change framework

2025-07-14 10:11:42 +02:00
parent d90b345819
commit 921abfb5b9
32 changed files with 6736 additions and 3848 deletions


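--- a/src/data/services.yaml
+++ b/src/data/services.yaml
@@ -1,85 +0,0 @@
-# File: ./src/data/services.yaml
-# Service Status Configuration
-# This file configures the services monitored on the status page
-# Connect to Uptime Kuma API for real-time data
-# Uptime Kuma Configuration
-uptimeKuma:
-enabled: false # Set to true when Uptime Kuma is configured
-apiUrl: "https://status.lab.local/api"
-apiKey: "" # Add your Uptime Kuma API key here
-refreshInterval: 30000 # Refresh every 30 seconds
-# Static service definitions (used when Uptime Kuma is not available)
-services:
-- id: timesketch
-name: "Timesketch Instance"
-description: "Collaborative forensic timeline analysis platform"
-url: "https://timesketch.lab.local"
-category: "Analysis Tools"
-status: "operational" # operational|degraded|maintenance|down
-uptime: "99.9%"
-responseTime: "245ms"
-lastChecked: "2025-01-15T10:30:00Z"
-- id: thehive
-name: "TheHive Platform"
-description: "Incident response and case management"
-url: "https://thehive.lab.local"
-category: "Case Management"
-status: "operational"
-uptime: "99.7%"
-responseTime: "180ms"
-lastChecked: "2025-01-15T10:30:00Z"
-- id: misp
-name: "MISP Instance"
-description: "Threat intelligence sharing platform"
-url: "https://misp.lab.local"
-category: "Threat Intelligence"
-status: "degraded"
-uptime: "98.2%"
-responseTime: "890ms"
-lastChecked: "2025-01-15T10:29:00Z"
-issues: "High response times due to database optimization"
-- id: elasticsearch
-name: "Elasticsearch Cluster"
-description: "Search and analytics engine"
-url: "https://elastic.lab.local"
-category: "Infrastructure"
-status: "operational"
-uptime: "99.8%"
-responseTime: "120ms"
-lastChecked: "2025-01-15T10:30:00Z"
-- id: neo4j
-name: "Neo4j Database"
-description: "Graph database for relationship analysis"
-url: "https://neo4j.lab.local"
-category: "Infrastructure"
-status: "maintenance"
-uptime: "97.1%"
-responseTime: "N/A"
-lastChecked: "2025-01-15T09:00:00Z"
-issues: "Scheduled maintenance window: 09:00-11:00 UTC"
-# Service categories for organization
-categories:
-- name: "Analysis Tools"
-description: "Forensic analysis and timeline tools"
-- name: "Case Management"
-description: "Incident response and case tracking"
-- name: "Threat Intelligence"
-description: "IOC sharing and threat analysis"
-- name: "Infrastructure"
-description: "Backend services and databases"
-# Overall status calculation
-overall:
-status: "partial_outage" # operational|degraded|partial_outage|major_outage
-message: "4 of 5 services operational • 1 service under maintenance"
-operationalCount: 3
-degradedCount: 1
-maintenanceCount: 1
-downCount: 0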


@@ -1,196 +1,312 @@
# File: ./src/data/tools.yaml
# DFIR Tools Database
# Edit this file to add, remove, or modify tools
# Structure: Each tool should have required fields marked with *
# Each tool can appear in multiple domains and phases
# Self-hosted services have isHosted: true and statusUrl for monitoring
tools:
- id: sleuthkit
name: "The Sleuth Kit" # * Display name
description: "Collection of command line tools for digital forensic analysis" # * Brief description
domains: # * Array of forensic domains
- "Filesystem Forensics"
phases: # * Array of DFIR phases
- "Examination"
- "Analysis"
platforms: # * Supported platforms
- "Linux"
- "Windows"
- "macOS"
skillLevel: "Intermediate" # * Beginner|Intermediate|Advanced
accessType: "CLI" # * CLI|GUI|Web|SaaS
url: "https://sleuthkit.org" # * Project homepage
tags: # Optional tags for search
- "timeline"
- "file-recovery"
- "metadata"
type: "FOSS" # * FOSS|SaaS
- id: volatility
name: "Volatility"
description: "Advanced memory forensics framework"
domains:
- "Memory Forensics"
- "Live Forensics"
- name: "Autopsy"
description: "Open source digital forensics platform with a graphical interface"
domains:
- "storage-file-system"
- "application-code"
phases:
- "Examination"
- "Analysis"
platforms:
- "Linux"
- "Windows"
- "macOS"
skillLevel: "Advanced"
accessType: "CLI"
url: "https://volatilityfoundation.org"
tags:
- "memory-analysis"
- "malware-detection"
- "process-analysis"
type: "FOSS"
- "examination"
- "analysis"
platforms: ["Windows", "Linux", "macOS"]
skillLevel: "intermediate"
accessType: "download"
url: "https://www.autopsy.com/"
license: "Apache 2.0"
tags: ["disk-forensics", "file-recovery", "timeline-analysis"]
isHosted: false
- id: wireshark
name: "Wireshark"
description: "Network protocol analyzer and packet capture tool"
- name: "Volatility 3"
description: "Advanced memory forensics framework for incident response and malware analysis"
domains:
- "Network Forensics"
- "memory-runtime"
phases:
- "Examination"
- "Reporting"
platforms:
- "Linux"
- "Windows"
- "macOS"
skillLevel: "Intermediate"
accessType: "GUI"
url: "https://wireshark.org"
tags:
- "packet-analysis"
- "network-traffic"
- "protocol-dissection"
type: "FOSS"
- "examination"
- "analysis"
platforms: ["Windows", "Linux", "macOS"]
skillLevel: "advanced"
accessType: "download"
url: "https://www.volatilityfoundation.org/"
license: "VSL"
tags: ["memory-forensics", "malware-analysis", "incident-response"]
isHosted: false
- id: plaso
name: "Plaso"
description: "Super timeline all the things"
- name: "TheHive"
description: "Security incident response platform for SOCs, CERTs and security teams"
domains:
- "Filesystem Forensics"
- "storage-file-system"
- "network-communication"
- "application-code"
phases:
- "Analysis"
- "Reporting"
platforms:
- "Linux"
- "Windows"
- "macOS"
skillLevel: "Advanced"
accessType: "CLI"
url: "https://plaso.readthedocs.io"
tags:
- "timeline"
- "log-analysis"
- "artifact-parsing"
type: "FOSS"
- "data-collection"
- "examination"
- "analysis"
- "reporting"
platforms: ["Web"]
skillLevel: "intermediate"
accessType: "self-hosted"
url: "https://thehive.example.lab"
license: "AGPL-3.0"
tags: ["incident-response", "case-management", "collaboration"]
isHosted: true
statusUrl: "https://uptime.example.lab/api/badge/1/status"
- id: yara
name: "YARA"
description: "Pattern matching engine for malware research"
- name: "MISP"
description: "Malware Information Sharing Platform for threat intelligence"
domains:
- "Malware Analysis"
- "Live Forensics"
- "network-communication"
- "application-code"
phases:
- "Data Collection"
- "Analysis"
platforms:
- "Linux"
- "Windows"
- "macOS"
skillLevel: "Advanced"
accessType: "CLI"
url: "https://virustotal.github.io/yara/"
tags:
- "pattern-matching"
- "malware-detection"
- "signatures"
type: "FOSS"
- "data-collection"
- "analysis"
- "reporting"
platforms: ["Web"]
skillLevel: "intermediate"
accessType: "self-hosted"
url: "https://misp.example.lab"
license: "AGPL-3.0"
tags: ["threat-intelligence", "ioc-sharing", "collaboration"]
isHosted: true
statusUrl: "https://uptime.example.lab/api/badge/2/status"
# Self-hosted services (what you call "SaaS Tools")
- id: timesketch
name: "Timesketch"
description: "Collaborative forensic timeline analysis"
- name: "Timesketch"
description: "Collaborative forensic timeline analysis platform"
domains:
- "Filesystem Forensics"
- "Network Forensics"
- "storage-file-system"
- "network-communication"
phases:
- "Analysis"
- "Reporting"
platforms:
- "Web"
skillLevel: "Intermediate"
accessType: "Web"
url: "https://timesketch.org"
tags:
- "timeline"
- "collaboration"
- "visualization"
type: "SaaS"
selfHosted: true
serviceUrl: "https://timesketch.lab.local" # Internal lab URL
- "analysis"
- "reporting"
platforms: ["Web"]
skillLevel: "intermediate"
accessType: "self-hosted"
url: "https://timesketch.example.lab"
license: "Apache 2.0"
tags: ["timeline-analysis", "collaboration", "visualization"]
isHosted: true
statusUrl: "https://uptime.example.lab/api/badge/3/status"
- id: thehive
name: "TheHive"
description: "Scalable incident response platform"
- name: "Wireshark"
description: "Network protocol analyzer for network troubleshooting and analysis"
domains:
- "Live Forensics"
- "network-communication"
phases:
- "Data Collection"
- "Analysis"
- "Reporting"
platforms:
- "Web"
skillLevel: "Intermediate"
accessType: "Web"
url: "https://thehive-project.org"
tags:
- "incident-response"
- "case-management"
- "collaboration"
type: "SaaS"
selfHosted: true
serviceUrl: "https://thehive.lab.local"
- "data-collection"
- "examination"
- "analysis"
platforms: ["Windows", "Linux", "macOS"]
skillLevel: "intermediate"
accessType: "download"
url: "https://www.wireshark.org/"
license: "GPL-2.0"
tags: ["network-analysis", "pcap", "protocol-analysis"]
isHosted: false
- id: misp
name: "MISP"
description: "Threat intelligence sharing platform"
- name: "EnCase"
description: "Commercial digital investigation platform"
domains:
- "Malware Analysis"
- "Live Forensics"
- "storage-file-system"
- "memory-runtime"
phases:
- "Analysis"
- "Reporting"
platforms:
- "Web"
skillLevel: "Advanced"
accessType: "Web"
url: "https://misp-project.org"
tags:
- "threat-intelligence"
- "ioc-sharing"
- "attribution"
type: "SaaS"
selfHosted: true
serviceUrl: "https://misp.lab.local"
- "data-collection"
- "examination"
- "analysis"
- "reporting"
platforms: ["Windows"]
skillLevel: "advanced"
accessType: "commercial"
url: "https://www.opentext.com/products/encase-forensic"
license: "Proprietary"
tags: ["commercial", "enterprise", "court-approved"]
isHosted: false
- name: "Cuckoo Sandbox"
description: "Automated malware analysis system using virtualization"
domains:
- "application-code"
- "network-communication"
phases:
- "examination"
- "analysis"
platforms: ["Linux"]
skillLevel: "advanced"
accessType: "self-hosted"
url: "https://cuckoosandbox.org/"
license: "GPL-3.0"
tags: ["malware-analysis", "sandbox", "dynamic-analysis"]
isHosted: true
statusUrl: ""
# Additional metadata
metadata:
lastUpdated: "2025-01-15"
totalTools: 8
domains:
- "Filesystem Forensics"
- "Network Forensics"
- "Memory Forensics"
- "Live Forensics"
- "Malware Analysis"
- "Cryptocurrency"
phases:
- "Data Collection"
- "Examination"
- "Analysis"
- "Reporting"
- name: "FTK Imager"
description: "Forensic imaging and preview tool by Exterro"
domains:
- "storage-file-system"
phases:
- "data-collection"
- "examination"
platforms: ["Windows"]
skillLevel: "intermediate"
accessType: "download"
url: "https://exterro.com/ftk-imager"
license: "Proprietary"
tags: ["disk-imaging", "preview", "data-acquisition"]
isHosted: false
- name: "GRR Rapid Response"
description: "Remote live forensics platform by Google"
domains:
- "platform-infrastructure"
- "storage-file-system"
phases:
- "data-collection"
- "examination"
platforms: ["Linux", "Windows"]
skillLevel: "advanced"
accessType: "self-hosted"
url: "https://github.com/google/grr"
license: "Apache 2.0"
tags: ["live-forensics", "remote-response", "dfir"]
isHosted: true
statusUrl: ""
- name: "Plaso (log2timeline)"
description: "Tool for automatic creation of timelines from various log files"
domains:
- "storage-file-system"
- "application-code"
phases:
- "analysis"
platforms: ["Linux", "Windows", "macOS"]
skillLevel: "intermediate"
accessType: "download"
url: "https://plaso.readthedocs.io/"
license: "Apache 2.0"
tags: ["timeline-analysis", "log-parsing", "dfir"]
isHosted: false
- name: "NetworkMiner"
description: "Network forensic analysis tool (NFAT)"
domains:
- "network-communication"
phases:
- "examination"
- "analysis"
platforms: ["Windows", "Linux (Mono)"]
skillLevel: "intermediate"
accessType: "download"
url: "https://www.netresec.com/?page=NetworkMiner"
license: "Freeware/Commercial"
tags: ["pcap-analysis", "passive-sniffing", "credential-recovery"]
isHosted: false
- name: "Redline"
description: "Memory and host analysis tool from FireEye"
domains:
- "memory-runtime"
- "application-code"
phases:
- "examination"
- "analysis"
platforms: ["Windows"]
skillLevel: "intermediate"
accessType: "download"
url: "https://www.mandiant.com/resources/download/redline"
license: "Proprietary"
tags: ["memory-analysis", "ioc-scan", "host-analysis"]
isHosted: false
- name: "KAPE"
description: "Triage tool to collect and parse forensic artifacts quickly"
domains:
- "storage-file-system"
- "platform-infrastructure"
phases:
- "data-collection"
- "analysis"
platforms: ["Windows"]
skillLevel: "intermediate"
accessType: "download"
url: "https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape"
license: "Freeware"
tags: ["triage", "artifact-collection", "parsing"]
isHosted: false
- name: "Velociraptor"
description: "Endpoint visibility and DFIR tool by Rapid7"
domains:
- "platform-infrastructure"
- "storage-file-system"
phases:
- "data-collection"
- "examination"
platforms: ["Windows", "Linux", "macOS"]
skillLevel: "advanced"
accessType: "self-hosted"
url: "https://www.velociraptor.app/"
license: "Apache 2.0"
tags: ["dfir", "hunting", "endpoint-monitoring"]
isHosted: true
statusUrl: ""
- name: "Arkime"
description: "Large-scale full packet capture and analysis"
domains:
- "network-communication"
phases:
- "data-collection"
- "analysis"
platforms: ["Linux"]
skillLevel: "advanced"
accessType: "self-hosted"
url: "https://arkime.com/"
license: "Apache 2.0"
tags: ["packet-capture", "full-packet-analysis", "network-forensics"]
isHosted: true
statusUrl: ""
- name: "X-Ways Forensics"
description: "Advanced work environment for computer forensic examiners"
domains:
- "storage-file-system"
phases:
- "examination"
- "analysis"
- "reporting"
platforms: ["Windows"]
skillLevel: "advanced"
accessType: "commercial"
url: "https://www.x-ways.net/forensics/"
license: "Proprietary"
tags: ["disk-forensics", "file-recovery", "commercial"]
isHosted: false
# Domain definitions for reference
domains:
- id: "storage-file-system"
name: "Storage & File System Artifacts"
- id: "memory-runtime"
name: "Memory & Runtime Artifacts"
- id: "network-communication"
name: "Network & Communication Artifacts"
- id: "application-code"
name: "Application & Code Artifacts"
- id: "multimedia-content"
name: "Multimedia & Content Artifacts"
- id: "transaction-financial"
name: "Transaction & Financial Artifacts"
- id: "platform-infrastructure"
name: "Platform & Infrastructure Artifacts"
# Phase definitions for reference
phases:
- id: "data-collection"
name: "Data Collection"
- id: "examination"
name: "Examination"
- id: "analysis"
name: "Analysis"
- id: "reporting"
name: "Reporting"
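Review bot: Four hosted entries on the new side (Cuckoo Sandbox, GRR Rapid Response, Velociraptor, Arkime) carry `isHosted: true` together with `statusUrl: ""`, while the file header says hosted services have a statusUrl for monitoring; an empty string is not "no monitor", and any consumer that fetches it will request an empty/relative URL or mis-classify the service, so write `statusUrl: null` (or omit the key) and state the rule in the header, e.g. `# statusUrl: Uptime Kuma badge endpoint, or null when no monitor exists yet; consumers must skip null`. The rendered page dropped the +/- markers, so this assumes the `- name:` entries are the added side. Those entries also drop the `id` field the old `- id:` entries had, leaving display names such as `Plaso (log2timeline)` as the only key for any lookup or anchor; if anything links to tools by id, an explicit `id:` per entry is worth keeping. `platforms: ["Windows", "Linux (Mono)"]` on NetworkMiner introduces a value outside the vocabulary used by every other entry, so a platform filter on `Linux` will silently miss it.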