Chainsaw

Chainsaw is a Windows forensic analysis tool used for parsing system databases and extracting security artefacts. It functions as a forensic artefact extractor and a scanner for identifying security threats and log tampering within Windows event logs.

The project distinguishes itself by implementing a Sigma rule forensic scanner that applies standardized detection logic and custom rule sets to event logs and forensic artefacts. It enables threat hunting workflows by matching event data against patterns to identify malicious activity, lateral movement, and brute force attacks.

The tool's capabilities include event log triage using regular expressions, execution timeline reconstruction through the correlation of shimcache and amcache data, and the parsing of system resource usage databases. It further provides forensic data search utilities and the ability to export raw binary artefacts into structured JSON formats for external analysis.

Features

Forensic Tools - Provides a specialized tool for conducting digital forensic investigations and analyzing Windows system artifacts.

System Forensic Analysis - Provides a comprehensive suite for extracting and parsing Windows system artifacts to investigate host activity.

Forensic Artifact Parsing - Provides capabilities for decoding specialized system files like MFT and EVTX to reconstruct host state.

Execution Timeline Reconstruction - Combines shimcache and amcache data to build a chronological history of all processed executions on a system.

Forensic Event Correlation - Links disparate data sources like shimcache and amcache to reconstruct a chronological sequence of system events.

Forensic Parsers - Functions as a specialized forensic parser that extracts data from binary system files for security analysis.

Forensic Artifact Extraction - Extracts specific security evidence from disk files into local structured formats for analysis.

Threat Detection - Scans forensic artefacts using custom and standardized detection patterns to identify complex security threats.

Automated Hunting - Implements systematic workflows for proactively detecting malicious activity using Sigma detection logic.

Threat Hunting Workflows - Enables threat hunting by applying custom detection logic and rule levels to forensic data to identify malicious activity.

Forensic Scanners - Scans forensic artifacts against Sigma rules to automatically identify known security threat patterns.

Forensic Log Scanners - Provides a fast scanner for identifying security threats and log tampering within Windows event logs.

Threat Pattern Matchers - Evaluates forensic data against known threat signatures and standardized detection logic.

Forensic Event Triage - Scans event logs rapidly for indicators of malicious activity without requiring a centralized logging infrastructure.

Forensic Log Triage - Processes large event log files using filters and regular expressions to identify indicators of compromise.

Threat - Processes standardized Sigma rule sets against system event logs to automatically identify known threat patterns.

JSON Exports - Serializes extracted forensic artifacts into JSON format for improved interoperability with other analysis tools.

Data Export Formats - Converts raw forensic data into structured machine-readable formats suitable for external ingestion.

JSON Serializers - Transforms raw binary forensic evidence into structured JSON text formats for portability and external analysis.

System Resource Forensic Tracking - Extracts historical resource usage and network metrics from low-level system databases like SRUM.

Log Tampering Detections - Identifies gaps in record IDs and timestamps to detect selective log clearing or modification.

Resource Usage Troubleshooting - Analyzes system monitor data to isolate processes causing high resource consumption over time.

Digital Forensics - Tool for rapid searching and hunting in Windows event logs.

Threat Hunting Tools - Rapid identification of threats within Windows event logs.

WithSecureLabschainsaw

Features

Star history