Forensic Intelligence Platform
STRATA

Every layer. Every artifact. Every platform. A single binary. Air-gapped. Court-ready.

19 plugins
27 Sigma rules
15 MB binary
5 platforms
89% Rust
Platform

Built for the field.
Not the boardroom.

A single 15MB binary. No installation required. Runs air-gapped. Built for examiners on 8-hour cases with evidence that matters.

01 / Windows
Windows Forensics
NTFS MFT walker. Registry hive parsing. Full native EVTX parser — 60+ event IDs across 7 channels. Prefetch, BAM/DAM, Scheduled Tasks, BITS jobs.
02 / macOS
macOS & APFS
Full APFS B-tree walker. LaunchAgents, FSEvents, Time Machine, Unified Log, Gatekeeper, quarantine artifacts. Apple-native app parsing.
03 / Mobile
iOS & Android
KnowledgeC.db, PowerLog, iTunes backup structure, SMS/iMessage. Android factory reset detection. WhatsApp, Signal, Telegram across both platforms.
04 / Evidence
Image Formats
E01/EWF, Ex01, L01, RAW/DD, VMDK, VHD/VHDX, AFF4, ISO, DMG. Hex editor. SHA-256 + MD5 hashing. 62-signature file carving.
05 / Reporting
Court-Ready Output
Word and PDF report export. Chain of custody audit log. Evidence integrity verification. Hash set import — NSRL and known-bad. IP geolocation.
06 / Threat Intel
MITRE ATT&CK
27 Sigma correlation rules. Full kill chain coverage. Confidence scoring. Kerberoasting, LSASS access, WMI persistence, lateral movement detection.
Plugins

19 plugins.
One examiner.

Every plugin runs independently. Sigma always runs last — correlating across all findings before producing a threat assessment.
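The plugin-then-correlate ordering described above, as an added illustration that is not STRATA's or Wolfmark Systems' code: independent plugins each turn evidence into tagged findings, and a Sigma-style correlation pass runs last over the combined findings to produce a confidence-scored threat assessment. The plugin trait, the two plugins, the tag names, the rule set and the sample evidence lines are all constructed for this example; only the ATT&CK technique ids (T1003.001 LSASS memory, T1558.003 Kerberoasting) are real identifiers.

```rust
// Added illustration, not STRATA code: independent plugins emit tagged
// findings, then a Sigma-style correlation pass runs last over all of them.
use std::collections::BTreeSet;

/// One artifact-level observation from one plugin.
#[derive(Debug, Clone, PartialEq)]
pub struct Finding {
    pub plugin: &'static str,
    pub tag: &'static str, // normalised label the correlation rules key on
    pub source: String,    // the evidence line that produced it
}

/// Each plugin sees the same evidence and knows nothing about the others.
pub trait Plugin {
    fn name(&self) -> &'static str;
    fn run(&self, evidence: &[&str]) -> Vec<Finding>;
}

/// Hypothetical event-log plugin: LSASS handle opens, RC4 TGS requests, SPN enumeration.
pub struct EventLogPlugin;
impl Plugin for EventLogPlugin {
    fn name(&self) -> &'static str { "eventlog" }
    fn run(&self, evidence: &[&str]) -> Vec<Finding> {
        evidence.iter().filter_map(|line| {
            let tag = if line.contains("TargetImage=C:\\Windows\\system32\\lsass.exe") {
                "lsass_access"
            } else if line.contains("EventID=4769") && line.contains("TicketEncryptionType=0x17") {
                "kerberos_rc4_tgs"
            } else if line.contains("EventID=4688") && line.contains("setspn") {
                "spn_enum"
            } else {
                return None;
            };
            Some(Finding { plugin: self.name(), tag, source: line.to_string() })
        }).collect()
    }
}

/// Hypothetical registry plugin: WDigest plaintext credential caching enabled.
pub struct RegistryPlugin;
impl Plugin for RegistryPlugin {
    fn name(&self) -> &'static str { "registry" }
    fn run(&self, evidence: &[&str]) -> Vec<Finding> {
        evidence.iter()
            .filter(|l| l.contains("WDigest") && l.contains("UseLogonCredential=1"))
            .map(|l| Finding { plugin: self.name(), tag: "wdigest_enabled", source: l.to_string() })
            .collect()
    }
}

/// A correlation rule: ATT&CK technique plus the tags that support it.
pub struct Rule {
    pub technique: &'static str,
    pub title: &'static str,
    pub requires: &'static [&'static str],
}

#[derive(Debug)]
pub struct Assessment {
    pub technique: &'static str,
    pub title: &'static str,
    pub confidence: f64,        // share of required tags observed
    pub evidence: Vec<Finding>, // the findings that supported the rule
}

/// Constructed rule set; the technique ids are the real ATT&CK identifiers.
pub const RULES: &[Rule] = &[
    Rule { technique: "T1003.001", title: "LSASS memory credential access",
           requires: &["lsass_access", "wdigest_enabled"] },
    Rule { technique: "T1558.003", title: "Kerberoasting",
           requires: &["kerberos_rc4_tgs", "spn_enum"] },
];

/// Runs last. A rule fires when any plugin saw any of its required tags;
/// confidence is the fraction of the required tags that were observed.
pub fn correlate(findings: &[Finding], rules: &[Rule]) -> Vec<Assessment> {
    let seen: BTreeSet<&str> = findings.iter().map(|f| f.tag).collect();
    let mut out: Vec<Assessment> = rules.iter().filter_map(|r| {
        let hits = r.requires.iter().filter(|t| seen.contains(**t)).count();
        if hits == 0 { return None; }
        Some(Assessment {
            technique: r.technique,
            title: r.title,
            confidence: hits as f64 / r.requires.len() as f64,
            evidence: findings.iter().filter(|f| r.requires.contains(&f.tag)).cloned().collect(),
        })
    }).collect();
    // Highest-confidence assessment first (stable sort keeps rule order on ties).
    out.sort_by(|a, b| b.confidence.partial_cmp(&a.confidence).unwrap());
    out
}

/// Every plugin runs on its own; correlation only starts once all are done.
pub fn run_pipeline(plugins: &[Box<dyn Plugin>], evidence: &[&str]) -> (Vec<Finding>, Vec<Assessment>) {
    let findings: Vec<Finding> = plugins.iter().flat_map(|p| p.run(evidence)).collect();
    let assessments = correlate(&findings, RULES);
    (findings, assessments)
}

/// Constructed sample evidence lines (not real case data).
pub const SAMPLE: &[&str] = &[
    "EventID=10 SourceImage=C:\\Temp\\proc.exe TargetImage=C:\\Windows\\system32\\lsass.exe GrantedAccess=0x1010",
    "EventID=4769 ServiceName=MSSQLSvc TicketEncryptionType=0x17 Status=0x0",
    "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest UseLogonCredential=1",
    "EventID=4624 LogonType=2 TargetUserName=analyst",
];

fn main() {
    let plugins: Vec<Box<dyn Plugin>> = vec![Box::new(EventLogPlugin), Box::new(RegistryPlugin)];
    let (findings, assessments) = run_pipeline(&plugins, SAMPLE);
    println!("{} findings from {} plugins", findings.len(), plugins.len());
    for a in &assessments {
        println!("{} {}: confidence {:.2} from {} artifact(s)",
                 a.technique, a.title, a.confidence, a.evidence.len());
    }
}
```

On the constructed sample, the LSASS rule is supported by findings from two different plugins (the Sysmon-style handle open from the event-log plugin and the WDigest setting from the registry plugin), which is exactly what a plugin running in isolation cannot see; Kerberoasting fires at half confidence because only the RC4 TGS request was observed and no SPN enumeration artifact was present.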

Plugin | Coverage | Platform
Phantom | Registry hives, USBSTOR chain, ShimCache, WDigest detection, NTDS.dit, WMI persistence, CapabilityAccessManager | Windows
Chronicle | UserAssist, Jump Lists, RecentDocs MRU, TypedPaths, LNK files, Shellbags, Windows 10 Timeline, Office Recent Files | Windows
Sentinel | Security.evtx, PowerShell 4103/4104, Sysmon Operational, WinRM, RDP correlation, Kerberos, lateral movement | Windows
Trace | Prefetch all versions via frnsc-prefetch, BAM/DAM, Scheduled Tasks XML, BITS jobs, timestomp detection, SRUM | Windows
Remnant | Recycle Bin $I, USN Journal, $I30 slack, Zone.Identifier ADS, anti-forensic tool detection, VSS deletion evidence | Windows
Guardian | Windows Defender, Avast, Malwarebytes, WER crash files, firewall configuration | Windows
Cipher | WiFi passwords, browser credentials, Credential Manager, SSH keys, AWS/Azure keys, FileZilla, WinSCP, PuTTY | Windows
MacTrace | LaunchAgents/Daemons, Login Items, Spotlight, Unified Log, Gatekeeper, quarantine, FSEvents, Time Machine | macOS
Nimbus | OneDrive, Google Drive, Dropbox, Teams, Slack, Zoom, Outlook PST/OST, M365 UAL CSV, AWS CloudTrail, Azure Activity logs | Cloud
Conduit | WiFi profiles, RDP history, VPN artifacts, network shares, hosts file, DNS cache | Network
NetFlow | PCAP/PCAPNG validation, IIS/Apache/Nginx logs, WinSCP, Rclone, MEGAsync, remote access tools, P2P clients | Network
Vector | PE header analysis, VBA macro detection, PowerShell obfuscation, Mimikatz and Cobalt Strike signatures | Malware
Wraith | hiberfil.sys profiling, LSASS dump detection, crash dump analysis, pagefile string extraction | Memory
Recon | Username extraction, email regex, public IP detection, AWS AKIA key detection, SID history, domain artifacts | All
Pulse | WhatsApp, Signal, Telegram, Snapchat, Instagram, Discord, TikTok, Facebook Messenger — iOS, Android, Windows, macOS | All
Sigma | 27 correlation rules. Always runs last. Full MITRE ATT&CK kill chain. Confidence scoring. Threat assessment output. | All, runs last
Wolfmark Systems