content overhaul

This commit is contained in:
overcuriousity 2025-07-28 10:46:17 +02:00
parent b1834aace1
commit 81bbafeef1
5 changed files with 2354 additions and 232 deletions


@ -32,6 +32,7 @@ license: string? # Software license
knowledgebase: boolean? # Has detailed documentation knowledgebase: boolean? # Has detailed documentation
tags: string[] # Searchable keywords tags: string[] # Searchable keywords
related_concepts: string[]? # Links to concept-type tools related_concepts: string[]? # Links to concept-type tools
related_software: string[]? #Links to software-type-tools
``` ```
### Taxonomies ### Taxonomies


@ -526,7 +526,7 @@
</div> </div>
<div class="form-group"> <div class="form-group">
<label>Scenarios</label> <label>🎮 Scenario Tags <small style="color: #666;">(adds scenario: prefix to tags)</small></label>
<div id="scenariosCheckbox" class="checkbox-group"></div> <div id="scenariosCheckbox" class="checkbox-group"></div>
</div> </div>
</div> </div>
@ -777,11 +777,14 @@
{ id: 'specific-os', name: 'Betriebssysteme', description: 'Operating Systems which focus on forensics' } { id: 'specific-os', name: 'Betriebssysteme', description: 'Operating Systems which focus on forensics' }
], ],
scenarios: [ scenarios: [
{ id: 'registry', icon: '🗃️', friendly_name: 'Registry-Analyse' }, { id: 'scenario:disk_imaging', icon: '💽', friendly_name: 'Datenträgerabbild' },
{ id: 'memory-forensics', icon: '🧠', friendly_name: 'Memory-Forensik' }, { id: 'scenario:memory_dump', icon: '🧠', friendly_name: 'RAM-Analyse' },
{ id: 'network-analysis', icon: '🌐', friendly_name: 'Netzwerk-Analyse' }, { id: 'scenario:file_recovery', icon: '🗑️', friendly_name: 'Datenrettung' },
{ id: 'malware-analysis', icon: '🦠', friendly_name: 'Malware-Analyse' }, { id: 'scenario:browser_history', icon: '🌍', friendly_name: 'Browser-Spuren' },
{ id: 'mobile-forensics', icon: '📱', friendly_name: 'Mobile-Forensik' } { id: 'scenario:credential_theft', icon: '🛑', friendly_name: 'Zugangsdiebstahl' },
{ id: 'scenario:remote_access', icon: '📡', friendly_name: 'Fernzugriffe' },
{ id: 'scenario:persistence', icon: '♻️', friendly_name: 'Persistenzsuche' },
{ id: 'scenario:windows-registry', icon: '📜', friendly_name: 'Registry-Analyse' }
] ]
}; };
@ -819,7 +822,7 @@
// Search in description // Search in description
if (tool.description && tool.description.toLowerCase().includes(term)) return true; if (tool.description && tool.description.toLowerCase().includes(term)) return true;
// Search in tags // Search in tags (includes scenarios as scenario: prefixed tags)
if (tool.tags && tool.tags.some(tag => tag.toLowerCase().includes(term))) return true; if (tool.tags && tool.tags.some(tag => tag.toLowerCase().includes(term))) return true;
// Search in related concepts // Search in related concepts
@ -828,10 +831,13 @@
// Search in related software // Search in related software
if (tool.related_software && tool.related_software.some(software => software.toLowerCase().includes(term))) return true; if (tool.related_software && tool.related_software.some(software => software.toLowerCase().includes(term))) return true;
// Search in scenarios // Search in scenario friendly names (from tags that start with scenario:)
if (tool.scenarios && tool.scenarios.some(scenario => { if (tool.tags && tool.tags.some(tag => {
const scenarioData = yamlData.scenarios.find(s => s.id === scenario); if (tag.startsWith('scenario:')) {
return scenarioData && scenarioData.friendly_name.toLowerCase().includes(term); const scenarioData = yamlData.scenarios.find(s => s.id === tag);
return scenarioData && scenarioData.friendly_name.toLowerCase().includes(term);
}
return false;
})) return true; })) return true;
// Search in type // Search in type
@ -1052,16 +1058,15 @@
const icon = document.getElementById('toolIcon').value.trim(); const icon = document.getElementById('toolIcon').value.trim();
if (icon) tool.icon = icon; if (icon) tool.icon = icon;
// Add domains, phases, and scenarios // Add domains, phases
tool.domains = getCheckedValues('#domainsCheckbox input:checked'); tool.domains = getCheckedValues('#domainsCheckbox input:checked');
tool.phases = getCheckedValues('#phasesCheckbox input:checked'); tool.phases = getCheckedValues('#phasesCheckbox input:checked');
const scenarios = getCheckedValues('#scenariosCheckbox input:checked');
if (scenarios.length > 0) tool.scenarios = scenarios;
// Add tags, related concepts, and related software // Add tags and scenario tags (scenarios get added to tags with scenario: prefix)
const tags = getTags(); const tags = getTags();
if (tags.length > 0) tool.tags = tags; const scenarioTags = getCheckedValues('#scenariosCheckbox input:checked');
const allTags = [...tags, ...scenarioTags];
if (allTags.length > 0) tool.tags = allTags;
const relatedConcepts = getRelatedConcepts(); const relatedConcepts = getRelatedConcepts();
if (relatedConcepts.length > 0) tool.related_concepts = relatedConcepts; if (relatedConcepts.length > 0) tool.related_concepts = relatedConcepts;
@ -1118,9 +1123,19 @@
function clearForm() { function clearForm() {
document.getElementById('toolForm').reset(); document.getElementById('toolForm').reset();
// Clear all tag inputs properly
document.getElementById('tagsInput').innerHTML = '<input type="text" id="tagInputField" placeholder="Add tags..." onkeydown="handleTagInput(event)" style="border: none; outline: none; flex: 1; min-width: 100px;">'; document.getElementById('tagsInput').innerHTML = '<input type="text" id="tagInputField" placeholder="Add tags..." onkeydown="handleTagInput(event)" style="border: none; outline: none; flex: 1; min-width: 100px;">';
document.getElementById('relatedConceptsInput').innerHTML = '<input type="text" id="relatedConceptInputField" placeholder="Add concept names..." onkeydown="handleRelatedConceptInput(event)" style="border: none; outline: none; flex: 1; min-width: 100px;">'; document.getElementById('relatedConceptsInput').innerHTML = '<input type="text" id="relatedConceptInputField" placeholder="Add concept names..." onkeydown="handleRelatedConceptInput(event)" style="border: none; outline: none; flex: 1; min-width: 100px;">';
document.getElementById('relatedSoftwareInput').innerHTML = '<input type="text" id="relatedSoftwareInputField" placeholder="Add software names..." onkeydown="handleRelatedSoftwareInput(event)" style="border: none; outline: none; flex: 1; min-width: 100px;">'; document.getElementById('relatedSoftwareInput').innerHTML = '<input type="text" id="relatedSoftwareInputField" placeholder="Add software names..." onkeydown="handleRelatedSoftwareInput(event)" style="border: none; outline: none; flex: 1; min-width: 100px;">';
// Clear all checkboxes
document.querySelectorAll('#domainsCheckbox input[type="checkbox"]').forEach(cb => cb.checked = false);
document.querySelectorAll('#phasesCheckbox input[type="checkbox"]').forEach(cb => cb.checked = false);
document.querySelectorAll('#scenariosCheckbox input[type="checkbox"]').forEach(cb => cb.checked = false);
document.querySelectorAll('#platformsCheckbox input[type="checkbox"]').forEach(cb => cb.checked = false);
document.querySelectorAll('#domainAgnosticCheckbox input[type="checkbox"]').forEach(cb => cb.checked = false);
currentEditingIndex = -1; currentEditingIndex = -1;
toggleConditionalFields(); toggleConditionalFields();
} }
@ -1155,14 +1170,21 @@
// Set checkboxes // Set checkboxes
setCheckboxValues('#domainsCheckbox input', tool.domains || []); setCheckboxValues('#domainsCheckbox input', tool.domains || []);
setCheckboxValues('#phasesCheckbox input', tool.phases || []); setCheckboxValues('#phasesCheckbox input', tool.phases || []);
setCheckboxValues('#scenariosCheckbox input', tool.scenarios || []);
setCheckboxValues('#platformsCheckbox input', tool.platforms || []); setCheckboxValues('#platformsCheckbox input', tool.platforms || []);
setCheckboxValues('#domainAgnosticCheckbox input', tool['domain-agnostic-software'] || []); setCheckboxValues('#domainAgnosticCheckbox input', tool['domain-agnostic-software'] || []);
// Set tags // Separate scenario tags from regular tags
const allTags = tool.tags || [];
const scenarioTags = allTags.filter(tag => tag.startsWith('scenario:'));
const regularTags = allTags.filter(tag => !tag.startsWith('scenario:'));
// Set scenario checkboxes based on scenario tags
setCheckboxValues('#scenariosCheckbox input', scenarioTags);
// Set regular tags
const tagsContainer = document.getElementById('tagsInput'); const tagsContainer = document.getElementById('tagsInput');
tagsContainer.innerHTML = '<input type="text" id="tagInputField" placeholder="Add tags..." onkeydown="handleTagInput(event)" style="border: none; outline: none; flex: 1; min-width: 100px;">'; tagsContainer.innerHTML = '<input type="text" id="tagInputField" placeholder="Add tags..." onkeydown="handleTagInput(event)" style="border: none; outline: none; flex: 1; min-width: 100px;">';
(tool.tags || []).forEach(tag => addTag('tagsInput', tag)); regularTags.forEach(tag => addTag('tagsInput', tag));
// Set related concepts // Set related concepts
const conceptsContainer = document.getElementById('relatedConceptsInput'); const conceptsContainer = document.getElementById('relatedConceptsInput');
@ -1241,10 +1263,11 @@
const card = document.createElement('div'); const card = document.createElement('div');
card.className = `tool-card ${tool.type || 'software'}`; card.className = `tool-card ${tool.type || 'software'}`;
const tags = (tool.tags || []).map(tag => `<span class="tag">${tag}</span>`).join(''); const tags = (tool.tags || []).filter(tag => !tag.startsWith('scenario:')).map(tag => `<span class="tag">${tag}</span>`).join('');
const knowledgebaseIndicator = tool.knowledgebase ? '<span class="tag" style="background: #e8f5e8; color: #27ae60;">📚 KB</span>' : ''; const knowledgebaseIndicator = tool.knowledgebase ? '<span class="tag" style="background: #e8f5e8; color: #27ae60;">📚 KB</span>' : '';
const relatedSoftwareIndicator = (tool.related_software && tool.related_software.length > 0) ? '<span class="tag" style="background: #e3f2fd; color: #1976d2;">🔗 SW</span>' : ''; const relatedSoftwareIndicator = (tool.related_software && tool.related_software.length > 0) ? '<span class="tag" style="background: #e3f2fd; color: #1976d2;">🔗 SW</span>' : '';
const scenariosIndicator = (tool.scenarios && tool.scenarios.length > 0) ? '<span class="tag" style="background: #f3e5f5; color: #7b1fa2;">🎮 SC</span>' : ''; const scenarioTags = (tool.tags || []).filter(tag => tag.startsWith('scenario:'));
const scenariosIndicator = scenarioTags.length > 0 ? '<span class="tag" style="background: #f3e5f5; color: #7b1fa2;">🎮 SC</span>' : '';
card.innerHTML = ` card.innerHTML = `
<h3>${tool.icon ? tool.icon + ' ' : ''}${tool.name} <span style="font-size: 0.7em; color: #666;">[${tool.type || 'software'}]</span></h3> <h3>${tool.icon ? tool.icon + ' ' : ''}${tool.name} <span style="font-size: 0.7em; color: #666;">[${tool.type || 'software'}]</span></h3>
@ -1294,7 +1317,10 @@
const indicators = []; const indicators = [];
if (tool.knowledgebase) indicators.push('📚'); if (tool.knowledgebase) indicators.push('📚');
if (tool.related_software?.length > 0) indicators.push('🔗'); if (tool.related_software?.length > 0) indicators.push('🔗');
if (tool.scenarios?.length > 0) indicators.push('🎮');
// Check for scenario tags
const scenarioTags = (tool.tags || []).filter(tag => tag.startsWith('scenario:'));
if (scenarioTags.length > 0) indicators.push('🎮');
card.innerHTML = ` card.innerHTML = `
<div style="display: flex; align-items: center; gap: 10px; margin-bottom: 10px;"> <div style="display: flex; align-items: center; gap: 10px; margin-bottom: 10px;">
@ -1517,17 +1543,20 @@
} }
} }
// NEW: Scenario operations // Scenario operations (work with tags that have scenario: prefix)
function bulkAddScenarios() { function bulkAddScenarios() {
if (selectedTools.size === 0) return showMessage('No tools selected', 'error'); if (selectedTools.size === 0) return showMessage('No tools selected', 'error');
const scenarios = prompt('Enter scenario IDs to add (comma-separated):'); const scenarios = prompt('Enter scenario IDs to add (comma-separated, e.g., scenario:memory_dump,scenario:registry):');
if (scenarios) { if (scenarios) {
const scenarioList = scenarios.split(',').map(s => s.trim()).filter(s => s); const scenarioList = scenarios.split(',').map(s => {
const trimmed = s.trim();
return trimmed.startsWith('scenario:') ? trimmed : `scenario:${trimmed}`;
}).filter(s => s !== 'scenario:');
selectedTools.forEach(index => { selectedTools.forEach(index => {
const tool = yamlData.tools[index]; const tool = yamlData.tools[index];
tool.scenarios = [...new Set([...(tool.scenarios || []), ...scenarioList])]; tool.tags = [...new Set([...(tool.tags || []), ...scenarioList])];
}); });
showMessage(`Added scenarios to ${selectedTools.size} tools`); showMessage(`Added scenario tags to ${selectedTools.size} tools`);
renderBulkGrid(); renderBulkGrid();
} }
} }
@ -1536,26 +1565,33 @@
if (selectedTools.size === 0) return showMessage('No tools selected', 'error'); if (selectedTools.size === 0) return showMessage('No tools selected', 'error');
const scenarios = prompt('Enter scenario IDs to remove (comma-separated):'); const scenarios = prompt('Enter scenario IDs to remove (comma-separated):');
if (scenarios) { if (scenarios) {
const scenarioList = scenarios.split(',').map(s => s.trim()).filter(s => s); const scenarioList = scenarios.split(',').map(s => {
const trimmed = s.trim();
return trimmed.startsWith('scenario:') ? trimmed : `scenario:${trimmed}`;
}).filter(s => s !== 'scenario:');
selectedTools.forEach(index => { selectedTools.forEach(index => {
const tool = yamlData.tools[index]; const tool = yamlData.tools[index];
if (tool.scenarios) { if (tool.tags) {
tool.scenarios = tool.scenarios.filter(scenario => !scenarioList.includes(scenario)); tool.tags = tool.tags.filter(tag => !scenarioList.includes(tag));
if (tool.scenarios.length === 0) delete tool.scenarios; if (tool.tags.length === 0) delete tool.tags;
} }
}); });
showMessage(`Removed scenarios from ${selectedTools.size} tools`); showMessage(`Removed scenario tags from ${selectedTools.size} tools`);
renderBulkGrid(); renderBulkGrid();
} }
} }
function bulkClearScenarios() { function bulkClearScenarios() {
if (selectedTools.size === 0) return showMessage('No tools selected', 'error'); if (selectedTools.size === 0) return showMessage('No tools selected', 'error');
if (confirm(`Are you sure you want to clear ALL scenarios from ${selectedTools.size} selected tools?`)) { if (confirm(`Are you sure you want to clear ALL scenario tags from ${selectedTools.size} selected tools?`)) {
selectedTools.forEach(index => { selectedTools.forEach(index => {
delete yamlData.tools[index].scenarios; const tool = yamlData.tools[index];
if (tool.tags) {
tool.tags = tool.tags.filter(tag => !tag.startsWith('scenario:'));
if (tool.tags.length === 0) delete tool.tags;
}
}); });
showMessage(`Cleared scenarios from ${selectedTools.size} tools`); showMessage(`Cleared scenario tags from ${selectedTools.size} tools`);
renderBulkGrid(); renderBulkGrid();
} }
} }
@ -1769,12 +1805,15 @@ ${tool.domains && tool.domains.length > 0 ? `## Anwendungsbereiche
${tool.domains.map(domain => `- ${domain}`).join('\n')}\n\n` : ''}${tool.phases && tool.phases.length > 0 ? `## Ermittlungsphasen ${tool.domains.map(domain => `- ${domain}`).join('\n')}\n\n` : ''}${tool.phases && tool.phases.length > 0 ? `## Ermittlungsphasen
${tool.phases.map(phase => `- ${phase}`).join('\n')}\n\n` : ''}${tool.scenarios && tool.scenarios.length > 0 ? `## Anwendungsszenarien ${tool.phases.map(phase => `- ${phase}`).join('\n')}\n\n` : ''}${(() => {
const scenarioTags = (tool.tags || []).filter(tag => tag.startsWith('scenario:'));
return scenarioTags.length > 0 ? `## Anwendungsszenarien
${tool.scenarios.map(scenario => { ${scenarioTags.map(scenarioTag => {
const scenarioData = yamlData.scenarios.find(s => s.id === scenario); const scenarioData = yamlData.scenarios.find(s => s.id === scenarioTag);
return scenarioData ? `- ${scenarioData.icon} ${scenarioData.friendly_name}` : `- ${scenario}`; return scenarioData ? `- ${scenarioData.icon} ${scenarioData.friendly_name}` : `- ${scenarioTag}`;
}).join('\n')}\n\n` : ''}## ${tool.type === 'concept' ? 'Grundlagen' : tool.type === 'method' ? 'Vorgehensweise' : 'Installation & Nutzung'} }).join('\n')}\n\n` : '';
})()}## ${tool.type === 'concept' ? 'Grundlagen' : tool.type === 'method' ? 'Vorgehensweise' : 'Installation & Nutzung'}
${tool.type === 'concept' ? ${tool.type === 'concept' ?
`### Kernkonzepte `### Kernkonzepte
@ -1863,7 +1902,7 @@ TODO: Füge weitere nützliche Links und Ressourcen hinzu.
}); });
} }
// Enhanced Validation including scenarios and related_software // Enhanced Validation
function validateYAML() { function validateYAML() {
if (!yamlData) return showMessage('No data to validate', 'error'); if (!yamlData) return showMessage('No data to validate', 'error');
@ -1873,7 +1912,7 @@ TODO: Füge weitere nützliche Links und Ressourcen hinzu.
if (!yamlData.tools) validationResults.push('❌ Missing tools section'); if (!yamlData.tools) validationResults.push('❌ Missing tools section');
if (!yamlData.domains) validationResults.push('❌ Missing domains section'); if (!yamlData.domains) validationResults.push('❌ Missing domains section');
if (!yamlData.phases) validationResults.push('❌ Missing phases section'); if (!yamlData.phases) validationResults.push('❌ Missing phases section');
if (!yamlData.scenarios) validationResults.push('⚠️ Missing scenarios section'); if (!yamlData.scenarios) validationResults.push('⚠️ Missing scenarios section (for reference)');
// Validate tools // Validate tools
yamlData.tools?.forEach((tool, index) => { yamlData.tools?.forEach((tool, index) => {
@ -1904,12 +1943,13 @@ TODO: Füge weitere nützliche Links und Ressourcen hinzu.
}); });
} }
// Validate scenarios references // Validate scenario tags (check tags that start with scenario:)
if (tool.scenarios && tool.scenarios.length > 0) { if (tool.tags && tool.tags.length > 0) {
tool.scenarios.forEach(scenarioId => { const scenarioTags = tool.tags.filter(tag => tag.startsWith('scenario:'));
const exists = yamlData.scenarios?.some(s => s.id === scenarioId); scenarioTags.forEach(scenarioTag => {
const exists = yamlData.scenarios?.some(s => s.id === scenarioTag);
if (!exists) { if (!exists) {
validationResults.push(`⚠️ Tool ${index + 1}: Scenario "${scenarioId}" not found in scenarios`); validationResults.push(`⚠️ Tool ${index + 1}: Scenario tag "${scenarioTag}" not found in scenarios reference`);
} }
}); });
} }
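Review bot: The scenario lookup added to the tag search in the `-828` hunk, `const scenarioData = yamlData.scenarios.find(s => s.id === tag);`, dereferences `yamlData.scenarios` without a guard, so a single tool carrying a `scenario:` tag throws a TypeError when that section is absent, while validateYAML in the `-1873` hunk treats the missing section as only a warning and the `-1904` hunk itself uses `yamlData.scenarios?.some(...)`. Use the same guard here, `const scenarioData = yamlData.scenarios?.find(s => s.id === tag);`, and in the markdown export of the `-1769` hunk change `const scenarioData = yamlData.scenarios.find(s => s.id === scenarioTag);` to `yamlData.scenarios?.find(...)` as well. The old code had the same dereference, but it only ran for tools that already had a `scenarios` array, whereas a `scenario:`-prefixed tag can now be attached through the bulkAddScenarios prompt without any reference list being present. The enclosing functions of both hunks start and end outside the hunks.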

2156
src/data/tools-untagged.yaml Normal file



@ -27,6 +27,8 @@ tools:
- carving - carving
- artifact-extraction - artifact-extraction
- keyword-search - keyword-search
- scenario:file_recovery
- scenario:browser_history
related_concepts: related_concepts:
- SQL Query Fundamentals - SQL Query Fundamentals
- Hash Functions & Digital Signatures - Hash Functions & Digital Signatures
@ -37,7 +39,6 @@ tools:
license: Apache 2.0 license: Apache 2.0
knowledgebase: false knowledgebase: false
- name: Volatility 3 - name: Volatility 3
icon: 📦
type: software type: software
description: >- description: >-
Das Universalwerkzeug der Live-Forensik, unverzichtbar für die Analyse von Das Universalwerkzeug der Live-Forensik, unverzichtbar für die Analyse von
@ -47,6 +48,9 @@ tools:
erweiterbar, erfordert aber solide Kommandozeilen-Kenntnisse. Version 3 erweiterbar, erfordert aber solide Kommandozeilen-Kenntnisse. Version 3
bringt deutliche Performance-Verbesserungen und bessere bringt deutliche Performance-Verbesserungen und bessere
Formatunterstützung. Formatunterstützung.
skillLevel: advanced
url: https://www.volatilityfoundation.org/
icon: 📦
domains: domains:
- incident-response - incident-response
- static-investigations - static-investigations
@ -55,21 +59,8 @@ tools:
phases: phases:
- examination - examination
- analysis - analysis
platforms: scenarios:
- Windows - scenario:memory_dump
- Linux
- macOS
related_concepts:
- Hash Functions & Digital Signatures
- Regular Expressions (Regex)
related_software: null
domain-agnostic-software: null
skillLevel: advanced
accessType: download
url: https://www.volatilityfoundation.org/
projectUrl: ''
license: VSL
knowledgebase: false
tags: tags:
- commandline - commandline
- memory - memory
@ -77,6 +68,16 @@ tools:
- artifact-extraction - artifact-extraction
- scripting - scripting
- process-analysis - process-analysis
related_concepts:
- Hash Functions & Digital Signatures
- Regular Expressions (Regex)
platforms:
- Windows
- Linux
- macOS
accessType: download
license: VSL
knowledgebase: false
- name: TheHive 5 - name: TheHive 5
icon: 🌐 icon: 🌐
type: software type: software
@ -1484,7 +1485,7 @@ tools:
icon: 📦 icon: 📦
type: software type: software
description: >- description: >-
Der Windows-Registry-Experte mit hunderten Plugins für automatisierte Der scenario:windows-registry-Experte mit hunderten Plugins für automatisierte
Analyse. Extrahiert USB-Historie, installierte Software, Analyse. Extrahiert USB-Historie, installierte Software,
Benutzeraktivitäten und Malware-Spuren. Die Plugin-Architektur erlaubt Benutzeraktivitäten und Malware-Spuren. Die Plugin-Architektur erlaubt
maßgeschneiderte Untersuchungen für spezielle Fälle. Spart Stunden maßgeschneiderte Untersuchungen für spezielle Fälle. Spart Stunden
@ -1753,7 +1754,7 @@ tools:
Windows-Forensik. Ermöglicht Remote-Zugriff auf Windows-Systeme für Windows-Forensik. Ermöglicht Remote-Zugriff auf Windows-Systeme für
Live-Forensik und IR. Die Skript-Sammlung deckt von SMB-Enumeration bis Live-Forensik und IR. Die Skript-Sammlung deckt von SMB-Enumeration bis
Kerberos-Attacks alles ab. Unverzichtbar für die Untersuchung von Lateral Kerberos-Attacks alles ab. Unverzichtbar für die Untersuchung von Lateral
Movement und Persistence. Movement und scenario:persistence.
domains: domains:
- incident-response - incident-response
- network-forensics - network-forensics
@ -2209,27 +2210,27 @@ domain-agnostic-software:
name: Betriebssysteme name: Betriebssysteme
description: Operating Systems which focus on forensics description: Operating Systems which focus on forensics
scenarios: scenarios:
- id: disk_imaging - id: scenario:disk_imaging
icon: 💽 icon: 💽
friendly_name: Datenträgerabbild friendly_name: Datenträgerabbild
- id: memory_dump - id: scenario:memory_dump
icon: 🧠 icon: 🧠
friendly_name: RAM-Analyse friendly_name: RAM-Analyse
- id: file_recovery - id: scenario:file_recovery
icon: 🗑️ icon: 🗑️
friendly_name: Datenrettung friendly_name: Datenrettung
- id: browser_history - id: scenario:browser_history
icon: 🌍 icon: 🌍
friendly_name: Browser-Spuren friendly_name: Browser-Spuren
- id: credential_theft - id: scenario:credential_theft
icon: 🛑 icon: 🛑
friendly_name: Zugangsdiebstahl friendly_name: Zugangsdiebstahl
- id: remote_access - id: scenario:remote_access
icon: 📡 icon: 📡
friendly_name: Fernzugriffe friendly_name: Fernzugriffe
- id: persistence - id: scenario:persistence
icon: ♻️ icon: ♻️
friendly_name: Persistenzsuche friendly_name: Persistenzsuche
- id: windows-registry - id: scenario:windows-registry
icon: 📜 icon: 📜
friendly_name: Registry-Analyse friendly_name: Registry-Analyse
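Review bot: The `scenario:` prefix looks like it was applied by a search-and-replace that also hit free-text descriptions: the `-1484` hunk now reads `Der scenario:windows-registry-Experte mit hunderten Plugins` and the `-1753` hunk `Movement und scenario:persistence.`, where the old side had `Der Windows-Registry-Experte` and `Movement und Persistence.`; both description lines should be restored to the original wording. Separately, the Volatility 3 entry in the `-55` hunk introduces a `scenarios:` key holding `- scenario:memory_dump`, but every consumer in the editor file of this commit (search, card rendering, export and validateYAML) now derives scenarios from `tags:` entries with the `scenario:` prefix and no longer reads `tool.scenarios`, so this entry is silently ignored and validation will not flag it. Moving `- scenario:memory_dump` under `tags:` matches how the Autopsy entry in the `-27` hunk is tagged. The same stray `scenarios:` key appears in the Volatility 3 entry of the last file section of this commit.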


@ -1,177 +1,83 @@
tools: tools:
- name: Rapid Incident Response Triage on macOS - name: Autopsy
icon: 📋
type: method
description: >-
Spezialisierte Methodik für die schnelle Incident Response auf
macOS-Systemen mit Fokus auf die Sammlung kritischer forensischer
Artefakte in unter einer Stunde. Adressiert die Lücke zwischen
Windows-zentrierten IR-Prozessen und macOS-spezifischen
Sicherheitsarchitekturen. Nutzt Tools wie Aftermath für effiziente
Datensammlung ohne zeitaufwändige Full-Disk-Images. Besonders wertvoll für
Unternehmensumgebungen mit gemischten Betriebssystem-Landschaften.
domains:
- incident-response
- static-investigations
- malware-analysis
phases:
- data-collection
- examination
platforms: []
related_concepts: null
related_software:
- Aftermath
domain-agnostic-software: null
skillLevel: intermediate
accessType: null
url: >-
https://www.sans.org/white-papers/rapid-incident-response-on-macos-actionable-insights-under-hour/
projectUrl: null
license: null
knowledgebase: null
tags:
- macos
- rapid-response
- triage
- incident-response
- aftermath
- enterprise
- methodology
- apple
- name: Aftermath
icon: 📦
type: software type: software
description: >- description: >-
Jamf's Open-Source-Tool für die schnelle Sammlung forensischer Artefakte Die führende Open-Source-Alternative zu kommerziellen Forensik-Suiten mit
auf macOS-Systemen. Sammelt kritische Daten wie Prozessinformationen, intuitiver grafischer Oberfläche. Besonders stark in der Timeline-Analyse,
Netzwerkverbindungen, Dateisystem-Metadaten und Systemkonfigurationen ohne Keyword-Suche und dem Carving gelöschter Dateien. Die modulare
Full-Disk-Imaging. Speziell entwickelt für die Rapid-Response-Triage in Plugin-Architektur erlaubt Erweiterungen für spezielle
Enterprise-Umgebungen mit macOS-Geräten. Normalisiert Zeitstempel und Untersuchungsszenarien. Zwar komplexer als kommerzielle Lösungen, aber
erstellt durchsuchbare Ausgabeformate für effiziente Analyse. dafür vollständig transparent und kostenfrei.
skillLevel: intermediate
url: https://www.autopsy.com/
icon: 📦
domains: domains:
- incident-response - incident-response
- static-investigations - static-investigations
- malware-analysis - malware-analysis
- mobile-forensics
- cloud-forensics
phases: phases:
- data-collection
- examination - examination
platforms: - analysis
- macOS tags:
- gui
- filesystem
- timeline-analysis
- carving
- artifact-extraction
- keyword-search
- scenario:file_recovery
- scenario:browser_history
related_concepts: related_concepts:
- SQL Query Fundamentals
- Hash Functions & Digital Signatures - Hash Functions & Digital Signatures
related_software: null platforms:
domain-agnostic-software: null - Windows
skillLevel: intermediate - Linux
accessType: download accessType: download
url: https://github.com/jamf/aftermath/
projectUrl: ''
license: Apache 2.0 license: Apache 2.0
knowledgebase: false knowledgebase: false
tags: - name: Volatility 3
- macos type: software
- incident-response
- triage
- artifact-collection
- rapid-response
- jamf
- enterprise
- commandline
- name: Regular Expressions (Regex)
icon: 🔤
type: concept
description: >- description: >-
Pattern matching language for searching, extracting, and manipulating Das Universalwerkzeug der Live-Forensik, unverzichtbar für die Analyse von
text. Essential for log analysis, malware signature creation, and data RAM-Dumps. Mit über 100 Plugins extrahiert es Prozesse,
extraction from unstructured sources. Forms the backbone of many forensic Netzwerkverbindungen, Registry-Keys und versteckte Malware aus dem
tools and custom scripts. Arbeitsspeicher. Die Python-basierte Architektur macht es flexibel
domains: erweiterbar, erfordert aber solide Kommandozeilen-Kenntnisse. Version 3
- incident-response bringt deutliche Performance-Verbesserungen und bessere
- malware-analysis Formatunterstützung.
- network-forensics skillLevel: advanced
- fraud-investigation url: https://www.volatilityfoundation.org/
phases: icon: 📦
- examination
- analysis
platforms: []
related_concepts: null
related_software: null
domain-agnostic-software: null
skillLevel: intermediate
accessType: null
url: https://regexr.com/
projectUrl: null
license: null
knowledgebase: true
tags:
- pattern-matching
- text-processing
- log-analysis
- string-manipulation
- search-algorithms
- name: SQL Query Fundamentals
icon: 🗃️
type: concept
description: >-
Structured Query Language for database interrogation and analysis.
Critical for examining application databases, SQLite artifacts from
mobile devices, and browser history databases. Enables complex
correlation and filtering of large datasets.
domains:
- incident-response
- mobile-forensics
- fraud-investigation
- cloud-forensics
phases:
- examination
- analysis
platforms: []
related_concepts: null
related_software: null
domain-agnostic-software: null
skillLevel: intermediate
accessType: null
url: https://www.w3schools.com/sql/
projectUrl: null
license: null
knowledgebase: false
tags:
- database-analysis
- query-language
- data-correlation
- mobile-artifacts
- browser-forensics
- name: Hash Functions & Digital Signatures
icon: 🔐
type: concept
description: >-
Cryptographic principles for data integrity verification and
authentication. Fundamental for evidence preservation, malware
identification, and establishing chain of custody. Understanding of MD5,
SHA, and digital signature validation.
domains: domains:
- incident-response - incident-response
- static-investigations - static-investigations
- malware-analysis - malware-analysis
- cloud-forensics - network-forensics
phases: phases:
- data-collection
- examination - examination
platforms: [] - analysis
related_concepts: null scenarios:
related_software: null - scenario:memory_dump
domain-agnostic-software: null
skillLevel: advanced
accessType: null
url: https://en.wikipedia.org/wiki/Cryptographic_hash_function
projectUrl: null
license: null
knowledgebase: false
tags: tags:
- cryptography - commandline
- data-integrity - memory
- evidence-preservation - malware-analysis
- malware-identification - artifact-extraction
- chain-of-custody - scripting
- process-analysis
related_concepts:
- Hash Functions & Digital Signatures
- Regular Expressions (Regex)
platforms:
- Windows
- Linux
- macOS
accessType: download
license: VSL
knowledgebase: false
domains: domains:
- id: incident-response - id: incident-response
name: Incident Response & Breach-Untersuchung name: Incident Response & Breach-Untersuchung
@ -212,9 +118,27 @@ domain-agnostic-software:
name: Betriebssysteme name: Betriebssysteme
description: Operating Systems which focus on forensics description: Operating Systems which focus on forensics
scenarios: scenarios:
- id: registry - id: scenario:disk_imaging
icon: 🗃️ icon: 💽
friendly_name: "Registry-Analyse" friendly_name: Datenträgerabbild
- id: memory-forensics - id: scenario:memory_dump
icon: 🧠 icon: 🧠
friendly_name: "Memory-Forensik" friendly_name: RAM-Analyse
- id: scenario:file_recovery
icon: 🗑️
friendly_name: Datenrettung
- id: scenario:browser_history
icon: 🌍
friendly_name: Browser-Spuren
- id: scenario:credential_theft
icon: 🛑
friendly_name: Zugangsdiebstahl
- id: scenario:remote_access
icon: 📡
friendly_name: Fernzugriffe
- id: scenario:persistence
icon: ♻️
friendly_name: Persistenzsuche
- id: scenario:windows-registry
icon: 📜
friendly_name: Registry-Analyse