Forensic analysis in three simple steps

ForensicLens separates collection from analysis. Collect evidence on the compromised system, analyze on a trusted machine, get clear answers.

1. Collect Forensic Evidence

5–15 minutes | Always FREE | Windows, Linux, macOS

What happens during collection?

The ForensicLens collector is a standalone executable that runs on the suspected compromised machine. It systematically gathers forensic artifacts without modifying any system files or requiring installation.

What gets collected:

  • Event Logs - Security, System, Application logs (Windows) or auth/syslog (Linux/macOS)
  • Registry Snapshots - Run keys, services, scheduled tasks, persistence locations (Windows)
  • Authentication Records - Login history, failed attempts, privilege escalations
  • System Configuration - Audit policies, firewall settings, installed software
  • Artifact Metadata - File timestamps, user accounts, network configuration

Collection tiers:

Essential

5-15 minutes | 150-250 MB

Fast triage. Covers the 62 core indicators. Perfect for quick investigation or when time is critical.

Extended

30-90 minutes | 1-1.5 GB

Thorough investigation. Adds browser artifacts, prefetch data, PowerShell history. Recommended for most cases.

Deep

1-3 hours | 5-10 GB

Comprehensive analysis. Full file system listing, memory dumps. For complex incidents requiring maximum detail.

Running the collector:

$ forensiclens collect --tier essential --incident-date 2024-11-10

ForensicLens v1.0 - Forensic Data Collection
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

System: Windows 11 Pro (LAPTOP-ABC123)
Tier: Essential (estimated 5-15 minutes)

Starting: Event Log Collection...
Completed: Event Log Collection ✓

Starting: Registry Artifacts...
Completed: Registry Artifacts ✓

Starting: Authentication Records...
Completed: Authentication Records ✓

Starting: System Configuration...
Completed: System Configuration ✓

Collection complete!
Output: ForensicLens_LAPTOP-ABC123_20241115_143000.zip
Size: 187 MB (compressed)

Transfer this file to a trusted system for analysis.

Key features:

Safe & Non-invasive

Only reads files, never modifies. No installation required. Won't interfere with running systems or trigger defensive tools.

USB-Portable

Single executable. Run from USB drive. No dependencies. Perfect for air-gapped or restricted environments.

Standard Format

Outputs ZIP file. Contents are human-readable (CSV, JSON, plain text). No proprietary formats. You own your data.

Graceful Degradation

If an artifact can't be collected (permissions, missing files), collection continues. Errors are logged but don't stop the process.

2. Transfer to Trusted System

2-5 minutes | Critical security step

Why transfer to a separate machine?

Security: If the original system is compromised, you don't want to analyze evidence on the same machine where an attacker might still have access.

Integrity: Analyzing on a separate, trusted system ensures the analysis itself can't be tampered with by malware still present on the compromised machine.

Transfer methods:

  • USB Drive - Copy ZIP to USB, physically transfer to clean machine
  • Network Share - Copy to secured network location (if confident network isn't compromised)
  • Cloud Storage - Upload to Dropbox/Drive/OneDrive if appropriate for your security model
  • Direct Connection - Cable connection or secure file transfer

Important: Secure Your Evidence

The ZIP file contains sensitive information about your system. Treat it like you would treat your passwords or encryption keys.

  • Don't upload to untrusted cloud services
  • Don't email without encryption
  • Delete from compromised system after transfer
  • Store securely on the analysis machine

3. Analyze & Get Answers

10-30 minutes | Web-based dashboard | Paid (first machine free in beta)

What happens during analysis?

Upload the ZIP file to the ForensicLens Analyzer, which runs on your trusted machine. The analyzer automatically:

Analysis steps:

  1. Parses Artifacts - Extracts and indexes all collected data
  2. Checks 62 Indicators - Runs detection algorithms across all categories
  3. Correlates Evidence - Links related findings for context
  4. Generates Dashboard - Creates interactive visualization of results

The Three-State Detection Model:

Every indicator is evaluated and assigned one of three states:

DETECTED

Evidence of malicious activity was found in the collected artifacts.

Example: "127 failed RDP login attempts from 3 external IPs detected in Event ID 4625"

NOT DETECTED

No evidence found AND sufficient logging existed to detect the activity if it had occurred.

Example: "No scheduled tasks created. Audit log enabled and no gaps detected."

INDETERMINATE

Cannot determine due to cleared logs, disabled logging, or missing data.

Example: "Security log cleared on 2024-11-10. Cannot verify authentication events before that date."
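The three-state logic above, as an added illustration that is not ForensicLens code: one indicator (failed logons from external addresses, Event ID 4625) is evaluated against constructed records, and "nothing found" only becomes NOT DETECTED when auditing was on, the log was not cleared after the incident date, and surviving records actually cover that date. The Event and LogState types, the threshold, and the internal address ranges are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

DETECTED, NOT_DETECTED, INDETERMINATE = "DETECTED", "NOT DETECTED", "INDETERMINATE"

# Assumption: anything outside RFC 1918 space and loopback counts as "external".
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

@dataclass
class Event:
    event_id: int           # Windows Security event ID (4625 = failed logon)
    time: datetime
    source_ip: str = ""

@dataclass
class LogState:
    audit_enabled: bool                   # logon auditing per collected audit policy
    earliest_record: Optional[datetime]   # oldest surviving Security log record
    cleared_at: Optional[datetime] = None # when the log was last cleared, if ever

def evaluate_failed_logins(events, log, incident_date, threshold=10):
    """Return (state, evidence) for the 'failed external logins' indicator."""
    hits = [e for e in events if e.event_id == 4625
            and not any(ip_address(e.source_ip) in n for n in INTERNAL_NETS)]
    if len(hits) >= threshold:
        ips = sorted({e.source_ip for e in hits})
        return DETECTED, (f"{len(hits)} failed login attempts from {len(ips)} "
                          f"external IPs detected in Event ID 4625")
    # Nothing found: absence only counts as evidence if the log could have recorded it.
    if not log.audit_enabled:
        return INDETERMINATE, "Logon auditing disabled. Cannot verify authentication events."
    if log.cleared_at is not None and log.cleared_at >= incident_date:
        return INDETERMINATE, (f"Security log cleared on {log.cleared_at:%Y-%m-%d}. "
                               "Cannot verify authentication events before that date.")
    if log.earliest_record is None or log.earliest_record > incident_date:
        return INDETERMINATE, "Surviving log records start after the incident date. Coverage gap."
    return NOT_DETECTED, "No external failed logins. Audit log enabled and no gaps detected."

# Constructed sample data (not real collector output).
INCIDENT = datetime(2024, 11, 10)
BRUTE_FORCE = [Event(4625, datetime(2024, 11, 12, 3, i), "203.0.113.5") for i in range(12)]
INTACT_LOG = LogState(True, datetime(2024, 10, 1))
CLEARED_LOG = LogState(True, datetime(2024, 11, 11), cleared_at=datetime(2024, 11, 10))

if __name__ == "__main__":
    for name, ev, log in (("attack", BRUTE_FORCE, INTACT_LOG), ("clean", [], INTACT_LOG),
                          ("cleared", [], CLEARED_LOG)):
        print(name, *evaluate_failed_logins(ev, log, INCIDENT))
```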

Dashboard sections:

Overview

At-a-glance summary: critical findings, risk level, system information, and confidence scores for each category.

Detailed Findings

Drill down into each category. See specific indicators, evidence citations, timestamps, and context.

Raw Artifacts

Access original collected data. Verify our analysis manually. Everything is transparent and verifiable.

Export Reports

Generate PDF/HTML reports. Include executive summary or technical details. Share with stakeholders or auditors.

Interpreting results:

What to do with your results:

  • All 🟢 NOT DETECTED: No evidence of compromise found. Logging was sufficient. Likely clean (but not guaranteed).
  • Any ☢ DETECTED: Evidence of malicious activity. Review findings, plan remediation, consider professional help if severe.
  • Multiple ❓ INDETERMINATE: Cannot determine due to missing data. Consider it suspicious—why was logging disabled or logs cleared?
  • Mix of all three: Common scenario. Some indicators detected, some clear, some indeterminate. Use findings to guide investigation.

What makes ForensicLens different?

Most forensic tools are either too basic (miss things) or too complex (require experts). ForensicLens bridges that gap.

Honesty Over Confidence

We use a three-state model (DETECTED/NOT DETECTED/INDETERMINATE) instead of pretending we can always give definitive answers.

Why it matters: You need to know when our analysis is limited by missing data. False confidence is dangerous.

Transparent Methodology

We publish exactly what we check, which logs we read, and how we reach conclusions. The full methodology is open source.

Why it matters: You should be able to verify our findings. Black box tools require blind trust.

Accessible to Generalists

Designed for IT admins who understand computers but aren't forensic investigators. No specialized training required.

Why it matters: Most organizations can't afford forensic experts. You shouldn't need a PhD to investigate a breach.

Separation of Collection & Analysis

Collect on compromised system, analyze on trusted system. Evidence can't be tampered with during analysis.

Why it matters: If malware is still present, analyzing on the same machine lets attackers see what you're finding.

Human-Readable Outputs

ZIP files contain CSV, JSON, and text files. No proprietary formats. You can inspect everything manually if desired.

Why it matters: You own your data. You're not locked into our tool. You can verify or extend our analysis.

60× Faster Than Manual

What would take days of manual log analysis takes 30 minutes with ForensicLens. Focus on remediation, not archaeology.

Why it matters: Time matters in incident response. The faster you understand the breach, the faster you can fix it.

Technical Details

System Requirements

Collection (runs on suspected machine):

  • Windows 10/11, Windows Server 2016+
  • Linux (most distributions, kernel 4.0+)
  • macOS 10.15+
  • Administrator/root privileges
  • 50 MB disk space
  • No internet required

Analysis (runs on trusted machine):

  • Any OS with web browser
  • 4 GB RAM minimum
  • Web browser (Chrome, Firefox, Safari, Edge)
  • Internet connection (for updates)

Data Privacy

Your data never leaves your infrastructure.

  • Collection runs entirely offline
  • Analysis runs locally (Streamlit dashboard)
  • No cloud uploads required
  • No telemetry or phone-home
  • You control where data is stored

What we collect (telemetry):

Nothing. We don't collect usage data, crash reports, or any information about your systems.

When you purchase an analysis license, we only collect payment information (handled by Stripe) and your email for license delivery.

Ready to see it in action?

Join the beta and analyze your first machine free.