Web evidence
Access logs, error logs, POST requests, upload behavior, suspicious keywords, and request timing help locate entry clues.
Open Investigator · WebShell investigation
Trace WebShell clues from requests to files, processes, and outbound behavior.
A WebShell alert often starts from a path, upload, request keyword, suspicious process, or changed file. Open Investigator turns those clues into a local evidence workflow.
Apache-2.0Read-only toolsAI evidence reasoning
Search intent
For searches like WebShell investigation tool, web server incident response, suspicious JSP PHP ASP file investigation, and AI WebShell triage.
How it worksOpen Investigator can inspect web logs, suspicious request patterns, upload and POST activity, recent web-root changes, web-user processes, command history, network connections, and Java or middleware context. The AI uses those observations to connect weak signals into a timeline and report.
Investigation boundaryOpen Investigator collects and correlates evidence. It does not isolate hosts, block IPs, kill processes, delete files, disable accounts, restart services, or change firewall or registry state.
Practical workflow
Use it as a first-pass host investigation loop.
Host evidence
Recent JSP, PHP, ASP, JAR, WAR, CLASS, and script changes are checked against process, network, user, and persistence context.
Report handoff
Findings keep supporting evidence IDs and gaps so a responder can validate whether the clue is benign, suspicious, or likely compromise.
Common searches
Queries this page answers.
WebShell investigation toolOpen Investigator maps this search intent to local, read-only host evidence and a reviewable incident report.
web server incident responseOpen Investigator maps this search intent to local, read-only host evidence and a reviewable incident report.
suspicious web root file changesOpen Investigator maps this search intent to local, read-only host evidence and a reviewable incident report.
AI WebShell triageOpen Investigator maps this search intent to local, read-only host evidence and a reviewable incident report.
Use Open Investigator when a web alert needs local evidence before containment or cleanup.
The source, usage examples, contribution notes, and issue tracker live in the public Open Investigator repository.