Skip to content

itsmeRiF/dfir-framework2

Repository files navigation

🛡️ CyberX | DFIR Framework

End-to-End Digital Forensics & Incident Response Framework

Case Management • Evidence Processing • Artifact Parsing • Timeline Analysis • Incident Correlation


📌 Overview

CyberX DFIR Framework is a modular Digital Forensics and Incident Response (DFIR) platform built using Flask.

The framework provides a unified investigation workspace for:

📁 Case Management
📤 Evidence Upload & Processing
🔍 Artifact Analysis
🕒 Timeline Reconstruction
🚨 Incident Detection & Correlation
📊 Investigation Data Export

All forensic artifacts are normalized into a common Event Model, allowing investigators to analyze artifacts across:

  • Events Explorer
  • Timeline View
  • Incident Dashboard

🔎 Artifact Analysis Modules

Artifact Extensions Parser / Engine Output
✅ Windows Event Logs .evtx Hayabusa + Sigma Rules Threat detections, suspicious activities
✅ Registry Hives SYSTEM, SOFTWARE, SAM, NTUSER.DAT Registry Parser Persistence mechanisms, configuration artifacts
✅ Prefetch Files .pf Prefetch Parser Execution history, LOLBin detection
✅ Jump Lists .automaticDestinations-ms, .customDestinations-ms OLE + LNK Parser Recent applications, accessed files
✅ Memory Dumps .raw, .mem, .dmp, .vmem Volatility3 + IOC Extraction Processes, network artifacts, memory analysis

🏗️ DFIR Processing Pipeline

                Evidence Upload
                       |
                       ↓
              Artifact Identification
                       |
        +--------------+--------------+
        |              |              |
      EVTX        Registry       Memory
        |              |              |
    Hayabusa      Hive Parser   Volatility3
        |              |              |
        +--------------+--------------+
                       |
                       ↓
              Normalized Event Model
                       |
          +------------+------------+
          |                         |
       Timeline              Incident Engine
          |                         |
          ↓                         ↓
 Investigation View          Threat Detection

⚙️ Installation

Clone Repository

git clone https://github.com/itsmeRiF/dfir-framework2.git

cd dfir-framework2

Create Virtual Environment

python -m venv .venv

.venv\Scripts\activate

Install Requirements

pip install -r requirements.txt

Create user

python bootstrap.py

Start Application

python app.py

Access:

http://127.0.0.1:1338

Default Credentials:

Username: analyst
Password: analyst123

For Event Logs Analysis

Download Hayabusa and place:

hayabusa.exe

inside:

tools/

Before first use:

cd tools

hayabusa.exe update-rules

This downloads:

  • Sigma Detection Rules
  • Detection Metadata
  • Hayabusa Rule Configuration

🗺️ Development Roadmap

Phase 1 — Core Windows Artifacts ✅

  • Windows Event Logs (EVTX)
  • Registry Hives
  • Prefetch Files
  • Jump Lists
  • Memory Dumps

To-do:

  • Display summary of RAM Analysis
  • Running processes
  • Active network connections

Phase 2 — Advanced Artifact Support 🚧

  • Browser History

Phase 3 — File System Forensics 🔮

  • Master File Table (MFT)
  • USN Journal
  • SRUM Database
  • Recycle Bin Analysis

🚀 Current Features

✅ Case Management
✅ Evidence Repository
✅ Artifact Auto Detection
✅ Hayabusa Integration
✅ Sigma Rule Detection
✅ Event Normalization
✅ Timeline Analysis
✅ Incident Correlation
✅ Severity Classification
✅ CSV Export


🔮 Future Integrations

  • Volatility3 Memory Framework
  • YARA Malware Detection
  • MITRE ATT&CK Mapping
  • Threat Intelligence Integration
  • IOC Extraction Engine
  • Automated Investigation Reports

👥 Contributors

Thanks to all contributors who helped build and test this CyberX DFIR Framework.

Made with ❤️ in India 🇮🇳

CyberX DFIR Framework

About

The automation framework for Digital Forensics and Incident Response --CyberX

Topics

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors