Found 3 repositories (showing 3)
capelabs
A lightweight, extensible forensic tool that leverages eBPF to collect real-time system events on Windows for Digital Forensics and Incident Response.
KPop3-Daemon-Hunters
ebpf-for-DFIR extension
Wythwool
kernel-syscall-logger — eBPF-based Linux syscall tracer (CO-RE). Hooks raw_syscalls enter/exit, lightly decodes execve/openat/connect (IPv4), streams JSON events to stdout, and exposes Prometheus metrics for Grafana. Userspace C daemon supports filters (pid/uid/syscall). Fast, portable (x86_64/arm64), made for runtime monitoring and DFIR.