Unified DFIR Ecosystem

Native, portable tools without dependencies for triage, analysis, and correlation.

PowerForensics is a professional DFIR ecosystem that integrates forensic acquisition, temporal correlation, and relationship analysis to turn technical evidence into a coherent, defensible, and real-world incident-oriented investigation. Designed for analysts, not for black boxes.

5 Pillars Architecture

  1. PowerTriage Collection
  2. Forge Normalization
  3. Analysis Management
  4. Chronos Timeline
  5. Nexus Relations

PowerForensics Ecosystem

A comprehensive forensic environment, composed of lightweight, portable tools designed for live or post-mortem analysis.

PowerTriage (Windows)

Advanced PowerShell script for Windows triage. Collects forensic artifacts (Prefetch, Amcache, SRUM, USB, Events, Shimcache, etc.). Compatible with direct execution on compromised machines or via EDR/XDR consoles.

PowerTriage Linux (Linux)

Standalone Bash tool for rapid Linux analysis. Extracts logs, sessions, active connections, scheduled tasks, users, cronjobs, recent commands, and persistence artifacts.

PowerTriage IoT (OpenWRT / IoT)

Specialized version for IoT and embedded environments. Integrates Python modules to analyze configurations, authentications, credentials, critical services, and vulnerabilities.

PowerForensics Platform Enterprise

Unified platform that centralizes triage results, generates interactive timelines (Chronos) and relationship graphs (Nexus), with automatic MITRE labeling and reporting.

Forge (Normalization)

Normalization engine that converts raw evidence into structured data. Multi-cloud support (AWS, Azure, M365, GCP) and log processing for Chronos and Nexus.

Chronos (Timeline)

Interactive timeline generation to visualize events in chronological order and detect attack patterns.

Nexus (Graph)

Graph analysis to visualize complex relationships between artifacts, users, and affected systems.

PowerForensics Platform Enterprise

The analysis layer that unifies Chronos (Timeline) and Nexus (Graph), designed for DFIR teams that need to move from isolated artifacts to complete investigations.

Vision

The platform centralizes triage results, enables case management, evidence tagging, and the construction of timelines and relationship graphs ready to present in reports and technical committees.

It is oriented towards enterprise environments where repeatable workflows, change control, and collaboration between analysts are required.

Planned capabilities

  • Direct ingestion of PowerTriage results (Windows, Linux, IoT)
  • Automatic construction of timelines in Chronos
  • Generation of entity and relationship graphs in Nexus
  • Case management, notes, and evidence tagging
  • Export of client-ready reports

PowerForensics Platform is our proprietary technology. We do not sell the software; we use it to offer you the fastest and deepest incident response service on the market.


PowerTriage

Windows Forensic Analysis, Portable and Deep

PowerTriage is a native PowerShell tool designed for Windows (10/11/Server) capable of collecting and analyzing key system artifacts. It works without external dependencies and can be executed directly from an EDR/XDR environment or remote Live Response.

Ideal Usage

Incident Response Teams, Corporate DFIR, SOC, Hybrid or Air-gapped environments.

Key Features

  • Automated artifact extraction (Amcache, Prefetch, SRUM, ShimCache, USB, Jump Lists, RecentApps, etc.)
  • MITRE ATT&CK mapping of detected tactics and techniques
  • Structured export (JSON, CSV, HTML)
  • Integration with Chronos (Timeline) and Nexus (Graph) for visual analysis
  • Compatible with offline environments (acquisition from image or mounted volume)
  • Fully portable, no installation or dependencies

PowerTriage Linux

Forensic Triage for Linux Environments

Standalone Bash tool for rapid analysis on Linux systems. Extracts logs, sessions, active connections, tasks, users, cronjobs, and persistence artifacts.

Highlighted Features

  • Artifact extraction (logs, sessions, cron, users, etc.)
  • MITRE ATT&CK mapping with relevant tactics/techniques
  • Structured export (JSON, CSV, HTML)
  • Compatibility with offline analysis and mounted volumes
  • Integration with Chronos (Timeline) and Nexus (Graph)

[Screenshot: PowerTriage Linux execution on Linux (Bash)]

PowerTriage IoT

Forensics on IoT Devices and OpenWRT

Specialized version for embedded environments. Analyzes configurations, credentials, critical services, and vulnerabilities.

Highlighted Features

  • Support for embedded Python modules
  • Analysis of critical services, credentials, and configurations
  • Export in lightweight formats for auditing
  • Compatibility with offline environments
  • Integration with Chronos and Nexus for correlation

[Screenshot: PowerTriage IoT analysis on IoT/OpenWRT devices]

Documentation and Demo

Explore guides, use cases, and MITRE integration in the platform.

Contact & Collaboration

I am open to collaborations, feedback on the platform, or simply chatting about DFIR. If you are interested in the project or want to report an issue, write to me.