Flowrensics automates the collection and analysis of key Windows forensic artifacts.
It orchestrates Eric Zimmerman’s EZ Tools, Hayabusa, and Volatility 3.

1. Features
2. Prerequisites
3. Quick Start
4. Usage
5. Results
6. Roadmap
7. License

• One-click triage of Windows artifacts via EZ Tools (MFT, Prefetch, Registry hives, Event Logs, etc.).
• Memory analysis pipeline powered by Volatility 3.
• Fast threat-hunting timeline generation with Hayabusa (Sigma-rule-aware).
• Auto-download & update: Hayabusa and Volatility binaries are fetched on first use.
• Parallel execution with live progress and colorised logs.
• Self-contained: all scripts run inside a Python virtual environment; no system-wide installs required.
• Results folder structured for quick ingestion in Splunk, Timesketch, or Excel.
• Tested on Windows 10 & 11.

# Clone and enter the repo
> git clone https://github.com/syscall80h/Flowrensics.git
> cd Flowrensics

# Set up an isolated environment (PowerShell)
> py -m venv venv
> .\venv\Scripts\Activate.ps1

# Install Python dependencies
(venv) > pip install -r requirements.txt

# Launch the GUI
(venv) > py main.py

1. EZ Tools directory – browse to the net sub-folder containing the command-line EXEs.

2. Triage directory – select the root of the collection (e.g. the drive-letter folder).

• Windows Artifacts – choose individual EZ modules or run the full sweep.
• Memory Analysis – point to a raw memory dump and pick Volatility plugins.

All output is written to the Output directory, organised per module:

Output\
 ├─ EZ output     # CSV from EZ Tools
 ├─ Hayabusa\     # EVTX timeline & Sigma hits
 └─ Volatility\   # Plugin outputs

• Add YARA scan support for memory dumps
• Export consolidated timeline to Timesketch directly
• Run Volatility for a specific PID
• PDF rapport generated

Flowrensics is released under the MIT License – see the LICENSE file for details.