Windows · macOS · Linux — DFIR

Modern digital forensics — without the legacy price

Daylight is a fast, cross-platform DFIR platform for incident responders and examiners — a modern alternative to Autopsy and EnCase, with native threat-intel correlation and court-admissible chain-of-custody reporting.

v1.1 · Built-in tutorial on first run · One-click Run Full Analysis
3 image formats: DD, E01, VMDK
9+ Windows artifact types extracted
3 intel sources: OTX, VT, MalwareBazaar

The platform

Everything an examination needs, in one tool

From mounting the evidence to handing the report to a lawyer — without stitching together six utilities.

Open any evidence source

Raw/DD, EnCase E01, and VMDK images, auto-detected — plus attached physical drives (read-only, with a write-blocker reminder) and mounted folders.

Browse terabytes, instantly

NTFS, FAT, exFAT, ext2/3/4, HFS+, and APFS via The Sleuth Kit, with lazy navigation that stays fast on terabyte images. Full MAC(b) timestamps and deleted-entry detection.

Artifact extraction

Prefetch (incl. Win10 decompression), LNK, registry, event logs, shellbags, browser history, Amcache, Shimcache, and Jump Lists — extracted into a searchable case database.

Unified timeline + full-text search

Every artifact timestamp on one timeline, and SQLite FTS5 full-text search across everything extracted. Find the pivot point in seconds.

Native threat intel

IOC feeds with auto-flagging, plus AlienVault OTX, VirusTotal, and MalwareBazaar lookups — correlation built in, not bolted on.

Court-ready reporting

Branded HTML/PDF reports, a CMMC incident-evidence package, and tamper-evident chain of custody with an integrity digest.

DD / raw · E01 (EWF) · VMDK · NTFS · FAT / exFAT · ext2/3/4 · HFS+ · APFS · Prefetch · LNK · Registry · EVTX · Shellbags · Browser history · Amcache · Shimcache · Jump Lists · MD5 / SHA-1 / SHA-256

The workflow

From evidence to report in four moves

Or click ⚡ Run Full Analysis on the dashboard and let it run extract → IOC scan → report in one pass.

1. Add evidence

Open a disk image, attach a physical drive read-only, or point at a mounted folder. Format detection is automatic.

2. Extract & recover

Pull artifacts, hash files in one pass, carve by signature, and recover deleted files — all on background threads.

3. Analyze & correlate

Work the unified timeline, search everything with FTS5, and let IOC feeds and OTX/VT/MalwareBazaar flag what's hostile.

4. Report

Generate branded HTML/PDF reports or a CMMC evidence package, with tamper-evident chain of custody.

Who it's for

For the examiners legacy tools price out

EnCase budgets belong to governments and big-four firms. The work doesn't.

Incident responders

Triage a compromised machine fast: one-click full analysis, IOC auto-flagging, and a timeline that shows you the story.

Forensic examiners

Defensible methodology: read-only acquisition paths, one-pass hashing, deleted-entry detection, and chain of custody with an integrity digest.

MSPs & small security teams

Serve defense and SMB clients with real forensics capability — including CMMC incident-evidence packages — without a six-figure tool budget.

Put it on a case today

Cross-platform, with a built-in tutorial on first run. Email us for the download — you'll hear back from the person who built it.

A note on forensic practice: Daylight supports sound methodology — read-only handling, hashing, chain of custody — but admissibility always depends on your process and jurisdiction. Follow your organization's procedures and applicable law.