Getting started

Install, run your first case, and point AI triage at a local LLM.

Install

digger is pure Python ≥ 3.10. Base install needs psutil, requests, pyyaml, rich. Optional extras pull in YARA, Windows registry parsing, GeoIP, etc.

# Clone or download, then from the repo root:
pip install -e .

# Recommended — every optional feature:
pip install -e ".[all]"

# Add the AES-256-GCM hybrid encryption helper:
pip install cryptography

# Add post-quantum cryptography:
pip install oqs   # after building liboqs; see https://openquantumsafe.org

First case

# 1. Collect every artifact this user is allowed to read
digger collect --case-dir ./case-2026-01

# 2. Run the detection stack against the collected evidence
digger scan --case-dir ./case-2026-01

# 3. Verify the evidence hash chain
digger verify --case-dir ./case-2026-01

# 4. Render a self-contained HTML report
digger report --case-dir ./case-2026-01 --format html --out ./case-2026-01/report.html

or just:

digger investigate --case-dir ./case-2026-01 --report ./report.html

Privileges. Some artifacts require elevation (Windows EVTX, Linux auditd, macOS unified logs at depth, /var/log/auth.log on some distros). Run with sudo / runas administrator when you can. Collectors that need admin but don't have it are skipped, not failed.
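What `digger verify` is checking, as an added illustration that is not digger's own code or its on-disk format: a minimal append-only hash chain in which every link commits to the previous link's hash plus the canonical JSON of its own record, so altering any stored record or reordering links breaks recomputation from that point on. The record fields, SHA-256 linking and the all-zero genesis value are assumptions made for this example; the final link's hash is the kind of chain tip a `digger pqc sign` style signature would cover.

```python
import copy
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # assumed starting value for an empty chain


def link_hash(prev_hash: str, record: dict) -> str:
    """Hash of the previous link's hash concatenated with this record's canonical JSON."""
    canon = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canon).encode()).hexdigest()


def build_chain(records: list) -> list:
    """Append each record in order; each link stores prev hash, own hash and the record."""
    chain, prev = [], GENESIS
    for rec in records:
        h = link_hash(prev, rec)
        chain.append({"prev": prev, "hash": h, "record": rec})
        prev = h
    return chain


def verify_chain(chain: list) -> tuple:
    """Recompute every link. Returns (ok, index of first bad link or None)."""
    prev = GENESIS
    for i, link in enumerate(chain):
        if link["prev"] != prev or link_hash(prev, link["record"]) != link["hash"]:
            return False, i
        prev = link["hash"]
    return True, None


def chain_tip(chain: list) -> str:
    """The value a signature over the chain would cover."""
    return chain[-1]["hash"] if chain else GENESIS


# Constructed sample records, not real evidence
SAMPLE = [
    {"artifact": "files/auth.log", "sha256": "aa" * 32, "collector": "linux_auth"},
    {"artifact": "files/bash_history", "sha256": "bb" * 32, "collector": "shell_history"},
    {"finding": "suspicious_cron", "severity": "medium", "artifact": "files/crontab"},
]


def demo_tamper() -> tuple:
    """Edit an already-chained record after the fact; verification must stop at link 1."""
    chain = build_chain(copy.deepcopy(SAMPLE))
    chain[1]["record"]["sha256"] = "cc" * 32
    return verify_chain(chain)


if __name__ == "__main__":
    intact = build_chain(copy.deepcopy(SAMPLE))
    print("intact:", verify_chain(intact), "tip:", chain_tip(intact))
    print("tampered:", demo_tamper())
```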

Pointing AI triage at a local LLM

Triage talks to any OpenAI-compatible /v1/chat/completions endpoint. Three common setups:

llama.cpp

# Pull a GGUF — anything that can JSON-format works
huggingface-cli download zai-org/GLM-4.6-GGUF GLM-4.6-Q4_K_M.gguf --local-dir ./models

# Serve it
llama-server -m ./models/GLM-4.6-Q4_K_M.gguf \
    --host 127.0.0.1 --port 8080 -c 32768 --jinja

# Then triage
digger triage --case-dir ./case-2026-01 \
    --llm-base-url http://127.0.0.1:8080/v1 \
    --llm-model GLM-4.6

ollama

ollama serve
ollama pull qwen2.5:14b-instruct
digger triage --case-dir ./case-2026-01 \
    --llm-base-url http://127.0.0.1:11434/v1 \
    --llm-model qwen2.5:14b-instruct

Environment variables

export DIGGER_LLM_BASE_URL=http://127.0.0.1:8080/v1
export DIGGER_LLM_MODEL=GLM-4.6
export DIGGER_LLM_API_KEY=local
export DIGGER_LLM_TEMPERATURE=0.2
digger triage --case-dir ./case-2026-01

Government / regulated environments

Run in FIPS 140-3 mode (refuses non-approved algorithms, runs known-answer tests at startup) and tag the case with classification + TLP:

digger --fips-mode \
       --classification CUI \
       --tlp TLP:AMBER+STRICT \
       investigate --case-dir ./case-2026-01

# Generate compliance reports against named frameworks
digger compliance assess --case-dir ./case-2026-01 \
       --frameworks nist_800_171,cmmc_2_0,iso_27001

# PQC-sign the chain tip
digger pqc sign --case-dir ./case-2026-01 \
       --algorithm ML-DSA-65 --key /secrets/digger.sk

# Export to STIX 2.1 for sharing
digger export stix --case-dir ./case-2026-01 --tlp TLP:AMBER

Common flags

Flag              Effect
--no-banner       Suppress the ASCII banner (use in scripts/CI)
--fips-mode       Enable FIPS 140-3 restrictions; runs KATs first
--classification  Classification marking written to the chain of custody
--tlp             Default TLP marking (CLEAR | GREEN | AMBER | AMBER+STRICT | RED)
--only            Comma-separated collector/detector names; only those are run
--no-admin        Skip every collector that requires elevation

Where evidence lives

./case-2026-01/
├── evidence.db                 SQLite store (artifacts + findings + hash chain)
├── chain_of_custody.json       ISO 27037 / NIST 800-86 record
├── case_signature.json         PQC signature over chain tip (after `digger pqc sign`)
├── files/                      preserved evidence files
├── compliance/                 framework reports (after `compliance assess`)
└── report.html                 final triaged report