Tools such as Windows Forensic Toolchest already automate a live Windows forensic investigation, but they are proprietary and must be purchased. The Livecap project, started by Francis Mensah, is an open source alternative for Windows live forensics. The tool was developed entirely as a contribution to anyone interested in the open source forensic community, and it is publicly hosted on Google Code (http://code.google.com/p/livecap-project/).
The Livecap project is a forensic framework intended to simplify the task of forensic live capture. It is designed to automate the live forensic investigation and provide a formatted HTML report of the findings.
All the user needs to do is specify the source of the tools to be run, plus a few configuration details, and Livecap does the rest. Livecap adheres to standard forensic practice: it does nothing that could tamper with the evidence on the victim workstation from which information is being captured. Using a client/server architecture, Livecap transfers all of its data from the victim workstation to the forensic workstation over a TCP/IP connection. Where that approach is not feasible, the tool also supports other storage destinations, including a mounted remote drive or attached USB storage. The recommended setup, however, is the client/server TCP/IP connection with the client run from a CD-ROM on the victim workstation, since this interferes least with the forensic evidence.
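As an added illustration of the client/server capture described above (example code, not Livecap's own), the Python sketch below runs both ends over loopback: the victim-side client streams each tool's output over TCP without writing to local disk, and the forensic workstation re-hashes every record on arrival so a report can show the capture was received intact. The wire format, the loopback addresses and the sample tool output are all constructed for this example.

```python
import hashlib, json, socket, struct, threading

# Constructed wire format per record: 4-byte big-endian header length, JSON header {"tool","size","sha256"}, then the raw output bytes.

def send_captures(host, port, captures):
    """Victim side: stream (tool_name, output_bytes) pairs; nothing touches local disk."""
    with socket.create_connection((host, port)) as sock:
        for tool, data in captures:
            hdr = json.dumps({"tool": tool, "size": len(data), "sha256": hashlib.sha256(data).hexdigest()}).encode()
            sock.sendall(struct.pack("!I", len(hdr)) + hdr + data)
    return len(captures)

def _recv_exact(sock, n):
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-record")
        buf += chunk
    return bytes(buf)

def receive_captures(server_sock):
    """Forensic side: accept one client, keep every record, re-hash it on arrival."""
    conn, _ = server_sock.accept()
    results = {}
    with conn:
        while True:
            first = conn.recv(4)
            if not first:          # clean end of stream: client closed after its last record
                break
            hdr_len = struct.unpack("!I", first + _recv_exact(conn, 4 - len(first)))[0]
            hdr = json.loads(_recv_exact(conn, hdr_len))
            data = _recv_exact(conn, hdr["size"])
            verified = hashlib.sha256(data).hexdigest() == hdr["sha256"]
            results[hdr["tool"]] = {"data": data, "verified": verified}
    return results

def run_demo():
    """Run both ends over loopback with constructed sample tool output (not real captures)."""
    captures = [("pslist", b"PID  NAME\n4    System\n512  lsass.exe\n"),
                ("netstat", b"TCP 10.0.0.5:445 10.0.0.9:50123 ESTABLISHED\n")]
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0)); srv.listen(1)
    port = srv.getsockname()[1]
    client = threading.Thread(target=send_captures, args=("127.0.0.1", port, captures))
    client.start()
    results = receive_captures(srv)
    client.join(); srv.close()
    return results
```

In a real deployment the server would also write each record and its digest to the case log before rendering the HTML report.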