A comprehensive, cross-OS forensic acquisition agent. It walks a host (live), a mounted volume, a pytsk3 disk image (E01/dd/vhd), or a raw device (BitLocker) and gathers artifacts into a signed, content-addressed bundle — the same contract Citadel's Talon produces — while keeping Triager's strengths (pytsk3 imaging, YARA, multithreading) and one-file-per-collector modularity.
- Cross-OS catalog — 70 collectors: 52 Windows, 11 Linux, 7 macOS.
- Content-addressed bundle —
manifest.json | events.jsonl | blobs/<sha256> | bundle.sha256, conforming to the vendoredcontracts/bundle_manifest.schema.json; manifest is schema-validated before sealing.--output-format {zip,bundle,both}. - Capabilities catalog —
capabilities.yamlis the single source of truth for what is collectable (renderable as a UI). Its optionvalues are the--collectkeys, validated against the collector registry at startup. - Auto-discovery registry — collectors self-register by class; adding one is a single new file (no more 3-place dispatch tables). Talon category keys (
evtx,network_cfg, …) work as aliases. - Unified source abstraction (
sources/) — one collector body runs against live FS, mounted volume, pytsk3 image, or raw device+BitLocker (dislocker→cryptsetup, ntfs-3g). - Dead-box —
--path <mount>,--disk <device> --bitlocker-key <key>, plus the existing--image-path. - IOC sweep —
--fetch "mimikatz*" --fetch "re:\.(ps1|hta)$" --fetch-root C:\Users. - Remote delivery — gRPC/mTLS agent, AES-256-GCM chunked resumable upload, S3/MinIO presigned + Citadel case API (
--api-url/--case-id/--api-token,--presigned-url). All optional/lazy-imported. - Finished collectors —
hashing(MD5/SHA256 inventory),file_listing(recursive MACB),yara(rule scan → match JSONL) are implemented. - Tests —
pytest tests/(chunker, secure-upload, registry consistency, source+bundle schema, stub collectors).
-
Two Operation Modes:
- Live system mode: Collect from a running Windows machine
- Dead-box mode: Collect from a mounted dd image
-
Three Collection Levels:
small: Fast triage with highest-value artifactscomplete: Comprehensive collection of all common artifactsexhaustive: Full forensic collection with advanced features
-
50+ Artifact Categories:
- Registry hives and user profiles
- Event logs (Security, System, Application, PowerShell, Sysmon, etc.)
- Filesystem artifacts ($MFT, $UsnJrnl, ADS)
- Execution artifacts (Prefetch, Superfetch, SRUM, Amcache, Shimcache, BAM)
- Persistence mechanisms (Autoruns, Scheduled Tasks, Services, WMI)
- Network configuration and history
- USB device history
- Browser artifacts (Chrome, Firefox, Edge, IE)
- Email data (Outlook, Thunderbird)
- Messaging apps (Teams, Slack, Discord, Signal, WhatsApp, Telegram)
- Cloud storage (OneDrive, Google Drive, Dropbox)
- Remote access tools (AnyDesk, TeamViewer, RDP, SSH)
- Credentials and authentication data
- Antivirus/EDR logs
- And many more...
-
Deterministic Output Structure: Every file is placed at a predictable path for automated analysis
-
Parallel Collection: Multi-threaded collection for faster triage
-
Comprehensive Manifest: JSON and CSV manifests tracking all collected files with hashes
-
ZIP Output: Automatic creation of password-protected ZIP archives (ZIP64 support for >4GB)
# Clone or download the tool
cd triager
# Install dependencies
pip install -r requirements.txtFor full functionality, install optional dependencies:
pip install yara-python regipy pytsk3 pyewf pycryptodome pyzipper pywin32yara-python: YARA rule scanningregipy: Offline registry parsingpytsk3: Raw NTFS accesspyewf: E01/EWF image supportpycryptodome: Cryptographic operationspyzipper: Password-protected ZIPpywin32: Windows API access (Windows only)
# Live triage - small level (fast)
python triager.py --mode live --level small
# Live triage - complete level
python triager.py --mode live --level complete
# Dead-box against mounted image
python triager.py --mode image --image-path E:\ --level complete
# Collect specific categories
python triager.py --mode live --level complete --categories registry,eventlogs,browser_all
# With password-protected ZIP
python triager.py --mode live --level complete --zip-password "S3cur3P@ss!"
# Exhaustive mode with YARA scanning
python triager.py --mode image --image-path E:\ --level exhaustive --yara-rules ./rules/usage: triager.py [-h] (--mode {live,image} | --image-path IMAGE_PATH)
[--level {small,complete,exhaustive}]
[--categories CATEGORIES]
[--include-users INCLUDE_USERS]
[--output-dir OUTPUT_DIR]
[--zip-password ZIP_PASSWORD]
[--keep-unzipped] [--no-zip]
[--threads THREADS]
[--yara-rules YARA_RULES]
[--collect-pagefile] [--collect-hiberfil]
[--collect-swapfile] [--config CONFIG]
[--quiet] [--max-file-size MAX_FILE_SIZE]
Triager - Comprehensive Forensic Triage Tool
options:
-h, --help show this help message and exit
--mode {live,image} Collection mode: live system or mounted image
--image-path IMAGE_PATH
Path to mounted dd image (implies --mode image)
--level {small,complete,exhaustive}
Collection level (default: complete)
--categories CATEGORIES
Comma-separated list of categories to collect
--include-users INCLUDE_USERS
Comma-separated list of usernames to collect
--output-dir OUTPUT_DIR
Output directory (default: ./output)
--zip-password ZIP_PASSWORD
Password for ZIP encryption
--keep-unzipped Keep uncompressed output directory
--no-zip Skip ZIP creation
--threads THREADS Number of parallel threads (default: 4)
--yara-rules YARA_RULES
Path to YARA rules file or directory
--collect-pagefile Collect pagefile.sys
--collect-hiberfil Collect hiberfil.sys
--collect-swapfile Collect swapfile.sys
--config CONFIG Path to configuration file (default: config.yaml)
--quiet Suppress stdout output
--max-file-size MAX_FILE_SIZE
Maximum file size in MB (0 = no limit)
Create a config.yaml file for default settings:
mode: live
level: complete
categories: []
output_dir: ./output
threads: 4
zip_password: null
keep_unzipped: false
hash_collected: true
max_file_size_mb: 0CLI flags override configuration file values.
Triager_HOSTNAME_YYYYMMDD_HHMMSS/
├── metadata/
│ ├── collection_manifest.json
│ ├── collection_log.txt
│ ├── system_info.json
│ ├── config_used.yaml
│ └── errors.log
├── registry/
│ ├── SYSTEM
│ ├── SOFTWARE
│ ├── SAM
│ ├── SECURITY
│ └── users/
│ └── <username>/
│ ├── NTUSER.DAT
│ └── UsrClass.dat
├── eventlogs/
│ ├── Security.evtx
│ ├── System.evtx
│ └── ...
├── filesystem/
│ ├── $MFT
│ ├── $LogFile
│ └── ...
├── execution/
│ ├── prefetch/
│ ├── superfetch/
│ └── ...
└── ... (50+ categories)
Fast triage (~5-15 minutes):
- Registry hives
- Critical event logs
- Prefetch
- Amcache
- Shimcache/BAM
- SRUM
- PowerShell history
- Basic browser history
- Scheduled tasks
- Services
- Windows Defender logs
Comprehensive collection (~30-90 minutes):
- Everything in Small, plus:
- All event logs
- Full $MFT
- All user hives
- Full browser profiles
- Email artifacts
- Messaging apps
- Cloud storage
- Remote access tools
- SSH/FTP configs
- Credential stores
- Antivirus/EDR logs
- IIS logs
- Boot artifacts
- And more...
Full forensic collection (hours):
- Everything in Complete, plus:
- Full pagefile/hiberfil/swapfile
- Volume Shadow Copy extraction
- YARA scanning
- Entropy analysis
- Full volume file listing
- Hashing of all executables
- Deleted MFT entry carving
Use these shortcuts in --categories:
browser_all: Chrome + Firefox + Edge + IEemail_all: Outlook + Thunderbird + Othermessaging_all: Teams + Slack + Discord + Signal + WhatsApp + Telegramcloud_all: OneDrive + Google Drive + Dropbox + Other
- Python 3.8+
- Windows 7/8/10/11 or Server 2012-2022
- Administrator/SYSTEM privileges for live collection
- Sufficient disk space for collected artifacts
- Requires administrator or SYSTEM privileges
- Some files may be locked (pagefile, registry hives)
- Uses Volume Shadow Copy when available
- Mount dd images with FTK Imager, Arsenal Image Mounter, or similar
- Read-only access recommended
- All files should be accessible
Every collected file follows a deterministic naming convention so downstream analysis tools can locate files by path alone.
MIT License
Contributions welcome! Please read CONTRIBUTING.md first.
This tool is for authorized forensic analysis only. Ensure you have proper legal authority before collecting data from any system.
