom hidden process detector: drop memory dump strings or process list exports from multiple sources · compare eprocess pspcidtable and handle table views · surface hidden processes · dkom rootkit detection · runs locally
    file (any type) → file (any type)
  • dll injection detector: drop a memory dump · find PE headers at unexpected offsets · detect RWX regions · mismatched module names · hollow process indicators · runs locally
    file (any type) → file (any type)
  • dll injection indicator analyzer: drop volatility dlllist or ldrmodules or malfind output · detect injected dlls and module anomalies · suspicious paths · cross-plugin correlation · runs locally
    file (any type) → file (any type)
  • dll search order hijack detector: drop file listing and optional sysmon imageload csv · dlls loaded from unexpected paths · known hijack targets · csv export · runs locally
    file (any type) → file (any type)
  • dns over tls and dns over https detector: drop pcap · dot on 853 · doh sni patterns · encrypted dns clients · c2 beaconing hints · csv export · runs locally
    file (any type) → file (any type)
  • dns query analyzer: drop a PCAP or paste DNS log · extract queries · detect DGA patterns · DNS tunneling · high-frequency domains · suspicious TLDs · export CSV · runs locally
    file (any type) → file (any type)
  • dns query log analyzer: drop dns server logs · query frequency · dga detection · beaconing · nxdomain patterns · top domains · runs locally
    file (any type) → file (any type)
  • DNS query log gap analyzer: drop dns debug log csv or sysmon dns evtx csv · detect gaps in dns resolution logging · identify windows where dns activity was not recorded · surface dns logging disable events · runs locally
    file (any type) → file (any type)
  • dns query timeline builder: drop pcap or dns log · parse queries and responses · build timeline · nxdomain and dga patterns · export csv · runs locally
    file (any type) → file (any type)
  • dns tunneling detector: drop pcap or dns log · high-entropy subdomains · long query names · dns c2 and exfil channels · export csv · runs locally
    file (any type) → file (any type)
  • docker forensic artifact analyzer: drop docker daemon logs · container inspect json exports · image history · volume listings · network configurations · reconstruct container lifecycle · detect suspicious containers · data exfiltration via volumes · runs locally
    file (any type) → file (any type)
  • docker image analyzer: drop a docker image tar · layer structure · filesystem changes · sensitive files · build history · runs locally
    file (any type) → file (any type)
  • docker image inspector: drop a docker save .tar · parse layers · manifest · config · view file changes per layer · detect secrets in history · show build commands · runs locally
    file (any type) → file (any type)
  • docker image layer diff analyzer: drop two docker image tars · compare layers · files added modified deleted · suid cron ssh backdoor flags · csv export · runs locally
    file (any type) → file (any type)
  • document comment and annotation extractor: drop docx xlsx pptx or pdf file · extract all comments annotations and notes · reconstruct reviewer identities and timestamps · surface deleted comments and resolve comment threads · runs locally
    file (any type) → file (any type)
  • document embedded object extractor: drop DOCX · XLSX · PDF · extract embedded OLE objects · images · linked files · hidden streams · download all found objects · runs locally
    file (any type) → file (any type)
  • document geolocation metadata extractor: drop docx xlsx pptx pdf or any office file · extract gps coordinates embedded in document images and metadata · reconstruct where the document was created or edited · surface all location-bearing artifacts · runs locally
    file (any type) → file (any type)
  • document hidden print history extractor: drop docx xlsx pptx doc xls ppt · hidden print audit trail · printer name · print timestamp · page count · every print job · runs locally
    file (any type) → file (any type)
  • document language and authorship fingerprinter: drop text files · stylometry · dialect · native language hints · authorship similarity matrix · runs locally
    file (any type) → file (any type)
  • document language and locale forensic analyzer: drop docx xlsx pptx or pdf file · extract all language and locale settings · identify mismatches between claimed and actual language · surface locale artifacts revealing author's system settings · runs locally
    file (any type) → file (any type)
  • document metadata genealogy tracer: drop related documents · trace ancestor versions through metadata · revision counts · author chains · template references · printer fingerprints · reconstruct document family history · runs locally
    file (any type) → file (any type)
  • document metadata vs filesystem timestamp conflict detector: drop document files or metadata csv · extract internal document timestamps · compare against filesystem creation and modification times · detect document timestamps inconsistent with filesystem evidence · runs locally
    file (any type) → file (any type)
  • document recovery artifact extractor: drop docx xlsx or doc file · extract auto-recovery and backup metadata · identify document recovery file paths · surface machine names and usernames embedded in recovery artifact information · runs locally
    file (any type) → file (any type)
  • document template origin tracer: drop docx or dotx file · extract template attachment information · trace document lineage to original template · identify template server paths revealing organizational infrastructure · surface template metadata for attribution · runs locally
    file (any type) → file (any type)
  • document thumbnail forensic extractor: drop docx xlsx pptx or doc xls ppt pdf file · extract embedded thumbnail images · recover document preview snapshots · surface thumbnail content that may differ from the current document state · runs locally
    file (any type) → file (any type)
  • document total editing time forensic analyzer: drop office documents · extract total editing time in minutes embedded by office · compare against claimed creation date and context · detect documents that were heavily worked on despite claiming to be quick drafts · surface time anomalies · runs locally
    file (any type) → file (any type)
  • docx revision tracker: drop a .docx file · extract tracked changes · revision history · author metadata · comments · deleted text · insertion dates · runs locally
    file (any type) → file (any type)
  • domain analyzer: punycode idn · homoglyph warnings · dga score · typosquat compare · runs locally
    file (any type) → file (any type)
  • domain reputation analyzer: paste domains or IPs · score by entropy · TLD risk · homoglyph detection · DGA patterns · punycode abuse · age heuristics · no external lookup · runs locally
    file (any type) → file (any type)
  • dotnet assembly inspector: drop .exe/.dll · PE CLR header · BSJB metadata · typedef methoddef assemblyref · flag P/Invoke APIs · csv · runs locally
    file (any type) → file (any type)
  • double extortion evidence collector: drop mft csv · evtx csv · proxy logs · identify data staging directories · compression artifacts · cloud upload indicators · estimate what data was stolen before encryption · runs locally
    file (any type) → file (any type)
  • download history analyzer: drop Chrome or Firefox history SQLite · extract downloaded files · source URLs · referrers · timestamps · flag suspicious domains · export CSV · runs locally
    file (any type) → file (any type)
  • dpapi artifact analyzer: drop dpapi blob export or registry csv · identify master key scope · flag credential vault entries · correlate user sids · runs locally
    file (any type) → file (any type)
  • drone flight log analyzer: parse dji csv or gpx · gps track · home point · camera triggers · runs locally
    file (any type) → file (any type)
  • dual SIM artifact forensic analyzer: analyze dual-SIM Android devices and reconstruct per-slot carrier, usage, and identity evidence · runs locally
    file (any type) → file (any type)
  • duotone: two-tone color grade · shadows + highlights · presets
    image → image
  • duplicate event record detector: drop evtx csv · detect exact duplicate event records · identify injected synthetic duplicates · surface events that appear twice with identical content but different record IDs · runs locally
    file (any type) → file (any type)
  • duplicate file finder: hash manifest csv · duplicate groups · md5 sha1 sha256 · path clustering · runs locally
    file (any type) → file (any type)
  • e01 image reader: drop .E01/.E02 segments · parse EWF sections · disk params · chunk table · MBR hex · sample MD5 · metadata export · runs locally
    file (any type) → file (any type)
  • EFS encrypted file cluster pattern analyzer: drop mft csv · detect encrypted file system usage patterns · identify mass efs encryption events · surface encryption used to hide data before investigation · correlate with certificate and key evidence · runs locally
    file (any type) → file (any type)
  • electric network frequency audio authenticator: drop wav/mp3 · extract enf drift · splice checks · starter reference correlation · investigative only · runs locally
    file (any type) → file (any type)
  • elf analyzer: drop a Linux binary · parse ELF headers · sections · dynamic symbols · dependencies · section entropy · detect suspicious attributes · runs locally
    file (any type) → file (any type)
  • elf binary analyzer: drop a linux elf executable or library · architecture · sections · imports · exports · strings · packer detection · security flags · runs locally
    file (any type) → file (any type)
  • email attachment hash extractor and analyzer: drop eml files or mbox · extract all attachments · compute md5 sha1 sha256 hashes · identify file types by magic bytes · surface suspicious attachment types and hash-based threat intel lookup links · runs locally
    file (any type) → file (any type)
  • email attachment scanner: drop .eml or .msg · extract every attachment · check MIME type vs actual content · flag macro-enabled docs · executables disguised as other formats · export inventory · runs locally
    file (any type) → file (any type)
  • email bounce and ndr forensic analyzer: drop bounced eml or ndr messages · delivery failure codes · mail infrastructure map · valid vs invalid recipients · csv export · runs locally
    file (any type) → file (any type)
  • email carver: drop any binary · disk image · memory dump · scan for rfc 2822 email headers · extract complete emails · reconstruct eml files · runs locally
    file (any type) → file (any type)
  • email client fingerprint deep analyzer: drop eml files · perform deep multi-signal fingerprinting of the email client or service · cross-reference message-id mime structure encoding and header patterns · produce a confidence-ranked list of likely senders · runs locally
    file (any type) → file (any type)
  • email delay anomaly detector: drop multiple eml files or mbox · detect unusual delays in email delivery · identify emails that sat in queues longer than expected · surface time manipulation and retrograde timestamp anomalies across message batches · runs locally
    file (any type) → file (any type)
  • email encoding anomaly detector: drop eml files or paste raw email · detect unusual or inconsistent encoding in email headers and body · surface charset mismatches double encoding and deliberate encoding obfuscation · identify encoding used to bypass filters · runs locally
    file (any type) → file (any type)
  • email header analyzer: paste raw email headers · trace hop-by-hop routing · SPF · DKIM · DMARC · detect spoofing · visualize delivery path · runs locally
    file (any type) → file (any type)
  • email HTML payload extractor and analyzer: drop eml files · extract html body from mime · analyze html structure for malicious patterns · surface embedded scripts iframes tracking pixels and obfuscated content · runs locally
    file (any type) → file (any type)
  • email impersonation pattern detector: drop multiple eml files or paste headers · detect display name spoofing domain lookalikes and reply-to hijacking · identify impersonation patterns targeting specific individuals or organizations · surface BEC and CEO fraud indicators · runs locally
    file (any type) → file (any type)
  • email metadata stripping detector: drop eml files or paste headers · detect evidence that metadata was stripped from the email before sending · identify missing headers that should be present · surface privacy-enhancing metadata removal indicating deliberate anonymization · runs locally
    file (any type) → file (any type)
  • email pattern analyzer: extract emails · validate format · disposable providers · pattern inference · runs locally
    file (any type) → file (any type)
  • email reply-chain reconstructor: drop eml files or mbox · extract and reconstruct quoted reply chains from email bodies · surface original messages hidden in reply threads · identify content added at each reply stage · detect reply chain manipulation · runs locally
    file (any type) → file (any type)
  • email spoofing and SPF/DKIM/DMARC header validator: paste raw email headers or drop eml file · validate authentication headers · detect spoofing indicators · surface spf dkim and dmarc results · identify header inconsistencies indicating spoofed or forged email · runs locally
    file (any type) → file (any type)
  • email thread reconstructor: drop multiple eml files or mbox · reconstruct conversation threads using message-id in-reply-to and references headers · visualize reply chains · surface missing messages in threads and identify thread hijacking · runs locally
    file (any type) → file (any type)
  • email thread reconstructor: drop multiple .eml files · Message-ID References In-Reply-To tree · missing parent flags · flat timeline · CSV export · runs locally
    file (any type) → file (any type)
  • email timezone inference tool: drop multiple eml files or mbox · infer sender timezone from email date headers and received timestamps · reconstruct sender working hours · surface timezone inconsistencies across a correspondence set · runs locally
    file (any type) → file (any type)
  • embedded ole object extractor: drop docx xlsx pptx or doc xls ppt file · extract all embedded ole objects · identify embedded documents executables and packages · compute hashes · surface embedded objects with suspicious types or contents · runs locally
    file (any type) → file (any type)
  • embedded script detector: drop any file · scan for embedded JavaScript · VBA · PowerShell · Python · shell · eval chains · base64 decode sequences · suspicious URLs · runs locally
    file (any type) → file (any type)
  • embedding cache forensic extractor: parse local embedding cache json · chunk previews · dimensions · export csv · runs locally
    file (any type) → file (any type)
  • eml / msg parser: drop a .eml or .msg file · extract headers · body · attachments · MIME parts · metadata · runs locally
    file (any type) → file (any type)
  • eml deep analyzer: drop an eml file · full mime parsing · routing headers · spf dkim dmarc · attachment extraction · ioc extraction · spoofing detection · runs locally
    file (any type) → file (any type)
  • encoding forensics extractor: file drop · embedded base64 · hex · url scan · iterative decode tree · runs locally
    file (any type) → file (any type)
  • encrypted communication detector: drop network logs pcap or connection data · detect encrypted channels · non-standard ports · tunneling · covert channels · runs locally
    file (any type) → file (any type)
  • encrypted volume detector: drop a disk image · detect veracrypt truecrypt bitlocker luks · identify encrypted partitions · entropy analysis · header signatures · runs locally
    file (any type) → file (any type)
  • entropy mapper: visualize entropy across any file · heatmap by block · find encrypted regions · embedded files · corruption boundaries · runs locally
    file (any type) → file (any type)
  • environmental keying and sandbox evasion detector: drop pe binaries or shellcode · vm detection · sleep evasion · anti-debug · domain and user checks · runs locally
    file (any type) → file (any type)
  • escape: escape · unescape · json · html · url · sql · regex · shell · c
    file (any type) → file (any type)
  • ese extensible storage engine database forensic analyzer: drop ese jet database files · parse table schema · extract records · recover deleted rows · windows search bits · runs locally
    file (any type) → file (any type)
  • esim provisioning artifact forensic extractor: parse Android eSIM provisioning artifacts and reconstruct profile download, activation, and carrier provisioning history · runs locally
    file (any type) → file (any type)
  • ethereum transaction decoder: paste raw ethereum transaction hex · rlp decode · from to value gas · erc20 calldata · runs locally
    file (any type) → file (any type)
  • etw provider disable and tampering detector: drop system evtx csv or autologger registry export · detect event tracing for windows provider disablement · identify autologger session tampering · surface removal of telemetry and forensic data sources · runs locally
    file (any type) → file (any type)
  • ev charging session forensic analyzer: chargepoint · evgo · tesla · ea csv · session timeline · home/work inference · dcfc road-trip segments · csv/json export · runs locally
    file (any type) → file (any type)
  • event log backup artifact analyzer: drop evtx csv or system evtx · detect automatic event log backup events · identify backup files created before log clearing · surface evidence that backups were taken then destroyed · runs locally
    file (any type) → file (any type)
  • event log channel disable detector: drop system evtx csv or wevtutil output · detect individual log channels disabled · identify forensically significant channels that were turned off · surface evidence collection blind spots created · runs locally
    file (any type) → file (any type)
  • event log channel manipulation detector: drop evtx csvs and system registry exports · detect disabled event log channels · reduced log maximum sizes · custom channel configurations · identify logging gaps caused by deliberate channel manipulation · runs locally
    file (any type) → file (any type)
  • event log computer name spoofing detector: drop evtx csv from multiple sources · detect events claiming to originate from unexpected computer names · identify log injection using spoofed source computer names · surface events inconsistent with the machine that generated them · runs locally
    file (any type) → file (any type)
  • event log export timing anomaly detector: drop security evtx csv · detect evidence of event log export operations · identify logs that were exported then cleared · surface wevtutil epl and other export commands preceding clearing · runs locally
    file (any type) → file (any type)
  • event log file and channel ACL modification detector: drop security evtx csv · detect permission changes on evtx log files or channels · identify access restrictions preventing forensic reading · surface acl modifications locking investigators out of log data · runs locally
    file (any type) → file (any type)
  • event log record overwrite pattern detector: drop evtx csv · detect evidence that log records were overwritten due to size constraints · identify intentionally triggered overwrite attacks · surface evidence of forced log rotation destroying historical records · runs locally
    file (any type) → file (any type)
  • event log selective deletion detector: drop evtx csv · detect record ID sequence gaps indicating selective event deletion · identify missing event ranges · score tampering probability · surface what was removed · runs locally
    file (any type) → file (any type)
  • event log sequence number deep gap analyzer: drop multiple evtx csvs · cross-channel sequence number analysis · detect record ID gaps across all loaded channels simultaneously · identify coordinated multi-channel deletion · surface which channels were targeted · runs locally
    file (any type) → file (any type)
  • event log service stop detector: drop security or system evtx csv · detect event log service stops and restarts · correlate gaps with adjacent events · surface windows event log service manipulation · identify log blackout windows · runs locally
    file (any type) → file (any type)
  • event log service stop detector: drop evtx csv · 1100 1101 1102 104 7036 7040 4719 4907 · 4688 sc stop wevtutil cl · gap detection · ±5min correlation · csv export · runs locally
    file (any type) → file (any type)
  • event log size and retention tampering detector: drop system evtx csv or registry export · detect event log maximum size reductions · identify retention policy changes · surface configuration that caused evidence overwriting · runs locally
    file (any type) → file (any type)
  • event log source registration tampering detector: drop registry export · detect modified event log source registrations · identify providers removed or added to hide or inject events · surface manipulation of the event provider registry · runs locally
    file (any type) → file (any type)
  • event log thread ID and process ID anomaly detector: drop security evtx csv · detect events with impossible or anomalous process and thread IDs · identify synthetic events with invalid PID/TID values · surface fabricated log entries detectable by process context · runs locally
    file (any type) → file (any type)
  • event log time source conflict detector: drop evtx csvs from multiple channels · detect timestamp inconsistencies between channels that should be synchronized · identify events that contradict each other temporally · surface clock manipulation artifacts across log sources · runs locally
    file (any type) → file (any type)
  • evidence chain of custody tracker: track evidence items · transfers · analysis log · hash-wasm compute · disposition · export pdf coc report · json case file · runs locally
    file (any type) → file (any type)
  • evidence gap analyzer: one or more timeline csvs · bucket density · gap detection · css heatmap · remediation hints · export gap csv · runs locally
    file (any type) → file (any type)
  • evidence manifest generator: drop evidence files · compute md5 sha1 sha256 · chain of custody manifest · case number · analyst · export pdf and csv · runs locally
    file (any type) → file (any type)
  • evidence of evidence deletion detector: drop mft csv · usn journal · evtx csvs · prefetch csvs · prove that specific forensic artifacts were deliberately destroyed · mft entries for deleted tool execution logs · prefetch for cleanup utilities · usn entries for mass deletions · the meta-forensic layer · runs locally
    file (any type) → file (any type)
  • evidence of evidence deletion detector: drop mft usn journal prefetch shimcache and evtx csvs · detect coordinated multi-artifact evidence destruction · identify systematic cleanup campaigns · score the overall anti-forensic effort · surface the full picture of what was removed · runs locally
    file (any type) → file (any type)
  • excel formula extractorxlsx xlsm zip xml · legacy xls biff · dde webservice hyperlinks externals · hidden sheets · severity tags · csv export · runs locally
    file (any type) → file (any type)
  • execution artifact cross-source correlatordrop prefetch · amcache · shimcache · srum · userassist csvs · find the same binary across all sources · unified execution timeline · highlight multi-source corroboration · runs locally
    file (any type) → file (any type)
  • execution time vs login session conflict detectordrop security evtx csv and shimcache or prefetch csv · detect execution evidence occurring outside known login sessions · identify executions that cannot be attributed to any user session · surface phantom execution gaps indicating anti-forensic log manipulation · runs locally
    file (any type) → file (any type)
  • exfat recoverydrop .img/.dd image · parse exFAT boot sector · FAT walk · deleted entries · file tree · hex preview · recover download · csv · runs locally
    file (any type) → file (any type)
  • exif fixer: drop JPEGs with broken or missing EXIF · repair corrupt tags · rebuild missing timestamp from filename · batch redate · download fixed files · runs locally
    file (any type) → file (any type)
  • exif map: visualize gps coords from photo exif on a map · batch · runs locally
    image → image
  • expert witness statement formatter: paste technical forensics findings · reformat in plain language suitable for legal proceedings · identify jargon · suggest plain explanations · structured legal statement format · runs locally
    file (any type) → file (any type)
  • ext4 recovery: drop an ext4 disk image · parse inode table · recover unlinked inodes · extract file content from surviving data blocks · runs locally
    file (any type) → file (any type)
  • extract: unzip zip · 7z · rar · tar · gz · bz2 · xz · zst
    file (any type) → file (any type)
  • extract audio: pull audio track from video · mp3 / wav / aiff
    video → audio
  • extract frames: grab a single frame · every n · by interval · or every frame · zip output
    video → image
  • extract textures: pull every embedded image out of any 3d model
    3d → image
  • face swap artifact detector: drop an image · jawline color mismatch · compression boundary heuristics · face-region signal table · runs locally
    file (any type) → file (any type)
  • facebook data export parser: drop Facebook data export ZIP · parse messages · friends · posts · ads · location · search history · devices · export CSV · runs locally
    file (any type) → file (any type)
  • fade: fade-in / fade-out · linear · exp · log · ease
    audio → audio
  • fat32 recovery: drop a FAT32 disk image · scan for deleted file entries · recover files marked deleted but not overwritten · export zip · runs locally
    file (any type) → file (any type)
  • favicon database forensic gap analyzer: drop chrome favicon db csv or firefox favicons sqlite csv · detect favicon records for domains with no corresponding history · surface browsing activity preserved in favicon cache after history was cleared · runs locally
    file (any type) → file (any type)
  • favicon database forensic parser: drop chrome favicons sqlite · extract all favicon-linked urls from the favicon database · reconstruct browsing evidence that survives history clearing · surface ghost visit urls preserved in favicon cache after history deletion · runs locally
    file (any type) → file (any type)
  • file access to process correlator: drop sysmon event 11 file create · event 23 file delete · mft csv · evtx 4663 · link file creation and access events to the responsible process · build per-process file activity timeline · identify data staging by process · runs locally
    file (any type) → file (any type)
  • file autopsy: drop any file · magic bytes · real format vs extension · entropy · hex header · embedded signatures · damage assessment · runs locally
    file (any type) → file (any type)
  • file birth time deep analyzer: drop mft csv · compare si vs fn vs indx · detect birth time inconsistencies · copy vs create · export csv · runs locally
    file (any type) → file (any type)
  • file carve conflict and overlap resolver: drop a raw disk image · identify regions where multiple file carve candidates overlap · score each candidate using structure validity entropy and context · surface the most likely valid interpretation of contested disk regions · runs locally
    file (any type) → file (any type)
  • file carver: scan any binary for embedded files · JPEG · PNG · PDF · ZIP · MP4 · SQLite · 30+ signatures · extract all · download zip · runs locally
    file (any type) → file (any type)
  • file carving anti-detection pattern detector: drop a disk image or binary file · detect deliberate partial overwrite of file headers to prevent carving · identify files with valid bodies but corrupted magic bytes · surface anti-carving techniques · runs locally
    file (any type) → file (any type)
  • file dna structural fingerprinter: drop any files · structural fingerprint beyond hash · near-duplicate clusters · ssdeep tlsh section string layers · runs locally
    file (any type) → file (any type)
  • file entropy slicer: drop any file · interactive entropy heatmap with zoom · click any block to inspect hex · detect encrypted regions · compressed sections · hidden data boundaries · runs locally
    file (any type) → file (any type)
  • file extension vs magic byte mismatch scanner: drop file listing with hashes or paste file paths and first bytes · detect files with extensions inconsistent with their actual content type · identify renamed malware and hidden payloads · surface extension-based camouflage · runs locally
    file (any type) → file (any type)
  • file integrity verifier: drop checksum manifests plus payload files · md5 sha1 sha256 sha512 · verified mismatch missing · certutil · chunked hashing · csv txt export · runs locally
    file (any type) → file (any type)
  • file shredder remnant and signature scanner: drop mft csv usn journal csv or file listing · detect execution artifacts of file shredding tools · identify sdelete eraser bleachbit cipher patterns · surface files that were securely deleted · runs locally
    file (any type) → file (any type)
  • file signature batch scanner: drop hundreds of files · detect extension mismatch · magic bytes vs declared extension · batch triage · export report · runs locally
    file (any type) → file (any type)
  • file size vs content mismatch detector: drop file listing with sizes or mft csv · detect files with logical size inconsistent with their type · identify zero-byte executables and oversized text files indicating hidden or replaced content · runs locally
    file (any type) → file (any type)
  • fileless malware artifact extractor: drop memory dump strings output · evtx csv · registry exports · extract process-injected code indicators · identify fileless payload artifacts · powershell fileless patterns · wmi fileless persistence · runs locally
    file (any type) → file (any type)
  • filesystem clock accuracy validator: drop a disk image or mft csv with event logs · cross-correlate timestamps with ntp sync events · tls certificate timestamps · email received headers · establish how accurate the system clock actually was · detect deliberate clock manipulation · runs locally
    file (any type) → file (any type)
  • filesystem diff: drop two file manifests (CSV from evidence-manifest-generator) · detect files added · deleted · modified · hash changed · size changed between snapshots · export diff · runs locally
    file (any type) → file (any type)
  • filesystem event lsn ordering validator: drop logfile operation csv and mft csv · use log sequence numbers as tamper-resistant event ordering · prove which file system events occurred first · expose timestamp inversions that are physically impossible · validate or invalidate claimed event sequences · runs locally
    file (any type) → file (any type)
  • filesystem journal reader: drop an ext3/ext4 image · parse the ext journal (JBD2) · list recent transactions · recover files from journal commits · runs locally
    file (any type) → file (any type)
  • firefox history analyzer: drop firefox places.sqlite · browsing history · bookmarks · searches · downloads · frecency · runs locally
    file (any type) → file (any type)
  • Firefox Multi-Account Container identity artifact parser: drop firefox sessionstore jsonlz4 and containers json and permissions sqlite · reconstruct container identities and their associated browsing activity · surface which sites were accessed under which identity · identify compartmentalized browsing patterns · runs locally
    file (any type) → file (any type)
  • firefox sessionstore analyzer: drop sessionstore.jsonlz4 · mozilla lz4 decompress · open closed tabs · form data scroll stats · search urls titles · runs locally
    file (any type) → file (any type)
  • Firefox sessionstore.jsonlz4 parser: drop firefox sessionstore jsonlz4 or sessionstore js file · decompress and parse firefox session data · reconstruct all open tabs windows and navigation history · surface form data scroll positions and tab group state · runs locally
    file (any type) → file (any type)
  • firewall rule deletion burst detector: drop security evtx csv · detect bulk firewall rule deletion · identify removal of network monitoring rules · surface firewall configuration destruction enabling unmonitored network communication · runs locally
    file (any type) → file (any type)
  • firmware hardcoded credential scanner: drop firmware binary · passwords · api keys · private keys · jwt · default creds · internal ips · severity table · csv export · runs locally
    file (any type) → file (any type)
  • firmware image analyzer: drop a firmware image · detect format · extract filesystem · find credentials · ssh keys · certificates · hardcoded strings · runs locally
    file (any type) → file (any type)
  • fitbit artifact forensic extractor: parse Fitbit exports, sync artifacts, activity records, and biometric data and reconstruct wearable activity evidence · runs locally
    file (any type) → file (any type)
  • flatten pdf: bake form fields · strip annotations · purge javascript
    pdf → pdf
  • font converter: ttf · otf · woff · woff2 · convert between formats · runs locally
    file (any type) → file (any type)
  • forensic acquisition method and timeline reconstructor: drop prefetch shimcache mft and security evtx csvs · reconstruct the complete forensic acquisition timeline · identify what was collected when and by whom · surface the investigation method and any collection gaps · runs locally
    file (any type) → file (any type)
  • forensic artifact confidence scorer: drop forensic finding csvs · score chain of custody · reliability · corroboration · output is a heuristic confidence triage · not an admissibility determination · runs locally
    file (any type) → file (any type)
  • forensic boot media usage artifact detector: drop system evtx csv and registry export · detect evidence of booting from external media · identify usb boot events and alternate os boot artifacts · surface forensic live boot or attacker bootable media usage · runs locally
    file (any type) → file (any type)
  • forensic case metadata tracker: track case information · examiner details · tools used · hash values · evidence items · export a standardized case log as pdf · import and continue previous sessions · runs locally
    file (any type) → file (any type)
  • forensic finding formatter: form-driven finding block · timestamps normalized to iso · evidence numbered · live markdown preview · export md/txt · runs locally
    file (any type) → file (any type)
  • forensic image integrity verifier: drop e01 or aff image files with accompanying hash manifests · verify hash chains · check internal segment hashes · detect any modification to forensic images · validate chain of custody integrity · runs locally
    file (any type) → file (any type)
  • forensic imaging tool artifact detector: drop prefetch shimcache amcache or mft csv · detect forensic imaging tool execution on the suspect machine · identify when the machine was imaged · surface imaging artifacts and write blocker evidence · runs locally
    file (any type) → file (any type)
  • forensic investigator account artifact detector: drop security evtx csv · detect accounts created for forensic examination purposes · identify investigator logon sessions · surface examination timeline and investigator account activity · runs locally
    file (any type) → file (any type)
  • forensic timeline builder: drop CSV exports from any forensic tool · merge EVTX · prefetch · LNK · browser history · recycle bin into one chronological timeline · filter · export · runs locally
    file (any type) → file (any type)
  • forensic timestamp decoder: paste any timestamp value · decode as Windows FILETIME · Unix · Mac Absolute · .NET ticks · Chrome microseconds · GPS · OLE date · HFS+ · all formats at once · runs locally
    file (any type) → file (any type)
  • forensic tool execution artifact detector: drop prefetch shimcache amcache or 4688 evtx csv · detect forensic investigation tools run on the suspect machine · identify who ran forensic tools and when · surface examiner or attacker tool reconnaissance on the machine · runs locally
    file (any type) → file (any type)
  • ftp session reconstructor: drop pcap or pcapng · control port 21 user pass retr stor pasv port · data channel match · credentials · download zip · export csv · runs locally
    file (any type) → file (any type)
  • full disk entropy heatmap mapper: drop a raw disk image · compute shannon entropy for every 512-byte sector · render a full disk entropy heatmap · instantly visualize where encrypted compressed or random data lives vs normal filesystem content · locate hidden encrypted volumes · runs locally
    file (any type) → file (any type)
  • full windows persistence map: drop registry exports · scheduled task xml · startup listings · service exports · wmi exports · unified persistence view · csv export · runs locally
    file (any type) → file (any type)
  • future timestamp artifact detector: drop mft or artifact csv · detect files with timestamps in the future · identify timestamps before system installation · surface impossible date values · correlate with system clock evidence · runs locally
    file (any type) → file (any type)
  • fuzzy hash calculator: drop files · compute ssdeep and tlsh · compare similarity · find malware variants · runs locally
    file (any type) → file (any type)
  • gain: boost or attenuate audio in dB · soft-clip protect
    audio → audio
  • gan fingerprint detector: drop an image · fft grid periodicity · color histogram anomalies · synthetic likelihood score 0–100 · runs locally
    file (any type) → file (any type)
  • garmin artifact forensic extractor: parse Garmin wearable artifacts including workouts, GPS tracks, heart rate, and synced activities · runs locally
    file (any type) → file (any type)
  • gcp audit log analyzer: drop google cloud audit log json · api calls · iam changes · storage access · vm events · security findings · runs locally
    file (any type) → file (any type)
  • gif → video: shrink animated gifs · mp4 · webm
    image → video
  • gif rescue: repair corrupt GIF · validate header · image descriptor blocks · frame table · reconstruct what plays · download fixed file · runs locally
    file (any type) → file (any type)
  • gis and gps track forensic analyzer: drop kml gpx geojson or csv files with coordinates · extract all location data · reconstruct movement timeline · identify locations · correlate timestamps with other artifacts · detect location spoofing · runs locally
    file (any type) → file (any type)
  • git history secret scanner: paste git log -p · scan added lines only · mask secrets · commit file line · csv export · runs locally
    file (any type) → file (any type)
  • git repository forensic analyzer: drop a .git directory or git bundle file · extract full commit history · recover deleted commits via reflog · stash contents · author metadata · file change history · detect secret leaks in history · runs locally
    file (any type) → file (any type)
  • github actions workflow log analyzer: drop workflow logs · secret patterns · nc/curl suspicious · permissions summary · critical banner · export csv · runs locally
    file (any type) → file (any type)
  • github audit log analyzer: drop github enterprise audit log json or csv export · parse repository and organization events · surface suspicious access patterns force pushes secret scanning alerts and member changes · reconstruct git activity timeline · runs locally
    file (any type) → file (any type)
  • github audit log parser: json or jsonl audit export · action actor org repo · repo org hook oauth protected branch secret scanning · suspicious flags · export csv · runs locally
    file (any type) → file (any type)
  • GitHub Copilot usage artifact analyzer: reconstruct GitHub Copilot usage, completions, and AI-assisted coding workflows · runs locally
    file (any type) → file (any type)
  • go symbol extractor: drop elf pe mach-o · gopclntab magic · function names · go.buildinfo module · offensive package flags · csv export · runs locally
    file (any type) → file (any type)
  • golden ticket detector: drop security evtx csv · identify 4769 events with impossible ticket lifetimes · unusual encryption types · cross-realm tickets · detect golden and silver ticket use · runs locally
    file (any type) → file (any type)
  • google account artifact forensic extractor: drop android accounts_ce.db gms databases or sync state files · parse google accounts service authorizations and grants · extract android_id gsf_id fcm token · runs locally
    file (any type) → file (any type)
  • Google Gemini activity forensic analyzer: parse Gemini activity exports and reconstruct prompts, account usage, and AI interactions · runs locally
    file (any type) → file (any type)
  • google home artifact forensic analyzer: drop assistant my activity exports json html or zip · categorize cast speaker routines · device phrase inventory · timeline csv json · runs locally
    file (any type) → file (any type)
  • google pay artifact forensic extractor: drop Android Google Pay database files from the app data directory · parse enrolled payment methods, transaction records, and loyalty card artifacts · surface device account numbers, merchant interactions, and payment timestamps · identify transit pass and loyalty program usage · runs locally
    file (any type) → file (any type)
  • google takeout archive forensic parser: drop google takeout zip or individual takeout json csv html files · parse account activity across all google services · reconstruct location history search history youtube watch history gmail metadata and drive activity · surface forensic timeline across all google products · runs locally
    file (any type) → file (any type)
  • google takeout forensic analyzer: drop google takeout zip or extracted folder · parse location search youtube chrome gmail photos calendar activity · reconstruct account timeline · surface behavioral patterns · runs locally
    file (any type) → file (any type)
  • google takeout parser: drop a Google Takeout ZIP · parse location history · YouTube watch history · search activity · Chrome history · activity logs · export CSV · runs locally
    file (any type) → file (any type)
  • gps navigation artifact forensic extractor: gpx/kml · google timeline · waze/apple maps · tomtom ov2 · destination clusters · favorites csv · runs locally
    file (any type) → file (any type)
  • gpt / mbr editor: drop a disk image · parse MBR or GPT in full · edit partition entries · fix CRC checksums · write corrected table back · export fixed image · runs locally
    file (any type) → file (any type)
  • gradient map: luminance to gradient · custom stops + presets
    image → image
  • grain · noise: film grain or digital noise · mono or color
    image → image
  • grayscale pdf: convert every page to grayscale · luminance-faithful
    pdf → pdf
  • halftone: newspaper halftone screen · mono · duotone · cmyk · circles · squares · lines
    image → image
  • hard link abuse artifact detector: drop mft csv · detect files with unusual numbers of hard links · identify hard link creation patterns used to complicate forensic analysis · surface files accessible from multiple paths to hide their true location · runs locally
    file (any type) → file (any type)
  • hash: md5 · sha-1 · sha-256 · sha-384 · sha-512 · files & text · runs locally
    file (any type) → file (any type)
  • hash set comparer: drop or paste two hash lists · find matches · unique to each set · NSRL known-good filtering · malware hash matching · export diff CSV · runs locally
    file (any type) → file (any type)
  • hashcat rule generator: infer hashcat rules from base/mutated pairs · suffix · leet · capitalize · runs locally
    file (any type) → file (any type)
  • header / footer: stamp templated headers and footers · token substitution
    pdf → pdf
  • heap spray detector: drop memory dump · NOP sleds · repeated 4KB blocks · shellcode prefixes · byte runs · density map · csv · runs locally
    file (any type) → file (any type)
  • heap spray pattern detector: drop raw memory dump · repeated 4kb block detection · nop sled inventory · entropy analysis · spray candidate csv · runs locally
    file (any type) → file (any type)
  • heic / heif reader: drop an iPhone HEIC or HEIF file · parse ISO BMFF container · extract full-size JPEG · thumbnail · EXIF metadata · runs locally
    file (any type) → file (any type)
  • helm chart security analyzer: drop helm chart tgz or zip · scan values and templates · hardcoded secrets · privileged containers · security score · csv export · runs locally
    file (any type) → file (any type)
  • hex diff: drop two binary files · see exactly which bytes differ · offset · old value · new value · runs locally
    file (any type) → file (any type)
  • hfs+ parser: drop .img/.dd partition · volume header · catalog B-tree · file paths · deleted orphans · mac HFS time · csv json export · runs locally
    file (any type) → file (any type)
  • hiberfil analyzer: drop hiberfil.sys · urls paths processes keys · hibr header · category tabs · csv export · runs locally
    file (any type) → file (any type)
  • hidden and unaccounted partition detector: drop disk layout text or diskpart output · detect partitions not visible in windows explorer · identify hidden volumes and unaccounted disk space · surface potential truecrypt veracrypt hidden volumes · runs locally
    file (any type) → file (any type)
  • home assistant forensic analyzer: home-assistant recorder sqlite + configuration.yaml · chain context_id across states/events · person/device_tracker presence timeline · automation + call_service timelines · exposes home gps from yaml · csv+json export · runs locally
    file (any type) → file (any type)
  • homekit accessory forensic analyzer: drop home backup zip or plist files · scenes triggers automation accessories · surface geofence lat lon · plist runs locally · csv json export
    file (any type) → file (any type)
  • honeypot file access detector: drop file access logs or security evtx csv · flag honeypot and canary patterns · insider trip wires · csv export · runs locally
    file (any type) → file (any type)
  • host-based beaconing detector: drop sysmon event 3 or netstat csv · periodic outbound connections per process · interval and jitter stats · beacon score 0–100 · css interval bars · csv export · runs locally
    file (any type) → file (any type)
  • HOSTS file modification detector: drop hosts file content or paste text · analyze hosts file for suspicious entries · detect dns hijacking and security tool blocking entries · surface anti-forensic and evasion-related host overrides · runs locally
    file (any type) → file (any type)
  • http access log analyzer: drop apache nginx iis access logs · request timeline · top ips · error analysis · scanner detection · web shell access · sqli xss patterns · runs locally
    file (any type) → file (any type)
  • http cookie lifecycle forensic analyzer: drop a pcap file or browser cookie database exports · reconstruct the complete lifecycle of session cookies · creation renewal expiry · detect cross-site cookie sharing that links identities · identify session hijacking indicators · runs locally
    file (any type) → file (any type)
  • http request response artifact extractor: drop pcap or pcapng · tcp reassembly · extract http methods urls status codes headers · user agent inventory · credential flags · export csv · runs locally
    file (any type) → file (any type)
  • http2 pcap parser: drop pcap or pcapng · tcp reassembly · h2c preface pri http/2 · tls alpn h2 · hpack decode · stream method path status · export csv · runs locally
    file (any type) → file (any type)
  • huggingface cache forensic extractor: analyze HuggingFace cache artifacts and reconstruct downloaded models and datasets · parse HF_HOME caches, manifests, and transformers metadata · runs locally
    file (any type) → file (any type)
  • hypervisor log forensic analyzer: drop vmware esxi logs · hyper-v event logs · kvm libvirt logs · detect vm creation deletion · snapshot operations · unusual vm activity · escape attempts · network configuration changes · runs locally
    file (any type) → file (any type)
  • iam escalation graph: iam policy json · wildcard expansion · 15 escalation patterns · attack chains · severity · csv + json export · runs locally
    file (any type) → file (any type)
  • icloud artifact forensic extractor: drop icloud plists · bird daemon state · clouddocs sqlite · .icloud placeholders · cloudkit log excerpts · parse account identity sync metadata and drive inventory · surface cloud-only files · runs locally
    file (any type) → file (any type)
  • icloud drive artifact forensic extractor: drop icloud drive databases clouddocs placeholders or mobile documents metadata · parse file metadata sharing and tombstones · surface cloud-only files · detect public links · runs locally
    file (any type) → file (any type)
  • icloud keychain artifact forensic analyzer: drop ios keychain-backup plist keychain sync preferences or keychain-2.db · analyze icloud keychain sync state · classify items synced vs local-only · surface security circle peers · runs locally
    file (any type) → file (any type)
  • icmp covert channel detector and extractor: drop pcap · icmp echo analysis · payload encoding · timing patterns · extract covert data · icmp tunneling · runs locally
    file (any type) → file (any type)
  • ICMP tunnel artifact detector: drop pcap or pcapng file · detect data encoded in icmp payloads · identify icmp tunneling tools · surface non-standard icmp usage and covert icmp channels · runs locally
    file (any type) → file (any type)
  • image file execution options hijack detector: drop software hive reg export · detect debugger hijacks via ifeo · silentprocessexit hijacks · accessibility feature backdoors · process execution redirection · runs locally
    file (any type) → file (any type)
  • image info: dimensions · format · exif · gps · icc · runs locally
    image → image
  • image resampling algorithm forensic identifier: drop jpeg or png · detect resize · nearest neighbor · bilinear · bicubic · lanczos · estimate scale factor · runs locally
    file (any type) → file (any type)
  • image steganography brute-forcer: drop png jpeg bmp · lsb openstego silentye · wordlist passwords · exif metadata · extract payloads · runs locally
    file (any type) → file (any type)
  • image steganography detector: drop an image · chi-square test · rs analysis · lsb extraction attempt · detect hidden data probability · runs locally
    file (any type) → file (any type)
  • images → pdf: assemble images into one pdf
    image → pdf
  • IMEI artifact forensic analyzer: parse IMEI identifiers from Android artifacts and correlate them with device, SIM, and carrier evidence · runs locally
    file (any type) → file (any type)
  • IMEI change artifact detector: detect evidence of IMEI modification, spoofing, or mismatch across Android and carrier artifacts · runs locally
    file (any type) → file (any type)
  • imphash calculator: drop a PE file · compute Mandiant-style import hash · list all imports · compare with known samples · runs locally
    file (any type) → file (any type)
  • in-memory malware configuration extractor: drop process memory dump · xor decode json xml config blocks · c2 ip port campaign mutex extraction · multi-technique local scan · runs locally
    file (any type) → file (any type)
  • incident response playbook generator: select incident type · context fields · structured ir checklist · containment eradication recovery · markdown or pdf export · runs locally
    file (any type) → file (any type)
  • incident scope & blast radius estimator: drop lateral movement csvs · host connection logs · active directory exports · estimate total affected hosts · identify the blast radius · map credential exposure scope · assess data at risk · runs locally
    file (any type) → file (any type)
  • incident timeline builder: drop multiple CSVs with timestamps from any forensic tool · merge into unified chronological timeline · entity tagging · filter by source · export full timeline · runs locally
    file (any type) → file (any type)
  • incident timeline html exporter: drop timeline csv · auto-detect columns · color-coded event cards · filterable html report · iframe preview · export html · runs locally
    file (any type) → file (any type)
  • IndexedDB and web storage clearing detector: drop mft csv filtered to browser profile paths · detect cleared indexeddb and local storage databases · identify web application data stores that were selectively wiped · surface web app session evidence in storage remnants · runs locally
    file (any type) → file (any type)
  • IndexedDB artifact extractor: drop chrome or firefox indexeddb leveldb files or sqlite file · extract stored web application data · reconstruct key-value records from indexeddb databases · surface web app session tokens cached content and application state · runs locally
    file (any type) → file (any type)
  • indx slack timestamp inconsistency detector: drop indx or mft csv · compare index slack timestamps to current mft · timestomp · deleted files · runs locally
    file (any type) → file (any type)
  • infotainment system forensic extractor: ivi sqlite dumps · csv/json/sql insert · schema sniff · qnx/android/harman platform · nav/calls/bt/media/wifi · csv/json export · runs locally
    file (any type) → file (any type)
  • initials stamp: stamp initials and date in a corner of every page · single or batch
    pdf → pdf
  • inline hook artifact detector: drop apihooks ssdt volatility output or memory region · detect jmp patches and inline api hooks · classify hook destinations · export csv · runs locally
    file (any type) → file (any type)
  • inode explorer: drop an ext2/3/4 image · browse the inode table interactively · view permissions · timestamps · block pointers · direct and indirect · runs locally
    file (any type) → file (any type)
  • insider threat behavioral indicator scorer: drop multiple forensic artifact csvs for a specific user · score against published insider threat behavioral indicators · data staging · unusual access · policy violations · communication patterns · produce risk profile · runs locally
    file (any type) → file (any type)
  • instagram data export parser: drop Instagram data export ZIP · parse messages · followers · following · posts · stories · liked content · search history · export CSV · runs locally
    file (any type) → file (any type)
  • inter-process communication channel mapper: drop handle table exports or volatility handles output · map ipc channels · shared memory · named pipes · alpc ports · com topology · runs locally
    file (any type) → file (any type)
  • invertnegative image · channels and / or alpha · runs locally
    image → image
  • invert pdfinvert colours · easy dark-mode reading
    pdf → pdf
  • investigation knowledge graph builderdrop forensic csv exports · extract entities and relationships · knowledge graph visualization · hub and path analysis · runs locally
    file (any type) → file (any type)
  • ioc bulk validator & triagepaste or drop iocs · validate format · dedupe · severity score · private ip flags · stix 2.1 export · csv · runs locally
    file (any type) → file (any type)
  • ioc deduplicator and normalizerdrop multiple ioc lists from any format · deduplicate · normalize · classify by type · validate format · enrich with context · export in stix csv and plain text formats · runs locally
    file (any type) → file (any type)
  • ioc extractordrop any file or paste text · extract indicators of compromise · ips · domains · urls · hashes · emails · cves · export stix · csv · runs locally
    file (any type) → file (any type)
  • ioc threat intelligence report generatorioc list + context · stix 2.1 bundle · tlp banner · pdf report · csv export · runs locally
    file (any type) → file (any type)
  • ios activity energy and motion artifact analyzerdrop ios health databases · parse energy exercise stand and move goal data · reconstruct activity ring history · correlate energy with device activity · runs locally
    file (any type) → file (any type)
  • ios afc (apple file conduit) artifact extractorpaste or drop afc log or filesystem listing · parse afc transfer artifacts · reconstruct access timeline · flag afc2 paths · runs locally
    file (any type) → file (any type)
  • ios agent-based extraction artifact parserdrop agent extraction manifest json xml plist · parse tool version data classes · team id lookup · consent and integrity notes · runs locally
    file (any type) → file (any type)
  • iOS aggregated dict forensic extractordrop iOS aggregated usage plist files (from private/var/mobile/Library/AggregateDictionary/) · parse aggregated scalar and histogram counters · decode counter keys · surface usage frequency data for system features and app interactions · runs locally
    file (any type) → file (any type)
  • iOS AirDrop artifact forensic extractordrop iOS AirDrop database files and system logs · parse AirDrop transfer records · extract sender and receiver identities, filenames, transfer timestamps, and acceptance status · surface AirDrop discovery logs · detect unsolicited AirDrop attempts · reconstruct AirDrop file transfer history · runs locally
    file (any type) → file (any type)
  • ios app install and uninstall timeline reconstructordrop manifest db applicationstate plists installd log · install uninstall upgrade timeline · mass uninstall alerts · runs locally
    file (any type) → file (any type)
  • ios app usage duration forensic analyzerdrop knowledgeC RMAdminStore BIOME · multi-source session merge · per-app stats gaps discrepancies · runs locally
    file (any type) → file (any type)
  • ios backup analyzerdrop an ios backup manifest · browse file structure · extract app data · databases · runs locally
    file (any type) → file (any type)
  • ios backup diff and version comparatordrop two manifest.db files · added deleted modified renamed paths · forensic significance tags · runs locally
    file (any type) → file (any type)
  • ios backup encryption key artifact analyzerdrop manifest.plist and manifest.db · keybag hierarchy · protection class accessibility · per-file encryption class counts · runs locally
    file (any type) → file (any type)
  • ios backup manifest and status parserdrop manifest status or info plist · backupkeybag tlv · encryption assessment · installed apps · runs locally
    file (any type) → file (any type)
  • ios backup manifest integrity verifierdrop manifest.db and backup blobs · sha1 integrity vs manifest · missing modified unexpected files · runs locally
    file (any type) → file (any type)
  • iOS backup source device identifierdrop info plist · extract udid imei serial · model lookup · multi-backup mismatch flags · runs locally
    file (any type) → file (any type)
  • ios banking app artifact forensic extractordrop iOS banking app database files from the app container · parse cached transaction records, account summaries, and notification artifacts · surface transaction metadata, MCC-decoded merchant types, and fraud/login alerts · detect suspicious transaction patterns · runs locally
    file (any type) → file (any type)
  • iOS binary plist deep extractordrop a binary plist or any file containing embedded bplist blobs · deeply extract all nested binary plists · decode all NSDate timestamps · recover partial or truncated plist structures · surface all embedded data objects · runs locally
    file (any type) → file (any type)
  • iOS biome artifact forensic analyzerdrop iOS BIOME stream files (from private/var/mobile/Library/Biome/streams/) · parse BIOME protobuf or binary format records · decode activity stream entries · surface app usage, user interactions, and behavioral patterns recorded by the BIOME framework · runs locally
    file (any type) → file (any type)
  • ios burner app artifact detectordrop iOS backup Manifest.db, ApplicationState.db, knowledgeC.db, or app listings · detect installed and previously deleted burner phone number and anonymous communication apps · surface usage timestamps and residual artifacts from deleted apps · identify ephemeral identity patterns · runs locally
    file (any type) → file (any type)
  • ios calendar event forensic analyzerdrop Calendar.sqlitedb · parse events calendars attendees · deleted cancelled meetings · runs locally
    file (any type) → file (any type)
  • ios call history gap detectordrop CallHistory.storedata · detect pk gaps and temporal silence · two-db delta · voicemail cross-ref · runs locally
    file (any type) → file (any type)
  • ios call history parserdrop ios callhistory storedata sqlite · parse all call records · reconstruct call timeline · identify frequent contacts unknown numbers and voip calls · surface deleted call gap analysis · runs locally
    file (any type) → file (any type)
  • ios cash app artifact forensic extractordrop iOS Cash App database files from the app container · parse transaction records, payment notes, and account artifacts · surface payment amounts, counterparty Cashtags, and timestamps · detect suspicious payment patterns and structured transactions · runs locally
    file (any type) → file (any type)
  • ios checkm8 extraction artifact analyzerpaste or drop checkra1n or palera1n log · parse exploit chain · device chip ios version · forensic integrity rating · runs locally
    file (any type) → file (any type)
  • ios contact merge and deletion artifact detectordrop AddressBook.sqlitedb · detect deleted merged modified contacts · orphaned multi-values · two-db delta · runs locally
    file (any type) → file (any type)
  • ios contacts database forensic analyzerdrop AddressBook.sqlitedb · parse contacts phones emails notes · rowid gaps · account sources · runs locally
    file (any type) → file (any type)
  • ios core data artifact forensic parserdrop an ios core data sqlite store · parse entity model and records · decode timestamps and blob attributes · reconstruct schema for forensic interpretation · runs locally
    file (any type) → file (any type)
  • ios coremotion artifact forensic analyzerdrop coremotion sqlite · parse cmmotionactivity · motion timeline · automotive sessions · gap inventory · runs locally
    file (any type) → file (any type)
  • ios crash log analyzerdrop ios crash reports ips or crash files · exception type · stack trace · loaded images · thread states · runs locally
    file (any type) → file (any type)
  • ios crash log forensic analyzerdrop ios crash log .ips or .crash file · parse structured crash report · extract exception type signal and faulting address · reconstruct crash context · surface forensically relevant crash patterns and repeated crashes · runs locally
    file (any type) → file (any type)
  • iOS crash log forensic extractordrop an iOS crash log (.crash or .ips file) · parse crash report structure · extract faulting process, exception type, crashed thread backtrace, and binary images · identify forensically significant crashes · detect signs of exploitation or intentional crash induction · runs locally
    file (any type) → file (any type)
  • ios datausage sqlite parserdrop ios datausage sqlite · parse per-app cellular and wifi data usage statistics · reconstruct which apps consumed network data and when · surface large data transfers and unusual app network activity · runs locally
    file (any type) → file (any type)
  • iOS DataUsage.sqlite forensic analyzerdrop an iOS DataUsage.sqlite file · parse cellular and WiFi data usage records per app · surface usage timelines, roaming events, and anomalous data transfers · correlate app data usage with device activity · reconstruct network activity timeline · runs locally
    file (any type) → file (any type)
  • ios dating app artifact forensic extractor (Tinder, Bumble, Hinge)drop iOS dating app database files (Tinder, Bumble, or Hinge) · auto-detect app · parse match records, messages, and profile metadata · surface match timestamps, screenshot alerts, and own location from account plist · detect confirmed real-world meetings (Hinge We Met) · runs locally
    file (any type) → file (any type)
  • ios deleted photo recovery artifact detectordrop photos.sqlite · recently deleted tombstones · mass deletion events · cloud-only artifacts · runs locally
    file (any type) → file (any type)
  • iOS device timestamp vs backup timestamp conflict detectordrop info plist and manifest db · detect future file timestamps · clock manipulation flags · runs locally
    file (any type) → file (any type)
  • ios discord artifact forensic extractordrop iOS Discord database files from the app container · parse cached messages, server memberships, DM threads, and user identity · surface deleted message local cache content · decode Discord snowflake timestamps · reconstruct Discord communication timeline · runs locally
    file (any type) → file (any type)
  • ios encrypted backup password recovery artifact detectordrop manifest.plist · keybag pbkdf2 salt and iterations · crack time estimates · protection class keys · runs locally
    file (any type) → file (any type)
  • ios encrypted messaging app residue detectordrop iOS backup Manifest.db, knowledgeC.db, Screen Time database, DataUsage.sqlite, and keychain files · detect and quantify encrypted messaging app usage across all artifact sources · reconstruct scope of inaccessible encrypted communications · produce forensic gap assessment · runs locally
    file (any type) → file (any type)
  • ios exif and photo metadata forensic extractordrop jpeg heic png · extract exif gps tags · timestamp discrepancy flags · metadata csv export · runs locally
    file (any type) → file (any type)
  • ios face recognition grouping forensic analyzerdrop photos.sqlite · zperson zdetectedface · co-occurrence matrix · person directory · runs locally
    file (any type) → file (any type)
  • ios facebook messenger artifact forensic extractordrop iOS Facebook Messenger database files from the app container · parse message threads, call records, and group memberships · surface message content, unsent message envelopes, and media references · reconstruct Messenger communication timeline · runs locally
    file (any type) → file (any type)
  • iOS FaceTime call artifact forensic analyzerdrop iOS FaceTime call history databases (FaceTime.db or CallHistory.storedata) and relevant plists · parse FaceTime audio and video call records · extract caller/callee identities, call duration, call type, and timestamps · detect missed, declined, and failed calls · surface FaceTime Link artifacts · reconstruct FaceTime communication timeline · runs locally
    file (any type) → file (any type)
  • ios frequent locations artifact analyzerdrop routined cache · location clusters stay-points · commute patterns · anomaly detection · runs locally
    file (any type) → file (any type)
  • ios gaming artifact forensic extractordrop iOS Game Center database files or StoreKit IAP cache · parse achievement records, leaderboard scores, multiplayer match history, and in-app purchase records · surface gaming activity timestamps and social gaming relationships · runs locally
    file (any type) → file (any type)
  • ios geofence artifact forensic extractordrop clients.plist · parse geofence regions · entry exit events · stalkerware heuristics · runs locally
    file (any type) → file (any type)
  • ios health database deep forensic analyzerdrop healthdb secure.sqlite · steps heart rate sleep falls workouts · movement timeline · alibi verification · runs locally
    file (any type) → file (any type)
  • ios health database forensic extractordrop healthdb secure sqlite · parse health records samples and metadata · step counts heart rate sleep workouts · reconstruct activity timeline · runs locally
    file (any type) → file (any type)
  • ios imessage attachment forensic extractordrop ios sms.db and attachment files from backup · parse attachment records · uti types · transfer state · cross-reference files on disk · expired audio · stickers · runs locally
    file (any type) → file (any type)
  • ios imessage deletion artifact detectordrop ios sms.db · rowid gaps · join orphans · deleted_messages tombstones · ck_sync_state=2 · two-db guid compare · bulk deletion · runs locally
    file (any type) → file (any type)
  • ios imessage edited message forensic reconstructordrop ios sms.db · detect imessage edit artifacts · edit chain reconstruction · word diff between versions · two-db text delta · runs locally
    file (any type) → file (any type)
  • ios imessage unsend artifact detectordrop ios sms.db · detect imessage unsend artifacts · system messages · processing tasks · 2-minute window · runs locally
    file (any type) → file (any type)
  • ios instagram artifact forensic extractordrop iOS Instagram database files from the app container · parse direct messages, search history, and account artifacts · surface ephemeral media tombstones and cached CDN URLs · reconstruct Instagram activity timeline · runs locally
    file (any type) → file (any type)
  • ios ipa analyzerdrop an ios ipa · info.plist · entitlements · permissions · url schemes · embedded frameworks · certificate hints · runs locally
    file (any type) → file (any type)
  • iOS IPS crash report forensic parserdrop iOS .ips crash report files (JSON format, iOS 15+) · parse the full IPS structure · decode all fields · surface exception details, thread states, memory maps, and jetsam metadata · correlate multiple crash reports · runs locally
    file (any type) → file (any type)
  • iOS iTunes backup forensic analyzerdrop manifest db or plist · full backup inventory · device identity · keybag · domain breakdown · runs locally
    file (any type) → file (any type)
  • ios jailbreak artifact detectordrop manifest db or path list · detect jailbreak indicators cydia sileo substrate · tool identification · removal hints · runs locally
    file (any type) → file (any type)
  • ios jailbreak type and version identifierdrop path list or manifest db · identify jailbreak tool version type rootless rootful · bootstrap hooking framework · integrity assessment · runs locally
    file (any type) → file (any type)
  • ios keychain artifact forensic extractordrop keychain-backup plist from itunes backup · parse item classes · decode accessibility and timestamps · surface credentials tokens certificates · runs locally
    file (any type) → file (any type)
  • ios keychain artifact parserdrop keychain-backup plist · metadata only · access groups · wifi and web credentials · no secret bytes · runs locally
    file (any type) → file (any type)
  • ios knowledge c database forensic analyzerdrop knowledgeC.db · parse ZOBJECT activity store · app sessions lock wifi location siri camera mic · full timeline · runs locally
    file (any type) → file (any type)
  • iOS ktrace artifact forensic analyzerdrop an iOS ktrace file or kdebug log export · parse kernel trace events · surface syscall patterns, process activity, and I/O operations · detect anomalous kernel event sequences · reconstruct process and thread activity timelines · runs locally
    file (any type) → file (any type)
  • ios linkedin artifact forensic extractordrop iOS LinkedIn database files from the app container · parse messaging artifacts, connection metadata, job search history, and application records · surface professional identity and communication patterns · reconstruct LinkedIn activity timeline · runs locally
    file (any type) → file (any type)
  • ios location historydrop ios location sqlite databases · zrtvisit zannotation learned poi · apple absolute time · timeline · movement ascii · export csv · runs locally
    file (any type) → file (any type)
  • ios location history deep reconstructordrop ios backup databases · correlate significant locations · routined · coreduet · cache.sqlite · motion data · reconstruct complete movement history from all available ios location sources · runs locally
    file (any type) → file (any type)
  • ios lockdown certificate artifact extractordrop pairing plist der or pem · decode x509 lockdown certs · chain validation · udid and host uuid · pem csv json export · runs locally
    file (any type) → file (any type)
  • ios locked note artifact analyzerdrop NoteStore.sqlite · surface password-protected notes · encryption header metadata · snippet fragments · runs locally
    file (any type) → file (any type)
  • ios lyft artifact forensic extractordrop iOS Lyft database files from the app container · parse ride records and pickup/dropoff locations · surface saved Home and Work locations · detect airport trips, night trips, and Primetime pricing events · reconstruct Lyft travel history · runs locally
    file (any type) → file (any type)
  • iOS Mail app artifact forensic extractordrop iOS Mail Envelope Index + Protected Index · parse envelope metadata · sender recipient subject snippet · mailbox threads accounts · runs locally
    file (any type) → file (any type)
  • iOS Mail deleted message recovery artifact detectordrop iOS Mail Envelope Index (1–2 versions) · Trash soft-delete · ROWID gaps · flags deleted · thread orphans · two-DB delta · runs locally
    file (any type) → file (any type)
  • ios maps search history forensic extractordrop Maps sqlite or plist · parse searches destinations · home work locations · route history · runs locally
    file (any type) → file (any type)
  • ios motion activity artifact forensic analyzerdrop CoreMotion sqlite · parse activity sessions · automotive walking timeline · daily summaries · runs locally
    file (any type) → file (any type)
  • iOS netusage artifact forensic extractordrop an iOS netusage.sqlite or network usage plist · parse per-process network usage records · surface WiFi and cellular transfer volumes · reconstruct network activity timeline per app · detect anomalous upload patterns · runs locally
    file (any type) → file (any type)
  • ios notes complete forensic analyzerdrop notestore.sqlite · notes including deleted · locked metadata · attachments · sensitive content scan · runs locally
    file (any type) → file (any type)
  • ios notes database forensic extractordrop NoteStore.sqlite · parse note content attachments · deleted trashed notes · nskeyedarchiver decode · runs locally
    file (any type) → file (any type)
  • ios pairing record forensic analyzerdrop itunes lockdown pairing plist · parse device and host certificates · escrow bag detection · pairing age and trust implications · csv json export · runs locally
    file (any type) → file (any type)
  • iOS partial backup forensic reconstructordrop manifest db and status plist · reconstruct interrupted backup coverage · domain and app gaps · runs locally
    file (any type) → file (any type)
  • ios photos database forensic analyzerdrop photos.sqlite · metadata including deleted · location · hidden photos · creation timeline · runs locally
    file (any type) → file (any type)
  • ios photos.sqlite forensic analyzerdrop photos.sqlite · zasset inventory · deleted hidden gps clusters · faces albums · timestomp flags · runs locally
    file (any type) → file (any type)
  • iOS plist forensic parserdrop any iOS plist file (binary or XML) · parse all keys and values · decode NSDate timestamps to human-readable UTC · detect and decode nested binary plists · surface all forensically significant fields · runs locally
    file (any type) → file (any type)
  • ios plist parser and analyzerdrop ios plist binary or xml · nested tree · forensic key detection · flattened csv export · runs locally
    file (any type) → file (any type)
  • iOS powerlog forensic analyzerdrop an iOS powerlog database (CurrentPowerlog.PLSQL or exported powerlog text) · parse power state, app foreground/background transitions, CPU wake events, and network activity indicators · reconstruct device activity timeline from power events · runs locally
    file (any type) → file (any type)
  • ios recent calls database forensic analyzerdrop CallHistory.storedata · parse call records · caller callee type duration · deleted row gaps · call timeline · runs locally
    file (any type) → file (any type)
  • ios reminders database forensic extractordrop RemindersV6.storedata · parse reminders lists due dates · completed trashed recurring · runs locally
    file (any type) → file (any type)
  • ios safari browsing history forensic analyzerdrop History.db · urls titles visit counts timestamps · tombstones rowid gaps · sessions search queries · runs locally
    file (any type) → file (any type)
  • ios safari download artifact forensic analyzerdrop Downloads.plist · source urls filenames sizes timestamps · partial auto-delete flags · suspicious types · runs locally
    file (any type) → file (any type)
  • ios safari favicon database forensic extractordrop Favicons.db · page urls and favicon timestamps · survives history clearing · optional History.db cross-ref · runs locally
    file (any type) → file (any type)
  • ios safari icloud tab forensic extractordrop CloudTabs.db · synced open tabs across icloud devices · urls titles device names · cross-device overlap · runs locally
    file (any type) → file (any type)
  • ios safari reading list artifact forensic extractordrop Bookmarks.db · reading list urls titles excerpts · fetch status offline copy · deleted row gaps · runs locally
    file (any type) → file (any type)
  • ios screen recording artifact detectordrop photos.sqlite or path list · detect screen recordings · replaykit resolution match · deleted hidden alerts · runs locally
    file (any type) → file (any type)
  • ios screen time artifact forensic extractordrop RMAdminStore or screen time db · app usage pickups notifications web · gaps bypass flags · runs locally
    file (any type) → file (any type)
  • ios screen time forensic analyzerdrop screen time sqlite from ios backup · app usage · website visits · pickup frequency · digital activity · alibi assessment · runs locally
    file (any type) → file (any type)
  • ios screenshot burst forensic analyzerdrop photos.sqlite · screenshot detection · burst clustering · rapid capture flags · runs locally
    file (any type) → file (any type)
  • ios shared album artifact forensic extractordrop photos.sqlite · shared album inventory · public url alerts · participant metadata · runs locally
    file (any type) → file (any type)
  • iOS SharePlay artifact forensic analyzerdrop iOS SharePlay database files, FaceTime call history, and relevant plists · parse SharePlay session artifacts · surface shared media identifiers, activity types, and participant information · reconstruct SharePlay activity timeline and co-viewing/co-listening history · runs locally
    file (any type) → file (any type)
  • ios signal artifact forensic extractordrop signal.sqlite · parse conversations and messages · disappearing timers · view-once flags · draft messages · registered phone · rowid gaps · runs locally
    file (any type) → file (any type)
  • ios signal sealed sender artifact analyzerdrop signal.sqlite · three-timestamp delivery analysis · linked device activity · identity verification · burst detection · latency patterns · runs locally
    file (any type) → file (any type)
  • ios significant locations forensic extractordrop routined Cache.sqlite · parse significant places visits · home work inference · visit timeline · runs locally
    file (any type) → file (any type)
  • ios sms and imessage database forensic analyzerdrop sms.db · parse messages handles chats attachments · tapbacks reply threads rowid gaps · delivery read receipts timeline · runs locally
    file (any type) → file (any type)
  • ios sms database parserdrop iOS backup SMS.db · threaded conversation view · timestamps · attachments · participants · export CSV · runs locally
    file (any type) → file (any type)
  • ios snapchat artifact forensic extractordrop iOS Snapchat database files from the app container · parse snap metadata, chat records, and friend lists · surface snap open timestamps, screenshot alerts, and expired snap tombstones · reconstruct Snapchat activity timeline · runs locally
    file (any type) → file (any type)
  • ios snapchat memory forensic extractordrop iOS Snapchat database files · parse Snapchat Memories artifacts · extract saved snap metadata, camera roll save records, location tags, and Highlights · detect deleted Memories · surface cloud sync status · runs locally
    file (any type) → file (any type)
  • ios spotlight forensic artifact extractordrop spotlight index stores or plist exports · parse search index artifacts · query history and app indexing records · detect anti-forensic index removal · runs locally
    file (any type) → file (any type)
  • ios spotlight search artifact extractordrop ios spotlight sqlite or interactionc database · extract spotlight search queries · reconstruct what the user searched for on device · surface app launches via spotlight and searched contact names · runs locally
    file (any type) → file (any type)
  • iOS sysdiagnose artifact analyzerdrop an iOS sysdiagnose archive (tar.gz or extracted folder listing) · enumerate all artifact categories present · parse high-value forensic files within the archive · surface device state, installed apps, active processes, network state, and log excerpts · runs locally
    file (any type) → file (any type)
  • ios telegram artifact forensic extractordrop cache4.db or account db · parse chats messages channels · forwarding edits tombstones · disappearing timers · mid gap analysis · runs locally
    file (any type) → file (any type)
  • ios telegram secret chat artifact detectordrop telegram db · detect secret chat sessions · dh key fingerprint emoji grid · sequence gap analysis · self-destruct timers · runs locally
    file (any type) → file (any type)
  • ios tiktok local artifact forensic extractordrop iOS TikTok database files from the app container · parse direct messages, search history, video view records, and account identity artifacts · surface content interaction patterns and communication metadata · reconstruct TikTok activity timeline · runs locally
    file (any type) → file (any type)
  • ios twitter/x artifact forensic extractordrop iOS Twitter/X database files from the app container · parse direct messages, tweet cache, and search history · surface DM content including deleted message local cache · decode Twitter snowflake timestamps · reconstruct Twitter/X activity timeline · runs locally
    file (any type) → file (any type)
  • ios uber artifact forensic extractor: drop iOS Uber database files from the app container · parse trip records and pickup/dropoff locations · surface saved Home and Work locations · detect airport trips, night trips, and surge pricing events · reconstruct travel history · runs locally
    file (any type) → file (any type)
  • iOS unified log (logarchive) forensic analyzer: drop an iOS unified log export (text, JSON, or CSV from log show) · parse log entries · filter by subsystem, category, process, and time range · surface security-relevant events · reconstruct activity timelines · runs locally
    file (any type) → file (any type)
  • ios venmo artifact forensic extractor: drop iOS Venmo database files from the app container · parse payment records and transaction notes · surface audience settings (public/friends/private) · surface social feed likes and comments on transactions · reconstruct Venmo financial and social activity timeline · runs locally
    file (any type) → file (any type)
  • ios voicemail artifact forensic extractor: drop voicemail.db · parse voicemail records · caller numbers timestamps durations · deleted tombstones · rowid gaps · runs locally
    file (any type) → file (any type)
  • ios vpn app artifact forensic extractor: drop iOS VPN app database files, configuration plists, and NEVPNManager records · parse connection session logs, server configurations, and account artifacts · surface kill switch, obfuscation, multi-hop, and Tor settings · detect VPN usage gaps and anti-forensic patterns · runs locally
    file (any type) → file (any type)
  • ios wallet pass forensic artifact analyzer: drop apple wallet pkpass or wallet database · parse pass structure · extract barcode location beacons and travel dates · surface payment and identity pass data · runs locally
    file (any type) → file (any type)
  • iOS WhatsApp artifact forensic extractor: drop iOS WhatsApp ChatStorage.sqlite and Contacts.sqlite · parse all chats, messages, groups, and media references · reconstruct conversation timelines with delivery status · surface location shares, contact cards, and deleted message placeholders · runs locally
    file (any type) → file (any type)
  • iOS WhatsApp call log forensic analyzer: drop iOS WhatsApp ChatStorage.sqlite · parse WhatsApp voice and video call records from ZWACALLHISTORY or system message fallback · extract call type, duration, direction, and timestamps · detect missed and rejected calls · surface call patterns · runs locally
    file (any type) → file (any type)
  • iOS WhatsApp deleted message recovery detector: drop iOS WhatsApp ChatStorage.sqlite (one or two versions) · detect soft-deleted placeholders and hard-deleted ROWID gaps · surface media residue from deleted messages · detect bulk deletion patterns before acquisition · runs locally
    file (any type) → file (any type)
  • ios workout route forensic extractor: drop healthdb with workout routes · decode protobuf cllocation series · reconstruct gps paths · gpx and csv export · runs locally
    file (any type) → file (any type)
  • iot firmware forensic extractor: phase1 magic signature scan · phase2 streaming ascii strings urls credentials pem-ish · phase3 uimage + squash metadata surface · heuristic · no filesystem mount · csv+json export · runs locally
    file (any type) → file (any type)
  • ip batch analyzer: rfc1918 · bogon · cloud cidr hints · tor exit sample list · batch paste · runs locally
    file (any type) → file (any type)
  • ipv6 tunneling and covert channel detector: drop pcap · 6in4 teredo isatap 6to4 · ipv6 extension anomalies · flow label covert hints · bypass assessment · csv export · runs locally
    file (any type) → file (any type)
  • irc botnet log analyzer: drop irc log files · detect bot commands · extract c2 channels · nick patterns · command flood · runs locally
    file (any type) → file (any type)
  • iso udf parser: drop iso img bin · ISO9660 PVD sector 16 · Joliet SVD · Rock Ridge NM TF · UDF AVDP sector 256 · file browser · hex · csv json export · runs locally
    file (any type) → file (any type)
  • itunes backup artifact extractor: drop manifest db and backup plists · domain inventory · high-value paths · fileid mapping · runs locally
    file (any type) → file (any type)
  • itunes backup decryptor: Manifest.plist + encrypted Manifest.db · KeyBag TLV · PBKDF2 AES-KW · Files table · domain filter · CSV · runs locally
    file (any type) → file (any type)
  • javascript deobfuscator: paste obfuscated javascript · packed js · fromcharcode · atob · hex unicode · beautify · html script extract · iocs · runs locally
    file (any type) → file (any type)
  • jit compiled code region extractor: drop browser or jvm memory dump · identify jit regions by executable non-backed memory · v8 ryujit hotspot artifacts · bytecode hints · runs locally
    file (any type) → file (any type)
  • jpeg quantization table camera model identifier: drop jpeg · extract dqt tables · match starter signature set · quality estimate · exif-free · runs locally
    file (any type) → file (any type)
  • json: format · minify · sort · validate
    file (any type) → file (any type)
  • json → csv: turn json arrays/objects into a csv file (also on custom stacks)
    file (any type) → spreadsheet
  • json and xml data structure provenance tracer: drop json or xml files · analyze internal structure · namespace usage · key ordering · formatting conventions · whitespace patterns · identify what tool or framework generated the data · detect structural anomalies indicating manual editing · runs locally
    file (any type) → file (any type)
  • jump list cross-application timeline correlator: drop multiple jlecmd csv exports · unified timeline · cross-app document access · network and removable flags · export csv · runs locally
    file (any type) → file (any type)
  • jump list manipulation and clearing detector: drop jumplist csv or automaticDestinations listing · detect cleared jump lists · identify gaps between jump list entries and other execution evidence · surface selective jump list entry removal · runs locally
    file (any type) → file (any type)
  • jump list selective clearing detector: drop automaticDestinations file listing and mft csv · detect cleared or emptied jump list files · identify applications with cleared jump lists despite evidence of use · surface selective jump list destruction targeting specific applications · runs locally
    file (any type) → file (any type)
  • jwt bruteforcer: paste jwt + wordlist · webcrypto hmac-sha256 verify · batched attempts · progress rate · investigative use warning · runs locally
    file (any type) → file (any type)
  • kerberoasting detector: drop security evtx csv · identify event 4769 with rc4 encryption type for service tickets · unusual requestors · flag accounts at risk · reconstruct attack timeline · runs locally
    file (any type) → file (any type)
  • kerberos traffic analyzer: parse kerberos pcap csv or evtx 4768/4769 · flag as-rep roast · rc4 kerberoast bursts · runs locally
    file (any type) → file (any type)
  • kernel driver anomaly detector: drop loaded driver list exports or memory dump driver lists · flag drivers not on disk · unsigned drivers · drivers loaded from unusual paths · compare against known-good baselines · runs locally
    file (any type) → file (any type)
  • key + bpm: drop a track · detect musical key and tempo · camelot wheel for harmonic mixing · runs locally
    audio → audio
  • keyboard layout artifact and typo pattern detector: drop binary strings output · document text · chat logs · email text · scan for characters that only appear when using specific keyboard layouts · detect cyrillic-latin mixups · keyboard-specific typo patterns · infer operator nationality hints · runs locally
    file (any type) → file (any type)
  • known DLL hijack residue detector: drop mft csv or file listing · detect dll files placed in application directories to shadow system dlls · identify dll search order hijacking artifacts · surface ghost dlls that loaded instead of legitimate system libraries · runs locally
    file (any type) → file (any type)
  • kubernetes event log analyzer: drop kubectl events json or text · crashloops · oom kills · scheduling failures · privileged starts · pod lifecycle · csv export · runs locally
    file (any type) → file (any type)
  • kubernetes forensics analyzer: drop k8s audit json and pod rbac yaml · flag privileged pods · docker.sock hostpath · cluster-admin bindings · exec bursts · secrets bulk reads · runs locally
    file (any type) → file (any type)
  • kubernetes pod security standards analyzer: drop pod or deployment yaml files · score against pod security standards · restricted baseline privileged · flag specific violations · prioritized findings · runs locally
    file (any type) → file (any type)
  • kubernetes rbac graph builder: drop rbac yaml · clusterroles · rolebindings · service accounts · wildcard flags · permission graph · csv export · runs locally
    file (any type) → file (any type)
  • lateral movement chain visualizer: drop evtx csv · 4624 4648 4776 · host graph · force-directed canvas · suspicious patterns · timeline · export png · runs locally
    file (any type) → file (any type)
  • lateral movement chain visualizer: drop evtx csvs · link logon service creation and remote execution events · reconstruct multi-hop chains · runs locally
    file (any type) → file (any type)
  • lateral movement network pattern detector: drop pcap pcapng or zeek conn log · detect smb admin share rdp hops credential reuse pivot patterns · movement chain · export csv · runs locally
    file (any type) → file (any type)
  • ldap enumeration detector: parse ldap bind/search logs csv · flag anonymous bind · bulk enumeration · runs locally
    file (any type) → file (any type)
  • lessons learned report generator: drop investigation findings csvs · timeline exports · tool detection reports · generate structured post-incident lessons learned document · root cause · timeline · impact · recommendations · all locally from evidence · runs locally
    file (any type) → file (any type)
  • license compliance checker: drop sbom or manifest · classify licenses · gpl/agpl flags · context-aware risk · notice + csv export · runs locally
    file (any type) → file (any type)
  • linux auditd log deep analyzer: drop audit.log or ausearch export · syscall and file access · privilege escalation · execve timeline · multi-record correlation · csv export · runs locally
    file (any type) → file (any type)
  • linux extended attribute forensic analyzer: drop getfattr output or filesystem listing with xattr data · parse linux extended attributes · extract security labels · capabilities · custom metadata · detect data hiding in xattrs · capability escalation risks · runs locally
    file (any type) → file (any type)
  • linux persistence mechanism deep analyzer: drop cron systemd profile ssh ld.so listings · map persistence paths · suspicion scoring · csv export · runs locally
    file (any type) → file (any type)
  • linux rootkit artifact scanner: drop proc and filesystem listings · hidden files · ld.so.preload · setuid inventory · kernel module anomalies · csv export · runs locally
    file (any type) → file (any type)
  • live response tool execution artifact detector: drop prefetch shimcache amcache or 4688 evtx csv · detect live response and triage collection tool execution · identify when and how live response was performed · surface kape triage collector and incident response tool artifacts · runs locally
    file (any type) → file (any type)
  • llm jailbreak conversation artifact detector: scan conversation exports for dan · roleplay bypass · injection patterns · severity · export csv · runs locally
    file (any type) → file (any type)
  • LNK file absence anomaly detector: drop lnk file listing csv and mft or recent docs csv · identify recently accessed files that have no corresponding LNK file · detect LNK clearing indicating user activity history destruction · surface file access with no shell link record · runs locally
    file (any type) → file (any type)
  • lnk file batch timeline correlator: drop hundreds of lnk shortcut files or lnk csv exports · build single unified recently-accessed timeline · deduplicate · surface deleted source files · correlate access times across all shortcuts · runs locally
    file (any type) → file (any type)
  • Local LLM model artifact forensic extractor: identify locally installed LLM models, runtimes, quantizations, and inference artifacts · runs locally
    file (any type) → file (any type)
  • local vector database forensic analyzer: chroma sqlite · faiss index · lancedb hints · collection inventory · export csv · runs locally
    file (any type) → file (any type)
  • log file authenticity and integrity scorer: drop any log file · verify internal consistency · line endings · timestamps · detect log injection · fabrication indicators · authenticity score · runs locally
    file (any type) → file (any type)
  • log forwarding disable detector: drop system evtx csv · detect windows event forwarding subscription changes · identify forwarding disabled events · surface periods where logs were not forwarded to SIEM · runs locally
    file (any type) → file (any type)
  • log gap statistical anomaly detector: drop timestamped log csv · model event frequency · detect improbable gaps · poisson scoring · multi-log correlation · export csv · runs locally
    file (any type) → file (any type)
  • log ingestion gap and silent host detector: drop siem export or event log collector export · identify machines that stopped sending logs · calculate expected vs actual log volume per host · detect hosts that went dark · flag suspicious silences · runs locally
    file (any type) → file (any type)
  • log wiper artifact detector: multi-file drop · registry evtx prefetch · ccleaner eraser bleachbit · campaign correlation · csv export · runs locally
    file (any type) → file (any type)
  • log wiping pattern and tool attribution detector: drop any evtx csv mft csv or prefetch csv · detect signatures of known log wiping tools and techniques · identify automated vs manual wiping patterns · surface coordinated log destruction with tool attribution · runs locally
    file (any type) → file (any type)
  • LOLBin execution burst detector: drop 4688 or sysmon evtx csv · detect living off the land binary execution · identify lolbin abuse patterns · surface unusual lolbin invocations and burst usage · runs locally
    file (any type) → file (any type)
  • lolbin living-off-the-land detector: drop 4688 evtx csv · certutil mshta wscript regsvr32 rundll32 bitsadmin and 40+ lolbins · flag unusual invocations · export csv · runs locally
    file (any type) → file (any type)
  • loop video: repeat a video clip N times · seamless · keeps audio · runs locally
    video → video
  • loudness meter: integrated LUFS · true peak · LRA · broadcast compliance · EBU R128 · runs locally
    audio → audio
  • LSA protection and credential guard disable detector: drop system evtx csv and registry export · detect lsa protection disabled · identify credential guard removal · surface attempts to weaken credential protection enabling credential theft · runs locally
    file (any type) → file (any type)
  • lsa provider & ssp analyzer: drop system or security registry export · detect unauthorized ssps · authentication packages · password filter dlls · wdigest flag · runs locally
    file (any type) → file (any type)
  • lsass dump artifact analyzer: drop sysmon or security evtx csv · detect lsass access and dump indicators · flag suspicious callers · minidump paths · runs locally
    file (any type) → file (any type)
  • lsb stego extractor: png bmp · lsb bit depth 1-4 · channel order · entropy · magic bytes · hex dump · download payload · runs locally
    file (any type) → file (any type)
  • lut bake: chain luts and cdls into one .cube · ordered · tetrahedral
    file (any type) → file (any type)
  • lut converter: read cube · 3dl · write cube · downsample only
    file (any type) → file (any type)
  • lut preview: apply lut to still or video frame · tetrahedral · before/after
    file (any type) → image
  • lzma / xz stream extractor: drop any binary · scan lzma xz gzip streams · decompress where possible · payload magic detect · download streams · csv inventory · runs locally
    file (any type) → file (any type)
  • MAC address spoofing artifact detector: drop system evtx csv or registry export · detect network adapter mac address changes · identify locally administered mac addresses indicating spoofing · surface adapter reconfiguration events · runs locally
    file (any type) → file (any type)
  • macos spotlight metadata forensic analyzer: drop spotlight metadata exports or mds_stores database exports · extract file metadata indexed by spotlight · surface files that existed even if deleted · document metadata · author information · runs locally
    file (any type) → file (any type)
  • macos tcc database forensic analyzer: drop tcc.db sqlite · camera mic screen contacts calendar permissions · sensitive grants · csv export · runs locally
    file (any type) → file (any type)
  • macos unified log forensic parser: drop log show csv or text export · subsystems and processes · auth and launch events · security timeline · csv export · runs locally
    file (any type) → file (any type)
  • mailer and email client fingerprint identifier: drop eml files or paste headers · identify the email client or service that sent the message · detect inconsistencies between claimed and actual mailer · surface forged x-mailer headers and mailer fingerprint mismatches · runs locally
    file (any type) → file (any type)
  • malware config extractor: paste malware strings or config blob · extract c2 urls · mutex · named pipes · runs locally
    file (any type) → file (any type)
  • malware sandbox and VM environment evasion detector: drop sysmon evtx csv · detect malware performing environment checks for vm sandbox and analysis detection · identify registry and wmi queries probing for virtual machine artifacts · surface systematic evasion behavior · runs locally
    file (any type) → file (any type)
  • malware string analyzer: drop a binary or paste strings · score for maliciousness · cluster by category · flag c2 patterns · apis · paths · runs locally
    file (any type) → file (any type)
  • markdown → pdf: render .md to a typeset pdf · headings · code · tables · lists · cover page · runs locally
    file (any type) → pdf
  • masquerading binary detector: drop 4688 evtx csv or file listing · flag executables mimicking windows binaries from wrong paths · svchost from downloads · csv export · runs locally
    file (any type) → file (any type)
  • memory acquisition tool artifact detector: drop prefetch shimcache or 4688 evtx csv and mft csv · detect memory imaging tool execution · identify when ram was acquired · surface memory dump files and acquisition method · runs locally
    file (any type) → file (any type)
  • memory artifact suppression via large page detector: drop sysmon evtx csv and registry export · detect large page allocation and memory locking used to prevent pagefile evidence · identify techniques avoiding memory artifact creation · surface memory management abuse for anti-forensic purposes · runs locally
    file (any type) → file (any type)
  • memory artifact timeline reconstructor: drop volatility csv exports · merge process network registry file events · unified memory timeline · gap detection · csv export · runs locally
    file (any type) → file (any type)
  • memory beacon pattern detector: drop memory dump or volatility strings · cobalt strike beacon strings and config markers · meterpreter empire heuristics · sleep jitter c2 extraction · runs locally
    file (any type) → file (any type)
  • memory credential theft artifact detector: drop security evtx csv and sysmon evtx csv · detect credential dumping from memory · identify lsass access patterns · surface mimikatz and other credential dumper indicators · runs locally
    file (any type) → file (any type)
  • memory heap object type identifier: drop memory dump strings or raw segment · scan heap for object type signatures · vtable · credential structures · dotnet java python objects · runs locally
    file (any type) → file (any type)
  • memory string timeline reconstructor: drop multiple timestamped string extractions or timeline csv · new removed persistent strings · ioc temporal tracking · runs locally
    file (any type) → file (any type)
  • merge audio: join clips · optional crossfade
    audio → audio
  • merge meshes: flatten + join primitives · cut draw calls · any 3d format
    3d → 3d
  • merge pdf: combine pdfs in order
    pdf → pdf
  • mesh info: deep stats · meshes · materials · textures · attributes · bounds · warnings
    3d → 3d
  • metadata scrubbing tool artifact detector: drop file listings · mft csv · registry exports · detect use of exiftool mat2 or similar metadata strippers · they leave their own traces · identify files that were processed by scrubbing tools · runs locally
    file (any type) → file (any type)
  • mft entry reuse anomaly detector: drop mft csv · detect abnormally high mft entry reuse rates · identify evidence of mass file deletion and creation in entry slots · surface patterns indicating attacker file staging and cleanup · runs locally
    file (any type) → file (any type)
  • MFT record slack residue deep extractor: drop mft binary or mft slack csv · extract and analyze residual data from mft record slack fields · recover previous attribute fragments from unused record space · surface historical file metadata hidden in mft slack · runs locally
    file (any type) → file (any type)
  • mft sequence vs timestamp conflict analyzer: drop mft csv · detect conflicts between mft entry sequence and file timestamps · impossible ordering · reused entries · runs locally
    file (any type) → file (any type)
  • MFT slack space artifact detector: drop mft binary or slack extraction csv · detect artifacts hidden in mft record slack · identify residual data from previous file occupants · surface hidden data and historical file metadata in unused mft space · runs locally
    file (any type) → file (any type)
  • microsoft 365 unified audit log analyzer: drop m365 unified audit log csv or json export · parse all audit events across exchange sharepoint teams onedrive and azure ad · surface suspicious operations privilege changes and data access events · reconstruct user activity timeline · runs locally
    file (any type) → file (any type)
  • microsoft access database forensic analyzer: drop mdb or accdb files · parse jet database structure · extract tables · recover deleted records · vba macro scan · runs locally
    file (any type) → file (any type)
  • Microsoft Copilot artifact forensic analyzer: analyze Microsoft Copilot artifacts including prompts, coding sessions, and AI-assisted workflows · runs locally
    file (any type) → file (any type)
  • microsoft teams export forensic analyzer: drop teams export zip or eDiscovery teams json export · parse messages channels and user activity · reconstruct conversation threads and meeting records · surface file sharing deleted messages and guest access events · runs locally
    file (any type) → file (any type)
  • midnight timestamp cluster detector: drop mft or artifact csv · detect files timestamped to exactly midnight or other round values · identify timestomping tool artifacts · surface files with suspiciously clean timestamps · runs locally
    file (any type) → file (any type)
  • mirror pdf: flip horizontally or vertically · pure vector · per page
    pdf → pdf
  • mitre att&ck technique mapper: paste observed behaviors or ttp descriptions · map to att&ck technique ids · generate att&ck navigator layer json · show tactic coverage · runs locally · no network required
    file (any type) → file (any type)
  • mobile airplane mode artifact timeline analyzer: drop knowledgec.db logcat or powerlog · reconstruct airplane mode sessions · correlate offline periods with app activity · duration and frequency patterns · runs locally
    file (any type) → file (any type)
  • mobile app deletion burst artifact detector: drop iOS or Android app install/uninstall records (iTunes backup Manifest.db, knowledgeC.db, ApplicationState.db, Android packages.xml, MobileInstallation.log, or logcat) · detect bursts of app deletions in short time windows · identify forensically significant app categories deleted · surface deletion timing relative to acquisition date · distinguish normal app management from pre-examination evidence destruction · runs locally
    file (any type) → file (any type)
  • mobile app permission revocation burst artifact detector: drop iOS TCC database unified logs or Android runtime-permissions.xml and logcat · detect permission revocation bursts · flag camera microphone location revocations · surface pre-acquisition evidence gaps · runs locally
    file (any type) → file (any type)
  • mobile app sandbox artifact analyzer: drop ios app sandbox directory listing or android app data directory listing · identify forensically significant files within app sandboxes · map file types to forensic categories · surface databases caches preferences and logs within each app container · runs locally
    file (any type) → file (any type)
  • mobile app sqlite schema auto-mapper: drop any unknown mobile app sqlite database · auto-detect schema · classify tables by content type · identify messages contacts locations media · extract data from recognized patterns · reverse-engineer unknown app databases · runs locally
    file (any type) → file (any type)
  • mobile backup to cloud gap detector: drop ios backup plists manifest.db or android backup metadata · detect backup frequency gaps · classify elevated and significant gaps · surface disabled backup periods · runs locally
    file (any type) → file (any type)
  • mobile biometric change artifact detector: drop unified log · biometrickitd plist · android logcat · enrollment delete bursts · pre-acquisition significance · runs locally
    file (any type) → file (any type)
  • mobile cloud sync artifact forensic analyzer: drop icloud plists · accounts3.sqlite · android accounts.xml · per-app sync state · sync gaps · account inventory · runs locally
    file (any type) → file (any type)
  • mobile conversation deletion pattern detector: drop iOS sms.db, WhatsApp ChatStorage.sqlite, Signal signal.sqlite, or Android mmssms.db with optional comparison versions · detect patterns of conversation deletion across all messaging platforms · surface contact-specific deletion, temporal deletion windows, and pre-acquisition cleanup · distinguish normal message management from targeted evidence destruction · runs locally
    file (any type) → file (any type)
  • mobile date and time manipulation artifact detector: drop ios backup databases or android listings · multi-source timestamp analysis · gps exif vs system clock · build date anchor · sequential rowid integrity · midnight/future clustering · runs locally
    file (any type) → file (any type)
  • mobile device handoff artifact forensic analyzer: drop handoff plist · knowledgeC.db · unified log · URL extraction · cross-device continuity timeline · runs locally
    file (any type) → file (any type)
  • mobile device pairing history forensic analyzer: drop ios lockdown plists · android adb authorized keys · usb logs · host identifiers · escrowbag alerts · certificate details · runs locally
    file (any type) → file (any type)
  • mobile device pairing record analyzer: drop ios lockdown pairing plist or android adb key files · parse device pairing credentials · identify which computers have been paired with the device · surface pairing timestamps and certificate details · runs locally
    file (any type) → file (any type)
  • mobile factory reset evidence artifact detector: drop iOS backup Info.plist / Status.plist or Android recovery logs, getprop output, and filesystem listings · detect artifacts indicating a factory reset occurred · distinguish first-time setup from post-reset setup · surface data remnants that survived the reset · assess completeness of the wipe · runs locally
    file (any type) → file (any type)
  • mobile find my disable artifact detector: drop iCloud find my plists · unified log · android logcat · disable timeline · anti-forensic correlation · runs locally
    file (any type) → file (any type)
  • mobile hotspot connection artifact forensic analyzer: drop powerlog · netusage · dhcp leases · logcat · bridge100 sessions · client device inventory · runs locally
    file (any type) → file (any type)
  • mobile location history extractor: drop ios locations sqlite · google location json · csv gps · haversine stops · movement timeline · runs locally
    file (any type) → file (any type)
  • mobile location services disable artifact detector: drop powerlog knowledgeC routined cache logcat · location off timeline · visit gaps · pre-acquisition disable · runs locally
    file (any type) → file (any type)
  • mobile notification disable pattern artifact detector: drop iOS notification plists Screen Time database or Android logcat and notification policy · detect notification disable bursts · flag messaging and banking app silencing · Screen Time notification drops · runs locally
    file (any type) → file (any type)
  • mobile passcode change burst artifact detector: drop iOS logs plists or Android logcat and locksettings database · detect passcode change events · surface credential type changes · identify passcode change bursts · assess complexity weakening · runs locally
    file (any type) → file (any type)
  • mobile payment artifact forensic analyzer: drop iOS or Android payment-related database files, transaction logs, or wallet preference files · parse mobile payment transaction artifacts · surface payment amounts, merchant identifiers, and timestamps · detect payment method configurations · reconstruct payment activity timeline across Apple Pay, Google Pay, and other payment apps · runs locally
    file (any type) → file (any type)
  • mobile photo metadata batch analyzer: drop multiple jpeg or heic image files · extract and aggregate exif metadata · reconstruct photo timeline and location trail · surface device identifiers camera settings and gps coordinates across all images · runs locally
    file (any type) → file (any type)
  • mobile privacy mode app usage artifact detector: drop knowledgec.db screen time or usage stats · privacy browser and e2e app sessions · orchestration pattern detection · private browsing coverage · runs locally
    file (any type) → file (any type)
  • mobile remote wipe artifact detector: drop iOS backup files, MDM enrollment plists, or Android DevicePolicyManager logs and logcat output · detect evidence of remote wipe commands being issued or executed · identify the wipe initiator (MDM, Find My iPhone, Google Find My Device, Samsung Find My Mobile) · surface wipe timing and scope · assess whether wipe was completed or interrupted · runs locally
    file (any type) → file (any type)
  • mobile screen time manipulation artifact detector: drop screen time db + knowledgeC · cross-source ratio · pickup consistency · clearing events · reliability assessment · runs locally
    file (any type) → file (any type)
  • mobile screen time parser: drop ios screen time sqlite or android usage_stats.db · daily usage · per-app ranking · hourly heatmap · runs locally
    file (any type) → file (any type)
  • mobile timeline reconstruction cross platform: drop ios + android artifacts · unified chronological timeline · timestamp normalization · gap detection · multi-source correlation clusters · csv re-import · runs locally
    file (any type) → file (any type)
  • mobile to desktop artifact correlation tool: drop mobile + desktop csv exports · hash · url · search · identity correlation · confidence scoring · cross-device timeline · runs locally
    file (any type) → file (any type)
  • mobile vpn activation pattern artifact analyzer: drop netusage.sqlite knowledgec.db or logcat · vpn tunnel timeline · utun interface traffic · kill switch heuristics · sensitive app correlation · runs locally
    file (any type) → file (any type)
  • monero transaction structure forensic analyzer: drop monero transaction hex or json exports · parse ring signature structure · analyze ring composition · apply heuristics to identify likely true spends · detect unusual ring sizes · blockchain analysis with privacy caveats · runs locally
    file (any type) → file (any type)
  • MSHTA abuse artifact detector: drop 4688 or sysmon evtx csv · detect mshta hta execution abuse · identify inline script execution via mshta · surface remote hta loading and vbscript javascript abuse patterns · runs locally
    file (any type) → file (any type)
  • mui cache correlator: drop muicache csv · known-good vs known-bad cross-reference · unknown suspicious flags · csv export · runs locally
    file (any type) → file (any type)
  • multi-artifact correlator: drop CSV exports from any forensic tool · correlate by filename · hash · IP · user across sources · surface cross-artifact matches · export report · runs locally
    file (any type) → file (any type)
  • multi-layer encoding recursive unwrapper: drop any file or paste text · automatically detect and unwrap stacked encoding layers · base64 inside gzip inside hex inside url encoding · recursive up to 20 layers · track decode chain · reveal final payload · runs locally
    file (any type) → file (any type)
  • multi-sheet csv: one xlsx → zip of csvs · runs locally
    spreadsheet → file (any type)
  • multi-source entity resolver: drop forensic csvs · resolve names emails usernames ips across sources · probabilistic entity profiles · runs locally
    file (any type) → file (any type)
  • mutex name forensic artifact analyzerdrop handle exports · memory dump strings · sysmon exports · extract mutex names · match against 500+ known malware family mutex signatures · identify malware family from mutex · flag unusual mutex patterns · runs locally
    file (any type) → file (any type)
  • mvno artifact forensic analyzeridentify mobile virtual network operator usage from SIM and carrier artifacts · runs locally
    file (any type) → file (any type)
  • n-up pdfimpose 2 · 4 · 6 · 8 · 9 · 16 pages per sheet · pure vector
    pdf → pdf
  • named pipe forensic artifact analyzer: drop sysmon event 17 18 csvs or handle exports · detect malicious named pipe usage · cobalt strike pipe patterns · common c2 framework pipe names · lateral movement via pipes · privilege escalation via pipe impersonation · runs locally
    file (any type) → file (any type)
  • natural language writing sample authorship comparator: drop multiple text files or paste writing samples · compute 40 plus stylometric features · sentence length distribution · vocabulary richness · function word frequencies · punctuation patterns · produce similarity score with confidence intervals between samples · runs locally
    file (any type) → file (any type)
  • nest camera forensic analyzer: drop nest google takeout json csv zip fragments · postal_code extraction · familiar visitor labels · activity zone inventory · csv json export · runs locally
    file (any type) → file (any type)
  • NetBIOS name spoofing and LLMNR poisoning artifact detector: drop system evtx csv and sysmon evtx csv · detect netbios and llmnr poisoning artifacts · identify name resolution anomalies used for credential capture · surface nbt-ns and llmnr abuse patterns · runs locally
    file (any type) → file (any type)
  • netflow analyzer: drop netflow v5 v9 or ipfix exports · traffic patterns · top talkers · protocol distribution · geographic connections · runs locally
    file (any type) → file (any type)
  • netsh helper dll and winsock persistence detector: drop software and system hive reg exports · detect persistence via netsh helper dlls · winsock layered service providers · name service providers · filter driver persistence · runs locally
    file (any type) → file (any type)
  • network connection timeline builder: drop pcap pcapng or zeek conn log or windows netstat output · build a chronological connection timeline · reconstruct what connected where and when · surface connection bursts gaps and suspicious temporal patterns · runs locally
    file (any type) → file (any type)
  • network flow anomaly detector: drop pcap pcapng or zeek conn log · apply statistical anomaly detection to network flows · surface outliers in byte count duration connection rate and port usage · identify scanning exfiltration and tunneling anomalies · runs locally
    file (any type) → file (any type)
  • network share access log clearing detector: drop security evtx csv · detect smb network share access log gaps · identify share access audit disable events · surface lateral movement that was logged then cleared · runs locally
    file (any type) → file (any type)
  • nfc tap artifact forensic extractor: drop iOS NFC tag interaction logs, Android NFC dispatch log, or NDEF dump files · parse NFC tap events · extract NDEF record contents, tag identifiers, and tap timestamps · surface NFC-triggered app launches and payment interactions · reconstruct NFC interaction history · runs locally
    file (any type) → file (any type)
  • nft metadata and provenance forensic analyzer: drop nft metadata json files or token uri exports · parse metadata · trace token history · identify mutable vs immutable storage · detect wash trading patterns · flag suspicious provenance · runs locally
    file (any type) → file (any type)
  • normalize audio: match peak ceiling or loudness
    audio → audio
  • normals: recompute · flip · or unitize vertex normals · fix scans / ai output / inside-out meshes
    3d → 3d
  • npm & pypi known-malicious package checker: drop manifests or paste package list · bundled malicious db · dependency confusion · export csv · runs locally
    file (any type) → file (any type)
  • ntfs alternate data stream deep analyzer: drop mft csv or file listing with ads entries · enumerate all alternate data streams · extract content where possible · detect zone identifier abuse · flag hidden executables · surface data concealment · runs locally
    file (any type) → file (any type)
  • NTFS compressed file anomaly detector: drop mft csv · detect files with NTFS compression applied anomalously · identify compressed executables and unusual compressed file populations · surface compression used to obscure file sizes and evade detection · runs locally
    file (any type) → file (any type)
  • ntfs file born-time consensus engine: drop mft csv · usn journal csv · logfile operation export · indx csv · correlate all four timestamp sources for every file · produce consensus born-time with confidence score · expose disagreements that prove tampering · runs locally
    file (any type) → file (any type)
  • NTFS file system tunneling artifact detector: drop mft csv · detect file system tunnel cache artifacts · identify files that inherited timestamps from deleted predecessors · surface anti-forensic timestamp inheritance exploitation · runs locally
    file (any type) → file (any type)
  • ntfs filesystem metadata anomaly detector: drop mft csv or ntfs metadata export · detect anomalies in core ntfs metadata files · identify tampered boot sector volume header or mft mirror · surface filesystem-level anti-forensic modifications · runs locally
    file (any type) → file (any type)
  • ntfs hard link forensic analyzer: drop mft csv · detect files with multiple directory entries (hard links) · map all paths pointing to same inode · identify data sharing between paths · detect hard link based anti-forensics · runs locally
    file (any type) → file (any type)
  • ntfs journal gap analyzer: drop usn journal csv or ntfs logfile csv · detect gaps in journal sequence numbers · identify windows where filesystem activity was not recorded · surface journal clearing or rollover events · runs locally
    file (any type) → file (any type)
  • ntfs logfile transaction journal parser: drop a raw $logfile from ntfs · parse every metadata operation on the volume · file creates modifies deletes renames · lower level than usn journal · reconstruct operations that were cleared from usn journal · runs locally
    file (any type) → file (any type)
  • ntfs reparse point and symlink forensics: drop mft csv or file listing · map all ntfs reparse points · symlinks · junctions · mount points · detect symlink attacks · data redirection · path traversal setups · runs locally
    file (any type) → file (any type)
  • NTFS USN journal wrap and evidence loss detector: drop usn journal csv · detect journal wrap events where oldest records were overwritten · estimate how much file activity history was lost · identify intentionally triggered journal wraps destroying evidence · runs locally
    file (any type) → file (any type)
  • NTLM credential capture and relay artifact detector: drop security evtx csv and system evtx csv · detect ntlm relay attack artifacts · identify responder and inveigh execution remnants · surface forced authentication attempts and credential capture patterns · runs locally
    file (any type) → file (any type)
  • obd2 forensic analyzer: torque pro · forscan csv · dtc decode · hard brake · rapid accel · high speed events · trips · csv/json export · runs locally
    file (any type) → file (any type)
  • object access auditing disable detector: drop security evtx csv · detect object access audit subcategory disabling · identify file system registry and sam auditing gaps · surface what file access was made invisible · runs locally
    file (any type) → file (any type)
  • ocr: extract text from any pdf or image · invisible-text searchable pdf · runs locally · tesseract.js
    pdf → pdf
  • office add-in persistence analyzer: drop registry exports or add-in directory listing · com xll vsto add-ins · untrusted dll paths · export csv · runs locally
    file (any type) → file (any type)
  • office coauthoring session artifact extractor: drop docx xlsx pptx · coauthoring session data · user identity guids · session timestamps · edit attribution per section · survives track changes acceptance · runs locally
    file (any type) → file (any type)
  • office document revision history extractor: drop docx xlsx pptx or odt file · extract full revision and version history metadata · reconstruct authorship timeline · surface who created modified and saved the document and when · runs locally
    file (any type) → file (any type)
  • office document version ghost content extractor: drop doc xls ppt ole2 office files · scan free sectors · padding slack · recover ghost text from previous saves · runs locally
    file (any type) → file (any type)
  • office macro analyzer: drop doc · xls · ppt · docm · xlsm · pptm · extract vba macros · flag dangerous apis · detect obfuscation · malware analysis · runs locally
    file (any type) → file (any type)
  • office macro artifact analyzer: drop docm xlsm pptm or legacy doc xls ppt · extract vba macro code · identify suspicious patterns · surface autorun macros shell commands and obfuscation · runs locally
    file (any type) → file (any type)
  • office template injection & dde detector: drop docx xlsx pptx files · detect template injection via relationships · remote template urls · dde payloads · excel 4.0 xlm macros · ole object injection · external data connections · runs locally
    file (any type) → file (any type)
  • office365 audit log analyzer: drop m365 unified audit log json or csv · flag inbox forward rules · mailbox forwarding · bulk downloads · global admin role adds · high-scope consent · audit log disabled · runs locally
    file (any type) → file (any type)
  • ole2 compound document forensic carver: drop a raw disk image or binary · carve ole2 compound documents from raw bytes using directory structure signatures · recover word excel powerpoint old format files · more reliable than header-only carving · reconstruct compound documents from fragments · runs locally
    file (any type) → file (any type)
  • Ollama usage artifact forensic analyzer: analyze Ollama model usage, downloads, prompts, and local inference activity · runs locally
    file (any type) → file (any type)
  • onenote forensic analyzer: drop onenote one or onepkg files · extract notebook structure · embedded files · revision history · malware delivery detection · runs locally
    file (any type) → file (any type)
  • ooxml hidden content extractor: drop docx xlsx pptx file · extract all hidden text rows columns slides and layers · surface content invisible in normal view · identify data intentionally hidden within the document structure · runs locally
    file (any type) → file (any type)
  • optimize 3d: shrink geometry + textures · in: glb · gltf · obj · stl · fbx · 3mf · usdz · dae
    3d → 3d
  • organize pdf: reorder · duplicate · rotate · delete pages
    pdf → pdf
  • orient 3d: rotate · mirror · z-up ↔ y-up · queue ops at the root
    3d → 3d
  • orphaned MFT entry detector: drop mft csv · detect mft entries whose parent directory no longer exists · reconstruct orphaned file paths · surface files that survived directory deletion and identify hidden file locations · runs locally
    file (any type) → file (any type)
  • osint normalizer: paste osint dump · extract emails phones ips crypto handles · disposable tor private heuristics · e.164 · five tabs · per-category csv · runs locally
    file (any type) → file (any type)
  • overlay / appended data extractor: drop any file · find EOF marker for JPEG · ZIP · PDF · PNG · extract data appended after EOF · detect format of appended payload · runs locally
    file (any type) → file (any type)
  • packer identifier extended: pe · elf · mach-o packer signatures · upx · themida · vmp · string scan · runs locally
    file (any type) → file (any type)
  • page numbers: add numbering · format · position · skip cover sheets
    pdf → pdf
  • pagefile timeline reconstructor: paste strings output · 30-min sessions · urls credentials paths · timeline tabs · csv export · runs locally
    file (any type) → file (any type)
  • parent process ID spoofing detector: drop 4688 evtx csv or sysmon csv · detect processes with impossible or suspicious parent-child relationships · identify ppid spoofing attacks · surface process trees where claimed parent could not have spawned the child · runs locally
    file (any type) → file (any type)
  • parent-child process anomaly detector: drop 4688 evtx csv · static and dynamic parent-child baseline · lsass always critical · ranked anomaly table · csv export · runs locally
    file (any type) → file (any type)
  • partial download artifact recovery: drop browser partial download files .crdownload .part .tmp · reconstruct what was being downloaded · extract file type · recover partial content · identify source url from metadata · assess recovery potential · runs locally
    file (any type) → file (any type)
  • partial file forensic completion estimator: drop partial or truncated files · estimate what percentage is present · determine what structure is missing · assess whether missing portions would contain forensically significant content · provide format-specific recovery guidance · runs locally
    file (any type) → file (any type)
  • partition table and MBR anomaly detector: drop mbr binary paste or diskpart output · detect partition table anomalies indicating tampering · identify non-standard partition configurations · surface MBR modification and bootkit artifacts in partition layout · runs locally
    file (any type) → file (any type)
  • pass-the-hash indicator detector: drop security evtx csv · correlate logon type 3 ntlm events with admin share access · detect pth patterns · 4624 ntlm logon type 3 without password spray · runs locally
    file (any type) → file (any type)
  • passive os fingerprinter from pcap: drop a pcap file · reconstruct the operating system of every host from tcp/ip stack behavior · ttl values · window sizes · tcp options ordering · ip flag patterns · no active probing · identify os from existing captured traffic · runs locally
    file (any type) → file (any type)
  • password manager artifact forensic analyzer: drop keepass kdbx files · bitwarden local vault json · 1password local artifacts · no decryption attempted · extract metadata · database size · last modified · entry count hints · access patterns · runs locally
    file (any type) → file (any type)
  • password spray & brute force detector: drop security evtx csv · analyze authentication failure patterns · detect low-and-slow password spray · high-speed brute force · credential stuffing patterns · flag attacker ips · runs locally
    file (any type) → file (any type)
  • pcap cleartext credential extractor: drop pcap or pcapng · extract cleartext ftp smtp pop3 imap http basic telnet credentials · tcp reassembly · export csv · runs locally
    file (any type) → file (any type)
  • pcap email artifact extractor: drop pcap or pcapng · smtp pop3 imap tcp reassembly · sender recipient subject attachments · starttls detection · export csv · runs locally
    file (any type) → file (any type)
  • pcap file transfer reconstructor: drop pcap or pcapng · reconstruct http ftp smb file transfers · sha256 magic bytes · download reconstructed files · export csv · runs locally
    file (any type) → file (any type)
  • pcap malware family fingerprinter: drop pcap · ja3 imphash sni and http signatures · malware family attribution from network traffic · export csv · runs locally
    file (any type) → file (any type)
  • PCAP network flow reconstructor: drop pcap or pcapng file · parse all packets · reconstruct tcp and udp flows · compute flow statistics · surface top talkers unusual ports and flow anomalies · runs locally
    file (any type) → file (any type)
  • pdf → images: rasterize pages to png / jpg / webp
    pdf → image
  • pdf annotation extractor: drop pdf · parse annots subtype contents rect · author modified · bad redaction text under redact · summary table · export csv · runs locally
    file (any type) → file (any type)
  • pdf author and revision metadata deep analyzer: drop pdf file · extract all document information dictionary and xmp metadata · parse creation and modification timestamps · surface author software version revision count and producer chain · runs locally
    file (any type) → file (any type)
  • pdf digital signature chain analyzer: drop pdf file · extract and analyze all digital signatures · validate signature structure · reconstruct certificate chains · surface signer identity timestamps and what content was signed · runs locally
    file (any type) → file (any type)
  • pdf extract text: pull plain text · txt · json · markdown
    pdf → file (any type)
  • pdf forensics: drop a pdf · inspect objects and streams · extract javascript · embedded files · suspicious actions · object tree · malware analysis · runs locally
    file (any type) → file (any type)
  • pdf form field artifact extractor: drop pdf file · extract all interactive form fields · recover submitted field values · surface pre-filled hidden and calculation fields · reconstruct form submission state · runs locally
    file (any type) → file (any type)
  • pdf form fields: detect fillable fields · list names · types · values
    pdf → spreadsheet
  • pdf incremental update forensic analyzer: drop pdf file · detect and analyze incremental updates appended to the pdf · reconstruct the document modification history · surface what changed between each update · identify signature bypass attacks via incremental updates · runs locally
    file (any type) → file (any type)
  • pdf info: deep inspector · sizes · forms · attachments · fingerprint
    pdf → pdf
  • pdf javascript deobfuscator: extract javascript from pdf · multi-pass decode · exploit heuristics · heap spray hints · iocs · runs locally
    file (any type) → file (any type)
  • pdf metadata: view & edit title · author · subject · keywords
    pdf → pdf
  • pdf object stream mutation detector: drop a pdf · parse objects at raw binary level · detect post-creation mutations · incremental update abuse · prove tampered objects after signing · runs locally
    file (any type) → file (any type)
  • pdf stats: bulk page count + metadata across many pdfs · export csv
    pdf → spreadsheet
  • pdf steganography checker: drop a pdf · check whitespace · metadata · object streams · comment fields · hidden layers · invisible text · runs locally
    file (any type) → file (any type)
  • pdf to word: extract text from pdf · export as .docx · runs locally
    pdf → file (any type)
  • pdf/a: flag pdf as archival · embed sRGB output intent · stamp xmp
    pdf → pdf
  • PE compile timestamp vs filesystem timestamp conflict detector: drop mft csv or file listing with pe headers · extract compile timestamps from pe headers · detect files with filesystem timestamps earlier than their compile timestamp · surface impossible binaries indicating timestomping · runs locally
    file (any type) → file (any type)
  • PE header in-memory anomaly detector: drop malfind or procdump pe region · analyze pe header for in-memory anomalies · header stomping unpacked sections hollowing indicators · export csv · runs locally
    file (any type) → file (any type)
  • peer group statistical outlier analyzer: drop artifact sets for multiple users · compute per-user feature vectors · identify statistical outliers · surface the user whose behavior differs most from their peers · peer comparison charts · runs locally
    file (any type) → file (any type)
  • persona consistency checker: cross-check name email username location age · osint persona flags · runs locally
    file (any type) → file (any type)
  • phishing URL extractor from email body: drop eml files or paste email body html · extract all urls from email body and headers · decode obfuscated and redirected urls · surface phishing indicators and malicious link patterns · runs locally
    file (any type) → file (any type)
  • phone number analyzer: e.164 normalize · country codes · nanp area lookup · batch paste · runs locally
    file (any type) → file (any type)
  • pii detector redactor: regex pii detect · email ssn phone ip · redact in place · export clean text · runs locally
    file (any type) → file (any type)
  • pitch shift: change pitch without altering speed · semitones · cents · runs locally
    audio → audio
  • pivot table: group-by · sum · count · avg · min · max · csv source
    spreadsheet → spreadsheet
  • pixelate: block pixelation · average or nearest sample · runs locally
    image → image
  • polyglot file detector: drop a file · test against multiple format parsers simultaneously · detect files that satisfy two formats at once · JPEG+ZIP · PDF+ZIP · HTML+ZIP · runs locally
    file (any type) → file (any type)
  • port monitor and print processor persistence detector: drop system registry hive export · detect persistence via port monitor dlls · print processor dlls · time provider dlls · loaded by system on boot with high privileges · runs locally
    file (any type) → file (any type)
  • port scan pattern detector: drop pcap or pcapng file or zeek conn log · detect port scanning behavior · identify scan techniques syn connect udp and stealth scans · surface scanning source ips targets and scan timing · runs locally
    file (any type) → file (any type)
  • posterize: reduce levels per channel · perceptual · luminance · rgb
    image → image
  • PowerShell constrained language mode bypass detector: drop powershell operational evtx csv · detect constrained language mode bypass attempts · identify techniques used to escape powershell restrictions · surface clm bypass artifacts in script block logs · runs locally
    file (any type) → file (any type)
  • powershell deobfuscator: paste obfuscated powershell · base64 utf-16 · deflate gzip · concat replace · char arrays · multi-pass · iocs · runs locally
    file (any type) → file (any type)
  • PowerShell encoded command burst detector: drop 4688 or sysmon evtx csv · detect bursts of base64 encoded powershell commands · decode all encoded commands · identify obfuscation patterns · surface what was executed under encoding cover · runs locally
    file (any type) → file (any type)
  • powershell encoded command decoder: paste -enc or drop 4688 csv · decode base64 utf-16le · multi-layer · dangerous patterns · export csv · runs locally
    file (any type) → file (any type)
  • PowerShell history clearing detector: drop powershell operational evtx csv or psreadline history file · detect cleared powershell command history · identify gaps in command execution record · surface anti-forensic powershell history manipulation · runs locally
    file (any type) → file (any type)
  • powershell module logging disable detector: drop powershell operational evtx csv and registry export · detect module logging disabled or never configured · identify gaps in powershell pipeline logging · surface periods with no module execution records · runs locally
    file (any type) → file (any type)
  • PowerShell transcription disable and gap detector: drop registry export and powershell operational evtx csv · detect transcription logging disabled · identify missing transcript files · surface gaps in powershell session recording · runs locally
    file (any type) → file (any type)
  • PowerShell version 2 downgrade attack detector: drop security evtx csv powershell evtx csv or 4688 csv · detect powershell version 2 invocation · identify downgrade attacks bypassing logging and amsi · surface all version 2 execution instances · runs locally
    file (any type) → file (any type)
  • pptx to pdf: convert powerpoint .pptx to pdf · slide text and approximate layout · images not rendered · runs locally
    file (any type) → pdf
  • prefetch absence anomaly detector: drop prefetch file listing csv or directory export · detect disabled prefetch on active systems · identify missing prefetch for known-executed binaries · surface prefetch gaps indicating anti-forensic suppression · runs locally
    file (any type) → file (any type)
  • prefetch hash anomaly and collision detector: drop prefetch file listing csv · detect multiple prefetch files for the same executable name · identify prefetch hash collisions indicating execution from multiple paths · surface hash manipulation and path-based execution hiding · runs locally
    file (any type) → file (any type)
  • prepaid sim activation artifact forensic detector: detect evidence of prepaid SIM activation, refill activity, and temporary/burner subscriber behavior · runs locally
    file (any type) → file (any type)
  • print spool job content reconstructor: drop windows print spool spl files · parse emf and raw spool formats · reconstruct document content from spool fragments · extract text from emf records · recover what was printed even after deletion · runs locally
    file (any type) → file (any type)
  • print spooler artifact forensic analyzer: drop shd spool files evtx csv registry exports · print job history · printnightmare indicators · export csv · runs locally
    file (any type) → file (any type)
  • private browsing session artifact remnant detector: drop browser profile directory listing mft csv or dns cache export · detect remnants of private browsing sessions · identify artifacts that survive incognito mode · surface what private browsing left behind · runs locally
    file (any type) → file (any type)
  • privilege escalation timeline: drop windows evtx csv · 4688 4672 4648 4624 · escalation patterns · process tree · privilege alerts · timeline export · runs locally
    file (any type) → file (any type)
  • privilege escalation timeline reconstructor: drop security evtx csv · reconstruct privilege changes · 4672 special privileges · 4673 privileged service calls · 4674 operations on privileged objects · token elevation events · runs locally
    file (any type) → file (any type)
  • prnu fingerprinter: jpeg png sensor noise · residual fingerprint · pearson correlation · heatmap viz · LIKELY DIFFERENT · CSV · runs locally
    file (any type) → file (any type)
  • process ancestry reconstructor: drop 4688 evtx csv · parent-child process trees · flag unusual parentage · office spawning shell · export csv · runs locally
    file (any type) → file (any type)
  • process creation audit gap detector: drop security evtx csv · detect gaps in 4688 process creation events · identify windows where process execution was invisible · correlate with command line logging status · surface execution blind spots · runs locally
    file (any type) → file (any type)
  • process doppelganging and herpaderping artifact detector: drop sysmon evtx csv · detect process doppelganging and herpaderping artifacts · identify transacted ntfs file writes followed by execution · surface advanced in-memory evasion techniques · runs locally
    file (any type) → file (any type)
  • process hollowing artifact analyzer: drop sysmon evtx csv or 4688 evtx csv · detect process hollowing indicators · identify processes with suspicious memory allocation patterns · surface unmapped PE sections and known hollowing tool signatures · runs locally
    file (any type) → file (any type)
  • process hollowing memory artifact analyzer: drop volatility malfind or cmdline or pstree output · detect process hollowing indicators · vad vs image mismatches · dkom hidden processes · runs locally
    file (any type) → file (any type)
  • process memory dump analyzer: drop a process memory dump · extract strings · urls · ips · credentials patterns · loaded modules · network connections · runs locally
    file (any type) → file (any type)
  • process memory string extractor: drop raw memory dump or strings text · streaming ascii utf-16le extraction · urls ips credentials c2 iocs · csv export · runs locally
    file (any type) → file (any type)
  • process to network connection correlator: drop sysmon evtx csv with event 3 · or netstat snapshots · and process creation events · link specific process executions to specific network connections via pid and timestamp · identify which process made which connection · runs locally
    file (any type) → file (any type)
  • program compatibility assistant artifact gap detector: drop mft csv and registry export · detect program compatibility assistant database gaps · identify pca artifact clearing · surface execution evidence recorded in pca that was then wiped · runs locally
    file (any type) → file (any type)
  • prompt injection artifact detector: scan documents for hidden delimiters · html comments · zero-width · bidi overrides · export csv · runs locally
    file (any type) → file (any type)
  • protect pdf: password protect · aes-256 · permission flags · runs locally
    pdf → pdf
  • protocol misuse detector: drop pcap or pcapng file · detect protocols being used outside their standard specification · identify c2 channels hidden in legitimate protocols · surface application data on wrong ports and protocol-level anomalies · runs locally
    file (any type) → file (any type)
  • psreadline history gap and anomaly analyzer: paste or drop psreadline consolehost_history txt · detect gaps in command history · identify suspicious command sequences · surface anti-forensic commands · reconstruct powershell session timeline · runs locally
    file (any type) → file (any type)
  • PST / MBOX artifact timeline builder: drop mbox file or pst csv export · parse all email records · build chronological message timeline · surface communication patterns gaps and anomalies · reconstruct folder structure and label history · runs locally
    file (any type) → file (any type)
  • pyc inspector: drop .pyc · magic python version · marshal code object · disassemble opcodes · flag exec eval subprocess · csv · runs locally
    file (any type) → file (any type)
  • quic and http3 flow forensic analyzer: drop pcap · quic udp flows · http3 hints · quic c2 indicators · client fingerprint · tunneling flags · runs locally
    file (any type) → file (any type)
  • ransom note analyzer: paste or drop ransom notes · 55+ family fingerprints · crypto addresses · onion urls · emails · nomoreransom hints · highlighted text · runs locally
    file (any type) → file (any type)
  • ransomware encryption onset timer: drop mft csv and evtx csv · pinpoint the exact moment encryption began · identify patient zero file · work backward to find initial access · correlate with attacker actions · runs locally
    file (any type) → file (any type)
  • ransomware family identifier: drop encrypted file samples · ransom notes · iocs · fingerprint against 200+ families · output family name · known decryptors · nomoreransom hints · extension patterns · c2 patterns · runs locally
    file (any type) → file (any type)
  • ransomware impact estimatorbefore and after csv listings · encrypted files · extension changes · data at risk · encryption wave timeline · ransom notes · runs locally
    file (any type) → file (any type)
  • ransomware pre-encryption staging detectordrop evtx csv and mft csv · identify pre-encryption staging behaviors · network scanning · credential dumping · data exfiltration before encryption · lateral movement artifacts · runs locally
    file (any type) → file (any type)
  • rare process detectordrop 4688 · prefetch · or shimcache csv · rarity score 0–100 · path risk · offensive tool names · single-occurrence flag · csv export · runs locally
    file (any type) → file (any type)
  • rdp cache parserdrop .bmc/.bin cache files · RDP8 magic or legacy BGRA tiles · thumbnail grid · hide uniform tiles · export zip · runs locally
    file (any type) → file (any type)
  • rdp session timeline reconstructordrop security and terminal services evtx csvs · correlate 4624 type 10 logons 4778 4779 connect disconnect · reconstruct full rdp sessions with duration and activity · runs locally
    file (any type) → file (any type)
  • readyboost usb cache artifact and deletion detectordrop mft csv and registry export · detect readyboost cache files deleted from usb devices · identify evidence of usb-based memory cache destruction · surface emDMgmt registry entries for previously connected readyboost devices · runs locally
    file (any type) → file (any type)
  • received header hop analyzerpaste raw email headers or drop eml · parse all received headers · reconstruct smtp routing path hop by hop · compute per-hop timing · surface anomalous delays private ips and inconsistent hostnames · runs locally
    file (any type) → file (any type)
  • recent documents registry clearing artifact detector: drop ntuser.dat reg export · detect cleared recent documents registry entries · identify gaps in the recent document history · surface bulk clearing of document access records · runs locally
    file (any type) → file (any type)
  • recent documents vs LNK file consistency checker: drop ntuser.dat reg export and lnk file listing csv · identify documents in recent docs registry key with no corresponding lnk file · detect selective lnk clearing while registry entries remain · surface inconsistencies between artifact sources · runs locally
    file (any type) → file (any type)
  • recentdocs mru deep analyzer: drop ntuser.dat reg export · parse recentdocs mru · office file mru · sensitive file type flags · export csv · runs locally
    file (any type) → file (any type)
  • recovery prioritization matrix generator: drop affected asset inventory with business criticality ratings · generate prioritized recovery sequence · consider dependencies · rto rpo requirements · available resources · output sequenced recovery plan · runs locally
    file (any type) → file (any type)
  • recycle bin artifact and clearing detector: drop recycle bin metadata csv or $I file listing · analyze file deletion timeline · detect bulk deletion events · surface recycle bin clearing patterns · identify deleted file categories · runs locally
    file (any type) → file (any type)
  • recycle bin deep correlation analyzer: drop recycle bin $i files · mft csv · browser history · process execution csvs · correlate each deletion with the process that caused it · establish why each file was deleted · timeline of deletion activity · runs locally
    file (any type) → file (any type)
  • recycle bin restoration and bypass artifact detector: drop mft csv and usn journal csv · detect files restored from the recycle bin · identify files sent to recycle bin then immediately restored (suspicious cycling) · surface recycle bin bypass using shift-delete · runs locally
    file (any type) → file (any type)
  • redaction quality verifier: drop pdf or image · text under redact · incomplete black boxes · canvas pixel scan · runs locally
    file (any type) → file (any type)
  • redline pdf: word-level diff · strike removed · underline added · annotated report
    pdf → pdf
  • reflective DLL load indicator detector: drop sysmon evtx csv · detect reflective dll loading patterns · identify modules loaded without corresponding file on disk · surface in-memory only dll execution · runs locally
    file (any type) → file (any type)
  • reflective DLL load memory indicator detector: drop ldrmodules malfind or raw memory region · detect reflective dll loading · module-less in-memory pe · reflectiveloader export and stubs · runs locally
    file (any type) → file (any type)
  • registry ACL and permission modification detector: drop security evtx csv · detect registry key permission changes · identify keys locked from forensic access · surface permission modifications enabling or concealing attacker persistence · runs locally
    file (any type) → file (any type)
  • registry autorun entry removal detector: drop security evtx csv or registry diff export · detect persistence mechanism removal · identify autorun keys deleted during investigation window · surface attacker cleanup of persistence artifacts · runs locally
    file (any type) → file (any type)
  • registry deleted key recovery tool: drop a raw registry hive binary · scan hive for deleted but not overwritten key and value structures · recover key names · value names · value data · creation timestamps · forensic registry carving · runs locally
    file (any type) → file (any type)
  • registry hive carver from disk image: drop a raw disk image or memory dump · scan for registry hive fragments by regf signature · extract and reconstruct partial hives · identify additional registry hives beyond the standard locations · runs locally
    file (any type) → file (any type)
  • registry hive rollback detector: drop registry hive exports from multiple control sets · detect values present in backup hive but absent in current · identify registry keys deleted between snapshots · surface rollback evidence · runs locally
    file (any type) → file (any type)
  • registry hive size anomaly detector: drop registry hive file listing or disk inventory csv · detect registry hives that are unusually small or large · identify hives that were truncated or padded · surface hive size inconsistencies indicating tampering or replacement · runs locally
    file (any type) → file (any type)
  • registry hive slack space artifact detector: drop registry hive binary or slack extraction output · detect artifacts hidden in registry hive slack space · identify residual data from deleted keys in hive free cells · surface historical registry content from slack · runs locally
    file (any type) → file (any type)
  • registry key deletion burst detector: drop registry transaction log or security evtx csv · detect rapid bulk registry key deletion · identify scripted registry cleanup operations · surface anti-forensic registry wiping patterns · runs locally
    file (any type) → file (any type)
  • registry key name collision and spoofing detector: drop registry export · detect registry key names that closely mimic legitimate key names · identify homoglyph and whitespace tricks in key names · surface attacker persistence hidden in look-alike key names · runs locally
    file (any type) → file (any type)
  • registry key ownership anomaly detector: drop registry export with security descriptors · detect registry keys owned by unexpected accounts · identify attacker-owned registry keys that survived cleanup · surface ownership anomalies indicating unauthorized key creation · runs locally
    file (any type) → file (any type)
  • registry key timestamp anomaly detector: drop registry hive export with last write times · detect abnormal timestamp clustering · identify mass key modification in short windows · surface registry restoration and manipulation events · runs locally
    file (any type) → file (any type)
  • registry last write time regression detector: drop registry export with timestamps from multiple snapshots · detect registry keys whose last write time regressed between snapshots · identify impossible timestamp rollbacks in registry key history · surface offline editing and hive restoration artifacts · runs locally
    file (any type) → file (any type)
  • registry transaction log gap analyzer: drop registry hive and transaction log files · detect gaps or corruption in registry transaction logs · identify hive states inconsistent with their transaction history · surface evidence of offline hive editing bypassing transactions · runs locally
    file (any type) → file (any type)
  • registry value data entropy analyzer: drop registry export · detect registry values with abnormally high entropy indicating encoded or encrypted content · identify shellcode or payloads stored in registry values · surface obfuscated persistence payloads · runs locally
    file (any type) → file (any type)
  • registry value type mismatch detector: drop registry export · detect values with incorrect data types for their expected type · identify type confusion used to hide data or evade tools · surface malformed registry entries indicating tampering · runs locally
    file (any type) → file (any type)
  • regsvr32 Squiblydoo and COM scriptlet abuse detector: drop 4688 or sysmon evtx csv · detect regsvr32 used to execute remote com scriptlets · identify squiblydoo technique and inline script execution · surface regsvr32 abuse patterns bypassing applocker · runs locally
    file (any type) → file (any type)
  • remote desktop log clearing and gap detector: drop rdp evtx csvs · detect rdp session log gaps · identify rdp channel clearing · surface rdp session reconstruction with cleared log indicators · runs locally
    file (any type) → file (any type)
  • remote forensic collection artifact detector: drop security evtx csv and system evtx csv · detect remote forensic collection agent activity · identify velociraptor grr and edrmdr collection artifacts · surface evidence of remote live response operations · runs locally
    file (any type) → file (any type)
  • remote service installation timeline: drop system evtx csv · parse 7045 new service installed events · correlate with logon events to identify which account installed each service · flag suspicious service paths · runs locally
    file (any type) → file (any type)
  • remove background: alpha matte cutout · transparent png / webp · runs locally
    image → image
  • resize image: scale by px or percent
    image → image
  • resize pages: reflow onto new sheet size · letter · a4 · custom
    pdf → pdf
  • reverse audio: play any audio backwards · runs locally
    audio → audio
  • ring camera artifact forensic extractor: drop ring exported json csv or zip timelines · ding motion alarm ingest classification · utc hour occupancy heuristic · csv json export · runs locally
    file (any type) → file (any type)
  • roaming artifact forensic analyzer: parse roaming indicators, visited networks, and international carrier transitions from Android and carrier artifacts · runs locally
    file (any type) → file (any type)
  • roku chromecast usage forensic analyzer: roku json · chromecast · youtube tv/play tagging · channel rollup density · heuristic filters · csv/json export · runs locally
    file (any type) → file (any type)
  • rotate image: rotate · flip · 90 / 180 / 270
    image → image
  • rotate pdf: turn pages · 90 / 180 / 270 · whole doc or per page
    pdf → pdf
  • rtf analyzer: drop an rtf file · extract embedded objects · ole packages · equation editor objects · hex payloads · malware analysis · runs locally
    file (any type) → file (any type)
  • rtf control word forensic analyzer: drop rtf file · parse rtf control words and groups · extract document metadata · detect suspicious control sequences · surface embedded objects ole content and obfuscated payloads · runs locally
    file (any type) → file (any type)
  • runmru and typed paths clearing detector: drop ntuser.dat reg export · detect cleared run dialog history · identify missing typed path entries · surface evidence of user activity history destruction · runs locally
    file (any type) → file (any type)
  • RunOnce and run key clearing artifact detector: drop security evtx csv or registry export · detect run and runonce key value deletion · identify persistence mechanism removal · surface autorun entries that existed and were then deleted during the investigation window · runs locally
    file (any type) → file (any type)
  • rust binary heuristics: drop binary · rust confidence score · panic strings · crate paths · offensive crate flags · csv export · runs locally
    file (any type) → file (any type)
  • safe boot registry modification detector: drop security evtx csv and registry export · detect safe boot configuration changes · identify services added to safe boot mode bypassing security software · surface safe boot abuse for anti-forensic purposes · runs locally
    file (any type) → file (any type)
  • sam account change timeline: drop sam registry export or security evtx csv · timeline account creates disables password changes · correlate with logon events · runs locally
    file (any type) → file (any type)
  • sam database analyzer: drop sam hive · local user accounts · login metadata · password hints · no hash extraction · csv export · runs locally
    file (any type) → file (any type)
  • SAM hive modification artifact detector: drop security evtx csv · detect unauthorized sam database access and modification · identify account creation hiding · surface local account manipulation patterns · runs locally
    file (any type) → file (any type)
  • samsung galaxy watch artifact forensic extractor: parse Samsung Galaxy Watch and Samsung Health artifacts and reconstruct wearable pairing, activity, and biometric evidence · runs locally
    file (any type) → file (any type)
  • sbom analyzer & vulnerability checker: drop cyclonedx or spdx sbom · parse components · flag known vulnerable versions · license summary · risk score · csv + json export · runs locally
    file (any type) → file (any type)
  • scale / units: normalize model scale between m / cm / in · any 3d format
    3d → 3d
  • scheduled task deletion and history clearing detector: drop security system and task scheduler evtx csvs · detect scheduled task deletion · identify task history clearing · surface task creation followed by deletion indicating attacker cleanup · runs locally
    file (any type) → file (any type)
  • screenshot origin and platform forensic detector: drop screenshot png or jpeg · identify ios android macos windows · device resolution match · metadata · status bar heuristics · runs locally
    file (any type) → file (any type)
  • script block logging disable detector: drop powershell operational evtx csv and security evtx csv · detect script block logging disablement · identify registry changes disabling powershell logging · surface gaps in powershell execution record · runs locally
    file (any type) → file (any type)
  • script interpreter abuse detector: drop 4688 evtx csv · powershell wscript cscript mshta encoded args · decode inline · suspicious paths · export csv · runs locally
    file (any type) → file (any type)
  • search query to file access intent correlator: drop windows search query exports · browser search history · file access logs · correlate what the user searched for with what they subsequently accessed · establish search intent behind file access · build evidence of deliberate targeting · runs locally
    file (any type) → file (any type)
  • secure boot violation and bypass artifact detector: drop system evtx csv and registry export · detect secure boot disabled or bypassed · identify code integrity violations at boot · surface bootkit and rootkit enablement through secure boot manipulation · runs locally
    file (any type) → file (any type)
  • secure delete overwrite pattern remnant scanner: drop binary sample of file slack or unallocated space · identify overwrite patterns from specific secure delete tools · fingerprint the wipe method used · assess what if anything is recoverable · runs locally
    file (any type) → file (any type)
  • secure delete remnant scanner: mft csv or file listing · sdelete eraser cipher patterns · confidence score · csv export · runs locally
    file (any type) → file (any type)
  • secure wipe completeness forensic scorer: drop a disk image · verify whether a secure wipe was actually complete · score overwrite pattern coverage per sector · identify sectors the wipe missed · identify sectors that were wiped but then reallocated and rewritten · prove the wipe was incomplete if evidence survives · runs locally
    file (any type) → file (any type)
  • security descriptor tampering detector: drop security evtx csv · detect changes to security descriptors on forensically significant objects · identify permission modifications locking out investigators · surface acl changes enabling attacker persistence or data access · runs locally
    file (any type) → file (any type)
  • selective prefetch deletion detector: drop prefetch csv and shimcache or 4688 csv · identify executables that ran but have no prefetch · detect targeted prefetch deletion hiding specific tool usage · surface the gap between execution evidence and prefetch evidence · runs locally
    file (any type) → file (any type)
  • semantic structure-based file carver: drop a raw disk image or binary · carve files based on internal structure consistency rather than just magic bytes · find jpeg-shaped regions by dct statistics · sqlite-shaped regions by btree structure · pe-shaped regions by section validity · finds files that header-based carvers miss · runs locally
    file (any type) → file (any type)
  • sequence → gif: image sequence to animated gif · natural sort
    image → image
  • sequence → video: image sequence to mp4 or webm · webcodecs · natural sort · runs locally
    image → video
  • serialized object forensic analyzer: drop java serialized streams · python pickle · dotnet binaryformatter · php serialized strings · extract class names · detect gadget chains · runs locally
    file (any type) → file (any type)
  • service deletion burst detector: drop system evtx csv · detect rapid service deletion patterns · identify attacker persistence mechanism removal · surface service install-then-delete lifecycle indicating attack tool cleanup · runs locally
    file (any type) → file (any type)
  • service worker and PWA cache inspector: drop chrome service worker cache storage files or cache api leveldb · inspect cached resources from progressive web apps and service workers · reconstruct offline content and app shell · surface cached credentials responses and sensitive api data · runs locally
    file (any type) → file (any type)
  • shadow copy creation disable and suppression detector: drop registry export and system evtx csv · detect volume shadow copy service disabled or shadow copy creation suppressed · identify configuration changes preventing future shadow copy creation · surface vss service manipulation · runs locally
    file (any type) → file (any type)
  • shadow copy differential forensics analyzer: drop two file system manifests or mft csvs from different shadow copies · compute exactly what changed between them · files added deleted modified · reconstruct what attacker changed · timeline of filesystem evolution · runs locally
    file (any type) → file (any type)
  • sharpen: unsharp mask + clarity · finishing pass
    image → image
  • shellbag timeline extended: drop shellbags csv · sort timeline · gaps >14d · unc network usb paths · depth >8 · csv export · runs locally
    file (any type) → file (any type)
  • shellbag vs MFT consistency checker: drop shellbag csv and mft csv · identify directories accessed per shellbags that no longer exist in mft · surface deleted folder access history · detect shellbag clearing · runs locally
    file (any type) → file (any type)
  • shellcode analyzer: hex base64 binary shellcode · x86 x64 disassembly · peb stack strings · nop sled · xor stub · iocs · runs locally
    file (any type) → file (any type)
  • shellcode region entropy analyzer: drop memory dump pe or hex paste · windowed shannon entropy · high-entropy and shellcode candidate regions · pe section entropy · export csv · runs locally
    file (any type) → file (any type)
  • shimcache entry order anomaly detector: drop shimcache csv · detect entries out of expected chronological order · identify shimcache manipulation · surface entries inserted at wrong position in the cache · runs locally
    file (any type) → file (any type)
  • si fn timestamp divergence analyzer: drop mft csv · deep analysis of standard information vs file name timestamp divergence · visualize delta distributions · detect systematic manipulation patterns · surface file populations with impossible SI/FN relationships · runs locally
    file (any type) → file (any type)
  • sigma rule tester: paste sigma yaml · drop evtx csv or json logs · evaluate detections · field highlights · mitre tags · export matches · runs locally
    file (any type) → file (any type)
  • signature block: stamp typed signature block · printed name · title · date
    pdf → pdf
  • pdf → file (any type)
  • silence trim: auto-strip silence · edges or all gaps · adjustable threshold · runs locally
    audio → audio
  • sim card artifact forensic extractor: drop SIM dumps, ATR logs, EF file exports, or SIM filesystem images · parse SIM identifiers, service tables, SMS storage, network configuration, and SIM metadata · reconstruct SIM-level evidence and carrier provisioning state · runs locally
    file (any type) → file (any type)
  • sim iccid and imsi forensic correlator: correlate ICCID, IMSI, MSISDN, and carrier identifiers across artifacts · detect reused SIMs, carrier migrations, cloned identifiers, and multi-device associations · runs locally
    file (any type) → file (any type)
  • sim last number dialed artifact extractor: parse SIM LND records and reconstruct last dialed number history · runs locally
    file (any type) → file (any type)
  • sim phonebook artifact forensic extractor: parse SIM ADN/FDN/LND phonebook entries and reconstruct SIM-resident contact evidence · runs locally
    file (any type) → file (any type)
  • sim sms artifact forensic extractor: parse SIM-resident SMS storage and reconstruct stored SMS evidence · runs locally
    file (any type) → file (any type)
  • sim swap artifact forensic detector: detect evidence of SIM swapping across devices, carriers, or subscriber records · runs locally
    file (any type) → file (any type)
  • slack export forensic analyzer: drop slack workspace export zip or individual channel json files · parse all messages files and users · reconstruct conversation threads · surface file sharing deleted message indicators and user activity patterns · runs locally
    file (any type) → file (any type)
  • smart contract bytecode analyzer: paste evm hex · disassemble push pop · flag delegatecall selfdestruct · opcode table · runs locally
    file (any type) → file (any type)
  • smart lock access forensic analyzer: august/schlage csv · code slot NAMES · unlock→lock sessions · late-night anomalies · attributable keypad access · csv/json export · runs locally
    file (any type) → file (any type)
  • smart split: split big pdf by blank · pattern · interval · bookmarks
    pdf → pdf
  • smart thermostat timeline analyzer: nest json · ecobee csv · generic mode csv · away/home cues · vacation windows · utc routine bands · corroborative occupancy · csv/json export · runs locally
    file (any type) → file (any type)
  • smart tv artifact forensic extractor: samsung lg json walks · viewing · apps · search · account linkage cues · heuristic timeline · csv/json export · runs locally
    file (any type) → file (any type)
  • smb artifact forensic analyzer: drop pcap or pcapng · smb2 sessions shares file ops · ntlm capture formatting · admin share lateral movement alerts · export csv · runs locally
    file (any type) → file (any type)
  • smb stream reconstructor: drop pcap or pcapng port 445 139 · smb2 ntlmssp session setup · tree connect create read write reassembly · download zip · export csv · runs locally
    file (any type) → file (any type)
  • smb traffic analyzer: drop smb pcap csv or conn log · admin share access · failed auth bursts · export csv · runs locally
    file (any type) → file (any type)
  • sms and imessage database parser: drop ios sms.db sqlite file · parse all messages conversations and attachments · reconstruct conversation threads · surface deleted message gaps and attachment metadata · runs locally
    file (any type) → file (any type)
  • smtp pcap reconstructor: drop pcap or pcapng · tcp reassembly ports 25 587 465 · mail from rcpt to data · mime attachments · download eml · export csv · runs locally
    file (any type) → file (any type)
  • sni certificate mismatch and domain fronting detector: drop a pcap file · scan tls connections for sni hostname mismatch against certificate common name · detect domain fronting · c2 evasion via cdn · interception indicators · flag connections where traffic claims to be somewhere it is not · runs locally
    file (any type) → file (any type)
  • social resize: ig · tiktok · x · linkedin · fb · yt · pinterest presets · zip batch
    image → image
  • socks proxy chain forensic detector: drop pcap · socks4 socks5 tunnels · proxy chaining · destination extraction · topology map · csv export · runs locally
    file (any type) → file (any type)
  • sort lines: sort · dedupe · shuffle · reverse · trim · case-insensitive
    file (any type) → file (any type)
  • source code style forensic fingerprinter: drop source code or decompiled text · analyze indentation · naming · comments · apis · stylometric fingerprint · compare authorship · runs locally
    file (any type) → file (any type)
  • sparse file artifact detector: drop mft csv · detect sparse files used to hide data or create dummy large files · identify sparse file patterns inconsistent with legitimate use · surface anti-forensic use of ntfs sparse file feature · runs locally
    file (any type) → file (any type)
  • sparse file detector: drop any file · 4096-byte chunk classification · zero fill pattern data · unicode density map · stats · export chunk csv · runs locally
    file (any type) → file (any type)
  • sparse file forensic analyzer: drop mft csv or file listing · identify sparse files · map allocated vs unallocated regions within files · detect data hidden in sparse regions · identify wasted space used for hiding · runs locally
    file (any type) → file (any type)
  • split mesh: explode a model into per-mesh / per-primitive / per-material glb files · zip output
    3d → 3d
  • split pdf: extract ranges or burst pages
    pdf → pdf
  • spoliation evidence detector: drop mft or evtx csv · mass delete bursts · timeline gaps · anti-forensics flags · export csv · runs locally
    file (any type) → file (any type)
  • spreadsheet formula dependency and data origin mapper: drop xlsx · full formula dependency graph · external sources · hidden sheets · named ranges · trace output cells to source data · runs locally
    file (any type) → file (any type)
  • sqlite wal analyzer: drop -wal · optional .db schema · WAL header frames transactions · leaf page rows · page viewer · csv export · runs locally
    file (any type) → file (any type)
  • sqlite wal and free page deep reconstructor: drop any sqlite database · simultaneously scan free pages · wal journal · and unallocated page regions · recover soft-deleted rows · uncommitted wal transactions · partial records · unified recovery report · runs locally
    file (any type) → file (any type)
  • square pad: center on a square canvas · color or blur fill · ig grid
    image → image
  • squashfs filesystem extractor: drop squashfs or firmware · superblock parse · zlib blocks · file tree browse · download files · runs locally
    file (any type) → file (any type)
  • ssh forensic artifact analyzer: drop auth.log known_hosts authorized_keys sshd_config · session timeline · brute force hints · key fingerprints · csv export · runs locally
    file (any type) → file (any type)
  • Stable Diffusion generation metadata extractor: extract Stable Diffusion generation metadata and reconstruct image generation parameters · runs locally
    file (any type) → file (any type)
  • stamp pdf: rubber-stamp gallery · DRAFT · APPROVED · VOID · RECEIVED + date · single placement
    pdf → pdf
  • startup & autorun impact analyzer: drop registry exports or autoruns csv · suspicion score 0–100 · encoded command flags · csv export · runs locally
    file (any type) → file (any type)
  • startup approved entries manipulation detector: drop registry export · detect changes to startup approved keys controlling which startup items are enabled · identify startup items disabled or removed via startup approved registry · surface manipulation of startup item visibility · runs locally
    file (any type) → file (any type)
  • startup folder artifact gap detector: drop mft csv and prefetch or shimcache csv · detect missing startup folder entries for processes known to have run at startup · identify startup folder clearing · surface execution evidence without corresponding startup artifacts · runs locally
    file (any type) → file (any type)
  • statistical anomaly detector: iqr outliers · z-score · benford's law · csv numeric columns · runs locally
    file (any type) → file (any type)
  • sticky notes forensic analyzer: drop plum.sqlite or legacy snt · extract notes including deleted · timestamps · sensitive content flags · export csv · runs locally
    file (any type) → file (any type)
  • string splitting and concatenation obfuscation detector: drop script files or binary strings output · detect string splitting concatenation obfuscation · reconstruct obfuscated strings · extract iocs · runs locally
    file (any type) → file (any type)
  • strip 3d: remove animations · skins · morph targets · vertex colors · names · extras · cameras · lights
    3d → 3d
  • strip metadata: remove exif / xmp
    image → image
  • structured log parser: cef · leef · syslog · json lines · normalize fields · export csv · runs locally
    file (any type) → file (any type)
  • sub-second timestamp suppression detector: drop mft csv · detect systematic loss of sub-second timestamp precision across file populations · identify files where 100ns ntfs precision was stripped · surface the boundary between natural and tool-written timestamps · runs locally
    file (any type) → file (any type)
  • subject investigation awareness behavioral detector: drop prefetch shimcache browser history and registry exports · detect behavioral patterns indicating the subject is aware of or responding to an investigation · identify forensic tool scanning and evidence scrubbing triggered by external events · surface reactive anti-forensic behavior · runs locally
    file (any type) → file (any type)
  • subtitle convert: convert subtitles between srt · vtt · ass · preview cues · runs locally
    file (any type) → file (any type)
  • super file analyzer: drop any file · runs autopsy · entropy · strings · polyglot check · overlay scan · packer detection · outputs one unified forensic report · runs locally
    file (any type) → file (any type)
  • svg forensics: drop or paste svg · domparser never render · scripts handlers external refs data uris foreignobject · severity scoring · csv · stripped svg download · runs locally
    file (any type) → file (any type)
  • svg optimize: clean · compress · strip bloat · SVGO · reduces file size · runs locally
    file (any type) → file (any type)
  • synthetic event injection detector: drop evtx csv · detect artificially injected events · identify events with anomalous record IDs · surface timestamp inconsistencies indicating fabricated log entries · runs locally
    file (any type) → file (any type)
  • sysmon configuration coverage auditor: drop sysmon xml configuration file · score detection coverage · identify blind spots · flag missing event types · compare against community best-practice configs · produce gap analysis with specific recommendations · runs locally
    file (any type) → file (any type)
  • Sysmon configuration tampering detector: drop sysmon evtx csv and system evtx csv · detect sysmon service stops · identify configuration changes reducing coverage · surface gaps in sysmon telemetry stream · runs locally
    file (any type) → file (any type)
  • system clock rollback artifact detector: drop evtx csv and mft csv · detect deliberate clock manipulation · forward and backward moves · corrected timeline · runs locally
    file (any type) → file (any type)
  • system clock skew forensic analyzer: drop multi-system log exports · skew matrix · ntp evidence · causal violations · corrected timeline csv · runs locally
    file (any type) → file (any type)
  • SYSTEM hive rollback indicator detector: drop system evtx csv and registry export · detect evidence that the system hive was restored to a previous state · identify service and driver configurations inconsistent with event log history · surface rollback attacks hiding configuration changes · runs locally
    file (any type) → file (any type)
  • tab restore and session recovery artifact parser: drop chrome last session last tabs current session or current tabs binary files · parse session recovery data · reconstruct tabs windows and navigation history at time of last browser close · surface all urls and form state preserved in session files · runs locally
    file (any type) → file (any type)
  • tables to csv: extract pdf tables · column detection · per-page or merged
    pdf → spreadsheet
  • task scheduler transaction log gap detector: drop microsoft-windows-taskscheduler operational evtx csv · detect gaps in task scheduler event records · identify task history clearing and channel disablement · surface scheduled task execution windows that were erased · runs locally
    file (any type) → file (any type)
  • taskbar pinned items forensic analyzer · drop taskband registry export or taskbar lnk listing · pinned and removed items · unusual security tool flags · export csv · runs locally
    file (any type) → file (any type)
  • tcp retransmission pattern forensic analyzer · drop a pcap file · analyze tcp retransmission patterns · detect network-level manipulation · traffic injection attempts · side-channel information leakage · reconstruct what happened at the network level that caused unusual retransmissions · runs locally
    file (any type) → file (any type)
  • tesla artifact forensic analyzer · data request zip · trip/charging csv · account json · vin decode · unified timeline · speed/hour flags · map links · csv/json export · runs locally
    file (any type) → file (any type)
  • text diff · line & word level diff · side-by-side · unified
    file (any type) → file (any type)
  • text steganography detector · paste or drop text · zero-width · homoglyph · whitespace snow · suspicion score · visualize hidden chars · csv export · runs locally
    file (any type) → file (any type)
  • text steganography extractor · paste text · zws binary · snow whitespace · homoglyph bits · acrostic · nth char · tag chars · download payloads · runs locally
    file (any type) → file (any type)
  • texture · overlay paper · grunge · scratches · scale · rotate · tile · 16 blend modes · batch
    image → image
  • thread execution order forensic reconstructor · drop volatility threads output or crash dump thread listings · reconstruct execution order · thread injection · stack frames · timeline · runs locally
    file (any type) → file (any type)
  • thread injection artifact analyzer · drop volatility threads or dlllist or vadinfo output · thread start addresses outside known modules · apc and createremotethread artifacts · runs locally
    file (any type) → file (any type)
  • threat hunt hypothesis generator · select mitre ttp · artifact hunt checklist · spl and kql queries · markdown playbook export · runs locally
    file (any type) → file (any type)
  • threshold · two-color threshold · luminance · channel · bayer dither
    image → image
  • thumbnail 3d · render any 3d model to a static png · jpeg · webp · custom angle / size / bg
    3d → image
  • thumbnail reverse lookup and orphan matcher · drop a windows thumbcache database and an image collection · compute perceptual hashes of all thumbnails · match each thumbnail to its original file · identify orphaned thumbnails whose originals were deleted · runs locally
    file (any type) → file (any type)
  • time-of-day activity fingerprinter · drop logon evtx csv or activity logs for a user · build 24-hour activity fingerprint · compare two time periods · chi-squared test for pattern change · detect when a different person used the account · account sharing detection · runs locally
    file (any type) → file (any type)
  • time-of-day anomaly detector · drop 4624 logon evtx csv · per-user hour histogram · z-score anomalies · css heatmap grid · anomalous logons csv · runs locally
    file (any type) → file (any type)
  • timestamp cluster anomaly detector · drop mft or artifact csv · detect unnatural timestamp clustering · identify timestamps set to identical values · surface batch timestomping operations · score file populations by timestamp naturalness · runs locally
    file (any type) → file (any type)
  • timestamp cross-source validator · drop mft exif filesystem document and log csvs · cross-source timestamp contradictions · authenticity score · export csv · runs locally
    file (any type) → file (any type)
  • timestamp normalizer · csv timestamp column detection · iso8601 normalize · unix · syslog · export csv · runs locally
    file (any type) → file (any type)
  • timestamp precision and resolution analyzer · drop mft or artifact csvs · sub-second precision patterns · synthetic timestamp detection · digit distribution · export csv · runs locally
    file (any type) → file (any type)
  • timestamp precision collapse detector · drop mft csv · detect mass loss of sub-second timestamp precision · identify files where precision was stripped by external tools · surface populations affected by timestomping operations · runs locally
    file (any type) → file (any type)
  • timestamp rounding pattern detector · drop mft csv · detect files whose timestamps have been rounded to the nearest second minute or hour · identify specific rounding patterns indicating timestomping tool quantization · surface systematic rounding across file populations · runs locally
    file (any type) → file (any type)
  • timestomp consistency cross-validator · drop mft csv · cross-validate si and fn timestamps · detect divergence indicating timestomping · score each file · surface manipulated entries · runs locally
    file (any type) → file (any type)
  • timestomp detector · drop mft csv · si vs fn timestamps · midnight clusters · divergence score · export csv · runs locally
    file (any type) → file (any type)
  • timezone conflict and inference tool · drop multiple forensic csvs · infer utc offsets · detect timezone contradictions · unified timeline export · runs locally
    file (any type) → file (any type)
  • tls certificate chain forensic analyzer · drop pcap · extract tls handshakes · parse certificates · ja3 and sni anomalies · export csv · runs locally
    file (any type) → file (any type)
  • tls session ticket forensic analyzer · drop a pcap file · extract tls session tickets from client hello extensions · link multiple tls connections to the same underlying session · de-anonymize traffic across apparent ip changes · detect session ticket reuse across different source ips · runs locally
    file (any type) → file (any type)
  • token manipulation artifact analyzer · drop security evtx csv · detect token impersonation and privilege events · 4624 type 2/3 anomalies · special privileges assigned · runs locally
    file (any type) → file (any type)
  • token privilege abuse and manipulation detector · drop security evtx csv · detect token privilege abuse for privilege escalation or anti-forensic purposes · identify sebackupprivilege and serestoreprivilege abuse accessing restricted files · surface token manipulation events · runs locally
    file (any type) → file (any type)
  • tracked changes forensic reconstructor · drop docx file · extract all tracked insertions deletions and format changes · reconstruct the full editing history by author · surface deleted content and identify who removed what · runs locally
    file (any type) → file (any type)
  • transpose · swap rows and columns · csv in · csv out · header handling
    spreadsheet → spreadsheet
  • trim audio · clip start and end · optional fades
    audio → audio
  • trim video · cut a clip from any video · scrub start · scrub end · keeps audio
    video → video
  • ttp consistency analyzer · paste ioc list + observed ttps · score consistency vs bundled actor profiles · runs locally
    file (any type) → file (any type)
  • u-boot image parser · drop uimage or fit · legacy header parse · crc verify · gzip decompress · architecture os type · multi image · runs locally
    file (any type) → file (any type)
  • uefi firmware volume parser · drop uefi rom bin · fv ffs scan · guid lookup · pe32 te sections · suspicious modules · export csv · runs locally
    file (any type) → file (any type)
  • unallocated space artifact scanner · drop raw unallocated space binary or carved strings export · scan for file headers and forensic artifacts in unallocated clusters · identify deleted file remnants · surface file types recoverable from unallocated space · runs locally
    file (any type) → file (any type)
  • unbacked memory region detector · drop vad malfind text or csv · executable memory without file backing · mz in memory · rwx regions · process summary · csv export · runs locally
    file (any type) → file (any type)
  • unified login session reconstructor · drop 4624 evtx · rdp logs · vpn logs · ssh logs · browser cookie databases · srum csv · build one unified session per user per day across all authentication sources · identify gaps · flag impossible sessions · runs locally
    file (any type) → file (any type)
  • unlock pdf · remove a known password · password never leaves the device
    pdf → pdf
  • unpacked PE region identifier · drop procmemdump or memory dump · scan mz pe headers · filter known modules · packer fingerprint imports overlay · export csv · runs locally
    file (any type) → file (any type)
  • user behavior baseline profiler · drop months of logon evtx csvs or auth log exports · build statistical baseline per user · active hours · session duration · machine affinity · flag any session that deviates significantly from that user's normal pattern · runs locally
    file (any type) → file (any type)
  • user workstation affinity mapper · drop months of 4624 logon evtx csv · build statistical profile of which user uses which machine · compute affinity scores · flag when a user logs into an unusual machine · detect account takeover by changed workstation usage · runs locally
    file (any type) → file (any type)
  • UserAssist clearing and gap detector · drop ntuser.dat reg export · detect cleared userassist entries · identify gaps in user program execution history · surface clearing events and suspicious absences · runs locally
    file (any type) → file (any type)
  • userassist vs prefetch execution gap detector · drop userassist csv and prefetch csv · identify executables in one artifact but absent from the other · detect selective artifact clearing targeting specific applications · surface what a user ran that was then hidden · runs locally
    file (any type) → file (any type)
  • username pattern generator · name variations · l33t speak · platform handle patterns · osint username lists · runs locally
    file (any type) → file (any type)
  • USN journal vs MFT timestamp conflict detector · drop usn journal csv and mft csv · detect timestamp values in usn journal that contradict current mft timestamps · surface files whose timestamps were modified after they were last journaled · runs locally
    file (any type) → file (any type)
  • uv viewer · inspect uv maps · draw wireframe over texture · per-mesh · uv0 · uv1 · export png · runs locally
    3d → image
  • vad region anomaly analyzer · drop volatility vadinfo or malfind output · rwx private regions · anonymous executable vad · suspicious file-backed mappings · runs locally
    file (any type) → file (any type)
  • vehicle bluetooth pairing forensic analyzer · ivi sqlite · ios plist · android bt_config · CoD + OUI · connection timeline · primary/passenger role · csv/json export · runs locally
    file (any type) → file (any type)
  • vehicle wifi hotspot forensic analyzer · onstar · att drivewifi · dhcp client logs · mac oui · hostname identity · presence timeline · csv/json export · runs locally
    file (any type) → file (any type)
  • video → gif · trim · fps · palette · also exports webm
    video → image
  • video container forensic analyzer · drop mp4 mov mkv avi files · parse container atom box structure · extract all metadata tracks · chapter marks · embedded thumbnails · creation tool information · detect container manipulation · timestamp inconsistencies · runs locally
    file (any type) → file (any type)
  • video deepfake analyzer · drop a short video · sample frames · blink rate · face boundary flicker · temporal inconsistency score · runs locally
    file (any type) → file (any type)
  • video info · duration · codecs · bitrate · fps · audio channels · runs locally
    video → video
  • video thumbnail · scrub and pick the best frame · export png · jpg · webp · runs locally
    video → image
  • video transcript · speech-to-text from video or audio · Whisper · txt · srt · vtt · runs locally
    video → video
  • video watermark · stamp text or image watermark onto video · position · opacity · runs locally
    file (any type) → video
  • vignette · soft edge darken or lighten · oval / circle · feather
    image → image
  • virtual machine snapshot metadata analyzer · drop vmware vmsd vmx files or hyper-v xml config files · parse snapshot tree · reconstruct vm state history · identify when snapshots were taken · detect snapshot abuse · deleted snapshots · runs locally
    file (any type) → file (any type)
  • volume shadow copy deletion detector · drop system or security evtx csv · detect vss deletion commands · identify shadow copy destruction patterns · correlate with ransomware or anti-forensic activity · surface which deletion method was used · runs locally
    file (any type) → file (any type)
  • vs code deep forensic analyzer · drop vscode appdata directory contents · recently opened files · workspace history · extension list · git configuration · stored secrets · snippet history · reconstruct developer activity and project access · runs locally
    file (any type) → file (any type)
  • vss deletion detector · evtx csv + registry · vssadmin wmic bcdedit wbadmin · shadow events · ransomware prep score · runs locally
    file (any type) → file (any type)
  • watermark image · stamp saved or uploaded marks · grid · tile · diagonal · batch
    image → image
  • watermark maker · design text · png · svg watermarks · save local · export json
    image → image
  • watermark pdf · text or image · diagonal or tiled · runs locally
    pdf → pdf
  • waveform image · render audio as a static png · bars · filled · line · custom colors
    audio → image
  • wearable heart rate artifact forensic extractor · parse wearable biometric heart rate records and reconstruct physiological activity timelines · runs locally
    file (any type) → file (any type)
  • wearable sleep artifact forensic extractor · parse wearable sleep tracking artifacts and reconstruct sleep/wake patterns and biometric sleep evidence · runs locally
    file (any type) → file (any type)
  • webassembly binary forensic inspector · drop wasm from browser cache · parse module structure · imports exports · string literals · obfuscation · malicious capability flags · runs locally
    file (any type) → file (any type)
  • weld vertices · merge coincident vertices · tolerance slider · optional smooth normals
    3d → 3d
  • wevtutil execution artifact detector · drop security system and powershell evtx csvs · detect wevtutil execution patterns · identify log clearing commands · correlate with process creation events · surface log manipulation operations · runs locally
    file (any type) → file (any type)
  • wifi connection history forensic extractor · drop iOS wifi plist · android WifiConfigStore · wpa_supplicant · SSID BSSID history · password artifacts · runs locally
    file (any type) → file (any type)
  • wifi probe history analyzer · parse probe request csv · timeline ssids per client · suspicious hidden networks · runs locally
    file (any type) → file (any type)
  • wifi probe request artifact forensic analyzer · drop WiFi probe request capture files, iOS diagnostic logs, or Android WiFi scan logs · parse probe request frames to extract SSIDs that devices were probing for · surface location history from probed network names · detect privacy-compromising probe request patterns · analyze device identifier exposure · runs locally
    file (any type) → file (any type)
  • wifi smart plug forensic analyzer · kasa · wemo · tuya heuristic json walkers · appliance alias surfacing · on/off sessions · presence dwell cues · csv/json export · runs locally
    file (any type) → file (any type)
  • Windows Activity History collection suppression detector · drop registry export · detect activity history collection disabled across all collection mechanisms · identify policy-level activity suppression · compute an overall activity collection suppression score · runs locally
    file (any type) → file (any type)
  • windows audit policy completeness scorer · drop auditpol csv export or security evtx showing 4719 events · score current audit policy against cis benchmark · identify what attack techniques are invisible due to missing audit categories · produce gap analysis with recommendations · runs locally
    file (any type) → file (any type)
  • windows clipboard history forensic analyzer · drop clipboard history sqlite or activitiescache db · credential and sensitive data detection · timeline · export csv · runs locally
    file (any type) → file (any type)
  • windows crash dump analyzer · drop a windows minidump · exception details · faulting module · stack trace · loaded modules · bug check analysis · runs locally
    file (any type) → file (any type)
  • windows credential manager forensics · drop credman export or vault csv · list stored credentials · flag generic vs domain · surface target anomalies · runs locally
    file (any type) → file (any type)
  • windows defender cloud protection disable detector · drop windows defender operational evtx csv and registry export · detect cloud protection and maps reporting disabled · identify spynet telemetry suppression · surface defender intelligence feed disconnection hiding malware from cloud detection · runs locally
    file (any type) → file (any type)
  • windows defender detection history clearing detector · drop windows defender operational evtx csv · detect clearing of defender threat detection history · identify removal of malware detection records · surface evidence that detection events were erased · runs locally
    file (any type) → file (any type)
  • windows defender exclusion artifact detector · drop security evtx csv or registry export · detect defender exclusion additions · identify paths processes and extensions excluded from scanning · surface exclusions covering attacker tools · runs locally
    file (any type) → file (any type)
  • windows error reporting forensic analyzer · drop wer report files or registry exports · decode exception codes · exploit risk scoring · export csv · runs locally
    file (any type) → file (any type)
  • Windows Error Reporting suppression detector · drop system evtx csv and registry export · detect windows error reporting disabled or suppressed · identify crash dump suppression hiding evidence of crashing malware · surface wer configuration changes · runs locally
    file (any type) → file (any type)
  • windows etl event trace log parser · drop windows etl binary files · parse event trace log format · decode provider guids · bits wfp dns extraction · export csv · runs locally
    file (any type) → file (any type)
  • windows event log attack chain mapper · drop evtx csvs · map event ids to mitre attack techniques · reconstruct lateral movement chains · credential access · persistence · discovery · flag sequences not just individual events · runs locally
    file (any type) → file (any type)
  • windows event log parser · drop a .evtx file · parse Windows event log · filter by event ID · level · source · export CSV · runs locally
    file (any type) → file (any type)
  • windows firewall log gap detector · drop windows firewall log file · detect gaps in connection logging · identify firewall log clearing events · surface windows where network activity was not recorded · runs locally
    file (any type) → file (any type)
  • windows installer artifact analyzer · drop msi log files or software registry exports · reconstruct software installation history · identify recently installed tools · detect silent installations · msiexec evidence · flag security-relevant installs · runs locally
    file (any type) → file (any type)
  • windows installer cache forensic analyzer · drop c windows installer directory listing or mft entries for that path · analyze cached msi msp files · reconstruct software installation history · identify what was installed even after uninstall · extract installer metadata · runs locally
    file (any type) → file (any type)
  • windows notification database forensic parser · drop wpndatabase.db sqlite · extract push notification history · app notifications · message previews · alert content · reconstruct what notifications user received · identify communication patterns · runs locally
    file (any type) → file (any type)
  • windows search index parser · drop Windows.edb · ESE catalog btree · SystemIndex paths · search terms · raw tables · filter · csv export · runs locally
    file (any type) → file (any type)
  • windows timeline vs search history cross-reference detector · drop activitiescache db csv and wordwheelquery reg export · detect gaps between windows timeline activity and local search history · identify selective clearing of one artifact while other remains · surface timeline consistency anomalies · runs locally
    file (any type) → file (any type)
  • Windsurf IDE forensic analyzer · analyze Windsurf IDE artifacts and reconstruct AI coding sessions, prompts, and workspace activity · runs locally
    file (any type) → file (any type)
  • wireless probe request artifact analyzer · drop monitor-mode pcap · extract 802.11 probe requests · device ssid history · tracking artifacts · export csv · runs locally
    file (any type) → file (any type)
  • wmi lateral movement detector · drop wmi activity logs or evtx csv · detect remote wmi connections · unusual wmi class creation · suspicious method executions · correlate with logon events · runs locally
    file (any type) → file (any type)
  • word fast-save artifact extractor · drop doc file · extract fast-save residual text blocks · recover deleted text preserved in the binary structure · surface authorship artifacts hidden in the binary word document · runs locally
    file (any type) → file (any type)
  • word to pdf · convert .docx to pdf · text-flow re-typeset · headings · lists · paragraphs · images and complex layout not preserved · runs locally
    file (any type) → pdf
  • write blocker configuration and bypass artifact detector · drop registry export and system evtx csv · detect write blocker configuration in registry · identify attempts to write to a read-only protected device · surface write blocker bypass attempts · runs locally
    file (any type) → file (any type)
  • WScript and CScript execution artifact detector · drop 4688 or sysmon evtx csv · detect wscript and cscript execution patterns · identify script execution without corresponding script files · surface encoded and obfuscated script execution · runs locally
    file (any type) → file (any type)
  • xlsx → csv · convert excel workbooks to csv · one file per sheet · zip output for multi-sheet
    spreadsheet → spreadsheet
  • xml ↔ json · convert xml ↔ json · attributes · pretty
    file (any type) → file (any type)
  • yaml ↔ json · convert yaml ↔ json · multi-doc · indent control
    file (any type) → file (any type)
  • yara rule tester · paste a yara rule · drop a file · see matches · which strings and conditions triggered · educational · runs locally
    file (any type) → file (any type)
  • z wave forensic analyzer · zwavejs logs · zwcfg xml · node inventory · value update timeline · friendly name substitution · csv+json export · runs locally
    file (any type) → file (any type)
  • zigbee network forensic analyzer · zigbee2mqtt logs · devices yaml · MQTT publish excerpts · reconstruct friendly ieee map · heuristic topic inventory · csv+json export · runs locally
    file (any type) → file (any type)
  • zip archive assembly sequence forensic reconstructor · drop zip · local header vs central directory order · timestamp gaps · multi-session flags · csv export · runs locally
    file (any type) → file (any type)
  • zip comment forensics · parse zip raw bytes · eocd archive comment · per-entry cd comments · appended data · sfx detection · csv export · runs locally
    file (any type) → file (any type)
  • zip rescue · recover files from a corrupt ZIP · scans raw bytes for local file headers · bypasses damaged central directory · download what survives · runs locally
    file (any type) → file (any type)
  • zoom application forensic analyzer · drop zoom sqlite databases · log files · configuration files · extract meeting history · chat logs · file transfer records · participant lists · recording artifacts · reconstruct zoom activity timeline · runs locally
    file (any type) → file (any type)
  • zoom meeting artifact extractor · drop zoom meeting logs csv chat txt recording vtt transcript or account activity csv · parse meeting metadata participant lists chat messages and recording artifacts · reconstruct meeting timeline and participant activity · runs locally
    file (any type) → file (any type)

open any row to run the tool; stacks stay on-device.
