Professional digital forensics platform — 16 plugins, MITRE ATT&CK, court-ready reporting.
Built by a US Army Counterintelligence Special Agent and Digital Forensic Examiner.
Free for US military and law enforcement. Commercial licensing available.
Strata is an air-gapped, court-ready forensic analysis platform built in Rust. It runs as a single binary on Windows, macOS, and Linux with no installation required. It parses evidence from Windows, macOS, iOS, and Android systems and produces court-defensible reports with a full chain-of-custody audit trail.
The tools that exist were built for enterprise budgets and conference demos. Strata was built for the examination — because a tool budget should never stand between an examiner and the evidence.
- 16 forensic plugins covering Windows, macOS, iOS, Android, cloud, network, memory, and malware
- 29 Sigma correlation rules with full MITRE ATT&CK kill chain coverage
- CSAM detection module — hash-based and perceptual detection, NCMEC/Project VIC compatible, immutable audit trail, free on all license tiers
- Court-ready reporting — Word and PDF export, chain-of-custody audit log, evidence integrity verification
- Air-gap deployable — single binary, USB portable, no cloud dependency, no telemetry
- Cross-platform — Windows, macOS, Linux. Parses evidence from iOS and Android devices
- 89% pure Rust — 871 tests, zero unsafe blocks in production paths
| Plugin | Coverage |
|---|---|
| Phantom | Registry hives, USBSTOR, ShimCache, WDigest, NTDS.dit, WMI persistence |
| Chronicle | UserAssist, Jump Lists, LNK files, Shellbags, Windows Timeline |
| Sentinel | Security.evtx, PowerShell 4103/4104, Sysmon, RDP, Kerberos, lateral movement |
| Trace | Prefetch, BAM/DAM, Scheduled Tasks, BITS jobs, timestomp detection, SRUM |
| Remnant | Recycle Bin, USN Journal, ADS, anti-forensic tool detection, VSS deletion |
| Guardian | Windows Defender, AV/EDR logs, WER crash files, firewall configuration |
| Cipher | WiFi passwords, browser credentials, SSH keys, AWS/Azure keys |
| MacTrace | LaunchAgents, FSEvents, Unified Log, Gatekeeper, quarantine, Time Machine |
| Nimbus | OneDrive, Google Drive, Teams, Slack, M365 UAL, AWS CloudTrail, Azure |
| Conduit | WiFi profiles, RDP history, VPN artifacts, DNS cache |
| NetFlow | PCAP/PCAPNG, IIS/Apache/Nginx logs, exfil tool detection |
| Vector | PE headers, VBA macros, PowerShell obfuscation, Mimikatz/Cobalt Strike |
| Wraith | hiberfil.sys, LSASS dump detection, crash dump analysis |
| Recon | Username/email/IP extraction, AWS AKIA key detection, SID history |
| Pulse | WhatsApp, Signal, Telegram, Discord, TikTok, Instagram — iOS/Android/Windows/macOS |
| Sigma | 29 correlation rules. Always runs last. Full MITRE ATT&CK kill chain. |
The strata-csam crate provides hash-based and perceptual CSAM detection for forensic examiners and law enforcement.
- Imports NCMEC MD5 hash lists, Project VIC VICS JSON, and generic SHA1/SHA256 sets
- 64-bit dHash perceptual matching with Hamming distance scoring
- SHA256-chained immutable audit log — every action recorded, nothing auto-displayed
- Court-ready PDF and JSON reports — no image content ever embedded
- Mandatory reporting notice per 18 U.S.C. § 2258A in every report
- Free on all license tiers — no gating, ever
Examiners import their own hash sets. Strata never bundles hash data.
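The 64-bit dHash and Hamming distance scoring listed above can be sketched as follows. This is an added example, not code from the strata-csam crate: the downscaling method, bit order, match threshold and every function name are assumptions, and the sample image is constructed.

```rust
// Added example, not Strata code. Bit order, downscaling and threshold are assumptions.
/// Box-average a row-major 8-bit grayscale image down to a 9x8 grid.
fn downscale_9x8(px: &[u8], w: usize, h: usize) -> [[u64; 9]; 8] {
    assert!(w >= 9 && h >= 8 && px.len() == w * h);
    let mut grid = [[0u64; 9]; 8];
    for (gy, row) in grid.iter_mut().enumerate() {
        let (y0, y1) = (gy * h / 8, (gy + 1) * h / 8);
        for (gx, cell) in row.iter_mut().enumerate() {
            let (x0, x1) = (gx * w / 9, (gx + 1) * w / 9);
            let mut sum = 0u64;
            for y in y0..y1 {
                for x in x0..x1 { sum += px[y * w + x] as u64; }
            }
            *cell = sum / ((y1 - y0) * (x1 - x0)) as u64;
        }
    }
    grid
}

/// 64-bit dHash: one bit per horizontally adjacent cell pair, set when left > right.
fn dhash(px: &[u8], w: usize, h: usize) -> u64 {
    let grid = downscale_9x8(px, w, h);
    grid.iter().flat_map(|r| r.windows(2))
        .fold(0u64, |acc, p| (acc << 1) | (p[0] > p[1]) as u64)
}

/// Hamming distance: number of differing bits (0 = identical, 64 = fully inverted).
fn hamming(a: u64, b: u64) -> u32 { (a ^ b).count_ones() }

/// Closest entry of `known` within `max_dist` bits, as (index, distance).
fn best_match(candidate: u64, known: &[u64], max_dist: u32) -> Option<(usize, u32)> {
    known.iter().enumerate().map(|(i, &k)| (i, hamming(candidate, k)))
        .filter(|&(_, d)| d <= max_dist).min_by_key(|&(_, d)| d)
}

/// Constructed sample: 90x80 image of uniform 10x10 blocks, optionally brightened/inverted.
fn sample_image(offset: u8, invert: bool) -> Vec<u8> {
    const P: [u8; 9] = [20, 200, 60, 180, 100, 40, 220, 80, 140];
    (0..90 * 80usize).map(|i| P[(i % 90 / 10 + i / 90 / 10) % 9] + offset)
        .map(|v| if invert { 255 - v } else { v }).collect()
}

fn main() {
    let known = [dhash(&sample_image(0, false), 90, 80)];
    let brighter = dhash(&sample_image(15, false), 90, 80);
    let inverted = dhash(&sample_image(0, true), 90, 80);
    println!("brighter: {:?}", best_match(brighter, &known, 10));
    println!("inverted: {:?}", best_match(inverted, &known, 10));
}
```

A uniformly brightened copy keeps every left/right comparison and so scores distance 0, where an MD5 or SHA256 of the same file would no longer match. This is why a perceptual match is reported with its distance rather than as an exact hit.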
```bash
# Prerequisites: Rust stable, Node.js, pnpm
git clone https://github.com/WolfmarkSystems/Strata.git
cd Strata
cargo build --release -p strata
```

CI status: macOS ✅ · Linux ✅ · Windows ✅
Government Use License — Free
US military and law enforcement use Strata free. Verified by .mil or .gov email.
Covers: Army CID, NCIS, AFOSI, CGIS, FBI RCFL, HSI, IRS-CI, USSS, DEA, ATF, ICAC task forces, state and local LE.
Commercial License — Annual
For private forensic firms, corporate security teams, independent examiners, legal firms, and insurance investigators.
Contact: contact@wolfmarksystems.com
To report a vulnerability, see SECURITY.md.
Copyright © 2026 Wolfmark Systems. All rights reserved.
US Copyright Registration: Case #1-15137320181
See LICENSE for full terms.
wolfmarksystems.com · @WolfmarkSystems · contact@wolfmarksystems.com