AI Query History Forensic Extractor
Extract Claude Code and ChatGPT conversation history into CSV timelines for forensic analysis and incident response.
aix is a forensic artifact tool that extracts AI assistant query history from local storage and outputs structured CSV timelines. Designed for DFIR analysts investigating AI tool usage on endpoints.
Part of the Acquired Security forensic tools suite.
| AI Tool | Platform | Storage Format | Data Extracted |
|---|---|---|---|
| Claude Code | macOS, Linux, Windows | JSONL files (~/.claude/) | Full conversations, prompts, responses, model, token usage, project context |
| ChatGPT Desktop | Windows (MS Store), Windows (Standalone), macOS | LevelDB, SQLite | Conversation metadata, titles, timestamps, session IDs |
- Auto-scan triage images or live endpoints for AI artifacts
- Direct extraction from specific artifact paths
- Interactive mode with guided menu
- Cross-platform path detection (macOS, Linux, Windows)
- NaturalLanguage column for semantic timeline indexing
- CSV output compatible with forensic timeliner workflows
Download pre-built binaries from Releases, or build from source:
```bash
cargo build --release
```

Cross-compile for Windows (from macOS):

```bash
rustup target add x86_64-pc-windows-gnu
cargo build --release --target x86_64-pc-windows-gnu
```

Auto-detect and extract all AI artifacts from an endpoint image:

```bash
aix scan -d /path/to/triage/image -o /output/directory
```

```bash
# Claude Code - full .claude directory
aix extract -i /Users/analyst/.claude -o claude_history.csv
# Claude Code - single history file
aix extract -i /Users/analyst/.claude/history.jsonl
# ChatGPT Desktop (Windows MS Store)
aix extract -i "C:\Users\Admin\AppData\Local\Packages\OpenAI.ChatGPT-Desktop_*\LocalCache\Roaming\ChatGPT" -o chatgpt.csv
```

Interactive mode:

```bash
aix -i
```

```
aix [OPTIONS] [COMMAND]

Commands:
  scan     Auto-detect AI artifacts in a triage directory
  extract  Extract from a specific artifact file or directory

Options:
  -v, --verbose      Enable verbose logging
  -i, --interactive  Interactive menu mode
  -h, --help         Print help
  -V, --version      Print version

scan:
  -d, --dir <DIR>     Triage root directory to scan
  -o, --output <DIR>  Output directory for CSV files
  -u, --user <USER>   Username override

extract:
  -i, --input <PATH>   Artifact file or directory
  -o, --output <FILE>  Output CSV file (omit for stdout)
  -t, --tool <TOOL>    AI tool type: claude-code, chatgpt (auto-detected if omitted)
  -u, --user <USER>    Username override
```

| Column | Description |
|---|---|
| Timestamp | UTC timestamp (MM/DD/YYYY HH:MM:SS AM/PM) |
| Role | Message role: user, assistant, system |
| Content | Message content (truncated to 500 chars) |
| Session ID | Conversation/session identifier |
| Message ID | Unique message identifier |
| Parent ID | Parent message ID (conversation threading) |
| Project | Working directory or project context |
| AI Tool | Source tool (Claude Code, ChatGPT) |
| Model | AI model used (claude-opus-4-6, gpt-4o, etc.) |
| Input Tokens | Input token count |
| Output Tokens | Output token count |
| Source File | Path to the source artifact file |
| Record ID | Sequential record number |
| NaturalLanguage | Human-readable timeline summary |
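
The Timestamp column is a 12-hour MM/DD/YYYY string, so sorting it as text misorders events, and Content is cut at 500 characters, so keyword hits can be missed in the CSV. The following is an added example, not part of aix: it assumes the CSV header names match the column table above and runs on constructed rows, parsing the timestamps, restoring chronological order and summarizing each session with the source files to reopen for full message text.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

TS_FORMAT = "%m/%d/%Y %I:%M:%S %p"  # documented: MM/DD/YYYY HH:MM:SS AM/PM, UTC
CONTENT_LIMIT = 500                 # documented truncation length for Content

# Constructed sample rows (not real aix output), deliberately out of order.
# Assumption: header names equal the names in the column table.
SAMPLE_CSV = """Timestamp,Role,Content,Session ID,Input Tokens,Output Tokens,Source File
01/01/2025 01:15:00 PM,user,later prompt,sess-b,,,/evidence/.claude/history.jsonl
12/31/2024 11:59:58 PM,user,first prompt,sess-a,12,0,/evidence/.claude/history.jsonl
01/01/2025 12:00:05 AM,assistant,{long},sess-a,0,640,/evidence/.claude/history.jsonl
""".replace("{long}", "x" * CONTENT_LIMIT)


def parse_ts(value):
    """Parse the documented timestamp format into an aware UTC datetime."""
    return datetime.strptime(value.strip(), TS_FORMAT).replace(tzinfo=timezone.utc)


def to_int(value):
    """Token columns may be empty (for example metadata-only rows)."""
    value = (value or "").strip()
    return int(value) if value.isdigit() else 0


def summarize(csv_text):
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    rows.sort(key=lambda r: parse_ts(r["Timestamp"]))  # never sort the raw string
    sessions = defaultdict(lambda: {"first": None, "last": None,
                                    "messages": 0, "tokens": 0, "truncated": set()})
    for r in rows:
        ts = parse_ts(r["Timestamp"])
        s = sessions[r["Session ID"]]
        s["first"] = s["first"] or ts
        s["last"] = ts
        s["messages"] += 1
        s["tokens"] += to_int(r.get("Input Tokens")) + to_int(r.get("Output Tokens"))
        # At or above the limit the text was probably cut: reopen Source File.
        if len(r["Content"]) >= CONTENT_LIMIT:
            s["truncated"].add(r["Source File"])
    return rows, dict(sessions)


if __name__ == "__main__":
    for sid, s in summarize(SAMPLE_CSV)[1].items():
        print(sid, s["first"], s["last"], s["messages"], s["tokens"], sorted(s["truncated"]))
```
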

Claude Code artifact paths:

| Platform | Path |
|---|---|
| macOS/Linux | ~/.claude/history.jsonl |
| macOS/Linux | ~/.claude/projects/<project>/<session>.jsonl |
| Windows | C:\Users\<user>\.claude\history.jsonl |
| Windows | C:\Users\<user>\.claude\projects\<project>\<session>.jsonl |

ChatGPT artifact paths:

| Platform | Path |
|---|---|
| macOS | ~/Library/Application Support/com.openai.chat/ |
| macOS (Atlas) | ~/Library/Application Support/OpenAI/Atlas/ |
| Windows (MS Store) | C:\Users\<user>\AppData\Local\Packages\OpenAI.ChatGPT-Desktop_*\LocalCache\Roaming\ChatGPT\ |
| Windows (Standalone) | C:\Users\<user>\AppData\Roaming\OpenAI\ChatGPT\ |
Requires Rust 1.70+.

```bash
# macOS/Linux
cargo build --release
# Windows cross-compile (requires mingw-w64)
brew install mingw-w64 # macOS
cargo build --release --target x86_64-pc-windows-gnu
```

License: MIT
