Daniel Beglaryan

FROSTVEIL

by FrostNode


Advanced browser forensics toolkit — extract, decrypt, analyze.

Zero dependencies

Capabilities

What Frostveil extracts, decrypts, and analyzes

Artifact Extraction

History, cookies, bookmarks, downloads, searches, sessions, extensions, autofill, LocalStorage/IndexedDB from 9+ browsers.

Credential Decryption

DPAPI (Windows), Keychain (macOS), PBKDF2-derived key (Linux), offline DPAPI decryption with a known user password, pure-Python AES-256-GCM.

Deleted Record Recovery

WAL file carving, freelist page recovery, journal analysis, ghost visit detection via favicon forensics.

Threat Intelligence

DGA domain detection, homoglyph/typosquatting analysis, IOC scanning, behavioral anomaly detection, data exfiltration heuristics.
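The DGA and homoglyph checks above can be reduced to a few measurable signals per hostname: symbol entropy, vowel and digit ratios and label length for algorithmically generated names, and a confusables fold that maps look-alike characters back to the Latin letters they imitate and compares the result against a brand watchlist. The script below is an added example, not Frostveil's own code; the thresholds, the confusables table, the watchlist and the sample hostnames are assumptions chosen for illustration.

```python
"""Heuristic DGA and homoglyph/typosquat checks over hostnames pulled from
browser history. Added example, not Frostveil's own code: the thresholds,
the confusables table, the brand watchlist and the sample hostnames are
assumptions chosen for illustration."""
import math
import unicodedata
from collections import Counter

# Constructed sample of hostnames, as a history extractor might hand them over.
SAMPLE_HOSTS = [
    "github.com",
    "mail.google.com",
    "xk3qz9mdvp7lrtw2.com",   # long, vowel-poor, digit-heavy label: DGA-like
    "\u0430pple.com",          # Cyrillic small a (U+0430) in place of Latin a
    "paypa1.com",              # digit 1 standing in for the letter l
    "g00gle.com",              # zeros standing in for the letter o
]

# Brands to protect; an operator would load this from config (assumption).
WATCHLIST = {"apple", "paypal", "google", "github"}

# Tiny confusables map, a subset of the idea behind Unicode TR39 skeletons.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m",
}


def shannon_entropy(s: str) -> float:
    """Bits per character over the label's own symbol distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(host: str) -> str:
    """Second-level label ('google' for 'mail.google.com'); naive about
    multi-part public suffixes such as co.uk."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(host: str) -> float:
    """0.0 to 1.0: additive evidence that the label was machine-generated."""
    label = registrable_label(host)
    if len(label) < 8:
        return 0.0
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    score = 0.0
    if shannon_entropy(label) > 3.2:
        score += 0.4
    if vowel_ratio < 0.2:
        score += 0.3
    if digit_ratio > 0.15:
        score += 0.2
    if len(label) >= 14:
        score += 0.1
    return round(score, 2)


def skeleton(label: str) -> str:
    """Fold look-alike characters to the Latin letters they imitate."""
    out = unicodedata.normalize("NFKC", label)
    for src, dst in CONFUSABLES.items():
        out = out.replace(src, dst)
    return out


def homoglyph_target(host: str):
    """Return the watchlisted brand a label imitates, or None."""
    label = registrable_label(host)
    folded = skeleton(label)
    return folded if folded != label and folded in WATCHLIST else None


def analyze(hosts):
    """Findings as (host, kind, detail) tuples, ready for an IOC report."""
    findings = []
    for host in hosts:
        score = dga_score(host)
        if score >= 0.5:
            findings.append((host, "dga", score))
        brand = homoglyph_target(host)
        if brand:
            findings.append((host, "homoglyph", brand))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_HOSTS):
        print(finding)
```

The entropy gate alone would flag long legitimate CDN hostnames, which is why the score is additive and the label is first stripped to its registrable part; a production check would also consult a public-suffix list and a fuller confusables table.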

PII & Secret Scanning

Credit cards (Luhn validated), API keys (AWS, GitHub, Stripe, Slack), JWTs, private keys, cryptocurrency addresses, 30+ patterns.
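Luhn validation is what separates a payment card from a phone number or order ID that happens to be 13 to 19 digits long, and a scanner should mask every hit before it reaches a report. The following is an added example, not Frostveil's own code: the regexes, the masking policy and the sample records are assumptions, and the AWS key value is the documentation example key rather than a real credential.

```python
"""Scan extracted browser values (autofill, LocalStorage, cookies) for payment
cards and secrets, keeping only Luhn-valid card candidates and masking every
hit before it reaches a report. Added example, not Frostveil's own code: the
regexes, the masking policy and the sample records are assumptions."""
import re

# Constructed sample records shaped like an extractor's output.
SAMPLE_RECORDS = [
    {"source": "autofill", "key": "cc-number", "value": "4111 1111 1111 1111"},
    {"source": "autofill", "key": "phone", "value": "4111 1111 1111 1112"},  # fails Luhn
    {"source": "localstorage", "key": "aws", "value": "AKIAIOSFODNN7EXAMPLE"},  # AWS docs example key
    {"source": "localstorage", "key": "gh", "value": "ghp_" + "A" * 36},
    {"source": "cookie", "key": "session", "value": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.sig"},
    {"source": "localstorage", "key": "pem", "value": "-----BEGIN RSA PRIVATE KEY-----\nMIIE..."},
]

# Card candidates are only reported after a Luhn check, so phone numbers
# and random digit runs drop out instead of becoming false positives.
PATTERNS = {
    "aws_access_key": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
    "card_candidate": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, subtract 9
    from doubled values above 9, and require the total to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(secret: str, keep: int = 4) -> str:
    """Keep only the last few characters so a report cannot leak the value."""
    return "*" * max(0, len(secret) - keep) + secret[-keep:]


def scan_record(rec: dict) -> list:
    hits = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(rec["value"]):
            found, label = m.group(0), kind
            if kind == "card_candidate":
                digits = re.sub(r"[ -]", "", found)
                if not luhn_ok(digits):
                    continue
                found, label = digits, "payment_card"
            # The PEM header is not itself secret, so it can be shown verbatim.
            shown = found if label == "private_key" else mask(found)
            hits.append({"type": label, "source": rec["source"],
                         "key": rec["key"], "match": shown})
    return hits


def scan_all(records: list) -> list:
    return [hit for rec in records for hit in scan_record(rec)]


if __name__ == "__main__":
    for hit in scan_all(SAMPLE_RECORDS):
        print(hit)
```

The "phone" record is the point of the Luhn step: it shares the first fifteen digits with the test card but fails the checksum, so it never enters the report.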

Cloud Account Enumeration

70+ service detection rules across Google, Microsoft, AWS, GitHub, Slack, Discord, Stripe, PayPal, OpenAI, and more.

Session Hijack Analysis

Cookie security auditing (Secure/HttpOnly/SameSite), JWT decoding, risk scoring, curl replay command generation.
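A session-bearing cookie that lacks Secure, HttpOnly or a SameSite policy is the one an attacker replays, so the audit should weigh flag gaps by whether the cookie name looks like a session carrier, decode any JWT value without verifying it, and produce the replay command directly from the applicable cookies. The script below is an added example, not Frostveil's own code. Its in-memory SQLite table mimics the column names of Chromium's cookie store (host_key, name, value, path, is_secure, is_httponly, samesite, with samesite encoded as -1/0/1/2); the rows, the name heuristics and the scoring weights are assumptions.

```python
"""Audit cookies from a Chromium-style 'cookies' table for the Secure,
HttpOnly and SameSite attributes, score how hijackable each session-bearing
cookie is, decode any JWT value, and build a curl replay command. Added
example, not Frostveil's own code; the sample table, name heuristics and
scoring weights are assumptions."""
import base64
import json
import shlex
import sqlite3

SAMESITE = {-1: "unspecified", 0: "none", 1: "lax", 2: "strict"}  # Chromium's encoding
SESSION_HINTS = ("session", "sid", "token", "auth")


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed, unsigned JWT used as one sample cookie value.
SAMPLE_JWT = ".".join([
    b64url(b'{"alg":"HS256","typ":"JWT"}'),
    b64url(b'{"sub":"alice","exp":1700000000}'),
    "sig",
])


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample: 'value' holds what would normally come out of
    decrypting encrypted_value."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE cookies (host_key TEXT, name TEXT, value TEXT,
                   path TEXT, is_secure INTEGER, is_httponly INTEGER, samesite INTEGER)""")
    con.executemany("INSERT INTO cookies VALUES (?, ?, ?, ?, ?, ?, ?)", [
        (".example.com",    "sessionid",  "s3cr3t-session-token", "/", 0, 0, -1),
        (".example.com",    "csrftoken",  "abc123",               "/", 1, 0, 1),
        ("app.corp.local",  "auth_token", SAMPLE_JWT,             "/", 1, 1, 2),
        ("www.example.com", "_ga",        "GA1.2.1",              "/", 0, 0, 0),
    ])
    return con


def jwt_claims(token: str):
    """Decode the payload of a compact JWT without verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        payload = parts[1] + "=" * (-len(parts[1]) % 4)
        return json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None


def audit(con) -> list:
    """One finding per cookie: issues, numeric risk and a rating band."""
    findings = []
    rows = con.execute("SELECT host_key, name, value, path, is_secure, is_httponly, samesite FROM cookies")
    for host, name, value, path, secure, httponly, samesite in rows:
        session_like = any(h in name.lower() for h in SESSION_HINTS)
        divisor = 1 if session_like else 2      # flag gaps matter less on analytics cookies
        issues, risk = [], 40 if session_like else 0
        if not secure:
            issues.append("missing Secure"); risk += 20 // divisor
        if not httponly:
            issues.append("missing HttpOnly"); risk += 20 // divisor
        if samesite in (-1, 0):
            issues.append("SameSite=" + SAMESITE[samesite]); risk += 10 // divisor
        rating = "critical" if risk >= 80 else "high" if risk >= 50 else "medium" if risk >= 30 else "low"
        findings.append({"host": host, "name": name, "value": value, "path": path,
                         "issues": issues, "risk": risk, "rating": rating,
                         "jwt": jwt_claims(value)})
    return findings


def cookie_applies(cookie_host: str, request_host: str) -> bool:
    """Domain cookies (leading dot) match the domain and its subdomains;
    host-only cookies match the host exactly."""
    bare = cookie_host.lstrip(".")
    if cookie_host.startswith("."):
        return request_host == bare or request_host.endswith("." + bare)
    return request_host == bare


def curl_replay(findings: list, request_host: str) -> str:
    """Replay command presenting every cookie that applies to the target host."""
    jar = "; ".join(f"{f['name']}={f['value']}" for f in findings
                    if cookie_applies(f["host"], request_host))
    return f"curl -s -H {shlex.quote('Cookie: ' + jar)} https://{request_host}/"


if __name__ == "__main__":
    results = audit(build_sample_db())
    for f in results:
        print(f["rating"].upper(), f["host"], f["name"], f["issues"], f["jwt"])
    print(curl_replay(results, "www.example.com"))
```

Path and expiry are deliberately left out of the applicability check to keep the example short; a replay generator for real evidence should honour both, and the decoded exp claim is the first thing to read before deciding whether a captured token is still live.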

Browser Fingerprinting

Reconstructs User-Agent, extensions, language, timezone, screen, WebGL, fonts, hardware info from preferences.

Password Audit

Entropy scoring, keyboard walk detection, pattern analysis, common password matching, reuse matrix.
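Brute-force entropy on its own overrates passwords that humans choose, so a useful audit pairs it with pattern checks (keyboard walks along a row, common passwords after undoing leet substitutions and numeric suffixes) and reports password reuse by fingerprint so that the report never contains the password itself. The following is an added example, not Frostveil's own code: the keyboard rows, the common-password list, the thresholds and the sample credentials are assumptions.

```python
"""Password audit over decrypted credentials: entropy estimate, keyboard-walk
detection, common-password matching after leet/suffix normalization, and a
reuse matrix keyed by password fingerprint. Added example, not Frostveil's own
code: rows, wordlist, thresholds and sample credentials are assumptions."""
import hashlib
import math
from collections import defaultdict

KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
COMMON = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})

# Constructed sample; 'password' is the already-decrypted value.
SAMPLE_CREDS = [
    {"domain": "github.com",      "username": "alice",      "password": "Tr0ub4dor&3xample!"},
    {"domain": "aws.amazon.com",  "username": "admin@corp", "password": "qwerty123"},
    {"domain": "mail.google.com", "username": "alice",      "password": "Tr0ub4dor&3xample!"},
    {"domain": "slack.com",       "username": "alice",      "password": "P@ssw0rd"},
    {"domain": "vpn.corp.local",  "username": "alice",      "password": "Summer2024"},
]


def charset_size(pw: str) -> int:
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(not c.isalnum() for c in pw): size += 33
    return size


def entropy_bits(pw: str) -> float:
    """Brute-force entropy, length * log2(alphabet): an upper bound. The
    pattern checks below are what catch human-predictable choices."""
    return round(len(pw) * math.log2(charset_size(pw)), 1) if pw else 0.0


def longest_keyboard_walk(pw: str) -> int:
    """Longest run (>= 3 keys) that is a contiguous slice of one keyboard row,
    read in either direction."""
    s, best = pw.lower(), 0
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(s)):
                for j in range(i + 3, len(s) + 1):
                    if s[i:j] in seq:
                        best = max(best, j - i)
    return best


def normalize(pw: str) -> str:
    """Lowercase, drop a trailing digit suffix, then undo common leet substitutions."""
    return pw.lower().rstrip("0123456789").translate(LEET)


def audit_password(pw: str) -> dict:
    issues = []
    walk = longest_keyboard_walk(pw)
    if walk >= 4:
        issues.append(f"keyboard walk of {walk} keys")
    if pw.lower() in COMMON or normalize(pw) in COMMON:
        issues.append("common password after normalization")
    if len(pw) < 10:
        issues.append("shorter than 10 characters")
    bits = entropy_bits(pw)
    strength = "weak" if issues or bits < 40 else "medium" if bits < 60 else "strong"
    return {"entropy_bits": bits, "issues": issues, "strength": strength}


def reuse_matrix(creds: list) -> list:
    """Group domains that share one password; report a fingerprint, never the password."""
    groups = defaultdict(list)
    for c in creds:
        groups[c["password"]].append(c["domain"])
    return [{"fingerprint": hashlib.sha256(pw.encode()).hexdigest()[:12], "domains": doms}
            for pw, doms in groups.items() if len(doms) > 1]


if __name__ == "__main__":
    for c in SAMPLE_CREDS:
        print(c["domain"], c["username"], audit_password(c["password"]))
    print(reuse_matrix(SAMPLE_CREDS))
```

Note how "P@ssw0rd" scores over 50 bits of brute-force entropy and is still reported weak, because normalization reduces it to a wordlist entry; that gap between entropy and guessability is the reason the audit carries both checks.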

Windows Artifact Parsing

Prefetch files, Jump Lists, LNK shortcuts, Recycle Bin metadata.

OPSEC Mode

Stealth process masking, AES-256-GCM encrypted output bundles, execution trace cleanup.

Forensic Export

STIX 2.1, bodyfile (Sleuthkit), CASE/UCO ontology, Elasticsearch bulk, PDF reports, HTML reports.

Use Cases

Real-world scenarios where Frostveil accelerates your investigation

Incident Response

Rapidly triage compromised endpoints — extract credentials, session tokens, and browsing history to map attacker activity across all installed browsers.

$ python main.py --full --format json --out ir_evidence.json
Tags: DFIR, Triage, All Browsers

Insider Threat Investigation

Detect data exfiltration patterns, cloud account usage, and anomalous browsing behavior. Recover deleted history and identify unauthorized service access.

$ python main.py --full --ioc --cloud --deleted --format json
Tags: Behavioral, Cloud Enum, Deleted Recovery

Password Audit

Evaluate credential hygiene across the organization — identify weak passwords, reuse patterns, keyboard walks, and credentials matching known breach databases.

$ python main.py --credentials --password-audit --format csv
Tags: Compliance, Entropy Analysis, Reuse Matrix

Threat Hunting

Scan browser artifacts for IOCs — DGA domains, homoglyph phishing URLs, suspicious extensions, and data exfiltration heuristics across all user profiles.

$ python main.py --full --ioc --threat-intel --stix
Tags: IOC Scanning, DGA Detection, STIX Export

PII & Secret Discovery

Locate exposed credentials, API keys, credit card numbers, and private keys stored in browser data — autofill, LocalStorage, cookies, and form history.

$ python main.py --full --pii --secrets --format json
Tags: 30+ Patterns, Luhn Validation, API Keys

Compliance & Forensic Reporting

Generate court-ready evidence packages with manifest signing, chain-of-custody metadata, and export to STIX 2.1, CASE/UCO, or PDF report formats.

$ python main.py --full --format json --report pdf --sign
Tags: STIX 2.1, CASE/UCO, PDF Reports

Interactive Dashboard

26 analysis views — explore artifacts in real time

Dashboard mockup (served on 127.0.0.1:8080): summary cards for Total Artifacts, Credentials, IOC Matches, Browsers and a Threat Risk Score out of 100 with a CRITICAL band; an Artifact Breakdown panel (History, Cookies, Credentials, Downloads, Bookmarks); and a Recent Credentials table with columns Domain, Username, Password (masked), Strength, Browser.

Supported Browsers

Cross-browser artifact extraction across all major platforms

Chrome: Windows, macOS, Linux
Edge: Windows, macOS, Linux
Firefox: Windows, macOS, Linux
Brave: Windows, macOS, Linux
Opera: Windows, macOS, Linux
Opera GX: Windows
Vivaldi: Windows, macOS, Linux
Chromium: Windows, macOS, Linux
Yandex: Windows
Waterfox: Windows, macOS, Linux
Safari (partial): macOS

Quick Start

Zero dependencies — clone and run

Clone & Run

$ git clone https://github.com/dbeglaryan/Frostveil.git
$ cd Frostveil
$ python main.py --full --format json --out evidence.json

Interactive Dashboard

$ python main.py --full --format json --out evidence.json --dashboard

Docker

$ docker build -t frostveil .
$ docker run -v /path/to/data:/data frostveil --full --format json --out /data/evidence.json

Pipeline Architecture

Five-phase forensic analysis pipeline

1. Extract: parallel browser artifact extraction (8 threads)
2. Analyze: deleted record recovery, anti-forensics checks, cloud account enumeration, PII scan
3. Output: JSON/CSV/JSONL/SQLite with splitting options
4. Intelligence: IOC scanning, forensic analysis, password audit
5. Report: HTML, PDF, STIX, CASE, bodyfile and Elasticsearch export, plus manifest signing

How Frostveil Compares

Feature comparison with popular alternatives

Feature | Frostveil | HackBrowserData | Hindsight | LaZagne
Price | Free | Free | Free | Free
Dependencies | None | Go (prebuilt binary) | Python + deps | Python + deps
Browsers | 9+ | 8 | Chrome only | 5
Credential decrypt | Yes | Yes | No | Yes
IOC scanning | Yes | No | No | No
Password audit | Yes | No | No | No
PII scanning | Yes (30+ patterns) | No | No | No
Cloud accounts | Yes (70+ rules) | No | No | No
Fingerprinting | Yes | No | No | No
Session hijack | Yes | No | No | No
Deleted recovery | Yes | No | Yes | No
Windows artifacts | Yes | No | No | No
STIX export | Yes | No | No | No
Dashboard | Yes (26 views) | No | Basic | No
PDF reports | Yes | No | No | No
OPSEC/stealth | Yes | No | No | No
Plugin system | Yes | No | No | No