🦉 Thanatology Part 1 - Introducing the Thanatology project
In digital forensics, tools are only as valuable as the investigator’s ability to understand and explain their output, especially when presenting evidence in court. Beyond simply extracting data, the methodology behind how artifacts are collected and interpreted plays a critical role in admissibility, reliability and credibility.
This blog post series introduces the Thanatology Project, an open-source, cross-platform digital forensics framework currently under development. Built on top of the Exhume ToolKit (a modular set of Rust-based forensic tools), Thanatology combines performance, transparency, and modern design via a Tauri-based desktop interface. Designed for law enforcement and digital forensic professionals, the project emphasizes not only artifact collection and presentation but will also try to provide help for interpretation.
For example, when analyzing EXTFS file systems, Thanatology will try to offer guidance on timestamp meanings and include complete extraction details suitable for annexing to formal reports.
The blog series will cover:
- An overview of the Thanatology project and its goals.
- A high-level introduction to the Exhume tool suite.
- Deep dives into each Exhume module and its specific forensic use case.
- Updates on the project development.
- Interesting research techniques we found during our journey.
While Thanatology is not intended to replace established tools, it will attempt to offer a modular and modern alternative, ideal for cross-verifying findings or integrating into custom workflows. This blog post series is mainly here to provide the community with updates, technical knowledge and any interesting subjects we found along the way.
Purpose and motivations
Having worked in the digital forensics field for a while now, I am amazed to witness many investigators using tools without being able to answer some critical questions in front of a court, thus sometimes making the whole work worthless. Here are some critical questions that could pop up during review:
- What is the artifact?
- Where did it come from?
- How was it acquired?
- How was it processed or analyzed?
- What does it mean?
- Can this be independently verified?
Although education, experience, and expertise are key to answering these questions, we felt that having more control and transparency in the tools we use is critical.
With the intention of better understanding what digital forensics tools are actually doing, I wanted to build my own tools from scratch. The trigger came during a criminology degree in 2024: I was introduced to, and dived deep into, the traditional medical forensics field and had the opportunity to witness how well the technical procedure is designed for the study of the dead and the living. This gave me the motivation to create the “Thanatology” project, named after this discipline [1], in an effort to create a framework that allows the digital investigation expert to be more rigorous by design.
What Is Thanatology?
In short, Thanatology is a modern and enhanced cross-platform digital forensics desktop application built using the power of the Tauri framework.
It is built on top of the Exhume tool suite (or toolkit). The Exhume tool suite is a set of command-line tools and libraries written in Rust from scratch to parse data from different digital sources and formats and extract artifacts. There is nothing new in this approach; The Sleuth Kit [2] is built around a similar philosophy.
The difference here is that I wanted to use the powerful capabilities of the Rust language to produce an alternative and perhaps more modern approach, offering as many digital forensics features as possible, such as disk image forensics, memory forensics, malware analysis and, in time, Artificial Intelligence features.
It also allows me to compare my results with well-established tools and challenge myself technically. During my journey I could already witness some inconsistencies in some well-known and widely used tools; these will be detailed in later blog posts. In short, rebuilding almost everything from scratch might sound time-consuming and not interesting, but it is worth it to learn new things and stimulate innovation.
Design and architecture
The Thanatology project is built around 2 major components:
- The Exhume Tool Suite
- The Tauri Framework

The Exhume Tool suite
The Exhume tool suite (named after the term "exhume" [3] in the discipline and the idea of bringing back from neglect or obscurity) is the foundation of the application. Any digital forensics examiner can use the Exhume tool suite from the command line to perform a digital forensics investigation. Exhume is a hybrid tool suite: each tool can be used as a command-line program or as a library, enabling any member of the community to write their own tools. Thanatology is just a desktop application using the Exhume tool suite as a library. We will take a deep dive into Exhume in the next blog post of this series.
The Tauri Framework
Digital Forensics is a cross-platform discipline!
Tauri is a modern framework for building cross-platform desktop applications using:
- A Frontend: Web technologies (React, Vue, Svelte, etc.)
- A Backend: Native Rust code
It allows developers to package their web-based UI as a lightweight, secure desktop application across Windows, Linux, and macOS. In our case, we chose the React MUI framework for the frontend.
Unlike Electron (which bundles Chromium), Tauri uses the system’s native webview (WebView2 on Windows, WKWebView on macOS, and WebKitGTK on Linux), making it much smaller and more secure.
There are many more advantages to using the Tauri framework; you can learn more here.
In the context of Thanatology, Tauri allows seamless reuse of the Exhume tool suite code in the desktop app. This ensures high performance, memory safety, and low-level control without sacrificing UX. We are using a local SQLite database for the first major release, but the goal is to have a hybrid approach where the user can choose between a local or remote database, enabling collaboration.
State of the art
Thanatology is in its development phase. It is evolving in parallel with the Exhume tool suite, Exhume being the library on which the project relies. We are starting with traditional disk forensics and have currently reached several milestones, described below.
Basic case & evidence management
In Thanatology, a case is a set of evidence. The investigator can create a case and add one or more pieces of evidence linked to the created case. The only type of evidence currently supported is “disk image”, which can be a logical or physical acquisition.


MBR & GPT Partition Discovery
Once the evidence is selected, the preprocessing of the evidence can begin. The preprocessing phase is meant for the investigator to choose what he wants to analyze. In disk forensics, for example, it is important that the investigator knows exactly what was discovered and that the action can be replicated with the Exhume toolkit command line. You can see below the difference between discovering partitions in the Exhume toolkit with the CLI and the output produced in the desktop application. This shows how interlinked the two are. Our philosophy is: “What you can see in the Desktop application can be recovered using the CLI”.


The investigator can choose which partitions he wishes to analyze. Thanatology is transparent and will inform the investigator if it is not capable of parsing some types of partitions. In the example below, we selected the Linux/GNU partition, which is recognized by Exhume; the swap partition, however, is not yet supported by any module, and this is indicated to the user. We plan to add the capability to choose which investigation modules to run in the processing phase, so the investigator can disable or enable some modules depending on the context.
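The discovery and support check described above, reduced to the classic MBR case, as an added example that is not Exhume or Thanatology code. The names `parse_mbr` and `describe`, the support map and the 512-byte sample sector are assumptions constructed for illustration; GPT disks are not handled.

```rust
// Added example, not Exhume's code. Classic MBR only (GPT is not covered).
#[derive(Debug, PartialEq)]
struct MbrPartition { index: usize, bootable: bool, type_id: u8, start_lba: u32, sectors: u32 }

/// Parse the four primary partition entries of a 512-byte MBR sector.
fn parse_mbr(sector: &[u8]) -> Result<Vec<MbrPartition>, String> {
    if sector.len() < 512 { return Err(format!("short read: {} bytes", sector.len())); }
    if sector[510] != 0x55 || sector[511] != 0xAA {
        return Err("missing 0x55AA boot signature".into());
    }
    let mut parts = Vec::new();
    for i in 0..4 {
        let e = &sector[446 + i * 16..446 + (i + 1) * 16]; // table starts at offset 446
        if e[4] == 0x00 { continue; } // type 0x00 marks an unused slot
        parts.push(MbrPartition {
            index: i,
            bootable: e[0] == 0x80,
            type_id: e[4],
            start_lba: u32::from_le_bytes([e[8], e[9], e[10], e[11]]),
            sectors: u32::from_le_bytes([e[12], e[13], e[14], e[15]]),
        });
    }
    Ok(parts)
}

/// Hypothetical support map: (label, whether a parsing module exists for it).
fn describe(type_id: u8) -> (&'static str, bool) {
    match type_id {
        0x83 => ("Linux", true),
        0x07 => ("NTFS/exFAT/HPFS", true),
        0x82 => ("Linux swap", false), // reported to the user instead of silently skipped
        _ => ("unknown", false),
    }
}

/// Constructed sample sector: bootable Linux partition at LBA 2048, swap right after it.
fn sample_mbr() -> Vec<u8> {
    let mut s = vec![0u8; 512];
    s[446..462].copy_from_slice(&[0x80, 0, 0, 0, 0x83, 0, 0, 0, 0x00, 0x08, 0, 0, 0, 0, 0x10, 0]);
    s[462..478].copy_from_slice(&[0, 0, 0, 0, 0x82, 0, 0, 0, 0x00, 0x08, 0x10, 0, 0, 0, 0x04, 0]);
    s[510..512].copy_from_slice(&[0x55, 0xAA]);
    s
}

fn main() {
    for p in parse_mbr(&sample_mbr()).unwrap() {
        println!("{:?} -> {:?}", p, describe(p.type_id));
    }
}
```

Reporting every entry with an explicit supported flag, rather than dropping what cannot be parsed, is what lets an examiner state in a report exactly which regions of the disk were and were not analyzed.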

Basic ExtFS and NTFS file indexing
The next step after the preprocessing phase is the processing phase. This is where the investigator starts the processing of the evidence. We built a basic file discovery module to index each file inside the local database. We have implemented a filesystem normalization system in Exhume, and this system is inherited by Thanatology. The advantage is that we can build the Exhume tool suite with the Thanatology application in mind to guide us.

Investigating the evidence
When the processing is done, the last stage is to review the results to perform our digital investigation. The current design is only for demonstration purposes and will evolve over time, but here is a sneak peek at the features we would like to provide for the first release:
- Artifact category navigation: Preselect some known artifacts based on the digital forensics community.
- Simple and deep file introspection: We are developing our own “Advanced File Viewer” to introspect files in real time.
- Agnostic shell integration: Many investigators like to use the command line to run their own tools, or the Exhume toolkit as a command line, on the evidence they are investigating. We are integrating the capability to pop shells in Thanatology like you would in Visual Studio Code, for example.
- Whiteboard: The investigator can keep track of the story he is building around the case using the Whiteboard, which is based on Excalidraw.


Conclusion
This blog post presented a high-level vision of the project. In future blog posts of the series, we will dive deep into the Exhume Tool Suite, exploring the most important existing modules and how to use them. Many blog posts will follow to give updates on the state of Thanatology's development. We have many ideas, but this is a side project, so if you want to get involved in this project, we have created a Discord Community Server that you can join using the following link.