CU

cuhsat/ffind

Find forensic artifacts in mount points or the live system. Part of the Forensic Artifacts Collecting Toolkit.

artifacts dfir fact ffind forensic forensic-tool forensic-tools go pipeline windows

ffind

Find forensic artifacts in mount points or the live system.

go install github.com/cuhsat/ffind@latest

Usage

$ ffind [-rcsuqhv] [-H CRC32|MD5|SHA1|SHA256] [-C CSV] [-Z ZIP] [MOUNT ...]

Available options:

-H Hash algorithm
-C CSV listing name
-Z Zip archive name
-r Relative paths
-c Volume shadow copy
-s System artifacts only
-u User artifacts only
-q Quiet mode
-h Show usage
-v Show version

Aritfacts

Supported artifacts for Windows 7+ systems:

License

Released under the MIT License.

On this page

Languages

Go100.0%

Contributors

Latest Release

v0.5.3August 19, 2025

MIT License

Created July 27, 2025

Updated August 27, 2025