false00/holoForensics

Holo Forensics

Contract-driven Windows evidence collection and offline artifact parsing in one Rust runtime.

[Screenshot: Holo Forensics desktop collection setup]

Holo Forensics is a Windows-first forensic workbench for investigators who need repeatable evidence packaging and reviewable offline parsing without black-box tooling. It collects high-value artifacts into path-preserving archives with manifests, SHA-256 metadata, and documented collection contracts, then parses supported evidence into plain JSONL that is easy to review, diff, search, and hand off.

Most people should start with the desktop app. The UI now separates that workflow into two focused pages: Collect for source selection, evidence-scope review, packaging, and live collector status, and Parse for zip selection, parse planning, live plan tracking, and output telemetry.

The same Rust runtime also powers the CLI for labs, automation, and validation, but the main workflow is designed around the desktop experience.

Start With The Desktop App

Download the latest Windows release from the latest release page.

If you are evaluating Holo Forensics or using it for casework, start with the packaged desktop build instead of building from source.

Then follow the normal operator flow:

  1. Choose the source volume you want to collect from.
  2. Review or customize the evidence scope before packaging.
  3. Pick the destination folder and create the evidence package.
  4. Switch to the Parse page when you want to browse to a collection zip, inspect supported artifacts, and run offline parsing.

If you need to tune throughput for a large workstation or a quieter lab VM, the Settings dialog now includes an execution mode with separate collection-worker and parse-worker limits. Auto keeps the runtime on bounded defaults; Custom lets you pin explicit worker counts.

The same execution tuning is available to CLI and automation workflows: offline parse runs accept --parse-workers, and the collect-collection-archive subcommand for request-driven collection archive runs accepts --collection-workers. The full command details are in the wiki home technical reference.

If you want source-build, CLI, or lab-validation details, use the wiki home technical reference.

The desktop UI gives analysts a focused Windows collection workflow with source selection, scope review, package destination, live collector status, and artifact-level progress.

[Screenshot: Holo Forensics evidence scope review]

The scope dialog makes it clear which evidence groups are live today, which are planned, and where tuneable collection options exist before you start acquisition.

Desktop UI Preview

[Screenshot: Holo Forensics desktop collection progress]

The collection view is built for Windows acquisition: choose a source volume, confirm the scope, set the package destination, and watch each collector move from queued to staged or complete.

The app also includes a dedicated Parse page for existing evidence archives, with zip and output selection, detected-artifact toggles, live parser-plan status, and CPU/RAM/I/O telemetry beside the standard settings and shadow-copy recovery prompts.

[Screenshot: Holo Forensics desktop parse page]

The parse view keeps archive selection, supported-artifact detection, live parser-plan tracking, and system telemetry in one place so you can inspect or run offline parsing without leaving the desktop workflow.

Why This Exists

Investigators usually have to trade off between tools that are easy to run, easy to automate, and easy to validate after the fact. Holo Forensics is built to narrow that gap:

  • One Rust runtime for desktop and CLI workflows, without shell-script glue as the core execution path
  • Path-preserving evidence packages with SHA-256 hashes, manifests, and explicit collector metadata
  • VSS-backed Windows acquisition paths that keep related artifacts aligned to a defensible point in time
  • Offline parsing that only runs documented artifact contracts instead of opaque best-effort guesses
  • Plain JSONL, logs, and manifests that are easy to review, diff, hand off, or ingest into search systems

Current Windows Coverage

Holo Forensics has two separate jobs: Create Package collects Windows artifacts into a preserved zip layout, and Parse Mode turns supported artifacts into JSONL. Some collected artifacts are preserved for later analysis even if Holo does not parse them yet.

Parse Mode also recognizes Windows Search databases in supplied evidence packages and parser-only raw-input contracts for Shim databases, restore-point logs, and Windows Timeline when those files already exist inside the archive.

In the parity column below, a row with no marker means Create Package and Parse Mode both cover that Windows surface today. 🕒 means one side exists today, but the matching collector or parser is still missing.

Collects Today

| Parity | Surface | What is collected |
|---|---|---|
| | Windows Event Logs | C:\Windows\System32\winevt\Logs\*.evtx, including archived EVTX logs |
| | Registry Hives | System hives, user hives, service-profile hives, AmCache, BCD, and registry transaction logs |
| | Prefetch | C:\Windows\Prefetch\*.pf, Layout.ini, and Ag*.db from a VSS snapshot, with timestamps, file attributes, and SHA-256 metadata |
| | Microsoft Protection Logs | C:\ProgramData\Microsoft\Windows Defender\Support\MPLog*.log from a VSS snapshot, preserved raw with SHA-256 verification and no registry or EVTX duplication |
| | BITS | C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat, qmgr1.dat, and qmgr.db from a VSS snapshot, preserved raw with SHA-256 verification and no registry or EVTX duplication |
| | Scheduled Tasks | C:\Windows\Tasks\**, C:\Windows\SchedLgU.txt, and C:\Windows\System32\Tasks\** from a VSS snapshot, preserved raw with directory metadata and SHA-256 verification |
| | WMI Repository | C:\Windows\System32\wbem\Repository*\**, C:\Windows\System32\wbem\AutoRecover\**, and top-level C:\Windows\System32\wbem\*.mof / *.mfl from a VSS snapshot, preserved raw with directory metadata, SHA-256 verification, and no registry or EVTX duplication |
| 🕒 | PowerShell Activity | PSReadLine history, user profile scripts, likely transcript files, and selected script/config files from user PowerShell roots in a VSS snapshot, with skipped-file logging and no registry or EVTX duplication |
| | Browser Artifacts | Chromium and Firefox history by default, with optional browser support material such as cookies, sessions, storage, legacy Edge/WebCache, DPAPI material, NTUSER.DAT, and supporting hives available through Browser Artifacts tuning |
| | Outlook Stores | Per-user Outlook .ost and .pst stores from default and legacy Outlook roots in a VSS snapshot by default, with optional Content.Outlook attachment-cache files and raw new Outlook Store-app package-state roots under AppData\Local\Packages\Microsoft.OutlookForWindows_*\{AC,LocalCache,LocalState,RoamingState,Settings,SystemAppData,TempState} available through Outlook tuning or CLI flags |
| | Jump Lists | Per-user AutomaticDestinations and CustomDestinations plus jump_lists_manifest.jsonl |
| | LNK Files | Recent, Office Recent, Desktop, and Start Menu .lnk files from a VSS snapshot, preserved raw with lnk_manifest.jsonl and no shortcut-target resolution |
| | Recycle Bin | Modern $I* and legacy INFO2 by default, with optional raw $R, renamed payload, and support-file preservation through Recycle Bin tuning plus recycle_bin_manifest.jsonl |
| | SRUM | C:\Windows\System32\sru\* plus SOFTWARE and SYSTEM hives |
| | $MFT | NTFS $MFT through VSS raw-NTFS extraction |
| 🕒 | $LogFile | NTFS $LogFile through VSS raw-NTFS extraction |
| 🕒 | INDX Records | Raw NTFS $I30 index attributes from directory records |
| | $UsnJrnl | $Extend\$UsnJrnl:$J with sidecar or centralized collector metadata |

Create Package preserves original Windows paths where applicable, hashes collected bytes with SHA-256, and writes collector metadata under $metadata/collectors/<volume>/<collector>/.

Recycle Bin collection now defaults to modern $I* metadata and Windows XP INFO2; full raw modern and legacy on-disk preservation remains available through Recycle Bin tuning or CLI flags. Parse Mode covers modern $I* metadata through windows_recycle_bin and XP INFO2 through windows_recycle_bin_info2.

Outlook collection now defaults to classic .ost/.pst stores. Content.Outlook attachment-cache content and the targeted new Outlook package-state roots discovered under Microsoft.OutlookForWindows_* package families remain available through Outlook tuning or CLI flags, but Parse Mode currently binds only the classic store files to windows_outlook.
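A package that carries per-file SHA-256 values is only defensible if someone other than the collecting tool can re-check it before handoff. The script below is an added example written for this page, not Holo Forensics code: it builds a small path-preserving zip from constructed sample bytes, writes a per-collector manifest.jsonl under $metadata/collectors/<volume>/<collector>/, and then verifies the package from scratch, reporting members listed but missing, digest or size mismatches, and members that no collector manifest accounts for. The manifest field names (original_path, archive_path, sha256, size), the manifest.jsonl filename, and the drive-letter-to-directory mapping are assumptions for the illustration; the real package schema is not documented on this page.

```python
"""Build and verify a path-preserving evidence package with SHA-256 manifests.

Added example for this page, not Holo Forensics code. The manifest field
names, the manifest.jsonl filename and the drive-to-directory mapping are
assumptions; the project's real package schema is not documented here.
"""
import hashlib
import io
import json
import zipfile

# Constructed sample artifacts (original Windows path -> bytes); not real evidence.
SAMPLE_FILES = {
    r"C:\Windows\Prefetch\CMD.EXE-0BD30981.pf": b"MAM\x04" + bytes(60),
    r"C:\Windows\Prefetch\Layout.ini": b"[OptimalLayoutFile]\r\n",
}

METADATA_ROOT = "$metadata/collectors"  # assumed, modelled on the README's description


def archive_path(volume: str, original: str) -> str:
    """Map C:\\Windows\\Prefetch\\X.pf to C/Windows/Prefetch/X.pf (assumed layout)."""
    _drive, _sep, rest = original.partition(":\\")
    return f"{volume}/{rest.replace(chr(92), '/')}"


def build_package(files: dict, volume: str = "C",
                  collector: str = "windows_prefetch_collection") -> bytes:
    """Write each file under its preserved path plus one manifest line per file."""
    buf = io.BytesIO()
    manifest = []
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for original, data in files.items():
            arc = archive_path(volume, original)
            zf.writestr(arc, data)
            manifest.append(json.dumps({
                "original_path": original,
                "archive_path": arc,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
            }, sort_keys=True))  # sorted keys keep the manifest diff-friendly
        zf.writestr(f"{METADATA_ROOT}/{volume}/{collector}/manifest.jsonl",
                    "\n".join(manifest) + "\n")
    return buf.getvalue()


def verify_package(package: bytes) -> dict:
    """Re-hash every manifest entry; flag missing members, digest/size mismatches
    and members that no collector manifest accounts for."""
    errors, verified, covered = [], 0, set()
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        names = set(zf.namelist())
        manifests = sorted(n for n in names
                           if n.startswith(METADATA_ROOT + "/") and n.endswith("/manifest.jsonl"))
        if not manifests:
            errors.append("no collector manifest found under " + METADATA_ROOT)
        for m in manifests:
            for lineno, line in enumerate(zf.read(m).decode("utf-8").splitlines(), 1):
                if not line.strip():
                    continue
                entry = json.loads(line)
                arc = entry["archive_path"]
                covered.add(arc)
                if arc not in names:
                    errors.append(f"{m}:{lineno}: {arc} listed but missing from archive")
                    continue
                data = zf.read(arc)
                digest = hashlib.sha256(data).hexdigest()
                if digest != entry["sha256"]:
                    errors.append(f"{arc}: sha256 mismatch (manifest {entry['sha256'][:12]}, actual {digest[:12]})")
                elif len(data) != entry["size"]:
                    errors.append(f"{arc}: size mismatch (manifest {entry['size']}, actual {len(data)})")
                else:
                    verified += 1
        for n in sorted(names - covered):  # evidence nobody vouches for is a finding too
            if not n.startswith("$metadata/"):
                errors.append(f"{n}: present in archive but absent from every manifest")
    return {"ok": not errors, "verified": verified, "errors": errors}


def tamper(package: bytes, arc: str, new_data: bytes) -> bytes:
    """Rewrite one member to simulate post-collection modification of the evidence."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(package)) as src, zipfile.ZipFile(buf, "w") as dst:
        for info in src.infolist():
            dst.writestr(info.filename, new_data if info.filename == arc else src.read(info.filename))
    return buf.getvalue()


if __name__ == "__main__":
    pkg = build_package(SAMPLE_FILES)
    print(verify_package(pkg))
    print(verify_package(tamper(pkg, "C/Windows/Prefetch/Layout.ini", b"[Modified]\r\n")))
```

The check deliberately runs in both directions: every manifest entry must resolve to a member with the recorded digest, and every non-metadata member must be claimed by some manifest, so a file that was added to the zip after collection is reported even though its bytes are intact.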

Parses Today

| Parity | Parser family | Artifact support | Collection/input contract |
|---|---|---|---|
| | windows_browser_history | Chrome, Edge, and Firefox local browser history databases | windows_browser_artifacts_collection |
| | windows_event_logs | Active and archived .evtx event logs | windows_evtx_collection |
| | windows_prefetch | Windows Prefetch .pf files | windows_prefetch_collection |
| | windows_mplogs | Microsoft Defender Support MPLog*.log operational logs with raw-line preservation, normalized fields, and timestamp assumptions | windows_mplogs_collection |
| | windows_bits | BITS job databases qmgr.db, qmgr0.dat, and qmgr1.dat | windows_bits_collection |
| | windows_search | Windows Search databases Windows.edb and Windows.db | windows_search_collection |
| | windows_outlook | Outlook .ost and .pst stores; attachment cache and new Outlook package-state remain optional raw evidence today | windows_outlook_collection |
| 🕒 | windows_shimdb | Application compatibility .sdb databases | windows_shimdb_collection (parser-only) |
| | windows_userassist | UserAssist registry data from NTUSER.DAT | windows_registry_collection |
| | windows_shimcache | ShimCache/AppCompatCache data from SYSTEM | windows_registry_collection |
| | windows_shellbags | Shellbags from NTUSER.DAT and USRCLASS.DAT | windows_registry_collection |
| | windows_amcache | Amcache.hve execution and install inventory | windows_registry_collection |
| | windows_shortcuts | Windows shortcut .lnk files | windows_lnk_collection |
| | windows_srum | SRUDB.dat SRUM records | windows_srum_collection |
| | windows_users | Local user and RID data from SAM | windows_registry_collection |
| | windows_services | Service configuration data from SYSTEM | windows_registry_collection |
| | windows_jump_lists | AutomaticDestinations and CustomDestinations Jump Lists | windows_jump_lists_collection |
| | windows_recycle_bin | Modern Recycle Bin $I* metadata files | windows_recycle_bin_info2_collection |
| | windows_scheduled_tasks | Legacy .job tasks and modern task files under System32\Tasks | windows_scheduled_tasks_collection |
| | windows_wmi_persistence | WMI persistence data from repository OBJECTS.DATA | windows_wmi_repository_collection |
| | windows_mft | Raw NTFS $MFT evidence | windows_mft_collection |
| | windows_usn_journal | Raw NTFS $Extend\$UsnJrnl:$J streams, including sidecar-aware sparse-range parsing for USN record versions 2 and 3 | windows_usn_journal_collection |
| | windows_registry | Offline Windows Registry hives including NTUSER.DAT, UsrClass.dat, Amcache.hve, SYSTEM, SOFTWARE, SAM, SECURITY, DEFAULT, COMPONENTS, settings.dat, and drvindex.dat | windows_registry_collection |
| 🕒 | windows_restore_point_log | Windows restore-point rp.log | windows_restore_point_log_collection (parser-only) |
| | windows_recycle_bin_info2 | Windows XP recycle-bin INFO2 | windows_recycle_bin_info2_collection |
| 🕒 | windows_timeline | Windows Timeline ActivitiesCache.db | windows_timeline_collection (parser-only) |

Parity Gaps To Close

Collector exists, matching parser is still missing:

  • windows_powershell_activity_collection
  • windows_logfile_collection
  • windows_indx_collection

Parser exists, matching live collector is still missing:

  • windows_shimdb -> windows_shimdb_collection
  • windows_restore_point_log -> windows_restore_point_log_collection
  • windows_timeline -> windows_timeline_collection

Most of the additional Windows parser families run through the shared adapter in src/parsers/windows/artemis.rs and a vendored Artemis v0.19.0 workspace under third_party/artemis. That local fork preserves the existing Holo Forensics plan, manifest, and JSONL output contracts while keeping the Windows offline-file fixes in-repo. Create Package does not yet collect parser-only inputs for Shim databases, restore-point logs, or Windows Timeline, and Parse Mode does not yet have matching parser families for PowerShell Activity, $LogFile, or INDX collector output.

Getting Started

Prerequisites

  • Rust stable with Cargo

What The Desktop App Supports

The desktop UI supports:

  • Collection: Full, Triage, and Custom profiles are exposed in the UI. The Collection tab presents the Windows collection surfaces listed above, with available live collectors for event logs, registry, Prefetch, Microsoft Protection Logs, BITS, Windows Search, Scheduled Tasks, WMI Repository, PowerShell Activity, browser artifacts with tuneable subcollections and parsed-history defaults, Outlook stores with tuneable raw attachment-cache and new Outlook package-state opt-ins, Jump Lists, LNK Files, Recycle Bin, SRUM, $MFT, $LogFile, INDX records, and $UsnJrnl.
  • Collection workflow: when multiple VSS-backed collectors run for the same volume, the package workflow reuses one shared point-in-time VSS snapshot so related artifacts stay aligned.
  • Parse Mode: use the Parse page to browse to a selected zip, detect supported artifact groups, choose which detected groups to run, watch live plan status and resource telemetry, and write parser results without blocking the UI.
  • Settings: persist theme, Elasticsearch destination defaults, and shared execution tuning for collection and parse worker limits. The Elasticsearch password remains session-local and is not persisted.
  • Failure handling: collection and parse failures surface through desktop error dialogs, and startup failures before Slint is ready fall back to a native Windows error dialog with the technical log path.
  • Runtime safety: VSS shadow copies created by Holo Forensics are tracked under ~/.holo-forensics/vss-shadow-copies.json. If the app starts and those tracked snapshots still exist, the desktop UI prompts to keep them for reuse or delete them before continuing. When Windows blocks live VSS revalidation for the current session, the recovery dialog falls back to the tracked snapshot metadata so analysts can still decide whether to keep or remove the old snapshots.

If you want advanced CLI workflows, release-build steps, or collector command details, use the wiki home technical reference.

Output Layout

Each run writes:

output/<collection-name>/
  extracted/
  results/
    <family>/
      *.jsonl
      *.log
  manifest.json

manifest.json records enabled parser families, bound collections, parser plans, outputs, logs, and per-plan status.
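Plain JSONL under results/<family>/ is what makes a parse run reviewable after the fact: two runs over the same archive should produce the same record set, and a handoff should not silently drop a malformed line. As an added example (not project code) of that review and reproducibility check, the script below loads every results/<family>/*.jsonl file from two runs, canonicalizes each record (sorted keys, compact separators) so that key order and whitespace do not register as differences, fingerprints the record set with SHA-256, and reports records present in only one run plus any malformed lines with file and line number. Only the results/<family>/*.jsonl layout is taken from the page; the sample records, their field names, and the run directory names are constructed for the illustration.

```python
"""Validate parser JSONL output and diff it across two runs.

Added example, not project code. Only the output layout shown above
(results/<family>/*.jsonl) is taken from the page; the sample records and
their field names are constructed for the illustration.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path


def canonical(record: dict) -> str:
    """One stable line per record: sorted keys, compact separators, raw UTF-8."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"), ensure_ascii=False)


def load_family(results_dir: Path, family: str) -> tuple[list[str], list[str]]:
    """Read every results/<family>/*.jsonl; return (canonical records, errors).
    Malformed lines are reported with file and line number, never dropped silently."""
    records, errors = [], []
    for path in sorted((results_dir / family).glob("*.jsonl")):
        with path.open(encoding="utf-8") as fh:
            for lineno, line in enumerate(fh, 1):
                line = line.strip()
                if not line:
                    continue
                try:
                    obj = json.loads(line)
                except json.JSONDecodeError as exc:
                    errors.append(f"{path.name}:{lineno}: {exc.msg}")
                    continue
                if not isinstance(obj, dict):
                    errors.append(f"{path.name}:{lineno}: record is not a JSON object")
                    continue
                records.append(canonical(obj))
    return records, errors


def fingerprint(records: list[str]) -> str:
    """Order-independent SHA-256 over the canonical record set."""
    h = hashlib.sha256()
    for rec in sorted(records):
        h.update(rec.encode("utf-8"))
        h.update(b"\n")
    return h.hexdigest()


def diff_runs(run_a: Path, run_b: Path, family: str) -> dict:
    """Compare one parser family between two runs' results/ directories."""
    a, a_err = load_family(run_a, family)
    b, b_err = load_family(run_b, family)
    errors = a_err + b_err
    return {
        "family": family,
        "identical": not errors and fingerprint(a) == fingerprint(b),
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "errors": errors,
    }


def write_sample_run(root: Path, family: str, records: list[dict],
                     raw_line: str | None = None) -> Path:
    """Write a constructed results/<family>/<family>.jsonl and return the results/ dir."""
    family_dir = root / "results" / family
    family_dir.mkdir(parents=True)
    lines = [json.dumps(r) for r in records]  # deliberately not canonical: key order as given
    if raw_line is not None:
        lines.append(raw_line)
    (family_dir / f"{family}.jsonl").write_text("\n".join(lines) + "\n", encoding="utf-8")
    return root / "results"


def demo() -> dict:
    """Three comparisons: a reproducible rerun, a run with one new record, a run with a broken line."""
    base = [  # constructed sample records; field names are illustrative only
        {"executable": "CMD.EXE", "run_count": 12, "last_run": "2024-05-01T10:00:00Z"},
        {"executable": "NOTEPAD.EXE", "run_count": 3, "last_run": "2024-04-28T08:15:00Z"},
    ]
    reordered = [dict(reversed(list(r.items()))) for r in base]  # same data, different key order
    extra = {"executable": "POWERSHELL.EXE", "run_count": 1, "last_run": "2024-05-02T11:30:00Z"}
    fam = "windows_prefetch"
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        run_a = write_sample_run(tmp / "run_a", fam, base)
        run_b = write_sample_run(tmp / "run_b", fam, reordered)
        run_c = write_sample_run(tmp / "run_c", fam, reordered + [extra])
        run_d = write_sample_run(tmp / "run_d", fam, reordered, raw_line='{"executable": "truncated')
        return {
            "rerun": diff_runs(run_a, run_b, fam),
            "new_record": diff_runs(run_a, run_c, fam),
            "malformed": diff_runs(run_a, run_d, fam),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "identical" if result["identical"] else "differs", result["errors"])
```

Canonicalizing before comparing is the point: a parser that emits the same records with a different key order is still reproducible, while a run containing a line that fails to parse is never reported as identical, even when every other record matches.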

Repository Layout

  • src/ -> active Rust CLI and runtime
  • src/collection_catalog.rs -> built-in collection catalog and parser-to-collection validation
  • src/collections/windows/ -> live Windows collector implementations for BITS, browser artifacts, Outlook stores with optional attachment-cache and new Outlook package-state raw preservation, EVTX, Jump Lists, LNK Files, Microsoft Protection Logs, PowerShell Activity, Prefetch, Recycle Bin, Scheduled Tasks, WMI Repository, registry, $MFT, $LogFile, INDX records, SRUM, and $UsnJrnl
  • src/parsers/windows/ -> native and vendored-Artemis-backed Windows parser implementations for browser history, EVTX, Prefetch, registry-derived artifacts, LNK files, Jump Lists, SRUM, Recycle Bin, Scheduled Tasks, WMI persistence, $MFT, USN journal, restore-point logs, XP recycle-bin INFO2, and Windows Timeline
  • third_party/artemis/ -> vendored Artemis v0.19.0 workspace maintained in-repo for Windows offline parsing fixes
  • src/parser_catalog.rs -> built-in parser family catalog
  • holoForensics.wiki/ -> parser and collection documentation

Documentation

License

Limitations

  • Windows-focused collection and parsing
  • Offline parsing only
  • Some UI collection surfaces are planned and not yet implemented
  • Parser and collector coverage is limited to the families listed above