# Install chainsaw with Homebrew, Nix, zypper

Rapidly Search and Hunt through Windows Forensic Artefacts. Version 2.16.0 via Homebrew; verified 2026-05-09.

## Install

```sh
sudo av install brew:chainsaw
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install chainsaw
```

  Evidence: local Homebrew formula metadata

### Linux

- Nix (92%):

```sh
nix profile install nixpkgs#chainsaw
```

  Evidence: nixpkgs package indexes: pkgs/by-name/ch/chainsaw/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

- zypper (92%):

```sh
sudo zypper install apache-chainsaw
```

  Evidence: openSUSE Tumbleweed package metadata: apache-chainsaw from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst

## Package facts

- **Package key:** brew:chainsaw
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/chainsaw>
- **Version:** 2.16.0
- **Source summary:** Rapidly Search and Hunt through Windows Forensic Artefacts
- **Homepage:** <https://github.com/WithSecureLabs/chainsaw>
- **Repository:** <https://github.com/WithSecureLabs/chainsaw>
- **Upstream docs:** <https://github.com/WithSecureLabs/chainsaw#readme>
- **License:** GPL-3.0-only
- **Source archive:** <https://github.com/WithSecureLabs/chainsaw/archive/refs/tags/v2.16.0.tar.gz>
- **Last updated:** 2026-05-09T11:59:50Z
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- chainsaw (cli)
- chainsaw (alias)

## Build dependencies

- rust

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 2.16.0
- Package-manager updated: 2026-05-09
- Local data: ok
- Upstream repository: https://github.com/WithSecureLabs/chainsaw
- Upstream latest detected: v2.16.0 (current)
## Project history and usage

Chainsaw is a WithSecure Labs command-line tool for rapid Windows forensic triage. It searches event logs and other Windows artefacts, applies Sigma and custom detection rules, and emits investigator-friendly output formats.

### Project history

WithSecure Countercept created Chainsaw for incident-response cases where endpoint telemetry or a SIEM was not available, so analysts needed fast standalone processing of Windows artefacts. The public GitHub repository was created in August 2021 and v1.0.0 was released later that month.

The project evolved from an all-in-one threat-hunting bundle toward a tool that expects users to keep Sigma rules and sample event logs separately. The README notes that Chainsaw v2 stopped including Sigma Rules and EVTX-Attack-Samples as submodules so users could track those projects independently.

### Adoption history

Chainsaw is distributed through GitHub releases, Nix, and the Homebrew formula named chainsaw. That packaging path matters because the tool is useful as a portable first-response binary on analyst workstations and ephemeral response systems.

GitHub release metadata shows active maintenance from v1.0.0 in 2021 through v2 releases in 2026.

### How it is used

Typical use is to run chainsaw against Windows event-log collections, optionally supplying a Sigma rules directory and a mapping file such as mappings/sigma-event-logs-all.yml. The README documents output formats including table, CSV, and JSON, plus timeline generation from Shimcache enriched with Amcache data.

### Why package nerds care

Chainsaw is notable in package-manager culture because it packages modern Rust DFIR tooling for a workflow that often used heavier SIEM stacks such as Splunk or ELK. It also shows the Sigma ecosystem becoming something local CLIs can consume directly.

### Timeline

- 2021: GitHub repository created by WithSecureLabs.
- 2021: v1.0.0 published on GitHub releases.
- 2023: v2 line documented removal of bundled Sigma and EVTX sample submodules.
- 2026: v2.16.0 published on GitHub releases.

### Related projects

- SigmaHQ/sigma provides the Sigma detection rules Chainsaw can run.
- omerbenamram/evtx is the Rust EVTX parser wrapped by Chainsaw.
- sbousseaden/EVTX-ATTACK-SAMPLES is used in the README example dataset workflow.

### Sources

- <https://github.com/WithSecureLabs/chainsaw#readme>
- <https://github.com/WithSecureLabs/chainsaw/releases>
- <https://api.github.com/repos/WithSecureLabs/chainsaw>


## Security Notes

No matching local secret-handling manifest was found for chainsaw. Nucleus package metadata is still published here so future coverage has a stable package URL.


## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** chainsaw
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Nix - chainsaw: normalized package name match | nixpkgs package indexes: pkgs/by-name/ch/chainsaw/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
- zypper - apache-chainsaw - 2.1.0-5.8: normalized package name match | openSUSE Tumbleweed package metadata: apache-chainsaw from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | Apache Chainsaw | https://logging.apache.org/chainsaw


## Related links

- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Text processing packages](https://www.automicvault.com/pkg/text-processing-tools/) - Matched text, document, or structured-data processing metadata.
- [Language runtime packages](https://www.automicvault.com/pkg/language-runtime-packages/) - Matched language runtime, compiler, or interpreter metadata.
- [rust](https://www.automicvault.com/pkg/brew/rust/) - Build dependency declared by Homebrew.
- [evtx](https://www.automicvault.com/pkg/brew/evtx/) - Shares av.db curated category or tags: cli, forensics, rust, security.
- [afflib](https://www.automicvault.com/pkg/brew/afflib/) - Shares av.db curated category or tags: cli, forensics, security.
- [dc3dd](https://www.automicvault.com/pkg/brew/dc3dd/) - Shares av.db curated category or tags: cli, forensics, security.
- [dcfldd](https://www.automicvault.com/pkg/brew/dcfldd/) - Shares av.db curated category or tags: cli, forensics, security.
- [hack-browser-data](https://www.automicvault.com/pkg/brew/hack-browser-data/) - Shares av.db curated category or tags: cli, forensics, security.
- [ssdeep](https://www.automicvault.com/pkg/brew/ssdeep/) - Shares av.db curated category or tags: cli, forensics, security.
- [mac-robber](https://www.automicvault.com/pkg/brew/mac-robber/) - Shares av.db curated category or tags: cli, forensics, security.
- [binwalk](https://www.automicvault.com/pkg/brew/binwalk/) - Shares av.db curated category or tags: cli, forensics, security.

## Combined YAML source

View the package source record on GitHub. [combined/chainsaw.yml](https://github.com/automic-vault/db/blob/main/combined/chainsaw.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
