🦉 Thanatology
Thanatology is a cross-platform digital forensics desktop application built with Tauri, powered by the Exhume toolkit, and designed to bring the full investigation workflow into a single interface.
It is aimed at investigators who need to move from case intake to evidence processing, filesystem exploration, artifact extraction, timeline analysis, memory operations, and eventually report-oriented analysis without jumping between disconnected tools.

Case-centric workflow
Organize investigations around cases, collaborators and evidence sets instead of isolated scripts and one-off exports.
Exhume-native processing and integration
Reuses Exhume modules for disk containers, partition layouts, filesystems, indexing and artifact extraction.
Modern analyst UI
Smooth and modern React and MUI front-end with integrated viewers, investigative tabs, progress tracking and room for rich visual workflows.
Architecture at a glance
Each evidence source is progressively transformed from a raw source into a structured, local and portable investigation dataset. That means the UI is not just calling parsers directly: it is orchestrating a pipeline where discovery, indexing, artifact extraction and viewer-specific analysis can all build on the same evidence context.
Built around the investigation lifecycle
Thanatology is structured around a main end-to-end workflow:
- Create a case and attach one or many evidence sources.
- Pre-process evidence by identifying image formats, discovering partitions and selecting the relevant scope.
- Process the evidence with filesystem-aware indexing and artifact extraction.
- Investigate the result through specialized tabs such as Files, System, Users, Network, Multimedia, Applications and Timeline.
- Drill into content with raw, hexadecimal, SQLite, PE and event-oriented viewers.
- Extend the investigation with memory modules and AI-assisted analysis.
This workflow is still pretty basic for a first release but will evolve over time.
Core capabilities & Progress
Case and evidence management
Thanatology starts with the operational layer investigators need first: cases, metadata, and evidence registration. The application currently models different evidence types, including disk images, folder/logical sources, and memory analysis.

Pre-processing and evidence scoping
Before deep analysis starts, the application helps the analyst understand the evidence structure:
- disk image format detection
- partition discovery
- partition selection for physical analysis
- support for logical and physical acquisition workflows
- preparation steps for encrypted volumes such as BitLocker key material input

Filesystem processing and artifact extraction
The processing pipeline is designed around the Exhume modules API and evidence-specific SQLite stores. The current workflow includes:
- NTFS, ExFAT, APFS and ExtFS support
- indexing content into queryable local databases
- identifying file types and artifacts
- extracting structured artifact objects for later investigation views
Investigation workspace
Once an evidence source is processed, the main workspace exposes a partition-scoped investigation interface with dedicated tabs for:
- Summary
- Files
- System
- Network
- Users
- Multimedia
- Applications
- Timeline
- AI Triage Report
Investigation views
The interface already exposes category-oriented navigation so an analyst can jump between filesystem, system and timeline contexts without rebuilding the same search again and again.

Integrated content viewers
Thanatology already includes a multi-mode file viewer capable of pivoting between raw, hexadecimal and structured views (PEFile, EVTX, ...).

Memory analysis direction
Thanatology is also expanding beyond post-mortem disk analysis. We are integrating a LeechCore DMA Workspace connected with the Exhume Memory module. This currently includes:
- DMA connector discovery
- Process listing
- Module listing
- BitLocker key recovery from memory
- Physical memory dumping with progress feedback

AI-assisted analysis
Exhume will eventually propose its own agent, which is still in an early development phase. The architecture will include agent and specialist modules intended to support investigation workflows with AI. The direction is not generic chatbot UX, but evidence-aware assistance that can enrich the investigative process with:
- text analysis
- image analysis
- audio analysis
- artifact-oriented AI output stored back into the evidence database
- agent-assisted search and investigation pivots
Positioning
Thanatology is still in active development, but the direction is already clear: build a desktop environment where a forensic examiner can stay inside one product for the majority of the investigation.
That positioning matters because most labs still stitch together a chain of separate tools for case management, parsing, timeline work, memory analysis and ad hoc artifact review. Thanatology is trying to collapse that fragmentation into a single analyst workspace.
Would you like to be involved? Join the Discord!