This is a sophisticated white-hat security framework with exceptional attention to legal compliance and evidence handling. The cryptographic logging, chain-of-custody, and engagement letter system make it suitable for professional security work where legal defensibility matters. It is meant for Windows-based security operations.
| Y/N | Use Cases |
|---|---|
| ✅ | Penetration testing engagements |
| ✅ | Digital forensics investigations |
| ✅ | Security auditing with legal compliance |
| ✅ | Red team operations with documentation |
| ✅ | Incident response with evidence handling |
| ❌ | Production use (requires the encrypted container, coming soon) |
| ❌ | Multi-platform operations (MADE FOR WINDOWS) |
- `init <target> [--engagement-letter <path>]` - Initialize session with authorization
- `status` - Display current session status
- `panic` - Emergency wipe: terminate processes, clear memory, exit
- `repl` - Enter interactive REPL mode
- `exit` / `quit` - Exit REPL mode
- `clear` / `cls` - Clear terminal screen
- `run <tool> [--network] [--profile <minimal|standard|elevated>] [args...]` - Execute tool in sandbox
  - Profiles control filesystem/registry access levels
  - `--network` flag enables network (requires verification)
  - Built-in tools: `ping`, `ipconfig`, `netstat`, `nslookup`, `tracert`, `whoami`, `systeminfo`
- `network tor [-p <port>]` - Connect via Tor SOCKS5 proxy (default port 9050)
  - Verifies connection via check.torproject.org
  - Enables kill-switch on verification failure
- `network vpn -c <config>` - Configure VPN connection
- `network verify` - Test and verify active connection
- `network status` - Show detailed network status
- `network disable` - Disable all network access
- `forensics mount <target> [--vss]` - Mount target for forensic analysis (read-only)
  - `--vss` enables Volume Shadow Copy snapshot
- `forensics hash <path> [--sign]` - Compute SHA-256 hashes
  - Works on files or entire directories
  - `--sign` cryptographically signs the manifest
- `forensics copy <source> <dest>` - Forensic copy with hash verification
  - Verifies integrity before and after copy
  - Automatic evidence logging
- `evidence export <output> --format <json|xml>` - Export chain-of-custody
  - Includes cryptographic signatures
  - Full audit trail with timestamps
- `evidence sign <file> [--rfc3161] [--tsa-url <url>]` - Sign file with legal timestamp
  - `--rfc3161` enables RFC 3161 timestamp authority
  - `--tsa-url` specifies TSA endpoint (e.g., http://timestamp.digicert.com)
- `evidence report <output>` - Generate comprehensive audit report
  - Session details, authorization, full log chain
  - Chain-of-custody documentation
  - Evidence items and custody log
- `evidence template <output> [--template-type <standard|pentest|forensics>]` - Generate engagement letter template
  - standard: General security testing
  - pentest: Penetration testing engagement
  - forensics: Digital forensics investigation
- `plugin list` - List all installed plugins
- `plugin install <bundle>` - Install plugin from bundle path
  - Verifies and signs plugin on installation
  - Records capabilities (network, filesystem, registry)
- `plugin remove <id>` - Uninstall plugin by ID
- `plugin verify` - Verify signatures of all installed plugins
- `plugin run <id> [args...]` - Execute plugin in sandbox
  - Respects plugin capability restrictions
  - Full logging and evidence collection
Hidden/Undocumented Features
- Session modes (CLI flag): `--mode <auditor|forensics|developer|minimal>` - Affects default behavior
- Ephemeral mode (CLI flag): `--ephemeral` - Memory-only, no disk writes
- Container support (CLI flag): `--container <path>` - Encrypted persistent storage with security audit
- Job object isolation (Windows): Automatic process containment with kill-on-close
- WFP firewall integration (Windows): Per-process network blocking via Windows Filtering Platform
- Secure memory wiping: All sensitive data zeroed on drop using volatile writes
- Hash chain logging: Every log entry chained with previous hash for tamper detection
- Automatic evidence collection: Tool executions auto-generate evidence items
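The hash-chain logging described above, as an added Python illustration that is not the framework's own code: each entry carries the SHA-256 of its predecessor, so an edited, deleted or reordered entry breaks the chain at a detectable index. The entry layout, the all-zero genesis hash and the sample session events are assumptions.

```python
import copy
import hashlib
import json

GENESIS_HASH = "0" * 64  # the first entry chains to a fixed all-zero hash

def entry_hash(prev_hash, timestamp, event, payload):
    # Canonical JSON (sorted keys, no whitespace) so an entry always hashes the
    # same way; the previous entry's hash is part of the hashed material.
    material = json.dumps({"prev": prev_hash, "ts": timestamp, "event": event,
                           "payload": payload}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(material.encode("utf-8")).hexdigest()

def append_entry(chain, timestamp, event, payload):
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    entry = {"prev": prev_hash, "ts": timestamp, "event": event, "payload": payload}
    entry["hash"] = entry_hash(prev_hash, timestamp, event, payload)
    chain.append(entry)
    return entry

def verify_chain(chain):
    # Returns (True, -1) if intact, else (False, index of the first bad entry).
    expected_prev = GENESIS_HASH
    for i, e in enumerate(chain):
        if e["prev"] != expected_prev:
            return False, i  # link to predecessor broken: entry deleted or reordered
        if entry_hash(e["prev"], e["ts"], e["event"], e["payload"]) != e["hash"]:
            return False, i  # entry contents edited after it was written
        expected_prev = e["hash"]
    return True, -1

def tampered_copy(chain, index, key, value):
    bad = copy.deepcopy(chain)  # leave the original chain untouched
    bad[index]["payload"][key] = value
    return bad

def build_sample_chain():
    # Constructed sample session log; target name and digest are placeholders.
    chain = []
    append_entry(chain, "2024-01-01T09:00:00Z", "session_init",
                 {"target": "host-placeholder", "engagement_letter": "letter.pdf"})
    append_entry(chain, "2024-01-01T09:05:00Z", "tool_run",
                 {"tool": "ipconfig", "profile": "minimal", "network": False})
    append_entry(chain, "2024-01-01T09:10:00Z", "forensics_hash",
                 {"path": "C:\\evidence\\disk.img", "sha256": "<placeholder>"})
    return chain

if __name__ == "__main__":
    log = build_sample_chain()
    print(verify_chain(log), verify_chain(tampered_copy(log, 1, "network", True)))
```

A signed, timestamped final hash (as the `evidence sign` command aims to provide) is what turns this tamper-evident chain into one a third party can verify.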
- Sandbox Isolation - Job Objects work, but they do not enforce filesystem/registry restrictions at the Windows API level.
- RFC 3161 - Currently sends HTTP requests but doesn't actually parse RFC 3161 ASN.1 responses. A real TSA would reject requests when using this shell. It's a good stub though, and I plan on fixing that soon.
- Container Encryption - Verifies the container exists and has correct permissions, but doesn't actually decrypt or use it. It's just a file check.
- Plugin Execution - Install/verify works, but no actual sandboxed execution or API.
All of these will be fixed/completed soon.