Chimera is a modular, agent-less forensic triage framework designed for Incident Response (IR) teams. It bridges the gap between fast "Live Response" and deep-dive forensics by orchestrating industry-standard tools (EZTools, AVML, Hindsight) via PowerShell and SSH.
Note: This tool is designed for authorised forensic acquisition only.
Chimera is part of the RootGuard ecosystem. For detailed usage instructions, forensic methodology, and artifact analysis guides, visit our official documentation:
👉 RootGuard Official Docs (GitBook)
- Shadow Copy (VSS) Access: Bypasses file locks to parse Registry, Event Logs, and filesystem artifacts.
- Eric Zimmerman Integration: Native support for EZTools (Amcache, Shimcache, Registry) outputting directly to CSV.
- Browser Forensics: Automated history/profile parsing for Chrome, Edge, and Brave using Hindsight.
- Zero-Footprint Triage: Pushes a static payload via SSH, executes via RAM/Tmp, and cleans up traces automatically.
- "The Goat" Engine: A hybrid collection script combining methodologies for deep artifact hunting (Web Shells, Rootkits, User History, Docker, Databases).
- Memory Acquisition: Streamlined RAM capture using Microsoft's AVML with on-the-fly compression to minimize transfer time.
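The "Shadow Copy (VSS) Access" and "Eric Zimmerman Integration" features above describe one technique: snapshot the volume, copy locked hives and logs out of the snapshot, then hand them to an EZTool that writes CSV. The function below is an added example of that technique written for this page; it is not Chimera's own code and does not use its module names. It assumes an elevated PowerShell session, placeholder paths for the evidence folder and for `AmcacheParser.exe` (its `-f` and `--csv` switches are the tool's documented ones), and a fixed list of artifacts chosen for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example, not Chimera's own code: create a VSS snapshot, copy locked
# artifacts out of it, hash them, parse Amcache to CSV, and tear the snapshot down.
# The output and tool paths below are placeholders, not project defaults.

function Invoke-VssArtifactCopy {
    [CmdletBinding()]
    param(
        [string] $Volume        = 'C:\',
        [string] $Evidence      = 'C:\Evidence\VSS',                    # placeholder
        [string] $AmcacheParser = 'C:\Tools\EZTools\AmcacheParser.exe'  # placeholder
    )

    # Files the OS keeps open while running; a plain Copy-Item on the live
    # volume fails with a sharing violation, the snapshot does not.
    $artifacts = @(
        'Windows\System32\config\SYSTEM',
        'Windows\System32\config\SOFTWARE',
        'Windows\AppCompat\Programs\Amcache.hve',
        'Windows\System32\winevt\Logs\Security.evtx'
    )

    New-Item -ItemType Directory -Force -Path $Evidence | Out-Null

    # 1. Create a client-accessible shadow copy of the volume.
    $r = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
             -Arguments @{ Volume = $Volume; Context = 'ClientAccessible' }
    if ($r.ReturnValue -ne 0) { throw "VSS create failed with code $($r.ReturnValue)" }
    $shadow = Get-CimInstance Win32_ShadowCopy | Where-Object ID -eq $r.ShadowID

    # 2. Expose the snapshot as a directory link. The trailing backslash on the
    #    device path is required or mklink creates a dangling link.
    $link = Join-Path $env:TEMP "vss_$($r.ShadowID -replace '[{}]', '')"
    cmd.exe /c mklink /d "$link" "$($shadow.DeviceObject)\" | Out-Null

    $manifest = @()
    try {
        foreach ($rel in $artifacts) {
            $src = Join-Path $link $rel
            if (-not (Test-Path -LiteralPath $src)) { continue }
            $dst = Join-Path $Evidence ($rel -replace '\\', '_')
            # 3. Copy from the frozen snapshot: no lock, and the file cannot change under us.
            Copy-Item -LiteralPath $src -Destination $dst -Force
            $manifest += [pscustomobject]@{
                Artifact = $rel
                SHA256   = (Get-FileHash -Algorithm SHA256 -LiteralPath $dst).Hash
                Snapshot = $shadow.InstallDate
            }
        }
        # 4. Parse Amcache straight to CSV with the EZTool (path is a placeholder).
        $hve = Join-Path $Evidence 'Windows_AppCompat_Programs_Amcache.hve'
        if ((Test-Path -LiteralPath $AmcacheParser) -and (Test-Path -LiteralPath $hve)) {
            & $AmcacheParser -f $hve --csv $Evidence | Out-Null
        }
    }
    finally {
        # 5. Tear down the link and the snapshot so nothing lingers on the host.
        cmd.exe /c rmdir "$link" | Out-Null
        Remove-CimInstance -InputObject $shadow
    }

    $manifest | Export-Csv -NoTypeInformation -Path (Join-Path $Evidence 'manifest.csv')
    return $manifest
}

Invoke-VssArtifactCopy
```

The manifest with per-file SHA256 and the snapshot timestamp is what makes the copy defensible later: the hashes are taken on the evidence copy, and the timestamp records which point-in-time state of the volume the hives came from.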
Beyond this tool, RootGuard provides a comprehensive learning hub for Digital Forensics and Incident Response. Visit the site to explore topics including:
- Linux Forensics: Deep dives into /proc analysis, inode anomaly detection, and persistence hunting.
- Windows Artifacts: Understanding ShimCache, Amcache, and SRUM for evidence of execution.
- Memory Forensics: Methodologies for acquiring and analysing volatile memory.
- Incident Response Playbooks: Structured workflows for handling Ransomware, BEC, and Web Shell incidents.
Chimera requires external third-party tools (EZTools, AVML, Hindsight) to function. These are not included in the repo to ensure you always use the latest verifiable binaries.
👉 Read the Full Installation Guide
- Open PowerShell as Administrator.
- Unblock the scripts (first time only; files downloaded from the internet carry a Zone.Identifier mark that blocks execution):
```powershell
Get-ChildItem -Recurse | Unblock-File
```
- Initialize Chimera (this creates the Tools folder and its support subfolders):
```powershell
.\Initialize-Chimera.ps1
```
- Download the tool dependencies (EZTools, AVML, Hindsight) and place each binary in its folder/subfolder under Tools.
- Run the launcher:
```powershell
.\Chimera.ps1
```
- Collect Windows artifacts by selecting the appropriate option from the Chimera menu.
| Module | OS | Description |
|---|---|---|
| Invoke-WinArtifacts | Windows | VSS-based artifact collection (Registry, Event Logs, ShimCache). |
| Invoke-BrowserArtifacts | Windows | Multi-browser history and download parsing. |
| Invoke-LinuxLiveResponse | Linux | Hybrid forensic triage (System, Network, Persistence, Web Shells). |
| Invoke-LinuxMemCapture | Linux | Remote RAM acquisition using AVML + Gzip streaming. |
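The Invoke-LinuxMemCapture row above and the "Zero-Footprint Triage" and "Memory Acquisition" features describe one acquisition pattern: push a static AVML binary over SSH into RAM-backed storage, stream the image back gzip-compressed so nothing is written to the target's disk, and remove the payload afterwards. The function below is an added example of that pattern written for this page; it is not Chimera's own code and its name, parameters and output layout are illustrative. It assumes OpenSSH `ssh`/`scp` on the analyst host, key-based login with passwordless `sudo` for the IR account, a static `avml` binary at `$AvmlPath`, and that `avml` accepts `/dev/stdout` as its output path (if your build does not, point it at a scratch disk instead).

```powershell
# Added example, not Chimera's own code: AVML over SSH with gzip streaming.
# Assumptions (not from the project): OpenSSH client on this host, key-based
# login, passwordless sudo on the target, and avml writing to /dev/stdout.

function Invoke-RemoteMemCapture {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Target,     # user@host
        [Parameter(Mandatory)] [string] $AvmlPath,   # local static avml binary
        [Parameter(Mandatory)] [string] $OutDir,     # local evidence directory
        [string] $RemoteDir = '/dev/shm'             # tmpfs: nothing touches the target's disk
    )

    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    $stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
    $hostName  = $Target.Split('@')[-1]
    $outFile   = Join-Path $OutDir "$hostName-$stamp.lime.gz"
    $remoteBin = "$RemoteDir/.avml-$stamp"

    # Record which binary ran before it touches the target.
    $toolHash = (Get-FileHash -Algorithm SHA256 -LiteralPath $AvmlPath).Hash

    # 1. Push the static payload into tmpfs.
    & scp -q $AvmlPath "${Target}:$remoteBin"
    if ($LASTEXITCODE -ne 0) { throw "scp to $Target failed ($LASTEXITCODE)" }

    # 2. Capture. avml writes LiME to stdout, gzip compresses inside the pipe and
    #    ssh carries the stream home. The binary is removed whether or not avml
    #    succeeds. `$? here is gzip's status; an avml failure is caught below by
    #    the size check, because gzip then emits an almost-empty stream.
    $remote = "chmod 700 $remoteBin; sudo -n $remoteBin /dev/stdout | gzip -1 -c; " +
              "rc=`$?; rm -f $remoteBin; exit `$rc"

    # Read ssh's stdout as raw bytes. Piping a native command inside PowerShell
    # would decode the image as text and corrupt it, so use the .NET process API.
    $psi = [System.Diagnostics.ProcessStartInfo]::new('ssh')
    $psi.Arguments              = "$Target ""$remote"""
    $psi.UseShellExecute        = $false
    $psi.RedirectStandardOutput = $true
    $p  = [System.Diagnostics.Process]::Start($psi)
    $fs = [System.IO.File]::Create($outFile)
    try   { $p.StandardOutput.BaseStream.CopyTo($fs) }
    finally { $fs.Dispose(); $p.WaitForExit() }
    if ($p.ExitCode -ne 0) { throw "remote capture on $Target failed ($($p.ExitCode))" }

    # 3. Sanity check and chain-of-custody record.
    $len = (Get-Item -LiteralPath $outFile).Length
    if ($len -lt 1MB) { throw "image is only $len bytes; check sudo -n and avml stderr" }
    $record = [pscustomobject]@{
        Target      = $Target
        Image       = $outFile
        ImageSHA256 = (Get-FileHash -Algorithm SHA256 -LiteralPath $outFile).Hash
        ToolSHA256  = $toolHash
        Captured    = $stamp
    }
    $record | Export-Csv -NoTypeInformation -Append -Path (Join-Path $OutDir 'acquisition-log.csv')
    return $record
}

# Usage (paths are placeholders):
# Invoke-RemoteMemCapture -Target ir@web01 -AvmlPath C:\Tools\avml -OutDir D:\Case42\mem
```

Two caveats a responder should keep in mind. "Zero-footprint" is about the target's disk: the SSH login itself is still recorded in the target's auth log and journal, and the capture process occupies memory while it runs, so acquire memory before the other triage steps. And the remote command relies on `sudo -n` so that a missing sudo rule fails immediately instead of hanging on a password prompt behind the pipe.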
This software is provided "as is", without warranty of any kind. The author is not responsible for any damage or legal issues caused by the use of this tool. Always ensure you have proper authorization before running forensic acquisition tools on any network or endpoint.
Project maintained by RootGuard