Privacy-first · No upload · No login · Local analysis only

Privacy-first DFIR tools that run entirely in your browser

Analyze text, timestamps, files and email headers locally in your browser. No upload. No login. Instant results.

Available Tools

Each tool runs 100% in your browser — your data never leaves your device.

IOC Extractor

Paste logs, reports or raw text and automatically extract IPs, domains, URLs, hashes, CVEs and more.

Analyze a SIEM alert dump or a threat report in seconds.

Timestamp Converter

Convert between Unix epoch, Windows FILETIME, WebKit/Chrome timestamps, ISO 8601 and EXIF formats.

Decode a FILETIME value from a registry artifact.

Hash Calculator

Compute MD5, SHA-1, SHA-256, SHA-384 and SHA-512 hashes for text or files. Compare against known values.

Verify file integrity or check a hash against a known IOC.

Email Header Analyzer

Parse raw email headers and inspect SPF, DKIM, DMARC results, received hops and suspicious indicators.

Triage a phishing email in seconds.

Metadata Extractor

Inspect EXIF data, PDF metadata and document properties. Extract timestamps, creators and device information.

Verify image authenticity or extract creation dates from documents.

Log Timeline Builder

Parse syslog, CSV logs and generic text to build a chronological timeline. Filter by severity and search.

Reconstruct an attack timeline from security logs.

Base64/XOR Decoder

Decode suspicious strings, scripts and obfuscated payloads locally in your browser.

Decode suspicious script snippets and triage payload artifacts quickly.

EVTX Parser Lite

Inspect Windows Event Logs locally for fast incident response triage.

Review key Windows security events from EVTX exports in seconds.

Web Server Log Analyzer

Parse Common/Combined web server logs, apply heuristics for SQLi, XSS and path traversal, highlight suspicious requests and export results as CSV.

Triage web server logs and export suspicious requests as CSV for investigations.

Registry Hive Explorer Lite

Open Windows registry hive files to extract autoruns, USB history and UserAssist artifacts for quick forensic review; CSV export available.

Extract autoruns and USB device history from registry hives in your browser.

PE Static Analyzer Lite

Analyze EXE and DLL structure, sections and imports without leaving the browser.

Profile suspicious binaries before deeper reverse engineering.

Prefetch Analyzer Lite

Inspect Windows Prefetch files locally for execution details, run counts and referenced paths.

Recover execution metadata from .pf artifacts in-browser.

YARA Rule Tester Lite

Test YARA rules locally against text or files, with no upload required.

Quickly triage suspicious content with custom rules.

SQLite Artifact Explorer Lite

Open SQLite databases locally and inspect browser/app artifacts, schema and records.

Analyze browser history or app databases without uploading.

Mobile SQLite Explorer Lite

Open mobile app SQLite databases exported from backups and inspect schema and records locally.

Inspect cookies, history and app databases from mobile backups in your browser.

Plist & Protobuf Decoder Lite

Decode XML and binary plists and inspect small protobuf blobs directly in your browser; upload a WASM parser or .proto schema from the tool UI for fuller decoding.

Quickly preview plist manifests and decode protobuf messages with an uploaded schema or WASM parser.

iOS Backup Explorer Lite

Inspect iOS backup manifests, plists and lightweight metadata locally without uploads.

Review backup manifests and high-level metadata for mobile triage.

PCAP Triage Lite

Open PCAP files to extract HTTP, DNS and TLS metadata and export findings as CSV for quick network triage.

Extract DNS queries, HTTP requests and TLS SNI for rapid investigation.

Why local analysis matters

Uploading sensitive security data to third-party servers exposes you to unnecessary risk. Logs, hashes and email headers can contain confidential infrastructure details, PII or proprietary information.

DFIR Toolkit processes everything in your browser using standard Web APIs. The results are yours alone.

Who is it for?

SOC Analysts

Quickly triage alerts, extract IOCs and decode timestamps during incident response.

Incident Responders

Analyze email headers, validate file hashes and convert forensic timestamps on the fly.

Security Researchers

A fast workbench for parsing threat data without sending anything to external services.