Multi-tool investigation orchestrator — Nmap/port/HTTP/subdomain scanners, traffic/memory/IOC forensics, workflow pipelines, and case management with report generation
Project description
investigator-core
A modular, multi-tool investigation framework for CTFs, lab environments, and authorized security testing. Orchestrates Nmap, custom port/HTTP/subdomain scanners, traffic/memory/IOC forensics, multi-step workflow pipelines, and case management with report generation — all from a single CLI.
Features
- Case Management — JSON-backed case files with evidence tracking, findings, notes, and status (open/closed)
- Nmap Scanner — full NSE support, custom args, sudo, timeout control
- Custom Port Scanner — threaded TCP, banner grabbing, configurable timeout
- HTTP Scanner — security header analysis, WAF detection, technology fingerprinting
- Subdomain Enumerator — DNS brute force + crt.sh transparency log
- IOC Harvester — extract emails, URLs, IPs, domains, hashes (MD5/SHA1/SHA256), CVEs from any text/PCAP/log
- PCAP Analyzer — packet stats, protocol hierarchy, DNS queries, HTTP requests (tshark)
- Memory Analyzer — Volatility 3 wrapper for memory dumps (Windows/Linux/Mac)
- Workflow Orchestrator — chain multiple tools into pipelines with example templates
- Report Generator — JSON, text, and self-contained HTML reports
- Interactive Dashboard — Rich-based TUI (coming in v0.3.0)
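The IOC Harvester bullet names the indicator types the tool pulls out of text, PCAP and log input. The block below is an added illustration, not the project's own ioc_harvester.py: a small regex extractor over a constructed log that covers emails, URLs, IPv4 addresses, hashes (classified by length as MD5/SHA1/SHA256) and CVE ids, refangs "hxxp" / "[.]" first, and separates RFC 1918 addresses from external ones so lab hosts do not get mixed in with external indicators; the sample hashes and CVE id are placeholders.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log (not real traffic); indicators are partly defanged.
SAMPLE_LOG = """\
10.10.10.5 - - [12/Jan/2025:10:01:22 +0000] "GET /login.php HTTP/1.1" 200 1043
Beacon to hxxp://update.example[.]net/c2.php from 203.0.113.42
Dropper sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Attachment md5 d41d8cd98f00b204e9800998ecf8427e mailed from it-support@example.org
Exploit attempt matching CVE-2099-12345 (placeholder id) against 10.10.10.5:8080
"""

PATTERNS = {
    "email": r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+",
    "url": r"https?://\S+",
    "ipv4": r"\b(?:\d{1,3}\.){3}\d{1,3}\b",
    "hash": r"\b[a-fA-F0-9]{64}\b|\b[a-fA-F0-9]{40}\b|\b[a-fA-F0-9]{32}\b",
    "cve": r"\bCVE-\d{4}-\d{4,}\b",
}
HASH_NAMES = {32: "md5", 40: "sha1", 64: "sha256"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def refang(text: str) -> str:
    """Undo common defanging so the plain regexes match."""
    return text.replace("hxxp", "http").replace("[.]", ".").replace("(.)", ".")


def harvest(text: str) -> dict:
    """Return IOCs grouped by type; hashes split by length, IPs by RFC 1918 scope."""
    found = defaultdict(set)
    text = refang(text)
    for kind, pattern in PATTERNS.items():
        for match in re.findall(pattern, text):
            if kind == "hash":
                found[HASH_NAMES[len(match)]].add(match.lower())
            elif kind == "ipv4":
                try:
                    ip = ipaddress.ip_address(match)
                except ValueError:
                    continue  # 999.1.1.1 matches the regex but is not an address
                internal = any(ip in net for net in RFC1918)
                found["ipv4_internal" if internal else "ipv4_external"].add(match)
            elif kind == "url":
                found["url"].add(match.rstrip(".,;)"))
            else:
                found[kind].add(match)
    return {kind: sorted(values) for kind, values in found.items()}
```

Domain extraction and IPv6 are left out here to stay short; a production harvester also needs an allow-list for benign domains that otherwise flood the output.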
Installation
From PyPI (once published)
pip install investigator-core
From source
git clone https://github.com/rntuhm-gif/investigator-core.git
cd investigator-core
pip install -e .
# With all optional analyzers
pip install -e ".[full]"
# With PCAP analysis only
pip install -e ".[pcap]"
# With memory analysis only
pip install -e ".[memory]"
Dependencies
| Component | Tool | Install |
|---|---|---|
| Nmap scanning | python-nmap | pip install python-nmap (also requires nmap binary) |
| Port scanning | built-in (sockets + threads) | none |
| HTTP scanning | requests, urllib3 | included |
| Subdomain enum | requests | included |
| IOC extraction | built-in (regex) | none |
| PCAP analysis | tshark + pyshark | sudo apt install tshark + pip install pyshark |
| Memory forensics | volatility3 | pip install volatility3 |
| Disk forensics | sleuthkit + pytsk3 | sudo apt install sleuthkit + pip install pytsk3 |
Quick Start
# Create a case
investigator case create "HTB_Box" -d "Box enumeration" -i "you"
# Run scans
investigator scan 10.10.10.5 -n "HTB_Box" -p 22,80,443 --args "-sV -sC -T4"
investigator portscan 10.10.10.5 -p 1-65535 -t 200 --banner -n "HTB_Box"
investigator http https://10.10.10.5 -n "HTB_Box"
investigator subdomain target.htb -n "HTB_Box"
# Analyze evidence
investigator analyze pcap capture.pcap -n "HTB_Box"
investigator analyze memory memdump.raw -n "HTB_Box"
investigator analyze ioc /var/log/apache2/access.log -n "HTB_Box"
# Run a workflow pipeline
investigator workflow example web # creates a web recon template
investigator workflow run /tmp/web_workflow.json
# Generate a report
investigator report "HTB_Box" --format html -o report.html
investigator report "HTB_Box" --format json -o report.json
investigator report "HTB_Box" --format text
# List evidence
investigator evidence "HTB_Box" list
Architecture
investigator/
├── cli.py                      # argparse CLI entry point
├── config.py                   # JSON config in ~/.investigator/config.json
├── case_manager.py             # CRUD for cases (JSON-backed)
├── dashboard.py                # Rich-based TUI dashboard
├── scanners/
│   ├── base.py                 # abstract scanner interface
│   ├── nmap_scanner.py         # python-nmap wrapper
│   ├── port_scanner.py         # threaded TCP scanner
│   ├── http_scanner.py         # HTTP/header/WAF detection
│   └── subdomain_enum.py       # DNS brute + crt.sh
├── analyzers/
│   ├── pcap_analyzer.py        # tshark/pyshark wrapper
│   ├── volatility_analyzer.py  # volatility3 wrapper
│   └── ioc_harvester.py        # regex-based IOC extraction
├── orchestrator/
│   ├── workflow.py             # workflow definition + JSON I/O
│   └── runner.py               # step execution engine
├── reports/
│   ├── report_generator.py     # JSON/text/HTML output
│   └── evidence_locker.py      # file storage per case
└── utils/
    ├── helpers.py
    └── color_out.py
Data Storage
- Cases → ~/.investigator/cases/<name>.json
- Evidence files → ~/.investigator/cases/<name>_evidence/
- Config → ~/.investigator/config.json
Workflow Examples
Built-in templates generate ready-to-run JSON pipelines:
investigator workflow example web # Web app recon: subdomain + http + nmap + ioc
investigator workflow example ctf # CTF box: full portscan + nmap -A
investigator workflow example malware # Malware triage: ioc + memory
investigator workflow example recon # Full external recon
Edit the generated JSON to swap targets, then run:
sed -i 's/TARGET/your-target.com/g' /tmp/web_workflow.json
investigator workflow run /tmp/web_workflow.json -n "MyCase"
Use Cases
- CTF competitions — Hack The Box, TryHackMe, VulnHub boxes
- Lab environments — personal practice, OSCP-style exercises
- OSCP/Pentest+ prep — build muscle memory around common recon/analysis workflows
- Forensics practice — PCAP and memory dump analysis with case tracking
- Tool development — extensible base classes for adding custom scanners/analyzers
License
MIT License — see LICENSE for details.
Disclaimer
This tool is intended for authorized security testing, CTF competitions, and educational lab environments only. Do not use against systems you do not own or have explicit written permission to test. The authors are not responsible for misuse.
Contributing
Pull requests welcome. For major changes, open an issue first to discuss what you'd like to change.
Download files
File details
Details for the file investigator_core-0.2.0.tar.gz.
File metadata
- Download URL: investigator_core-0.2.0.tar.gz
- Upload date:
- Size: 30.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 76de30edc3667f0a6adee153e8d048905a38b04fd07ea884daaf91b66fa8d9a5 |
| MD5 | 17df1326286c643b1193b4b058c0ab64 |
| BLAKE2b-256 | ca456e98864f9ca5ed64c39f33d56e408da883362846d0a434a5e6bb33fc97ea |
Provenance
The following attestation bundles were made for investigator_core-0.2.0.tar.gz:
- Publisher: publish.yml on rntuhm-gif/investigator-core
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: investigator_core-0.2.0.tar.gz
  - Subject digest: 76de30edc3667f0a6adee153e8d048905a38b04fd07ea884daaf91b66fa8d9a5
  - Sigstore transparency entry: 2062366257
  - Sigstore integration time:
- Permalink: rntuhm-gif/investigator-core@a7d50835eabdfa9084de8c9f36334eee1d24c9bb
- Branch / Tag: refs/tags/v0.2.0
- Owner: https://github.com/rntuhm-gif
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@a7d50835eabdfa9084de8c9f36334eee1d24c9bb
- Trigger Event: push
File details
Details for the file investigator_core-0.2.0-py3-none-any.whl.
File metadata
- Download URL: investigator_core-0.2.0-py3-none-any.whl
- Upload date:
- Size: 34.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 942d3f36a88772bc1041d2545ee4d1e36b350fca7e4301c809c344be3b6296f0 |
| MD5 | 11a7d31eaa181a2e35e6173232c9b60f |
| BLAKE2b-256 | 302abea9cb920d7b589092a00083aa7584361852e1275286edfb5f68809cf621 |
Provenance
The following attestation bundles were made for investigator_core-0.2.0-py3-none-any.whl:
- Publisher: publish.yml on rntuhm-gif/investigator-core
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: investigator_core-0.2.0-py3-none-any.whl
  - Subject digest: 942d3f36a88772bc1041d2545ee4d1e36b350fca7e4301c809c344be3b6296f0
  - Sigstore transparency entry: 2062366338
  - Sigstore integration time:
- Permalink: rntuhm-gif/investigator-core@a7d50835eabdfa9084de8c9f36334eee1d24c9bb
- Branch / Tag: refs/tags/v0.2.0
- Owner: https://github.com/rntuhm-gif
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@a7d50835eabdfa9084de8c9f36334eee1d24c9bb
- Trigger Event: push
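The attestations above bind each artifact to its subject digest; before installing, a practitioner wants to confirm that the file that actually reached disk is that subject. As an added example (not part of the project), the Python below streams the SHA256 of a downloaded sdist or wheel, compares it in constant time to the digests listed on this page, and builds a pip hash-pinned requirement line; checking the Sigstore signature in the attestation bundle itself is a separate step done with Sigstore tooling, not shown here.

```python
import hashlib
import hmac
import os
import tempfile

# SHA256 digests exactly as listed on this page for investigator-core 0.2.0.
PUBLISHED_SHA256 = {
    "investigator_core-0.2.0.tar.gz":
        "76de30edc3667f0a6adee153e8d048905a38b04fd07ea884daaf91b66fa8d9a5",
    "investigator_core-0.2.0-py3-none-any.whl":
        "942d3f36a88772bc1041d2545ee4d1e36b350fca7e4301c809c344be3b6296f0",
}


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file in chunks so large archives need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_artifact(path: str, expected_sha256: str) -> bool:
    """True only if the on-disk digest equals the published subject digest."""
    return hmac.compare_digest(sha256_of_file(path).lower(), expected_sha256.lower())


def hash_pinned_requirement(name: str, version: str, digests: dict) -> str:
    """Requirements line for `pip install --require-hashes`: any other file is rejected."""
    hashes = " ".join(f"--hash=sha256:{d}" for d in sorted(digests.values()))
    return f"{name}=={version} {hashes}"


def demo() -> tuple:
    """Check a constructed placeholder file (expected: mismatch) and build the pin line."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"not the real sdist")  # constructed stand-in, not the real archive
    try:
        ok = verify_artifact(tmp.name, PUBLISHED_SHA256["investigator_core-0.2.0.tar.gz"])
    finally:
        os.unlink(tmp.name)
    return ok, hash_pinned_requirement("investigator-core", "0.2.0", PUBLISHED_SHA256)


if __name__ == "__main__":
    matched, pin_line = demo()
    print("placeholder file matches published sdist digest:", matched)
    print(pin_line)
```

Run demo() against the real downloaded file path instead of the placeholder to get a True result; the pin line goes into requirements.txt for reproducible installs.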