Skip to content

noirlang/worm

BranchesTags

Repository files navigation

Worm Logo

Worm Forensic Tool

Collect digital evidence in one place. Disk, RAM, and Android acquisition.

Website | Releases | Contributing | Security | Linux Agent | Windows Agent

worm-new.mp4

Overview

Worm is a desktop forensic acquisition tool for authorized investigations. It brings disk imaging, memory acquisition, Android collection, hash verification, case output handling, image viewing, and reporting into one native application.

The app runs as a real desktop window on Linux and Windows.

Features

  • Local disk acquisition: create raw disk images from local disks or image files.
  • Remote disk acquisition: collect disk images through the Linux and Windows agents.
  • Local memory acquisition: capture RAM with AVML on Linux and WinPMEM on Windows.
  • Remote memory acquisition: start, pause, resume, stop, track, and download RAM dumps from agents.
  • Android tools: check ADB, list devices, collect logical data, collect filesystem data, capture volatile data, and analyze Android case outputs.
  • Case management: store acquisitions, notes, hashes, Android outputs, and reports under selected cases.
  • Hashing and verification: calculate MD5, SHA1, SHA256, and SHA512; generate sidecar hashes for acquired evidence.
  • Image viewing: mount supported images read-only for inspection.
  • Reports: create case reports from collected outputs and notes.
  • Updates: check GitHub releases and download platform installers from inside the app.

Downloads

Release builds are published on GitHub Releases and on the website.

  • Linux AppImage: worm-linux-x64.AppImage
  • Linux DEB: worm-linux-x64.deb
  • Linux RPM: worm-linux-x64.rpm
  • Windows MSI: worm-windows-x64.msi

Agent binaries:

https://worm.noirlang.tr/worm-linux
https://worm.noirlang.tr/worm-win.exe

Build Requirements

Install the Rust stable toolchain:

rustup toolchain install stable --component rustfmt
rustup default stable

Linux development packages:

sudo apt update
sudo apt install -y build-essential pkg-config libgtk-3-dev libwebkit2gtk-4.1-dev

Windows builds require the Microsoft Edge WebView2 Runtime on the target system.

Build

Debug build:

cargo build --locked

Release build:

cargo build --release --locked

Run tests and checks:

cargo test --locked
cargo fmt --all -- --check
node --check ui/app.js

Build the Linux AppImage:

./scripts/build-appimage.sh

Run

Start the native desktop app:

cargo run -- ui

Run the release binary:

./target/release/worm ui

Open the browser-backed debug UI:

cargo run -- ui-browser

Agents

Run the Linux agent on the target machine:

wget -O worm-linux https://worm.noirlang.tr/worm-linux
chmod +x worm-linux
./worm-linux

Download the Windows agent:

https://worm.noirlang.tr/worm-win.exe

Connect to an agent from the app with IP address, port, and optional token.

About

Collect digital evidence in one place.Disk, RAM, and Android acquisition.

worm.noirlang.tr/

Topics

android forensic-analysis forensic forensic-tools digitalforensic android-forensics android-forensics-tool forensic-imageing

Resources

Readme

License

GPL-3.0 license

Contributing

Contributing

Security policy

Security policy
Activity
Custom properties

Stars

9 stars

Watchers

0 watching

Forks

1 fork
Report repository

Releases 9

Worm v0.0.10 Latest
Jun 4, 2026
+ 8 releases

Contributors

Languages