DEV Community

Niklas

Posted on • Originally published at niklas-heringer.com

I built a forensics documentation tool because my university course drove me crazy

I'm not a professional forensics investigator, just a security student who had a university course on digital forensics last summer and got increasingly frustrated with one specific part of it: not the investigation, but the documentation.

Every tool, every command, every hash, manually noted. Timestamps written essentially by hand. Chain of custody as an afterthought. My colleagues felt the same way. So we built something to fix it.

forensic-log-tracker wraps your forensic commands, anything you can run in a shell, and automatically produces timestamped, SHA-256-hashed, GPG-signed investigation logs.
One command at the end generates a complete case report in Markdown.
It also attaches plain-language explanations, since report readers are rarely experts, so for each logged command the report contains a block like this:

```markdown
---

### [+] Command: `sha256sum working_copy.img`
- Timestamp: `2026-04-06T09-08-28-524115+00-00`
- GPG-signature: [+] Valid
- SHA256: `92cebec98bfd99f06db56bd758d5977b62abc27513805ca24a72cdb7ed0f5756`

#### Output:
[STDOUT]
08f8672e957e4f7f08ac9a7f2797c34bdffe51d35a7e04f60c1be256a82cc0ff  working_copy.img

[STDERR]

#### Context:
### [+] Legal Context for `sha256sum working_copy.img`

**Analyst:** Niklas Heringer
**Timestamp:** 2026-04-06T12:50:04.899436+00:00

The `sha256sum` command calculates a SHA-256 cryptographic hash of a file.

---
```

Explanations and configs can be adjusted to your needs in the YAML files that ship with the install.
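To show what "timestamped, hashed, signed" means mechanically, here is a small tamper-evident command logger in the same spirit. This is an added illustration written for this post, not forensic-log-tracker's own code, and two things in it are assumptions of the example rather than documented project behaviour: each record carries the previous record's digest in a `prev` field (a hash chain), and the signature is an HMAC over the digest, used as a stand-in for the project's GPG signature so the example runs offline without gpg or a keyring. The Markdown renderer is modelled on the report excerpt above.

```python
"""Tamper-evident command logging in the style the post describes.

Added example, not forensic-log-tracker's own code. Each wrapped shell
command becomes a record with a UTC timestamp, captured stdout/stderr,
a SHA-256 digest of the record and a signature. Assumptions made here
(not project features): records are chained through `prev`, and the
signature is an HMAC over the digest instead of a GPG detached signature.
"""
import hashlib
import hmac
import json
import subprocess
from datetime import datetime, timezone

GENESIS = "0" * 64  # `prev` value of the first record in a case
# Constructed demo key; a real deployment signs with the analyst's GPG key.
DEMO_KEY = b"demo-analyst-key-not-for-real-use"


def _canonical(body: dict) -> bytes:
    # Sorted keys and fixed separators so the same record always hashes the same.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _sign(digest: str, key: bytes) -> str:
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()


def run_logged(command: str, analyst: str, prev: str = GENESIS, key: bytes = DEMO_KEY) -> dict:
    """Run `command` through the shell and return a hashed, signed, chained record."""
    timestamp = datetime.now(timezone.utc).isoformat()
    proc = subprocess.run(command, shell=True, capture_output=True, text=True)
    body = {
        "analyst": analyst,
        "timestamp": timestamp,
        "command": command,
        "exit_code": proc.returncode,
        "stdout": proc.stdout,
        "stderr": proc.stderr,
        "prev": prev,  # digest of the preceding record; links the log into a chain
    }
    digest = hashlib.sha256(_canonical(body)).hexdigest()
    return {**body, "sha256": digest, "signature": _sign(digest, key)}


def verify_chain(records: list, key: bytes = DEMO_KEY) -> tuple:
    """Recompute every digest and signature and walk the chain.

    Returns (True, None) if the log is intact, otherwise (False, index) for the
    first record whose content, signature or link to its predecessor fails.
    """
    prev = GENESIS
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k not in ("sha256", "signature")}
        digest = hashlib.sha256(_canonical(body)).hexdigest()
        if (body.get("prev") != prev or digest != rec.get("sha256")
                or not hmac.compare_digest(_sign(digest, key), rec.get("signature", ""))):
            return False, i
        prev = digest
    return True, None


def to_markdown(rec: dict, signature_ok: bool) -> str:
    """Render one record in the shape of the report excerpt in the post."""
    status = "[+] Valid" if signature_ok else "[-] INVALID"
    return "\n".join([
        f"### [+] Command: `{rec['command']}`",
        f"- Timestamp: `{rec['timestamp']}`",
        f"- Signature: {status}",
        f"- SHA256: `{rec['sha256']}`",
        "",
        "#### Output:",
        "[STDOUT]",
        rec["stdout"].rstrip("\n"),
        "",
        "[STDERR]",
        rec["stderr"].rstrip("\n"),
    ])


if __name__ == "__main__":
    log = [run_logged("echo hello", "Niklas")]
    log.append(run_logged("echo world >&2", "Niklas", prev=log[-1]["sha256"]))
    print(to_markdown(log[0], verify_chain(log)[0]))
    # Editing the captured output of record 0 after the fact is caught
    # because its digest, and therefore its signature, no longer match.
    edited = [dict(r) for r in log]
    edited[0]["stdout"] = "forged\n"
    print(verify_chain(edited))
```

Two caveats worth keeping in mind when reading a log like this. The chain detects an edited, removed or reordered interior record, but not a log that was simply truncated after the last record, so the final digest needs to be anchored somewhere, for example in the signed case report. And an HMAC key is symmetric: whoever can verify can also forge, which is why a GPG signature made with a private key only the analyst holds is the right tool for the real thing.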

I'd love it if you checked it out and gave me feedback. One thing to add might be a PDF report option?

```bash
pip install forensic-log-tracker

flt setup  # set up the GPG key the logs are signed with

flt new-case MY_CASE_NAME --description "Investigating suspicious image"
# conv=noerror,sync zero-fills unreadable blocks, so hash the source and the copy separately and compare
flt run "dd if=evidence.img of=working_copy.img bs=4M conv=noerror,sync" -c MY_CASE_NAME
flt run "foremost -i working_copy.img -o output/ -v" -c MY_CASE_NAME
flt report -c MY_CASE_NAME  # case name must match the one given to new-case
```

Everything it can do is documented in the README :D.


To provide a bit of context, I wrote a beginner forensics guide around it covering dd, Foremost, Scalpel, strings, the works.

There's a pre-built practice image to download and work through, and three interactive quizzes embedded in the post.

Full guide with interactive exercises

And if you use a forensic tool that's not in the explanations.yaml yet, PRs are very welcome.

github.com/mev0lent/forensic-log-tracker
