Incident Response Toolkit

Respond faster.

Forensic artifact collection for Windows. One script, 50+ artifacts, zero dependencies.

Current release: v1.0.0 (source on GitHub)

50+ artifacts · <5 min direct run · <10 min via Live Response · 0 dependencies
Why NovaTrace

Built for responders who need answers fast.

Single file

One PowerShell script. No agent to install, no third-party modules, no configuration file: copy it to the host and run it.

Comprehensive

Collects processes, network, persistence, execution artifacts, registry hives, and event logs.

Forensically sound

Reads artifacts in place and alters nothing it collects; the only thing it writes to the host is its own output archive, and every collected file is recorded in a SHA256 hash manifest so the evidence can be verified after transfer. Running any live collector still leaves its own execution traces on the host (a process-creation event, PowerShell script logging, a prefetch entry for powershell.exe), so note the time and method of collection in your case notes.

Live Response ready

Built for Microsoft Defender for Endpoint Live Response: upload the script to the Live Response library, run it on the host, retrieve the archive.

Organized output

Artifacts land in a logical folder structure with a SHA256 hash manifest, ready to hand to downstream parsers.

Tool compatible

Output drops straight into Timeline Explorer and the rest of the Eric Zimmerman tools, or any forensic platform that ingests raw Windows artifacts.

Collection scope

Everything you need.

Processes & DLLs
Network connections
DNS cache
Scheduled tasks
Registry hives
Prefetch files
Amcache
ShimCache
Browser history
Event logs
PowerShell history
USB artifacts
WMI subscriptions
BITS jobs
Jump lists
LNK files
SRUM database
Persistence mechanisms

Three commands.

Works on Windows 10, 11 and Server 2016+, run locally or via Live Response. Run it from an elevated PowerShell session: registry hives, SRUM and the Security event log are not readable without administrator rights. If the local execution policy blocks the script, start it with powershell.exe -ExecutionPolicy Bypass -File .\NovaTrace.ps1.

# Run collection (elevated session; the archive is written as C:\NovaTrace_*.zip by default)
.\NovaTrace.ps1

# Custom output path
.\NovaTrace.ps1 -OutputPath "D:\IR"

# Defender for Endpoint Live Response (upload NovaTrace.ps1 to the Live Response library first;
# running an unsigned script requires the "Live Response unsigned script execution" advanced feature)
putfile NovaTrace.ps1
run NovaTrace.ps1
getfile "C:\NovaTrace_*.zip"
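Once the archive is retrieved and extracted, the first thing to do is check it against the hash manifest before any parsing starts. The PowerShell below is an added example, not part of NovaTrace. It assumes the manifest holds one "<sha256>  <relative path>" line per collected file (the file name manifest.sha256 and the sample artifacts in the demonstration are constructed for this example); if the real manifest uses another layout, only the parsing at the top of Test-CollectionManifest needs to change. Each file is reported as OK, Mismatch, Missing, MalformedEntry or Unlisted, the last one catching files that sit in the extracted tree but were never hashed.

```powershell
# Added example: verify an extracted NovaTrace collection against its SHA256 manifest.
# Not NovaTrace's own code. ASSUMPTION: the manifest holds one "<sha256>  <relative path>"
# line per collected file; adapt the parsing below if the real manifest uses a different
# layout (CSV, JSON, ...).

function Test-CollectionManifest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Root,          # folder the archive was extracted to
        [Parameter(Mandatory)][string]$ManifestPath   # manifest file (inside or beside $Root)
    )
    $rootFull     = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    $manifestFull = (Resolve-Path -LiteralPath $ManifestPath).Path
    $listed       = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)

    $results = @(foreach ($line in Get-Content -LiteralPath $manifestFull) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        # Split on the first run of whitespace: the hash, then a path that may itself contain spaces
        $parts = $line.Trim() -split '\s+', 2
        if ($parts.Count -ne 2 -or $parts[0] -notmatch '^[0-9A-Fa-f]{64}$') {
            [pscustomobject]@{ Path = $line; Status = 'MalformedEntry'; Expected = $null; Actual = $null }
            continue
        }
        $expected = $parts[0].ToUpperInvariant()
        $relPath  = $parts[1].Trim() -replace '/', '\'
        $full     = Join-Path -Path $rootFull -ChildPath $relPath
        [void]$listed.Add($full)

        if (-not (Test-Path -LiteralPath $full -PathType Leaf)) {
            [pscustomobject]@{ Path = $relPath; Status = 'Missing'; Expected = $expected; Actual = $null }
            continue
        }
        $actual = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
        $status = if ($actual -eq $expected) { 'OK' } else { 'Mismatch' }
        [pscustomobject]@{ Path = $relPath; Status = $status; Expected = $expected; Actual = $actual }
    })

    # Files under $Root that the manifest never mentions (the manifest itself excepted):
    # either the collector missed them or something was added after collection.
    $unlisted = @(Get-ChildItem -LiteralPath $rootFull -Recurse -File |
        Where-Object { $_.FullName -ne $manifestFull -and -not $listed.Contains($_.FullName) } |
        ForEach-Object {
            [pscustomobject]@{ Path = $_.FullName.Substring($rootFull.Length).TrimStart('\'); Status = 'Unlisted'; Expected = $null; Actual = $null }
        })

    $results + $unlisted
}

# --- Demonstration on a constructed collection in a temp folder (sample content is made up) ---
$demo = Join-Path ([IO.Path]::GetTempPath()) ('novatrace-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path (Join-Path $demo 'Network') -Force | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'Network\netstat.txt') -Value 'TCP 10.0.0.5:49812 203.0.113.9:443 ESTABLISHED'
Set-Content -LiteralPath (Join-Path $demo 'processes.csv') -Value 'Name,Id', 'powershell.exe,4242'

# Build a manifest in the assumed layout (enumerate first so the manifest does not list itself)
$manifest = Join-Path $demo 'manifest.sha256'
$entries  = Get-ChildItem -LiteralPath $demo -Recurse -File | ForEach-Object {
    '{0}  {1}' -f (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash, $_.FullName.Substring($demo.Length).TrimStart('\')
}
Set-Content -LiteralPath $manifest -Value $entries

'Fresh extraction:'
Test-CollectionManifest -Root $demo -ManifestPath $manifest | Format-Table -AutoSize   # every entry OK

# Simulate a file altered after collection, then re-verify
Add-Content -LiteralPath (Join-Path $demo 'processes.csv') -Value 'evil.exe,1337'
'After tampering:'
Test-CollectionManifest -Root $demo -ManifestPath $manifest | Format-Table -AutoSize   # processes.csv reported as Mismatch

Remove-Item -LiteralPath $demo -Recurse -Force
```

Keep the verification output with the case file: a clean run ties the archive you analyse to the one the host produced, and a Mismatch or Unlisted entry is a chain-of-custody question to settle before any findings are drawn from that file.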

Open source. Free forever.
