diff --git a/.astro/data-store.json b/.astro/data-store.json
index c143cad..c4d4215 100644
--- a/.astro/data-store.json
+++ b/.astro/data-store.json
@@ -1 +1 @@
-[["Map",1,2,7,8],"meta::meta",["Map",3,4,5,6],"astro-version","5.12.3","astro-config-digest","{\"root\":{},\"srcDir\":{},\"publicDir\":{},\"outDir\":{},\"cacheDir\":{},\"compressHTML\":true,\"base\":\"/\",\"trailingSlash\":\"ignore\",\"output\":\"server\",\"scopedStyleStrategy\":\"attribute\",\"build\":{\"format\":\"directory\",\"client\":{},\"server\":{},\"assets\":\"_astro\",\"serverEntry\":\"entry.mjs\",\"redirects\":true,\"inlineStylesheets\":\"auto\",\"concurrency\":1},\"server\":{\"open\":false,\"host\":true,\"port\":4321,\"streaming\":true,\"allowedHosts\":[]},\"redirects\":{},\"image\":{\"endpoint\":{\"route\":\"/_image\",\"entrypoint\":\"astro/assets/endpoint/node\"},\"service\":{\"entrypoint\":\"astro/assets/services/sharp\",\"config\":{}},\"domains\":[],\"remotePatterns\":[],\"responsiveStyles\":false},\"devToolbar\":{\"enabled\":true},\"markdown\":{\"syntaxHighlight\":{\"type\":\"shiki\",\"excludeLangs\":[\"math\"]},\"shikiConfig\":{\"langs\":[],\"langAlias\":{},\"theme\":\"github-dark\",\"themes\":{},\"wrap\":false,\"transformers\":[]},\"remarkPlugins\":[],\"rehypePlugins\":[],\"remarkRehype\":{},\"gfm\":true,\"smartypants\":true},\"security\":{\"checkOrigin\":true},\"env\":{\"schema\":{},\"validateSecrets\":false},\"experimental\":{\"clientPrerender\":false,\"contentIntellisense\":false,\"headingIdCompat\":false,\"preserveScriptOrder\":false,\"liveContentCollections\":false,\"csp\":false,\"rawEnvValues\":false},\"legacy\":{\"collections\":false},\"session\":{\"driver\":\"fs-lite\",\"options\":{\"base\":\"/var/home/user01/Projekte/forensic-pathways/node_modules/.astro/sessions\"}}}","knowledgebase",["Map",9,10,100,101,149,150,223,224,288,289,344,345],"misp",{"id":9,"data":11,"body":35,"filePath":36,"digest":37,"rendered":38,"legacyId":99},{"title":12,"tool_name":13,"description":14,"last_updated":15,"author":16,"difficulty":17,"categories":18,"tags":24,"sections":31,"review_status":34},"MISP - Plattform für Threat Intelligence Sharing","MISP","Das Rückgrat des modernen Threat-Intelligence-Sharings mit über 40.000 aktiven Instanzen weltweit.",["Date","2025-07-20T00:00:00.000Z"],"Claude 4 Sonnet","intermediate",[19,20,21,22,23],"incident-response","static-investigations","malware-analysis","network-forensics","cloud-forensics",[25,26,27,28,29,30],"web-based","threat-intelligence","api","correlation","ioc-sharing","automation",{"overview":32,"installation":32,"configuration":32,"usage_examples":32,"best_practices":32,"troubleshooting":32,"advanced_topics":33},true,false,"published","> **⚠️ Hinweis**: Dies ist ein vorläufiger, KI-generierter Knowledgebase-Eintrag. Wir freuen uns über Verbesserungen und Ergänzungen durch die Community!\n\n\n# Übersicht\n\n**MISP (Malware Information Sharing Platform & Threat Sharing)** ist eine freie Open-Source-Plattform zur strukturierten Erfassung, Speicherung, Analyse und gemeinsamen Nutzung von Cyber-Bedrohungsdaten. Mit über 40.000 Instanzen weltweit ist MISP der De-facto-Standard für den Austausch von Indicators of Compromise (IoCs) und Threat Intelligence zwischen CERTs, SOCs, Strafverfolgungsbehörden und anderen sicherheitsrelevanten Organisationen.\n\nDie föderierte Architektur ermöglicht einen kontrollierten, dezentralen Austausch von Informationen über vertrauenswürdige Partner hinweg. Durch Taxonomien, Tags und integrierte APIs ist eine automatische Anreicherung, Korrelation und Verarbeitung von Informationen in SIEMs, Firewalls oder Endpoint-Lösungen möglich.\n\n## Installation\n\n### Voraussetzungen\n\n- **Server-Betriebssystem:** Linux (empfohlen: Debian/Ubuntu)\n- **Abhängigkeiten:** MariaDB/MySQL, PHP, Apache/Nginx, Redis\n- **Ressourcen:** Mindestens 4 GB RAM, SSD empfohlen\n\n### Installationsschritte\n\n```bash\n# Beispiel für Debian/Ubuntu:\nsudo apt update && sudo apt install -y curl gnupg git python3 python3-pip redis-server mariadb-server apache2 php libapache2-mod-php\n\n# MISP klonen\ngit clone https://github.com/MISP/MISP.git /var/www/MISP\n\n# Setup-Skript nutzen\ncd /var/www/MISP && bash INSTALL/INSTALL.debian.sh\n````\n\nWeitere Details: [Offizielle Installationsanleitung](https://misp.github.io/MISP/INSTALL.debian/)\n\n## Konfiguration\n\n### Webserver\n\n* HTTPS aktivieren (Let's Encrypt oder Reverse Proxy)\n* PHP-Konfiguration anpassen (`upload_max_filesize`, `memory_limit`, `post_max_size`)\n\n### Benutzerrollen\n\n* Administrator, Org-Admin, Analyst etc.\n* Zugriffsbeschränkungen nach Organisation/Feed definierbar\n\n### Feeds und Galaxies\n\n* Aktivierung von Feeds (z. B. CIRCL, Abuse.ch, OpenCTI)\n* Nutzung von Galaxies zur Klassifizierung (APT-Gruppen, Malware-Familien)\n\n## Verwendungsbeispiele\n\n### Beispiel 1: Import von IoCs aus externem Feed\n\n1. Feed aktivieren unter **Administration → List Feeds**\n2. Feed synchronisieren\n3. Ereignisse durchsuchen, analysieren, ggf. mit eigenen Daten korrelieren\n\n### Beispiel 2: Automatisierte Anbindung an SIEM\n\n* REST-API-Token erstellen\n* API-Calls zur Abfrage neuer Events (z. B. mit Python, Logstash oder MISP Workbench)\n* Integration in Security-Systeme über JSON/STIX export\n\n## Best Practices\n\n* Regelmäßige Backups der Datenbank\n* Taxonomien konsistent verwenden\n* Nutzung der Sighting-Funktion zur Validierung von IoCs\n* Vertrauensstufen (TLP, PAP) korrekt setzen\n* Nicht nur konsumieren – auch teilen!\n\n## Troubleshooting\n\n### Problem: MISP-Feeds laden nicht\n\n**Lösung:**\n\n* Internetverbindung prüfen\n* Cronjobs aktiv?\n* Logs prüfen: `/var/www/MISP/app/tmp/logs/error.log`\n\n### Problem: API gibt 403 zurück\n\n**Lösung:**\n\n* Ist der API-Key korrekt und aktiv?\n* Rechte des Benutzers überprüfen\n* IP-Filter im MISP-Backend beachten\n\n### Problem: Hohe Datenbanklast\n\n**Lösung:**\n\n* Indizes optimieren\n* Redis aktivieren\n* Alte Events regelmäßig archivieren oder löschen\n\n## Weiterführende Themen\n\n* STIX2-Import/Export\n* Erweiterungen mit MISP Modules (z. B. für Virustotal, YARA)\n* Föderierte Netzwerke und Community-Portale\n* Integration mit OpenCTI oder TheHive\n\n---\n\n**Links:**\n\n* 🌐 [Offizielle Projektseite](https://misp-project.org/)\n* 📦 [CC24-MISP-Instanz](https://misp.cc24.dev)\n* 📊 [Status-Monitoring](https://status.mikoshi.de/api/badge/34/status)\n\nLizenz: **AGPL-3.0**","src/content/knowledgebase/misp.md","35930fa919a46964",{"html":39,"metadata":40},"\u003Cblockquote>\n\u003Cp>\u003Cstrong>⚠️ Hinweis\u003C/strong>: Dies ist ein vorläufiger, KI-generierter Knowledgebase-Eintrag. Wir freuen uns über Verbesserungen und Ergänzungen durch die Community!\u003C/p>\n\u003C/blockquote>\n\u003Ch1 id=\"übersicht\">Übersicht\u003C/h1>\n\u003Cp>\u003Cstrong>MISP (Malware Information Sharing Platform & Threat Sharing)\u003C/strong> ist eine freie Open-Source-Plattform zur strukturierten Erfassung, Speicherung, Analyse und gemeinsamen Nutzung von Cyber-Bedrohungsdaten. Mit über 40.000 Instanzen weltweit ist MISP der De-facto-Standard für den Austausch von Indicators of Compromise (IoCs) und Threat Intelligence zwischen CERTs, SOCs, Strafverfolgungsbehörden und anderen sicherheitsrelevanten Organisationen.\u003C/p>\n\u003Cp>Die föderierte Architektur ermöglicht einen kontrollierten, dezentralen Austausch von Informationen über vertrauenswürdige Partner hinweg. Durch Taxonomien, Tags und integrierte APIs ist eine automatische Anreicherung, Korrelation und Verarbeitung von Informationen in SIEMs, Firewalls oder Endpoint-Lösungen möglich.\u003C/p>\n\u003Ch2 id=\"installation\">Installation\u003C/h2>\n\u003Ch3 id=\"voraussetzungen\">Voraussetzungen\u003C/h3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Server-Betriebssystem:\u003C/strong> Linux (empfohlen: Debian/Ubuntu)\u003C/li>\n\u003Cli>\u003Cstrong>Abhängigkeiten:\u003C/strong> MariaDB/MySQL, PHP, Apache/Nginx, Redis\u003C/li>\n\u003Cli>\u003Cstrong>Ressourcen:\u003C/strong> Mindestens 4 GB RAM, SSD empfohlen\u003C/li>\n\u003C/ul>\n\u003Ch3 id=\"installationsschritte\">Installationsschritte\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Beispiel für Debian/Ubuntu:\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">sudo\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> apt\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> update\u003C/span>\u003Cspan style=\"color:#E1E4E8\"> && \u003C/span>\u003Cspan style=\"color:#B392F0\">sudo\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> apt\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> install\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -y\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> curl\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> gnupg\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> git\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> python3\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> python3-pip\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> redis-server\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> mariadb-server\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> apache2\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> php\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> libapache2-mod-php\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># MISP klonen\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">git\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> clone\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> https://github.com/MISP/MISP.git\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /var/www/MISP\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Setup-Skript nutzen\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#79B8FF\">cd\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /var/www/MISP\u003C/span>\u003Cspan style=\"color:#E1E4E8\"> && \u003C/span>\u003Cspan style=\"color:#B392F0\">bash\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> INSTALL/INSTALL.debian.sh\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Cp>Weitere Details: \u003Ca href=\"https://misp.github.io/MISP/INSTALL.debian/\">Offizielle Installationsanleitung\u003C/a>\u003C/p>\n\u003Ch2 id=\"konfiguration\">Konfiguration\u003C/h2>\n\u003Ch3 id=\"webserver\">Webserver\u003C/h3>\n\u003Cul>\n\u003Cli>HTTPS aktivieren (Let’s Encrypt oder Reverse Proxy)\u003C/li>\n\u003Cli>PHP-Konfiguration anpassen (\u003Ccode>upload_max_filesize\u003C/code>, \u003Ccode>memory_limit\u003C/code>, \u003Ccode>post_max_size\u003C/code>)\u003C/li>\n\u003C/ul>\n\u003Ch3 id=\"benutzerrollen\">Benutzerrollen\u003C/h3>\n\u003Cul>\n\u003Cli>Administrator, Org-Admin, Analyst etc.\u003C/li>\n\u003Cli>Zugriffsbeschränkungen nach Organisation/Feed definierbar\u003C/li>\n\u003C/ul>\n\u003Ch3 id=\"feeds-und-galaxies\">Feeds und Galaxies\u003C/h3>\n\u003Cul>\n\u003Cli>Aktivierung von Feeds (z. B. CIRCL, Abuse.ch, OpenCTI)\u003C/li>\n\u003Cli>Nutzung von Galaxies zur Klassifizierung (APT-Gruppen, Malware-Familien)\u003C/li>\n\u003C/ul>\n\u003Ch2 id=\"verwendungsbeispiele\">Verwendungsbeispiele\u003C/h2>\n\u003Ch3 id=\"beispiel-1-import-von-iocs-aus-externem-feed\">Beispiel 1: Import von IoCs aus externem Feed\u003C/h3>\n\u003Col>\n\u003Cli>Feed aktivieren unter \u003Cstrong>Administration → List Feeds\u003C/strong>\u003C/li>\n\u003Cli>Feed synchronisieren\u003C/li>\n\u003Cli>Ereignisse durchsuchen, analysieren, ggf. mit eigenen Daten korrelieren\u003C/li>\n\u003C/ol>\n\u003Ch3 id=\"beispiel-2-automatisierte-anbindung-an-siem\">Beispiel 2: Automatisierte Anbindung an SIEM\u003C/h3>\n\u003Cul>\n\u003Cli>REST-API-Token erstellen\u003C/li>\n\u003Cli>API-Calls zur Abfrage neuer Events (z. B. mit Python, Logstash oder MISP Workbench)\u003C/li>\n\u003Cli>Integration in Security-Systeme über JSON/STIX export\u003C/li>\n\u003C/ul>\n\u003Ch2 id=\"best-practices\">Best Practices\u003C/h2>\n\u003Cul>\n\u003Cli>Regelmäßige Backups der Datenbank\u003C/li>\n\u003Cli>Taxonomien konsistent verwenden\u003C/li>\n\u003Cli>Nutzung der Sighting-Funktion zur Validierung von IoCs\u003C/li>\n\u003Cli>Vertrauensstufen (TLP, PAP) korrekt setzen\u003C/li>\n\u003Cli>Nicht nur konsumieren – auch teilen!\u003C/li>\n\u003C/ul>\n\u003Ch2 id=\"troubleshooting\">Troubleshooting\u003C/h2>\n\u003Ch3 id=\"problem-misp-feeds-laden-nicht\">Problem: MISP-Feeds laden nicht\u003C/h3>\n\u003Cp>\u003Cstrong>Lösung:\u003C/strong>\u003C/p>\n\u003Cul>\n\u003Cli>Internetverbindung prüfen\u003C/li>\n\u003Cli>Cronjobs aktiv?\u003C/li>\n\u003Cli>Logs prüfen: \u003Ccode>/var/www/MISP/app/tmp/logs/error.log\u003C/code>\u003C/li>\n\u003C/ul>\n\u003Ch3 id=\"problem-api-gibt-403-zurück\">Problem: API gibt 403 zurück\u003C/h3>\n\u003Cp>\u003Cstrong>Lösung:\u003C/strong>\u003C/p>\n\u003Cul>\n\u003Cli>Ist der API-Key korrekt und aktiv?\u003C/li>\n\u003Cli>Rechte des Benutzers überprüfen\u003C/li>\n\u003Cli>IP-Filter im MISP-Backend beachten\u003C/li>\n\u003C/ul>\n\u003Ch3 id=\"problem-hohe-datenbanklast\">Problem: Hohe Datenbanklast\u003C/h3>\n\u003Cp>\u003Cstrong>Lösung:\u003C/strong>\u003C/p>\n\u003Cul>\n\u003Cli>Indizes optimieren\u003C/li>\n\u003Cli>Redis aktivieren\u003C/li>\n\u003Cli>Alte Events regelmäßig archivieren oder löschen\u003C/li>\n\u003C/ul>\n\u003Ch2 id=\"weiterführende-themen\">Weiterführende Themen\u003C/h2>\n\u003Cul>\n\u003Cli>STIX2-Import/Export\u003C/li>\n\u003Cli>Erweiterungen mit MISP Modules (z. B. für Virustotal, YARA)\u003C/li>\n\u003Cli>Föderierte Netzwerke und Community-Portale\u003C/li>\n\u003Cli>Integration mit OpenCTI oder TheHive\u003C/li>\n\u003C/ul>\n\u003Chr>\n\u003Cp>\u003Cstrong>Links:\u003C/strong>\u003C/p>\n\u003Cul>\n\u003Cli>🌐 \u003Ca href=\"https://misp-project.org/\">Offizielle Projektseite\u003C/a>\u003C/li>\n\u003Cli>📦 \u003Ca href=\"https://misp.cc24.dev\">CC24-MISP-Instanz\u003C/a>\u003C/li>\n\u003Cli>📊 \u003Ca href=\"https://status.mikoshi.de/api/badge/34/status\">Status-Monitoring\u003C/a>\u003C/li>\n\u003C/ul>\n\u003Cp>Lizenz: \u003Cstrong>AGPL-3.0\u003C/strong>\u003C/p>",{"headings":41,"localImagePaths":96,"remoteImagePaths":97,"frontmatter":11,"imagePaths":98},[42,46,50,54,57,60,63,66,69,72,75,78,81,84,87,90,93],{"depth":43,"slug":44,"text":45},1,"übersicht","Übersicht",{"depth":47,"slug":48,"text":49},2,"installation","Installation",{"depth":51,"slug":52,"text":53},3,"voraussetzungen","Voraussetzungen",{"depth":51,"slug":55,"text":56},"installationsschritte","Installationsschritte",{"depth":47,"slug":58,"text":59},"konfiguration","Konfiguration",{"depth":51,"slug":61,"text":62},"webserver","Webserver",{"depth":51,"slug":64,"text":65},"benutzerrollen","Benutzerrollen",{"depth":51,"slug":67,"text":68},"feeds-und-galaxies","Feeds und Galaxies",{"depth":47,"slug":70,"text":71},"verwendungsbeispiele","Verwendungsbeispiele",{"depth":51,"slug":73,"text":74},"beispiel-1-import-von-iocs-aus-externem-feed","Beispiel 1: Import von IoCs aus externem Feed",{"depth":51,"slug":76,"text":77},"beispiel-2-automatisierte-anbindung-an-siem","Beispiel 2: Automatisierte Anbindung an SIEM",{"depth":47,"slug":79,"text":80},"best-practices","Best Practices",{"depth":47,"slug":82,"text":83},"troubleshooting","Troubleshooting",{"depth":51,"slug":85,"text":86},"problem-misp-feeds-laden-nicht","Problem: MISP-Feeds laden nicht",{"depth":51,"slug":88,"text":89},"problem-api-gibt-403-zurück","Problem: API gibt 403 zurück",{"depth":51,"slug":91,"text":92},"problem-hohe-datenbanklast","Problem: Hohe Datenbanklast",{"depth":47,"slug":94,"text":95},"weiterführende-themen","Weiterführende Themen",[],[],[],"misp.md","regular-expressions-regex",{"id":100,"data":102,"body":116,"filePath":117,"digest":118,"rendered":119,"legacyId":148},{"title":103,"tool_name":104,"description":105,"last_updated":106,"author":16,"difficulty":17,"categories":107,"tags":109,"sections":115,"review_status":34},"Regular Expressions (Regex) – Musterbasierte Textanalyse","Regular Expressions (Regex)","Pattern matching language für Suche, Extraktion und Manipulation von Text in forensischen Analysen.",["Date","2025-07-20T00:00:00.000Z"],[19,21,22,108],"fraud-investigation",[110,111,112,113,114],"pattern-matching","text-processing","log-analysis","string-manipulation","search-algorithms",{"overview":32,"installation":33,"configuration":33,"usage_examples":32,"best_practices":32,"troubleshooting":33,"advanced_topics":32},"> **⚠️ Hinweis**: Dies ist ein vorläufiger, KI-generierter Knowledgebase-Eintrag. Wir freuen uns über Verbesserungen und Ergänzungen durch die Community!\n\n\n# Übersicht\n\n**Regular Expressions (Regex)** sind ein leistungsfähiges Werkzeug zur Erkennung, Extraktion und Transformation von Zeichenfolgen anhand vordefinierter Muster. In der digitalen Forensik sind Regex-Ausdrücke unverzichtbar: Sie helfen beim Auffinden von IP-Adressen, Hash-Werten, Dateipfaden, Malware-Signaturen oder Kreditkartennummern in großen Mengen unstrukturierter Daten wie Logdateien, Netzwerktraces oder Memory Dumps.\n\nRegex ist nicht auf eine bestimmte Plattform oder Software beschränkt – es wird in nahezu allen gängigen Programmiersprachen, Texteditoren und forensischen Tools unterstützt.\n\n## Verwendungsbeispiele\n\n### 1. IP-Adressen extrahieren\n\n```regex\n\\b(?:\\d{1,3}\\.){3}\\d{1,3}\\b\n````\n\nVerwendung:\n\n* Finden von IP-Adressen in Firewall-Logs oder Packet Captures.\n* Beispiel-Zeile:\n\n  ```\n  Connection from 192.168.1.101 to port 443 established\n  ```\n\n### 2. E-Mail-Adressen identifizieren\n\n```regex\n[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}\n```\n\nVerwendung:\n\n* Erkennung von kompromittierten Accounts in Phishing-E-Mails.\n* Analyse von Useraktivitäten oder Kommunikationsverläufen.\n\n### 3. Hash-Werte erkennen (z. B. SHA-256)\n\n```regex\n\\b[A-Fa-f0-9]{64}\\b\n```\n\nVerwendung:\n\n* Extraktion von Malware-Hashes aus Memory Dumps oder YARA-Logs.\n\n### 4. Zeitstempel in Logdateien extrahieren\n\n```regex\n\\d{4}-\\d{2}-\\d{2}[ T]\\d{2}:\\d{2}:\\d{2}\n```\n\nVerwendung:\n\n* Zeitsensitive Korrelationsanalysen (z. B. bei Intrusion Detection oder Timeline-Rekonstruktionen).\n\n## Best Practices\n\n* **Regex testen**: Nutze Plattformen wie [regexr.com](https://regexr.com/) oder [regex101.com](https://regex101.com/) zur Validierung.\n* **Performance beachten**: Komplexe Ausdrücke können ineffizient sein und Systeme verlangsamen – verwende Lazy Quantifiers (`*?`, `+?`) bei Bedarf.\n* **Escape-Zeichen korrekt anwenden**: Spezielle Zeichen wie `.` oder `\\` müssen bei Bedarf mit `\\\\` oder `\\.` maskiert werden.\n* **Portabilität prüfen**: Unterschiedliche Regex-Engines (z. B. Python `re`, PCRE, JavaScript) interpretieren manche Syntax leicht unterschiedlich.\n* **Lesbarkeit fördern**: Verwende benannte Gruppen (`(?P\u003Cname>...)`) und Kommentare (`(?x)`), um reguläre Ausdrücke besser wartbar zu machen.\n\n## Weiterführende Themen\n\n### Lookaheads und Lookbehinds\n\nMit **Lookaheads** (`(?=...)`) und **Lookbehinds** (`(?\u003C=...)`) können Bedingungen formuliert werden, ohne dass der Text Teil des Matchs wird.\n\nBeispiel: Alle `.exe`-Dateinamen **ohne** das Wort `safe` davor matchen:\n\n```regex\n(?\u003C!safe\\s)[\\w-]+\\.exe\n```\n\n### Regex in Forensik-Tools\n\n* **YARA**: Unterstützt Regex zur Erstellung von Malware-Signaturen.\n* **Wireshark**: Filtert Payloads anhand von Regex-ähnlicher Syntax.\n* **Splunk & ELK**: Verwenden Regex für Logparsing und Visualisierung.\n* **Volatility Plugins**: Extrahieren Artefakte mit Regex-basierten Scans.\n\n---\n\n> 🔤 **Regex ist ein universelles Werkzeug für Analysten, Ermittler und Entwickler, um versteckte Informationen schnell und flexibel aufzuspüren.**\n>\n> Nutze es überall dort, wo Textdaten eine Rolle spielen.","src/content/knowledgebase/regular-expressions-regex.md","247bcf48ebdc9ba0",{"html":120,"metadata":121},"\u003Cblockquote>\n\u003Cp>\u003Cstrong>⚠️ Hinweis\u003C/strong>: Dies ist ein vorläufiger, KI-generierter Knowledgebase-Eintrag. Wir freuen uns über Verbesserungen und Ergänzungen durch die Community!\u003C/p>\n\u003C/blockquote>\n\u003Ch1 id=\"übersicht\">Übersicht\u003C/h1>\n\u003Cp>\u003Cstrong>Regular Expressions (Regex)\u003C/strong> sind ein leistungsfähiges Werkzeug zur Erkennung, Extraktion und Transformation von Zeichenfolgen anhand vordefinierter Muster. In der digitalen Forensik sind Regex-Ausdrücke unverzichtbar: Sie helfen beim Auffinden von IP-Adressen, Hash-Werten, Dateipfaden, Malware-Signaturen oder Kreditkartennummern in großen Mengen unstrukturierter Daten wie Logdateien, Netzwerktraces oder Memory Dumps.\u003C/p>\n\u003Cp>Regex ist nicht auf eine bestimmte Plattform oder Software beschränkt – es wird in nahezu allen gängigen Programmiersprachen, Texteditoren und forensischen Tools unterstützt.\u003C/p>\n\u003Ch2 id=\"verwendungsbeispiele\">Verwendungsbeispiele\u003C/h2>\n\u003Ch3 id=\"1-ip-adressen-extrahieren\">1. IP-Adressen extrahieren\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"regex\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#79B8FF\">\\b(?:\\d\u003C/span>\u003Cspan style=\"color:#F97583\">{1,3}\u003C/span>\u003Cspan style=\"color:#79B8FF\">\\.)\u003C/span>\u003Cspan style=\"color:#F97583\">{3}\u003C/span>\u003Cspan style=\"color:#79B8FF\">\\d\u003C/span>\u003Cspan style=\"color:#F97583\">{1,3}\u003C/span>\u003Cspan style=\"color:#79B8FF\">\\b\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Cp>Verwendung:\u003C/p>\n\u003Cul>\n\u003Cli>\n\u003Cp>Finden von IP-Adressen in Firewall-Logs oder Packet Captures.\u003C/p>\n\u003C/li>\n\u003Cli>\n\u003Cp>Beispiel-Zeile:\u003C/p>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"plaintext\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan>Connection from 192.168.1.101 to port 443 established\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003C/li>\n\u003C/ul>\n\u003Ch3 id=\"2-e-mail-adressen-identifizieren\">2. E-Mail-Adressen identifizieren\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"regex\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#79B8FF\">[a-zA-Z0-9._%+-]\u003C/span>\u003Cspan style=\"color:#F97583\">+\u003C/span>\u003Cspan style=\"color:#DBEDFF\">@\u003C/span>\u003Cspan style=\"color:#79B8FF\">[a-zA-Z0-9.-]\u003C/span>\u003Cspan style=\"color:#F97583\">+\u003C/span>\u003Cspan style=\"color:#79B8FF\">\\.[a-zA-Z]\u003C/span>\u003Cspan style=\"color:#F97583\">{2,}\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Cp>Verwendung:\u003C/p>\n\u003Cul>\n\u003Cli>Erkennung von kompromittierten Accounts in Phishing-E-Mails.\u003C/li>\n\u003Cli>Analyse von Useraktivitäten oder Kommunikationsverläufen.\u003C/li>\n\u003C/ul>\n\u003Ch3 id=\"3-hash-werte-erkennen-zb-sha-256\">3. Hash-Werte erkennen (z. B. SHA-256)\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"regex\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#79B8FF\">\\b[A-Fa-f0-9]\u003C/span>\u003Cspan style=\"color:#F97583\">{64}\u003C/span>\u003Cspan style=\"color:#79B8FF\">\\b\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Cp>Verwendung:\u003C/p>\n\u003Cul>\n\u003Cli>Extraktion von Malware-Hashes aus Memory Dumps oder YARA-Logs.\u003C/li>\n\u003C/ul>\n\u003Ch3 id=\"4-zeitstempel-in-logdateien-extrahieren\">4. Zeitstempel in Logdateien extrahieren\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"regex\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#79B8FF\">\\d\u003C/span>\u003Cspan style=\"color:#F97583\">{4}\u003C/span>\u003Cspan style=\"color:#DBEDFF\">-\u003C/span>\u003Cspan style=\"color:#79B8FF\">\\d\u003C/span>\u003Cspan style=\"color:#F97583\">{2}\u003C/span>\u003Cspan style=\"color:#DBEDFF\">-\u003C/span>\u003Cspan style=\"color:#79B8FF\">\\d\u003C/span>\u003Cspan style=\"color:#F97583\">{2}\u003C/span>\u003Cspan style=\"color:#79B8FF\">[ T]\\d\u003C/span>\u003Cspan style=\"color:#F97583\">{2}\u003C/span>\u003Cspan style=\"color:#DBEDFF\">:\u003C/span>\u003Cspan style=\"color:#79B8FF\">\\d\u003C/span>\u003Cspan style=\"color:#F97583\">{2}\u003C/span>\u003Cspan style=\"color:#DBEDFF\">:\u003C/span>\u003Cspan style=\"color:#79B8FF\">\\d\u003C/span>\u003Cspan style=\"color:#F97583\">{2}\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Cp>Verwendung:\u003C/p>\n\u003Cul>\n\u003Cli>Zeitsensitive Korrelationsanalysen (z. B. bei Intrusion Detection oder Timeline-Rekonstruktionen).\u003C/li>\n\u003C/ul>\n\u003Ch2 id=\"best-practices\">Best Practices\u003C/h2>\n\u003Cul>\n\u003Cli>\u003Cstrong>Regex testen\u003C/strong>: Nutze Plattformen wie \u003Ca href=\"https://regexr.com/\">regexr.com\u003C/a> oder \u003Ca href=\"https://regex101.com/\">regex101.com\u003C/a> zur Validierung.\u003C/li>\n\u003Cli>\u003Cstrong>Performance beachten\u003C/strong>: Komplexe Ausdrücke können ineffizient sein und Systeme verlangsamen – verwende Lazy Quantifiers (\u003Ccode>*?\u003C/code>, \u003Ccode>+?\u003C/code>) bei Bedarf.\u003C/li>\n\u003Cli>\u003Cstrong>Escape-Zeichen korrekt anwenden\u003C/strong>: Spezielle Zeichen wie \u003Ccode>.\u003C/code> oder \u003Ccode>\\\u003C/code> müssen bei Bedarf mit \u003Ccode>\\\\\u003C/code> oder \u003Ccode>\\.\u003C/code> maskiert werden.\u003C/li>\n\u003Cli>\u003Cstrong>Portabilität prüfen\u003C/strong>: Unterschiedliche Regex-Engines (z. B. Python \u003Ccode>re\u003C/code>, PCRE, JavaScript) interpretieren manche Syntax leicht unterschiedlich.\u003C/li>\n\u003Cli>\u003Cstrong>Lesbarkeit fördern\u003C/strong>: Verwende benannte Gruppen (\u003Ccode>(?P<name>...)\u003C/code>) und Kommentare (\u003Ccode>(?x)\u003C/code>), um reguläre Ausdrücke besser wartbar zu machen.\u003C/li>\n\u003C/ul>\n\u003Ch2 id=\"weiterführende-themen\">Weiterführende Themen\u003C/h2>\n\u003Ch3 id=\"lookaheads-und-lookbehinds\">Lookaheads und Lookbehinds\u003C/h3>\n\u003Cp>Mit \u003Cstrong>Lookaheads\u003C/strong> (\u003Ccode>(?=...)\u003C/code>) und \u003Cstrong>Lookbehinds\u003C/strong> (\u003Ccode>(?<=...)\u003C/code>) können Bedingungen formuliert werden, ohne dass der Text Teil des Matchs wird.\u003C/p>\n\u003Cp>Beispiel: Alle \u003Ccode>.exe\u003C/code>-Dateinamen \u003Cstrong>ohne\u003C/strong> das Wort \u003Ccode>safe\u003C/code> davor matchen:\u003C/p>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"regex\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#F97583\">(?<!\u003C/span>\u003Cspan style=\"color:#DBEDFF\">safe\u003C/span>\u003Cspan style=\"color:#79B8FF\">\\s\u003C/span>\u003Cspan style=\"color:#F97583\">)\u003C/span>\u003Cspan style=\"color:#79B8FF\">[\\w-]\u003C/span>\u003Cspan style=\"color:#F97583\">+\u003C/span>\u003Cspan style=\"color:#79B8FF\">\\.\u003C/span>\u003Cspan style=\"color:#DBEDFF\">exe\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"regex-in-forensik-tools\">Regex in Forensik-Tools\u003C/h3>\n\u003Cul>\n\u003Cli>\u003Cstrong>YARA\u003C/strong>: Unterstützt Regex zur Erstellung von Malware-Signaturen.\u003C/li>\n\u003Cli>\u003Cstrong>Wireshark\u003C/strong>: Filtert Payloads anhand von Regex-ähnlicher Syntax.\u003C/li>\n\u003Cli>\u003Cstrong>Splunk & ELK\u003C/strong>: Verwenden Regex für Logparsing und Visualisierung.\u003C/li>\n\u003Cli>\u003Cstrong>Volatility Plugins\u003C/strong>: Extrahieren Artefakte mit Regex-basierten Scans.\u003C/li>\n\u003C/ul>\n\u003Chr>\n\u003Cblockquote>\n\u003Cp>🔤 \u003Cstrong>Regex ist ein universelles Werkzeug für Analysten, Ermittler und Entwickler, um versteckte Informationen schnell und flexibel aufzuspüren.\u003C/strong>\u003C/p>\n\u003Cp>Nutze es überall dort, wo Textdaten eine Rolle spielen.\u003C/p>\n\u003C/blockquote>",{"headings":122,"localImagePaths":145,"remoteImagePaths":146,"frontmatter":102,"imagePaths":147},[123,124,125,128,131,134,137,138,139,142],{"depth":43,"slug":44,"text":45},{"depth":47,"slug":70,"text":71},{"depth":51,"slug":126,"text":127},"1-ip-adressen-extrahieren","1. IP-Adressen extrahieren",{"depth":51,"slug":129,"text":130},"2-e-mail-adressen-identifizieren","2. E-Mail-Adressen identifizieren",{"depth":51,"slug":132,"text":133},"3-hash-werte-erkennen-zb-sha-256","3. Hash-Werte erkennen (z. B. SHA-256)",{"depth":51,"slug":135,"text":136},"4-zeitstempel-in-logdateien-extrahieren","4. Zeitstempel in Logdateien extrahieren",{"depth":47,"slug":79,"text":80},{"depth":47,"slug":94,"text":95},{"depth":51,"slug":140,"text":141},"lookaheads-und-lookbehinds","Lookaheads und Lookbehinds",{"depth":51,"slug":143,"text":144},"regex-in-forensik-tools","Regex in Forensik-Tools",[],[],[],"regular-expressions-regex.md","kali-linux",{"id":149,"data":151,"body":166,"filePath":167,"digest":168,"rendered":169,"legacyId":222},{"title":152,"tool_name":153,"description":154,"last_updated":155,"author":16,"difficulty":17,"categories":156,"tags":159,"sections":165,"review_status":34},"Kali Linux - Die Hacker-Distribution für Forensik & Penetration Testing","Kali Linux","Leitfaden zur Installation, Nutzung und Best Practices für Kali Linux – die All-in-One-Plattform für Security-Profis.",["Date","2025-07-20T00:00:00.000Z"],[19,157,158],"forensics","penetration-testing",[160,161,158,162,163,164],"live-boot","tool-collection","forensics-suite","virtualization","arm-support",{"overview":32,"installation":32,"configuration":32,"usage_examples":32,"best_practices":32,"troubleshooting":32,"advanced_topics":32},"> **⚠️ Hinweis**: Dies ist ein vorläufiger, KI-generierter Knowledgebase-Eintrag. Wir freuen uns über Verbesserungen und Ergänzungen durch die Community!\n\n\n# Übersicht\n\nKali Linux ist eine auf Debian basierende Linux-Distribution, die speziell für Penetration Testing, digitale Forensik, Reverse Engineering und Incident Response entwickelt wurde. Mit über 600 vorinstallierten Tools ist sie ein unverzichtbares Werkzeug für Security-Experten, Ermittler und forensische Analysten. Die Live-Boot-Funktion erlaubt es, Systeme ohne Spuren zu hinterlassen zu analysieren – ideal für forensische Untersuchungen.\n\n## Installation\n\n### Option 1: Live-System (USB/DVD)\n\n1. ISO-Image von [kali.org](https://www.kali.org/get-kali/) herunterladen.\n2. Mit **Rufus** oder **balenaEtcher** auf einen USB-Stick schreiben.\n3. Vom USB-Stick booten (ggf. Boot-Reihenfolge im BIOS anpassen).\n4. Kali kann direkt ohne Installation im Live-Modus verwendet werden.\n\n### Option 2: Installation auf Festplatte\n\n1. ISO-Image booten und **Graphical Install** wählen.\n2. Schritt-für-Schritt durch den Installationsassistenten navigieren:\n   - Sprache, Zeitzone und Tastaturlayout auswählen\n   - Partitionierung konfigurieren (automatisch oder manuell)\n   - Benutzerkonten erstellen\n3. Nach Installation Neustart durchführen.\n\n### Option 3: Virtuelle Maschine (VM)\n\n- Offizielle VM-Images für VirtualBox und VMware von der [Kali-Website](https://www.kali.org/get-kali/#kali-virtual-machines)\n- Importieren, ggf. Netzwerkbrücke und Shared Folders aktivieren\n\n## Konfiguration\n\n### Netzwerkeinstellungen\n\n- Konfiguration über `nmtui` oder `/etc/network/interfaces`\n- VPN und Proxy-Integration über GUI oder Terminal\n\n### Updates & Paketquellen\n\n```bash\nsudo apt update && sudo apt full-upgrade\n````\n\n> Hinweis: `kali-rolling` ist die Standard-Distribution für kontinuierliche Updates.\n\n### Sprache & Lokalisierung\n\n```bash\nsudo dpkg-reconfigure locales\nsudo dpkg-reconfigure keyboard-configuration\n```\n\n## Verwendungsbeispiele\n\n### 1. Netzwerkscan mit Nmap\n\n```bash\nnmap -sS -T4 -A 192.168.1.0/24\n```\n\n### 2. Passwort-Cracking mit John the Ripper\n\n```bash\njohn --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt\n```\n\n### 3. Forensik mit Autopsy\n\n```bash\nautopsy &\n```\n\n### 4. Android-Analyse mit MobSF (in Docker)\n\n```bash\ndocker pull opensecurity/mobile-security-framework-mobsf\ndocker run -it -p 8000:8000 mobsf\n```\n\n## Best Practices\n\n* Nutze immer **aktuelle Snapshots** oder VM-Clones vor gefährlichen Tests\n* Verwende separate Netzwerke (z. B. Host-only oder NAT) für Tests\n* Deaktiviere automatisches WLAN bei forensischen Analysen\n* Prüfe und aktualisiere regelmäßig Toolsets (`apt`, `git`, `pip`)\n* Halte deine ISO-Images versioniert für forensische Reproduzierbarkeit\n\n## Troubleshooting\n\n### Problem: Keine Internetverbindung nach Installation\n\n**Lösung:** Netzwerkadapter prüfen, ggf. mit `ifconfig` oder `ip a` überprüfen, DHCP aktivieren.\n\n### Problem: Tools fehlen nach Update\n\n**Lösung:** Tool-Gruppen wie `kali-linux-default` manuell nachinstallieren:\n\n```bash\nsudo apt install kali-linux-default\n```\n\n### Problem: „Permission Denied“ bei Tools\n\n**Lösung:** Root-Rechte nutzen oder mit `sudo` ausführen.\n\n## Weiterführende Themen\n\n* **Kustomisierung von Kali ISOs** mit `live-build`\n* **NetHunter**: Kali für mobile Geräte (Android)\n* **Kali Purple**: Defensive Security Suite\n* Integration mit **Cloud-Infrastrukturen** via WSL oder Azure\n\n---\n\n**Links & Ressourcen:**\n\n* Offizielle Website: [https://kali.org](https://kali.org/)\n* Dokumentation: [https://docs.kali.org/](https://docs.kali.org/)\n* GitLab Repo: [https://gitlab.com/kalilinux](https://gitlab.com/kalilinux)\n* Discord-Community: [https://discord.com/invite/kali-linux](https://discord.com/invite/kali-linux)","src/content/knowledgebase/kali-linux.md","09243ebc79d75dbc",{"html":170,"metadata":171},"\u003Cblockquote>\n\u003Cp>\u003Cstrong>⚠️ Hinweis\u003C/strong>: Dies ist ein vorläufiger, KI-generierter Knowledgebase-Eintrag. Wir freuen uns über Verbesserungen und Ergänzungen durch die Community!\u003C/p>\n\u003C/blockquote>\n\u003Ch1 id=\"übersicht\">Übersicht\u003C/h1>\n\u003Cp>Kali Linux ist eine auf Debian basierende Linux-Distribution, die speziell für Penetration Testing, digitale Forensik, Reverse Engineering und Incident Response entwickelt wurde. Mit über 600 vorinstallierten Tools ist sie ein unverzichtbares Werkzeug für Security-Experten, Ermittler und forensische Analysten. Die Live-Boot-Funktion erlaubt es, Systeme ohne Spuren zu hinterlassen zu analysieren – ideal für forensische Untersuchungen.\u003C/p>\n\u003Ch2 id=\"installation\">Installation\u003C/h2>\n\u003Ch3 id=\"option-1-live-system-usbdvd\">Option 1: Live-System (USB/DVD)\u003C/h3>\n\u003Col>\n\u003Cli>ISO-Image von \u003Ca href=\"https://www.kali.org/get-kali/\">kali.org\u003C/a> herunterladen.\u003C/li>\n\u003Cli>Mit \u003Cstrong>Rufus\u003C/strong> oder \u003Cstrong>balenaEtcher\u003C/strong> auf einen USB-Stick schreiben.\u003C/li>\n\u003Cli>Vom USB-Stick booten (ggf. Boot-Reihenfolge im BIOS anpassen).\u003C/li>\n\u003Cli>Kali kann direkt ohne Installation im Live-Modus verwendet werden.\u003C/li>\n\u003C/ol>\n\u003Ch3 id=\"option-2-installation-auf-festplatte\">Option 2: Installation auf Festplatte\u003C/h3>\n\u003Col>\n\u003Cli>ISO-Image booten und \u003Cstrong>Graphical Install\u003C/strong> wählen.\u003C/li>\n\u003Cli>Schritt-für-Schritt durch den Installationsassistenten navigieren:\n\u003Cul>\n\u003Cli>Sprache, Zeitzone und Tastaturlayout auswählen\u003C/li>\n\u003Cli>Partitionierung konfigurieren (automatisch oder manuell)\u003C/li>\n\u003Cli>Benutzerkonten erstellen\u003C/li>\n\u003C/ul>\n\u003C/li>\n\u003Cli>Nach Installation Neustart durchführen.\u003C/li>\n\u003C/ol>\n\u003Ch3 id=\"option-3-virtuelle-maschine-vm\">Option 3: Virtuelle Maschine (VM)\u003C/h3>\n\u003Cul>\n\u003Cli>Offizielle VM-Images für VirtualBox und VMware von der \u003Ca href=\"https://www.kali.org/get-kali/#kali-virtual-machines\">Kali-Website\u003C/a>\u003C/li>\n\u003Cli>Importieren, ggf. Netzwerkbrücke und Shared Folders aktivieren\u003C/li>\n\u003C/ul>\n\u003Ch2 id=\"konfiguration\">Konfiguration\u003C/h2>\n\u003Ch3 id=\"netzwerkeinstellungen\">Netzwerkeinstellungen\u003C/h3>\n\u003Cul>\n\u003Cli>Konfiguration über \u003Ccode>nmtui\u003C/code> oder \u003Ccode>/etc/network/interfaces\u003C/code>\u003C/li>\n\u003Cli>VPN und Proxy-Integration über GUI oder Terminal\u003C/li>\n\u003C/ul>\n\u003Ch3 id=\"updates--paketquellen\">Updates & Paketquellen\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">sudo\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> apt\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> update\u003C/span>\u003Cspan style=\"color:#E1E4E8\"> && \u003C/span>\u003Cspan style=\"color:#B392F0\">sudo\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> apt\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> full-upgrade\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Cblockquote>\n\u003Cp>Hinweis: \u003Ccode>kali-rolling\u003C/code> ist die Standard-Distribution für kontinuierliche Updates.\u003C/p>\n\u003C/blockquote>\n\u003Ch3 id=\"sprache--lokalisierung\">Sprache & Lokalisierung\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">sudo\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> dpkg-reconfigure\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> locales\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">sudo\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> dpkg-reconfigure\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> keyboard-configuration\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch2 id=\"verwendungsbeispiele\">Verwendungsbeispiele\u003C/h2>\n\u003Ch3 id=\"1-netzwerkscan-mit-nmap\">1. Netzwerkscan mit Nmap\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">nmap\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -sS\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -T4\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -A\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> 192.168.1.0/24\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"2-passwort-cracking-mit-john-the-ripper\">2. Passwort-Cracking mit John the Ripper\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">john\u003C/span>\u003Cspan style=\"color:#79B8FF\"> --wordlist=/usr/share/wordlists/rockyou.txt\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> hashes.txt\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"3-forensik-mit-autopsy\">3. Forensik mit Autopsy\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">autopsy\u003C/span>\u003Cspan style=\"color:#E1E4E8\"> &\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"4-android-analyse-mit-mobsf-in-docker\">4. Android-Analyse mit MobSF (in Docker)\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">docker\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> pull\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> opensecurity/mobile-security-framework-mobsf\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">docker\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> run\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -it\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -p\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> 8000:8000\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> mobsf\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch2 id=\"best-practices\">Best Practices\u003C/h2>\n\u003Cul>\n\u003Cli>Nutze immer \u003Cstrong>aktuelle Snapshots\u003C/strong> oder VM-Clones vor gefährlichen Tests\u003C/li>\n\u003Cli>Verwende separate Netzwerke (z. B. Host-only oder NAT) für Tests\u003C/li>\n\u003Cli>Deaktiviere automatisches WLAN bei forensischen Analysen\u003C/li>\n\u003Cli>Prüfe und aktualisiere regelmäßig Toolsets (\u003Ccode>apt\u003C/code>, \u003Ccode>git\u003C/code>, \u003Ccode>pip\u003C/code>)\u003C/li>\n\u003Cli>Halte deine ISO-Images versioniert für forensische Reproduzierbarkeit\u003C/li>\n\u003C/ul>\n\u003Ch2 id=\"troubleshooting\">Troubleshooting\u003C/h2>\n\u003Ch3 id=\"problem-keine-internetverbindung-nach-installation\">Problem: Keine Internetverbindung nach Installation\u003C/h3>\n\u003Cp>\u003Cstrong>Lösung:\u003C/strong> Netzwerkadapter prüfen, ggf. mit \u003Ccode>ifconfig\u003C/code> oder \u003Ccode>ip a\u003C/code> überprüfen, DHCP aktivieren.\u003C/p>\n\u003Ch3 id=\"problem-tools-fehlen-nach-update\">Problem: Tools fehlen nach Update\u003C/h3>\n\u003Cp>\u003Cstrong>Lösung:\u003C/strong> Tool-Gruppen wie \u003Ccode>kali-linux-default\u003C/code> manuell nachinstallieren:\u003C/p>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">sudo\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> apt\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> install\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> kali-linux-default\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"problem-permission-denied-bei-tools\">Problem: „Permission Denied“ bei Tools\u003C/h3>\n\u003Cp>\u003Cstrong>Lösung:\u003C/strong> Root-Rechte nutzen oder mit \u003Ccode>sudo\u003C/code> ausführen.\u003C/p>\n\u003Ch2 id=\"weiterführende-themen\">Weiterführende Themen\u003C/h2>\n\u003Cul>\n\u003Cli>\u003Cstrong>Kustomisierung von Kali ISOs\u003C/strong> mit \u003Ccode>live-build\u003C/code>\u003C/li>\n\u003Cli>\u003Cstrong>NetHunter\u003C/strong>: Kali für mobile Geräte (Android)\u003C/li>\n\u003Cli>\u003Cstrong>Kali Purple\u003C/strong>: Defensive Security Suite\u003C/li>\n\u003Cli>Integration mit \u003Cstrong>Cloud-Infrastrukturen\u003C/strong> via WSL oder Azure\u003C/li>\n\u003C/ul>\n\u003Chr>\n\u003Cp>\u003Cstrong>Links & Ressourcen:\u003C/strong>\u003C/p>\n\u003Cul>\n\u003Cli>Offizielle Website: \u003Ca href=\"https://kali.org/\">https://kali.org\u003C/a>\u003C/li>\n\u003Cli>Dokumentation: \u003Ca href=\"https://docs.kali.org/\">https://docs.kali.org/\u003C/a>\u003C/li>\n\u003Cli>GitLab Repo: \u003Ca href=\"https://gitlab.com/kalilinux\">https://gitlab.com/kalilinux\u003C/a>\u003C/li>\n\u003Cli>Discord-Community: \u003Ca href=\"https://discord.com/invite/kali-linux\">https://discord.com/invite/kali-linux\u003C/a>\u003C/li>\n\u003C/ul>",{"headings":172,"localImagePaths":219,"remoteImagePaths":220,"frontmatter":151,"imagePaths":221},[173,174,175,178,181,184,185,188,191,194,195,198,201,204,207,208,209,212,215,218],{"depth":43,"slug":44,"text":45},{"depth":47,"slug":48,"text":49},{"depth":51,"slug":176,"text":177},"option-1-live-system-usbdvd","Option 1: Live-System (USB/DVD)",{"depth":51,"slug":179,"text":180},"option-2-installation-auf-festplatte","Option 2: Installation auf Festplatte",{"depth":51,"slug":182,"text":183},"option-3-virtuelle-maschine-vm","Option 3: Virtuelle Maschine (VM)",{"depth":47,"slug":58,"text":59},{"depth":51,"slug":186,"text":187},"netzwerkeinstellungen","Netzwerkeinstellungen",{"depth":51,"slug":189,"text":190},"updates--paketquellen","Updates & Paketquellen",{"depth":51,"slug":192,"text":193},"sprache--lokalisierung","Sprache & Lokalisierung",{"depth":47,"slug":70,"text":71},{"depth":51,"slug":196,"text":197},"1-netzwerkscan-mit-nmap","1. Netzwerkscan mit Nmap",{"depth":51,"slug":199,"text":200},"2-passwort-cracking-mit-john-the-ripper","2. Passwort-Cracking mit John the Ripper",{"depth":51,"slug":202,"text":203},"3-forensik-mit-autopsy","3. Forensik mit Autopsy",{"depth":51,"slug":205,"text":206},"4-android-analyse-mit-mobsf-in-docker","4. Android-Analyse mit MobSF (in Docker)",{"depth":47,"slug":79,"text":80},{"depth":47,"slug":82,"text":83},{"depth":51,"slug":210,"text":211},"problem-keine-internetverbindung-nach-installation","Problem: Keine Internetverbindung nach Installation",{"depth":51,"slug":213,"text":214},"problem-tools-fehlen-nach-update","Problem: Tools fehlen nach Update",{"depth":51,"slug":216,"text":217},"problem-permission-denied-bei-tools","Problem: „Permission Denied“ bei Tools",{"depth":47,"slug":94,"text":95},[],[],[],"kali-linux.md","velociraptor",{"id":223,"data":225,"body":239,"filePath":240,"digest":241,"rendered":242,"legacyId":287},{"title":226,"tool_name":227,"description":228,"last_updated":229,"author":16,"difficulty":230,"categories":231,"tags":232,"sections":238,"review_status":34},"Velociraptor – Skalierbare Endpoint-Forensik mit VQL","Velociraptor","Detaillierte Anleitung und Best Practices für Velociraptor – Remote-Forensik der nächsten Generation",["Date","2025-07-20T00:00:00.000Z"],"advanced",[19,21,22],[25,233,234,235,236,237],"endpoint-monitoring","artifact-extraction","scripting","live-forensics","hunting",{"overview":32,"installation":32,"configuration":32,"usage_examples":32,"best_practices":32,"troubleshooting":32,"advanced_topics":32},"> **⚠️ Hinweis**: Dies ist ein vorläufiger, KI-generierter Knowledgebase-Eintrag. Wir freuen uns über Verbesserungen und Ergänzungen durch die Community!\n\n\n# Übersicht\n\nVelociraptor ist ein Open-Source-Tool zur Endpoint-Forensik mit Fokus auf Skalierbarkeit, Präzision und Geschwindigkeit. Es ermöglicht die zielgerichtete Erfassung und Analyse digitaler Artefakte über eine eigene Query Language – VQL (Velociraptor Query Language). Die Architektur erlaubt remote Zugriff auf tausende Endpoints gleichzeitig, ohne dass vollständige Disk-Images erforderlich sind.\n\n## Hauptmerkmale\n\n- 🌐 Web-basierte Benutzeroberfläche\n- 💡 VQL – mächtige, SQL-ähnliche Abfragesprache\n- 🚀 Hochskalierbare Hunt-Funktionalität\n- 🔍 Artefaktbasierte Sammlung (ohne Full-Image)\n- 🖥️ Plattformunterstützung für Windows, macOS, Linux\n- 📦 Apache 2.0 Lizenz – Open Source\n\nWeitere Infos: [velociraptor.app](https://www.velociraptor.app/)  \nProjektspiegel: [raptor.cc24.dev](https://raptor.cc24.dev)  \nStatus: ![Status](https://status.mikoshi.de/api/badge/33/status)\n\n---\n\n## Installation\n\n### Voraussetzungen\n\n- Python ≥ 3.9\n- Adminrechte auf dem System\n- Firewall-Freigaben für Webport (Standard: 8000)\n\n### Installation unter Linux/macOS\n\n```bash\nwget https://github.com/Velocidex/velociraptor/releases/latest/download/velociraptor\nchmod +x velociraptor\nsudo mv velociraptor /usr/local/bin/\n````\n\n### Installation unter Windows\n\n1. Download der `.exe` von der [Release-Seite](https://github.com/Velocidex/velociraptor/releases)\n2. Ausführung in PowerShell mit Adminrechten:\n\n   ```powershell\n   .\\velociraptor.exe config generate > server.config.yaml\n   ```\n\n---\n\n## Konfiguration\n\n### Server Setup\n\n1. Generiere die Konfigurationsdatei:\n\n   ```bash\n   velociraptor config generate > server.config.yaml\n   ```\n2. Starte den Server:\n\n   ```bash\n   velociraptor --config server.config.yaml frontend\n   ```\n3. Zugriff über Browser via `https://\u003Chostname>:8000`\n\n### Client Deployment\n\n* MSI/EXE für Windows, oder `deb/rpm` für Linux\n* Unterstützt automatische Registrierung am Server\n* Deployment über GPO, Puppet, Ansible etc. möglich\n\n---\n\n## Verwendungsbeispiele\n\n### 1. Live-Memory-Artefakte sammeln\n\n```vql\nSELECT * FROM Artifact.MemoryInfo()\n```\n\n### 2. Hunt starten auf verdächtige Prozesse\n\n```vql\nSELECT * FROM pslist()\nWHERE Name =~ \"mimikatz|cobaltstrike\"\n```\n\n### 3. Dateiinhalt extrahieren\n\n```vql\nSELECT * FROM glob(globs=\"C:\\\\Users\\\\*\\\\AppData\\\\*.dat\")\n```\n\n---\n\n## Best Practices\n\n* Erstelle eigene Artefakte für unternehmensspezifische Bedrohungsmodelle\n* Verwende \"Notebook\"-Funktion für strukturierte Analysen\n* Nutze \"Labels\", um Endpoints zu organisieren (z. B. `location:Berlin`)\n* Kombiniere Velociraptor mit SIEM/EDR-Systemen über REST API\n\n---\n\n## Troubleshooting\n\n### Problem: Keine Verbindung vom Client zum Server\n\n**Lösung:**\n\n* Ports freigegeben? (Default: 8000/tcp)\n* TLS-Zertifikate korrekt generiert?\n* `server.config.yaml` auf korrekte `public_ip` prüfen\n\n### Problem: Hunt hängt in Warteschleife\n\n**Lösung:**\n\n* Genügend Worker-Prozesse aktiv?\n* Endpoint online?\n* `log_level` auf `debug` setzen und Log analysieren\n\n---\n\n## Weiterführende Themen\n\n* Eigene Artefakte schreiben mit VQL\n* Integration mit ELK Stack\n* Automatisiertes Incident Response Playbook\n* Velociraptor als IR-as-a-Service einsetzen\n\n---\n\n🧠 **Tipp:** Die Lernkurve bei VQL ist steil – aber mit hohem ROI. Testumgebung aufsetzen und mit Community-Artefakten starten.\n\n📚 Weitere Ressourcen:\n\n* [Offizielle Doku](https://docs.velociraptor.app/)\n* [YouTube Channel](https://www.youtube.com/c/VelociraptorDFIR)\n* [Community auf Discord](https://www.velociraptor.app/community/)","src/content/knowledgebase/velociraptor.md","05636b9b97e61d17",{"html":243,"metadata":244},"\u003Cblockquote>\n\u003Cp>\u003Cstrong>⚠️ Hinweis\u003C/strong>: Dies ist ein vorläufiger, KI-generierter Knowledgebase-Eintrag. Wir freuen uns über Verbesserungen und Ergänzungen durch die Community!\u003C/p>\n\u003C/blockquote>\n\u003Ch1 id=\"übersicht\">Übersicht\u003C/h1>\n\u003Cp>Velociraptor ist ein Open-Source-Tool zur Endpoint-Forensik mit Fokus auf Skalierbarkeit, Präzision und Geschwindigkeit. Es ermöglicht die zielgerichtete Erfassung und Analyse digitaler Artefakte über eine eigene Query Language – VQL (Velociraptor Query Language). Die Architektur erlaubt remote Zugriff auf tausende Endpoints gleichzeitig, ohne dass vollständige Disk-Images erforderlich sind.\u003C/p>\n\u003Ch2 id=\"hauptmerkmale\">Hauptmerkmale\u003C/h2>\n\u003Cul>\n\u003Cli>🌐 Web-basierte Benutzeroberfläche\u003C/li>\n\u003Cli>💡 VQL – mächtige, SQL-ähnliche Abfragesprache\u003C/li>\n\u003Cli>🚀 Hochskalierbare Hunt-Funktionalität\u003C/li>\n\u003Cli>🔍 Artefaktbasierte Sammlung (ohne Full-Image)\u003C/li>\n\u003Cli>🖥️ Plattformunterstützung für Windows, macOS, Linux\u003C/li>\n\u003Cli>📦 Apache 2.0 Lizenz – Open Source\u003C/li>\n\u003C/ul>\n\u003Cp>Weitere Infos: \u003Ca href=\"https://www.velociraptor.app/\">velociraptor.app\u003C/a>\u003Cbr>\nProjektspiegel: \u003Ca href=\"https://raptor.cc24.dev\">raptor.cc24.dev\u003C/a>\u003Cbr>\nStatus: \u003Cimg src=\"https://status.mikoshi.de/api/badge/33/status\" alt=\"Status\">\u003C/p>\n\u003Chr>\n\u003Ch2 id=\"installation\">Installation\u003C/h2>\n\u003Ch3 id=\"voraussetzungen\">Voraussetzungen\u003C/h3>\n\u003Cul>\n\u003Cli>Python ≥ 3.9\u003C/li>\n\u003Cli>Adminrechte auf dem System\u003C/li>\n\u003Cli>Firewall-Freigaben für Webport (Standard: 8000)\u003C/li>\n\u003C/ul>\n\u003Ch3 id=\"installation-unter-linuxmacos\">Installation unter Linux/macOS\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">wget\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> https://github.com/Velocidex/velociraptor/releases/latest/download/velociraptor\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">chmod\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> +x\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> velociraptor\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">sudo\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> mv\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> velociraptor\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /usr/local/bin/\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"installation-unter-windows\">Installation unter Windows\u003C/h3>\n\u003Col>\n\u003Cli>\n\u003Cp>Download der \u003Ccode>.exe\u003C/code> von der \u003Ca href=\"https://github.com/Velocidex/velociraptor/releases\">Release-Seite\u003C/a>\u003C/p>\n\u003C/li>\n\u003Cli>\n\u003Cp>Ausführung in PowerShell mit Adminrechten:\u003C/p>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"powershell\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#E1E4E8\">.\\\u003C/span>\u003Cspan style=\"color:#79B8FF\">velociraptor.exe\u003C/span>\u003Cspan style=\"color:#E1E4E8\"> config generate \u003C/span>\u003Cspan style=\"color:#F97583\">>\u003C/span>\u003Cspan style=\"color:#E1E4E8\"> server.config.yaml\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003C/li>\n\u003C/ol>\n\u003Chr>\n\u003Ch2 id=\"konfiguration\">Konfiguration\u003C/h2>\n\u003Ch3 id=\"server-setup\">Server Setup\u003C/h3>\n\u003Col>\n\u003Cli>\n\u003Cp>Generiere die Konfigurationsdatei:\u003C/p>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">velociraptor\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> config\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> generate\u003C/span>\u003Cspan style=\"color:#F97583\"> >\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> server.config.yaml\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003C/li>\n\u003Cli>\n\u003Cp>Starte den Server:\u003C/p>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">velociraptor\u003C/span>\u003Cspan style=\"color:#79B8FF\"> --config\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> server.config.yaml\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> frontend\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003C/li>\n\u003Cli>\n\u003Cp>Zugriff über Browser via \u003Ccode>https://<hostname>:8000\u003C/code>\u003C/p>\n\u003C/li>\n\u003C/ol>\n\u003Ch3 id=\"client-deployment\">Client Deployment\u003C/h3>\n\u003Cul>\n\u003Cli>MSI/EXE für Windows, oder \u003Ccode>deb/rpm\u003C/code> für Linux\u003C/li>\n\u003Cli>Unterstützt automatische Registrierung am Server\u003C/li>\n\u003Cli>Deployment über GPO, Puppet, Ansible etc. möglich\u003C/li>\n\u003C/ul>\n\u003Chr>\n\u003Ch2 id=\"verwendungsbeispiele\">Verwendungsbeispiele\u003C/h2>\n\u003Ch3 id=\"1-live-memory-artefakte-sammeln\">1. Live-Memory-Artefakte sammeln\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"plaintext\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan>SELECT * FROM Artifact.MemoryInfo()\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"2-hunt-starten-auf-verdächtige-prozesse\">2. Hunt starten auf verdächtige Prozesse\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"plaintext\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan>SELECT * FROM pslist()\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan>WHERE Name =~ \"mimikatz|cobaltstrike\"\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"3-dateiinhalt-extrahieren\">3. Dateiinhalt extrahieren\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"plaintext\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan>SELECT * FROM glob(globs=\"C:\\\\Users\\\\*\\\\AppData\\\\*.dat\")\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Chr>\n\u003Ch2 id=\"best-practices\">Best Practices\u003C/h2>\n\u003Cul>\n\u003Cli>Erstelle eigene Artefakte für unternehmensspezifische Bedrohungsmodelle\u003C/li>\n\u003Cli>Verwende “Notebook”-Funktion für strukturierte Analysen\u003C/li>\n\u003Cli>Nutze “Labels”, um Endpoints zu organisieren (z. B. \u003Ccode>location:Berlin\u003C/code>)\u003C/li>\n\u003Cli>Kombiniere Velociraptor mit SIEM/EDR-Systemen über REST API\u003C/li>\n\u003C/ul>\n\u003Chr>\n\u003Ch2 id=\"troubleshooting\">Troubleshooting\u003C/h2>\n\u003Ch3 id=\"problem-keine-verbindung-vom-client-zum-server\">Problem: Keine Verbindung vom Client zum Server\u003C/h3>\n\u003Cp>\u003Cstrong>Lösung:\u003C/strong>\u003C/p>\n\u003Cul>\n\u003Cli>Ports freigegeben? (Default: 8000/tcp)\u003C/li>\n\u003Cli>TLS-Zertifikate korrekt generiert?\u003C/li>\n\u003Cli>\u003Ccode>server.config.yaml\u003C/code> auf korrekte \u003Ccode>public_ip\u003C/code> prüfen\u003C/li>\n\u003C/ul>\n\u003Ch3 id=\"problem-hunt-hängt-in-warteschleife\">Problem: Hunt hängt in Warteschleife\u003C/h3>\n\u003Cp>\u003Cstrong>Lösung:\u003C/strong>\u003C/p>\n\u003Cul>\n\u003Cli>Genügend Worker-Prozesse aktiv?\u003C/li>\n\u003Cli>Endpoint online?\u003C/li>\n\u003Cli>\u003Ccode>log_level\u003C/code> auf \u003Ccode>debug\u003C/code> setzen und Log analysieren\u003C/li>\n\u003C/ul>\n\u003Chr>\n\u003Ch2 id=\"weiterführende-themen\">Weiterführende Themen\u003C/h2>\n\u003Cul>\n\u003Cli>Eigene Artefakte schreiben mit VQL\u003C/li>\n\u003Cli>Integration mit ELK Stack\u003C/li>\n\u003Cli>Automatisiertes Incident Response Playbook\u003C/li>\n\u003Cli>Velociraptor als IR-as-a-Service einsetzen\u003C/li>\n\u003C/ul>\n\u003Chr>\n\u003Cp>🧠 \u003Cstrong>Tipp:\u003C/strong> Die Lernkurve bei VQL ist steil – aber mit hohem ROI. Testumgebung aufsetzen und mit Community-Artefakten starten.\u003C/p>\n\u003Cp>📚 Weitere Ressourcen:\u003C/p>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https://docs.velociraptor.app/\">Offizielle Doku\u003C/a>\u003C/li>\n\u003Cli>\u003Ca href=\"https://www.youtube.com/c/VelociraptorDFIR\">YouTube Channel\u003C/a>\u003C/li>\n\u003Cli>\u003Ca href=\"https://www.velociraptor.app/community/\">Community auf Discord\u003C/a>\u003C/li>\n\u003C/ul>",{"headings":245,"localImagePaths":284,"remoteImagePaths":285,"frontmatter":225,"imagePaths":286},[246,247,250,251,252,255,258,259,262,265,266,269,272,275,276,277,280,283],{"depth":43,"slug":44,"text":45},{"depth":47,"slug":248,"text":249},"hauptmerkmale","Hauptmerkmale",{"depth":47,"slug":48,"text":49},{"depth":51,"slug":52,"text":53},{"depth":51,"slug":253,"text":254},"installation-unter-linuxmacos","Installation unter Linux/macOS",{"depth":51,"slug":256,"text":257},"installation-unter-windows","Installation unter Windows",{"depth":47,"slug":58,"text":59},{"depth":51,"slug":260,"text":261},"server-setup","Server Setup",{"depth":51,"slug":263,"text":264},"client-deployment","Client Deployment",{"depth":47,"slug":70,"text":71},{"depth":51,"slug":267,"text":268},"1-live-memory-artefakte-sammeln","1. Live-Memory-Artefakte sammeln",{"depth":51,"slug":270,"text":271},"2-hunt-starten-auf-verdächtige-prozesse","2. Hunt starten auf verdächtige Prozesse",{"depth":51,"slug":273,"text":274},"3-dateiinhalt-extrahieren","3. Dateiinhalt extrahieren",{"depth":47,"slug":79,"text":80},{"depth":47,"slug":82,"text":83},{"depth":51,"slug":278,"text":279},"problem-keine-verbindung-vom-client-zum-server","Problem: Keine Verbindung vom Client zum Server",{"depth":51,"slug":281,"text":282},"problem-hunt-hängt-in-warteschleife","Problem: Hunt hängt in Warteschleife",{"depth":47,"slug":94,"text":95},[],[],[],"velociraptor.md","nextcloud",{"id":288,"data":290,"body":304,"filePath":305,"digest":306,"rendered":307,"legacyId":343},{"title":291,"tool_name":292,"description":293,"last_updated":294,"author":16,"difficulty":295,"categories":296,"tags":298,"sections":303,"review_status":34},"Nextcloud - Sichere Kollaborationsplattform","Nextcloud","Detaillierte Anleitung und Best Practices für Nextcloud in forensischen Einsatzszenarien",["Date","2025-07-20T00:00:00.000Z"],"novice",[297],"collaboration-general",[25,299,300,27,301,302],"collaboration","file-sharing","encryption","document-management",{"overview":32,"installation":32,"configuration":32,"usage_examples":32,"best_practices":32,"troubleshooting":32,"advanced_topics":33},"> **⚠️ Hinweis**: Dies ist ein vorläufiger, KI-generierter Knowledgebase-Eintrag. Wir freuen uns über Verbesserungen und Ergänzungen durch die Community!\n\n\n# Übersicht\n\nNextcloud ist eine Open-Source-Cloud-Suite, die speziell für die sichere Zusammenarbeit entwickelt wurde. Sie eignet sich ideal für forensische Teams, da sie eine DSGVO-konforme Umgebung mit verschlüsselter Dateiablage, Office-Integration und Videokonferenzen bereitstellt. Zusätzlich bietet Nextcloud einen integrierten SSO-Provider, der das Identitätsmanagement für andere forensische Tools stark vereinfacht.\n\nSkalierbar von kleinen Raspberry-Pi-Installationen bis hin zu hochverfügbaren Multi-Node-Setups.\n\n- **Website:** [nextcloud.com](https://nextcloud.com/)\n- **Demo/Projektinstanz:** [cloud.cc24.dev](https://cloud.cc24.dev)\n- **Statusseite:** [Mikoshi Status](https://status.mikoshi.de/api/badge/11/status)\n- **Lizenz:** AGPL-3.0\n\n---\n\n## Installation\n\n### Voraussetzungen\n\n- Linux-Server oder Raspberry Pi\n- PHP 8.1 oder höher\n- MariaDB/PostgreSQL\n- Webserver (Apache/Nginx)\n- SSL-Zertifikat (empfohlen: Let's Encrypt)\n\n### Installationsschritte (Ubuntu Beispiel)\n\n```bash\nsudo apt update && sudo apt upgrade\nsudo apt install apache2 mariadb-server libapache2-mod-php php php-mysql \\\n  php-gd php-xml php-mbstring php-curl php-zip php-intl php-bcmath unzip\n\nwget https://download.nextcloud.com/server/releases/latest.zip\nunzip latest.zip -d /var/www/\nchown -R www-data:www-data /var/www/nextcloud\n````\n\nDanach den Web-Installer im Browser aufrufen (`https://\u003Cyour-domain>/nextcloud`) und Setup abschließen.\n\n## Konfiguration\n\n* **Trusted Domains** in `config.php` definieren\n* SSO mit OpenID Connect aktivieren\n* Dateiverschlüsselung aktivieren (`Settings → Security`)\n* Benutzer und Gruppen über LDAP oder SAML integrieren\n\n## Verwendungsbeispiele\n\n### Gemeinsame Fallbearbeitung\n\n1. Ermittlungsordner als geteiltes Gruppenverzeichnis anlegen\n2. Versionierung und Kommentare zu forensischen Berichten aktivieren\n3. Vorschau für Office-Dateien, PDFs und Bilder direkt im Browser nutzen\n\n### Videokonferenzen mit \"Nextcloud Talk\"\n\n* Sichere Kommunikation zwischen Ermittlern und Sachverständigen\n* Ende-zu-Ende-verschlüsselt\n* Bildschirmfreigabe möglich\n\n### Automatischer Dateiimport per API\n\n* REST-Schnittstelle nutzen, um z. B. automatisch Logdateien oder Exportdaten hochzuladen\n* Ideal für Anbindung an SIEM, DLP oder Analyse-Pipelines\n\n## Best Practices\n\n* Zwei-Faktor-Authentifizierung aktivieren\n* Tägliche Backups der Datenbank und Datenstruktur\n* Nutzung von OnlyOffice oder Collabora für revisionssichere Dokumentenbearbeitung\n* Zugriff regelmäßig überprüfen, insbesondere bei externen Partnern\n\n## Troubleshooting\n\n### Problem: Langsame Performance\n\n**Lösung:** APCu aktivieren und Caching optimieren (`config.php → 'memcache.local'`).\n\n### Problem: Dateien erscheinen nicht im Sync\n\n**Lösung:** Cronjob für `files:scan` konfigurieren oder manuell ausführen:\n\n```bash\nsudo -u www-data php /var/www/nextcloud/occ files:scan --all\n```\n\n### Problem: Fehlermeldung \"Trusted domain not set\"\n\n**Lösung:** In `config/config.php` Eintrag `trusted_domains` korrekt konfigurieren:\n\n```php\n'trusted_domains' =>\n  array (\n    0 => 'yourdomain.tld',\n    1 => 'cloud.cc24.dev',\n  ),\n```\n\n## Weiterführende Themen\n\n* **Integration mit Forensik-Plattformen** (über WebDAV, API oder SSO)\n* **Custom Apps entwickeln** für spezielle Ermittlungs-Workflows\n* **Auditing aktivieren**: Nutzung und Änderungen nachvollziehen mit Protokollierungsfunktionen","src/content/knowledgebase/nextcloud.md","9294074e6083e37b",{"html":308,"metadata":309},"\u003Cblockquote>\n\u003Cp>\u003Cstrong>⚠️ Hinweis\u003C/strong>: Dies ist ein vorläufiger, KI-generierter Knowledgebase-Eintrag. Wir freuen uns über Verbesserungen und Ergänzungen durch die Community!\u003C/p>\n\u003C/blockquote>\n\u003Ch1 id=\"übersicht\">Übersicht\u003C/h1>\n\u003Cp>Nextcloud ist eine Open-Source-Cloud-Suite, die speziell für die sichere Zusammenarbeit entwickelt wurde. Sie eignet sich ideal für forensische Teams, da sie eine DSGVO-konforme Umgebung mit verschlüsselter Dateiablage, Office-Integration und Videokonferenzen bereitstellt. Zusätzlich bietet Nextcloud einen integrierten SSO-Provider, der das Identitätsmanagement für andere forensische Tools stark vereinfacht.\u003C/p>\n\u003Cp>Skalierbar von kleinen Raspberry-Pi-Installationen bis hin zu hochverfügbaren Multi-Node-Setups.\u003C/p>\n\u003Cul>\n\u003Cli>\u003Cstrong>Website:\u003C/strong> \u003Ca href=\"https://nextcloud.com/\">nextcloud.com\u003C/a>\u003C/li>\n\u003Cli>\u003Cstrong>Demo/Projektinstanz:\u003C/strong> \u003Ca href=\"https://cloud.cc24.dev\">cloud.cc24.dev\u003C/a>\u003C/li>\n\u003Cli>\u003Cstrong>Statusseite:\u003C/strong> \u003Ca href=\"https://status.mikoshi.de/api/badge/11/status\">Mikoshi Status\u003C/a>\u003C/li>\n\u003Cli>\u003Cstrong>Lizenz:\u003C/strong> AGPL-3.0\u003C/li>\n\u003C/ul>\n\u003Chr>\n\u003Ch2 id=\"installation\">Installation\u003C/h2>\n\u003Ch3 id=\"voraussetzungen\">Voraussetzungen\u003C/h3>\n\u003Cul>\n\u003Cli>Linux-Server oder Raspberry Pi\u003C/li>\n\u003Cli>PHP 8.1 oder höher\u003C/li>\n\u003Cli>MariaDB/PostgreSQL\u003C/li>\n\u003Cli>Webserver (Apache/Nginx)\u003C/li>\n\u003Cli>SSL-Zertifikat (empfohlen: Let’s Encrypt)\u003C/li>\n\u003C/ul>\n\u003Ch3 id=\"installationsschritte-ubuntu-beispiel\">Installationsschritte (Ubuntu Beispiel)\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">sudo\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> apt\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> update\u003C/span>\u003Cspan style=\"color:#E1E4E8\"> && \u003C/span>\u003Cspan style=\"color:#B392F0\">sudo\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> apt\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> upgrade\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">sudo\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> apt\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> install\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> apache2\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> mariadb-server\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> libapache2-mod-php\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> php\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> php-mysql\u003C/span>\u003Cspan style=\"color:#79B8FF\"> \\\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#9ECBFF\">  php-gd\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> php-xml\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> php-mbstring\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> php-curl\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> php-zip\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> php-intl\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> php-bcmath\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> unzip\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">wget\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> https://download.nextcloud.com/server/releases/latest.zip\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">unzip\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> latest.zip\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -d\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /var/www/\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">chown\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -R\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> www-data:www-data\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /var/www/nextcloud\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Cp>Danach den Web-Installer im Browser aufrufen (\u003Ccode>https://<your-domain>/nextcloud\u003C/code>) und Setup abschließen.\u003C/p>\n\u003Ch2 id=\"konfiguration\">Konfiguration\u003C/h2>\n\u003Cul>\n\u003Cli>\u003Cstrong>Trusted Domains\u003C/strong> in \u003Ccode>config.php\u003C/code> definieren\u003C/li>\n\u003Cli>SSO mit OpenID Connect aktivieren\u003C/li>\n\u003Cli>Dateiverschlüsselung aktivieren (\u003Ccode>Settings → Security\u003C/code>)\u003C/li>\n\u003Cli>Benutzer und Gruppen über LDAP oder SAML integrieren\u003C/li>\n\u003C/ul>\n\u003Ch2 id=\"verwendungsbeispiele\">Verwendungsbeispiele\u003C/h2>\n\u003Ch3 id=\"gemeinsame-fallbearbeitung\">Gemeinsame Fallbearbeitung\u003C/h3>\n\u003Col>\n\u003Cli>Ermittlungsordner als geteiltes Gruppenverzeichnis anlegen\u003C/li>\n\u003Cli>Versionierung und Kommentare zu forensischen Berichten aktivieren\u003C/li>\n\u003Cli>Vorschau für Office-Dateien, PDFs und Bilder direkt im Browser nutzen\u003C/li>\n\u003C/ol>\n\u003Ch3 id=\"videokonferenzen-mit-nextcloud-talk\">Videokonferenzen mit “Nextcloud Talk”\u003C/h3>\n\u003Cul>\n\u003Cli>Sichere Kommunikation zwischen Ermittlern und Sachverständigen\u003C/li>\n\u003Cli>Ende-zu-Ende-verschlüsselt\u003C/li>\n\u003Cli>Bildschirmfreigabe möglich\u003C/li>\n\u003C/ul>\n\u003Ch3 id=\"automatischer-dateiimport-per-api\">Automatischer Dateiimport per API\u003C/h3>\n\u003Cul>\n\u003Cli>REST-Schnittstelle nutzen, um z. B. automatisch Logdateien oder Exportdaten hochzuladen\u003C/li>\n\u003Cli>Ideal für Anbindung an SIEM, DLP oder Analyse-Pipelines\u003C/li>\n\u003C/ul>\n\u003Ch2 id=\"best-practices\">Best Practices\u003C/h2>\n\u003Cul>\n\u003Cli>Zwei-Faktor-Authentifizierung aktivieren\u003C/li>\n\u003Cli>Tägliche Backups der Datenbank und Datenstruktur\u003C/li>\n\u003Cli>Nutzung von OnlyOffice oder Collabora für revisionssichere Dokumentenbearbeitung\u003C/li>\n\u003Cli>Zugriff regelmäßig überprüfen, insbesondere bei externen Partnern\u003C/li>\n\u003C/ul>\n\u003Ch2 id=\"troubleshooting\">Troubleshooting\u003C/h2>\n\u003Ch3 id=\"problem-langsame-performance\">Problem: Langsame Performance\u003C/h3>\n\u003Cp>\u003Cstrong>Lösung:\u003C/strong> APCu aktivieren und Caching optimieren (\u003Ccode>config.php → 'memcache.local'\u003C/code>).\u003C/p>\n\u003Ch3 id=\"problem-dateien-erscheinen-nicht-im-sync\">Problem: Dateien erscheinen nicht im Sync\u003C/h3>\n\u003Cp>\u003Cstrong>Lösung:\u003C/strong> Cronjob für \u003Ccode>files:scan\u003C/code> konfigurieren oder manuell ausführen:\u003C/p>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">sudo\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -u\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> www-data\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> php\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /var/www/nextcloud/occ\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> files:scan\u003C/span>\u003Cspan style=\"color:#79B8FF\"> --all\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"problem-fehlermeldung-trusted-domain-not-set\">Problem: Fehlermeldung “Trusted domain not set”\u003C/h3>\n\u003Cp>\u003Cstrong>Lösung:\u003C/strong> In \u003Ccode>config/config.php\u003C/code> Eintrag \u003Ccode>trusted_domains\u003C/code> korrekt konfigurieren:\u003C/p>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"php\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#9ECBFF\">'trusted_domains'\u003C/span>\u003Cspan style=\"color:#F97583\"> =>\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#79B8FF\">  array\u003C/span>\u003Cspan style=\"color:#E1E4E8\"> (\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#79B8FF\">    0\u003C/span>\u003Cspan style=\"color:#F97583\"> =>\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> 'yourdomain.tld'\u003C/span>\u003Cspan style=\"color:#E1E4E8\">,\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#79B8FF\">    1\u003C/span>\u003Cspan style=\"color:#F97583\"> =>\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> 'cloud.cc24.dev'\u003C/span>\u003Cspan style=\"color:#E1E4E8\">,\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#E1E4E8\">  ),\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch2 id=\"weiterführende-themen\">Weiterführende Themen\u003C/h2>\n\u003Cul>\n\u003Cli>\u003Cstrong>Integration mit Forensik-Plattformen\u003C/strong> (über WebDAV, API oder SSO)\u003C/li>\n\u003Cli>\u003Cstrong>Custom Apps entwickeln\u003C/strong> für spezielle Ermittlungs-Workflows\u003C/li>\n\u003Cli>\u003Cstrong>Auditing aktivieren\u003C/strong>: Nutzung und Änderungen nachvollziehen mit Protokollierungsfunktionen\u003C/li>\n\u003C/ul>",{"headings":310,"localImagePaths":340,"remoteImagePaths":341,"frontmatter":290,"imagePaths":342},[311,312,313,314,317,318,319,322,325,328,329,330,333,336,339],{"depth":43,"slug":44,"text":45},{"depth":47,"slug":48,"text":49},{"depth":51,"slug":52,"text":53},{"depth":51,"slug":315,"text":316},"installationsschritte-ubuntu-beispiel","Installationsschritte (Ubuntu Beispiel)",{"depth":47,"slug":58,"text":59},{"depth":47,"slug":70,"text":71},{"depth":51,"slug":320,"text":321},"gemeinsame-fallbearbeitung","Gemeinsame Fallbearbeitung",{"depth":51,"slug":323,"text":324},"videokonferenzen-mit-nextcloud-talk","Videokonferenzen mit “Nextcloud Talk”",{"depth":51,"slug":326,"text":327},"automatischer-dateiimport-per-api","Automatischer Dateiimport per API",{"depth":47,"slug":79,"text":80},{"depth":47,"slug":82,"text":83},{"depth":51,"slug":331,"text":332},"problem-langsame-performance","Problem: Langsame Performance",{"depth":51,"slug":334,"text":335},"problem-dateien-erscheinen-nicht-im-sync","Problem: Dateien erscheinen nicht im Sync",{"depth":51,"slug":337,"text":338},"problem-fehlermeldung-trusted-domain-not-set","Problem: Fehlermeldung “Trusted domain not set”",{"depth":47,"slug":94,"text":95},[],[],[],"nextcloud.md","android-logical-imaging",{"id":344,"data":346,"body":359,"filePath":360,"digest":361,"rendered":362,"legacyId":590},{"title":347,"tool_name":348,"description":349,"last_updated":350,"author":351,"difficulty":230,"categories":352,"tags":354,"sections":358,"review_status":34},"Extraktion logischer Dateisysteme alter Android-Smartphones - eine KI-Recherche","Android Logical Imaging","Wie man alte Android-Handys aufbekommen könnte - eine Recherche von Claude",["Date","2025-07-21T00:00:00.000Z"],"Claude 4 Sonnet (Research)",[353],"data-collection",[355,356,357],"imaging","filesystem","hardware-interface",{"overview":32,"installation":32,"configuration":32,"usage_examples":32,"best_practices":32,"troubleshooting":32,"advanced_topics":32},"# Übersicht\n\nOpen-Source Android Forensik bietet robuste Alternativen zu kommerziellen Lösungen wie Cellebrite UFED und Magnet AXIOM. Besonders für ältere Android-Geräte (5+ Jahre) existieren bewährte Methoden zur Datenextraktion und -analyse.\n\n## Kernkomponenten des Open-Source Forensik-Stacks\n\n**Autopsy Digital Forensics Platform** bildet das Fundament mit GUI-basierter Analyse und integrierten Android-Parsing-Fähigkeiten. Die Plattform unterstützt **ALEAPP (Android Logs Events And Protobuf Parser)**, das über 100 Artefakt-Kategorien aus Android-Extraktionen parst.\n\n**Mobile Verification Toolkit (MVT)** von Amnesty International bietet spezialisierte Command-Line-Tools für Android-Analyse mit Fokus auf Kompromittierungserkennung.\n\n**SIFT Workstation** stellt eine komplette Ubuntu-basierte forensische Umgebung mit 125+ vorinstallierten Tools bereit.\n\n## Erfolgsraten nach Gerätealter\n\n- **Pre-2017 Geräte**: 85-98% logische Extraktion, 30-70% physische Extraktion\n- **2017-2019 Geräte**: 80-95% logische Extraktion, 15-35% physische Extraktion  \n- **2020+ Geräte**: 70-85% logische Extraktion, 5-15% physische Extraktion\n\n# Installation\n\n## SIFT Workstation Setup\n\n### Systemanforderungen\n- Quad-Core CPU 2.5GHz+\n- 16GB+ RAM\n- 500GB+ SSD Speicher\n- USB 3.0+ Anschlüsse\n\n### Installation\n1. Download von [SANS SIFT Workstation](https://www.sans.org/tools/sift-workstation/)\n2. VMware/VirtualBox Import der OVA-Datei\n3. VM-Konfiguration: 8GB+ RAM, 4+ CPU-Kerne\n\n```bash\n# Update nach Installation\nsudo apt update && sudo apt upgrade -y\nsudo sift update\n```\n\n## Autopsy Installation\n\n### Windows Installation\n1. Download von [autopsy.com](https://www.autopsy.com/)\n2. Java 8+ Installation erforderlich\n3. Installation mit Administratorrechten\n\n### Linux Installation\n```bash\n# Ubuntu/Debian\nsudo apt install autopsy sleuthkit\n# Oder manueller Download und Installation\nwget https://github.com/sleuthkit/autopsy/releases/latest\n```\n\n## Essential Tools Installation\n\n### Android Debug Bridge (ADB)\n```bash\n# Ubuntu/Debian\nsudo apt install android-tools-adb android-tools-fastboot\n\n# Windows - Download Android Platform Tools\n# https://developer.android.com/studio/releases/platform-tools\n```\n\n### ALEAPP Installation\n```bash\ngit clone https://github.com/abrignoni/ALEAPP.git\ncd ALEAPP\npip3 install -r requirements.txt\n```\n\n### Mobile Verification Toolkit (MVT)\n```bash\npip3 install mvt\n# Oder via GitHub für neueste Version\ngit clone https://github.com/mvt-project/mvt.git\ncd mvt && pip3 install .\n```\n\n### Andriller Installation\n```bash\ngit clone https://github.com/den4uk/andriller.git\ncd andriller\npip3 install -r requirements.txt\n```\n\n# Konfiguration\n\n## ADB Setup und Gerätevorbereitung\n\n### USB-Debugging aktivieren\n1. Entwickleroptionen freischalten (7x Build-Nummer antippen)\n2. USB-Debugging aktivieren\n3. Gerät via USB verbinden\n4. RSA-Fingerprint akzeptieren\n\n### ADB Verbindung testen\n```bash\nadb devices\n# Sollte Gerät mit \"device\" Status zeigen\nadb shell getprop ro.build.version.release  # Android Version\nadb shell getprop ro.product.model         # Gerätemodell\n```\n\n## Autopsy Projektkonfiguration\n\n### Case-Setup\n1. Neuen Fall erstellen\n2. Ermittler-Informationen eingeben\n3. Case-Verzeichnis festlegen (ausreichend Speicherplatz)\n\n### Android Analyzer Module aktivieren\n- Tools → Options → Modules\n- Android Analyzer aktivieren\n- ALEAPP Integration konfigurieren\n\n### Hash-Algorithmen konfigurieren\n- MD5, SHA-1, SHA-256 für Integritätsprüfung\n- Automatische Hash-Berechnung bei Import aktivieren\n\n## MVT Konfiguration\n\n### Konfigurationsdatei erstellen\n```yaml\n# ~/.mvt/config.yaml\nadb_path: \"/usr/bin/adb\"\noutput_folder: \"/home/user/mvt_output\"\n```\n\n# Verwendungsbeispiele\n\n## Fall 1: Logische Datenextraktion mit ADB\n\n### Geräteinformationen sammeln\n```bash\n# Systeminfo\nadb shell getprop > device_properties.txt\nadb shell cat /proc/version > kernel_info.txt\nadb shell mount > mount_info.txt\n\n# Installierte Apps\nadb shell pm list packages -f > installed_packages.txt\n```\n\n### Datenbank-Extraktion\n```bash\n# SMS/MMS Datenbank\nadb pull /data/data/com.android.providers.telephony/databases/mmssms.db\n\n# Kontakte\nadb pull /data/data/com.android.providers.contacts/databases/contacts2.db\n\n# Anrufliste  \nadb pull /data/data/com.android.providers.contacts/databases/calllog.db\n```\n\n### WhatsApp Datenextraktion\n```bash\n# WhatsApp Datenbanken (Root erforderlich)\nadb shell su -c \"cp -r /data/data/com.whatsapp/ /sdcard/whatsapp_backup/\"\nadb pull /sdcard/whatsapp_backup/\n```\n\n## Fall 2: Android Backup-Analyse\n\n### Vollständiges Backup erstellen\n```bash\n# Umfassendes Backup (ohne Root)\nadb backup -all -system -apk -shared -f backup.ab\n\n# Backup entschlüsseln (falls verschlüsselt)\njava -jar abe.jar unpack backup.ab backup.tar\ntar -xf backup.tar\n```\n\n### Backup mit ALEAPP analysieren\n```bash\npython3 aleappGUI.py\n# Oder Command-Line\npython3 aleapp.py -t tar -i backup.tar -o output_folder\n```\n\n## Fall 3: MVT Kompromittierungsanalyse\n\n### Live-Geräteanalyse\n```bash\n# ADB-basierte Analyse\nmvt-android check-adb --output /path/to/output/\n\n# Backup-Analyse\nmvt-android check-backup --output /path/to/output/ backup.ab\n```\n\n### IOC-Suche mit Pegasus-Indikatoren\n```bash\n# Mit vorgefertigten IOCs\nmvt-android check-adb --iocs /path/to/pegasus.stix2 --output results/\n```\n\n## Fall 4: Physische Extraktion (Root erforderlich)\n\n### Device Rooting - MediaTek Geräte\n```bash\n# MTKClient für MediaTek-Chipsets\ngit clone https://github.com/bkerler/mtkclient.git\ncd mtkclient\npython3 mtk payload\n\n# Nach erfolgreichem Root\nadb shell su\n```\n\n### Vollständiges Memory Dump\n```bash\n# Partitionslayout ermitteln\nadb shell su -c \"cat /proc/partitions\"\nadb shell su -c \"ls -la /dev/block/\"\n\n# Vollständiges Device Image (Root erforderlich)\nadb shell su -c \"dd if=/dev/block/mmcblk0 of=/sdcard/full_device.img bs=4096\"\nadb pull /sdcard/full_device.img\n```\n\n# Best Practices\n\n## Rechtliche Compliance\n\n### Dokumentation und Chain of Custody\n- **Vollständige Dokumentation**: Wer, Was, Wann, Wo, Warum\n- **Hash-Verifikation**: MD5/SHA-256 für alle extrahierten Daten\n- **Nur forensische Kopien analysieren**, niemals Originaldaten\n- **Schriftliche Genehmigung** für Geräteanalyse einholen\n\n### Familiengeräte und Nachlässe\n- Genehmigung durch Nachlassverwalter erforderlich\n- Gerichtsbeschlüsse für Cloud-Zugang eventuell nötig\n- Drittpartei-Kommunikation kann weiterhin geschützt sein\n\n## Technische Best Practices\n\n### Hash-Integrität sicherstellen\n```bash\n# Hash vor und nach Transfer prüfen\nmd5sum original_file.db\nsha256sum original_file.db\n\n# Hash-Verifikation dokumentieren\necho \"$(date): MD5: $(md5sum file.db)\" >> chain_of_custody.log\n```\n\n### Sichere Arbeitsumgebung\n- Isolierte VM für Forensik-Arbeit\n- Netzwerk-Isolation während Analyse\n- Verschlüsselte Speicherung aller Evidenz\n- Regelmäßige Backups der Case-Datenbanken\n\n### Qualitätssicherung\n- Peer-Review kritischer Analysen\n- Standardisierte Arbeitsabläufe (SOPs)\n- Regelmäßige Tool-Validierung\n- Kontinuierliche Weiterbildung\n\n## Erfolgsmaximierung nach Gerätehersteller\n\n### MediaTek-Geräte (Höchste Erfolgsrate)\n- BootROM-Exploits für MT6735, MT6737, MT6750, MT6753, MT6797\n- MTKClient für Hardware-Level-Zugang\n- Erfolgsrate: 80%+ für Geräte 2015-2019\n\n### Samsung-Geräte\n- Ältere Knox-Implementierungen umgehbar\n- Emergency Dialer Exploits für Android 4.x\n- Erfolgsrate: 40-70% je nach Knox-Version\n\n### Pixel/Nexus-Geräte\n- Bootloader-Unlocking oft möglich\n- Fastboot-basierte Recovery-Installation\n- Erfolgsrate: 60-80% bei freigeschaltetem Bootloader\n\n# Troubleshooting\n\n## Problem: ADB erkennt Gerät nicht\n\n### Lösung: USB-Treiber und Berechtigungen\n```bash\n# Linux: USB-Berechtigungen prüfen\nlsusb | grep -i android\nsudo chmod 666 /dev/bus/usb/XXX/XXX\n\n# udev-Regeln erstellen\necho 'SUBSYSTEM==\"usb\", ATTR{idVendor}==\"18d1\", MODE=\"0666\", GROUP=\"plugdev\"' | sudo tee /etc/udev/rules.d/51-android.rules\nsudo udevadm control --reload-rules\n```\n\n### Windows: Treiber-Installation\n1. Geräte-Manager öffnen\n2. Android-Gerät mit Warnsymbol finden\n3. Treiber manuell installieren (Android USB Driver)\n\n## Problem: Verschlüsselte Android Backups\n\n### Lösung: Android Backup Extractor\n```bash\n# ADB Backup Extractor installieren\ngit clone https://github.com/nelenkov/android-backup-extractor.git\ncd android-backup-extractor\ngradle build\n\n# Backup entschlüsseln\njava -jar abe.jar unpack backup.ab backup.tar [password]\n```\n\n## Problem: Unzureichende Berechtigungen für Datenextraktion\n\n### Lösung: Alternative Extraktionsmethoden\n```bash\n# AFLogical OSE für begrenzte Extraktion ohne Root\n# WhatsApp Key/DB Extractor für spezifische Apps\n# Backup-basierte Extraktion als Fallback\n\n# Custom Recovery für erweiterten Zugang\nfastboot flash recovery twrp-device.img\n```\n\n## Problem: ALEAPP Parsing-Fehler\n\n### Lösung: Datenformat-Probleme beheben\n```bash\n# Log-Dateien prüfen\npython3 aleapp.py -t dir -i /path/to/data -o output --debug\n\n# Spezifische Parser deaktivieren\n# Manuelle SQLite-Analyse bei Parser-Fehlern\nsqlite3 database.db \".tables\"\nsqlite3 database.db \".schema table_name\"\n```\n\n# Erweiterte Techniken\n\n## Memory Forensics mit LiME\n\n### LiME für ARM-Devices kompilieren\n```bash\n# Cross-Compilation Setup\nexport ARCH=arm\nexport CROSS_COMPILE=arm-linux-gnueabi-\nexport KERNEL_DIR=/path/to/kernel/source\n\n# LiME Module kompilieren\ngit clone https://github.com/504ensicsLabs/LiME.git\ncd LiME/src\nmake\n\n# Memory Dump erstellen (Root erforderlich)\nadb push lime.ko /data/local/tmp/\nadb shell su -c \"insmod /data/local/tmp/lime.ko 'path=/sdcard/memory.lime format=lime'\"\n```\n\n### Volatility-Analyse von Android Memory\n```bash\n# Memory Dump analysieren\npython vol.py -f memory.lime --profile=Linux \u003Cprofile> linux.pslist\npython vol.py -f memory.lime --profile=Linux \u003Cprofile> linux.bash\npython vol.py -f memory.lime --profile=Linux \u003Cprofile> linux.netstat\n```\n\n## FRIDA-basierte Runtime-Analyse\n\n### FRIDA für Kryptographie-Hooks\n```javascript\n// crypto_hooks.js - SSL/TLS Traffic abfangen\nJava.perform(function() {\n    var SSLContext = Java.use(\"javax.net.ssl.SSLContext\");\n    SSLContext.init.overload('[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom').implementation = function(keyManagers, trustManagers, secureRandom) {\n        console.log(\"[+] SSLContext.init() called\");\n        this.init(keyManagers, trustManagers, secureRandom);\n    };\n});\n```\n\n### FRIDA Installation und Verwendung\n```bash\n# FRIDA Server auf Android-Gerät installieren\nadb push frida-server /data/local/tmp/\nadb shell su -c \"chmod 755 /data/local/tmp/frida-server\"\nadb shell su -c \"/data/local/tmp/frida-server &\"\n\n# Script ausführen\nfrida -U -l crypto_hooks.js com.target.package\n```\n\n## Custom Recovery und Fastboot-Exploits\n\n### TWRP Installation für forensischen Zugang\n```bash\n# Bootloader entsperren (Herstellerabhängig)\nfastboot oem unlock\n# Oder\nfastboot flashing unlock\n\n# TWRP flashen\nfastboot flash recovery twrp-device.img\nfastboot boot twrp-device.img  # Temporäre Installation\n\n# In TWRP: ADB-Zugang mit Root-Berechtigungen\nadb shell mount /system\nadb shell mount /data\n```\n\n### Partitions-Imaging mit dd\n```bash\n# Vollständige Partition-Liste\nadb shell cat /proc/partitions\n\n# Kritische Partitionen extrahieren\nadb shell dd if=/dev/block/bootdevice/by-name/system of=/external_sd/system.img\nadb shell dd if=/dev/block/bootdevice/by-name/userdata of=/external_sd/userdata.img\nadb shell dd if=/dev/block/bootdevice/by-name/boot of=/external_sd/boot.img\n```\n\n## SQLite Forensics und gelöschte Daten\n\n### Erweiterte SQLite-Analyse\n```bash\n# Freelist-Analyse für gelöschte Einträge\nsqlite3 database.db \"PRAGMA freelist_count;\"\nsqlite3 database.db \"PRAGMA page_size;\"\n\n# WAL-Datei Analyse\nsqlite3 database.db \"PRAGMA wal_checkpoint;\"\nstrings database.db-wal | grep -i \"search_term\"\n\n# Undark für Deleted Record Recovery\nundark database.db --freelist --export-csv\n```\n\n### Timeline-Rekonstruktion\n```bash\n# Autopsy Timeline-Generierung\n# Tools → Generate Timeline\n# Analyse von MAC-Times (Modified, Accessed, Created)\n\n# Plaso Timeline-Tools\nlog2timeline.py timeline.plaso /path/to/android/data/\npsort.py -o dynamic timeline.plaso\n```\n\n## Weiterführende Ressourcen\n\n### Dokumentation und Standards\n- [NIST SP 800-101 Rev. 1 - Mobile Device Forensics Guidelines](https://csrc.nist.gov/pubs/sp/800/101/r1/final)\n- [SANS FOR585 - Smartphone Forensics](https://www.sans.org/cyber-security-courses/advanced-smartphone-mobile-device-forensics/)\n- [ALEAPP GitHub Repository](https://github.com/abrignoni/ALEAPP)\n- [MVT Documentation](https://docs.mvt.re/en/latest/)\n\n### Community und Weiterbildung\n- [Autopsy User Documentation](https://sleuthkit.org/autopsy/docs/)\n- [Android Forensics References](https://github.com/impillar/AndroidReferences/blob/master/AndroidTools.md)\n- [Digital Forensics Framework Collection](https://github.com/mesquidar/ForensicsTools)\n\n### Spezialisierte Tools\n- [MTKClient für MediaTek Exploits](https://github.com/bkerler/mtkclient)\n- [Android Forensics Framework](https://github.com/nowsecure/android-forensics)\n- [Santoku Linux Mobile Forensics Distribution](https://santoku-linux.com/)\n\n---\n\n**Wichtiger Hinweis**: Diese Anleitung dient ausschließlich für autorisierte forensische Untersuchungen. Stellen Sie sicher, dass Sie über entsprechende rechtliche Befugnisse verfügen, bevor Sie diese Techniken anwenden. Bei Zweifeln konsultieren Sie Rechtsberatung.","src/content/knowledgebase/android-logical-imaging.md","0bb3f1d2c872d2bf",{"html":363,"metadata":364},"\u003Ch1 id=\"übersicht\">Übersicht\u003C/h1>\n\u003Cp>Open-Source Android Forensik bietet robuste Alternativen zu kommerziellen Lösungen wie Cellebrite UFED und Magnet AXIOM. Besonders für ältere Android-Geräte (5+ Jahre) existieren bewährte Methoden zur Datenextraktion und -analyse.\u003C/p>\n\u003Ch2 id=\"kernkomponenten-des-open-source-forensik-stacks\">Kernkomponenten des Open-Source Forensik-Stacks\u003C/h2>\n\u003Cp>\u003Cstrong>Autopsy Digital Forensics Platform\u003C/strong> bildet das Fundament mit GUI-basierter Analyse und integrierten Android-Parsing-Fähigkeiten. Die Plattform unterstützt \u003Cstrong>ALEAPP (Android Logs Events And Protobuf Parser)\u003C/strong>, das über 100 Artefakt-Kategorien aus Android-Extraktionen parst.\u003C/p>\n\u003Cp>\u003Cstrong>Mobile Verification Toolkit (MVT)\u003C/strong> von Amnesty International bietet spezialisierte Command-Line-Tools für Android-Analyse mit Fokus auf Kompromittierungserkennung.\u003C/p>\n\u003Cp>\u003Cstrong>SIFT Workstation\u003C/strong> stellt eine komplette Ubuntu-basierte forensische Umgebung mit 125+ vorinstallierten Tools bereit.\u003C/p>\n\u003Ch2 id=\"erfolgsraten-nach-gerätealter\">Erfolgsraten nach Gerätealter\u003C/h2>\n\u003Cul>\n\u003Cli>\u003Cstrong>Pre-2017 Geräte\u003C/strong>: 85-98% logische Extraktion, 30-70% physische Extraktion\u003C/li>\n\u003Cli>\u003Cstrong>2017-2019 Geräte\u003C/strong>: 80-95% logische Extraktion, 15-35% physische Extraktion\u003C/li>\n\u003Cli>\u003Cstrong>2020+ Geräte\u003C/strong>: 70-85% logische Extraktion, 5-15% physische Extraktion\u003C/li>\n\u003C/ul>\n\u003Ch1 id=\"installation\">Installation\u003C/h1>\n\u003Ch2 id=\"sift-workstation-setup\">SIFT Workstation Setup\u003C/h2>\n\u003Ch3 id=\"systemanforderungen\">Systemanforderungen\u003C/h3>\n\u003Cul>\n\u003Cli>Quad-Core CPU 2.5GHz+\u003C/li>\n\u003Cli>16GB+ RAM\u003C/li>\n\u003Cli>500GB+ SSD Speicher\u003C/li>\n\u003Cli>USB 3.0+ Anschlüsse\u003C/li>\n\u003C/ul>\n\u003Ch3 id=\"installation-1\">Installation\u003C/h3>\n\u003Col>\n\u003Cli>Download von \u003Ca href=\"https://www.sans.org/tools/sift-workstation/\">SANS SIFT Workstation\u003C/a>\u003C/li>\n\u003Cli>VMware/VirtualBox Import der OVA-Datei\u003C/li>\n\u003Cli>VM-Konfiguration: 8GB+ RAM, 4+ CPU-Kerne\u003C/li>\n\u003C/ol>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Update nach Installation\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">sudo\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> apt\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> update\u003C/span>\u003Cspan style=\"color:#E1E4E8\"> && \u003C/span>\u003Cspan style=\"color:#B392F0\">sudo\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> apt\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> upgrade\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -y\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">sudo\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> sift\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> update\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch2 id=\"autopsy-installation\">Autopsy Installation\u003C/h2>\n\u003Ch3 id=\"windows-installation\">Windows Installation\u003C/h3>\n\u003Col>\n\u003Cli>Download von \u003Ca href=\"https://www.autopsy.com/\">autopsy.com\u003C/a>\u003C/li>\n\u003Cli>Java 8+ Installation erforderlich\u003C/li>\n\u003Cli>Installation mit Administratorrechten\u003C/li>\n\u003C/ol>\n\u003Ch3 id=\"linux-installation\">Linux Installation\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Ubuntu/Debian\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">sudo\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> apt\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> install\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> autopsy\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> sleuthkit\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Oder manueller Download und Installation\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">wget\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> https://github.com/sleuthkit/autopsy/releases/latest\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch2 id=\"essential-tools-installation\">Essential Tools Installation\u003C/h2>\n\u003Ch3 id=\"android-debug-bridge-adb\">Android Debug Bridge (ADB)\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Ubuntu/Debian\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">sudo\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> apt\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> install\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> android-tools-adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> android-tools-fastboot\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Windows - Download Android Platform Tools\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># https://developer.android.com/studio/releases/platform-tools\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"aleapp-installation\">ALEAPP Installation\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">git\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> clone\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> https://github.com/abrignoni/ALEAPP.git\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#79B8FF\">cd\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> ALEAPP\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">pip3\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> install\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -r\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> requirements.txt\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"mobile-verification-toolkit-mvt\">Mobile Verification Toolkit (MVT)\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">pip3\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> install\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> mvt\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Oder via GitHub für neueste Version\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">git\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> clone\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> https://github.com/mvt-project/mvt.git\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#79B8FF\">cd\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> mvt\u003C/span>\u003Cspan style=\"color:#E1E4E8\"> && \u003C/span>\u003Cspan style=\"color:#B392F0\">pip3\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> install\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> .\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"andriller-installation\">Andriller Installation\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">git\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> clone\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> https://github.com/den4uk/andriller.git\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#79B8FF\">cd\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> andriller\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">pip3\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> install\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -r\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> requirements.txt\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch1 id=\"konfiguration\">Konfiguration\u003C/h1>\n\u003Ch2 id=\"adb-setup-und-gerätevorbereitung\">ADB Setup und Gerätevorbereitung\u003C/h2>\n\u003Ch3 id=\"usb-debugging-aktivieren\">USB-Debugging aktivieren\u003C/h3>\n\u003Col>\n\u003Cli>Entwickleroptionen freischalten (7x Build-Nummer antippen)\u003C/li>\n\u003Cli>USB-Debugging aktivieren\u003C/li>\n\u003Cli>Gerät via USB verbinden\u003C/li>\n\u003Cli>RSA-Fingerprint akzeptieren\u003C/li>\n\u003C/ol>\n\u003Ch3 id=\"adb-verbindung-testen\">ADB Verbindung testen\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> devices\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Sollte Gerät mit \"device\" Status zeigen\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> shell\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> getprop\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> ro.build.version.release\u003C/span>\u003Cspan style=\"color:#6A737D\">  # Android Version\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> shell\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> getprop\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> ro.product.model\u003C/span>\u003Cspan style=\"color:#6A737D\">         # Gerätemodell\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch2 id=\"autopsy-projektkonfiguration\">Autopsy Projektkonfiguration\u003C/h2>\n\u003Ch3 id=\"case-setup\">Case-Setup\u003C/h3>\n\u003Col>\n\u003Cli>Neuen Fall erstellen\u003C/li>\n\u003Cli>Ermittler-Informationen eingeben\u003C/li>\n\u003Cli>Case-Verzeichnis festlegen (ausreichend Speicherplatz)\u003C/li>\n\u003C/ol>\n\u003Ch3 id=\"android-analyzer-module-aktivieren\">Android Analyzer Module aktivieren\u003C/h3>\n\u003Cul>\n\u003Cli>Tools → Options → Modules\u003C/li>\n\u003Cli>Android Analyzer aktivieren\u003C/li>\n\u003Cli>ALEAPP Integration konfigurieren\u003C/li>\n\u003C/ul>\n\u003Ch3 id=\"hash-algorithmen-konfigurieren\">Hash-Algorithmen konfigurieren\u003C/h3>\n\u003Cul>\n\u003Cli>MD5, SHA-1, SHA-256 für Integritätsprüfung\u003C/li>\n\u003Cli>Automatische Hash-Berechnung bei Import aktivieren\u003C/li>\n\u003C/ul>\n\u003Ch2 id=\"mvt-konfiguration\">MVT Konfiguration\u003C/h2>\n\u003Ch3 id=\"konfigurationsdatei-erstellen\">Konfigurationsdatei erstellen\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"yaml\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># ~/.mvt/config.yaml\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#85E89D\">adb_path\u003C/span>\u003Cspan style=\"color:#E1E4E8\">: \u003C/span>\u003Cspan style=\"color:#9ECBFF\">\"/usr/bin/adb\"\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#85E89D\">output_folder\u003C/span>\u003Cspan style=\"color:#E1E4E8\">: \u003C/span>\u003Cspan style=\"color:#9ECBFF\">\"/home/user/mvt_output\"\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch1 id=\"verwendungsbeispiele\">Verwendungsbeispiele\u003C/h1>\n\u003Ch2 id=\"fall-1-logische-datenextraktion-mit-adb\">Fall 1: Logische Datenextraktion mit ADB\u003C/h2>\n\u003Ch3 id=\"geräteinformationen-sammeln\">Geräteinformationen sammeln\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Systeminfo\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> shell\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> getprop\u003C/span>\u003Cspan style=\"color:#F97583\"> >\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> device_properties.txt\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> shell\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> cat\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /proc/version\u003C/span>\u003Cspan style=\"color:#F97583\"> >\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> kernel_info.txt\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> shell\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> mount\u003C/span>\u003Cspan style=\"color:#F97583\"> >\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> mount_info.txt\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Installierte Apps\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> shell\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> pm\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> list\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> packages\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -f\u003C/span>\u003Cspan style=\"color:#F97583\"> >\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> installed_packages.txt\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"datenbank-extraktion\">Datenbank-Extraktion\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># SMS/MMS Datenbank\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> pull\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /data/data/com.android.providers.telephony/databases/mmssms.db\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Kontakte\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> pull\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /data/data/com.android.providers.contacts/databases/contacts2.db\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Anrufliste  \u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> pull\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /data/data/com.android.providers.contacts/databases/calllog.db\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"whatsapp-datenextraktion\">WhatsApp Datenextraktion\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># WhatsApp Datenbanken (Root erforderlich)\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> shell\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> su\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -c\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> \"cp -r /data/data/com.whatsapp/ /sdcard/whatsapp_backup/\"\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> pull\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /sdcard/whatsapp_backup/\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch2 id=\"fall-2-android-backup-analyse\">Fall 2: Android Backup-Analyse\u003C/h2>\n\u003Ch3 id=\"vollständiges-backup-erstellen\">Vollständiges Backup erstellen\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Umfassendes Backup (ohne Root)\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> backup\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -all\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -system\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -apk\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -shared\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -f\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> backup.ab\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Backup entschlüsseln (falls verschlüsselt)\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">java\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -jar\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> abe.jar\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> unpack\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> backup.ab\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> backup.tar\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">tar\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -xf\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> backup.tar\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"backup-mit-aleapp-analysieren\">Backup mit ALEAPP analysieren\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">python3\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> aleappGUI.py\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Oder Command-Line\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">python3\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> aleapp.py\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -t\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> tar\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -i\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> backup.tar\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -o\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> output_folder\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch2 id=\"fall-3-mvt-kompromittierungsanalyse\">Fall 3: MVT Kompromittierungsanalyse\u003C/h2>\n\u003Ch3 id=\"live-geräteanalyse\">Live-Geräteanalyse\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># ADB-basierte Analyse\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">mvt-android\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> check-adb\u003C/span>\u003Cspan style=\"color:#79B8FF\"> --output\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /path/to/output/\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Backup-Analyse\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">mvt-android\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> check-backup\u003C/span>\u003Cspan style=\"color:#79B8FF\"> --output\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /path/to/output/\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> backup.ab\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"ioc-suche-mit-pegasus-indikatoren\">IOC-Suche mit Pegasus-Indikatoren\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Mit vorgefertigten IOCs\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">mvt-android\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> check-adb\u003C/span>\u003Cspan style=\"color:#79B8FF\"> --iocs\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /path/to/pegasus.stix2\u003C/span>\u003Cspan style=\"color:#79B8FF\"> --output\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> results/\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch2 id=\"fall-4-physische-extraktion-root-erforderlich\">Fall 4: Physische Extraktion (Root erforderlich)\u003C/h2>\n\u003Ch3 id=\"device-rooting---mediatek-geräte\">Device Rooting - MediaTek Geräte\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># MTKClient für MediaTek-Chipsets\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">git\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> clone\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> https://github.com/bkerler/mtkclient.git\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#79B8FF\">cd\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> mtkclient\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">python3\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> mtk\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> payload\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Nach erfolgreichem Root\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> shell\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> su\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"vollständiges-memory-dump\">Vollständiges Memory Dump\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Partitionslayout ermitteln\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> shell\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> su\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -c\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> \"cat /proc/partitions\"\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> shell\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> su\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -c\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> \"ls -la /dev/block/\"\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Vollständiges Device Image (Root erforderlich)\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> shell\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> su\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -c\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> \"dd if=/dev/block/mmcblk0 of=/sdcard/full_device.img bs=4096\"\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> pull\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /sdcard/full_device.img\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch1 id=\"best-practices\">Best Practices\u003C/h1>\n\u003Ch2 id=\"rechtliche-compliance\">Rechtliche Compliance\u003C/h2>\n\u003Ch3 id=\"dokumentation-und-chain-of-custody\">Dokumentation und Chain of Custody\u003C/h3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Vollständige Dokumentation\u003C/strong>: Wer, Was, Wann, Wo, Warum\u003C/li>\n\u003Cli>\u003Cstrong>Hash-Verifikation\u003C/strong>: MD5/SHA-256 für alle extrahierten Daten\u003C/li>\n\u003Cli>\u003Cstrong>Nur forensische Kopien analysieren\u003C/strong>, niemals Originaldaten\u003C/li>\n\u003Cli>\u003Cstrong>Schriftliche Genehmigung\u003C/strong> für Geräteanalyse einholen\u003C/li>\n\u003C/ul>\n\u003Ch3 id=\"familiengeräte-und-nachlässe\">Familiengeräte und Nachlässe\u003C/h3>\n\u003Cul>\n\u003Cli>Genehmigung durch Nachlassverwalter erforderlich\u003C/li>\n\u003Cli>Gerichtsbeschlüsse für Cloud-Zugang eventuell nötig\u003C/li>\n\u003Cli>Drittpartei-Kommunikation kann weiterhin geschützt sein\u003C/li>\n\u003C/ul>\n\u003Ch2 id=\"technische-best-practices\">Technische Best Practices\u003C/h2>\n\u003Ch3 id=\"hash-integrität-sicherstellen\">Hash-Integrität sicherstellen\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Hash vor und nach Transfer prüfen\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">md5sum\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> original_file.db\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">sha256sum\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> original_file.db\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Hash-Verifikation dokumentieren\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#79B8FF\">echo\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> \"$(\u003C/span>\u003Cspan style=\"color:#B392F0\">date\u003C/span>\u003Cspan style=\"color:#9ECBFF\">): MD5: $(\u003C/span>\u003Cspan style=\"color:#B392F0\">md5sum\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> file.db)\"\u003C/span>\u003Cspan style=\"color:#F97583\"> >>\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> chain_of_custody.log\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"sichere-arbeitsumgebung\">Sichere Arbeitsumgebung\u003C/h3>\n\u003Cul>\n\u003Cli>Isolierte VM für Forensik-Arbeit\u003C/li>\n\u003Cli>Netzwerk-Isolation während Analyse\u003C/li>\n\u003Cli>Verschlüsselte Speicherung aller Evidenz\u003C/li>\n\u003Cli>Regelmäßige Backups der Case-Datenbanken\u003C/li>\n\u003C/ul>\n\u003Ch3 id=\"qualitätssicherung\">Qualitätssicherung\u003C/h3>\n\u003Cul>\n\u003Cli>Peer-Review kritischer Analysen\u003C/li>\n\u003Cli>Standardisierte Arbeitsabläufe (SOPs)\u003C/li>\n\u003Cli>Regelmäßige Tool-Validierung\u003C/li>\n\u003Cli>Kontinuierliche Weiterbildung\u003C/li>\n\u003C/ul>\n\u003Ch2 id=\"erfolgsmaximierung-nach-gerätehersteller\">Erfolgsmaximierung nach Gerätehersteller\u003C/h2>\n\u003Ch3 id=\"mediatek-geräte-höchste-erfolgsrate\">MediaTek-Geräte (Höchste Erfolgsrate)\u003C/h3>\n\u003Cul>\n\u003Cli>BootROM-Exploits für MT6735, MT6737, MT6750, MT6753, MT6797\u003C/li>\n\u003Cli>MTKClient für Hardware-Level-Zugang\u003C/li>\n\u003Cli>Erfolgsrate: 80%+ für Geräte 2015-2019\u003C/li>\n\u003C/ul>\n\u003Ch3 id=\"samsung-geräte\">Samsung-Geräte\u003C/h3>\n\u003Cul>\n\u003Cli>Ältere Knox-Implementierungen umgehbar\u003C/li>\n\u003Cli>Emergency Dialer Exploits für Android 4.x\u003C/li>\n\u003Cli>Erfolgsrate: 40-70% je nach Knox-Version\u003C/li>\n\u003C/ul>\n\u003Ch3 id=\"pixelnexus-geräte\">Pixel/Nexus-Geräte\u003C/h3>\n\u003Cul>\n\u003Cli>Bootloader-Unlocking oft möglich\u003C/li>\n\u003Cli>Fastboot-basierte Recovery-Installation\u003C/li>\n\u003Cli>Erfolgsrate: 60-80% bei freigeschaltetem Bootloader\u003C/li>\n\u003C/ul>\n\u003Ch1 id=\"troubleshooting\">Troubleshooting\u003C/h1>\n\u003Ch2 id=\"problem-adb-erkennt-gerät-nicht\">Problem: ADB erkennt Gerät nicht\u003C/h2>\n\u003Ch3 id=\"lösung-usb-treiber-und-berechtigungen\">Lösung: USB-Treiber und Berechtigungen\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Linux: USB-Berechtigungen prüfen\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">lsusb\u003C/span>\u003Cspan style=\"color:#F97583\"> |\u003C/span>\u003Cspan style=\"color:#B392F0\"> grep\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -i\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> android\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">sudo\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> chmod\u003C/span>\u003Cspan style=\"color:#79B8FF\"> 666\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /dev/bus/usb/XXX/XXX\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># udev-Regeln erstellen\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#79B8FF\">echo\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> 'SUBSYSTEM==\"usb\", ATTR{idVendor}==\"18d1\", MODE=\"0666\", GROUP=\"plugdev\"'\u003C/span>\u003Cspan style=\"color:#F97583\"> |\u003C/span>\u003Cspan style=\"color:#B392F0\"> sudo\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> tee\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /etc/udev/rules.d/51-android.rules\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">sudo\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> udevadm\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> control\u003C/span>\u003Cspan style=\"color:#79B8FF\"> --reload-rules\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"windows-treiber-installation\">Windows: Treiber-Installation\u003C/h3>\n\u003Col>\n\u003Cli>Geräte-Manager öffnen\u003C/li>\n\u003Cli>Android-Gerät mit Warnsymbol finden\u003C/li>\n\u003Cli>Treiber manuell installieren (Android USB Driver)\u003C/li>\n\u003C/ol>\n\u003Ch2 id=\"problem-verschlüsselte-android-backups\">Problem: Verschlüsselte Android Backups\u003C/h2>\n\u003Ch3 id=\"lösung-android-backup-extractor\">Lösung: Android Backup Extractor\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># ADB Backup Extractor installieren\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">git\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> clone\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> https://github.com/nelenkov/android-backup-extractor.git\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#79B8FF\">cd\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> android-backup-extractor\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">gradle\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> build\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Backup entschlüsseln\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">java\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -jar\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> abe.jar\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> unpack\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> backup.ab\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> backup.tar\u003C/span>\u003Cspan style=\"color:#E1E4E8\"> [password]\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch2 id=\"problem-unzureichende-berechtigungen-für-datenextraktion\">Problem: Unzureichende Berechtigungen für Datenextraktion\u003C/h2>\n\u003Ch3 id=\"lösung-alternative-extraktionsmethoden\">Lösung: Alternative Extraktionsmethoden\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># AFLogical OSE für begrenzte Extraktion ohne Root\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># WhatsApp Key/DB Extractor für spezifische Apps\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Backup-basierte Extraktion als Fallback\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Custom Recovery für erweiterten Zugang\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">fastboot\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> flash\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> recovery\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> twrp-device.img\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch2 id=\"problem-aleapp-parsing-fehler\">Problem: ALEAPP Parsing-Fehler\u003C/h2>\n\u003Ch3 id=\"lösung-datenformat-probleme-beheben\">Lösung: Datenformat-Probleme beheben\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Log-Dateien prüfen\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">python3\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> aleapp.py\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -t\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> dir\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -i\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /path/to/data\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -o\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> output\u003C/span>\u003Cspan style=\"color:#79B8FF\"> --debug\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Spezifische Parser deaktivieren\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Manuelle SQLite-Analyse bei Parser-Fehlern\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">sqlite3\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> database.db\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> \".tables\"\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">sqlite3\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> database.db\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> \".schema table_name\"\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch1 id=\"erweiterte-techniken\">Erweiterte Techniken\u003C/h1>\n\u003Ch2 id=\"memory-forensics-mit-lime\">Memory Forensics mit LiME\u003C/h2>\n\u003Ch3 id=\"lime-für-arm-devices-kompilieren\">LiME für ARM-Devices kompilieren\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Cross-Compilation Setup\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#F97583\">export\u003C/span>\u003Cspan style=\"color:#E1E4E8\"> ARCH\u003C/span>\u003Cspan style=\"color:#F97583\">=\u003C/span>\u003Cspan style=\"color:#E1E4E8\">arm\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#F97583\">export\u003C/span>\u003Cspan style=\"color:#E1E4E8\"> CROSS_COMPILE\u003C/span>\u003Cspan style=\"color:#F97583\">=\u003C/span>\u003Cspan style=\"color:#E1E4E8\">arm-linux-gnueabi-\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#F97583\">export\u003C/span>\u003Cspan style=\"color:#E1E4E8\"> KERNEL_DIR\u003C/span>\u003Cspan style=\"color:#F97583\">=\u003C/span>\u003Cspan style=\"color:#E1E4E8\">/path/to/kernel/source\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># LiME Module kompilieren\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">git\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> clone\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> https://github.com/504ensicsLabs/LiME.git\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#79B8FF\">cd\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> LiME/src\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">make\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Memory Dump erstellen (Root erforderlich)\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> push\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> lime.ko\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /data/local/tmp/\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> shell\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> su\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -c\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> \"insmod /data/local/tmp/lime.ko 'path=/sdcard/memory.lime format=lime'\"\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"volatility-analyse-von-android-memory\">Volatility-Analyse von Android Memory\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Memory Dump analysieren\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">python\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> vol.py\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -f\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> memory.lime\u003C/span>\u003Cspan style=\"color:#79B8FF\"> --profile=Linux\u003C/span>\u003Cspan style=\"color:#F97583\"> <\u003C/span>\u003Cspan style=\"color:#9ECBFF\">profil\u003C/span>\u003Cspan style=\"color:#E1E4E8\">e\u003C/span>\u003Cspan style=\"color:#F97583\">>\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> linux.pslist\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">python\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> vol.py\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -f\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> memory.lime\u003C/span>\u003Cspan style=\"color:#79B8FF\"> --profile=Linux\u003C/span>\u003Cspan style=\"color:#F97583\"> <\u003C/span>\u003Cspan style=\"color:#9ECBFF\">profil\u003C/span>\u003Cspan style=\"color:#E1E4E8\">e\u003C/span>\u003Cspan style=\"color:#F97583\">>\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> linux.bash\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">python\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> vol.py\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -f\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> memory.lime\u003C/span>\u003Cspan style=\"color:#79B8FF\"> --profile=Linux\u003C/span>\u003Cspan style=\"color:#F97583\"> <\u003C/span>\u003Cspan style=\"color:#9ECBFF\">profil\u003C/span>\u003Cspan style=\"color:#E1E4E8\">e\u003C/span>\u003Cspan style=\"color:#F97583\">>\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> linux.netstat\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch2 id=\"frida-basierte-runtime-analyse\">FRIDA-basierte Runtime-Analyse\u003C/h2>\n\u003Ch3 id=\"frida-für-kryptographie-hooks\">FRIDA für Kryptographie-Hooks\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"javascript\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\">// crypto_hooks.js - SSL/TLS Traffic abfangen\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#E1E4E8\">Java.\u003C/span>\u003Cspan style=\"color:#B392F0\">perform\u003C/span>\u003Cspan style=\"color:#E1E4E8\">(\u003C/span>\u003Cspan style=\"color:#F97583\">function\u003C/span>\u003Cspan style=\"color:#E1E4E8\">() {\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#F97583\">    var\u003C/span>\u003Cspan style=\"color:#E1E4E8\"> SSLContext \u003C/span>\u003Cspan style=\"color:#F97583\">=\u003C/span>\u003Cspan style=\"color:#E1E4E8\"> Java.\u003C/span>\u003Cspan style=\"color:#B392F0\">use\u003C/span>\u003Cspan style=\"color:#E1E4E8\">(\u003C/span>\u003Cspan style=\"color:#9ECBFF\">\"javax.net.ssl.SSLContext\"\u003C/span>\u003Cspan style=\"color:#E1E4E8\">);\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#E1E4E8\">    SSLContext.init.\u003C/span>\u003Cspan style=\"color:#B392F0\">overload\u003C/span>\u003Cspan style=\"color:#E1E4E8\">(\u003C/span>\u003Cspan style=\"color:#9ECBFF\">'[Ljavax.net.ssl.KeyManager;'\u003C/span>\u003Cspan style=\"color:#E1E4E8\">, \u003C/span>\u003Cspan style=\"color:#9ECBFF\">'[Ljavax.net.ssl.TrustManager;'\u003C/span>\u003Cspan style=\"color:#E1E4E8\">, \u003C/span>\u003Cspan style=\"color:#9ECBFF\">'java.security.SecureRandom'\u003C/span>\u003Cspan style=\"color:#E1E4E8\">).\u003C/span>\u003Cspan style=\"color:#B392F0\">implementation\u003C/span>\u003Cspan style=\"color:#F97583\"> =\u003C/span>\u003Cspan style=\"color:#F97583\"> function\u003C/span>\u003Cspan style=\"color:#E1E4E8\">(\u003C/span>\u003Cspan style=\"color:#FFAB70\">keyManagers\u003C/span>\u003Cspan style=\"color:#E1E4E8\">, \u003C/span>\u003Cspan style=\"color:#FFAB70\">trustManagers\u003C/span>\u003Cspan style=\"color:#E1E4E8\">, \u003C/span>\u003Cspan style=\"color:#FFAB70\">secureRandom\u003C/span>\u003Cspan style=\"color:#E1E4E8\">) {\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#E1E4E8\">        console.\u003C/span>\u003Cspan style=\"color:#B392F0\">log\u003C/span>\u003Cspan style=\"color:#E1E4E8\">(\u003C/span>\u003Cspan style=\"color:#9ECBFF\">\"[+] SSLContext.init() called\"\u003C/span>\u003Cspan style=\"color:#E1E4E8\">);\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#79B8FF\">        this\u003C/span>\u003Cspan style=\"color:#E1E4E8\">.\u003C/span>\u003Cspan style=\"color:#B392F0\">init\u003C/span>\u003Cspan style=\"color:#E1E4E8\">(keyManagers, trustManagers, secureRandom);\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#E1E4E8\">    };\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#E1E4E8\">});\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"frida-installation-und-verwendung\">FRIDA Installation und Verwendung\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># FRIDA Server auf Android-Gerät installieren\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> push\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> frida-server\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /data/local/tmp/\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> shell\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> su\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -c\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> \"chmod 755 /data/local/tmp/frida-server\"\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> shell\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> su\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -c\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> \"/data/local/tmp/frida-server &\"\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Script ausführen\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">frida\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -U\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -l\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> crypto_hooks.js\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> com.target.package\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch2 id=\"custom-recovery-und-fastboot-exploits\">Custom Recovery und Fastboot-Exploits\u003C/h2>\n\u003Ch3 id=\"twrp-installation-für-forensischen-zugang\">TWRP Installation für forensischen Zugang\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Bootloader entsperren (Herstellerabhängig)\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">fastboot\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> oem\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> unlock\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Oder\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">fastboot\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> flashing\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> unlock\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># TWRP flashen\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">fastboot\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> flash\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> recovery\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> twrp-device.img\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">fastboot\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> boot\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> twrp-device.img\u003C/span>\u003Cspan style=\"color:#6A737D\">  # Temporäre Installation\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># In TWRP: ADB-Zugang mit Root-Berechtigungen\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> shell\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> mount\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /system\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> shell\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> mount\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /data\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"partitions-imaging-mit-dd\">Partitions-Imaging mit dd\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Vollständige Partition-Liste\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> shell\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> cat\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /proc/partitions\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Kritische Partitionen extrahieren\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> shell\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> dd\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> if=/dev/block/bootdevice/by-name/system\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> of=/external_sd/system.img\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> shell\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> dd\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> if=/dev/block/bootdevice/by-name/userdata\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> of=/external_sd/userdata.img\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> shell\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> dd\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> if=/dev/block/bootdevice/by-name/boot\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> of=/external_sd/boot.img\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch2 id=\"sqlite-forensics-und-gelöschte-daten\">SQLite Forensics und gelöschte Daten\u003C/h2>\n\u003Ch3 id=\"erweiterte-sqlite-analyse\">Erweiterte SQLite-Analyse\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Freelist-Analyse für gelöschte Einträge\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">sqlite3\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> database.db\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> \"PRAGMA freelist_count;\"\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">sqlite3\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> database.db\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> \"PRAGMA page_size;\"\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># WAL-Datei Analyse\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">sqlite3\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> database.db\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> \"PRAGMA wal_checkpoint;\"\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">strings\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> database.db-wal\u003C/span>\u003Cspan style=\"color:#F97583\"> |\u003C/span>\u003Cspan style=\"color:#B392F0\"> grep\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -i\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> \"search_term\"\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Undark für Deleted Record Recovery\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">undark\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> database.db\u003C/span>\u003Cspan style=\"color:#79B8FF\"> --freelist\u003C/span>\u003Cspan style=\"color:#79B8FF\"> --export-csv\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"timeline-rekonstruktion\">Timeline-Rekonstruktion\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Autopsy Timeline-Generierung\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Tools → Generate Timeline\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Analyse von MAC-Times (Modified, Accessed, Created)\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Plaso Timeline-Tools\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">log2timeline.py\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> timeline.plaso\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /path/to/android/data/\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">psort.py\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -o\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> dynamic\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> timeline.plaso\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch2 id=\"weiterführende-ressourcen\">Weiterführende Ressourcen\u003C/h2>\n\u003Ch3 id=\"dokumentation-und-standards\">Dokumentation und Standards\u003C/h3>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https://csrc.nist.gov/pubs/sp/800/101/r1/final\">NIST SP 800-101 Rev. 1 - Mobile Device Forensics Guidelines\u003C/a>\u003C/li>\n\u003Cli>\u003Ca href=\"https://www.sans.org/cyber-security-courses/advanced-smartphone-mobile-device-forensics/\">SANS FOR585 - Smartphone Forensics\u003C/a>\u003C/li>\n\u003Cli>\u003Ca href=\"https://github.com/abrignoni/ALEAPP\">ALEAPP GitHub Repository\u003C/a>\u003C/li>\n\u003Cli>\u003Ca href=\"https://docs.mvt.re/en/latest/\">MVT Documentation\u003C/a>\u003C/li>\n\u003C/ul>\n\u003Ch3 id=\"community-und-weiterbildung\">Community und Weiterbildung\u003C/h3>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https://sleuthkit.org/autopsy/docs/\">Autopsy User Documentation\u003C/a>\u003C/li>\n\u003Cli>\u003Ca href=\"https://github.com/impillar/AndroidReferences/blob/master/AndroidTools.md\">Android Forensics References\u003C/a>\u003C/li>\n\u003Cli>\u003Ca href=\"https://github.com/mesquidar/ForensicsTools\">Digital Forensics Framework Collection\u003C/a>\u003C/li>\n\u003C/ul>\n\u003Ch3 id=\"spezialisierte-tools\">Spezialisierte Tools\u003C/h3>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https://github.com/bkerler/mtkclient\">MTKClient für MediaTek Exploits\u003C/a>\u003C/li>\n\u003Cli>\u003Ca href=\"https://github.com/nowsecure/android-forensics\">Android Forensics Framework\u003C/a>\u003C/li>\n\u003Cli>\u003Ca href=\"https://santoku-linux.com/\">Santoku Linux Mobile Forensics Distribution\u003C/a>\u003C/li>\n\u003C/ul>\n\u003Chr>\n\u003Cp>\u003Cstrong>Wichtiger Hinweis\u003C/strong>: Diese Anleitung dient ausschließlich für autorisierte forensische Untersuchungen. Stellen Sie sicher, dass Sie über entsprechende rechtliche Befugnisse verfügen, bevor Sie diese Techniken anwenden. Bei Zweifeln konsultieren Sie Rechtsberatung.\u003C/p>",{"headings":365,"localImagePaths":587,"remoteImagePaths":588,"frontmatter":346,"imagePaths":589},[366,367,370,373,374,377,380,382,385,388,391,394,397,400,403,406,407,410,413,416,419,422,425,428,431,434,435,438,441,444,447,450,453,456,459,462,465,468,471,474,475,478,481,484,487,490,493,496,499,502,505,508,509,512,515,518,521,524,527,530,533,536,539,542,545,548,551,554,557,560,563,566,569,572,575,578,581,584],{"depth":43,"slug":44,"text":45},{"depth":47,"slug":368,"text":369},"kernkomponenten-des-open-source-forensik-stacks","Kernkomponenten des Open-Source Forensik-Stacks",{"depth":47,"slug":371,"text":372},"erfolgsraten-nach-gerätealter","Erfolgsraten nach Gerätealter",{"depth":43,"slug":48,"text":49},{"depth":47,"slug":375,"text":376},"sift-workstation-setup","SIFT Workstation Setup",{"depth":51,"slug":378,"text":379},"systemanforderungen","Systemanforderungen",{"depth":51,"slug":381,"text":49},"installation-1",{"depth":47,"slug":383,"text":384},"autopsy-installation","Autopsy Installation",{"depth":51,"slug":386,"text":387},"windows-installation","Windows Installation",{"depth":51,"slug":389,"text":390},"linux-installation","Linux Installation",{"depth":47,"slug":392,"text":393},"essential-tools-installation","Essential Tools Installation",{"depth":51,"slug":395,"text":396},"android-debug-bridge-adb","Android Debug Bridge (ADB)",{"depth":51,"slug":398,"text":399},"aleapp-installation","ALEAPP Installation",{"depth":51,"slug":401,"text":402},"mobile-verification-toolkit-mvt","Mobile Verification Toolkit (MVT)",{"depth":51,"slug":404,"text":405},"andriller-installation","Andriller Installation",{"depth":43,"slug":58,"text":59},{"depth":47,"slug":408,"text":409},"adb-setup-und-gerätevorbereitung","ADB Setup und Gerätevorbereitung",{"depth":51,"slug":411,"text":412},"usb-debugging-aktivieren","USB-Debugging aktivieren",{"depth":51,"slug":414,"text":415},"adb-verbindung-testen","ADB Verbindung testen",{"depth":47,"slug":417,"text":418},"autopsy-projektkonfiguration","Autopsy Projektkonfiguration",{"depth":51,"slug":420,"text":421},"case-setup","Case-Setup",{"depth":51,"slug":423,"text":424},"android-analyzer-module-aktivieren","Android Analyzer Module aktivieren",{"depth":51,"slug":426,"text":427},"hash-algorithmen-konfigurieren","Hash-Algorithmen konfigurieren",{"depth":47,"slug":429,"text":430},"mvt-konfiguration","MVT Konfiguration",{"depth":51,"slug":432,"text":433},"konfigurationsdatei-erstellen","Konfigurationsdatei erstellen",{"depth":43,"slug":70,"text":71},{"depth":47,"slug":436,"text":437},"fall-1-logische-datenextraktion-mit-adb","Fall 1: Logische Datenextraktion mit ADB",{"depth":51,"slug":439,"text":440},"geräteinformationen-sammeln","Geräteinformationen sammeln",{"depth":51,"slug":442,"text":443},"datenbank-extraktion","Datenbank-Extraktion",{"depth":51,"slug":445,"text":446},"whatsapp-datenextraktion","WhatsApp Datenextraktion",{"depth":47,"slug":448,"text":449},"fall-2-android-backup-analyse","Fall 2: Android Backup-Analyse",{"depth":51,"slug":451,"text":452},"vollständiges-backup-erstellen","Vollständiges Backup erstellen",{"depth":51,"slug":454,"text":455},"backup-mit-aleapp-analysieren","Backup mit ALEAPP analysieren",{"depth":47,"slug":457,"text":458},"fall-3-mvt-kompromittierungsanalyse","Fall 3: MVT Kompromittierungsanalyse",{"depth":51,"slug":460,"text":461},"live-geräteanalyse","Live-Geräteanalyse",{"depth":51,"slug":463,"text":464},"ioc-suche-mit-pegasus-indikatoren","IOC-Suche mit Pegasus-Indikatoren",{"depth":47,"slug":466,"text":467},"fall-4-physische-extraktion-root-erforderlich","Fall 4: Physische Extraktion (Root erforderlich)",{"depth":51,"slug":469,"text":470},"device-rooting---mediatek-geräte","Device Rooting - MediaTek Geräte",{"depth":51,"slug":472,"text":473},"vollständiges-memory-dump","Vollständiges Memory Dump",{"depth":43,"slug":79,"text":80},{"depth":47,"slug":476,"text":477},"rechtliche-compliance","Rechtliche Compliance",{"depth":51,"slug":479,"text":480},"dokumentation-und-chain-of-custody","Dokumentation und Chain of Custody",{"depth":51,"slug":482,"text":483},"familiengeräte-und-nachlässe","Familiengeräte und Nachlässe",{"depth":47,"slug":485,"text":486},"technische-best-practices","Technische Best Practices",{"depth":51,"slug":488,"text":489},"hash-integrität-sicherstellen","Hash-Integrität sicherstellen",{"depth":51,"slug":491,"text":492},"sichere-arbeitsumgebung","Sichere Arbeitsumgebung",{"depth":51,"slug":494,"text":495},"qualitätssicherung","Qualitätssicherung",{"depth":47,"slug":497,"text":498},"erfolgsmaximierung-nach-gerätehersteller","Erfolgsmaximierung nach Gerätehersteller",{"depth":51,"slug":500,"text":501},"mediatek-geräte-höchste-erfolgsrate","MediaTek-Geräte (Höchste Erfolgsrate)",{"depth":51,"slug":503,"text":504},"samsung-geräte","Samsung-Geräte",{"depth":51,"slug":506,"text":507},"pixelnexus-geräte","Pixel/Nexus-Geräte",{"depth":43,"slug":82,"text":83},{"depth":47,"slug":510,"text":511},"problem-adb-erkennt-gerät-nicht","Problem: ADB erkennt Gerät nicht",{"depth":51,"slug":513,"text":514},"lösung-usb-treiber-und-berechtigungen","Lösung: USB-Treiber und Berechtigungen",{"depth":51,"slug":516,"text":517},"windows-treiber-installation","Windows: Treiber-Installation",{"depth":47,"slug":519,"text":520},"problem-verschlüsselte-android-backups","Problem: Verschlüsselte Android Backups",{"depth":51,"slug":522,"text":523},"lösung-android-backup-extractor","Lösung: Android Backup Extractor",{"depth":47,"slug":525,"text":526},"problem-unzureichende-berechtigungen-für-datenextraktion","Problem: Unzureichende Berechtigungen für Datenextraktion",{"depth":51,"slug":528,"text":529},"lösung-alternative-extraktionsmethoden","Lösung: Alternative Extraktionsmethoden",{"depth":47,"slug":531,"text":532},"problem-aleapp-parsing-fehler","Problem: ALEAPP Parsing-Fehler",{"depth":51,"slug":534,"text":535},"lösung-datenformat-probleme-beheben","Lösung: Datenformat-Probleme beheben",{"depth":43,"slug":537,"text":538},"erweiterte-techniken","Erweiterte Techniken",{"depth":47,"slug":540,"text":541},"memory-forensics-mit-lime","Memory Forensics mit LiME",{"depth":51,"slug":543,"text":544},"lime-für-arm-devices-kompilieren","LiME für ARM-Devices kompilieren",{"depth":51,"slug":546,"text":547},"volatility-analyse-von-android-memory","Volatility-Analyse von Android Memory",{"depth":47,"slug":549,"text":550},"frida-basierte-runtime-analyse","FRIDA-basierte Runtime-Analyse",{"depth":51,"slug":552,"text":553},"frida-für-kryptographie-hooks","FRIDA für Kryptographie-Hooks",{"depth":51,"slug":555,"text":556},"frida-installation-und-verwendung","FRIDA Installation und Verwendung",{"depth":47,"slug":558,"text":559},"custom-recovery-und-fastboot-exploits","Custom Recovery und Fastboot-Exploits",{"depth":51,"slug":561,"text":562},"twrp-installation-für-forensischen-zugang","TWRP Installation für forensischen Zugang",{"depth":51,"slug":564,"text":565},"partitions-imaging-mit-dd","Partitions-Imaging mit dd",{"depth":47,"slug":567,"text":568},"sqlite-forensics-und-gelöschte-daten","SQLite Forensics und gelöschte Daten",{"depth":51,"slug":570,"text":571},"erweiterte-sqlite-analyse","Erweiterte SQLite-Analyse",{"depth":51,"slug":573,"text":574},"timeline-rekonstruktion","Timeline-Rekonstruktion",{"depth":47,"slug":576,"text":577},"weiterführende-ressourcen","Weiterführende Ressourcen",{"depth":51,"slug":579,"text":580},"dokumentation-und-standards","Dokumentation und Standards",{"depth":51,"slug":582,"text":583},"community-und-weiterbildung","Community und Weiterbildung",{"depth":51,"slug":585,"text":586},"spezialisierte-tools","Spezialisierte Tools",[],[],[],"android-logical-imaging.md"]
\ No newline at end of file
+[["Map",1,2,7,8],"meta::meta",["Map",3,4,5,6],"astro-version","5.12.6","astro-config-digest","{\"root\":{},\"srcDir\":{},\"publicDir\":{},\"outDir\":{},\"cacheDir\":{},\"compressHTML\":true,\"base\":\"/\",\"trailingSlash\":\"ignore\",\"output\":\"server\",\"scopedStyleStrategy\":\"attribute\",\"build\":{\"format\":\"directory\",\"client\":{},\"server\":{},\"assets\":\"_astro\",\"serverEntry\":\"entry.mjs\",\"redirects\":true,\"inlineStylesheets\":\"auto\",\"concurrency\":1},\"server\":{\"open\":false,\"host\":true,\"port\":4321,\"streaming\":true,\"allowedHosts\":[]},\"redirects\":{},\"image\":{\"endpoint\":{\"route\":\"/_image\",\"entrypoint\":\"astro/assets/endpoint/node\"},\"service\":{\"entrypoint\":\"astro/assets/services/sharp\",\"config\":{}},\"domains\":[],\"remotePatterns\":[],\"responsiveStyles\":false},\"devToolbar\":{\"enabled\":true},\"markdown\":{\"syntaxHighlight\":{\"type\":\"shiki\",\"excludeLangs\":[\"math\"]},\"shikiConfig\":{\"langs\":[],\"langAlias\":{},\"theme\":\"github-dark\",\"themes\":{},\"wrap\":false,\"transformers\":[]},\"remarkPlugins\":[],\"rehypePlugins\":[],\"remarkRehype\":{},\"gfm\":true,\"smartypants\":true},\"security\":{\"checkOrigin\":true},\"env\":{\"schema\":{},\"validateSecrets\":false},\"experimental\":{\"clientPrerender\":false,\"contentIntellisense\":false,\"headingIdCompat\":false,\"preserveScriptOrder\":false,\"liveContentCollections\":false,\"csp\":false,\"rawEnvValues\":false},\"legacy\":{\"collections\":false},\"session\":{\"driver\":\"fs-lite\",\"options\":{\"base\":\"/var/home/user01/Projekte/forensic-pathways/node_modules/.astro/sessions\"}}}","knowledgebase",["Map",9,10,100,101,174,175,223,224,288,289,535,536],"misp",{"id":9,"data":11,"body":35,"filePath":36,"digest":37,"rendered":38,"legacyId":99},{"title":12,"tool_name":13,"description":14,"last_updated":15,"author":16,"difficulty":17,"categories":18,"tags":24,"sections":31,"review_status":34},"MISP - Plattform für Threat Intelligence Sharing","MISP","Das Rückgrat des modernen Threat-Intelligence-Sharings mit über 40.000 aktiven Instanzen weltweit.",["Date","2025-07-20T00:00:00.000Z"],"Claude 4 Sonnet","intermediate",[19,20,21,22,23],"incident-response","static-investigations","malware-analysis","network-forensics","cloud-forensics",[25,26,27,28,29,30],"web-based","threat-intelligence","api","correlation","ioc-sharing","automation",{"overview":32,"installation":32,"configuration":32,"usage_examples":32,"best_practices":32,"troubleshooting":32,"advanced_topics":33},true,false,"published","> **⚠️ Hinweis**: Dies ist ein vorläufiger, KI-generierter Knowledgebase-Eintrag. Wir freuen uns über Verbesserungen und Ergänzungen durch die Community!\n\n\n# Übersicht\n\n**MISP (Malware Information Sharing Platform & Threat Sharing)** ist eine freie Open-Source-Plattform zur strukturierten Erfassung, Speicherung, Analyse und gemeinsamen Nutzung von Cyber-Bedrohungsdaten. Mit über 40.000 Instanzen weltweit ist MISP der De-facto-Standard für den Austausch von Indicators of Compromise (IoCs) und Threat Intelligence zwischen CERTs, SOCs, Strafverfolgungsbehörden und anderen sicherheitsrelevanten Organisationen.\n\nDie föderierte Architektur ermöglicht einen kontrollierten, dezentralen Austausch von Informationen über vertrauenswürdige Partner hinweg. Durch Taxonomien, Tags und integrierte APIs ist eine automatische Anreicherung, Korrelation und Verarbeitung von Informationen in SIEMs, Firewalls oder Endpoint-Lösungen möglich.\n\n## Installation\n\n### Voraussetzungen\n\n- **Server-Betriebssystem:** Linux (empfohlen: Debian/Ubuntu)\n- **Abhängigkeiten:** MariaDB/MySQL, PHP, Apache/Nginx, Redis\n- **Ressourcen:** Mindestens 4 GB RAM, SSD empfohlen\n\n### Installationsschritte\n\n```bash\n# Beispiel für Debian/Ubuntu:\nsudo apt update && sudo apt install -y curl gnupg git python3 python3-pip redis-server mariadb-server apache2 php libapache2-mod-php\n\n# MISP klonen\ngit clone https://github.com/MISP/MISP.git /var/www/MISP\n\n# Setup-Skript nutzen\ncd /var/www/MISP && bash INSTALL/INSTALL.debian.sh\n````\n\nWeitere Details: [Offizielle Installationsanleitung](https://misp.github.io/MISP/INSTALL.debian/)\n\n## Konfiguration\n\n### Webserver\n\n* HTTPS aktivieren (Let's Encrypt oder Reverse Proxy)\n* PHP-Konfiguration anpassen (`upload_max_filesize`, `memory_limit`, `post_max_size`)\n\n### Benutzerrollen\n\n* Administrator, Org-Admin, Analyst etc.\n* Zugriffsbeschränkungen nach Organisation/Feed definierbar\n\n### Feeds und Galaxies\n\n* Aktivierung von Feeds (z. B. CIRCL, Abuse.ch, OpenCTI)\n* Nutzung von Galaxies zur Klassifizierung (APT-Gruppen, Malware-Familien)\n\n## Verwendungsbeispiele\n\n### Beispiel 1: Import von IoCs aus externem Feed\n\n1. Feed aktivieren unter **Administration → List Feeds**\n2. Feed synchronisieren\n3. Ereignisse durchsuchen, analysieren, ggf. mit eigenen Daten korrelieren\n\n### Beispiel 2: Automatisierte Anbindung an SIEM\n\n* REST-API-Token erstellen\n* API-Calls zur Abfrage neuer Events (z. B. mit Python, Logstash oder MISP Workbench)\n* Integration in Security-Systeme über JSON/STIX export\n\n## Best Practices\n\n* Regelmäßige Backups der Datenbank\n* Taxonomien konsistent verwenden\n* Nutzung der Sighting-Funktion zur Validierung von IoCs\n* Vertrauensstufen (TLP, PAP) korrekt setzen\n* Nicht nur konsumieren – auch teilen!\n\n## Troubleshooting\n\n### Problem: MISP-Feeds laden nicht\n\n**Lösung:**\n\n* Internetverbindung prüfen\n* Cronjobs aktiv?\n* Logs prüfen: `/var/www/MISP/app/tmp/logs/error.log`\n\n### Problem: API gibt 403 zurück\n\n**Lösung:**\n\n* Ist der API-Key korrekt und aktiv?\n* Rechte des Benutzers überprüfen\n* IP-Filter im MISP-Backend beachten\n\n### Problem: Hohe Datenbanklast\n\n**Lösung:**\n\n* Indizes optimieren\n* Redis aktivieren\n* Alte Events regelmäßig archivieren oder löschen\n\n## Weiterführende Themen\n\n* STIX2-Import/Export\n* Erweiterungen mit MISP Modules (z. B. für Virustotal, YARA)\n* Föderierte Netzwerke und Community-Portale\n* Integration mit OpenCTI oder TheHive\n\n---\n\n**Links:**\n\n* 🌐 [Offizielle Projektseite](https://misp-project.org/)\n* 📦 [CC24-MISP-Instanz](https://misp.cc24.dev)\n* 📊 [Status-Monitoring](https://status.mikoshi.de/api/badge/34/status)\n\nLizenz: **AGPL-3.0**","src/content/knowledgebase/misp.md","35930fa919a46964",{"html":39,"metadata":40},"\u003Cblockquote>\n\u003Cp>\u003Cstrong>⚠️ Hinweis\u003C/strong>: Dies ist ein vorläufiger, KI-generierter Knowledgebase-Eintrag. Wir freuen uns über Verbesserungen und Ergänzungen durch die Community!\u003C/p>\n\u003C/blockquote>\n\u003Ch1 id=\"übersicht\">Übersicht\u003C/h1>\n\u003Cp>\u003Cstrong>MISP (Malware Information Sharing Platform & Threat Sharing)\u003C/strong> ist eine freie Open-Source-Plattform zur strukturierten Erfassung, Speicherung, Analyse und gemeinsamen Nutzung von Cyber-Bedrohungsdaten. Mit über 40.000 Instanzen weltweit ist MISP der De-facto-Standard für den Austausch von Indicators of Compromise (IoCs) und Threat Intelligence zwischen CERTs, SOCs, Strafverfolgungsbehörden und anderen sicherheitsrelevanten Organisationen.\u003C/p>\n\u003Cp>Die föderierte Architektur ermöglicht einen kontrollierten, dezentralen Austausch von Informationen über vertrauenswürdige Partner hinweg. Durch Taxonomien, Tags und integrierte APIs ist eine automatische Anreicherung, Korrelation und Verarbeitung von Informationen in SIEMs, Firewalls oder Endpoint-Lösungen möglich.\u003C/p>\n\u003Ch2 id=\"installation\">Installation\u003C/h2>\n\u003Ch3 id=\"voraussetzungen\">Voraussetzungen\u003C/h3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Server-Betriebssystem:\u003C/strong> Linux (empfohlen: Debian/Ubuntu)\u003C/li>\n\u003Cli>\u003Cstrong>Abhängigkeiten:\u003C/strong> MariaDB/MySQL, PHP, Apache/Nginx, Redis\u003C/li>\n\u003Cli>\u003Cstrong>Ressourcen:\u003C/strong> Mindestens 4 GB RAM, SSD empfohlen\u003C/li>\n\u003C/ul>\n\u003Ch3 id=\"installationsschritte\">Installationsschritte\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Beispiel für Debian/Ubuntu:\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">sudo\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> apt\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> update\u003C/span>\u003Cspan style=\"color:#E1E4E8\"> && \u003C/span>\u003Cspan style=\"color:#B392F0\">sudo\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> apt\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> install\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -y\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> curl\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> gnupg\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> git\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> python3\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> python3-pip\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> redis-server\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> mariadb-server\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> apache2\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> php\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> libapache2-mod-php\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># MISP klonen\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">git\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> clone\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> https://github.com/MISP/MISP.git\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /var/www/MISP\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Setup-Skript nutzen\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#79B8FF\">cd\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /var/www/MISP\u003C/span>\u003Cspan style=\"color:#E1E4E8\"> && \u003C/span>\u003Cspan style=\"color:#B392F0\">bash\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> INSTALL/INSTALL.debian.sh\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Cp>Weitere Details: \u003Ca href=\"https://misp.github.io/MISP/INSTALL.debian/\">Offizielle Installationsanleitung\u003C/a>\u003C/p>\n\u003Ch2 id=\"konfiguration\">Konfiguration\u003C/h2>\n\u003Ch3 id=\"webserver\">Webserver\u003C/h3>\n\u003Cul>\n\u003Cli>HTTPS aktivieren (Let’s Encrypt oder Reverse Proxy)\u003C/li>\n\u003Cli>PHP-Konfiguration anpassen (\u003Ccode>upload_max_filesize\u003C/code>, \u003Ccode>memory_limit\u003C/code>, \u003Ccode>post_max_size\u003C/code>)\u003C/li>\n\u003C/ul>\n\u003Ch3 id=\"benutzerrollen\">Benutzerrollen\u003C/h3>\n\u003Cul>\n\u003Cli>Administrator, Org-Admin, Analyst etc.\u003C/li>\n\u003Cli>Zugriffsbeschränkungen nach Organisation/Feed definierbar\u003C/li>\n\u003C/ul>\n\u003Ch3 id=\"feeds-und-galaxies\">Feeds und Galaxies\u003C/h3>\n\u003Cul>\n\u003Cli>Aktivierung von Feeds (z. B. CIRCL, Abuse.ch, OpenCTI)\u003C/li>\n\u003Cli>Nutzung von Galaxies zur Klassifizierung (APT-Gruppen, Malware-Familien)\u003C/li>\n\u003C/ul>\n\u003Ch2 id=\"verwendungsbeispiele\">Verwendungsbeispiele\u003C/h2>\n\u003Ch3 id=\"beispiel-1-import-von-iocs-aus-externem-feed\">Beispiel 1: Import von IoCs aus externem Feed\u003C/h3>\n\u003Col>\n\u003Cli>Feed aktivieren unter \u003Cstrong>Administration → List Feeds\u003C/strong>\u003C/li>\n\u003Cli>Feed synchronisieren\u003C/li>\n\u003Cli>Ereignisse durchsuchen, analysieren, ggf. mit eigenen Daten korrelieren\u003C/li>\n\u003C/ol>\n\u003Ch3 id=\"beispiel-2-automatisierte-anbindung-an-siem\">Beispiel 2: Automatisierte Anbindung an SIEM\u003C/h3>\n\u003Cul>\n\u003Cli>REST-API-Token erstellen\u003C/li>\n\u003Cli>API-Calls zur Abfrage neuer Events (z. B. mit Python, Logstash oder MISP Workbench)\u003C/li>\n\u003Cli>Integration in Security-Systeme über JSON/STIX export\u003C/li>\n\u003C/ul>\n\u003Ch2 id=\"best-practices\">Best Practices\u003C/h2>\n\u003Cul>\n\u003Cli>Regelmäßige Backups der Datenbank\u003C/li>\n\u003Cli>Taxonomien konsistent verwenden\u003C/li>\n\u003Cli>Nutzung der Sighting-Funktion zur Validierung von IoCs\u003C/li>\n\u003Cli>Vertrauensstufen (TLP, PAP) korrekt setzen\u003C/li>\n\u003Cli>Nicht nur konsumieren – auch teilen!\u003C/li>\n\u003C/ul>\n\u003Ch2 id=\"troubleshooting\">Troubleshooting\u003C/h2>\n\u003Ch3 id=\"problem-misp-feeds-laden-nicht\">Problem: MISP-Feeds laden nicht\u003C/h3>\n\u003Cp>\u003Cstrong>Lösung:\u003C/strong>\u003C/p>\n\u003Cul>\n\u003Cli>Internetverbindung prüfen\u003C/li>\n\u003Cli>Cronjobs aktiv?\u003C/li>\n\u003Cli>Logs prüfen: \u003Ccode>/var/www/MISP/app/tmp/logs/error.log\u003C/code>\u003C/li>\n\u003C/ul>\n\u003Ch3 id=\"problem-api-gibt-403-zurück\">Problem: API gibt 403 zurück\u003C/h3>\n\u003Cp>\u003Cstrong>Lösung:\u003C/strong>\u003C/p>\n\u003Cul>\n\u003Cli>Ist der API-Key korrekt und aktiv?\u003C/li>\n\u003Cli>Rechte des Benutzers überprüfen\u003C/li>\n\u003Cli>IP-Filter im MISP-Backend beachten\u003C/li>\n\u003C/ul>\n\u003Ch3 id=\"problem-hohe-datenbanklast\">Problem: Hohe Datenbanklast\u003C/h3>\n\u003Cp>\u003Cstrong>Lösung:\u003C/strong>\u003C/p>\n\u003Cul>\n\u003Cli>Indizes optimieren\u003C/li>\n\u003Cli>Redis aktivieren\u003C/li>\n\u003Cli>Alte Events regelmäßig archivieren oder löschen\u003C/li>\n\u003C/ul>\n\u003Ch2 id=\"weiterführende-themen\">Weiterführende Themen\u003C/h2>\n\u003Cul>\n\u003Cli>STIX2-Import/Export\u003C/li>\n\u003Cli>Erweiterungen mit MISP Modules (z. B. für Virustotal, YARA)\u003C/li>\n\u003Cli>Föderierte Netzwerke und Community-Portale\u003C/li>\n\u003Cli>Integration mit OpenCTI oder TheHive\u003C/li>\n\u003C/ul>\n\u003Chr>\n\u003Cp>\u003Cstrong>Links:\u003C/strong>\u003C/p>\n\u003Cul>\n\u003Cli>🌐 \u003Ca href=\"https://misp-project.org/\">Offizielle Projektseite\u003C/a>\u003C/li>\n\u003Cli>📦 \u003Ca href=\"https://misp.cc24.dev\">CC24-MISP-Instanz\u003C/a>\u003C/li>\n\u003Cli>📊 \u003Ca href=\"https://status.mikoshi.de/api/badge/34/status\">Status-Monitoring\u003C/a>\u003C/li>\n\u003C/ul>\n\u003Cp>Lizenz: \u003Cstrong>AGPL-3.0\u003C/strong>\u003C/p>",{"headings":41,"localImagePaths":96,"remoteImagePaths":97,"frontmatter":11,"imagePaths":98},[42,46,50,54,57,60,63,66,69,72,75,78,81,84,87,90,93],{"depth":43,"slug":44,"text":45},1,"übersicht","Übersicht",{"depth":47,"slug":48,"text":49},2,"installation","Installation",{"depth":51,"slug":52,"text":53},3,"voraussetzungen","Voraussetzungen",{"depth":51,"slug":55,"text":56},"installationsschritte","Installationsschritte",{"depth":47,"slug":58,"text":59},"konfiguration","Konfiguration",{"depth":51,"slug":61,"text":62},"webserver","Webserver",{"depth":51,"slug":64,"text":65},"benutzerrollen","Benutzerrollen",{"depth":51,"slug":67,"text":68},"feeds-und-galaxies","Feeds und Galaxies",{"depth":47,"slug":70,"text":71},"verwendungsbeispiele","Verwendungsbeispiele",{"depth":51,"slug":73,"text":74},"beispiel-1-import-von-iocs-aus-externem-feed","Beispiel 1: Import von IoCs aus externem Feed",{"depth":51,"slug":76,"text":77},"beispiel-2-automatisierte-anbindung-an-siem","Beispiel 2: Automatisierte Anbindung an SIEM",{"depth":47,"slug":79,"text":80},"best-practices","Best Practices",{"depth":47,"slug":82,"text":83},"troubleshooting","Troubleshooting",{"depth":51,"slug":85,"text":86},"problem-misp-feeds-laden-nicht","Problem: MISP-Feeds laden nicht",{"depth":51,"slug":88,"text":89},"problem-api-gibt-403-zurück","Problem: API gibt 403 zurück",{"depth":51,"slug":91,"text":92},"problem-hohe-datenbanklast","Problem: Hohe Datenbanklast",{"depth":47,"slug":94,"text":95},"weiterführende-themen","Weiterführende Themen",[],[],[],"misp.md","kali-linux",{"id":100,"data":102,"body":117,"filePath":118,"digest":119,"rendered":120,"legacyId":173},{"title":103,"tool_name":104,"description":105,"last_updated":106,"author":16,"difficulty":17,"categories":107,"tags":110,"sections":116,"review_status":34},"Kali Linux - Die Hacker-Distribution für Forensik & Penetration Testing","Kali Linux","Leitfaden zur Installation, Nutzung und Best Practices für Kali Linux – die All-in-One-Plattform für Security-Profis.",["Date","2025-07-20T00:00:00.000Z"],[19,108,109],"forensics","penetration-testing",[111,112,109,113,114,115],"live-boot","tool-collection","forensics-suite","virtualization","arm-support",{"overview":32,"installation":32,"configuration":32,"usage_examples":32,"best_practices":32,"troubleshooting":32,"advanced_topics":32},"> **⚠️ Hinweis**: Dies ist ein vorläufiger, KI-generierter Knowledgebase-Eintrag. Wir freuen uns über Verbesserungen und Ergänzungen durch die Community!\n\n\n# Übersicht\n\nKali Linux ist eine auf Debian basierende Linux-Distribution, die speziell für Penetration Testing, digitale Forensik, Reverse Engineering und Incident Response entwickelt wurde. Mit über 600 vorinstallierten Tools ist sie ein unverzichtbares Werkzeug für Security-Experten, Ermittler und forensische Analysten. Die Live-Boot-Funktion erlaubt es, Systeme ohne Spuren zu hinterlassen zu analysieren – ideal für forensische Untersuchungen.\n\n## Installation\n\n### Option 1: Live-System (USB/DVD)\n\n1. ISO-Image von [kali.org](https://www.kali.org/get-kali/) herunterladen.\n2. Mit **Rufus** oder **balenaEtcher** auf einen USB-Stick schreiben.\n3. Vom USB-Stick booten (ggf. Boot-Reihenfolge im BIOS anpassen).\n4. Kali kann direkt ohne Installation im Live-Modus verwendet werden.\n\n### Option 2: Installation auf Festplatte\n\n1. ISO-Image booten und **Graphical Install** wählen.\n2. Schritt-für-Schritt durch den Installationsassistenten navigieren:\n   - Sprache, Zeitzone und Tastaturlayout auswählen\n   - Partitionierung konfigurieren (automatisch oder manuell)\n   - Benutzerkonten erstellen\n3. Nach Installation Neustart durchführen.\n\n### Option 3: Virtuelle Maschine (VM)\n\n- Offizielle VM-Images für VirtualBox und VMware von der [Kali-Website](https://www.kali.org/get-kali/#kali-virtual-machines)\n- Importieren, ggf. Netzwerkbrücke und Shared Folders aktivieren\n\n## Konfiguration\n\n### Netzwerkeinstellungen\n\n- Konfiguration über `nmtui` oder `/etc/network/interfaces`\n- VPN und Proxy-Integration über GUI oder Terminal\n\n### Updates & Paketquellen\n\n```bash\nsudo apt update && sudo apt full-upgrade\n````\n\n> Hinweis: `kali-rolling` ist die Standard-Distribution für kontinuierliche Updates.\n\n### Sprache & Lokalisierung\n\n```bash\nsudo dpkg-reconfigure locales\nsudo dpkg-reconfigure keyboard-configuration\n```\n\n## Verwendungsbeispiele\n\n### 1. Netzwerkscan mit Nmap\n\n```bash\nnmap -sS -T4 -A 192.168.1.0/24\n```\n\n### 2. Passwort-Cracking mit John the Ripper\n\n```bash\njohn --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt\n```\n\n### 3. Forensik mit Autopsy\n\n```bash\nautopsy &\n```\n\n### 4. Android-Analyse mit MobSF (in Docker)\n\n```bash\ndocker pull opensecurity/mobile-security-framework-mobsf\ndocker run -it -p 8000:8000 mobsf\n```\n\n## Best Practices\n\n* Nutze immer **aktuelle Snapshots** oder VM-Clones vor gefährlichen Tests\n* Verwende separate Netzwerke (z. B. Host-only oder NAT) für Tests\n* Deaktiviere automatisches WLAN bei forensischen Analysen\n* Prüfe und aktualisiere regelmäßig Toolsets (`apt`, `git`, `pip`)\n* Halte deine ISO-Images versioniert für forensische Reproduzierbarkeit\n\n## Troubleshooting\n\n### Problem: Keine Internetverbindung nach Installation\n\n**Lösung:** Netzwerkadapter prüfen, ggf. mit `ifconfig` oder `ip a` überprüfen, DHCP aktivieren.\n\n### Problem: Tools fehlen nach Update\n\n**Lösung:** Tool-Gruppen wie `kali-linux-default` manuell nachinstallieren:\n\n```bash\nsudo apt install kali-linux-default\n```\n\n### Problem: „Permission Denied“ bei Tools\n\n**Lösung:** Root-Rechte nutzen oder mit `sudo` ausführen.\n\n## Weiterführende Themen\n\n* **Kustomisierung von Kali ISOs** mit `live-build`\n* **NetHunter**: Kali für mobile Geräte (Android)\n* **Kali Purple**: Defensive Security Suite\n* Integration mit **Cloud-Infrastrukturen** via WSL oder Azure\n\n---\n\n**Links & Ressourcen:**\n\n* Offizielle Website: [https://kali.org](https://kali.org/)\n* Dokumentation: [https://docs.kali.org/](https://docs.kali.org/)\n* GitLab Repo: [https://gitlab.com/kalilinux](https://gitlab.com/kalilinux)\n* Discord-Community: [https://discord.com/invite/kali-linux](https://discord.com/invite/kali-linux)","src/content/knowledgebase/kali-linux.md","09243ebc79d75dbc",{"html":121,"metadata":122},"\u003Cblockquote>\n\u003Cp>\u003Cstrong>⚠️ Hinweis\u003C/strong>: Dies ist ein vorläufiger, KI-generierter Knowledgebase-Eintrag. Wir freuen uns über Verbesserungen und Ergänzungen durch die Community!\u003C/p>\n\u003C/blockquote>\n\u003Ch1 id=\"übersicht\">Übersicht\u003C/h1>\n\u003Cp>Kali Linux ist eine auf Debian basierende Linux-Distribution, die speziell für Penetration Testing, digitale Forensik, Reverse Engineering und Incident Response entwickelt wurde. Mit über 600 vorinstallierten Tools ist sie ein unverzichtbares Werkzeug für Security-Experten, Ermittler und forensische Analysten. Die Live-Boot-Funktion erlaubt es, Systeme ohne Spuren zu hinterlassen zu analysieren – ideal für forensische Untersuchungen.\u003C/p>\n\u003Ch2 id=\"installation\">Installation\u003C/h2>\n\u003Ch3 id=\"option-1-live-system-usbdvd\">Option 1: Live-System (USB/DVD)\u003C/h3>\n\u003Col>\n\u003Cli>ISO-Image von \u003Ca href=\"https://www.kali.org/get-kali/\">kali.org\u003C/a> herunterladen.\u003C/li>\n\u003Cli>Mit \u003Cstrong>Rufus\u003C/strong> oder \u003Cstrong>balenaEtcher\u003C/strong> auf einen USB-Stick schreiben.\u003C/li>\n\u003Cli>Vom USB-Stick booten (ggf. Boot-Reihenfolge im BIOS anpassen).\u003C/li>\n\u003Cli>Kali kann direkt ohne Installation im Live-Modus verwendet werden.\u003C/li>\n\u003C/ol>\n\u003Ch3 id=\"option-2-installation-auf-festplatte\">Option 2: Installation auf Festplatte\u003C/h3>\n\u003Col>\n\u003Cli>ISO-Image booten und \u003Cstrong>Graphical Install\u003C/strong> wählen.\u003C/li>\n\u003Cli>Schritt-für-Schritt durch den Installationsassistenten navigieren:\n\u003Cul>\n\u003Cli>Sprache, Zeitzone und Tastaturlayout auswählen\u003C/li>\n\u003Cli>Partitionierung konfigurieren (automatisch oder manuell)\u003C/li>\n\u003Cli>Benutzerkonten erstellen\u003C/li>\n\u003C/ul>\n\u003C/li>\n\u003Cli>Nach Installation Neustart durchführen.\u003C/li>\n\u003C/ol>\n\u003Ch3 id=\"option-3-virtuelle-maschine-vm\">Option 3: Virtuelle Maschine (VM)\u003C/h3>\n\u003Cul>\n\u003Cli>Offizielle VM-Images für VirtualBox und VMware von der \u003Ca href=\"https://www.kali.org/get-kali/#kali-virtual-machines\">Kali-Website\u003C/a>\u003C/li>\n\u003Cli>Importieren, ggf. Netzwerkbrücke und Shared Folders aktivieren\u003C/li>\n\u003C/ul>\n\u003Ch2 id=\"konfiguration\">Konfiguration\u003C/h2>\n\u003Ch3 id=\"netzwerkeinstellungen\">Netzwerkeinstellungen\u003C/h3>\n\u003Cul>\n\u003Cli>Konfiguration über \u003Ccode>nmtui\u003C/code> oder \u003Ccode>/etc/network/interfaces\u003C/code>\u003C/li>\n\u003Cli>VPN und Proxy-Integration über GUI oder Terminal\u003C/li>\n\u003C/ul>\n\u003Ch3 id=\"updates--paketquellen\">Updates & Paketquellen\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">sudo\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> apt\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> update\u003C/span>\u003Cspan style=\"color:#E1E4E8\"> && \u003C/span>\u003Cspan style=\"color:#B392F0\">sudo\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> apt\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> full-upgrade\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Cblockquote>\n\u003Cp>Hinweis: \u003Ccode>kali-rolling\u003C/code> ist die Standard-Distribution für kontinuierliche Updates.\u003C/p>\n\u003C/blockquote>\n\u003Ch3 id=\"sprache--lokalisierung\">Sprache & Lokalisierung\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">sudo\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> dpkg-reconfigure\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> locales\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">sudo\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> dpkg-reconfigure\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> keyboard-configuration\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch2 id=\"verwendungsbeispiele\">Verwendungsbeispiele\u003C/h2>\n\u003Ch3 id=\"1-netzwerkscan-mit-nmap\">1. Netzwerkscan mit Nmap\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">nmap\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -sS\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -T4\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -A\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> 192.168.1.0/24\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"2-passwort-cracking-mit-john-the-ripper\">2. Passwort-Cracking mit John the Ripper\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">john\u003C/span>\u003Cspan style=\"color:#79B8FF\"> --wordlist=/usr/share/wordlists/rockyou.txt\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> hashes.txt\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"3-forensik-mit-autopsy\">3. Forensik mit Autopsy\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">autopsy\u003C/span>\u003Cspan style=\"color:#E1E4E8\"> &\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"4-android-analyse-mit-mobsf-in-docker\">4. Android-Analyse mit MobSF (in Docker)\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">docker\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> pull\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> opensecurity/mobile-security-framework-mobsf\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">docker\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> run\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -it\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -p\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> 8000:8000\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> mobsf\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch2 id=\"best-practices\">Best Practices\u003C/h2>\n\u003Cul>\n\u003Cli>Nutze immer \u003Cstrong>aktuelle Snapshots\u003C/strong> oder VM-Clones vor gefährlichen Tests\u003C/li>\n\u003Cli>Verwende separate Netzwerke (z. B. Host-only oder NAT) für Tests\u003C/li>\n\u003Cli>Deaktiviere automatisches WLAN bei forensischen Analysen\u003C/li>\n\u003Cli>Prüfe und aktualisiere regelmäßig Toolsets (\u003Ccode>apt\u003C/code>, \u003Ccode>git\u003C/code>, \u003Ccode>pip\u003C/code>)\u003C/li>\n\u003Cli>Halte deine ISO-Images versioniert für forensische Reproduzierbarkeit\u003C/li>\n\u003C/ul>\n\u003Ch2 id=\"troubleshooting\">Troubleshooting\u003C/h2>\n\u003Ch3 id=\"problem-keine-internetverbindung-nach-installation\">Problem: Keine Internetverbindung nach Installation\u003C/h3>\n\u003Cp>\u003Cstrong>Lösung:\u003C/strong> Netzwerkadapter prüfen, ggf. mit \u003Ccode>ifconfig\u003C/code> oder \u003Ccode>ip a\u003C/code> überprüfen, DHCP aktivieren.\u003C/p>\n\u003Ch3 id=\"problem-tools-fehlen-nach-update\">Problem: Tools fehlen nach Update\u003C/h3>\n\u003Cp>\u003Cstrong>Lösung:\u003C/strong> Tool-Gruppen wie \u003Ccode>kali-linux-default\u003C/code> manuell nachinstallieren:\u003C/p>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">sudo\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> apt\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> install\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> kali-linux-default\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"problem-permission-denied-bei-tools\">Problem: „Permission Denied“ bei Tools\u003C/h3>\n\u003Cp>\u003Cstrong>Lösung:\u003C/strong> Root-Rechte nutzen oder mit \u003Ccode>sudo\u003C/code> ausführen.\u003C/p>\n\u003Ch2 id=\"weiterführende-themen\">Weiterführende Themen\u003C/h2>\n\u003Cul>\n\u003Cli>\u003Cstrong>Kustomisierung von Kali ISOs\u003C/strong> mit \u003Ccode>live-build\u003C/code>\u003C/li>\n\u003Cli>\u003Cstrong>NetHunter\u003C/strong>: Kali für mobile Geräte (Android)\u003C/li>\n\u003Cli>\u003Cstrong>Kali Purple\u003C/strong>: Defensive Security Suite\u003C/li>\n\u003Cli>Integration mit \u003Cstrong>Cloud-Infrastrukturen\u003C/strong> via WSL oder Azure\u003C/li>\n\u003C/ul>\n\u003Chr>\n\u003Cp>\u003Cstrong>Links & Ressourcen:\u003C/strong>\u003C/p>\n\u003Cul>\n\u003Cli>Offizielle Website: \u003Ca href=\"https://kali.org/\">https://kali.org\u003C/a>\u003C/li>\n\u003Cli>Dokumentation: \u003Ca href=\"https://docs.kali.org/\">https://docs.kali.org/\u003C/a>\u003C/li>\n\u003Cli>GitLab Repo: \u003Ca href=\"https://gitlab.com/kalilinux\">https://gitlab.com/kalilinux\u003C/a>\u003C/li>\n\u003Cli>Discord-Community: \u003Ca href=\"https://discord.com/invite/kali-linux\">https://discord.com/invite/kali-linux\u003C/a>\u003C/li>\n\u003C/ul>",{"headings":123,"localImagePaths":170,"remoteImagePaths":171,"frontmatter":102,"imagePaths":172},[124,125,126,129,132,135,136,139,142,145,146,149,152,155,158,159,160,163,166,169],{"depth":43,"slug":44,"text":45},{"depth":47,"slug":48,"text":49},{"depth":51,"slug":127,"text":128},"option-1-live-system-usbdvd","Option 1: Live-System (USB/DVD)",{"depth":51,"slug":130,"text":131},"option-2-installation-auf-festplatte","Option 2: Installation auf Festplatte",{"depth":51,"slug":133,"text":134},"option-3-virtuelle-maschine-vm","Option 3: Virtuelle Maschine (VM)",{"depth":47,"slug":58,"text":59},{"depth":51,"slug":137,"text":138},"netzwerkeinstellungen","Netzwerkeinstellungen",{"depth":51,"slug":140,"text":141},"updates--paketquellen","Updates & Paketquellen",{"depth":51,"slug":143,"text":144},"sprache--lokalisierung","Sprache & Lokalisierung",{"depth":47,"slug":70,"text":71},{"depth":51,"slug":147,"text":148},"1-netzwerkscan-mit-nmap","1. Netzwerkscan mit Nmap",{"depth":51,"slug":150,"text":151},"2-passwort-cracking-mit-john-the-ripper","2. Passwort-Cracking mit John the Ripper",{"depth":51,"slug":153,"text":154},"3-forensik-mit-autopsy","3. Forensik mit Autopsy",{"depth":51,"slug":156,"text":157},"4-android-analyse-mit-mobsf-in-docker","4. Android-Analyse mit MobSF (in Docker)",{"depth":47,"slug":79,"text":80},{"depth":47,"slug":82,"text":83},{"depth":51,"slug":161,"text":162},"problem-keine-internetverbindung-nach-installation","Problem: Keine Internetverbindung nach Installation",{"depth":51,"slug":164,"text":165},"problem-tools-fehlen-nach-update","Problem: Tools fehlen nach Update",{"depth":51,"slug":167,"text":168},"problem-permission-denied-bei-tools","Problem: „Permission Denied“ bei Tools",{"depth":47,"slug":94,"text":95},[],[],[],"kali-linux.md","regular-expressions-regex",{"id":174,"data":176,"body":190,"filePath":191,"digest":192,"rendered":193,"legacyId":222},{"title":177,"tool_name":178,"description":179,"last_updated":180,"author":16,"difficulty":17,"categories":181,"tags":183,"sections":189,"review_status":34},"Regular Expressions (Regex) – Musterbasierte Textanalyse","Regular Expressions (Regex)","Pattern matching language für Suche, Extraktion und Manipulation von Text in forensischen Analysen.",["Date","2025-07-20T00:00:00.000Z"],[19,21,22,182],"fraud-investigation",[184,185,186,187,188],"pattern-matching","text-processing","log-analysis","string-manipulation","search-algorithms",{"overview":32,"installation":33,"configuration":33,"usage_examples":32,"best_practices":32,"troubleshooting":33,"advanced_topics":32},"> **⚠️ Hinweis**: Dies ist ein vorläufiger, KI-generierter Knowledgebase-Eintrag. Wir freuen uns über Verbesserungen und Ergänzungen durch die Community!\n\n\n# Übersicht\n\n**Regular Expressions (Regex)** sind ein leistungsfähiges Werkzeug zur Erkennung, Extraktion und Transformation von Zeichenfolgen anhand vordefinierter Muster. In der digitalen Forensik sind Regex-Ausdrücke unverzichtbar: Sie helfen beim Auffinden von IP-Adressen, Hash-Werten, Dateipfaden, Malware-Signaturen oder Kreditkartennummern in großen Mengen unstrukturierter Daten wie Logdateien, Netzwerktraces oder Memory Dumps.\n\nRegex ist nicht auf eine bestimmte Plattform oder Software beschränkt – es wird in nahezu allen gängigen Programmiersprachen, Texteditoren und forensischen Tools unterstützt.\n\n## Verwendungsbeispiele\n\n### 1. IP-Adressen extrahieren\n\n```regex\n\\b(?:\\d{1,3}\\.){3}\\d{1,3}\\b\n````\n\nVerwendung:\n\n* Finden von IP-Adressen in Firewall-Logs oder Packet Captures.\n* Beispiel-Zeile:\n\n  ```\n  Connection from 192.168.1.101 to port 443 established\n  ```\n\n### 2. E-Mail-Adressen identifizieren\n\n```regex\n[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}\n```\n\nVerwendung:\n\n* Erkennung von kompromittierten Accounts in Phishing-E-Mails.\n* Analyse von Useraktivitäten oder Kommunikationsverläufen.\n\n### 3. Hash-Werte erkennen (z. B. SHA-256)\n\n```regex\n\\b[A-Fa-f0-9]{64}\\b\n```\n\nVerwendung:\n\n* Extraktion von Malware-Hashes aus Memory Dumps oder YARA-Logs.\n\n### 4. Zeitstempel in Logdateien extrahieren\n\n```regex\n\\d{4}-\\d{2}-\\d{2}[ T]\\d{2}:\\d{2}:\\d{2}\n```\n\nVerwendung:\n\n* Zeitsensitive Korrelationsanalysen (z. B. bei Intrusion Detection oder Timeline-Rekonstruktionen).\n\n## Best Practices\n\n* **Regex testen**: Nutze Plattformen wie [regexr.com](https://regexr.com/) oder [regex101.com](https://regex101.com/) zur Validierung.\n* **Performance beachten**: Komplexe Ausdrücke können ineffizient sein und Systeme verlangsamen – verwende Lazy Quantifiers (`*?`, `+?`) bei Bedarf.\n* **Escape-Zeichen korrekt anwenden**: Spezielle Zeichen wie `.` oder `\\` müssen bei Bedarf mit `\\\\` oder `\\.` maskiert werden.\n* **Portabilität prüfen**: Unterschiedliche Regex-Engines (z. B. Python `re`, PCRE, JavaScript) interpretieren manche Syntax leicht unterschiedlich.\n* **Lesbarkeit fördern**: Verwende benannte Gruppen (`(?P\u003Cname>...)`) und Kommentare (`(?x)`), um reguläre Ausdrücke besser wartbar zu machen.\n\n## Weiterführende Themen\n\n### Lookaheads und Lookbehinds\n\nMit **Lookaheads** (`(?=...)`) und **Lookbehinds** (`(?\u003C=...)`) können Bedingungen formuliert werden, ohne dass der Text Teil des Matchs wird.\n\nBeispiel: Alle `.exe`-Dateinamen **ohne** das Wort `safe` davor matchen:\n\n```regex\n(?\u003C!safe\\s)[\\w-]+\\.exe\n```\n\n### Regex in Forensik-Tools\n\n* **YARA**: Unterstützt Regex zur Erstellung von Malware-Signaturen.\n* **Wireshark**: Filtert Payloads anhand von Regex-ähnlicher Syntax.\n* **Splunk & ELK**: Verwenden Regex für Logparsing und Visualisierung.\n* **Volatility Plugins**: Extrahieren Artefakte mit Regex-basierten Scans.\n\n---\n\n> 🔤 **Regex ist ein universelles Werkzeug für Analysten, Ermittler und Entwickler, um versteckte Informationen schnell und flexibel aufzuspüren.**\n>\n> Nutze es überall dort, wo Textdaten eine Rolle spielen.","src/content/knowledgebase/regular-expressions-regex.md","247bcf48ebdc9ba0",{"html":194,"metadata":195},"\u003Cblockquote>\n\u003Cp>\u003Cstrong>⚠️ Hinweis\u003C/strong>: Dies ist ein vorläufiger, KI-generierter Knowledgebase-Eintrag. Wir freuen uns über Verbesserungen und Ergänzungen durch die Community!\u003C/p>\n\u003C/blockquote>\n\u003Ch1 id=\"übersicht\">Übersicht\u003C/h1>\n\u003Cp>\u003Cstrong>Regular Expressions (Regex)\u003C/strong> sind ein leistungsfähiges Werkzeug zur Erkennung, Extraktion und Transformation von Zeichenfolgen anhand vordefinierter Muster. In der digitalen Forensik sind Regex-Ausdrücke unverzichtbar: Sie helfen beim Auffinden von IP-Adressen, Hash-Werten, Dateipfaden, Malware-Signaturen oder Kreditkartennummern in großen Mengen unstrukturierter Daten wie Logdateien, Netzwerktraces oder Memory Dumps.\u003C/p>\n\u003Cp>Regex ist nicht auf eine bestimmte Plattform oder Software beschränkt – es wird in nahezu allen gängigen Programmiersprachen, Texteditoren und forensischen Tools unterstützt.\u003C/p>\n\u003Ch2 id=\"verwendungsbeispiele\">Verwendungsbeispiele\u003C/h2>\n\u003Ch3 id=\"1-ip-adressen-extrahieren\">1. IP-Adressen extrahieren\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"regex\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#79B8FF\">\\b(?:\\d\u003C/span>\u003Cspan style=\"color:#F97583\">{1,3}\u003C/span>\u003Cspan style=\"color:#79B8FF\">\\.)\u003C/span>\u003Cspan style=\"color:#F97583\">{3}\u003C/span>\u003Cspan style=\"color:#79B8FF\">\\d\u003C/span>\u003Cspan style=\"color:#F97583\">{1,3}\u003C/span>\u003Cspan style=\"color:#79B8FF\">\\b\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Cp>Verwendung:\u003C/p>\n\u003Cul>\n\u003Cli>\n\u003Cp>Finden von IP-Adressen in Firewall-Logs oder Packet Captures.\u003C/p>\n\u003C/li>\n\u003Cli>\n\u003Cp>Beispiel-Zeile:\u003C/p>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"plaintext\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan>Connection from 192.168.1.101 to port 443 established\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003C/li>\n\u003C/ul>\n\u003Ch3 id=\"2-e-mail-adressen-identifizieren\">2. E-Mail-Adressen identifizieren\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"regex\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#79B8FF\">[a-zA-Z0-9._%+-]\u003C/span>\u003Cspan style=\"color:#F97583\">+\u003C/span>\u003Cspan style=\"color:#DBEDFF\">@\u003C/span>\u003Cspan style=\"color:#79B8FF\">[a-zA-Z0-9.-]\u003C/span>\u003Cspan style=\"color:#F97583\">+\u003C/span>\u003Cspan style=\"color:#79B8FF\">\\.[a-zA-Z]\u003C/span>\u003Cspan style=\"color:#F97583\">{2,}\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Cp>Verwendung:\u003C/p>\n\u003Cul>\n\u003Cli>Erkennung von kompromittierten Accounts in Phishing-E-Mails.\u003C/li>\n\u003Cli>Analyse von Useraktivitäten oder Kommunikationsverläufen.\u003C/li>\n\u003C/ul>\n\u003Ch3 id=\"3-hash-werte-erkennen-zb-sha-256\">3. Hash-Werte erkennen (z. B. SHA-256)\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"regex\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#79B8FF\">\\b[A-Fa-f0-9]\u003C/span>\u003Cspan style=\"color:#F97583\">{64}\u003C/span>\u003Cspan style=\"color:#79B8FF\">\\b\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Cp>Verwendung:\u003C/p>\n\u003Cul>\n\u003Cli>Extraktion von Malware-Hashes aus Memory Dumps oder YARA-Logs.\u003C/li>\n\u003C/ul>\n\u003Ch3 id=\"4-zeitstempel-in-logdateien-extrahieren\">4. Zeitstempel in Logdateien extrahieren\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"regex\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#79B8FF\">\\d\u003C/span>\u003Cspan style=\"color:#F97583\">{4}\u003C/span>\u003Cspan style=\"color:#DBEDFF\">-\u003C/span>\u003Cspan style=\"color:#79B8FF\">\\d\u003C/span>\u003Cspan style=\"color:#F97583\">{2}\u003C/span>\u003Cspan style=\"color:#DBEDFF\">-\u003C/span>\u003Cspan style=\"color:#79B8FF\">\\d\u003C/span>\u003Cspan style=\"color:#F97583\">{2}\u003C/span>\u003Cspan style=\"color:#79B8FF\">[ T]\\d\u003C/span>\u003Cspan style=\"color:#F97583\">{2}\u003C/span>\u003Cspan style=\"color:#DBEDFF\">:\u003C/span>\u003Cspan style=\"color:#79B8FF\">\\d\u003C/span>\u003Cspan style=\"color:#F97583\">{2}\u003C/span>\u003Cspan style=\"color:#DBEDFF\">:\u003C/span>\u003Cspan style=\"color:#79B8FF\">\\d\u003C/span>\u003Cspan style=\"color:#F97583\">{2}\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Cp>Verwendung:\u003C/p>\n\u003Cul>\n\u003Cli>Zeitsensitive Korrelationsanalysen (z. B. bei Intrusion Detection oder Timeline-Rekonstruktionen).\u003C/li>\n\u003C/ul>\n\u003Ch2 id=\"best-practices\">Best Practices\u003C/h2>\n\u003Cul>\n\u003Cli>\u003Cstrong>Regex testen\u003C/strong>: Nutze Plattformen wie \u003Ca href=\"https://regexr.com/\">regexr.com\u003C/a> oder \u003Ca href=\"https://regex101.com/\">regex101.com\u003C/a> zur Validierung.\u003C/li>\n\u003Cli>\u003Cstrong>Performance beachten\u003C/strong>: Komplexe Ausdrücke können ineffizient sein und Systeme verlangsamen – verwende Lazy Quantifiers (\u003Ccode>*?\u003C/code>, \u003Ccode>+?\u003C/code>) bei Bedarf.\u003C/li>\n\u003Cli>\u003Cstrong>Escape-Zeichen korrekt anwenden\u003C/strong>: Spezielle Zeichen wie \u003Ccode>.\u003C/code> oder \u003Ccode>\\\u003C/code> müssen bei Bedarf mit \u003Ccode>\\\\\u003C/code> oder \u003Ccode>\\.\u003C/code> maskiert werden.\u003C/li>\n\u003Cli>\u003Cstrong>Portabilität prüfen\u003C/strong>: Unterschiedliche Regex-Engines (z. B. Python \u003Ccode>re\u003C/code>, PCRE, JavaScript) interpretieren manche Syntax leicht unterschiedlich.\u003C/li>\n\u003Cli>\u003Cstrong>Lesbarkeit fördern\u003C/strong>: Verwende benannte Gruppen (\u003Ccode>(?P<name>...)\u003C/code>) und Kommentare (\u003Ccode>(?x)\u003C/code>), um reguläre Ausdrücke besser wartbar zu machen.\u003C/li>\n\u003C/ul>\n\u003Ch2 id=\"weiterführende-themen\">Weiterführende Themen\u003C/h2>\n\u003Ch3 id=\"lookaheads-und-lookbehinds\">Lookaheads und Lookbehinds\u003C/h3>\n\u003Cp>Mit \u003Cstrong>Lookaheads\u003C/strong> (\u003Ccode>(?=...)\u003C/code>) und \u003Cstrong>Lookbehinds\u003C/strong> (\u003Ccode>(?<=...)\u003C/code>) können Bedingungen formuliert werden, ohne dass der Text Teil des Matchs wird.\u003C/p>\n\u003Cp>Beispiel: Alle \u003Ccode>.exe\u003C/code>-Dateinamen \u003Cstrong>ohne\u003C/strong> das Wort \u003Ccode>safe\u003C/code> davor matchen:\u003C/p>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"regex\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#F97583\">(?<!\u003C/span>\u003Cspan style=\"color:#DBEDFF\">safe\u003C/span>\u003Cspan style=\"color:#79B8FF\">\\s\u003C/span>\u003Cspan style=\"color:#F97583\">)\u003C/span>\u003Cspan style=\"color:#79B8FF\">[\\w-]\u003C/span>\u003Cspan style=\"color:#F97583\">+\u003C/span>\u003Cspan style=\"color:#79B8FF\">\\.\u003C/span>\u003Cspan style=\"color:#DBEDFF\">exe\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"regex-in-forensik-tools\">Regex in Forensik-Tools\u003C/h3>\n\u003Cul>\n\u003Cli>\u003Cstrong>YARA\u003C/strong>: Unterstützt Regex zur Erstellung von Malware-Signaturen.\u003C/li>\n\u003Cli>\u003Cstrong>Wireshark\u003C/strong>: Filtert Payloads anhand von Regex-ähnlicher Syntax.\u003C/li>\n\u003Cli>\u003Cstrong>Splunk & ELK\u003C/strong>: Verwenden Regex für Logparsing und Visualisierung.\u003C/li>\n\u003Cli>\u003Cstrong>Volatility Plugins\u003C/strong>: Extrahieren Artefakte mit Regex-basierten Scans.\u003C/li>\n\u003C/ul>\n\u003Chr>\n\u003Cblockquote>\n\u003Cp>🔤 \u003Cstrong>Regex ist ein universelles Werkzeug für Analysten, Ermittler und Entwickler, um versteckte Informationen schnell und flexibel aufzuspüren.\u003C/strong>\u003C/p>\n\u003Cp>Nutze es überall dort, wo Textdaten eine Rolle spielen.\u003C/p>\n\u003C/blockquote>",{"headings":196,"localImagePaths":219,"remoteImagePaths":220,"frontmatter":176,"imagePaths":221},[197,198,199,202,205,208,211,212,213,216],{"depth":43,"slug":44,"text":45},{"depth":47,"slug":70,"text":71},{"depth":51,"slug":200,"text":201},"1-ip-adressen-extrahieren","1. IP-Adressen extrahieren",{"depth":51,"slug":203,"text":204},"2-e-mail-adressen-identifizieren","2. E-Mail-Adressen identifizieren",{"depth":51,"slug":206,"text":207},"3-hash-werte-erkennen-zb-sha-256","3. Hash-Werte erkennen (z. B. SHA-256)",{"depth":51,"slug":209,"text":210},"4-zeitstempel-in-logdateien-extrahieren","4. Zeitstempel in Logdateien extrahieren",{"depth":47,"slug":79,"text":80},{"depth":47,"slug":94,"text":95},{"depth":51,"slug":214,"text":215},"lookaheads-und-lookbehinds","Lookaheads und Lookbehinds",{"depth":51,"slug":217,"text":218},"regex-in-forensik-tools","Regex in Forensik-Tools",[],[],[],"regular-expressions-regex.md","velociraptor",{"id":223,"data":225,"body":239,"filePath":240,"digest":241,"rendered":242,"legacyId":287},{"title":226,"tool_name":227,"description":228,"last_updated":229,"author":16,"difficulty":230,"categories":231,"tags":232,"sections":238,"review_status":34},"Velociraptor – Skalierbare Endpoint-Forensik mit VQL","Velociraptor","Detaillierte Anleitung und Best Practices für Velociraptor – Remote-Forensik der nächsten Generation",["Date","2025-07-20T00:00:00.000Z"],"advanced",[19,21,22],[25,233,234,235,236,237],"endpoint-monitoring","artifact-extraction","scripting","live-forensics","hunting",{"overview":32,"installation":32,"configuration":32,"usage_examples":32,"best_practices":32,"troubleshooting":32,"advanced_topics":32},"> **⚠️ Hinweis**: Dies ist ein vorläufiger, KI-generierter Knowledgebase-Eintrag. Wir freuen uns über Verbesserungen und Ergänzungen durch die Community!\n\n\n# Übersicht\n\nVelociraptor ist ein Open-Source-Tool zur Endpoint-Forensik mit Fokus auf Skalierbarkeit, Präzision und Geschwindigkeit. Es ermöglicht die zielgerichtete Erfassung und Analyse digitaler Artefakte über eine eigene Query Language – VQL (Velociraptor Query Language). Die Architektur erlaubt remote Zugriff auf tausende Endpoints gleichzeitig, ohne dass vollständige Disk-Images erforderlich sind.\n\n## Hauptmerkmale\n\n- 🌐 Web-basierte Benutzeroberfläche\n- 💡 VQL – mächtige, SQL-ähnliche Abfragesprache\n- 🚀 Hochskalierbare Hunt-Funktionalität\n- 🔍 Artefaktbasierte Sammlung (ohne Full-Image)\n- 🖥️ Plattformunterstützung für Windows, macOS, Linux\n- 📦 Apache 2.0 Lizenz – Open Source\n\nWeitere Infos: [velociraptor.app](https://www.velociraptor.app/)  \nProjektspiegel: [raptor.cc24.dev](https://raptor.cc24.dev)  \nStatus: ![Status](https://status.mikoshi.de/api/badge/33/status)\n\n---\n\n## Installation\n\n### Voraussetzungen\n\n- Python ≥ 3.9\n- Adminrechte auf dem System\n- Firewall-Freigaben für Webport (Standard: 8000)\n\n### Installation unter Linux/macOS\n\n```bash\nwget https://github.com/Velocidex/velociraptor/releases/latest/download/velociraptor\nchmod +x velociraptor\nsudo mv velociraptor /usr/local/bin/\n````\n\n### Installation unter Windows\n\n1. Download der `.exe` von der [Release-Seite](https://github.com/Velocidex/velociraptor/releases)\n2. Ausführung in PowerShell mit Adminrechten:\n\n   ```powershell\n   .\\velociraptor.exe config generate > server.config.yaml\n   ```\n\n---\n\n## Konfiguration\n\n### Server Setup\n\n1. Generiere die Konfigurationsdatei:\n\n   ```bash\n   velociraptor config generate > server.config.yaml\n   ```\n2. Starte den Server:\n\n   ```bash\n   velociraptor --config server.config.yaml frontend\n   ```\n3. Zugriff über Browser via `https://\u003Chostname>:8000`\n\n### Client Deployment\n\n* MSI/EXE für Windows, oder `deb/rpm` für Linux\n* Unterstützt automatische Registrierung am Server\n* Deployment über GPO, Puppet, Ansible etc. möglich\n\n---\n\n## Verwendungsbeispiele\n\n### 1. Live-Memory-Artefakte sammeln\n\n```vql\nSELECT * FROM Artifact.MemoryInfo()\n```\n\n### 2. Hunt starten auf verdächtige Prozesse\n\n```vql\nSELECT * FROM pslist()\nWHERE Name =~ \"mimikatz|cobaltstrike\"\n```\n\n### 3. Dateiinhalt extrahieren\n\n```vql\nSELECT * FROM glob(globs=\"C:\\\\Users\\\\*\\\\AppData\\\\*.dat\")\n```\n\n---\n\n## Best Practices\n\n* Erstelle eigene Artefakte für unternehmensspezifische Bedrohungsmodelle\n* Verwende \"Notebook\"-Funktion für strukturierte Analysen\n* Nutze \"Labels\", um Endpoints zu organisieren (z. B. `location:Berlin`)\n* Kombiniere Velociraptor mit SIEM/EDR-Systemen über REST API\n\n---\n\n## Troubleshooting\n\n### Problem: Keine Verbindung vom Client zum Server\n\n**Lösung:**\n\n* Ports freigegeben? (Default: 8000/tcp)\n* TLS-Zertifikate korrekt generiert?\n* `server.config.yaml` auf korrekte `public_ip` prüfen\n\n### Problem: Hunt hängt in Warteschleife\n\n**Lösung:**\n\n* Genügend Worker-Prozesse aktiv?\n* Endpoint online?\n* `log_level` auf `debug` setzen und Log analysieren\n\n---\n\n## Weiterführende Themen\n\n* Eigene Artefakte schreiben mit VQL\n* Integration mit ELK Stack\n* Automatisiertes Incident Response Playbook\n* Velociraptor als IR-as-a-Service einsetzen\n\n---\n\n🧠 **Tipp:** Die Lernkurve bei VQL ist steil – aber mit hohem ROI. Testumgebung aufsetzen und mit Community-Artefakten starten.\n\n📚 Weitere Ressourcen:\n\n* [Offizielle Doku](https://docs.velociraptor.app/)\n* [YouTube Channel](https://www.youtube.com/c/VelociraptorDFIR)\n* [Community auf Discord](https://www.velociraptor.app/community/)","src/content/knowledgebase/velociraptor.md","05636b9b97e61d17",{"html":243,"metadata":244},"\u003Cblockquote>\n\u003Cp>\u003Cstrong>⚠️ Hinweis\u003C/strong>: Dies ist ein vorläufiger, KI-generierter Knowledgebase-Eintrag. Wir freuen uns über Verbesserungen und Ergänzungen durch die Community!\u003C/p>\n\u003C/blockquote>\n\u003Ch1 id=\"übersicht\">Übersicht\u003C/h1>\n\u003Cp>Velociraptor ist ein Open-Source-Tool zur Endpoint-Forensik mit Fokus auf Skalierbarkeit, Präzision und Geschwindigkeit. Es ermöglicht die zielgerichtete Erfassung und Analyse digitaler Artefakte über eine eigene Query Language – VQL (Velociraptor Query Language). Die Architektur erlaubt remote Zugriff auf tausende Endpoints gleichzeitig, ohne dass vollständige Disk-Images erforderlich sind.\u003C/p>\n\u003Ch2 id=\"hauptmerkmale\">Hauptmerkmale\u003C/h2>\n\u003Cul>\n\u003Cli>🌐 Web-basierte Benutzeroberfläche\u003C/li>\n\u003Cli>💡 VQL – mächtige, SQL-ähnliche Abfragesprache\u003C/li>\n\u003Cli>🚀 Hochskalierbare Hunt-Funktionalität\u003C/li>\n\u003Cli>🔍 Artefaktbasierte Sammlung (ohne Full-Image)\u003C/li>\n\u003Cli>🖥️ Plattformunterstützung für Windows, macOS, Linux\u003C/li>\n\u003Cli>📦 Apache 2.0 Lizenz – Open Source\u003C/li>\n\u003C/ul>\n\u003Cp>Weitere Infos: \u003Ca href=\"https://www.velociraptor.app/\">velociraptor.app\u003C/a>\u003Cbr>\nProjektspiegel: \u003Ca href=\"https://raptor.cc24.dev\">raptor.cc24.dev\u003C/a>\u003Cbr>\nStatus: \u003Cimg src=\"https://status.mikoshi.de/api/badge/33/status\" alt=\"Status\">\u003C/p>\n\u003Chr>\n\u003Ch2 id=\"installation\">Installation\u003C/h2>\n\u003Ch3 id=\"voraussetzungen\">Voraussetzungen\u003C/h3>\n\u003Cul>\n\u003Cli>Python ≥ 3.9\u003C/li>\n\u003Cli>Adminrechte auf dem System\u003C/li>\n\u003Cli>Firewall-Freigaben für Webport (Standard: 8000)\u003C/li>\n\u003C/ul>\n\u003Ch3 id=\"installation-unter-linuxmacos\">Installation unter Linux/macOS\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">wget\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> https://github.com/Velocidex/velociraptor/releases/latest/download/velociraptor\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">chmod\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> +x\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> velociraptor\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">sudo\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> mv\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> velociraptor\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /usr/local/bin/\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"installation-unter-windows\">Installation unter Windows\u003C/h3>\n\u003Col>\n\u003Cli>\n\u003Cp>Download der \u003Ccode>.exe\u003C/code> von der \u003Ca href=\"https://github.com/Velocidex/velociraptor/releases\">Release-Seite\u003C/a>\u003C/p>\n\u003C/li>\n\u003Cli>\n\u003Cp>Ausführung in PowerShell mit Adminrechten:\u003C/p>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"powershell\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#E1E4E8\">.\\\u003C/span>\u003Cspan style=\"color:#79B8FF\">velociraptor.exe\u003C/span>\u003Cspan style=\"color:#E1E4E8\"> config generate \u003C/span>\u003Cspan style=\"color:#F97583\">>\u003C/span>\u003Cspan style=\"color:#E1E4E8\"> server.config.yaml\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003C/li>\n\u003C/ol>\n\u003Chr>\n\u003Ch2 id=\"konfiguration\">Konfiguration\u003C/h2>\n\u003Ch3 id=\"server-setup\">Server Setup\u003C/h3>\n\u003Col>\n\u003Cli>\n\u003Cp>Generiere die Konfigurationsdatei:\u003C/p>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">velociraptor\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> config\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> generate\u003C/span>\u003Cspan style=\"color:#F97583\"> >\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> server.config.yaml\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003C/li>\n\u003Cli>\n\u003Cp>Starte den Server:\u003C/p>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">velociraptor\u003C/span>\u003Cspan style=\"color:#79B8FF\"> --config\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> server.config.yaml\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> frontend\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003C/li>\n\u003Cli>\n\u003Cp>Zugriff über Browser via \u003Ccode>https://<hostname>:8000\u003C/code>\u003C/p>\n\u003C/li>\n\u003C/ol>\n\u003Ch3 id=\"client-deployment\">Client Deployment\u003C/h3>\n\u003Cul>\n\u003Cli>MSI/EXE für Windows, oder \u003Ccode>deb/rpm\u003C/code> für Linux\u003C/li>\n\u003Cli>Unterstützt automatische Registrierung am Server\u003C/li>\n\u003Cli>Deployment über GPO, Puppet, Ansible etc. möglich\u003C/li>\n\u003C/ul>\n\u003Chr>\n\u003Ch2 id=\"verwendungsbeispiele\">Verwendungsbeispiele\u003C/h2>\n\u003Ch3 id=\"1-live-memory-artefakte-sammeln\">1. Live-Memory-Artefakte sammeln\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"plaintext\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan>SELECT * FROM Artifact.MemoryInfo()\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"2-hunt-starten-auf-verdächtige-prozesse\">2. Hunt starten auf verdächtige Prozesse\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"plaintext\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan>SELECT * FROM pslist()\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan>WHERE Name =~ \"mimikatz|cobaltstrike\"\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"3-dateiinhalt-extrahieren\">3. Dateiinhalt extrahieren\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"plaintext\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan>SELECT * FROM glob(globs=\"C:\\\\Users\\\\*\\\\AppData\\\\*.dat\")\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Chr>\n\u003Ch2 id=\"best-practices\">Best Practices\u003C/h2>\n\u003Cul>\n\u003Cli>Erstelle eigene Artefakte für unternehmensspezifische Bedrohungsmodelle\u003C/li>\n\u003Cli>Verwende “Notebook”-Funktion für strukturierte Analysen\u003C/li>\n\u003Cli>Nutze “Labels”, um Endpoints zu organisieren (z. B. \u003Ccode>location:Berlin\u003C/code>)\u003C/li>\n\u003Cli>Kombiniere Velociraptor mit SIEM/EDR-Systemen über REST API\u003C/li>\n\u003C/ul>\n\u003Chr>\n\u003Ch2 id=\"troubleshooting\">Troubleshooting\u003C/h2>\n\u003Ch3 id=\"problem-keine-verbindung-vom-client-zum-server\">Problem: Keine Verbindung vom Client zum Server\u003C/h3>\n\u003Cp>\u003Cstrong>Lösung:\u003C/strong>\u003C/p>\n\u003Cul>\n\u003Cli>Ports freigegeben? (Default: 8000/tcp)\u003C/li>\n\u003Cli>TLS-Zertifikate korrekt generiert?\u003C/li>\n\u003Cli>\u003Ccode>server.config.yaml\u003C/code> auf korrekte \u003Ccode>public_ip\u003C/code> prüfen\u003C/li>\n\u003C/ul>\n\u003Ch3 id=\"problem-hunt-hängt-in-warteschleife\">Problem: Hunt hängt in Warteschleife\u003C/h3>\n\u003Cp>\u003Cstrong>Lösung:\u003C/strong>\u003C/p>\n\u003Cul>\n\u003Cli>Genügend Worker-Prozesse aktiv?\u003C/li>\n\u003Cli>Endpoint online?\u003C/li>\n\u003Cli>\u003Ccode>log_level\u003C/code> auf \u003Ccode>debug\u003C/code> setzen und Log analysieren\u003C/li>\n\u003C/ul>\n\u003Chr>\n\u003Ch2 id=\"weiterführende-themen\">Weiterführende Themen\u003C/h2>\n\u003Cul>\n\u003Cli>Eigene Artefakte schreiben mit VQL\u003C/li>\n\u003Cli>Integration mit ELK Stack\u003C/li>\n\u003Cli>Automatisiertes Incident Response Playbook\u003C/li>\n\u003Cli>Velociraptor als IR-as-a-Service einsetzen\u003C/li>\n\u003C/ul>\n\u003Chr>\n\u003Cp>🧠 \u003Cstrong>Tipp:\u003C/strong> Die Lernkurve bei VQL ist steil – aber mit hohem ROI. Testumgebung aufsetzen und mit Community-Artefakten starten.\u003C/p>\n\u003Cp>📚 Weitere Ressourcen:\u003C/p>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https://docs.velociraptor.app/\">Offizielle Doku\u003C/a>\u003C/li>\n\u003Cli>\u003Ca href=\"https://www.youtube.com/c/VelociraptorDFIR\">YouTube Channel\u003C/a>\u003C/li>\n\u003Cli>\u003Ca href=\"https://www.velociraptor.app/community/\">Community auf Discord\u003C/a>\u003C/li>\n\u003C/ul>",{"headings":245,"localImagePaths":284,"remoteImagePaths":285,"frontmatter":225,"imagePaths":286},[246,247,250,251,252,255,258,259,262,265,266,269,272,275,276,277,280,283],{"depth":43,"slug":44,"text":45},{"depth":47,"slug":248,"text":249},"hauptmerkmale","Hauptmerkmale",{"depth":47,"slug":48,"text":49},{"depth":51,"slug":52,"text":53},{"depth":51,"slug":253,"text":254},"installation-unter-linuxmacos","Installation unter Linux/macOS",{"depth":51,"slug":256,"text":257},"installation-unter-windows","Installation unter Windows",{"depth":47,"slug":58,"text":59},{"depth":51,"slug":260,"text":261},"server-setup","Server Setup",{"depth":51,"slug":263,"text":264},"client-deployment","Client Deployment",{"depth":47,"slug":70,"text":71},{"depth":51,"slug":267,"text":268},"1-live-memory-artefakte-sammeln","1. Live-Memory-Artefakte sammeln",{"depth":51,"slug":270,"text":271},"2-hunt-starten-auf-verdächtige-prozesse","2. Hunt starten auf verdächtige Prozesse",{"depth":51,"slug":273,"text":274},"3-dateiinhalt-extrahieren","3. Dateiinhalt extrahieren",{"depth":47,"slug":79,"text":80},{"depth":47,"slug":82,"text":83},{"depth":51,"slug":278,"text":279},"problem-keine-verbindung-vom-client-zum-server","Problem: Keine Verbindung vom Client zum Server",{"depth":51,"slug":281,"text":282},"problem-hunt-hängt-in-warteschleife","Problem: Hunt hängt in Warteschleife",{"depth":47,"slug":94,"text":95},[],[],[],"velociraptor.md","android-logical-imaging",{"id":288,"data":290,"body":303,"filePath":304,"digest":305,"rendered":306,"legacyId":534},{"title":291,"tool_name":292,"description":293,"last_updated":294,"author":295,"difficulty":230,"categories":296,"tags":298,"sections":302,"review_status":34},"Extraktion logischer Dateisysteme alter Android-Smartphones - eine KI-Recherche","Android Logical Imaging","Wie man alte Android-Handys aufbekommen könnte - eine Recherche von Claude",["Date","2025-07-21T00:00:00.000Z"],"Claude 4 Sonnet (Research)",[297],"data-collection",[299,300,301],"imaging","filesystem","hardware-interface",{"overview":32,"installation":32,"configuration":32,"usage_examples":32,"best_practices":32,"troubleshooting":32,"advanced_topics":32},"# Übersicht\n\nOpen-Source Android Forensik bietet robuste Alternativen zu kommerziellen Lösungen wie Cellebrite UFED und Magnet AXIOM. Besonders für ältere Android-Geräte (5+ Jahre) existieren bewährte Methoden zur Datenextraktion und -analyse.\n\n## Kernkomponenten des Open-Source Forensik-Stacks\n\n**Autopsy Digital Forensics Platform** bildet das Fundament mit GUI-basierter Analyse und integrierten Android-Parsing-Fähigkeiten. Die Plattform unterstützt **ALEAPP (Android Logs Events And Protobuf Parser)**, das über 100 Artefakt-Kategorien aus Android-Extraktionen parst.\n\n**Mobile Verification Toolkit (MVT)** von Amnesty International bietet spezialisierte Command-Line-Tools für Android-Analyse mit Fokus auf Kompromittierungserkennung.\n\n**SIFT Workstation** stellt eine komplette Ubuntu-basierte forensische Umgebung mit 125+ vorinstallierten Tools bereit.\n\n## Erfolgsraten nach Gerätealter\n\n- **Pre-2017 Geräte**: 85-98% logische Extraktion, 30-70% physische Extraktion\n- **2017-2019 Geräte**: 80-95% logische Extraktion, 15-35% physische Extraktion  \n- **2020+ Geräte**: 70-85% logische Extraktion, 5-15% physische Extraktion\n\n# Installation\n\n## SIFT Workstation Setup\n\n### Systemanforderungen\n- Quad-Core CPU 2.5GHz+\n- 16GB+ RAM\n- 500GB+ SSD Speicher\n- USB 3.0+ Anschlüsse\n\n### Installation\n1. Download von [SANS SIFT Workstation](https://www.sans.org/tools/sift-workstation/)\n2. VMware/VirtualBox Import der OVA-Datei\n3. VM-Konfiguration: 8GB+ RAM, 4+ CPU-Kerne\n\n```bash\n# Update nach Installation\nsudo apt update && sudo apt upgrade -y\nsudo sift update\n```\n\n## Autopsy Installation\n\n### Windows Installation\n1. Download von [autopsy.com](https://www.autopsy.com/)\n2. Java 8+ Installation erforderlich\n3. Installation mit Administratorrechten\n\n### Linux Installation\n```bash\n# Ubuntu/Debian\nsudo apt install autopsy sleuthkit\n# Oder manueller Download und Installation\nwget https://github.com/sleuthkit/autopsy/releases/latest\n```\n\n## Essential Tools Installation\n\n### Android Debug Bridge (ADB)\n```bash\n# Ubuntu/Debian\nsudo apt install android-tools-adb android-tools-fastboot\n\n# Windows - Download Android Platform Tools\n# https://developer.android.com/studio/releases/platform-tools\n```\n\n### ALEAPP Installation\n```bash\ngit clone https://github.com/abrignoni/ALEAPP.git\ncd ALEAPP\npip3 install -r requirements.txt\n```\n\n### Mobile Verification Toolkit (MVT)\n```bash\npip3 install mvt\n# Oder via GitHub für neueste Version\ngit clone https://github.com/mvt-project/mvt.git\ncd mvt && pip3 install .\n```\n\n### Andriller Installation\n```bash\ngit clone https://github.com/den4uk/andriller.git\ncd andriller\npip3 install -r requirements.txt\n```\n\n# Konfiguration\n\n## ADB Setup und Gerätevorbereitung\n\n### USB-Debugging aktivieren\n1. Entwickleroptionen freischalten (7x Build-Nummer antippen)\n2. USB-Debugging aktivieren\n3. Gerät via USB verbinden\n4. RSA-Fingerprint akzeptieren\n\n### ADB Verbindung testen\n```bash\nadb devices\n# Sollte Gerät mit \"device\" Status zeigen\nadb shell getprop ro.build.version.release  # Android Version\nadb shell getprop ro.product.model         # Gerätemodell\n```\n\n## Autopsy Projektkonfiguration\n\n### Case-Setup\n1. Neuen Fall erstellen\n2. Ermittler-Informationen eingeben\n3. Case-Verzeichnis festlegen (ausreichend Speicherplatz)\n\n### Android Analyzer Module aktivieren\n- Tools → Options → Modules\n- Android Analyzer aktivieren\n- ALEAPP Integration konfigurieren\n\n### Hash-Algorithmen konfigurieren\n- MD5, SHA-1, SHA-256 für Integritätsprüfung\n- Automatische Hash-Berechnung bei Import aktivieren\n\n## MVT Konfiguration\n\n### Konfigurationsdatei erstellen\n```yaml\n# ~/.mvt/config.yaml\nadb_path: \"/usr/bin/adb\"\noutput_folder: \"/home/user/mvt_output\"\n```\n\n# Verwendungsbeispiele\n\n## Fall 1: Logische Datenextraktion mit ADB\n\n### Geräteinformationen sammeln\n```bash\n# Systeminfo\nadb shell getprop > device_properties.txt\nadb shell cat /proc/version > kernel_info.txt\nadb shell mount > mount_info.txt\n\n# Installierte Apps\nadb shell pm list packages -f > installed_packages.txt\n```\n\n### Datenbank-Extraktion\n```bash\n# SMS/MMS Datenbank\nadb pull /data/data/com.android.providers.telephony/databases/mmssms.db\n\n# Kontakte\nadb pull /data/data/com.android.providers.contacts/databases/contacts2.db\n\n# Anrufliste  \nadb pull /data/data/com.android.providers.contacts/databases/calllog.db\n```\n\n### WhatsApp Datenextraktion\n```bash\n# WhatsApp Datenbanken (Root erforderlich)\nadb shell su -c \"cp -r /data/data/com.whatsapp/ /sdcard/whatsapp_backup/\"\nadb pull /sdcard/whatsapp_backup/\n```\n\n## Fall 2: Android Backup-Analyse\n\n### Vollständiges Backup erstellen\n```bash\n# Umfassendes Backup (ohne Root)\nadb backup -all -system -apk -shared -f backup.ab\n\n# Backup entschlüsseln (falls verschlüsselt)\njava -jar abe.jar unpack backup.ab backup.tar\ntar -xf backup.tar\n```\n\n### Backup mit ALEAPP analysieren\n```bash\npython3 aleappGUI.py\n# Oder Command-Line\npython3 aleapp.py -t tar -i backup.tar -o output_folder\n```\n\n## Fall 3: MVT Kompromittierungsanalyse\n\n### Live-Geräteanalyse\n```bash\n# ADB-basierte Analyse\nmvt-android check-adb --output /path/to/output/\n\n# Backup-Analyse\nmvt-android check-backup --output /path/to/output/ backup.ab\n```\n\n### IOC-Suche mit Pegasus-Indikatoren\n```bash\n# Mit vorgefertigten IOCs\nmvt-android check-adb --iocs /path/to/pegasus.stix2 --output results/\n```\n\n## Fall 4: Physische Extraktion (Root erforderlich)\n\n### Device Rooting - MediaTek Geräte\n```bash\n# MTKClient für MediaTek-Chipsets\ngit clone https://github.com/bkerler/mtkclient.git\ncd mtkclient\npython3 mtk payload\n\n# Nach erfolgreichem Root\nadb shell su\n```\n\n### Vollständiges Memory Dump\n```bash\n# Partitionslayout ermitteln\nadb shell su -c \"cat /proc/partitions\"\nadb shell su -c \"ls -la /dev/block/\"\n\n# Vollständiges Device Image (Root erforderlich)\nadb shell su -c \"dd if=/dev/block/mmcblk0 of=/sdcard/full_device.img bs=4096\"\nadb pull /sdcard/full_device.img\n```\n\n# Best Practices\n\n## Rechtliche Compliance\n\n### Dokumentation und Chain of Custody\n- **Vollständige Dokumentation**: Wer, Was, Wann, Wo, Warum\n- **Hash-Verifikation**: MD5/SHA-256 für alle extrahierten Daten\n- **Nur forensische Kopien analysieren**, niemals Originaldaten\n- **Schriftliche Genehmigung** für Geräteanalyse einholen\n\n### Familiengeräte und Nachlässe\n- Genehmigung durch Nachlassverwalter erforderlich\n- Gerichtsbeschlüsse für Cloud-Zugang eventuell nötig\n- Drittpartei-Kommunikation kann weiterhin geschützt sein\n\n## Technische Best Practices\n\n### Hash-Integrität sicherstellen\n```bash\n# Hash vor und nach Transfer prüfen\nmd5sum original_file.db\nsha256sum original_file.db\n\n# Hash-Verifikation dokumentieren\necho \"$(date): MD5: $(md5sum file.db)\" >> chain_of_custody.log\n```\n\n### Sichere Arbeitsumgebung\n- Isolierte VM für Forensik-Arbeit\n- Netzwerk-Isolation während Analyse\n- Verschlüsselte Speicherung aller Evidenz\n- Regelmäßige Backups der Case-Datenbanken\n\n### Qualitätssicherung\n- Peer-Review kritischer Analysen\n- Standardisierte Arbeitsabläufe (SOPs)\n- Regelmäßige Tool-Validierung\n- Kontinuierliche Weiterbildung\n\n## Erfolgsmaximierung nach Gerätehersteller\n\n### MediaTek-Geräte (Höchste Erfolgsrate)\n- BootROM-Exploits für MT6735, MT6737, MT6750, MT6753, MT6797\n- MTKClient für Hardware-Level-Zugang\n- Erfolgsrate: 80%+ für Geräte 2015-2019\n\n### Samsung-Geräte\n- Ältere Knox-Implementierungen umgehbar\n- Emergency Dialer Exploits für Android 4.x\n- Erfolgsrate: 40-70% je nach Knox-Version\n\n### Pixel/Nexus-Geräte\n- Bootloader-Unlocking oft möglich\n- Fastboot-basierte Recovery-Installation\n- Erfolgsrate: 60-80% bei freigeschaltetem Bootloader\n\n# Troubleshooting\n\n## Problem: ADB erkennt Gerät nicht\n\n### Lösung: USB-Treiber und Berechtigungen\n```bash\n# Linux: USB-Berechtigungen prüfen\nlsusb | grep -i android\nsudo chmod 666 /dev/bus/usb/XXX/XXX\n\n# udev-Regeln erstellen\necho 'SUBSYSTEM==\"usb\", ATTR{idVendor}==\"18d1\", MODE=\"0666\", GROUP=\"plugdev\"' | sudo tee /etc/udev/rules.d/51-android.rules\nsudo udevadm control --reload-rules\n```\n\n### Windows: Treiber-Installation\n1. Geräte-Manager öffnen\n2. Android-Gerät mit Warnsymbol finden\n3. Treiber manuell installieren (Android USB Driver)\n\n## Problem: Verschlüsselte Android Backups\n\n### Lösung: Android Backup Extractor\n```bash\n# ADB Backup Extractor installieren\ngit clone https://github.com/nelenkov/android-backup-extractor.git\ncd android-backup-extractor\ngradle build\n\n# Backup entschlüsseln\njava -jar abe.jar unpack backup.ab backup.tar [password]\n```\n\n## Problem: Unzureichende Berechtigungen für Datenextraktion\n\n### Lösung: Alternative Extraktionsmethoden\n```bash\n# AFLogical OSE für begrenzte Extraktion ohne Root\n# WhatsApp Key/DB Extractor für spezifische Apps\n# Backup-basierte Extraktion als Fallback\n\n# Custom Recovery für erweiterten Zugang\nfastboot flash recovery twrp-device.img\n```\n\n## Problem: ALEAPP Parsing-Fehler\n\n### Lösung: Datenformat-Probleme beheben\n```bash\n# Log-Dateien prüfen\npython3 aleapp.py -t dir -i /path/to/data -o output --debug\n\n# Spezifische Parser deaktivieren\n# Manuelle SQLite-Analyse bei Parser-Fehlern\nsqlite3 database.db \".tables\"\nsqlite3 database.db \".schema table_name\"\n```\n\n# Erweiterte Techniken\n\n## Memory Forensics mit LiME\n\n### LiME für ARM-Devices kompilieren\n```bash\n# Cross-Compilation Setup\nexport ARCH=arm\nexport CROSS_COMPILE=arm-linux-gnueabi-\nexport KERNEL_DIR=/path/to/kernel/source\n\n# LiME Module kompilieren\ngit clone https://github.com/504ensicsLabs/LiME.git\ncd LiME/src\nmake\n\n# Memory Dump erstellen (Root erforderlich)\nadb push lime.ko /data/local/tmp/\nadb shell su -c \"insmod /data/local/tmp/lime.ko 'path=/sdcard/memory.lime format=lime'\"\n```\n\n### Volatility-Analyse von Android Memory\n```bash\n# Memory Dump analysieren\npython vol.py -f memory.lime --profile=Linux \u003Cprofile> linux.pslist\npython vol.py -f memory.lime --profile=Linux \u003Cprofile> linux.bash\npython vol.py -f memory.lime --profile=Linux \u003Cprofile> linux.netstat\n```\n\n## FRIDA-basierte Runtime-Analyse\n\n### FRIDA für Kryptographie-Hooks\n```javascript\n// crypto_hooks.js - SSL/TLS Traffic abfangen\nJava.perform(function() {\n    var SSLContext = Java.use(\"javax.net.ssl.SSLContext\");\n    SSLContext.init.overload('[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom').implementation = function(keyManagers, trustManagers, secureRandom) {\n        console.log(\"[+] SSLContext.init() called\");\n        this.init(keyManagers, trustManagers, secureRandom);\n    };\n});\n```\n\n### FRIDA Installation und Verwendung\n```bash\n# FRIDA Server auf Android-Gerät installieren\nadb push frida-server /data/local/tmp/\nadb shell su -c \"chmod 755 /data/local/tmp/frida-server\"\nadb shell su -c \"/data/local/tmp/frida-server &\"\n\n# Script ausführen\nfrida -U -l crypto_hooks.js com.target.package\n```\n\n## Custom Recovery und Fastboot-Exploits\n\n### TWRP Installation für forensischen Zugang\n```bash\n# Bootloader entsperren (Herstellerabhängig)\nfastboot oem unlock\n# Oder\nfastboot flashing unlock\n\n# TWRP flashen\nfastboot flash recovery twrp-device.img\nfastboot boot twrp-device.img  # Temporäre Installation\n\n# In TWRP: ADB-Zugang mit Root-Berechtigungen\nadb shell mount /system\nadb shell mount /data\n```\n\n### Partitions-Imaging mit dd\n```bash\n# Vollständige Partition-Liste\nadb shell cat /proc/partitions\n\n# Kritische Partitionen extrahieren\nadb shell dd if=/dev/block/bootdevice/by-name/system of=/external_sd/system.img\nadb shell dd if=/dev/block/bootdevice/by-name/userdata of=/external_sd/userdata.img\nadb shell dd if=/dev/block/bootdevice/by-name/boot of=/external_sd/boot.img\n```\n\n## SQLite Forensics und gelöschte Daten\n\n### Erweiterte SQLite-Analyse\n```bash\n# Freelist-Analyse für gelöschte Einträge\nsqlite3 database.db \"PRAGMA freelist_count;\"\nsqlite3 database.db \"PRAGMA page_size;\"\n\n# WAL-Datei Analyse\nsqlite3 database.db \"PRAGMA wal_checkpoint;\"\nstrings database.db-wal | grep -i \"search_term\"\n\n# Undark für Deleted Record Recovery\nundark database.db --freelist --export-csv\n```\n\n### Timeline-Rekonstruktion\n```bash\n# Autopsy Timeline-Generierung\n# Tools → Generate Timeline\n# Analyse von MAC-Times (Modified, Accessed, Created)\n\n# Plaso Timeline-Tools\nlog2timeline.py timeline.plaso /path/to/android/data/\npsort.py -o dynamic timeline.plaso\n```\n\n## Weiterführende Ressourcen\n\n### Dokumentation und Standards\n- [NIST SP 800-101 Rev. 1 - Mobile Device Forensics Guidelines](https://csrc.nist.gov/pubs/sp/800/101/r1/final)\n- [SANS FOR585 - Smartphone Forensics](https://www.sans.org/cyber-security-courses/advanced-smartphone-mobile-device-forensics/)\n- [ALEAPP GitHub Repository](https://github.com/abrignoni/ALEAPP)\n- [MVT Documentation](https://docs.mvt.re/en/latest/)\n\n### Community und Weiterbildung\n- [Autopsy User Documentation](https://sleuthkit.org/autopsy/docs/)\n- [Android Forensics References](https://github.com/impillar/AndroidReferences/blob/master/AndroidTools.md)\n- [Digital Forensics Framework Collection](https://github.com/mesquidar/ForensicsTools)\n\n### Spezialisierte Tools\n- [MTKClient für MediaTek Exploits](https://github.com/bkerler/mtkclient)\n- [Android Forensics Framework](https://github.com/nowsecure/android-forensics)\n- [Santoku Linux Mobile Forensics Distribution](https://santoku-linux.com/)\n\n---\n\n**Wichtiger Hinweis**: Diese Anleitung dient ausschließlich für autorisierte forensische Untersuchungen. Stellen Sie sicher, dass Sie über entsprechende rechtliche Befugnisse verfügen, bevor Sie diese Techniken anwenden. Bei Zweifeln konsultieren Sie Rechtsberatung.","src/content/knowledgebase/android-logical-imaging.md","0bb3f1d2c872d2bf",{"html":307,"metadata":308},"\u003Ch1 id=\"übersicht\">Übersicht\u003C/h1>\n\u003Cp>Open-Source Android Forensik bietet robuste Alternativen zu kommerziellen Lösungen wie Cellebrite UFED und Magnet AXIOM. Besonders für ältere Android-Geräte (5+ Jahre) existieren bewährte Methoden zur Datenextraktion und -analyse.\u003C/p>\n\u003Ch2 id=\"kernkomponenten-des-open-source-forensik-stacks\">Kernkomponenten des Open-Source Forensik-Stacks\u003C/h2>\n\u003Cp>\u003Cstrong>Autopsy Digital Forensics Platform\u003C/strong> bildet das Fundament mit GUI-basierter Analyse und integrierten Android-Parsing-Fähigkeiten. Die Plattform unterstützt \u003Cstrong>ALEAPP (Android Logs Events And Protobuf Parser)\u003C/strong>, das über 100 Artefakt-Kategorien aus Android-Extraktionen parst.\u003C/p>\n\u003Cp>\u003Cstrong>Mobile Verification Toolkit (MVT)\u003C/strong> von Amnesty International bietet spezialisierte Command-Line-Tools für Android-Analyse mit Fokus auf Kompromittierungserkennung.\u003C/p>\n\u003Cp>\u003Cstrong>SIFT Workstation\u003C/strong> stellt eine komplette Ubuntu-basierte forensische Umgebung mit 125+ vorinstallierten Tools bereit.\u003C/p>\n\u003Ch2 id=\"erfolgsraten-nach-gerätealter\">Erfolgsraten nach Gerätealter\u003C/h2>\n\u003Cul>\n\u003Cli>\u003Cstrong>Pre-2017 Geräte\u003C/strong>: 85-98% logische Extraktion, 30-70% physische Extraktion\u003C/li>\n\u003Cli>\u003Cstrong>2017-2019 Geräte\u003C/strong>: 80-95% logische Extraktion, 15-35% physische Extraktion\u003C/li>\n\u003Cli>\u003Cstrong>2020+ Geräte\u003C/strong>: 70-85% logische Extraktion, 5-15% physische Extraktion\u003C/li>\n\u003C/ul>\n\u003Ch1 id=\"installation\">Installation\u003C/h1>\n\u003Ch2 id=\"sift-workstation-setup\">SIFT Workstation Setup\u003C/h2>\n\u003Ch3 id=\"systemanforderungen\">Systemanforderungen\u003C/h3>\n\u003Cul>\n\u003Cli>Quad-Core CPU 2.5GHz+\u003C/li>\n\u003Cli>16GB+ RAM\u003C/li>\n\u003Cli>500GB+ SSD Speicher\u003C/li>\n\u003Cli>USB 3.0+ Anschlüsse\u003C/li>\n\u003C/ul>\n\u003Ch3 id=\"installation-1\">Installation\u003C/h3>\n\u003Col>\n\u003Cli>Download von \u003Ca href=\"https://www.sans.org/tools/sift-workstation/\">SANS SIFT Workstation\u003C/a>\u003C/li>\n\u003Cli>VMware/VirtualBox Import der OVA-Datei\u003C/li>\n\u003Cli>VM-Konfiguration: 8GB+ RAM, 4+ CPU-Kerne\u003C/li>\n\u003C/ol>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Update nach Installation\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">sudo\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> apt\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> update\u003C/span>\u003Cspan style=\"color:#E1E4E8\"> && \u003C/span>\u003Cspan style=\"color:#B392F0\">sudo\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> apt\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> upgrade\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -y\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">sudo\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> sift\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> update\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch2 id=\"autopsy-installation\">Autopsy Installation\u003C/h2>\n\u003Ch3 id=\"windows-installation\">Windows Installation\u003C/h3>\n\u003Col>\n\u003Cli>Download von \u003Ca href=\"https://www.autopsy.com/\">autopsy.com\u003C/a>\u003C/li>\n\u003Cli>Java 8+ Installation erforderlich\u003C/li>\n\u003Cli>Installation mit Administratorrechten\u003C/li>\n\u003C/ol>\n\u003Ch3 id=\"linux-installation\">Linux Installation\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Ubuntu/Debian\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">sudo\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> apt\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> install\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> autopsy\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> sleuthkit\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Oder manueller Download und Installation\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">wget\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> https://github.com/sleuthkit/autopsy/releases/latest\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch2 id=\"essential-tools-installation\">Essential Tools Installation\u003C/h2>\n\u003Ch3 id=\"android-debug-bridge-adb\">Android Debug Bridge (ADB)\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Ubuntu/Debian\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">sudo\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> apt\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> install\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> android-tools-adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> android-tools-fastboot\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Windows - Download Android Platform Tools\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># https://developer.android.com/studio/releases/platform-tools\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"aleapp-installation\">ALEAPP Installation\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">git\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> clone\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> https://github.com/abrignoni/ALEAPP.git\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#79B8FF\">cd\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> ALEAPP\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">pip3\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> install\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -r\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> requirements.txt\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"mobile-verification-toolkit-mvt\">Mobile Verification Toolkit (MVT)\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">pip3\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> install\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> mvt\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Oder via GitHub für neueste Version\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">git\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> clone\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> https://github.com/mvt-project/mvt.git\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#79B8FF\">cd\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> mvt\u003C/span>\u003Cspan style=\"color:#E1E4E8\"> && \u003C/span>\u003Cspan style=\"color:#B392F0\">pip3\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> install\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> .\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"andriller-installation\">Andriller Installation\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">git\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> clone\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> https://github.com/den4uk/andriller.git\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#79B8FF\">cd\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> andriller\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">pip3\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> install\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -r\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> requirements.txt\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch1 id=\"konfiguration\">Konfiguration\u003C/h1>\n\u003Ch2 id=\"adb-setup-und-gerätevorbereitung\">ADB Setup und Gerätevorbereitung\u003C/h2>\n\u003Ch3 id=\"usb-debugging-aktivieren\">USB-Debugging aktivieren\u003C/h3>\n\u003Col>\n\u003Cli>Entwickleroptionen freischalten (7x Build-Nummer antippen)\u003C/li>\n\u003Cli>USB-Debugging aktivieren\u003C/li>\n\u003Cli>Gerät via USB verbinden\u003C/li>\n\u003Cli>RSA-Fingerprint akzeptieren\u003C/li>\n\u003C/ol>\n\u003Ch3 id=\"adb-verbindung-testen\">ADB Verbindung testen\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> devices\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Sollte Gerät mit \"device\" Status zeigen\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> shell\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> getprop\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> ro.build.version.release\u003C/span>\u003Cspan style=\"color:#6A737D\">  # Android Version\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> shell\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> getprop\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> ro.product.model\u003C/span>\u003Cspan style=\"color:#6A737D\">         # Gerätemodell\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch2 id=\"autopsy-projektkonfiguration\">Autopsy Projektkonfiguration\u003C/h2>\n\u003Ch3 id=\"case-setup\">Case-Setup\u003C/h3>\n\u003Col>\n\u003Cli>Neuen Fall erstellen\u003C/li>\n\u003Cli>Ermittler-Informationen eingeben\u003C/li>\n\u003Cli>Case-Verzeichnis festlegen (ausreichend Speicherplatz)\u003C/li>\n\u003C/ol>\n\u003Ch3 id=\"android-analyzer-module-aktivieren\">Android Analyzer Module aktivieren\u003C/h3>\n\u003Cul>\n\u003Cli>Tools → Options → Modules\u003C/li>\n\u003Cli>Android Analyzer aktivieren\u003C/li>\n\u003Cli>ALEAPP Integration konfigurieren\u003C/li>\n\u003C/ul>\n\u003Ch3 id=\"hash-algorithmen-konfigurieren\">Hash-Algorithmen konfigurieren\u003C/h3>\n\u003Cul>\n\u003Cli>MD5, SHA-1, SHA-256 für Integritätsprüfung\u003C/li>\n\u003Cli>Automatische Hash-Berechnung bei Import aktivieren\u003C/li>\n\u003C/ul>\n\u003Ch2 id=\"mvt-konfiguration\">MVT Konfiguration\u003C/h2>\n\u003Ch3 id=\"konfigurationsdatei-erstellen\">Konfigurationsdatei erstellen\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"yaml\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># ~/.mvt/config.yaml\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#85E89D\">adb_path\u003C/span>\u003Cspan style=\"color:#E1E4E8\">: \u003C/span>\u003Cspan style=\"color:#9ECBFF\">\"/usr/bin/adb\"\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#85E89D\">output_folder\u003C/span>\u003Cspan style=\"color:#E1E4E8\">: \u003C/span>\u003Cspan style=\"color:#9ECBFF\">\"/home/user/mvt_output\"\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch1 id=\"verwendungsbeispiele\">Verwendungsbeispiele\u003C/h1>\n\u003Ch2 id=\"fall-1-logische-datenextraktion-mit-adb\">Fall 1: Logische Datenextraktion mit ADB\u003C/h2>\n\u003Ch3 id=\"geräteinformationen-sammeln\">Geräteinformationen sammeln\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Systeminfo\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> shell\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> getprop\u003C/span>\u003Cspan style=\"color:#F97583\"> >\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> device_properties.txt\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> shell\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> cat\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /proc/version\u003C/span>\u003Cspan style=\"color:#F97583\"> >\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> kernel_info.txt\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> shell\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> mount\u003C/span>\u003Cspan style=\"color:#F97583\"> >\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> mount_info.txt\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Installierte Apps\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> shell\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> pm\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> list\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> packages\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -f\u003C/span>\u003Cspan style=\"color:#F97583\"> >\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> installed_packages.txt\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"datenbank-extraktion\">Datenbank-Extraktion\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># SMS/MMS Datenbank\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> pull\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /data/data/com.android.providers.telephony/databases/mmssms.db\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Kontakte\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> pull\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /data/data/com.android.providers.contacts/databases/contacts2.db\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Anrufliste  \u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> pull\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /data/data/com.android.providers.contacts/databases/calllog.db\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"whatsapp-datenextraktion\">WhatsApp Datenextraktion\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># WhatsApp Datenbanken (Root erforderlich)\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> shell\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> su\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -c\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> \"cp -r /data/data/com.whatsapp/ /sdcard/whatsapp_backup/\"\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> pull\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /sdcard/whatsapp_backup/\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch2 id=\"fall-2-android-backup-analyse\">Fall 2: Android Backup-Analyse\u003C/h2>\n\u003Ch3 id=\"vollständiges-backup-erstellen\">Vollständiges Backup erstellen\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Umfassendes Backup (ohne Root)\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> backup\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -all\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -system\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -apk\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -shared\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -f\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> backup.ab\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Backup entschlüsseln (falls verschlüsselt)\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">java\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -jar\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> abe.jar\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> unpack\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> backup.ab\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> backup.tar\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">tar\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -xf\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> backup.tar\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"backup-mit-aleapp-analysieren\">Backup mit ALEAPP analysieren\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">python3\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> aleappGUI.py\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Oder Command-Line\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">python3\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> aleapp.py\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -t\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> tar\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -i\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> backup.tar\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -o\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> output_folder\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch2 id=\"fall-3-mvt-kompromittierungsanalyse\">Fall 3: MVT Kompromittierungsanalyse\u003C/h2>\n\u003Ch3 id=\"live-geräteanalyse\">Live-Geräteanalyse\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># ADB-basierte Analyse\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">mvt-android\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> check-adb\u003C/span>\u003Cspan style=\"color:#79B8FF\"> --output\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /path/to/output/\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Backup-Analyse\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">mvt-android\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> check-backup\u003C/span>\u003Cspan style=\"color:#79B8FF\"> --output\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /path/to/output/\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> backup.ab\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"ioc-suche-mit-pegasus-indikatoren\">IOC-Suche mit Pegasus-Indikatoren\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Mit vorgefertigten IOCs\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">mvt-android\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> check-adb\u003C/span>\u003Cspan style=\"color:#79B8FF\"> --iocs\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /path/to/pegasus.stix2\u003C/span>\u003Cspan style=\"color:#79B8FF\"> --output\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> results/\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch2 id=\"fall-4-physische-extraktion-root-erforderlich\">Fall 4: Physische Extraktion (Root erforderlich)\u003C/h2>\n\u003Ch3 id=\"device-rooting---mediatek-geräte\">Device Rooting - MediaTek Geräte\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># MTKClient für MediaTek-Chipsets\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">git\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> clone\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> https://github.com/bkerler/mtkclient.git\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#79B8FF\">cd\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> mtkclient\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">python3\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> mtk\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> payload\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Nach erfolgreichem Root\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> shell\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> su\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"vollständiges-memory-dump\">Vollständiges Memory Dump\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Partitionslayout ermitteln\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> shell\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> su\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -c\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> \"cat /proc/partitions\"\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> shell\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> su\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -c\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> \"ls -la /dev/block/\"\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Vollständiges Device Image (Root erforderlich)\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> shell\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> su\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -c\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> \"dd if=/dev/block/mmcblk0 of=/sdcard/full_device.img bs=4096\"\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> pull\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /sdcard/full_device.img\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch1 id=\"best-practices\">Best Practices\u003C/h1>\n\u003Ch2 id=\"rechtliche-compliance\">Rechtliche Compliance\u003C/h2>\n\u003Ch3 id=\"dokumentation-und-chain-of-custody\">Dokumentation und Chain of Custody\u003C/h3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Vollständige Dokumentation\u003C/strong>: Wer, Was, Wann, Wo, Warum\u003C/li>\n\u003Cli>\u003Cstrong>Hash-Verifikation\u003C/strong>: MD5/SHA-256 für alle extrahierten Daten\u003C/li>\n\u003Cli>\u003Cstrong>Nur forensische Kopien analysieren\u003C/strong>, niemals Originaldaten\u003C/li>\n\u003Cli>\u003Cstrong>Schriftliche Genehmigung\u003C/strong> für Geräteanalyse einholen\u003C/li>\n\u003C/ul>\n\u003Ch3 id=\"familiengeräte-und-nachlässe\">Familiengeräte und Nachlässe\u003C/h3>\n\u003Cul>\n\u003Cli>Genehmigung durch Nachlassverwalter erforderlich\u003C/li>\n\u003Cli>Gerichtsbeschlüsse für Cloud-Zugang eventuell nötig\u003C/li>\n\u003Cli>Drittpartei-Kommunikation kann weiterhin geschützt sein\u003C/li>\n\u003C/ul>\n\u003Ch2 id=\"technische-best-practices\">Technische Best Practices\u003C/h2>\n\u003Ch3 id=\"hash-integrität-sicherstellen\">Hash-Integrität sicherstellen\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Hash vor und nach Transfer prüfen\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">md5sum\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> original_file.db\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">sha256sum\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> original_file.db\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Hash-Verifikation dokumentieren\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#79B8FF\">echo\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> \"$(\u003C/span>\u003Cspan style=\"color:#B392F0\">date\u003C/span>\u003Cspan style=\"color:#9ECBFF\">): MD5: $(\u003C/span>\u003Cspan style=\"color:#B392F0\">md5sum\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> file.db)\"\u003C/span>\u003Cspan style=\"color:#F97583\"> >>\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> chain_of_custody.log\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"sichere-arbeitsumgebung\">Sichere Arbeitsumgebung\u003C/h3>\n\u003Cul>\n\u003Cli>Isolierte VM für Forensik-Arbeit\u003C/li>\n\u003Cli>Netzwerk-Isolation während Analyse\u003C/li>\n\u003Cli>Verschlüsselte Speicherung aller Evidenz\u003C/li>\n\u003Cli>Regelmäßige Backups der Case-Datenbanken\u003C/li>\n\u003C/ul>\n\u003Ch3 id=\"qualitätssicherung\">Qualitätssicherung\u003C/h3>\n\u003Cul>\n\u003Cli>Peer-Review kritischer Analysen\u003C/li>\n\u003Cli>Standardisierte Arbeitsabläufe (SOPs)\u003C/li>\n\u003Cli>Regelmäßige Tool-Validierung\u003C/li>\n\u003Cli>Kontinuierliche Weiterbildung\u003C/li>\n\u003C/ul>\n\u003Ch2 id=\"erfolgsmaximierung-nach-gerätehersteller\">Erfolgsmaximierung nach Gerätehersteller\u003C/h2>\n\u003Ch3 id=\"mediatek-geräte-höchste-erfolgsrate\">MediaTek-Geräte (Höchste Erfolgsrate)\u003C/h3>\n\u003Cul>\n\u003Cli>BootROM-Exploits für MT6735, MT6737, MT6750, MT6753, MT6797\u003C/li>\n\u003Cli>MTKClient für Hardware-Level-Zugang\u003C/li>\n\u003Cli>Erfolgsrate: 80%+ für Geräte 2015-2019\u003C/li>\n\u003C/ul>\n\u003Ch3 id=\"samsung-geräte\">Samsung-Geräte\u003C/h3>\n\u003Cul>\n\u003Cli>Ältere Knox-Implementierungen umgehbar\u003C/li>\n\u003Cli>Emergency Dialer Exploits für Android 4.x\u003C/li>\n\u003Cli>Erfolgsrate: 40-70% je nach Knox-Version\u003C/li>\n\u003C/ul>\n\u003Ch3 id=\"pixelnexus-geräte\">Pixel/Nexus-Geräte\u003C/h3>\n\u003Cul>\n\u003Cli>Bootloader-Unlocking oft möglich\u003C/li>\n\u003Cli>Fastboot-basierte Recovery-Installation\u003C/li>\n\u003Cli>Erfolgsrate: 60-80% bei freigeschaltetem Bootloader\u003C/li>\n\u003C/ul>\n\u003Ch1 id=\"troubleshooting\">Troubleshooting\u003C/h1>\n\u003Ch2 id=\"problem-adb-erkennt-gerät-nicht\">Problem: ADB erkennt Gerät nicht\u003C/h2>\n\u003Ch3 id=\"lösung-usb-treiber-und-berechtigungen\">Lösung: USB-Treiber und Berechtigungen\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Linux: USB-Berechtigungen prüfen\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">lsusb\u003C/span>\u003Cspan style=\"color:#F97583\"> |\u003C/span>\u003Cspan style=\"color:#B392F0\"> grep\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -i\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> android\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">sudo\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> chmod\u003C/span>\u003Cspan style=\"color:#79B8FF\"> 666\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /dev/bus/usb/XXX/XXX\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># udev-Regeln erstellen\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#79B8FF\">echo\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> 'SUBSYSTEM==\"usb\", ATTR{idVendor}==\"18d1\", MODE=\"0666\", GROUP=\"plugdev\"'\u003C/span>\u003Cspan style=\"color:#F97583\"> |\u003C/span>\u003Cspan style=\"color:#B392F0\"> sudo\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> tee\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /etc/udev/rules.d/51-android.rules\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">sudo\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> udevadm\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> control\u003C/span>\u003Cspan style=\"color:#79B8FF\"> --reload-rules\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"windows-treiber-installation\">Windows: Treiber-Installation\u003C/h3>\n\u003Col>\n\u003Cli>Geräte-Manager öffnen\u003C/li>\n\u003Cli>Android-Gerät mit Warnsymbol finden\u003C/li>\n\u003Cli>Treiber manuell installieren (Android USB Driver)\u003C/li>\n\u003C/ol>\n\u003Ch2 id=\"problem-verschlüsselte-android-backups\">Problem: Verschlüsselte Android Backups\u003C/h2>\n\u003Ch3 id=\"lösung-android-backup-extractor\">Lösung: Android Backup Extractor\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># ADB Backup Extractor installieren\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">git\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> clone\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> https://github.com/nelenkov/android-backup-extractor.git\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#79B8FF\">cd\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> android-backup-extractor\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">gradle\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> build\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Backup entschlüsseln\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">java\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -jar\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> abe.jar\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> unpack\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> backup.ab\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> backup.tar\u003C/span>\u003Cspan style=\"color:#E1E4E8\"> [password]\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch2 id=\"problem-unzureichende-berechtigungen-für-datenextraktion\">Problem: Unzureichende Berechtigungen für Datenextraktion\u003C/h2>\n\u003Ch3 id=\"lösung-alternative-extraktionsmethoden\">Lösung: Alternative Extraktionsmethoden\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># AFLogical OSE für begrenzte Extraktion ohne Root\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># WhatsApp Key/DB Extractor für spezifische Apps\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Backup-basierte Extraktion als Fallback\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Custom Recovery für erweiterten Zugang\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">fastboot\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> flash\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> recovery\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> twrp-device.img\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch2 id=\"problem-aleapp-parsing-fehler\">Problem: ALEAPP Parsing-Fehler\u003C/h2>\n\u003Ch3 id=\"lösung-datenformat-probleme-beheben\">Lösung: Datenformat-Probleme beheben\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Log-Dateien prüfen\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">python3\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> aleapp.py\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -t\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> dir\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -i\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /path/to/data\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -o\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> output\u003C/span>\u003Cspan style=\"color:#79B8FF\"> --debug\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Spezifische Parser deaktivieren\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Manuelle SQLite-Analyse bei Parser-Fehlern\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">sqlite3\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> database.db\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> \".tables\"\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">sqlite3\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> database.db\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> \".schema table_name\"\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch1 id=\"erweiterte-techniken\">Erweiterte Techniken\u003C/h1>\n\u003Ch2 id=\"memory-forensics-mit-lime\">Memory Forensics mit LiME\u003C/h2>\n\u003Ch3 id=\"lime-für-arm-devices-kompilieren\">LiME für ARM-Devices kompilieren\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Cross-Compilation Setup\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#F97583\">export\u003C/span>\u003Cspan style=\"color:#E1E4E8\"> ARCH\u003C/span>\u003Cspan style=\"color:#F97583\">=\u003C/span>\u003Cspan style=\"color:#E1E4E8\">arm\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#F97583\">export\u003C/span>\u003Cspan style=\"color:#E1E4E8\"> CROSS_COMPILE\u003C/span>\u003Cspan style=\"color:#F97583\">=\u003C/span>\u003Cspan style=\"color:#E1E4E8\">arm-linux-gnueabi-\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#F97583\">export\u003C/span>\u003Cspan style=\"color:#E1E4E8\"> KERNEL_DIR\u003C/span>\u003Cspan style=\"color:#F97583\">=\u003C/span>\u003Cspan style=\"color:#E1E4E8\">/path/to/kernel/source\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># LiME Module kompilieren\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">git\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> clone\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> https://github.com/504ensicsLabs/LiME.git\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#79B8FF\">cd\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> LiME/src\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">make\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Memory Dump erstellen (Root erforderlich)\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> push\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> lime.ko\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /data/local/tmp/\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> shell\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> su\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -c\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> \"insmod /data/local/tmp/lime.ko 'path=/sdcard/memory.lime format=lime'\"\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"volatility-analyse-von-android-memory\">Volatility-Analyse von Android Memory\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Memory Dump analysieren\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">python\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> vol.py\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -f\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> memory.lime\u003C/span>\u003Cspan style=\"color:#79B8FF\"> --profile=Linux\u003C/span>\u003Cspan style=\"color:#F97583\"> <\u003C/span>\u003Cspan style=\"color:#9ECBFF\">profil\u003C/span>\u003Cspan style=\"color:#E1E4E8\">e\u003C/span>\u003Cspan style=\"color:#F97583\">>\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> linux.pslist\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">python\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> vol.py\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -f\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> memory.lime\u003C/span>\u003Cspan style=\"color:#79B8FF\"> --profile=Linux\u003C/span>\u003Cspan style=\"color:#F97583\"> <\u003C/span>\u003Cspan style=\"color:#9ECBFF\">profil\u003C/span>\u003Cspan style=\"color:#E1E4E8\">e\u003C/span>\u003Cspan style=\"color:#F97583\">>\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> linux.bash\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">python\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> vol.py\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -f\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> memory.lime\u003C/span>\u003Cspan style=\"color:#79B8FF\"> --profile=Linux\u003C/span>\u003Cspan style=\"color:#F97583\"> <\u003C/span>\u003Cspan style=\"color:#9ECBFF\">profil\u003C/span>\u003Cspan style=\"color:#E1E4E8\">e\u003C/span>\u003Cspan style=\"color:#F97583\">>\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> linux.netstat\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch2 id=\"frida-basierte-runtime-analyse\">FRIDA-basierte Runtime-Analyse\u003C/h2>\n\u003Ch3 id=\"frida-für-kryptographie-hooks\">FRIDA für Kryptographie-Hooks\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"javascript\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\">// crypto_hooks.js - SSL/TLS Traffic abfangen\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#E1E4E8\">Java.\u003C/span>\u003Cspan style=\"color:#B392F0\">perform\u003C/span>\u003Cspan style=\"color:#E1E4E8\">(\u003C/span>\u003Cspan style=\"color:#F97583\">function\u003C/span>\u003Cspan style=\"color:#E1E4E8\">() {\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#F97583\">    var\u003C/span>\u003Cspan style=\"color:#E1E4E8\"> SSLContext \u003C/span>\u003Cspan style=\"color:#F97583\">=\u003C/span>\u003Cspan style=\"color:#E1E4E8\"> Java.\u003C/span>\u003Cspan style=\"color:#B392F0\">use\u003C/span>\u003Cspan style=\"color:#E1E4E8\">(\u003C/span>\u003Cspan style=\"color:#9ECBFF\">\"javax.net.ssl.SSLContext\"\u003C/span>\u003Cspan style=\"color:#E1E4E8\">);\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#E1E4E8\">    SSLContext.init.\u003C/span>\u003Cspan style=\"color:#B392F0\">overload\u003C/span>\u003Cspan style=\"color:#E1E4E8\">(\u003C/span>\u003Cspan style=\"color:#9ECBFF\">'[Ljavax.net.ssl.KeyManager;'\u003C/span>\u003Cspan style=\"color:#E1E4E8\">, \u003C/span>\u003Cspan style=\"color:#9ECBFF\">'[Ljavax.net.ssl.TrustManager;'\u003C/span>\u003Cspan style=\"color:#E1E4E8\">, \u003C/span>\u003Cspan style=\"color:#9ECBFF\">'java.security.SecureRandom'\u003C/span>\u003Cspan style=\"color:#E1E4E8\">).\u003C/span>\u003Cspan style=\"color:#B392F0\">implementation\u003C/span>\u003Cspan style=\"color:#F97583\"> =\u003C/span>\u003Cspan style=\"color:#F97583\"> function\u003C/span>\u003Cspan style=\"color:#E1E4E8\">(\u003C/span>\u003Cspan style=\"color:#FFAB70\">keyManagers\u003C/span>\u003Cspan style=\"color:#E1E4E8\">, \u003C/span>\u003Cspan style=\"color:#FFAB70\">trustManagers\u003C/span>\u003Cspan style=\"color:#E1E4E8\">, \u003C/span>\u003Cspan style=\"color:#FFAB70\">secureRandom\u003C/span>\u003Cspan style=\"color:#E1E4E8\">) {\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#E1E4E8\">        console.\u003C/span>\u003Cspan style=\"color:#B392F0\">log\u003C/span>\u003Cspan style=\"color:#E1E4E8\">(\u003C/span>\u003Cspan style=\"color:#9ECBFF\">\"[+] SSLContext.init() called\"\u003C/span>\u003Cspan style=\"color:#E1E4E8\">);\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#79B8FF\">        this\u003C/span>\u003Cspan style=\"color:#E1E4E8\">.\u003C/span>\u003Cspan style=\"color:#B392F0\">init\u003C/span>\u003Cspan style=\"color:#E1E4E8\">(keyManagers, trustManagers, secureRandom);\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#E1E4E8\">    };\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#E1E4E8\">});\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"frida-installation-und-verwendung\">FRIDA Installation und Verwendung\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># FRIDA Server auf Android-Gerät installieren\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> push\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> frida-server\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /data/local/tmp/\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> shell\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> su\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -c\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> \"chmod 755 /data/local/tmp/frida-server\"\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> shell\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> su\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -c\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> \"/data/local/tmp/frida-server &\"\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Script ausführen\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">frida\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -U\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -l\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> crypto_hooks.js\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> com.target.package\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch2 id=\"custom-recovery-und-fastboot-exploits\">Custom Recovery und Fastboot-Exploits\u003C/h2>\n\u003Ch3 id=\"twrp-installation-für-forensischen-zugang\">TWRP Installation für forensischen Zugang\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Bootloader entsperren (Herstellerabhängig)\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">fastboot\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> oem\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> unlock\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Oder\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">fastboot\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> flashing\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> unlock\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># TWRP flashen\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">fastboot\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> flash\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> recovery\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> twrp-device.img\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">fastboot\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> boot\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> twrp-device.img\u003C/span>\u003Cspan style=\"color:#6A737D\">  # Temporäre Installation\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># In TWRP: ADB-Zugang mit Root-Berechtigungen\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> shell\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> mount\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /system\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> shell\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> mount\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /data\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"partitions-imaging-mit-dd\">Partitions-Imaging mit dd\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Vollständige Partition-Liste\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> shell\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> cat\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /proc/partitions\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Kritische Partitionen extrahieren\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> shell\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> dd\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> if=/dev/block/bootdevice/by-name/system\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> of=/external_sd/system.img\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> shell\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> dd\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> if=/dev/block/bootdevice/by-name/userdata\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> of=/external_sd/userdata.img\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">adb\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> shell\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> dd\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> if=/dev/block/bootdevice/by-name/boot\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> of=/external_sd/boot.img\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch2 id=\"sqlite-forensics-und-gelöschte-daten\">SQLite Forensics und gelöschte Daten\u003C/h2>\n\u003Ch3 id=\"erweiterte-sqlite-analyse\">Erweiterte SQLite-Analyse\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Freelist-Analyse für gelöschte Einträge\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">sqlite3\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> database.db\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> \"PRAGMA freelist_count;\"\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">sqlite3\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> database.db\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> \"PRAGMA page_size;\"\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># WAL-Datei Analyse\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">sqlite3\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> database.db\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> \"PRAGMA wal_checkpoint;\"\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">strings\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> database.db-wal\u003C/span>\u003Cspan style=\"color:#F97583\"> |\u003C/span>\u003Cspan style=\"color:#B392F0\"> grep\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -i\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> \"search_term\"\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Undark für Deleted Record Recovery\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">undark\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> database.db\u003C/span>\u003Cspan style=\"color:#79B8FF\"> --freelist\u003C/span>\u003Cspan style=\"color:#79B8FF\"> --export-csv\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"timeline-rekonstruktion\">Timeline-Rekonstruktion\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Autopsy Timeline-Generierung\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Tools → Generate Timeline\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Analyse von MAC-Times (Modified, Accessed, Created)\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#6A737D\"># Plaso Timeline-Tools\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">log2timeline.py\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> timeline.plaso\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /path/to/android/data/\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">psort.py\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -o\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> dynamic\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> timeline.plaso\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch2 id=\"weiterführende-ressourcen\">Weiterführende Ressourcen\u003C/h2>\n\u003Ch3 id=\"dokumentation-und-standards\">Dokumentation und Standards\u003C/h3>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https://csrc.nist.gov/pubs/sp/800/101/r1/final\">NIST SP 800-101 Rev. 1 - Mobile Device Forensics Guidelines\u003C/a>\u003C/li>\n\u003Cli>\u003Ca href=\"https://www.sans.org/cyber-security-courses/advanced-smartphone-mobile-device-forensics/\">SANS FOR585 - Smartphone Forensics\u003C/a>\u003C/li>\n\u003Cli>\u003Ca href=\"https://github.com/abrignoni/ALEAPP\">ALEAPP GitHub Repository\u003C/a>\u003C/li>\n\u003Cli>\u003Ca href=\"https://docs.mvt.re/en/latest/\">MVT Documentation\u003C/a>\u003C/li>\n\u003C/ul>\n\u003Ch3 id=\"community-und-weiterbildung\">Community und Weiterbildung\u003C/h3>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https://sleuthkit.org/autopsy/docs/\">Autopsy User Documentation\u003C/a>\u003C/li>\n\u003Cli>\u003Ca href=\"https://github.com/impillar/AndroidReferences/blob/master/AndroidTools.md\">Android Forensics References\u003C/a>\u003C/li>\n\u003Cli>\u003Ca href=\"https://github.com/mesquidar/ForensicsTools\">Digital Forensics Framework Collection\u003C/a>\u003C/li>\n\u003C/ul>\n\u003Ch3 id=\"spezialisierte-tools\">Spezialisierte Tools\u003C/h3>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https://github.com/bkerler/mtkclient\">MTKClient für MediaTek Exploits\u003C/a>\u003C/li>\n\u003Cli>\u003Ca href=\"https://github.com/nowsecure/android-forensics\">Android Forensics Framework\u003C/a>\u003C/li>\n\u003Cli>\u003Ca href=\"https://santoku-linux.com/\">Santoku Linux Mobile Forensics Distribution\u003C/a>\u003C/li>\n\u003C/ul>\n\u003Chr>\n\u003Cp>\u003Cstrong>Wichtiger Hinweis\u003C/strong>: Diese Anleitung dient ausschließlich für autorisierte forensische Untersuchungen. Stellen Sie sicher, dass Sie über entsprechende rechtliche Befugnisse verfügen, bevor Sie diese Techniken anwenden. Bei Zweifeln konsultieren Sie Rechtsberatung.\u003C/p>",{"headings":309,"localImagePaths":531,"remoteImagePaths":532,"frontmatter":290,"imagePaths":533},[310,311,314,317,318,321,324,326,329,332,335,338,341,344,347,350,351,354,357,360,363,366,369,372,375,378,379,382,385,388,391,394,397,400,403,406,409,412,415,418,419,422,425,428,431,434,437,440,443,446,449,452,453,456,459,462,465,468,471,474,477,480,483,486,489,492,495,498,501,504,507,510,513,516,519,522,525,528],{"depth":43,"slug":44,"text":45},{"depth":47,"slug":312,"text":313},"kernkomponenten-des-open-source-forensik-stacks","Kernkomponenten des Open-Source Forensik-Stacks",{"depth":47,"slug":315,"text":316},"erfolgsraten-nach-gerätealter","Erfolgsraten nach Gerätealter",{"depth":43,"slug":48,"text":49},{"depth":47,"slug":319,"text":320},"sift-workstation-setup","SIFT Workstation Setup",{"depth":51,"slug":322,"text":323},"systemanforderungen","Systemanforderungen",{"depth":51,"slug":325,"text":49},"installation-1",{"depth":47,"slug":327,"text":328},"autopsy-installation","Autopsy Installation",{"depth":51,"slug":330,"text":331},"windows-installation","Windows Installation",{"depth":51,"slug":333,"text":334},"linux-installation","Linux Installation",{"depth":47,"slug":336,"text":337},"essential-tools-installation","Essential Tools Installation",{"depth":51,"slug":339,"text":340},"android-debug-bridge-adb","Android Debug Bridge (ADB)",{"depth":51,"slug":342,"text":343},"aleapp-installation","ALEAPP Installation",{"depth":51,"slug":345,"text":346},"mobile-verification-toolkit-mvt","Mobile Verification Toolkit (MVT)",{"depth":51,"slug":348,"text":349},"andriller-installation","Andriller Installation",{"depth":43,"slug":58,"text":59},{"depth":47,"slug":352,"text":353},"adb-setup-und-gerätevorbereitung","ADB Setup und Gerätevorbereitung",{"depth":51,"slug":355,"text":356},"usb-debugging-aktivieren","USB-Debugging aktivieren",{"depth":51,"slug":358,"text":359},"adb-verbindung-testen","ADB Verbindung testen",{"depth":47,"slug":361,"text":362},"autopsy-projektkonfiguration","Autopsy Projektkonfiguration",{"depth":51,"slug":364,"text":365},"case-setup","Case-Setup",{"depth":51,"slug":367,"text":368},"android-analyzer-module-aktivieren","Android Analyzer Module aktivieren",{"depth":51,"slug":370,"text":371},"hash-algorithmen-konfigurieren","Hash-Algorithmen konfigurieren",{"depth":47,"slug":373,"text":374},"mvt-konfiguration","MVT Konfiguration",{"depth":51,"slug":376,"text":377},"konfigurationsdatei-erstellen","Konfigurationsdatei erstellen",{"depth":43,"slug":70,"text":71},{"depth":47,"slug":380,"text":381},"fall-1-logische-datenextraktion-mit-adb","Fall 1: Logische Datenextraktion mit ADB",{"depth":51,"slug":383,"text":384},"geräteinformationen-sammeln","Geräteinformationen sammeln",{"depth":51,"slug":386,"text":387},"datenbank-extraktion","Datenbank-Extraktion",{"depth":51,"slug":389,"text":390},"whatsapp-datenextraktion","WhatsApp Datenextraktion",{"depth":47,"slug":392,"text":393},"fall-2-android-backup-analyse","Fall 2: Android Backup-Analyse",{"depth":51,"slug":395,"text":396},"vollständiges-backup-erstellen","Vollständiges Backup erstellen",{"depth":51,"slug":398,"text":399},"backup-mit-aleapp-analysieren","Backup mit ALEAPP analysieren",{"depth":47,"slug":401,"text":402},"fall-3-mvt-kompromittierungsanalyse","Fall 3: MVT Kompromittierungsanalyse",{"depth":51,"slug":404,"text":405},"live-geräteanalyse","Live-Geräteanalyse",{"depth":51,"slug":407,"text":408},"ioc-suche-mit-pegasus-indikatoren","IOC-Suche mit Pegasus-Indikatoren",{"depth":47,"slug":410,"text":411},"fall-4-physische-extraktion-root-erforderlich","Fall 4: Physische Extraktion (Root erforderlich)",{"depth":51,"slug":413,"text":414},"device-rooting---mediatek-geräte","Device Rooting - MediaTek Geräte",{"depth":51,"slug":416,"text":417},"vollständiges-memory-dump","Vollständiges Memory Dump",{"depth":43,"slug":79,"text":80},{"depth":47,"slug":420,"text":421},"rechtliche-compliance","Rechtliche Compliance",{"depth":51,"slug":423,"text":424},"dokumentation-und-chain-of-custody","Dokumentation und Chain of Custody",{"depth":51,"slug":426,"text":427},"familiengeräte-und-nachlässe","Familiengeräte und Nachlässe",{"depth":47,"slug":429,"text":430},"technische-best-practices","Technische Best Practices",{"depth":51,"slug":432,"text":433},"hash-integrität-sicherstellen","Hash-Integrität sicherstellen",{"depth":51,"slug":435,"text":436},"sichere-arbeitsumgebung","Sichere Arbeitsumgebung",{"depth":51,"slug":438,"text":439},"qualitätssicherung","Qualitätssicherung",{"depth":47,"slug":441,"text":442},"erfolgsmaximierung-nach-gerätehersteller","Erfolgsmaximierung nach Gerätehersteller",{"depth":51,"slug":444,"text":445},"mediatek-geräte-höchste-erfolgsrate","MediaTek-Geräte (Höchste Erfolgsrate)",{"depth":51,"slug":447,"text":448},"samsung-geräte","Samsung-Geräte",{"depth":51,"slug":450,"text":451},"pixelnexus-geräte","Pixel/Nexus-Geräte",{"depth":43,"slug":82,"text":83},{"depth":47,"slug":454,"text":455},"problem-adb-erkennt-gerät-nicht","Problem: ADB erkennt Gerät nicht",{"depth":51,"slug":457,"text":458},"lösung-usb-treiber-und-berechtigungen","Lösung: USB-Treiber und Berechtigungen",{"depth":51,"slug":460,"text":461},"windows-treiber-installation","Windows: Treiber-Installation",{"depth":47,"slug":463,"text":464},"problem-verschlüsselte-android-backups","Problem: Verschlüsselte Android Backups",{"depth":51,"slug":466,"text":467},"lösung-android-backup-extractor","Lösung: Android Backup Extractor",{"depth":47,"slug":469,"text":470},"problem-unzureichende-berechtigungen-für-datenextraktion","Problem: Unzureichende Berechtigungen für Datenextraktion",{"depth":51,"slug":472,"text":473},"lösung-alternative-extraktionsmethoden","Lösung: Alternative Extraktionsmethoden",{"depth":47,"slug":475,"text":476},"problem-aleapp-parsing-fehler","Problem: ALEAPP Parsing-Fehler",{"depth":51,"slug":478,"text":479},"lösung-datenformat-probleme-beheben","Lösung: Datenformat-Probleme beheben",{"depth":43,"slug":481,"text":482},"erweiterte-techniken","Erweiterte Techniken",{"depth":47,"slug":484,"text":485},"memory-forensics-mit-lime","Memory Forensics mit LiME",{"depth":51,"slug":487,"text":488},"lime-für-arm-devices-kompilieren","LiME für ARM-Devices kompilieren",{"depth":51,"slug":490,"text":491},"volatility-analyse-von-android-memory","Volatility-Analyse von Android Memory",{"depth":47,"slug":493,"text":494},"frida-basierte-runtime-analyse","FRIDA-basierte Runtime-Analyse",{"depth":51,"slug":496,"text":497},"frida-für-kryptographie-hooks","FRIDA für Kryptographie-Hooks",{"depth":51,"slug":499,"text":500},"frida-installation-und-verwendung","FRIDA Installation und Verwendung",{"depth":47,"slug":502,"text":503},"custom-recovery-und-fastboot-exploits","Custom Recovery und Fastboot-Exploits",{"depth":51,"slug":505,"text":506},"twrp-installation-für-forensischen-zugang","TWRP Installation für forensischen Zugang",{"depth":51,"slug":508,"text":509},"partitions-imaging-mit-dd","Partitions-Imaging mit dd",{"depth":47,"slug":511,"text":512},"sqlite-forensics-und-gelöschte-daten","SQLite Forensics und gelöschte Daten",{"depth":51,"slug":514,"text":515},"erweiterte-sqlite-analyse","Erweiterte SQLite-Analyse",{"depth":51,"slug":517,"text":518},"timeline-rekonstruktion","Timeline-Rekonstruktion",{"depth":47,"slug":520,"text":521},"weiterführende-ressourcen","Weiterführende Ressourcen",{"depth":51,"slug":523,"text":524},"dokumentation-und-standards","Dokumentation und Standards",{"depth":51,"slug":526,"text":527},"community-und-weiterbildung","Community und Weiterbildung",{"depth":51,"slug":529,"text":530},"spezialisierte-tools","Spezialisierte Tools",[],[],[],"android-logical-imaging.md","nextcloud",{"id":535,"data":537,"body":551,"filePath":552,"digest":553,"rendered":554,"legacyId":590},{"title":538,"tool_name":539,"description":540,"last_updated":541,"author":16,"difficulty":542,"categories":543,"tags":545,"sections":550,"review_status":34},"Nextcloud - Sichere Kollaborationsplattform","Nextcloud","Detaillierte Anleitung und Best Practices für Nextcloud in forensischen Einsatzszenarien",["Date","2025-07-20T00:00:00.000Z"],"novice",[544],"collaboration-general",[25,546,547,27,548,549],"collaboration","file-sharing","encryption","document-management",{"overview":32,"installation":32,"configuration":32,"usage_examples":32,"best_practices":32,"troubleshooting":32,"advanced_topics":33},"> **⚠️ Hinweis**: Dies ist ein vorläufiger, KI-generierter Knowledgebase-Eintrag. Wir freuen uns über Verbesserungen und Ergänzungen durch die Community!\n\n\n# Übersicht\n\nNextcloud ist eine Open-Source-Cloud-Suite, die speziell für die sichere Zusammenarbeit entwickelt wurde. Sie eignet sich ideal für forensische Teams, da sie eine DSGVO-konforme Umgebung mit verschlüsselter Dateiablage, Office-Integration und Videokonferenzen bereitstellt. Zusätzlich bietet Nextcloud einen integrierten SSO-Provider, der das Identitätsmanagement für andere forensische Tools stark vereinfacht.\n\nSkalierbar von kleinen Raspberry-Pi-Installationen bis hin zu hochverfügbaren Multi-Node-Setups.\n\n- **Website:** [nextcloud.com](https://nextcloud.com/)\n- **Demo/Projektinstanz:** [cloud.cc24.dev](https://cloud.cc24.dev)\n- **Statusseite:** [Mikoshi Status](https://status.mikoshi.de/api/badge/11/status)\n- **Lizenz:** AGPL-3.0\n\n---\n\n## Installation\n\n### Voraussetzungen\n\n- Linux-Server oder Raspberry Pi\n- PHP 8.1 oder höher\n- MariaDB/PostgreSQL\n- Webserver (Apache/Nginx)\n- SSL-Zertifikat (empfohlen: Let's Encrypt)\n\n### Installationsschritte (Ubuntu Beispiel)\n\n```bash\nsudo apt update && sudo apt upgrade\nsudo apt install apache2 mariadb-server libapache2-mod-php php php-mysql \\\n  php-gd php-xml php-mbstring php-curl php-zip php-intl php-bcmath unzip\n\nwget https://download.nextcloud.com/server/releases/latest.zip\nunzip latest.zip -d /var/www/\nchown -R www-data:www-data /var/www/nextcloud\n````\n\nDanach den Web-Installer im Browser aufrufen (`https://\u003Cyour-domain>/nextcloud`) und Setup abschließen.\n\n## Konfiguration\n\n* **Trusted Domains** in `config.php` definieren\n* SSO mit OpenID Connect aktivieren\n* Dateiverschlüsselung aktivieren (`Settings → Security`)\n* Benutzer und Gruppen über LDAP oder SAML integrieren\n\n## Verwendungsbeispiele\n\n### Gemeinsame Fallbearbeitung\n\n1. Ermittlungsordner als geteiltes Gruppenverzeichnis anlegen\n2. Versionierung und Kommentare zu forensischen Berichten aktivieren\n3. Vorschau für Office-Dateien, PDFs und Bilder direkt im Browser nutzen\n\n### Videokonferenzen mit \"Nextcloud Talk\"\n\n* Sichere Kommunikation zwischen Ermittlern und Sachverständigen\n* Ende-zu-Ende-verschlüsselt\n* Bildschirmfreigabe möglich\n\n### Automatischer Dateiimport per API\n\n* REST-Schnittstelle nutzen, um z. B. automatisch Logdateien oder Exportdaten hochzuladen\n* Ideal für Anbindung an SIEM, DLP oder Analyse-Pipelines\n\n## Best Practices\n\n* Zwei-Faktor-Authentifizierung aktivieren\n* Tägliche Backups der Datenbank und Datenstruktur\n* Nutzung von OnlyOffice oder Collabora für revisionssichere Dokumentenbearbeitung\n* Zugriff regelmäßig überprüfen, insbesondere bei externen Partnern\n\n## Troubleshooting\n\n### Problem: Langsame Performance\n\n**Lösung:** APCu aktivieren und Caching optimieren (`config.php → 'memcache.local'`).\n\n### Problem: Dateien erscheinen nicht im Sync\n\n**Lösung:** Cronjob für `files:scan` konfigurieren oder manuell ausführen:\n\n```bash\nsudo -u www-data php /var/www/nextcloud/occ files:scan --all\n```\n\n### Problem: Fehlermeldung \"Trusted domain not set\"\n\n**Lösung:** In `config/config.php` Eintrag `trusted_domains` korrekt konfigurieren:\n\n```php\n'trusted_domains' =>\n  array (\n    0 => 'yourdomain.tld',\n    1 => 'cloud.cc24.dev',\n  ),\n```\n\n## Weiterführende Themen\n\n* **Integration mit Forensik-Plattformen** (über WebDAV, API oder SSO)\n* **Custom Apps entwickeln** für spezielle Ermittlungs-Workflows\n* **Auditing aktivieren**: Nutzung und Änderungen nachvollziehen mit Protokollierungsfunktionen","src/content/knowledgebase/nextcloud.md","9294074e6083e37b",{"html":555,"metadata":556},"\u003Cblockquote>\n\u003Cp>\u003Cstrong>⚠️ Hinweis\u003C/strong>: Dies ist ein vorläufiger, KI-generierter Knowledgebase-Eintrag. Wir freuen uns über Verbesserungen und Ergänzungen durch die Community!\u003C/p>\n\u003C/blockquote>\n\u003Ch1 id=\"übersicht\">Übersicht\u003C/h1>\n\u003Cp>Nextcloud ist eine Open-Source-Cloud-Suite, die speziell für die sichere Zusammenarbeit entwickelt wurde. Sie eignet sich ideal für forensische Teams, da sie eine DSGVO-konforme Umgebung mit verschlüsselter Dateiablage, Office-Integration und Videokonferenzen bereitstellt. Zusätzlich bietet Nextcloud einen integrierten SSO-Provider, der das Identitätsmanagement für andere forensische Tools stark vereinfacht.\u003C/p>\n\u003Cp>Skalierbar von kleinen Raspberry-Pi-Installationen bis hin zu hochverfügbaren Multi-Node-Setups.\u003C/p>\n\u003Cul>\n\u003Cli>\u003Cstrong>Website:\u003C/strong> \u003Ca href=\"https://nextcloud.com/\">nextcloud.com\u003C/a>\u003C/li>\n\u003Cli>\u003Cstrong>Demo/Projektinstanz:\u003C/strong> \u003Ca href=\"https://cloud.cc24.dev\">cloud.cc24.dev\u003C/a>\u003C/li>\n\u003Cli>\u003Cstrong>Statusseite:\u003C/strong> \u003Ca href=\"https://status.mikoshi.de/api/badge/11/status\">Mikoshi Status\u003C/a>\u003C/li>\n\u003Cli>\u003Cstrong>Lizenz:\u003C/strong> AGPL-3.0\u003C/li>\n\u003C/ul>\n\u003Chr>\n\u003Ch2 id=\"installation\">Installation\u003C/h2>\n\u003Ch3 id=\"voraussetzungen\">Voraussetzungen\u003C/h3>\n\u003Cul>\n\u003Cli>Linux-Server oder Raspberry Pi\u003C/li>\n\u003Cli>PHP 8.1 oder höher\u003C/li>\n\u003Cli>MariaDB/PostgreSQL\u003C/li>\n\u003Cli>Webserver (Apache/Nginx)\u003C/li>\n\u003Cli>SSL-Zertifikat (empfohlen: Let’s Encrypt)\u003C/li>\n\u003C/ul>\n\u003Ch3 id=\"installationsschritte-ubuntu-beispiel\">Installationsschritte (Ubuntu Beispiel)\u003C/h3>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">sudo\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> apt\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> update\u003C/span>\u003Cspan style=\"color:#E1E4E8\"> && \u003C/span>\u003Cspan style=\"color:#B392F0\">sudo\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> apt\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> upgrade\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">sudo\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> apt\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> install\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> apache2\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> mariadb-server\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> libapache2-mod-php\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> php\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> php-mysql\u003C/span>\u003Cspan style=\"color:#79B8FF\"> \\\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#9ECBFF\">  php-gd\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> php-xml\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> php-mbstring\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> php-curl\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> php-zip\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> php-intl\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> php-bcmath\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> unzip\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">wget\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> https://download.nextcloud.com/server/releases/latest.zip\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">unzip\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> latest.zip\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -d\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /var/www/\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">chown\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -R\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> www-data:www-data\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /var/www/nextcloud\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Cp>Danach den Web-Installer im Browser aufrufen (\u003Ccode>https://<your-domain>/nextcloud\u003C/code>) und Setup abschließen.\u003C/p>\n\u003Ch2 id=\"konfiguration\">Konfiguration\u003C/h2>\n\u003Cul>\n\u003Cli>\u003Cstrong>Trusted Domains\u003C/strong> in \u003Ccode>config.php\u003C/code> definieren\u003C/li>\n\u003Cli>SSO mit OpenID Connect aktivieren\u003C/li>\n\u003Cli>Dateiverschlüsselung aktivieren (\u003Ccode>Settings → Security\u003C/code>)\u003C/li>\n\u003Cli>Benutzer und Gruppen über LDAP oder SAML integrieren\u003C/li>\n\u003C/ul>\n\u003Ch2 id=\"verwendungsbeispiele\">Verwendungsbeispiele\u003C/h2>\n\u003Ch3 id=\"gemeinsame-fallbearbeitung\">Gemeinsame Fallbearbeitung\u003C/h3>\n\u003Col>\n\u003Cli>Ermittlungsordner als geteiltes Gruppenverzeichnis anlegen\u003C/li>\n\u003Cli>Versionierung und Kommentare zu forensischen Berichten aktivieren\u003C/li>\n\u003Cli>Vorschau für Office-Dateien, PDFs und Bilder direkt im Browser nutzen\u003C/li>\n\u003C/ol>\n\u003Ch3 id=\"videokonferenzen-mit-nextcloud-talk\">Videokonferenzen mit “Nextcloud Talk”\u003C/h3>\n\u003Cul>\n\u003Cli>Sichere Kommunikation zwischen Ermittlern und Sachverständigen\u003C/li>\n\u003Cli>Ende-zu-Ende-verschlüsselt\u003C/li>\n\u003Cli>Bildschirmfreigabe möglich\u003C/li>\n\u003C/ul>\n\u003Ch3 id=\"automatischer-dateiimport-per-api\">Automatischer Dateiimport per API\u003C/h3>\n\u003Cul>\n\u003Cli>REST-Schnittstelle nutzen, um z. B. automatisch Logdateien oder Exportdaten hochzuladen\u003C/li>\n\u003Cli>Ideal für Anbindung an SIEM, DLP oder Analyse-Pipelines\u003C/li>\n\u003C/ul>\n\u003Ch2 id=\"best-practices\">Best Practices\u003C/h2>\n\u003Cul>\n\u003Cli>Zwei-Faktor-Authentifizierung aktivieren\u003C/li>\n\u003Cli>Tägliche Backups der Datenbank und Datenstruktur\u003C/li>\n\u003Cli>Nutzung von OnlyOffice oder Collabora für revisionssichere Dokumentenbearbeitung\u003C/li>\n\u003Cli>Zugriff regelmäßig überprüfen, insbesondere bei externen Partnern\u003C/li>\n\u003C/ul>\n\u003Ch2 id=\"troubleshooting\">Troubleshooting\u003C/h2>\n\u003Ch3 id=\"problem-langsame-performance\">Problem: Langsame Performance\u003C/h3>\n\u003Cp>\u003Cstrong>Lösung:\u003C/strong> APCu aktivieren und Caching optimieren (\u003Ccode>config.php → 'memcache.local'\u003C/code>).\u003C/p>\n\u003Ch3 id=\"problem-dateien-erscheinen-nicht-im-sync\">Problem: Dateien erscheinen nicht im Sync\u003C/h3>\n\u003Cp>\u003Cstrong>Lösung:\u003C/strong> Cronjob für \u003Ccode>files:scan\u003C/code> konfigurieren oder manuell ausführen:\u003C/p>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#B392F0\">sudo\u003C/span>\u003Cspan style=\"color:#79B8FF\"> -u\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> www-data\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> php\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> /var/www/nextcloud/occ\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> files:scan\u003C/span>\u003Cspan style=\"color:#79B8FF\"> --all\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch3 id=\"problem-fehlermeldung-trusted-domain-not-set\">Problem: Fehlermeldung “Trusted domain not set”\u003C/h3>\n\u003Cp>\u003Cstrong>Lösung:\u003C/strong> In \u003Ccode>config/config.php\u003C/code> Eintrag \u003Ccode>trusted_domains\u003C/code> korrekt konfigurieren:\u003C/p>\n\u003Cpre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"php\">\u003Ccode>\u003Cspan class=\"line\">\u003Cspan style=\"color:#9ECBFF\">'trusted_domains'\u003C/span>\u003Cspan style=\"color:#F97583\"> =>\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#79B8FF\">  array\u003C/span>\u003Cspan style=\"color:#E1E4E8\"> (\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#79B8FF\">    0\u003C/span>\u003Cspan style=\"color:#F97583\"> =>\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> 'yourdomain.tld'\u003C/span>\u003Cspan style=\"color:#E1E4E8\">,\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#79B8FF\">    1\u003C/span>\u003Cspan style=\"color:#F97583\"> =>\u003C/span>\u003Cspan style=\"color:#9ECBFF\"> 'cloud.cc24.dev'\u003C/span>\u003Cspan style=\"color:#E1E4E8\">,\u003C/span>\u003C/span>\n\u003Cspan class=\"line\">\u003Cspan style=\"color:#E1E4E8\">  ),\u003C/span>\u003C/span>\u003C/code>\u003C/pre>\n\u003Ch2 id=\"weiterführende-themen\">Weiterführende Themen\u003C/h2>\n\u003Cul>\n\u003Cli>\u003Cstrong>Integration mit Forensik-Plattformen\u003C/strong> (über WebDAV, API oder SSO)\u003C/li>\n\u003Cli>\u003Cstrong>Custom Apps entwickeln\u003C/strong> für spezielle Ermittlungs-Workflows\u003C/li>\n\u003Cli>\u003Cstrong>Auditing aktivieren\u003C/strong>: Nutzung und Änderungen nachvollziehen mit Protokollierungsfunktionen\u003C/li>\n\u003C/ul>",{"headings":557,"localImagePaths":587,"remoteImagePaths":588,"frontmatter":537,"imagePaths":589},[558,559,560,561,564,565,566,569,572,575,576,577,580,583,586],{"depth":43,"slug":44,"text":45},{"depth":47,"slug":48,"text":49},{"depth":51,"slug":52,"text":53},{"depth":51,"slug":562,"text":563},"installationsschritte-ubuntu-beispiel","Installationsschritte (Ubuntu Beispiel)",{"depth":47,"slug":58,"text":59},{"depth":47,"slug":70,"text":71},{"depth":51,"slug":567,"text":568},"gemeinsame-fallbearbeitung","Gemeinsame Fallbearbeitung",{"depth":51,"slug":570,"text":571},"videokonferenzen-mit-nextcloud-talk","Videokonferenzen mit “Nextcloud Talk”",{"depth":51,"slug":573,"text":574},"automatischer-dateiimport-per-api","Automatischer Dateiimport per API",{"depth":47,"slug":79,"text":80},{"depth":47,"slug":82,"text":83},{"depth":51,"slug":578,"text":579},"problem-langsame-performance","Problem: Langsame Performance",{"depth":51,"slug":581,"text":582},"problem-dateien-erscheinen-nicht-im-sync","Problem: Dateien erscheinen nicht im Sync",{"depth":51,"slug":584,"text":585},"problem-fehlermeldung-trusted-domain-not-set","Problem: Fehlermeldung “Trusted domain not set”",{"depth":47,"slug":94,"text":95},[],[],[],"nextcloud.md"]
\ No newline at end of file
diff --git a/.env.example b/.env.example
index cf2ad4b..1814d9f 100644
--- a/.env.example
+++ b/.env.example
@@ -1,79 +1,257 @@
-# ===========================================
-# ForensicPathways Environment Configuration
-# ===========================================
+# ============================================================================
+# ForensicPathways Environment Configuration - COMPLETE
+# ============================================================================
+# Copy this file to .env and adjust the values below.
+# This file covers ALL environment variables used in the codebase.
 
-# === Authentication Configuration ===
+# ============================================================================
+# 1. CORE APPLICATION SETTINGS (REQUIRED)
+# ============================================================================
+
+# Your application's public URL (used for redirects and links)
+PUBLIC_BASE_URL=http://localhost:4321
+
+# Application environment
+NODE_ENV=development
+
+# Secret key for session encryption (CHANGE IN PRODUCTION!)
+AUTH_SECRET=your-secret-key-change-in-production-please
+
+# ============================================================================
+# 2. AI SERVICES CONFIGURATION (REQUIRED FOR AI FEATURES)
+# ============================================================================
+
+# Main AI Analysis Service (for query processing and recommendations)
+# Examples: http://localhost:11434 (Ollama), https://api.mistral.ai, https://api.openai.com
+AI_ANALYZER_ENDPOINT=https://api.mistral.ai/v1/chat/completions
+AI_ANALYZER_API_KEY=
+AI_ANALYZER_MODEL=mistral/mistral-small-latest
+
+# Vector Embeddings Service (for semantic search)
+# Leave API_KEY empty for Ollama, use actual key for cloud services
+AI_EMBEDDINGS_ENABLED=true
+AI_EMBEDDINGS_ENDPOINT=https://api.mistral.ai/v1/embeddings
+AI_EMBEDDINGS_API_KEY=
+AI_EMBEDDINGS_MODEL=mistral-embed
+
+# ============================================================================
+# 3. AI PIPELINE CONFIGURATION (CONTEXT & PERFORMANCE TUNING)
+# ============================================================================
+
+# === SIMILARITY SEARCH STAGE ===
+# How many similar tools/concepts embeddings search returns as candidates
+# 🔍 This is the FIRST filter - vector similarity matching
+# Lower = faster, less comprehensive | Higher = slower, more comprehensive
+AI_EMBEDDING_CANDIDATES=50
+
+# Minimum similarity score threshold (0.0-1.0)
+# Lower = more results but less relevant | Higher = fewer but more relevant
+AI_SIMILARITY_THRESHOLD=0.3
+
+# === AI SELECTION FROM EMBEDDINGS ===
+# When embeddings are enabled, how many top tools to send with full context
+# 🎯 This is the SECOND filter - take best N from embeddings results
+AI_EMBEDDING_SELECTION_LIMIT=30
+AI_EMBEDDING_CONCEPTS_LIMIT=15
+
+# Maximum tools/concepts sent to AI when embeddings are DISABLED
+# Set to 0 for no limit (WARNING: may cause token overflow with large datasets)
+AI_NO_EMBEDDINGS_TOOL_LIMIT=0
+AI_NO_EMBEDDINGS_CONCEPT_LIMIT=0
+
+# === AI SELECTION STAGE ===
+# Maximum tools the AI can select from embedding candidates
+# 🤖 This is the SECOND filter - AI intelligent selection
+# Should be ≤ AI_EMBEDDING_CANDIDATES
+AI_MAX_SELECTED_ITEMS=25
+
+# === EMBEDDINGS EFFICIENCY THRESHOLDS ===
+# Minimum tools required for embeddings to be considered useful
+AI_EMBEDDINGS_MIN_TOOLS=8
+
+# Maximum percentage of total tools that embeddings can return to be considered "filtering"
+AI_EMBEDDINGS_MAX_REDUCTION_RATIO=0.75
+
+# === CONTEXT FLOW SUMMARY ===
+# 1. Vector Search: 111 total tools → AI_EMBEDDING_CANDIDATES (40) most similar
+# 2. AI Selection: 40 candidates → AI_MAX_SELECTED_ITEMS (25) best matches  
+# 3. Final Output: Recommendations based on analyzed subset
+
+# ============================================================================
+# 4. AI PERFORMANCE & RATE LIMITING
+# ============================================================================
+
+# === USER RATE LIMITS (per minute) ===
+# Main queries per user per minute
+AI_RATE_LIMIT_MAX_REQUESTS=4
+
+# Total AI micro-task calls per user per minute (across all micro-tasks)
+AI_MICRO_TASK_TOTAL_LIMIT=30
+
+# === PIPELINE TIMING ===
+# Delay between micro-tasks within a single query (milliseconds)
+# Higher = gentler on AI service | Lower = faster responses
+AI_MICRO_TASK_DELAY_MS=500
+
+# Delay between queued requests (milliseconds)
+AI_RATE_LIMIT_DELAY_MS=2000
+
+# === EMBEDDINGS BATCH PROCESSING ===
+# How many embeddings to generate per API call
+AI_EMBEDDINGS_BATCH_SIZE=10
+
+# Delay between embedding batches (milliseconds)
+AI_EMBEDDINGS_BATCH_DELAY_MS=1000
+
+# Maximum tools sent to AI for detailed analysis (micro-tasks)
+AI_MAX_TOOLS_TO_ANALYZE=20
+AI_MAX_CONCEPTS_TO_ANALYZE=10
+
+# ============================================================================
+# 5. AI CONTEXT & TOKEN MANAGEMENT
+# ============================================================================
+
+# Maximum context tokens to maintain across micro-tasks
+# Controls how much conversation history is preserved between AI calls
+AI_MAX_CONTEXT_TOKENS=4000
+
+# Maximum tokens per individual AI prompt
+# Larger = more context per call | Smaller = faster responses
+AI_MAX_PROMPT_TOKENS=2500
+
+# ============================================================================
+# 6. AUTHENTICATION & AUTHORIZATION (OPTIONAL)
+# ============================================================================
+
+# Enable authentication for different features
 AUTHENTICATION_NECESSARY=false
 AUTHENTICATION_NECESSARY_CONTRIBUTIONS=false
 AUTHENTICATION_NECESSARY_AI=false
-AUTH_SECRET=your-secret-key-change-in-production
 
-# OIDC Configuration (if authentication enabled)
+# OIDC Provider Settings (only needed if authentication enabled)
 OIDC_ENDPOINT=https://your-oidc-provider.com
 OIDC_CLIENT_ID=your-client-id
 OIDC_CLIENT_SECRET=your-client-secret
 
-# ===================================================================
-# AI CONFIGURATION - Complete Reference for Improved Pipeline
-# ===================================================================
+# ============================================================================
+# 7. FILE UPLOADS - NEXTCLOUD INTEGRATION (OPTIONAL)
+# ============================================================================
 
-# === CORE AI ENDPOINTS & MODELS ===
-AI_API_ENDPOINT=https://llm.mikoshi.de
-AI_API_KEY=sREDACTED3w
-AI_MODEL='mistral/mistral-small-latest'
-
-# === IMPROVED PIPELINE: Use separate analyzer model (mistral-small is fine) ===
-AI_ANALYZER_ENDPOINT=https://llm.mikoshi.de
-AI_ANALYZER_API_KEY=skREDACTEDw3w  
-AI_ANALYZER_MODEL='mistral/mistral-small-latest'
-
-# === EMBEDDINGS CONFIGURATION ===
-AI_EMBEDDINGS_ENABLED=true
-AI_EMBEDDINGS_ENDPOINT=https://api.mistral.ai/v1/embeddings
-AI_EMBEDDINGS_API_KEY=ZREDACTED3wL
-AI_EMBEDDINGS_MODEL=mistral-embed
-AI_EMBEDDINGS_BATCH_SIZE=20
-AI_EMBEDDINGS_BATCH_DELAY_MS=1000
-
-# === PIPELINE: VectorIndex (HNSW) Configuration ===
-AI_MAX_SELECTED_ITEMS=60                    # Tools visible to each micro-task 
-AI_EMBEDDING_CANDIDATES=60                  # VectorIndex candidates (HNSW is more efficient)
-AI_SIMILARITY_THRESHOLD=0.3                # Not used by VectorIndex (uses cosine distance internally)
-
-# === MICRO-TASK CONFIGURATION ===
-AI_MICRO_TASK_DELAY_MS=500                 # Delay between micro-tasks  
-AI_MICRO_TASK_TIMEOUT_MS=25000             # Timeout per micro-task (increased for full context)
-
-# === RATE LIMITING ===
-AI_RATE_LIMIT_DELAY_MS=3000                # Main rate limit delay
-AI_RATE_LIMIT_MAX_REQUESTS=6               # Main requests per minute (reduced - fewer but richer calls)
-AI_MICRO_TASK_RATE_LIMIT=15                # Micro-task requests per minute (was 30)
-
-# === QUEUE MANAGEMENT ===
-AI_QUEUE_MAX_SIZE=50
-AI_QUEUE_CLEANUP_INTERVAL_MS=300000
-
-# === PERFORMANCE & MONITORING ===
-AI_MICRO_TASK_DEBUG=true
-AI_PERFORMANCE_METRICS=true
-AI_RESPONSE_CACHE_TTL_MS=3600000
-
-# ===================================================================
-# LEGACY VARIABLES (still used but less important)
-# ===================================================================
-
-# These are still used by other parts of the system:
-AI_RESPONSE_CACHE_TTL_MS=3600000           # For caching responses
-AI_QUEUE_MAX_SIZE=50                       # Queue management
-AI_QUEUE_CLEANUP_INTERVAL_MS=300000       # Queue cleanup
-
-# === Application Configuration ===
-PUBLIC_BASE_URL=http://localhost:4321
-NODE_ENV=development
-
-# Nextcloud Integration (Optional)
+# Nextcloud server for file uploads (knowledgebase contributions)
+# Leave empty to disable file upload functionality
 NEXTCLOUD_ENDPOINT=https://your-nextcloud.com
+
+# Nextcloud credentials (app password recommended)
 NEXTCLOUD_USERNAME=your-username
-NEXTCLOUD_PASSWORD=your-password
+NEXTCLOUD_PASSWORD=your-app-password
+
+# Upload directory on Nextcloud (will be created if doesn't exist)
 NEXTCLOUD_UPLOAD_PATH=/kb-media
-NEXTCLOUD_PUBLIC_URL=https://your-nextcloud.com/s/
\ No newline at end of file
+
+# Public URL base for sharing uploaded files
+# Usually your Nextcloud base URL + share path
+NEXTCLOUD_PUBLIC_URL=https://your-nextcloud.com/s/
+
+# ============================================================================
+# 8. GIT CONTRIBUTIONS - ISSUE CREATION (OPTIONAL)
+# ============================================================================
+
+# Git provider: gitea, github, or gitlab
+GIT_PROVIDER=gitea
+
+# Repository URL (used to extract owner/name)
+# Example: https://git.example.com/owner/forensic-pathways.git
+GIT_REPO_URL=https://git.example.com/owner/forensic-pathways.git
+
+# API endpoint for your git provider
+# Gitea: https://git.example.com/api/v1
+# GitHub: https://api.github.com
+# GitLab: https://gitlab.example.com/api/v4
+GIT_API_ENDPOINT=https://git.example.com/api/v1
+
+# Personal access token or API token for creating issues
+# Generate this in your git provider's settings
+GIT_API_TOKEN=your-git-api-token
+
+# ============================================================================
+# 9. AUDIT & DEBUGGING (OPTIONAL)
+# ============================================================================
+
+# Enable detailed audit trail of AI decision-making
+FORENSIC_AUDIT_ENABLED=true
+
+# Audit detail level: minimal, standard, verbose
+FORENSIC_AUDIT_DETAIL_LEVEL=standard
+
+# Audit retention time (hours)
+FORENSIC_AUDIT_RETENTION_HOURS=24
+
+# Maximum audit entries per request
+FORENSIC_AUDIT_MAX_ENTRIES=50
+
+# ============================================================================
+# 10. SIMPLIFIED CONFIDENCE SCORING SYSTEM  
+# ============================================================================
+
+# Confidence component weights (must sum to 1.0)
+CONFIDENCE_SEMANTIC_WEIGHT=0.5         # Weight for vector similarity quality  
+CONFIDENCE_SUITABILITY_WEIGHT=0.5      # Weight for AI-determined task fitness
+
+# Confidence thresholds (0-100)
+CONFIDENCE_MINIMUM_THRESHOLD=50        # Below this = weak recommendation
+CONFIDENCE_MEDIUM_THRESHOLD=70         # 40-59 = weak, 60-79 = moderate  
+CONFIDENCE_HIGH_THRESHOLD=80           # 80+ = strong recommendation
+
+# ============================================================================
+# PERFORMANCE TUNING PRESETS
+# ============================================================================
+
+# 🚀 FOR FASTER RESPONSES (prevent token overflow):
+# AI_NO_EMBEDDINGS_TOOL_LIMIT=25
+# AI_NO_EMBEDDINGS_CONCEPT_LIMIT=10
+
+# 🎯 FOR FULL DATABASE ACCESS (risk of truncation):
+# AI_NO_EMBEDDINGS_TOOL_LIMIT=0
+# AI_NO_EMBEDDINGS_CONCEPT_LIMIT=0
+
+# 🔋 FOR LOW-POWER SYSTEMS:
+# AI_NO_EMBEDDINGS_TOOL_LIMIT=15
+
+# ============================================================================
+# FEATURE COMBINATIONS GUIDE
+# ============================================================================
+
+# 📝 BASIC SETUP (AI only):
+# - Configure AI_ANALYZER_* and AI_EMBEDDINGS_*
+# - Leave authentication, file uploads, and git disabled
+
+# 🔐 WITH AUTHENTICATION:
+# - Set AUTHENTICATION_NECESSARY_* to true
+# - Configure OIDC_* settings
+
+# 📁 WITH FILE UPLOADS:
+# - Configure all NEXTCLOUD_* settings
+# - Test connection before enabling in UI
+
+# 🔄 WITH CONTRIBUTIONS:
+# - Configure all GIT_* settings
+# - Test API token permissions for issue creation
+
+# 🔍 WITH FULL MONITORING:
+# - Enable FORENSIC_AUDIT_ENABLED=true
+# - Configure audit retention and detail level
+
+# ============================================================================
+# SETUP CHECKLIST
+# ============================================================================
+# ✅ 1. Set PUBLIC_BASE_URL to your domain
+# ✅ 2. Change AUTH_SECRET to a secure random string  
+# ✅ 3. Configure AI endpoints (Ollama: leave API_KEY empty)
+# ✅ 4. Start with default AI values, tune based on performance
+# ✅ 5. Enable authentication if needed (configure OIDC)
+# ✅ 6. Configure Nextcloud if file uploads needed
+# ✅ 7. Configure Git provider if contributions needed
+# ✅ 8. Test with a simple query to verify pipeline works
+# ✅ 9. Enable audit trail for transparency if desired
+# ✅ 10. Tune performance settings based on usage patterns
+# ============================================================================
\ No newline at end of file
diff --git a/README.md b/README.md
index 89aac12..b6f72a2 100644
--- a/README.md
+++ b/README.md
@@ -62,7 +62,7 @@ Ein kuratiertes Verzeichnis für Digital Forensics und Incident Response (DFIR)
 
 ### AI Service (Mistral/OpenAI-kompatibel)
 - **Zweck:** KI-gestützte Tool-Empfehlungen
-- **Konfiguration:** `AI_API_ENDPOINT`, `AI_API_KEY`, `AI_MODEL`
+- **Konfiguration:** `AI_ANALYZER_ENDPOINT`, `AI_ANALYZER_API_KEY`, `AI_ANALYZER_MODEL`
 
 ### Uptime Kuma
 - **Zweck:** Status-Monitoring für gehostete Services
@@ -157,9 +157,9 @@ PUBLIC_BASE_URL=https://your-domain.com
 NODE_ENV=production
 
 # AI Service Configuration (Required for AI features)
-AI_MODEL=mistral-large-latest
-AI_API_ENDPOINT=https://api.mistral.ai
-AI_API_KEY=your-mistral-api-key
+AI_ANALYZER_MODEL=mistral-large-latest
+AI_ANALYZER_ENDPOINT=https://api.mistral.ai
+AI_ANALYZER_API_KEY=your-mistral-api-key
 AI_RATE_LIMIT_DELAY_MS=1000
 
 # Git Integration (Required for contributions)
diff --git a/context.md b/context.md
deleted file mode 100644
index c806167..0000000
--- a/context.md
+++ /dev/null
@@ -1,337 +0,0 @@
-# ForensicPathways Architecture System Prompt
-
-## Project Overview
-ForensicPathways is a curated directory of Digital Forensics and Incident Response (DFIR) tools, methods, and concepts built with Astro and TypeScript. It serves as an educational and professional resource for forensic investigators, following the NIST SP 800-86 framework (Kent, Chevalier, Grance & Dang).
-
-## Core Technology Stack
-- **Framework**: Astro (static site generator with islands architecture)
-- **Language**: TypeScript with strict typing
-- **Styling**: Vanilla CSS with custom properties (CSS variables)
-- **Data Storage**: YAML files for tool catalog
-- **Content**: Astro Content Collections for knowledge base articles
-- **Authentication**: OIDC (OpenID Connect) with configurable requirements
-- **AI Integration**: Mistral API for workflow recommendations
-- **File Storage**: Nextcloud with local fallback
-- **Version Control**: Git integration for community contributions
-
-## Data Model Architecture
-
-### Core Entity: Tool
-```yaml
-name: string           # Tool identifier
-icon: string?          # Emoji icon
-type: 'software'|'method'|'concept'  # Tool classification
-description: string    # Detailed description
-domains: string[]      # Forensic domains (incident-response, malware-analysis, etc.)
-phases: string[]       # NIST framework phases (data-collection, examination, analysis, reporting)
-platforms: string[]   # Operating systems (for software only)
-skillLevel: string     # novice|beginner|intermediate|advanced|expert
-url: string           # Primary documentation/homepage
-projectUrl: string?   # Hosted instance URL (CC24 server)
-license: string?      # Software license
-knowledgebase: boolean? # Has detailed documentation
-tags: string[]        # Searchable keywords
-related_concepts: string[]? # Links to concept-type tools
-related_software: string[]? #Links to software-type-tools
-```
-
-### Taxonomies
-- **Domains**: Forensic specializations (7 main domains)
-- **Phases**: NIST investigation phases (4 phases)
-- **Domain-Agnostic-Software**: Cross-cutting tools and platforms
-- **Skill Levels**: Standardized competency requirements
-
-## Component Architecture
-
-### Layout System
-- **BaseLayout.astro**: Global layout with theme system, authentication setup, shared utilities
-- **Navigation.astro**: Main navigation with active state management
-- **Footer.astro**: Site footer with links and licensing info
-
-### Core Components
-- **ToolCard.astro**: Individual tool display with metadata, actions, and type-specific styling
-- **ToolMatrix.astro**: Matrix view showing tools by domain/phase intersection
-- **ToolFilters.astro**: Search, filtering, and view controls
-- **AIQueryInterface.astro**: AI-powered workflow recommendation system
-
-### Utility Components
-- **ShareButton.astro**: URL sharing with multiple view options
-- **ContributionButton.astro**: Authenticated contribution links
-- **ThemeToggle.astro**: Light/dark/auto theme switching
-
-## Feature Systems
-
-### 1. Authentication System (`src/utils/auth.ts`)
-- **OIDC Integration**: Uses environment-configured provider
-- **Contextual Requirements**: Different auth requirements for contributions vs AI features
-- **Session Management**: JWT-based with configurable expiration
-- **Client-Side Utilities**: Window-level auth checking functions
-
-### 2. AI Recommendation System
-- **Dual Modes**: 
-  - Workflow mode: Multi-phase recommendations for scenarios
-  - Tool mode: Specific tool recommendations for problems
-- **Rate Limiting**: Queue-based system with status updates
-- **Data Integration**: Uses compressed tool database for AI context
-- **Response Validation**: Ensures AI only recommends existing tools
-
-### 3. Contribution System
-- **Git Integration**: Automated issue creation via Gitea/GitHub/GitLab APIs
-- **Tool Contributions**: Form-based tool submissions
-- **Knowledge Base**: Rich text with file upload support
-- **Validation**: Client and server-side validation with Zod schemas
-
-### 4. File Upload System
-- **Primary**: Nextcloud integration with public link generation
-- **Fallback**: Local file storage with public URL generation
-- **Validation**: File type and size restrictions
-- **Rate Limiting**: Per-user upload quotas
-
-## Styling Architecture
-
-### CSS Custom Properties System
-```css
-/* Core color system */
---color-primary: /* Adaptive based on theme */
---color-accent: /* Secondary brand color */
---color-bg: /* Main background */
---color-text: /* Primary text */
-
-/* Component-specific colors */
---color-hosted: /* CC24 server hosted tools */
---color-oss: /* Open source tools */
---color-method: /* Methodology entries */
---color-concept: /* Knowledge concepts */
-
-/* Theme system */
-[data-theme="light"] { /* Light theme values */ }
-[data-theme="dark"] { /* Dark theme values */ }
-```
-
-### Component Styling Patterns
-- **Card System**: Consistent `.card` base with type-specific variants
-- **Badge System**: Status and metadata indicators
-- **Button System**: Semantic button classes with size variants
-- **Grid System**: CSS Grid with responsive breakpoints
-
-## Data Flow Architecture
-
-### 1. Data Loading (`src/utils/dataService.ts`)
-```typescript
-// Daily randomization with seeded shuffle
-getToolsData() → shuffled tools array
-getCompressedToolsDataForAI() → AI-optimized dataset
-clearCache() → cache invalidation
-```
-
-### 2. Client-Side State Management
-- **Global Tools Data**: Attached to `window.toolsData`
-- **Filter State**: Component-local state with event emission
-- **View State**: Grid/Matrix/AI view switching
-- **Modal State**: Tool detail overlays with multi-modal support
-
-### 3. Search and Filtering
-- **Text Search**: Name, description, tags
-- **Faceted Filtering**: Domain, phase, skill level, license type
-- **Tag Cloud**: Frequency-weighted tag selection
-- **Real-time Updates**: Immediate filtering with event system
-
-## API Architecture
-
-### Endpoint Structure
-```
-/api/auth/         # Authentication endpoints
-  login.ts         # OIDC initiation
-  process.ts       # OIDC callback processing
-  status.ts        # Auth status checking
-
-/api/contribute/   # Contribution endpoints
-  tool.ts          # Tool submissions
-  knowledgebase.ts # KB article submissions
-
-/api/ai/          # AI features
-  query.ts         # Workflow recommendations
-  queue-status.ts  # Queue monitoring
-
-/api/upload/      # File handling
-  media.ts         # File upload processing
-
-/api/health.ts    # System health check
-```
-
-### Response Patterns
-All APIs use consolidated response utilities (`src/utils/api.ts`):
-- **Success**: `apiResponse.success()`, `apiResponse.created()`
-- **Errors**: `apiError.badRequest()`, `apiError.unauthorized()`, etc.
-- **Server Errors**: `apiServerError.internal()`, etc.
-
-## File Organization Patterns
-
-### Page Structure
-- **Static Pages**: About, impressum, status
-- **Dynamic Pages**: Tool details, knowledge base articles
-- **Authenticated Pages**: Contribution forms
-- **API Routes**: RESTful endpoints with consistent naming
-
-### Utility Organization
-- **Tool Operations**: `toolHelpers.ts` - Core tool manipulation
-- **Data Management**: `dataService.ts` - YAML loading and caching
-- **Authentication**: `auth.ts` - OIDC flow and session management
-- **External APIs**: `gitContributions.ts`, `nextcloud.ts`
-- **Rate Limiting**: `rateLimitedQueue.ts` - AI request queuing
-
-## Key Architectural Decisions
-
-### 1. Static-First with Dynamic Islands
-- Astro's islands architecture for interactivity
-- Static generation for performance
-- Selective hydration for complex components
-
-### 2. YAML-Based Data Management
-- Human-readable tool catalog
-- Git-friendly versioning
-- Type-safe loading with Zod validation
-
-### 3. Contextual Authentication
-- Optional authentication based on feature
-- Graceful degradation for unauthenticated users
-- Environment-configurable requirements
-
-### 4. Multi-Modal UI Patterns
-- Grid view for browsing
-- Matrix view for relationship visualization
-- AI interface for guided recommendations
-
-### 5. Progressive Enhancement
-- Core functionality works without JavaScript
-- Enhanced features require client-side hydration
-- Responsive design with mobile-first approach
-
-## Development Patterns
-
-### Component Design
-- Props interfaces with TypeScript
-- Consistent styling via CSS classes
-- Event-driven communication between components
-- Server-side rendering with client-side enhancement
-
-### Error Handling
-- Comprehensive try-catch in API routes
-- User-friendly error messages
-- Graceful fallbacks for external services
-- Logging for debugging and monitoring
-
-### Performance Optimizations
-- Daily data randomization with caching
-- Compressed datasets for AI context
-- Rate limiting for external API calls
-- Efficient DOM updates with targeted selectors
-
-This architecture emphasizes maintainability, user experience, and extensibility while managing the complexity of a multi-feature forensics tool directory.
-
-
-## Absolutely Essential (Core Architecture - 8 files)
-
-**File**: `src/data/tools.yaml.example`
-**Why**: Defines the core data model - what a "tool" is, the schema, domains, phases, etc. Without this, an AI can't understand what the application manages.
-
-**File**: `src/pages/index.astro` 
-**Why**: Main application entry point showing the core functionality (filters, matrix, AI interface, tool grid). Contains the primary application logic flow.
-
-**File**: `src/layouts/BaseLayout.astro`
-**Why**: Global layout with theme system, authentication setup, and shared utility functions. Shows the overall app structure.
-
-**File**: `src/utils/dataService.ts`
-**Why**: Core data loading and processing logic. Essential for understanding how data flows through the application.
-
-**File**: `src/utils/toolHelpers.ts`
-**Why**: Core utility functions used throughout the app (slug creation, tool identification, hosting checks).
-
-**File**: `src/styles/global.css`
-**Why**: Complete styling system - defines visual architecture, component styling, theme system, responsive design.
-
-**File**: `src/env.d.ts`
-**Why**: Global TypeScript definitions and window interface extensions. Shows the global API surface.
-
-**File**: `src/components/ToolCard.astro`
-**Why**: Shows how the core entity (tools) are rendered and structured. Represents the component architecture pattern.
-
-## Secondary Priority (Major Features - 4 files)
-
-**File**: `src/components/ToolMatrix.astro` - Matrix view functionality
-**File**: `src/components/AIQueryInterface.astro` - AI recommendation system  
-**File**: `src/utils/auth.ts` - Authentication system
-**File**: `src/content/config.ts` - Content collection schema
-
-## Strategy for Context Management
-
-1. **Always provide**: The 8 essential files above
-2. **Add selectively**: Include 1-3 secondary files based on the specific development task
-3. **Reference others**: Mention other relevant files by name/purpose without including full content
-
-user01@altiera /v/h/u/P/forensic-pathways (main)> tree src
-src
-├── components
-│   ├── AIQueryInterface.astro
-│   ├── ContributionButton.astro
-│   ├── Footer.astro
-│   ├── Navigation.astro
-│   ├── ShareButton.astro
-│   ├── ThemeToggle.astro
-│   ├── ToolCard.astro
-│   ├── ToolFilters.astro
-│   └── ToolMatrix.astro
-├── content
-│   ├── config.ts
-│   └── knowledgebase
-│       ├── android-logical-imaging.md
-│       ├── kali-linux.md
-│       ├── misp.md
-│       ├── nextcloud.md
-│       ├── regular-expressions-regex.md
-│       └── velociraptor.md
-├── data
-│   ├── tools.yaml
-│   └── tools.yaml.example
-├── env.d.ts
-├── layouts
-│   └── BaseLayout.astro
-├── pages
-│   ├── about.astro
-│   ├── api
-│   │   ├── ai
-│   │   │   ├── query.ts
-│   │   │   └── queue-status.ts
-│   │   ├── auth
-│   │   │   ├── login.ts
-│   │   │   ├── process.ts
-│   │   │   └── status.ts
-│   │   ├── contribute
-│   │   │   ├── knowledgebase.ts
-│   │   │   └── tool.ts
-│   │   ├── health.ts
-│   │   └── upload
-│   │       └── media.ts
-│   ├── auth
-│   │   └── callback.astro
-│   ├── contribute
-│   │   ├── index.astro
-│   │   ├── knowledgebase.astro
-│   │   └── tool.astro
-│   ├── impressum.astro
-│   ├── index.astro
-│   ├── knowledgebase
-│   │   └── [slug].astro
-│   ├── knowledgebase.astro
-│   └── status.astro
-├── styles
-│   └── global.css
-└── utils
-    ├── api.ts
-    ├── auth.ts
-    ├── dataService.ts
-    ├── gitContributions.ts
-    ├── nextcloud.ts
-    ├── rateLimitedQueue.ts
-    └── toolHelpers.ts
-17 directories, 47 files
\ No newline at end of file
diff --git a/dfir_yaml_editor.html b/dfir_yaml_editor.html
deleted file mode 100644
index 784d1dd..0000000
--- a/dfir_yaml_editor.html
+++ /dev/null
@@ -1,2016 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-<head>
-    <meta charset="UTF-8">
-    <meta name="viewport" content="width=device-width, initial-scale=1.0">
-    <title>DFIR Tools YAML Editor</title>
-    <script src="https://cdnjs.cloudflare.com/ajax/libs/js-yaml/4.1.0/js-yaml.min.js"></script>
-    <style>
-        * {
-            margin: 0;
-            padding: 0;
-            box-sizing: border-box;
-        }
-
-        :root {
-            --primary: #3498db;
-            --secondary: #95a5a6;
-            --success: #27ae60;
-            --warning: #f39c12;
-            --danger: #e74c3c;
-            --dark: #2c3e50;
-            --light: #ecf0f1;
-            --border: #dee2e6;
-            --accent: #9b59b6;
-        }
-
-        body {
-            font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
-            background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
-            min-height: 100vh;
-            padding: 20px;
-        }
-
-        .container {
-            max-width: 1400px;
-            margin: 0 auto;
-            background: white;
-            border-radius: 15px;
-            box-shadow: 0 20px 40px rgba(0,0,0,0.1);
-            overflow: hidden;
-        }
-
-        .header {
-            background: linear-gradient(135deg, var(--dark) 0%, var(--primary) 100%);
-            color: white;
-            padding: 25px;
-            text-align: center;
-        }
-
-        .tabs {
-            background: var(--light);
-            display: flex;
-            border-bottom: 2px solid var(--border);
-            overflow-x: auto;
-        }
-
-        .tab {
-            padding: 15px 25px;
-            cursor: pointer;
-            border-bottom: 3px solid transparent;
-            transition: all 0.3s ease;
-            font-weight: 500;
-            white-space: nowrap;
-            min-width: 120px;
-        }
-
-        .tab:hover {
-            background: var(--border);
-        }
-
-        .tab.active {
-            background: white;
-            border-bottom-color: var(--primary);
-            color: var(--primary);
-        }
-
-        .tab-content {
-            display: none;
-            padding: 30px;
-            min-height: 600px;
-        }
-
-        .tab-content.active {
-            display: block;
-        }
-
-        .btn {
-            background: var(--primary);
-            color: white;
-            border: none;
-            padding: 12px 24px;
-            border-radius: 8px;
-            cursor: pointer;
-            font-weight: 500;
-            margin: 5px;
-            transition: all 0.3s ease;
-            text-decoration: none;
-            display: inline-block;
-        }
-
-        .btn:hover {
-            transform: translateY(-2px);
-            box-shadow: 0 4px 12px rgba(52, 152, 219, 0.3);
-        }
-
-        .btn:disabled {
-            opacity: 0.6;
-            cursor: not-allowed;
-            transform: none;
-            box-shadow: none;
-        }
-
-        .btn-secondary { background: var(--secondary); }
-        .btn-danger { background: var(--danger); }
-        .btn-success { background: var(--success); }
-        .btn-warning { background: var(--warning); }
-        .btn-accent { background: var(--accent); }
-
-        .search-container {
-            background: var(--light);
-            padding: 15px;
-            border-radius: 8px;
-            margin-bottom: 20px;
-        }
-
-        .search-input {
-            width: 100%;
-            padding: 12px;
-            border: 2px solid var(--border);
-            border-radius: 8px;
-            font-size: 16px;
-            transition: border-color 0.3s ease;
-        }
-
-        .search-input:focus {
-            outline: none;
-            border-color: var(--primary);
-        }
-
-        .search-results-info {
-            margin-top: 10px;
-            font-size: 14px;
-            color: var(--secondary);
-        }
-
-        .stats-grid {
-            display: grid;
-            grid-template-columns: repeat(auto-fit, minmax(200px, 1fr));
-            gap: 20px;
-            margin-bottom: 30px;
-        }
-
-        .stat-card {
-            background: var(--primary);
-            color: white;
-            padding: 20px;
-            border-radius: 10px;
-            text-align: center;
-        }
-
-        .tools-grid {
-            display: grid;
-            grid-template-columns: repeat(auto-fill, minmax(300px, 1fr));
-            gap: 20px;
-            margin-top: 20px;
-        }
-
-        .tool-card {
-            background: white;
-            border: 1px solid var(--border);
-            border-radius: 10px;
-            padding: 20px;
-            transition: all 0.3s ease;
-        }
-
-        .tool-card:hover {
-            transform: translateY(-2px);
-            box-shadow: 0 4px 12px rgba(0,0,0,0.1);
-        }
-
-        .tool-card.software { border-left: 4px solid var(--primary); }
-        .tool-card.method { border-left: 4px solid var(--accent); }
-        .tool-card.concept { border-left: 4px solid #e67e22; }
-
-        .form-group {
-            margin-bottom: 20px;
-        }
-
-        .form-group label {
-            display: block;
-            margin-bottom: 8px;
-            font-weight: 600;
-            color: var(--dark);
-        }
-
-        .form-group input,
-        .form-group select,
-        .form-group textarea {
-            width: 100%;
-            padding: 12px;
-            border: 2px solid var(--border);
-            border-radius: 8px;
-            font-size: 14px;
-            transition: border-color 0.3s ease;
-        }
-
-        .form-group input:focus,
-        .form-group select:focus,
-        .form-group textarea:focus {
-            outline: none;
-            border-color: var(--primary);
-        }
-
-        .checkbox-group {
-            display: grid;
-            grid-template-columns: repeat(auto-fit, minmax(200px, 1fr));
-            gap: 12px;
-            margin-top: 10px;
-            padding: 15px;
-            background: #f8f9fa;
-            border-radius: 8px;
-        }
-
-        .checkbox-item {
-            display: flex;
-            align-items: center;
-            gap: 8px;
-            padding: 8px;
-            border-radius: 6px;
-            transition: background-color 0.2s ease;
-        }
-
-        .checkbox-item:hover {
-            background: rgba(52, 152, 219, 0.1);
-        }
-
-        .checkbox-item input[type="checkbox"] {
-            width: auto;
-            margin: 0;
-        }
-
-        .tags-input {
-            display: flex;
-            flex-wrap: wrap;
-            gap: 8px;
-            min-height: 50px;
-            padding: 12px;
-            border: 2px solid var(--border);
-            border-radius: 8px;
-            background: white;
-            transition: border-color 0.3s ease;
-        }
-
-        .tags-input:focus-within {
-            border-color: var(--primary);
-        }
-
-        .tag {
-            background: var(--light);
-            padding: 6px 12px;
-            border-radius: 20px;
-            font-size: 0.9em;
-            display: flex;
-            align-items: center;
-            gap: 8px;
-            border: 1px solid var(--border);
-        }
-
-        .tag-remove {
-            cursor: pointer;
-            font-weight: bold;
-            color: #666;
-            background: rgba(231, 76, 60, 0.1);
-            border-radius: 50%;
-            width: 18px;
-            height: 18px;
-            display: flex;
-            align-items: center;
-            justify-content: center;
-            font-size: 12px;
-        }
-
-        .tag-remove:hover {
-            background: var(--danger);
-            color: white;
-        }
-
-        .bulk-section {
-            background: var(--light);
-            padding: 20px;
-            border-radius: 10px;
-            margin-bottom: 20px;
-            border: 2px solid var(--border);
-        }
-
-        .bulk-controls {
-            display: grid;
-            grid-template-columns: repeat(auto-fit, minmax(180px, 1fr));
-            gap: 10px;
-            margin-top: 15px;
-        }
-
-        .message {
-            padding: 15px;
-            border-radius: 8px;
-            margin: 10px 0;
-            position: fixed;
-            top: 20px;
-            right: 20px;
-            z-index: 1000;
-            min-width: 300px;
-            box-shadow: 0 4px 12px rgba(0,0,0,0.15);
-        }
-
-        .message.success {
-            background: #d4edda;
-            color: #155724;
-            border: 1px solid #c3e6cb;
-        }
-
-        .message.error {
-            background: #f8d7da;
-            color: #721c24;
-            border: 1px solid #f5c6cb;
-        }
-
-        .hidden { display: none !important; }
-
-        .filter-section {
-            display: flex;
-            gap: 15px;
-            align-items: center;
-            flex-wrap: wrap;
-            margin-top: 15px;
-        }
-
-        .filter-section select {
-            min-width: 150px;
-        }
-
-        .form-section {
-            background: #f8f9fa;
-            padding: 20px;
-            border-radius: 10px;
-            margin-bottom: 20px;
-            border-left: 4px solid var(--primary);
-        }
-
-        .form-section h4 {
-            margin: 0 0 15px 0;
-            color: var(--dark);
-            display: flex;
-            align-items: center;
-            gap: 8px;
-        }
-
-        .loading {
-            opacity: 0.7;
-            pointer-events: none;
-        }
-
-        @media (max-width: 768px) {
-            .tabs { 
-                flex-direction: column; 
-            }
-            .tab {
-                min-width: auto;
-                text-align: center;
-            }
-            .stats-grid { 
-                grid-template-columns: repeat(auto-fit, minmax(150px, 1fr)); 
-            }
-            .tools-grid { 
-                grid-template-columns: 1fr; 
-            }
-            .checkbox-group {
-                grid-template-columns: 1fr;
-            }
-            .bulk-controls {
-                grid-template-columns: 1fr;
-            }
-            .filter-section {
-                flex-direction: column;
-                align-items: stretch;
-            }
-            .message {
-                position: relative;
-                top: auto;
-                right: auto;
-                min-width: auto;
-            }
-        }
-    </style>
-</head>
-<body>
-    <div class="container">
-        <div class="header">
-            <h1>🔧 DFIR Tools YAML Editor</h1>
-            <p>Enhanced editor for Digital Forensics and Incident Response tools, methods, and concepts</p>
-        </div>
-
-        <div class="tabs">
-            <div class="tab active" onclick="showTab('overview')">📊 Overview</div>
-            <div class="tab" onclick="showTab('tools')">🛠️ Tools & Concepts</div>
-            <div class="tab" onclick="showTab('editor')">✏️ Editor</div>
-            <div class="tab" onclick="showTab('bulk')">📋 Bulk Edit</div>
-            <div class="tab" onclick="showTab('knowledge')">📚 Knowledge Generator</div>
-            <div class="tab" onclick="showTab('export')">💾 Export</div>
-        </div>
-
-        <!-- Overview Tab -->
-        <div id="overview" class="tab-content active">
-            <div style="background: var(--light); padding: 20px; border-radius: 10px; margin-bottom: 20px; border: 2px dashed var(--border); text-align: center;">
-                <h3>📁 Load YAML File</h3>
-                <input type="file" id="fileInput" accept=".yaml,.yml" onchange="loadFile()">
-                <p>Select a YAML file to load existing tools data</p>
-            </div>
-
-            <div id="stats" class="stats-grid"></div>
-
-            <div id="validationResults" class="hidden">
-                <h3>🔍 Validation Results</h3>
-                <div id="validationContent"></div>
-            </div>
-
-            <div style="text-align: center; margin-top: 20px;">
-                <button class="btn" onclick="validateYAML()">🔍 Validate YAML</button>
-                <button class="btn btn-secondary" onclick="previewYAML()">👁️ Preview YAML</button>
-            </div>
-        </div>
-
-        <!-- Tools Tab with Enhanced Search -->
-        <div id="tools" class="tab-content">
-            <div class="search-container">
-                <h3>🔍 Search & Filter Tools</h3>
-                <input type="text" 
-                       id="searchInput" 
-                       class="search-input" 
-                       placeholder="Search by name, description, tags, related concepts, related software, or scenarios..." 
-                       oninput="applySearch()">
-                <div class="search-results-info" id="searchResults"></div>
-                
-                <div class="filter-section">
-                    <label>Type:</label>
-                    <select id="typeFilter" onchange="applyFilters()">
-                        <option value="">All Types</option>
-                        <option value="software">Software</option>
-                        <option value="method">Method</option>
-                        <option value="concept">Concept</option>
-                    </select>
-                    <label>Skill Level:</label>
-                    <select id="skillFilter" onchange="applyFilters()">
-                        <option value="">All Levels</option>
-                        <option value="novice">Novice</option>
-                        <option value="beginner">Beginner</option>
-                        <option value="intermediate">Intermediate</option>
-                        <option value="advanced">Advanced</option>
-                        <option value="expert">Expert</option>
-                    </select>
-                    <button class="btn btn-secondary" onclick="clearFilters()">Clear All</button>
-                </div>
-            </div>
-            <div id="toolsGrid" class="tools-grid"></div>
-        </div>
-
-        <!-- Enhanced Editor Tab -->
-        <div id="editor" class="tab-content">
-            <h3>✏️ Add/Edit Tool, Method, or Concept</h3>
-            
-            <form id="toolForm">
-                <div class="form-section">
-                    <h4>📝 Basic Information</h4>
-                    <div style="display: grid; grid-template-columns: 1fr 1fr; gap: 15px;">
-                        <div class="form-group">
-                            <label for="toolType">Type *</label>
-                            <select id="toolType" onchange="toggleConditionalFields()" required>
-                                <option value="software">Software</option>
-                                <option value="method">Method</option>
-                                <option value="concept">Concept</option>
-                            </select>
-                        </div>
-                        <div class="form-group">
-                            <label for="skillLevel">Skill Level *</label>
-                            <select id="skillLevel" required>
-                                <option value="novice">Novice</option>
-                                <option value="beginner">Beginner</option>
-                                <option value="intermediate">Intermediate</option>
-                                <option value="advanced">Advanced</option>
-                                <option value="expert">Expert</option>
-                            </select>
-                        </div>
-                    </div>
-
-                    <div style="display: grid; grid-template-columns: 1fr auto; gap: 15px; align-items: end;">
-                        <div class="form-group">
-                            <label for="toolName">Name *</label>
-                            <input type="text" id="toolName" required>
-                        </div>
-                        <div class="form-group">
-                            <label for="toolIcon">Icon</label>
-                            <input type="text" id="toolIcon" placeholder="🔧" maxlength="4" style="width: 80px; text-align: center; font-size: 1.5em;">
-                        </div>
-                    </div>
-
-                    <div class="form-group">
-                        <label for="description">Description *</label>
-                        <textarea id="description" required rows="4" placeholder="Detailed description of the tool, method, or concept..."></textarea>
-                    </div>
-
-                    <div class="form-group">
-                        <label for="url">URL *</label>
-                        <input type="url" id="url" required placeholder="https://example.com">
-                    </div>
-                </div>
-
-                <div class="form-section">
-                    <h4>🎯 Classification</h4>
-                    <div class="form-group">
-                        <label>Domains</label>
-                        <div id="domainsCheckbox" class="checkbox-group"></div>
-                    </div>
-
-                    <div class="form-group">
-                        <label>Phases</label>
-                        <div id="phasesCheckbox" class="checkbox-group"></div>
-                    </div>
-
-                    <div class="form-group">
-                        <label>🎮 Scenario Tags <small style="color: #666;">(adds scenario: prefix to tags)</small></label>
-                        <div id="scenariosCheckbox" class="checkbox-group"></div>
-                    </div>
-                </div>
-
-                <!-- Software/Method specific fields -->
-                <div id="softwareMethodFields" class="form-section">
-                    <h4>⚙️ Technical Details</h4>
-                    <div class="form-group">
-                        <label>Platforms</label>
-                        <div id="platformsCheckbox" class="checkbox-group">
-                            <div class="checkbox-item">
-                                <input type="checkbox" value="Windows" id="platform-windows">
-                                <label for="platform-windows">Windows</label>
-                            </div>
-                            <div class="checkbox-item">
-                                <input type="checkbox" value="Linux" id="platform-linux">
-                                <label for="platform-linux">Linux</label>
-                            </div>
-                            <div class="checkbox-item">
-                                <input type="checkbox" value="macOS" id="platform-macos">
-                                <label for="platform-macos">macOS</label>
-                            </div>
-                            <div class="checkbox-item">
-                                <input type="checkbox" value="Web" id="platform-web">
-                                <label for="platform-web">Web</label>
-                            </div>
-                            <div class="checkbox-item">
-                                <input type="checkbox" value="Cloud" id="platform-cloud">
-                                <label for="platform-cloud">Cloud</label>
-                            </div>
-                        </div>
-                    </div>
-
-                    <div class="form-group">
-                        <label>Domain-Agnostic Categories</label>
-                        <div id="domainAgnosticCheckbox" class="checkbox-group"></div>
-                    </div>
-                </div>
-
-                <!-- Software specific fields -->
-                <div id="softwareFields" class="form-section">
-                    <h4>💻 Software Specific</h4>
-                    <div style="display: grid; grid-template-columns: 1fr 1fr; gap: 15px;">
-                        <div class="form-group">
-                            <label for="accessType">Access Type</label>
-                            <select id="accessType">
-                                <option value="">Select Access Type</option>
-                                <option value="download">Download</option>
-                                <option value="web">Web Application</option>
-                                <option value="api">API</option>
-                                <option value="cli">Command Line</option>
-                                <option value="service">Service</option>
-                            </select>
-                        </div>
-
-                        <div class="form-group">
-                            <label for="license">License</label>
-                            <input type="text" id="license" placeholder="e.g., Apache 2.0, MIT, Proprietary">
-                        </div>
-                    </div>
-
-                    <div style="display: grid; grid-template-columns: 1fr 1fr; gap: 15px;">
-                        <div class="form-group">
-                            <label for="projectUrl">Project URL (CC24 Server)</label>
-                            <input type="url" id="projectUrl" placeholder="https://cc24-server.example.com">
-                        </div>
-
-                        <div class="form-group">
-                            <label for="statusUrl">Status URL</label>
-                            <input type="url" id="statusUrl" placeholder="https://status.example.com">
-                        </div>
-                    </div>
-                </div>
-
-                <div class="form-section">
-                    <h4>🔗 Relationships</h4>
-                    <div class="form-group">
-                        <div class="checkbox-item" style="background: #e8f5e8; padding: 12px; border-radius: 8px;">
-                            <input type="checkbox" id="knowledgebase">
-                            <label for="knowledgebase">📚 Has Extended Knowledgebase</label>
-                        </div>
-                    </div>
-
-                    <div class="form-group">
-                        <label for="tagsInput">🏷️ Tags</label>
-                        <div class="tags-input" id="tagsInput" onclick="focusTagInput()">
-                            <input type="text" id="tagInputField" placeholder="Add tags..." onkeydown="handleTagInput(event)" style="border: none; outline: none; flex: 1; min-width: 100px;">
-                        </div>
-                    </div>
-
-                    <div class="form-group">
-                        <label for="relatedConceptsInput">💡 Related Concepts</label>
-                        <div class="tags-input" id="relatedConceptsInput" onclick="focusRelatedConceptInput()">
-                            <input type="text" id="relatedConceptInputField" placeholder="Add concept names..." onkeydown="handleRelatedConceptInput(event)" style="border: none; outline: none; flex: 1; min-width: 100px;">
-                        </div>
-                    </div>
-
-                    <div class="form-group">
-                        <label for="relatedSoftwareInput">🛠️ Related Software</label>
-                        <div class="tags-input" id="relatedSoftwareInput" onclick="focusRelatedSoftwareInput()">
-                            <input type="text" id="relatedSoftwareInputField" placeholder="Add software names..." onkeydown="handleRelatedSoftwareInput(event)" style="border: none; outline: none; flex: 1; min-width: 100px;">
-                        </div>
-                    </div>
-                </div>
-
-                <div style="text-align: center; margin-top: 30px; padding: 20px; background: var(--light); border-radius: 10px;">
-                    <button type="button" class="btn btn-success" onclick="saveTool()">💾 Save Tool</button>
-                    <button type="button" class="btn btn-secondary" onclick="clearForm()">🔄 Clear Form</button>
-                    <button type="button" class="btn btn-warning" onclick="cancelEdit()">❌ Cancel Edit</button>
-                </div>
-            </form>
-        </div>
-
-        <!-- Enhanced Bulk Edit Tab -->
-        <div id="bulk" class="tab-content">
-            <div class="bulk-section">
-                <h3>📋 Bulk Operations</h3>
-                <div id="selectionInfo" style="margin-bottom: 15px; padding: 15px; background: white; border-radius: 8px; font-weight: 600; text-align: center; border: 2px solid var(--primary);">
-                    No tools selected
-                </div>
-
-                <div class="bulk-controls">
-                    <button class="btn" onclick="selectAllTools()">✅ Select All</button>
-                    <button class="btn btn-secondary" onclick="clearSelection()">❌ Clear Selection</button>
-                    <button class="btn btn-warning" onclick="bulkSetType()">🔄 Set Type</button>
-                    <button class="btn btn-warning" onclick="bulkSetSkillLevel()">📊 Set Skill Level</button>
-                </div>
-
-                <h4 style="margin: 25px 0 10px 0; color: var(--dark); border-bottom: 2px solid var(--border); padding-bottom: 5px;">🏷️ Tags Operations</h4>
-                <div class="bulk-controls">
-                    <button class="btn btn-accent" onclick="bulkAddTags()">➕ Add Tags</button>
-                    <button class="btn btn-danger" onclick="bulkRemoveTags()">➖ Remove Tags</button>
-                    <button class="btn btn-secondary" onclick="bulkReplaceTags()">🔄 Replace Tags</button>
-                    <button class="btn btn-danger" onclick="bulkClearTags()">🗑️ Clear All Tags</button>
-                </div>
-
-                <h4 style="margin: 25px 0 10px 0; color: var(--dark); border-bottom: 2px solid var(--border); padding-bottom: 5px;">🎯 Classification Operations</h4>
-                <div class="bulk-controls">
-                    <button class="btn btn-accent" onclick="bulkAddDomains()">➕ Add Domains</button>
-                    <button class="btn btn-danger" onclick="bulkRemoveDomains()">➖ Remove Domains</button>
-                    <button class="btn btn-danger" onclick="bulkClearDomains()">🗑️ Clear Domains</button>
-                    <button class="btn btn-accent" onclick="bulkAddPhases()">➕ Add Phases</button>
-                    <button class="btn btn-danger" onclick="bulkRemovePhases()">➖ Remove Phases</button>
-                    <button class="btn btn-danger" onclick="bulkClearPhases()">🗑️ Clear Phases</button>
-                </div>
-
-                <h4 style="margin: 25px 0 10px 0; color: var(--dark); border-bottom: 2px solid var(--border); padding-bottom: 5px;">🎮 Scenarios Operations</h4>
-                <div class="bulk-controls">
-                    <button class="btn btn-accent" onclick="bulkAddScenarios()">➕ Add Scenarios</button>
-                    <button class="btn btn-danger" onclick="bulkRemoveScenarios()">➖ Remove Scenarios</button>
-                    <button class="btn btn-danger" onclick="bulkClearScenarios()">🗑️ Clear Scenarios</button>
-                </div>
-
-                <h4 style="margin: 25px 0 10px 0; color: var(--dark); border-bottom: 2px solid var(--border); padding-bottom: 5px;">💻 Platform Operations</h4>
-                <div class="bulk-controls">
-                    <button class="btn btn-accent" onclick="bulkAddPlatforms()">➕ Add Platforms</button>
-                    <button class="btn btn-danger" onclick="bulkRemovePlatforms()">➖ Remove Platforms</button>
-                    <button class="btn btn-danger" onclick="bulkClearPlatforms()">🗑️ Clear Platforms</button>
-                </div>
-
-                <h4 style="margin: 25px 0 10px 0; color: var(--dark); border-bottom: 2px solid var(--border); padding-bottom: 5px;">🔗 Relationships Operations</h4>
-                <div class="bulk-controls">
-                    <button class="btn btn-accent" onclick="bulkAddRelatedConcepts()">➕ Add Related Concepts</button>
-                    <button class="btn btn-danger" onclick="bulkRemoveRelatedConcepts()">➖ Remove Related Concepts</button>
-                    <button class="btn btn-danger" onclick="bulkClearRelatedConcepts()">🗑️ Clear Related Concepts</button>
-                    <button class="btn btn-accent" onclick="bulkAddRelatedSoftware()">➕ Add Related Software</button>
-                    <button class="btn btn-danger" onclick="bulkRemoveRelatedSoftware()">➖ Remove Related Software</button>
-                    <button class="btn btn-danger" onclick="bulkClearRelatedSoftware()">🗑️ Clear Related Software</button>
-                </div>
-
-                <h4 style="margin: 25px 0 10px 0; color: var(--danger); border-bottom: 2px solid var(--danger); padding-bottom: 5px;">⚠️ Dangerous Operations</h4>
-                <div class="bulk-controls">
-                    <button class="btn btn-danger" onclick="bulkDelete()">💀 Delete Selected Tools</button>
-                </div>
-            </div>
-            <div id="bulkToolsGrid" class="tools-grid"></div>
-        </div>
-
-        <!-- Knowledge Generator Tab -->
-        <div id="knowledge" class="tab-content">
-            <div style="background: #fff3cd; border: 1px solid #ffeaa7; border-radius: 8px; padding: 20px; margin-top: 20px;">
-                <h3>📚 Knowledgebase Entry Generator</h3>
-                <p>Generate properly formatted markdown files for ForensicPathways knowledgebase.</p>
-                
-                <div class="form-group">
-                    <label for="knowledgeToolSelect">Select Tool/Concept:</label>
-                    <select id="knowledgeToolSelect" onchange="generateKnowledgeTemplate()">
-                        <option value="">Choose a tool or concept...</option>
-                    </select>
-                </div>
-
-                <div id="knowledgePreview" class="hidden">
-                    <h4>Generated Markdown Template:</h4>
-                    <textarea id="markdownContent" readonly style="width: 100%; height: 400px; font-family: monospace; background: var(--light); border: 1px solid var(--border); border-radius: 4px; padding: 15px;"></textarea>
-                    <div style="margin-top: 10px;">
-                        <button class="btn" onclick="downloadMarkdown()">💾 Download Markdown</button>
-                        <button class="btn btn-secondary" onclick="copyMarkdown()">📋 Copy to Clipboard</button>
-                    </div>
-                </div>
-            </div>
-        </div>
-
-        <!-- Export Tab -->
-        <div id="export" class="tab-content">
-            <h3>💾 Export & Preview</h3>
-            
-            <div id="yamlPreview" class="hidden">
-                <h4>YAML Preview:</h4>
-                <textarea id="yamlPreviewText" readonly style="width: 100%; height: 400px; font-family: monospace; border: 2px solid var(--border); border-radius: 8px; padding: 15px;"></textarea>
-            </div>
-
-            <div style="text-align: center; margin-top: 20px;">
-                <button class="btn" onclick="previewYAML()">👁️ Preview YAML</button>
-                <button class="btn btn-success" onclick="exportYAML()">📥 Export YAML</button>
-                <button class="btn btn-secondary" onclick="exportJSON()">📄 Export JSON</button>
-            </div>
-        </div>
-    </div>
-
-    <script>
-        let yamlData = null;
-        let currentEditingIndex = -1;
-        let selectedTools = new Set();
-        let filteredToolsCache = [];
-
-        // Initialize with correct YAML structure including scenarios
-        function init() {
-            yamlData = {
-                tools: [],
-                domains: [
-                    { id: 'incident-response', name: 'Incident Response & Breach-Untersuchung' },
-                    { id: 'static-investigations', name: 'Datenträgerforensik & Ermittlungen' },
-                    { id: 'malware-analysis', name: 'Malware-Analyse & Reverse Engineering' },
-                    { id: 'fraud-investigation', name: 'Betrugs- & Finanzkriminalität' },
-                    { id: 'network-forensics', name: 'Netzwerk-Forensik & Traffic-Analyse' },
-                    { id: 'mobile-forensics', name: 'Mobile Geräte & App-Forensik' },
-                    { id: 'cloud-forensics', name: 'Cloud & Virtuelle Umgebungen' },
-                    { id: 'ics-forensics', name: 'Industrielle Kontrollsysteme (ICS/SCADA)' }
-                ],
-                phases: [
-                    { id: 'data-collection', name: 'Datensammlung', description: 'Imaging, Acquisition, Remote Collection Tools' },
-                    { id: 'examination', name: 'Auswertung', description: 'Parsing, Extraction, Initial Analysis Tools' },
-                    { id: 'analysis', name: 'Analyse', description: 'Deep Analysis, Correlation, Visualization Tools' },
-                    { id: 'reporting', name: 'Bericht & Präsentation', description: 'Documentation, Visualization, Presentation Tools' }
-                ],
-                'domain-agnostic-software': [
-                    { id: 'collaboration-general', name: 'Übergreifend & Kollaboration', description: 'Cross-cutting tools and collaboration platforms' },
-                    { id: 'specific-os', name: 'Betriebssysteme', description: 'Operating Systems which focus on forensics' }
-                ],
-                scenarios: [
-                    { id: 'scenario:disk_imaging', icon: '💽', friendly_name: 'Datenträgerabbild' },
-                    { id: 'scenario:memory_dump', icon: '🧠', friendly_name: 'RAM-Analyse' },
-                    { id: 'scenario:file_recovery', icon: '🗑️', friendly_name: 'Datenrettung' },
-                    { id: 'scenario:browser_history', icon: '🌍', friendly_name: 'Browser-Spuren' },
-                    { id: 'scenario:credential_theft', icon: '🛑', friendly_name: 'Zugangsdiebstahl' },
-                    { id: 'scenario:remote_access', icon: '📡', friendly_name: 'Fernzugriffe' },
-                    { id: 'scenario:persistence', icon: '♻️', friendly_name: 'Persistenzsuche' },
-                    { id: 'scenario:windows-registry', icon: '📜', friendly_name: 'Registry-Analyse' }
-                ]
-            };
-            
-            populateFormOptions();
-            updateStats();
-            renderToolsGrid();
-            updateKnowledgeToolSelect();
-        }
-
-        function showTab(tabName) {
-            document.querySelectorAll('.tab-content').forEach(content => content.classList.remove('active'));
-            document.querySelectorAll('.tab').forEach(tab => tab.classList.remove('active'));
-            
-            document.getElementById(tabName).classList.add('active');
-            event.target.classList.add('active');
-
-            if (tabName === 'tools') renderToolsGrid();
-            else if (tabName === 'bulk') renderBulkGrid();
-            else if (tabName === 'knowledge') updateKnowledgeToolSelect();
-        }
-
-        // Enhanced Search Functionality including scenarios and related_software
-        function applySearch() {
-            applyFilters();
-        }
-
-        function searchTools(tools, searchTerm) {
-            if (!searchTerm) return tools;
-            
-            const term = searchTerm.toLowerCase();
-            return tools.filter(tool => {
-                // Search in name
-                if (tool.name && tool.name.toLowerCase().includes(term)) return true;
-                
-                // Search in description
-                if (tool.description && tool.description.toLowerCase().includes(term)) return true;
-                
-                // Search in tags (includes scenarios as scenario: prefixed tags)
-                if (tool.tags && tool.tags.some(tag => tag.toLowerCase().includes(term))) return true;
-                
-                // Search in related concepts
-                if (tool.related_concepts && tool.related_concepts.some(concept => concept.toLowerCase().includes(term))) return true;
-                
-                // Search in related software
-                if (tool.related_software && tool.related_software.some(software => software.toLowerCase().includes(term))) return true;
-                
-                // Search in scenario friendly names (from tags that start with scenario:)
-                if (tool.tags && tool.tags.some(tag => {
-                    if (tag.startsWith('scenario:')) {
-                        const scenarioData = yamlData.scenarios.find(s => s.id === tag);
-                        return scenarioData && scenarioData.friendly_name.toLowerCase().includes(term);
-                    }
-                    return false;
-                })) return true;
-                
-                // Search in type
-                if (tool.type && tool.type.toLowerCase().includes(term)) return true;
-                
-                // Search in platforms
-                if (tool.platforms && tool.platforms.some(platform => platform.toLowerCase().includes(term))) return true;
-                
-                return false;
-            });
-        }
-
-        function populateFormOptions() {
-            // Populate domains
-            const domainsContainer = document.getElementById('domainsCheckbox');
-            domainsContainer.innerHTML = '';
-            yamlData.domains.forEach(domain => {
-                const div = document.createElement('div');
-                div.className = 'checkbox-item';
-                div.innerHTML = `<input type="checkbox" value="${domain.id}" id="domain-${domain.id}"><label for="domain-${domain.id}">${domain.name}</label>`;
-                domainsContainer.appendChild(div);
-            });
-
-            // Populate phases
-            const phasesContainer = document.getElementById('phasesCheckbox');
-            phasesContainer.innerHTML = '';
-            yamlData.phases.forEach(phase => {
-                const div = document.createElement('div');
-                div.className = 'checkbox-item';
-                div.innerHTML = `<input type="checkbox" value="${phase.id}" id="phase-${phase.id}"><label for="phase-${phase.id}">${phase.name}</label>`;
-                phasesContainer.appendChild(div);
-            });
-
-            // Populate scenarios
-            const scenariosContainer = document.getElementById('scenariosCheckbox');
-            scenariosContainer.innerHTML = '';
-            yamlData.scenarios.forEach(scenario => {
-                const div = document.createElement('div');
-                div.className = 'checkbox-item';
-                div.innerHTML = `<input type="checkbox" value="${scenario.id}" id="scenario-${scenario.id}"><label for="scenario-${scenario.id}">${scenario.icon} ${scenario.friendly_name}</label>`;
-                scenariosContainer.appendChild(div);
-            });
-
-            // Populate domain-agnostic software
-            const domainAgnosticContainer = document.getElementById('domainAgnosticCheckbox');
-            domainAgnosticContainer.innerHTML = '';
-            yamlData['domain-agnostic-software'].forEach(category => {
-                const div = document.createElement('div');
-                div.className = 'checkbox-item';
-                div.innerHTML = `<input type="checkbox" value="${category.id}" id="domain-agnostic-${category.id}"><label for="domain-agnostic-${category.id}">${category.name}</label>`;
-                domainAgnosticContainer.appendChild(div);
-            });
-        }
-
-        function toggleConditionalFields() {
-            const toolType = document.getElementById('toolType').value;
-            const softwareMethodFields = document.getElementById('softwareMethodFields');
-            const softwareFields = document.getElementById('softwareFields');
-
-            if (toolType === 'concept') {
-                softwareMethodFields.style.display = 'none';
-                softwareFields.style.display = 'none';
-            } else if (toolType === 'method') {
-                softwareMethodFields.style.display = 'block';
-                softwareFields.style.display = 'none';
-            } else {
-                softwareMethodFields.style.display = 'block';
-                softwareFields.style.display = 'block';
-            }
-        }
-
-        function loadFile() {
-            const file = document.getElementById('fileInput').files[0];
-            if (!file) return;
-
-            const reader = new FileReader();
-            reader.onload = function(e) {
-                try {
-                    yamlData = jsyaml.load(e.target.result);
-                    showMessage('YAML file loaded successfully!', 'success');
-                    populateFormOptions();
-                    updateStats();
-                    renderToolsGrid();
-                    updateKnowledgeToolSelect();
-                } catch (error) {
-                    showMessage('Error loading YAML file: ' + error.message, 'error');
-                }
-            };
-            reader.readAsText(file);
-        }
-
-        function showMessage(message, type = 'success') {
-            // Remove existing messages
-            document.querySelectorAll('.message').forEach(msg => msg.remove());
-            
-            const messageDiv = document.createElement('div');
-            messageDiv.className = `message ${type}`;
-            messageDiv.textContent = message;
-            document.body.appendChild(messageDiv);
-            
-            setTimeout(() => {
-                if (messageDiv.parentNode) {
-                    messageDiv.remove();
-                }
-            }, 4000);
-        }
-
-        function updateStats() {
-            if (!yamlData?.tools) return;
-
-            const stats = {
-                total: yamlData.tools.length,
-                software: yamlData.tools.filter(t => t.type === 'software' || !t.type).length,
-                methods: yamlData.tools.filter(t => t.type === 'method').length,
-                concepts: yamlData.tools.filter(t => t.type === 'concept').length,
-                withKnowledgebase: yamlData.tools.filter(t => t.knowledgebase).length,
-                withRelatedSoftware: yamlData.tools.filter(t => t.related_software && t.related_software.length > 0).length
-            };
-
-            document.getElementById('stats').innerHTML = `
-                <div class="stat-card"><h3>${stats.total}</h3><p>Total Items</p></div>
-                <div class="stat-card"><h3>${stats.software}</h3><p>Software Tools</p></div>
-                <div class="stat-card"><h3>${stats.methods}</h3><p>Methods</p></div>
-                <div class="stat-card"><h3>${stats.concepts}</h3><p>Concepts</p></div>
-                <div class="stat-card"><h3>${stats.withKnowledgebase}</h3><p>With Knowledgebase</p></div>
-                <div class="stat-card"><h3>${stats.withRelatedSoftware}</h3><p>With Related Software</p></div>
-            `;
-        }
-
-        // Enhanced tag input handlers for related software
-        function focusTagInput() { document.getElementById('tagInputField').focus(); }
-        function focusRelatedConceptInput() { document.getElementById('relatedConceptInputField').focus(); }
-        function focusRelatedSoftwareInput() { document.getElementById('relatedSoftwareInputField').focus(); }
-
-        function handleTagInput(event) {
-            if (event.key === 'Enter' || event.key === ',') {
-                event.preventDefault();
-                const input = event.target;
-                const value = input.value.trim();
-                if (value) {
-                    addTag('tagsInput', value);
-                    input.value = '';
-                }
-            }
-        }
-
-        function handleRelatedConceptInput(event) {
-            if (event.key === 'Enter' || event.key === ',') {
-                event.preventDefault();
-                const input = event.target;
-                const value = input.value.trim();
-                if (value) {
-                    addTag('relatedConceptsInput', value);
-                    input.value = '';
-                }
-            }
-        }
-
-        function handleRelatedSoftwareInput(event) {
-            if (event.key === 'Enter' || event.key === ',') {
-                event.preventDefault();
-                const input = event.target;
-                const value = input.value.trim();
-                if (value) {
-                    addTag('relatedSoftwareInput', value);
-                    input.value = '';
-                }
-            }
-        }
-
-        function addTag(containerId, value) {
-            const container = document.getElementById(containerId);
-            const input = container.querySelector('input');
-            
-            const tag = document.createElement('span');
-            tag.className = 'tag';
-            tag.innerHTML = `${value} <span class="tag-remove" onclick="this.parentElement.remove()">×</span>`;
-            container.insertBefore(tag, input);
-        }
-
-        function getCheckedValues(selector) {
-            return Array.from(document.querySelectorAll(selector + ':checked')).map(cb => cb.value);
-        }
-
-        function getTags() {
-            return Array.from(document.querySelectorAll('#tagsInput .tag')).map(tag => 
-                tag.textContent.replace('×', '').trim()
-            ).filter(tag => tag);
-        }
-
-        function getRelatedConcepts() {
-            return Array.from(document.querySelectorAll('#relatedConceptsInput .tag')).map(tag => 
-                tag.textContent.replace('×', '').trim()
-            ).filter(concept => concept);
-        }
-
-        function getRelatedSoftware() {
-            return Array.from(document.querySelectorAll('#relatedSoftwareInput .tag')).map(tag => 
-                tag.textContent.replace('×', '').trim()
-            ).filter(software => software);
-        }
-
-        function saveTool() {
-            try {
-                if (!yamlData) yamlData = { tools: [] };
-                if (!yamlData.tools) yamlData.tools = [];
-
-                const toolType = document.getElementById('toolType').value;
-                const tool = {
-                    name: document.getElementById('toolName').value,
-                    type: toolType,
-                    description: document.getElementById('description').value,
-                    skillLevel: document.getElementById('skillLevel').value,
-                    url: document.getElementById('url').value
-                };
-
-                // Add icon if provided
-                const icon = document.getElementById('toolIcon').value.trim();
-                if (icon) tool.icon = icon;
-
-                // Add domains, phases
-                tool.domains = getCheckedValues('#domainsCheckbox input:checked');
-                tool.phases = getCheckedValues('#phasesCheckbox input:checked');
-
-                // Add tags and scenario tags (scenarios get added to tags with scenario: prefix)
-                const tags = getTags();
-                const scenarioTags = getCheckedValues('#scenariosCheckbox input:checked');
-                const allTags = [...tags, ...scenarioTags];
-                if (allTags.length > 0) tool.tags = allTags;
-
-                const relatedConcepts = getRelatedConcepts();
-                if (relatedConcepts.length > 0) tool.related_concepts = relatedConcepts;
-
-                const relatedSoftware = getRelatedSoftware();
-                if (relatedSoftware.length > 0) tool.related_software = relatedSoftware;
-
-                // Type-specific fields
-                if (toolType === 'software') {
-                    tool.platforms = getCheckedValues('#platformsCheckbox input:checked');
-                    
-                    const accessType = document.getElementById('accessType').value;
-                    if (accessType) tool.accessType = accessType;
-                    
-                    const license = document.getElementById('license').value.trim();
-                    if (license) tool.license = license;
-                    
-                    const projectUrl = document.getElementById('projectUrl').value.trim();
-                    if (projectUrl) tool.projectUrl = projectUrl;
-                    
-                    const statusUrl = document.getElementById('statusUrl').value.trim();
-                    if (statusUrl) tool.statusUrl = statusUrl;
-
-                    tool.knowledgebase = document.getElementById('knowledgebase').checked;
-
-                    const domainAgnostic = getCheckedValues('#domainAgnosticCheckbox input:checked');
-                    if (domainAgnostic.length > 0) tool['domain-agnostic-software'] = domainAgnostic;
-                } else if (toolType === 'method') {
-                    tool.platforms = getCheckedValues('#platformsCheckbox input:checked');
-                    const domainAgnostic = getCheckedValues('#domainAgnosticCheckbox input:checked');
-                    if (domainAgnostic.length > 0) tool['domain-agnostic-software'] = domainAgnostic;
-                    tool.knowledgebase = document.getElementById('knowledgebase').checked;
-                } else if (toolType === 'concept') {
-                    tool.knowledgebase = document.getElementById('knowledgebase').checked;
-                }
-
-                if (currentEditingIndex >= 0) {
-                    yamlData.tools[currentEditingIndex] = tool;
-                    showMessage('Tool updated successfully!');
-                    currentEditingIndex = -1;
-                } else {
-                    yamlData.tools.push(tool);
-                    showMessage('Tool added successfully!');
-                }
-
-                clearForm();
-                updateStats();
-                renderToolsGrid();
-                updateKnowledgeToolSelect();
-            } catch (error) {
-                showMessage('Error saving tool: ' + error.message, 'error');
-            }
-        }
-
-        function clearForm() {
-            document.getElementById('toolForm').reset();
-            
-            // Clear all tag inputs properly
-            document.getElementById('tagsInput').innerHTML = '<input type="text" id="tagInputField" placeholder="Add tags..." onkeydown="handleTagInput(event)" style="border: none; outline: none; flex: 1; min-width: 100px;">';
-            document.getElementById('relatedConceptsInput').innerHTML = '<input type="text" id="relatedConceptInputField" placeholder="Add concept names..." onkeydown="handleRelatedConceptInput(event)" style="border: none; outline: none; flex: 1; min-width: 100px;">';
-            document.getElementById('relatedSoftwareInput').innerHTML = '<input type="text" id="relatedSoftwareInputField" placeholder="Add software names..." onkeydown="handleRelatedSoftwareInput(event)" style="border: none; outline: none; flex: 1; min-width: 100px;">';
-            
-            // Clear all checkboxes
-            document.querySelectorAll('#domainsCheckbox input[type="checkbox"]').forEach(cb => cb.checked = false);
-            document.querySelectorAll('#phasesCheckbox input[type="checkbox"]').forEach(cb => cb.checked = false);
-            document.querySelectorAll('#scenariosCheckbox input[type="checkbox"]').forEach(cb => cb.checked = false);
-            document.querySelectorAll('#platformsCheckbox input[type="checkbox"]').forEach(cb => cb.checked = false);
-            document.querySelectorAll('#domainAgnosticCheckbox input[type="checkbox"]').forEach(cb => cb.checked = false);
-            
-            currentEditingIndex = -1;
-            toggleConditionalFields();
-        }
-
-        function cancelEdit() {
-            clearForm();
-            showMessage('Edit cancelled');
-        }
-
-        function editTool(index) {
-            const tool = yamlData.tools[index];
-            currentEditingIndex = index;
-
-            // Populate form fields
-            document.getElementById('toolType').value = tool.type || 'software';
-            document.getElementById('toolName').value = tool.name || '';
-            document.getElementById('toolIcon').value = tool.icon || '';
-            document.getElementById('description').value = tool.description || '';
-            document.getElementById('skillLevel').value = tool.skillLevel || 'intermediate';
-            document.getElementById('url').value = tool.url || '';
-
-            // Software-specific fields
-            if (tool.type === 'software' || !tool.type) {
-                document.getElementById('accessType').value = tool.accessType || '';
-                document.getElementById('projectUrl').value = tool.projectUrl || '';
-                document.getElementById('license').value = tool.license || '';
-                document.getElementById('statusUrl').value = tool.statusUrl || '';
-            }
-
-            document.getElementById('knowledgebase').checked = tool.knowledgebase || false;
-
-            // Set checkboxes
-            setCheckboxValues('#domainsCheckbox input', tool.domains || []);
-            setCheckboxValues('#phasesCheckbox input', tool.phases || []);
-            setCheckboxValues('#platformsCheckbox input', tool.platforms || []);
-            setCheckboxValues('#domainAgnosticCheckbox input', tool['domain-agnostic-software'] || []);
-
-            // Separate scenario tags from regular tags
-            const allTags = tool.tags || [];
-            const scenarioTags = allTags.filter(tag => tag.startsWith('scenario:'));
-            const regularTags = allTags.filter(tag => !tag.startsWith('scenario:'));
-            
-            // Set scenario checkboxes based on scenario tags
-            setCheckboxValues('#scenariosCheckbox input', scenarioTags);
-
-            // Set regular tags
-            const tagsContainer = document.getElementById('tagsInput');
-            tagsContainer.innerHTML = '<input type="text" id="tagInputField" placeholder="Add tags..." onkeydown="handleTagInput(event)" style="border: none; outline: none; flex: 1; min-width: 100px;">';
-            regularTags.forEach(tag => addTag('tagsInput', tag));
-
-            // Set related concepts
-            const conceptsContainer = document.getElementById('relatedConceptsInput');
-            conceptsContainer.innerHTML = '<input type="text" id="relatedConceptInputField" placeholder="Add concept names..." onkeydown="handleRelatedConceptInput(event)" style="border: none; outline: none; flex: 1; min-width: 100px;">';
-            (tool.related_concepts || []).forEach(concept => addTag('relatedConceptsInput', concept));
-
-            // Set related software
-            const softwareContainer = document.getElementById('relatedSoftwareInput');
-            softwareContainer.innerHTML = '<input type="text" id="relatedSoftwareInputField" placeholder="Add software names..." onkeydown="handleRelatedSoftwareInput(event)" style="border: none; outline: none; flex: 1; min-width: 100px;">';
-            (tool.related_software || []).forEach(software => addTag('relatedSoftwareInput', software));
-
-            toggleConditionalFields();
-            showTab('editor');
-        }
-
-        function setCheckboxValues(selector, values) {
-            document.querySelectorAll(selector).forEach(cb => {
-                cb.checked = values.includes(cb.value);
-            });
-        }
-
-        function deleteTool(index) {
-            if (confirm('Are you sure you want to delete this tool?')) {
-                yamlData.tools.splice(index, 1);
-                showMessage('Tool deleted successfully!');
-                updateStats();
-                renderToolsGrid();
-                updateKnowledgeToolSelect();
-            }
-        }
-
-        function renderToolsGrid() {
-            const container = document.getElementById('toolsGrid');
-            container.innerHTML = '';
-            
-            if (!yamlData?.tools) return;
-
-            let filteredTools = yamlData.tools;
-            
-            // Apply search filter
-            const searchTerm = document.getElementById('searchInput')?.value;
-            if (searchTerm) {
-                filteredTools = searchTools(filteredTools, searchTerm);
-            }
-            
-            // Apply type and skill filters
-            const typeFilter = document.getElementById('typeFilter')?.value;
-            const skillFilter = document.getElementById('skillFilter')?.value;
-
-            if (typeFilter) filteredTools = filteredTools.filter(tool => (tool.type || 'software') === typeFilter);
-            if (skillFilter) filteredTools = filteredTools.filter(tool => tool.skillLevel === skillFilter);
-
-            // Cache filtered results
-            filteredToolsCache = filteredTools;
-
-            // Update search results info
-            const searchResults = document.getElementById('searchResults');
-            if (searchResults) {
-                const totalTools = yamlData.tools.length;
-                const filteredCount = filteredTools.length;
-                if (searchTerm || typeFilter || skillFilter) {
-                    searchResults.textContent = `Showing ${filteredCount} of ${totalTools} tools`;
-                } else {
-                    searchResults.textContent = `Showing all ${totalTools} tools`;
-                }
-            }
-
-            filteredTools.forEach((tool, index) => {
-                const originalIndex = yamlData.tools.indexOf(tool);
-                const card = createToolCard(tool, originalIndex);
-                container.appendChild(card);
-            });
-        }
-
-        function createToolCard(tool, index) {
-            const card = document.createElement('div');
-            card.className = `tool-card ${tool.type || 'software'}`;
-            
-            const tags = (tool.tags || []).filter(tag => !tag.startsWith('scenario:')).map(tag => `<span class="tag">${tag}</span>`).join('');
-            const knowledgebaseIndicator = tool.knowledgebase ? '<span class="tag" style="background: #e8f5e8; color: #27ae60;">📚 KB</span>' : '';
-            const relatedSoftwareIndicator = (tool.related_software && tool.related_software.length > 0) ? '<span class="tag" style="background: #e3f2fd; color: #1976d2;">🔗 SW</span>' : '';
-            const scenarioTags = (tool.tags || []).filter(tag => tag.startsWith('scenario:'));
-            const scenariosIndicator = scenarioTags.length > 0 ? '<span class="tag" style="background: #f3e5f5; color: #7b1fa2;">🎮 SC</span>' : '';
-            
-            card.innerHTML = `
-                <h3>${tool.icon ? tool.icon + ' ' : ''}${tool.name} <span style="font-size: 0.7em; color: #666;">[${tool.type || 'software'}]</span></h3>
-                <p style="margin-bottom: 15px;">${tool.description}</p>
-                <div style="margin: 10px 0; min-height: 30px;">${tags} ${knowledgebaseIndicator} ${relatedSoftwareIndicator} ${scenariosIndicator}</div>
-                <div style="display: flex; gap: 5px; margin-top: auto;">
-                    <button class="btn btn-secondary" onclick="editTool(${index})" style="flex: 1; padding: 8px;">✏️ Edit</button>
-                    <button class="btn btn-danger" onclick="deleteTool(${index})" style="flex: 1; padding: 8px;">🗑️ Delete</button>
-                </div>
-            `;
-            
-            return card;
-        }
-
-        function applyFilters() { renderToolsGrid(); }
-        
-        function clearFilters() {
-            document.getElementById('typeFilter').value = '';
-            document.getElementById('skillFilter').value = '';
-            document.getElementById('searchInput').value = '';
-            renderToolsGrid();
-        }
-
-        // Enhanced Bulk Operations including scenarios and related software
-        function renderBulkGrid() {
-            const container = document.getElementById('bulkToolsGrid');
-            container.innerHTML = '';
-            
-            if (!yamlData?.tools) return;
-
-            yamlData.tools.forEach((tool, index) => {
-                const card = createBulkToolCard(tool, index);
-                container.appendChild(card);
-            });
-
-            updateSelectionCount();
-        }
-
-        function createBulkToolCard(tool, index) {
-            const card = document.createElement('div');
-            card.className = `tool-card ${tool.type || 'software'}`;
-            
-            const isSelected = selectedTools.has(index);
-            card.style.opacity = isSelected ? '1' : '0.7';
-            card.style.border = isSelected ? '2px solid var(--primary)' : '1px solid var(--border)';
-            
-            const indicators = [];
-            if (tool.knowledgebase) indicators.push('📚');
-            if (tool.related_software?.length > 0) indicators.push('🔗');
-            
-            // Check for scenario tags
-            const scenarioTags = (tool.tags || []).filter(tag => tag.startsWith('scenario:'));
-            if (scenarioTags.length > 0) indicators.push('🎮');
-            
-            card.innerHTML = `
-                <div style="display: flex; align-items: center; gap: 10px; margin-bottom: 10px;">
-                    <input type="checkbox" ${isSelected ? 'checked' : ''} onchange="toggleToolSelection(${index})" style="transform: scale(1.2);">
-                    <h3 style="margin: 0; flex: 1;">${tool.icon ? tool.icon + ' ' : ''}${tool.name}</h3>
-                    <div style="font-size: 1.2em;">${indicators.join(' ')}</div>
-                </div>
-                <p style="margin-bottom: 10px;">${tool.description}</p>
-                <div style="display: flex; gap: 8px; flex-wrap: wrap;">
-                    <span style="background: var(--light); padding: 2px 6px; border-radius: 10px; font-size: 0.8em;">${tool.type || 'software'}</span>
-                    <span style="background: var(--light); padding: 2px 6px; border-radius: 10px; font-size: 0.8em;">${tool.skillLevel}</span>
-                </div>
-            `;
-            
-            return card;
-        }
-
-        function toggleToolSelection(index) {
-            if (selectedTools.has(index)) {
-                selectedTools.delete(index);
-            } else {
-                selectedTools.add(index);
-            }
-            updateSelectionCount();
-            renderBulkGrid();
-        }
-
-        function selectAllTools() {
-            selectedTools.clear();
-            yamlData.tools.forEach((_, index) => selectedTools.add(index));
-            updateSelectionCount();
-            renderBulkGrid();
-        }
-
-        function clearSelection() {
-            selectedTools.clear();
-            updateSelectionCount();
-            renderBulkGrid();
-        }
-
-        function updateSelectionCount() {
-            const count = selectedTools.size;
-            const info = document.getElementById('selectionInfo');
-            if (count === 0) {
-                info.textContent = 'No tools selected';
-                info.style.background = 'white';
-                info.style.borderColor = 'var(--border)';
-            } else {
-                info.textContent = `${count} tool(s) selected`;
-                info.style.background = '#e3f2fd';
-                info.style.borderColor = 'var(--primary)';
-            }
-        }
-
-        // Enhanced bulk operations with scenarios and related software
-        function bulkSetType() {
-            if (selectedTools.size === 0) return showMessage('No tools selected', 'error');
-            const newType = prompt('Enter new type (software/method/concept):');
-            if (newType && ['software', 'method', 'concept'].includes(newType)) {
-                selectedTools.forEach(index => yamlData.tools[index].type = newType);
-                showMessage(`Updated type for ${selectedTools.size} tools`);
-                updateStats();
-                renderBulkGrid();
-            }
-        }
-
-        function bulkSetSkillLevel() {
-            if (selectedTools.size === 0) return showMessage('No tools selected', 'error');
-            const newLevel = prompt('Enter skill level (novice/beginner/intermediate/advanced/expert):');
-            if (newLevel && ['novice', 'beginner', 'intermediate', 'advanced', 'expert'].includes(newLevel)) {
-                selectedTools.forEach(index => yamlData.tools[index].skillLevel = newLevel);
-                showMessage(`Updated skill level for ${selectedTools.size} tools`);
-                renderBulkGrid();
-            }
-        }
-
-        function bulkAddTags() {
-            if (selectedTools.size === 0) return showMessage('No tools selected', 'error');
-            const tags = prompt('Enter tags to add (comma-separated):');
-            if (tags) {
-                const tagList = tags.split(',').map(t => t.trim()).filter(t => t);
-                selectedTools.forEach(index => {
-                    const tool = yamlData.tools[index];
-                    tool.tags = [...new Set([...(tool.tags || []), ...tagList])];
-                });
-                showMessage(`Added tags to ${selectedTools.size} tools`);
-                renderBulkGrid();
-            }
-        }
-
-        function bulkRemoveTags() {
-            if (selectedTools.size === 0) return showMessage('No tools selected', 'error');
-            const tags = prompt('Enter tags to remove (comma-separated):');
-            if (tags) {
-                const tagList = tags.split(',').map(t => t.trim()).filter(t => t);
-                selectedTools.forEach(index => {
-                    const tool = yamlData.tools[index];
-                    if (tool.tags) {
-                        tool.tags = tool.tags.filter(tag => !tagList.includes(tag));
-                        if (tool.tags.length === 0) delete tool.tags;
-                    }
-                });
-                showMessage(`Removed tags from ${selectedTools.size} tools`);
-                renderBulkGrid();
-            }
-        }
-
-        function bulkReplaceTags() {
-            if (selectedTools.size === 0) return showMessage('No tools selected', 'error');
-            const tags = prompt('Enter new tags (comma-separated, will replace all existing tags):');
-            if (tags !== null) {
-                const tagList = tags.split(',').map(t => t.trim()).filter(t => t);
-                selectedTools.forEach(index => {
-                    const tool = yamlData.tools[index];
-                    if (tagList.length > 0) {
-                        tool.tags = tagList;
-                    } else {
-                        delete tool.tags;
-                    }
-                });
-                showMessage(`Replaced tags for ${selectedTools.size} tools`);
-                renderBulkGrid();
-            }
-        }
-
-        function bulkClearTags() {
-            if (selectedTools.size === 0) return showMessage('No tools selected', 'error');
-            if (confirm(`Are you sure you want to clear ALL tags from ${selectedTools.size} selected tools?`)) {
-                selectedTools.forEach(index => {
-                    delete yamlData.tools[index].tags;
-                });
-                showMessage(`Cleared tags from ${selectedTools.size} tools`);
-                renderBulkGrid();
-            }
-        }
-
-        // Domain operations
-        function bulkAddDomains() {
-            if (selectedTools.size === 0) return showMessage('No tools selected', 'error');
-            const domains = prompt('Enter domain IDs to add (comma-separated):');
-            if (domains) {
-                const domainList = domains.split(',').map(d => d.trim()).filter(d => d);
-                selectedTools.forEach(index => {
-                    const tool = yamlData.tools[index];
-                    tool.domains = [...new Set([...(tool.domains || []), ...domainList])];
-                });
-                showMessage(`Added domains to ${selectedTools.size} tools`);
-                renderBulkGrid();
-            }
-        }
-
-        function bulkRemoveDomains() {
-            if (selectedTools.size === 0) return showMessage('No tools selected', 'error');
-            const domains = prompt('Enter domain IDs to remove (comma-separated):');
-            if (domains) {
-                const domainList = domains.split(',').map(d => d.trim()).filter(d => d);
-                selectedTools.forEach(index => {
-                    const tool = yamlData.tools[index];
-                    if (tool.domains) {
-                        tool.domains = tool.domains.filter(domain => !domainList.includes(domain));
-                        if (tool.domains.length === 0) delete tool.domains;
-                    }
-                });
-                showMessage(`Removed domains from ${selectedTools.size} tools`);
-                renderBulkGrid();
-            }
-        }
-
-        function bulkClearDomains() {
-            if (selectedTools.size === 0) return showMessage('No tools selected', 'error');
-            if (confirm(`Are you sure you want to clear ALL domains from ${selectedTools.size} selected tools?`)) {
-                selectedTools.forEach(index => {
-                    delete yamlData.tools[index].domains;
-                });
-                showMessage(`Cleared domains from ${selectedTools.size} tools`);
-                renderBulkGrid();
-            }
-        }
-
-        // Phase operations
-        function bulkAddPhases() {
-            if (selectedTools.size === 0) return showMessage('No tools selected', 'error');
-            const phases = prompt('Enter phase IDs to add (comma-separated):');
-            if (phases) {
-                const phaseList = phases.split(',').map(p => p.trim()).filter(p => p);
-                selectedTools.forEach(index => {
-                    const tool = yamlData.tools[index];
-                    tool.phases = [...new Set([...(tool.phases || []), ...phaseList])];
-                });
-                showMessage(`Added phases to ${selectedTools.size} tools`);
-                renderBulkGrid();
-            }
-        }
-
-        function bulkRemovePhases() {
-            if (selectedTools.size === 0) return showMessage('No tools selected', 'error');
-            const phases = prompt('Enter phase IDs to remove (comma-separated):');
-            if (phases) {
-                const phaseList = phases.split(',').map(p => p.trim()).filter(p => p);
-                selectedTools.forEach(index => {
-                    const tool = yamlData.tools[index];
-                    if (tool.phases) {
-                        tool.phases = tool.phases.filter(phase => !phaseList.includes(phase));
-                        if (tool.phases.length === 0) delete tool.phases;
-                    }
-                });
-                showMessage(`Removed phases from ${selectedTools.size} tools`);
-                renderBulkGrid();
-            }
-        }
-
-        function bulkClearPhases() {
-            if (selectedTools.size === 0) return showMessage('No tools selected', 'error');
-            if (confirm(`Are you sure you want to clear ALL phases from ${selectedTools.size} selected tools?`)) {
-                selectedTools.forEach(index => {
-                    delete yamlData.tools[index].phases;
-                });
-                showMessage(`Cleared phases from ${selectedTools.size} tools`);
-                renderBulkGrid();
-            }
-        }
-
-        // Scenario operations (work with tags that have scenario: prefix)
-        function bulkAddScenarios() {
-            if (selectedTools.size === 0) return showMessage('No tools selected', 'error');
-            const scenarios = prompt('Enter scenario IDs to add (comma-separated, e.g., scenario:memory_dump,scenario:registry):');
-            if (scenarios) {
-                const scenarioList = scenarios.split(',').map(s => {
-                    const trimmed = s.trim();
-                    return trimmed.startsWith('scenario:') ? trimmed : `scenario:${trimmed}`;
-                }).filter(s => s !== 'scenario:');
-                selectedTools.forEach(index => {
-                    const tool = yamlData.tools[index];
-                    tool.tags = [...new Set([...(tool.tags || []), ...scenarioList])];
-                });
-                showMessage(`Added scenario tags to ${selectedTools.size} tools`);
-                renderBulkGrid();
-            }
-        }
-
-        function bulkRemoveScenarios() {
-            if (selectedTools.size === 0) return showMessage('No tools selected', 'error');
-            const scenarios = prompt('Enter scenario IDs to remove (comma-separated):');
-            if (scenarios) {
-                const scenarioList = scenarios.split(',').map(s => {
-                    const trimmed = s.trim();
-                    return trimmed.startsWith('scenario:') ? trimmed : `scenario:${trimmed}`;
-                }).filter(s => s !== 'scenario:');
-                selectedTools.forEach(index => {
-                    const tool = yamlData.tools[index];
-                    if (tool.tags) {
-                        tool.tags = tool.tags.filter(tag => !scenarioList.includes(tag));
-                        if (tool.tags.length === 0) delete tool.tags;
-                    }
-                });
-                showMessage(`Removed scenario tags from ${selectedTools.size} tools`);
-                renderBulkGrid();
-            }
-        }
-
-        function bulkClearScenarios() {
-            if (selectedTools.size === 0) return showMessage('No tools selected', 'error');
-            if (confirm(`Are you sure you want to clear ALL scenario tags from ${selectedTools.size} selected tools?`)) {
-                selectedTools.forEach(index => {
-                    const tool = yamlData.tools[index];
-                    if (tool.tags) {
-                        tool.tags = tool.tags.filter(tag => !tag.startsWith('scenario:'));
-                        if (tool.tags.length === 0) delete tool.tags;
-                    }
-                });
-                showMessage(`Cleared scenario tags from ${selectedTools.size} tools`);
-                renderBulkGrid();
-            }
-        }
-
-        // Platform operations
-        function bulkAddPlatforms() {
-            if (selectedTools.size === 0) return showMessage('No tools selected', 'error');
-            const platforms = prompt('Enter platforms to add (comma-separated, e.g., Windows,Linux,macOS):');
-            if (platforms) {
-                const platformList = platforms.split(',').map(p => p.trim()).filter(p => p);
-                selectedTools.forEach(index => {
-                    const tool = yamlData.tools[index];
-                    tool.platforms = [...new Set([...(tool.platforms || []), ...platformList])];
-                });
-                showMessage(`Added platforms to ${selectedTools.size} tools`);
-                renderBulkGrid();
-            }
-        }
-
-        function bulkRemovePlatforms() {
-            if (selectedTools.size === 0) return showMessage('No tools selected', 'error');
-            const platforms = prompt('Enter platforms to remove (comma-separated):');
-            if (platforms) {
-                const platformList = platforms.split(',').map(p => p.trim()).filter(p => p);
-                selectedTools.forEach(index => {
-                    const tool = yamlData.tools[index];
-                    if (tool.platforms) {
-                        tool.platforms = tool.platforms.filter(platform => !platformList.includes(platform));
-                        if (tool.platforms.length === 0) delete tool.platforms;
-                    }
-                });
-                showMessage(`Removed platforms from ${selectedTools.size} tools`);
-                renderBulkGrid();
-            }
-        }
-
-        function bulkClearPlatforms() {
-            if (selectedTools.size === 0) return showMessage('No tools selected', 'error');
-            if (confirm(`Are you sure you want to clear ALL platforms from ${selectedTools.size} selected tools?`)) {
-                selectedTools.forEach(index => {
-                    delete yamlData.tools[index].platforms;
-                });
-                showMessage(`Cleared platforms from ${selectedTools.size} tools`);
-                renderBulkGrid();
-            }
-        }
-
-        // Related concepts operations
-        function bulkAddRelatedConcepts() {
-            if (selectedTools.size === 0) return showMessage('No tools selected', 'error');
-            const concepts = prompt('Enter related concept names to add (comma-separated):');
-            if (concepts) {
-                const conceptList = concepts.split(',').map(c => c.trim()).filter(c => c);
-                selectedTools.forEach(index => {
-                    const tool = yamlData.tools[index];
-                    tool.related_concepts = [...new Set([...(tool.related_concepts || []), ...conceptList])];
-                });
-                showMessage(`Added related concepts to ${selectedTools.size} tools`);
-                renderBulkGrid();
-            }
-        }
-
-        function bulkRemoveRelatedConcepts() {
-            if (selectedTools.size === 0) return showMessage('No tools selected', 'error');
-            const concepts = prompt('Enter related concept names to remove (comma-separated):');
-            if (concepts) {
-                const conceptList = concepts.split(',').map(c => c.trim()).filter(c => c);
-                selectedTools.forEach(index => {
-                    const tool = yamlData.tools[index];
-                    if (tool.related_concepts) {
-                        tool.related_concepts = tool.related_concepts.filter(concept => !conceptList.includes(concept));
-                        if (tool.related_concepts.length === 0) delete tool.related_concepts;
-                    }
-                });
-                showMessage(`Removed related concepts from ${selectedTools.size} tools`);
-                renderBulkGrid();
-            }
-        }
-
-        function bulkClearRelatedConcepts() {
-            if (selectedTools.size === 0) return showMessage('No tools selected', 'error');
-            if (confirm(`Are you sure you want to clear ALL related concepts from ${selectedTools.size} selected tools?`)) {
-                selectedTools.forEach(index => {
-                    delete yamlData.tools[index].related_concepts;
-                });
-                showMessage(`Cleared related concepts from ${selectedTools.size} tools`);
-                renderBulkGrid();
-            }
-        }
-
-        // NEW: Related software operations
-        function bulkAddRelatedSoftware() {
-            if (selectedTools.size === 0) return showMessage('No tools selected', 'error');
-            const software = prompt('Enter related software names to add (comma-separated):');
-            if (software) {
-                const softwareList = software.split(',').map(s => s.trim()).filter(s => s);
-                selectedTools.forEach(index => {
-                    const tool = yamlData.tools[index];
-                    tool.related_software = [...new Set([...(tool.related_software || []), ...softwareList])];
-                });
-                showMessage(`Added related software to ${selectedTools.size} tools`);
-                renderBulkGrid();
-            }
-        }
-
-        function bulkRemoveRelatedSoftware() {
-            if (selectedTools.size === 0) return showMessage('No tools selected', 'error');
-            const software = prompt('Enter related software names to remove (comma-separated):');
-            if (software) {
-                const softwareList = software.split(',').map(s => s.trim()).filter(s => s);
-                selectedTools.forEach(index => {
-                    const tool = yamlData.tools[index];
-                    if (tool.related_software) {
-                        tool.related_software = tool.related_software.filter(sw => !softwareList.includes(sw));
-                        if (tool.related_software.length === 0) delete tool.related_software;
-                    }
-                });
-                showMessage(`Removed related software from ${selectedTools.size} tools`);
-                renderBulkGrid();
-            }
-        }
-
-        function bulkClearRelatedSoftware() {
-            if (selectedTools.size === 0) return showMessage('No tools selected', 'error');
-            if (confirm(`Are you sure you want to clear ALL related software from ${selectedTools.size} selected tools?`)) {
-                selectedTools.forEach(index => {
-                    delete yamlData.tools[index].related_software;
-                });
-                showMessage(`Cleared related software from ${selectedTools.size} tools`);
-                renderBulkGrid();
-            }
-        }
-
-        function bulkDelete() {
-            if (selectedTools.size === 0) return showMessage('No tools selected', 'error');
-            if (confirm(`Are you sure you want to delete ${selectedTools.size} selected tools? This action cannot be undone!`)) {
-                const indicesToDelete = Array.from(selectedTools).sort((a, b) => b - a);
-                indicesToDelete.forEach(index => yamlData.tools.splice(index, 1));
-                selectedTools.clear();
-                showMessage(`Deleted ${indicesToDelete.length} tools successfully!`);
-                updateStats();
-                renderBulkGrid();
-                updateKnowledgeToolSelect();
-            }
-        }
-
-        // Knowledge Generator - Enhanced for ForensicPathways format with scenarios and related_software
-        function updateKnowledgeToolSelect() {
-            const select = document.getElementById('knowledgeToolSelect');
-            select.innerHTML = '<option value="">Choose a tool or concept...</option>';
-            
-            if (!yamlData?.tools) return;
-
-            yamlData.tools.forEach((tool, index) => {
-                const option = document.createElement('option');
-                option.value = index;
-                option.textContent = `${tool.icon ? tool.icon + ' ' : ''}${tool.name} (${tool.type || 'software'})`;
-                select.appendChild(option);
-            });
-        }
-
-        function generateKnowledgeTemplate() {
-            const select = document.getElementById('knowledgeToolSelect');
-            const index = parseInt(select.value);
-            
-            if (isNaN(index)) {
-                document.getElementById('knowledgePreview').classList.add('hidden');
-                return;
-            }
-
-            const tool = yamlData.tools[index];
-            const template = createCC24MarkdownTemplate(tool);
-            
-            document.getElementById('markdownContent').value = template;
-            document.getElementById('knowledgePreview').classList.remove('hidden');
-        }
-
-        function createCC24MarkdownTemplate(tool) {
-            const toolSlug = tool.name.toLowerCase()
-                .replace(/[^a-z0-9\s-]/g, '')
-                .replace(/\s+/g, '-')
-                .replace(/-+/g, '-')
-                .replace(/^-|-$/g, '');
-
-            return `---
-title: "${tool.name}"
-description: "${tool.description.split('\n')[0].trim()}"
-last_updated: ${new Date().toISOString().split('T')[0]}
-tool_name: "${tool.name}"
-related_tools: ${JSON.stringify([...(tool.related_concepts || []), ...(tool.related_software || [])])}
-author: "CC24-Team"
-difficulty: "${tool.skillLevel || 'intermediate'}"
-categories: ${tool.type === 'concept' ? '["concepts"]' : tool.type === 'method' ? '["methods"]' : '["tools"]'}
-tags: ${tool.tags ? JSON.stringify(tool.tags) : '[]'}
-published: true
----
-
-# ${tool.icon ? tool.icon + ' ' : ''}${tool.name}
-
-## Übersicht
-
-${tool.description}
-
-**Typ**: ${tool.type || 'software'}  
-**Skill Level**: ${tool.skillLevel || 'intermediate'}  
-**Offizielle URL**: [${tool.name}](${tool.url})
-
-${tool.license ? `**Lizenz**: ${tool.license}\n` : ''}${tool.platforms && tool.platforms.length > 0 ? `**Plattformen**: ${tool.platforms.join(', ')}\n` : ''}${tool.accessType ? `**Zugriff**: ${tool.accessType}\n` : ''}
-
-${tool.domains && tool.domains.length > 0 ? `## Anwendungsbereiche
-
-${tool.domains.map(domain => `- ${domain}`).join('\n')}\n\n` : ''}${tool.phases && tool.phases.length > 0 ? `## Ermittlungsphasen
-
-${tool.phases.map(phase => `- ${phase}`).join('\n')}\n\n` : ''}${(() => {
-    const scenarioTags = (tool.tags || []).filter(tag => tag.startsWith('scenario:'));
-    return scenarioTags.length > 0 ? `## Anwendungsszenarien
-
-${scenarioTags.map(scenarioTag => {
-    const scenarioData = yamlData.scenarios.find(s => s.id === scenarioTag);
-    return scenarioData ? `- ${scenarioData.icon} ${scenarioData.friendly_name}` : `- ${scenarioTag}`;
-}).join('\n')}\n\n` : '';
-})()}## ${tool.type === 'concept' ? 'Grundlagen' : tool.type === 'method' ? 'Vorgehensweise' : 'Installation & Nutzung'}
-
-${tool.type === 'concept' ? 
-`### Kernkonzepte
-
-TODO: Beschreibe die wichtigsten Konzepte und Prinzipien.
-
-### Anwendungsbereiche
-
-TODO: Erkläre, wo und wie dieses Konzept angewendet wird.` :
-tool.type === 'method' ?
-`### Schritt-für-Schritt Anleitung
-
-1. TODO: Erster Schritt
-2. TODO: Zweiter Schritt  
-3. TODO: Dritter Schritt
-
-### Voraussetzungen
-
-TODO: Liste die erforderlichen Voraussetzungen auf.` :
-`### Installation
-
-TODO: Beschreibe die Installation für die relevanten Plattformen.
-
-### Grundlegende Nutzung
-
-TODO: Erkläre die wichtigsten Funktionen und Befehle.
-
-### Workflow-Beispiele
-
-TODO: Zeige typische Anwendungsfälle und Workflows.`}
-
-## Best Practices
-
-TODO: Teile bewährte Praktiken und Tipps für die optimale Nutzung.
-
-## Häufige Probleme
-
-TODO: Beschreibe häufige Stolpersteine und deren Lösungen.
-
-${(tool.related_concepts && tool.related_concepts.length > 0) || (tool.related_software && tool.related_software.length > 0) ? `## Verwandte Tools und Konzepte
-
-${(tool.related_concepts || []).map(concept => `- 💡 ${concept} (Konzept)`).join('\n')}${(tool.related_concepts || []).length > 0 && (tool.related_software || []).length > 0 ? '\n' : ''}${(tool.related_software || []).map(software => `- 🛠️ ${software} (Software)`).join('\n')}\n\n` : ''}## Weitere Ressourcen
-
-- [Offizielle Dokumentation](${tool.url})${tool.projectUrl ? `\n- [CC24 Server Zugang](${tool.projectUrl})` : ''}
-
-TODO: Füge weitere nützliche Links und Ressourcen hinzu.
-
----
-
-*Zuletzt aktualisiert: ${new Date().toLocaleDateString('de-DE')}*
-`;
-        }
-
-        function downloadMarkdown() {
-            const content = document.getElementById('markdownContent').value;
-            const select = document.getElementById('knowledgeToolSelect');
-            const index = parseInt(select.value);
-            const tool = yamlData.tools[index];
-            
-            const toolSlug = tool.name.toLowerCase()
-                .replace(/[^a-z0-9\s-]/g, '')
-                .replace(/\s+/g, '-')
-                .replace(/-+/g, '-')
-                .replace(/^-|-$/g, '');
-            
-            const blob = new Blob([content], { type: 'text/markdown' });
-            const url = URL.createObjectURL(blob);
-            
-            const a = document.createElement('a');
-            a.href = url;
-            a.download = `${toolSlug}.md`;
-            document.body.appendChild(a);
-            a.click();
-            document.body.removeChild(a);
-            URL.revokeObjectURL(url);
-            
-            showMessage('Markdown template downloaded successfully!');
-        }
-
-        function copyMarkdown() {
-            const content = document.getElementById('markdownContent').value;
-            navigator.clipboard.writeText(content).then(() => {
-                showMessage('Markdown copied to clipboard!');
-            }).catch(() => {
-                showMessage('Failed to copy to clipboard', 'error');
-            });
-        }
-
-        // Enhanced Validation 
-        function validateYAML() {
-            if (!yamlData) return showMessage('No data to validate', 'error');
-
-            const validationResults = [];
-            
-            // Check required sections
-            if (!yamlData.tools) validationResults.push('❌ Missing tools section');
-            if (!yamlData.domains) validationResults.push('❌ Missing domains section');
-            if (!yamlData.phases) validationResults.push('❌ Missing phases section');
-            if (!yamlData.scenarios) validationResults.push('⚠️ Missing scenarios section (for reference)');
-            
-            // Validate tools
-            yamlData.tools?.forEach((tool, index) => {
-                if (!tool.name) validationResults.push(`❌ Tool ${index + 1}: Missing name`);
-                if (!tool.description) validationResults.push(`❌ Tool ${index + 1}: Missing description`);
-                if (!tool.skillLevel) validationResults.push(`❌ Tool ${index + 1}: Missing skillLevel`);
-                if (!tool.url) validationResults.push(`❌ Tool ${index + 1}: Missing url`);
-                if (tool.type && !['software', 'method', 'concept'].includes(tool.type)) {
-                    validationResults.push(`❌ Tool ${index + 1}: Invalid type`);
-                }
-                
-                // Type-specific validation
-                if (tool.type === 'software' && (!tool.platforms || tool.platforms.length === 0)) {
-                    validationResults.push(`⚠️ Tool ${index + 1}: Software should have platforms`);
-                }
-                
-                if (tool.type === 'concept' && tool.platforms?.length > 0) {
-                    validationResults.push(`⚠️ Tool ${index + 1}: Concepts should not have platforms`);
-                }
-
-                // Validate related_software references
-                if (tool.related_software && tool.related_software.length > 0) {
-                    tool.related_software.forEach(relatedName => {
-                        const exists = yamlData.tools.some(t => t.name === relatedName);
-                        if (!exists) {
-                            validationResults.push(`⚠️ Tool ${index + 1}: Related software "${relatedName}" not found in tools`);
-                        }
-                    });
-                }
-
-                // Validate scenario tags (check tags that start with scenario:)
-                if (tool.tags && tool.tags.length > 0) {
-                    const scenarioTags = tool.tags.filter(tag => tag.startsWith('scenario:'));
-                    scenarioTags.forEach(scenarioTag => {
-                        const exists = yamlData.scenarios?.some(s => s.id === scenarioTag);
-                        if (!exists) {
-                            validationResults.push(`⚠️ Tool ${index + 1}: Scenario tag "${scenarioTag}" not found in scenarios reference`);
-                        }
-                    });
-                }
-            });
-
-            const container = document.getElementById('validationContent');
-            if (validationResults.length === 0) {
-                container.innerHTML = '<div class="message success">✅ YAML structure is valid!</div>';
-            } else {
-                container.innerHTML = '<div class="message error">' + validationResults.join('<br>') + '</div>';
-            }
-            
-            document.getElementById('validationResults').classList.remove('hidden');
-        }
-
-        function previewYAML() {
-            if (!yamlData) return showMessage('No data to preview', 'error');
-
-            const yamlString = jsyaml.dump(yamlData, { indent: 2 });
-            document.getElementById('yamlPreviewText').value = yamlString;
-            document.getElementById('yamlPreview').classList.remove('hidden');
-        }
-
-        function exportYAML() {
-            if (!yamlData) return showMessage('No data to export', 'error');
-
-            const yamlString = jsyaml.dump(yamlData, { indent: 2 });
-            const blob = new Blob([yamlString], { type: 'text/yaml' });
-            const url = URL.createObjectURL(blob);
-            
-            const a = document.createElement('a');
-            a.href = url;
-            a.download = 'tools.yaml';
-            document.body.appendChild(a);
-            a.click();
-            document.body.removeChild(a);
-            URL.revokeObjectURL(url);
-            
-            showMessage('YAML file exported successfully!');
-        }
-
-        function exportJSON() {
-            if (!yamlData) return showMessage('No data to export', 'error');
-
-            const jsonString = JSON.stringify(yamlData, null, 2);
-            const blob = new Blob([jsonString], { type: 'application/json' });
-            const url = URL.createObjectURL(blob);
-            
-            const a = document.createElement('a');
-            a.href = url;
-            a.download = 'tools.json';
-            document.body.appendChild(a);
-            a.click();
-            document.body.removeChild(a);
-            URL.revokeObjectURL(url);
-            
-            showMessage('JSON file exported successfully!');
-        }
-
-        // Initialize
-        init();
-    </script>
-</body>
-</html>
\ No newline at end of file
diff --git a/package.json b/package.json
index 12677b7..7367a40 100644
--- a/package.json
+++ b/package.json
@@ -20,7 +20,11 @@
     "zod": "^3.25.76"
   },
   "devDependencies": {
-    "@types/js-yaml": "^4.0.9"
+    "@types/js-yaml": "^4.0.9",
+    "fast-glob": "^3.3.3",
+    "picocolors": "^1.1.1",
+    "postcss": "^8.5.6",
+    "postcss-safe-parser": "^7.0.1"
   },
   "engines": {
     "node": ">=18.0.0"
diff --git a/src/components/AIQueryInterface.astro b/src/components/AIQueryInterface.astro
index 2061bed..e8a7604 100644
--- a/src/components/AIQueryInterface.astro
+++ b/src/components/AIQueryInterface.astro
@@ -1,5 +1,6 @@
 ---
 import { getToolsData } from '../utils/dataService.js';
+import { isToolHosted } from '../utils/toolHelpers.js';
 
 const data = await getToolsData();
 const tools = data.tools;
@@ -15,7 +16,7 @@ const domainAgnosticSoftware = data['domain-agnostic-software'] || [];
           <path d="M9 11H5a2 2 0 0 0-2 2v7a2 2 0 0 0 2 2h14a2 2 0 0 0 2-2v-7a2 2 0 0 0-2-2h-4"/>
           <path d="M9 11V7a3 3 0 0 1 6 0v4"/>
         </svg>
-        KI-gestützte Workflow-Empfehlungen
+        Forensic AI
       </h2>
       <p id="ai-description" class="text-muted" style="max-width: 700px; margin: 0 auto; line-height: 1.6;">
         Beschreiben Sie Ihr forensisches Szenario und erhalten Sie maßgeschneiderte Workflow-Empfehlungen 
@@ -169,16 +170,16 @@ const domainAgnosticSoftware = data['domain-agnostic-software'] || [];
           <!-- Micro-task Progress -->
           <div id="micro-task-progress" class="micro-task-progress hidden">
             <div class="micro-task-header">
-              <span class="micro-task-label">🔬 Micro-Task Analyse</span>
+              <span class="micro-task-label">🔬 micro-Agent-Analysis</span>
               <span id="micro-task-counter" class="micro-task-counter">1/6</span>
             </div>
             <div class="micro-task-steps">
-              <div class="micro-step" data-step="scenario">📋 Szenario</div>
-              <div class="micro-step" data-step="approach">🎯 Ansatz</div>
-              <div class="micro-step" data-step="considerations">⚠️ Kritisches</div>
-              <div class="micro-step" data-step="tools">🔧 Tools</div>
-              <div class="micro-step" data-step="knowledge">📚 Wissen</div>
-              <div class="micro-step" data-step="final">✅ Final</div>
+              <div class="micro-step" data-step="scenario">📋 Problemanalyse</div>
+              <div class="micro-step" data-step="approach">🎯 Ermittlungsansatz</div>
+              <div class="micro-step" data-step="considerations">⚠️ Herausforderungen</div>
+              <div class="micro-step" data-step="tools">🔧 Methoden</div>
+              <div class="micro-step" data-step="knowledge">📚 Evaluation</div>
+              <div class="micro-step" data-step="final">✅ Audit-Trail</div>
             </div>
           </div>
           
@@ -292,13 +293,13 @@ class AIQueryInterface {
     return {
       workflow: {
         placeholder: "Beschreiben Sie Ihr forensisches Szenario... z.B. 'Verdacht auf Ransomware-Angriff auf Windows-Domänencontroller'",
-        description: "Beschreiben Sie Ihr forensisches Szenario und erhalten Sie maßgeschneiderte Workflow-Empfehlungen.",
+        description: "Beschreiben Sie Ihre Untersuchungssituation und erhalten Empfehlungen für alle Phasen der Untersuchung.",
         submitText: "Empfehlungen generieren",
         loadingText: "Analysiere Szenario und generiere Empfehlungen..."
       },
       tool: {
         placeholder: "Beschreiben Sie Ihr Problem... z.B. 'Analyse von Android-Backups mit WhatsApp-Nachrichten'",
-        description: "Beschreiben Sie Ihr Problem und erhalten Sie 1-3 gezielt passende Empfehlungen.",
+        description: "Beschreiben Sie Ihre Untersuchungssituation und erhalten Empfehlungen für eine spezifische Aufgabenstellung.",
         submitText: "Empfehlungen finden",
         loadingText: "Analysiere Anforderungen und suche passende Methode..."
       }
@@ -671,6 +672,15 @@ class AIQueryInterface {
   }
 
   displayResults(recommendation, originalQuery) {
+    console.log('[AI DEBUG] Full recommendation object:', recommendation);
+    console.log('[AI DEBUG] Recommended tools:', recommendation.recommended_tools);
+    
+    if (recommendation.recommended_tools) {
+      recommendation.recommended_tools.forEach((tool, index) => {
+        console.log(`[AI DEBUG] Tool ${index}:`, tool.name, 'Confidence:', tool.confidence);
+      });
+    }
+    
     if (this.currentMode === 'workflow') {
       this.displayWorkflowResults(recommendation, originalQuery);
     } else {
@@ -692,13 +702,22 @@ class AIQueryInterface {
       toolsByPhase[phase] = [];
     });
 
+    console.log('[AI Results] Recommendation structure:', recommendation);
+    console.log('[AI Results] Recommended tools:', recommendation.recommended_tools);
+
     recommendation.recommended_tools?.forEach(recTool => {
+      console.log('[AI Results] Tool confidence data:', recTool.name, recTool.confidence);
+      
       if (toolsByPhase[recTool.phase]) {
         const fullTool = tools.find(t => t.name === recTool.name);
         if (fullTool) {
           toolsByPhase[recTool.phase].push({
             ...fullTool,
-            recommendation: recTool
+            recommendation: recTool,
+            confidence: recTool.confidence, 
+            justification: recTool.justification,
+            priority: recTool.priority,
+            recommendationStrength: recTool.recommendationStrength
           });
         }
       }
@@ -706,11 +725,12 @@ class AIQueryInterface {
 
     const html = `
       <div class="workflow-container">
-        ${this.renderHeader('Empfohlener DFIR-Workflow', originalQuery)}
+        ${this.renderHeader('Untersuchungsansatz', originalQuery)}
         ${this.renderContextualAnalysis(recommendation, 'workflow')}
         ${this.renderBackgroundKnowledge(recommendation.background_knowledge)}
         ${this.renderWorkflowPhases(toolsByPhase, phaseOrder, phaseNames)}
         ${this.renderWorkflowSuggestion(recommendation.workflow_suggestion)}
+        ${this.renderAuditTrail(recommendation.auditTrail)}
       </div>
     `;
     
@@ -719,18 +739,434 @@ class AIQueryInterface {
 
   displayToolResults(recommendation, originalQuery) {
     const html = `
-      <div class="tool-results-container">
-        ${this.renderHeader('Passende Empfehlungen', originalQuery)}
+      <div class="workflow-container">
+        ${this.renderHeader('Handlungsempfehlung', originalQuery)}
         ${this.renderContextualAnalysis(recommendation, 'tool')}
         ${this.renderBackgroundKnowledge(recommendation.background_knowledge)}
         ${this.renderToolRecommendations(recommendation.recommended_tools)}
         ${this.renderAdditionalConsiderations(recommendation.additional_considerations)}
+        ${this.renderAuditTrail(recommendation.auditTrail)}
       </div>
     `;
     
     this.elements.results.innerHTML = html;
   }
 
+  renderConfidenceTooltip(confidence) {
+    if (!confidence || typeof confidence.overall !== 'number') {
+      return '';
+    }
+    
+    const confidenceColor = confidence.overall >= 80 ? 'var(--color-accent)' : 
+                          confidence.overall >= 60 ? 'var(--color-warning)' : 'var(--color-error)';
+    
+    const tooltipId = `tooltip-${Math.random().toString(36).substr(2, 9)}`;
+    
+    return `
+      <span class="confidence-tooltip-trigger" 
+            style="display: inline-flex; align-items: center; gap: 0.125rem; cursor: help; margin-left: 0.25rem;"
+            onmouseenter="document.getElementById('${tooltipId}').style.display = 'block'"
+            onmouseleave="document.getElementById('${tooltipId}').style.display = 'none'"
+            onclick="event.stopPropagation();">
+        <div style="width: 6px; height: 6px; border-radius: 50%; background-color: ${confidenceColor}; flex-shrink: 0;"></div>
+        <span style="font-size: 0.625rem; color: white; font-weight: 600; text-shadow: 0 1px 2px rgba(0,0,0,0.5);">${confidence.overall}%</span>
+        
+        <div id="${tooltipId}" style="display: none; position: fixed; top: 50%; left: 50%; transform: translate(-50%, -50%); z-index: 1001; background: var(--color-bg); border: 1px solid var(--color-border); border-radius: 0.5rem; padding: 1rem; min-width: 320px; max-width: 400px; box-shadow: var(--shadow-lg); font-size: 0.75rem; color: var(--color-text);">
+          <div style="display: flex; justify-content: space-between; align-items: center; margin-bottom: 0.75rem;">
+            <strong style="font-size: 0.875rem;">KI-Vertrauenswertung</strong>
+            <span class="badge badge-mini" style="background-color: ${confidenceColor}; color: white; font-weight: 600;">${confidence.overall}%</span>
+          </div>
+          
+          <div style="display: grid; grid-template-columns: 1fr; gap: 0.625rem; margin-bottom: 0.75rem;">
+            <div style="background: var(--color-bg-secondary); padding: 0.5rem; border-radius: 0.375rem; border-left: 3px solid var(--color-accent);">
+              <div style="display: flex; justify-content: space-between; align-items: center; margin-bottom: 0.25rem;">
+                <span style="font-weight: 600; font-size: 0.6875rem;">🔍 Semantische Relevanz</span>
+                <strong style="color: var(--color-accent);">${confidence.semanticRelevance}%</strong>
+              </div>
+              <div style="font-size: 0.625rem; color: var(--color-text-secondary); line-height: 1.3;">
+                Wie gut die Tool-Beschreibung semantisch zu Ihrer Anfrage passt (Vektor-Ähnlichkeit)
+              </div>
+            </div>
+            
+            <div style="background: var(--color-bg-secondary); padding: 0.5rem; border-radius: 0.375rem; border-left: 3px solid var(--color-primary);">
+              <div style="display: flex; justify-content: space-between; align-items: center; margin-bottom: 0.25rem;">
+                <span style="font-weight: 600; font-size: 0.6875rem;">🎯 Aufgaben-Eignung</span>
+                <strong style="color: var(--color-primary);">${confidence.taskSuitability}%</strong>
+              </div>
+              <div style="font-size: 0.625rem; color: var(--color-text-secondary); line-height: 1.3;">
+                KI-bewertete Eignung des Tools für Ihre spezifische forensische Aufgabenstellung
+              </div>
+            </div>
+          </div>
+          
+          ${confidence.strengthIndicators && confidence.strengthIndicators.length > 0 ? `
+            <div style="margin-bottom: 0.75rem; padding: 0.5rem; background: var(--color-oss-bg); border-radius: 0.375rem; border-left: 3px solid var(--color-accent);">
+              <strong style="color: var(--color-accent); font-size: 0.6875rem; display: flex; align-items: center; gap: 0.25rem; margin-bottom: 0.375rem;">
+                <span>✓</span> Stärken dieser Empfehlung:
+              </strong>
+              <ul style="margin: 0; padding-left: 1rem; font-size: 0.625rem; line-height: 1.4;">
+                ${confidence.strengthIndicators.slice(0, 3).map(s => `<li style="margin-bottom: 0.25rem;">${this.sanitizeText(s)}</li>`).join('')}
+              </ul>
+            </div>
+          ` : ''}
+          
+          ${confidence.uncertaintyFactors && confidence.uncertaintyFactors.length > 0 ? `
+            <div style="padding: 0.5rem; background: var(--color-hosted-bg); border-radius: 0.375rem; border-left: 3px solid var(--color-warning);">
+              <strong style="color: var(--color-warning); font-size: 0.6875rem; display: flex; align-items: center; gap: 0.25rem; margin-bottom: 0.375rem;">
+                <span>⚠</span> Mögliche Einschränkungen:
+              </strong>
+              <ul style="margin: 0; padding-left: 1rem; font-size: 0.625rem; line-height: 1.4;">
+                ${confidence.uncertaintyFactors.slice(0, 3).map(f => `<li style="margin-bottom: 0.25rem;">${this.sanitizeText(f)}</li>`).join('')}
+              </ul>
+            </div>
+          ` : ''}
+          
+          <div style="margin-top: 0.75rem; padding-top: 0.75rem; border-top: 1px solid var(--color-border); font-size: 0.625rem; color: var(--color-text-secondary); text-align: center;">
+            Forensisch fundierte KI-Analyse
+          </div>
+        </div>
+      </span>
+    `;
+  }
+
+  renderAuditTrail(auditTrail) {
+    if (!auditTrail || !Array.isArray(auditTrail) || auditTrail.length === 0) {
+      return '';
+    }
+    
+    const totalTime = auditTrail.reduce((sum, entry) => sum + entry.processingTimeMs, 0);
+    const avgConfidence = auditTrail.reduce((sum, entry) => sum + entry.confidence, 0) / auditTrail.length;
+    const lowConfidenceSteps = auditTrail.filter(entry => entry.confidence < 60).length;
+    const highConfidenceSteps = auditTrail.filter(entry => entry.confidence >= 80).length;
+    
+    const groupedEntries = auditTrail.reduce((groups, entry) => {
+      if (!groups[entry.phase]) groups[entry.phase] = [];
+      groups[entry.phase].push(entry);
+      return groups;
+    }, {});
+    
+    return `
+      <div class="card-info-sm mt-4" style="border-left: 4px solid var(--color-accent);">
+        <div class="flex items-center justify-between mb-3 cursor-pointer" onclick="const container = this.closest('.card-info-sm'); const details = container.querySelector('.audit-trail-details'); const isHidden = details.style.display === 'none'; details.style.display = isHidden ? 'block' : 'none'; this.querySelector('.toggle-icon').style.transform = isHidden ? 'rotate(180deg)' : 'rotate(0deg)';">
+          <div class="flex items-center gap-3">
+            <div class="flex items-center gap-2">
+              <div style="width: 24px; height: 24px; background: linear-gradient(135deg, var(--color-accent) 0%, var(--color-primary) 100%); border-radius: 50%; display: flex; align-items: center; justify-content: center; color: white; font-size: 0.75rem; font-weight: bold;">
+                ✓
+              </div>
+              <h4 class="text-sm font-semibold text-accent mb-0">KI-Entscheidungspfad</h4>
+            </div>
+            
+            <div class="flex gap-3 text-xs">
+              <div class="flex items-center gap-1">
+                <div class="w-2 h-2 rounded-full" style="background-color: var(--color-accent);"></div>
+                <span class="text-muted">${this.formatDuration(totalTime)}</span>
+              </div>
+              <div class="flex items-center gap-1">
+                <div class="w-2 h-2 rounded-full" style="background-color: ${avgConfidence >= 80 ? 'var(--color-accent)' : avgConfidence >= 60 ? 'var(--color-warning)' : 'var(--color-error)'};"></div>
+                <span class="text-muted">${Math.round(avgConfidence)}% Vertrauen</span>
+              </div>
+              <div class="flex items-center gap-1">
+                <span class="text-muted">${auditTrail.length} Schritte</span>
+              </div>
+            </div>
+          </div>
+          
+          <div class="toggle-icon" style="transition: transform 0.2s ease;">
+            <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
+              <polyline points="6 9 12 15 18 9"/>
+            </svg>
+          </div>
+        </div>
+        
+        <div style="display: none;" class="audit-trail-details">
+          <div class="grid gap-4">
+            <!-- Summary Section -->
+            <div class="p-3 rounded-lg" style="background-color: var(--color-bg-tertiary);">
+              <div class="text-xs font-medium mb-2 text-accent">📊 Analyse-Qualität</div>
+              <div class="grid grid-cols-3 gap-3 text-xs">
+                <div class="text-center">
+                  <div class="font-semibold" style="color: var(--color-accent);">${highConfidenceSteps}</div>
+                  <div class="text-muted">Hohe Sicherheit</div>
+                </div>
+                <div class="text-center">
+                  <div class="font-semibold" style="color: ${lowConfidenceSteps > 0 ? 'var(--color-warning)' : 'var(--color-accent)'};">${lowConfidenceSteps}</div>
+                  <div class="text-muted">Unsichere Schritte</div>
+                </div>
+                <div class="text-center">
+                  <div class="font-semibold">${this.formatDuration(totalTime)}</div>
+                  <div class="text-muted">Verarbeitungszeit</div>
+                </div>
+              </div>
+            </div>
+            
+            <!-- Process Flow -->
+            <div class="audit-process-flow">
+              ${Object.entries(groupedEntries).map(([phase, entries]) => this.renderPhaseGroup(phase, entries)).join('')}
+            </div>
+            
+            <!-- Technical Details Toggle -->
+            <div class="text-center">
+              <button class="text-xs text-muted hover:text-primary transition-colors cursor-pointer border-none bg-none" onclick="const techDetails = this.nextElementSibling; const isHidden = techDetails.style.display === 'none'; techDetails.style.display = isHidden ? 'block' : 'none'; this.textContent = isHidden ? '🔧 Technische Details ausblenden' : '🔧 Technische Details anzeigen';">
+                🔧 Technische Details anzeigen
+              </button>
+              <div style="display: none;" class="mt-3 p-3 rounded-lg bg-gray-50 dark:bg-gray-800 text-xs">
+                ${auditTrail.map(entry => this.renderTechnicalEntry(entry)).join('')}
+              </div>
+            </div>
+          </div>
+        </div>
+      </div>
+    `;
+  }
+
+  renderPhaseGroup(phase, entries) {
+    const phaseIcons = {
+      'initialization': '🚀',
+      'retrieval': '🔍',
+      'selection': '🎯',
+      'micro-task': '⚡',
+      'completion': '✅'
+    };
+    
+    const phaseNames = {
+      'initialization': 'Initialisierung',
+      'retrieval': 'Datensuche',
+      'selection': 'Tool-Auswahl',
+      'micro-task': 'Detail-Analyse',
+      'completion': 'Finalisierung'
+    };
+    
+    const avgConfidence = entries.reduce((sum, entry) => sum + entry.confidence, 0) / entries.length;
+    const totalTime = entries.reduce((sum, entry) => sum + entry.processingTimeMs, 0);
+    
+    return `
+      <div class="phase-group mb-4">
+        <div class="flex items-center gap-3 mb-3">
+          <div class="flex items-center gap-2">
+            <span class="text-lg">${phaseIcons[phase] || '📋'}</span>
+            <span class="font-medium text-sm">${phaseNames[phase] || phase}</span>
+          </div>
+          <div class="flex-1 h-px bg-border"></div>
+          <div class="flex items-center gap-2 text-xs text-muted">
+            <div class="confidence-indicator w-12 h-2 rounded-full overflow-hidden" style="background-color: var(--color-bg-tertiary);">
+              <div class="h-full rounded-full transition-all" style="width: ${avgConfidence}%; background-color: ${avgConfidence >= 80 ? 'var(--color-accent)' : avgConfidence >= 60 ? 'var(--color-warning)' : 'var(--color-error)'};"></div>
+            </div>
+            <span>${Math.round(avgConfidence)}%</span>
+          </div>
+        </div>
+        
+        <div class="grid gap-2 ml-6">
+          ${entries.map(entry => this.renderSimplifiedEntry(entry)).join('')}
+        </div>
+      </div>
+    `;
+  }
+
+  renderSimplifiedEntry(entry) {
+    const actionIcons = {
+      'pipeline-start': '▶️',
+      'embeddings-search': '🔍',
+      'ai-tool-selection': '🎯',
+      'ai-analysis': '🧠',
+      'phase-tool-selection': '⚙️',
+      'tool-evaluation': '📊',
+      'background-knowledge-selection': '📚',
+      'pipeline-end': '🏁'
+    };
+    
+    const actionNames = {
+      'pipeline-start': 'Analyse gestartet',
+      'embeddings-search': 'Ähnliche Tools gesucht',
+      'ai-tool-selection': 'Tools automatisch ausgewählt',
+      'ai-analysis': 'KI-Analyse durchgeführt',
+      'phase-tool-selection': 'Phasen-Tools evaluiert',
+      'tool-evaluation': 'Tool-Bewertung erstellt',
+      'background-knowledge-selection': 'Hintergrundwissen ausgewählt',
+      'pipeline-end': 'Analyse abgeschlossen'
+    };
+    
+    const confidenceColor = entry.confidence >= 80 ? 'var(--color-accent)' : 
+                            entry.confidence >= 60 ? 'var(--color-warning)' : 'var(--color-error)';
+    
+    return `
+      <div class="flex items-center gap-3 py-2 px-3 rounded-lg hover:bg-secondary transition-colors">
+        <span class="text-sm">${actionIcons[entry.action] || '📋'}</span>
+        <div class="flex-1 min-w-0">
+          <div class="text-sm font-medium">${actionNames[entry.action] || entry.action}</div>
+          ${entry.output && typeof entry.output === 'object' && entry.output.selectedToolCount ? 
+            `<div class="text-xs text-muted">${entry.output.selectedToolCount} Tools ausgewählt</div>` : ''}
+        </div>
+        <div class="flex items-center gap-2 text-xs">
+          <div class="w-8 h-1.5 rounded-full overflow-hidden" style="background-color: var(--color-bg-tertiary);">
+            <div class="h-full rounded-full" style="width: ${entry.confidence}%; background-color: ${confidenceColor};"></div>
+          </div>
+          <span class="text-muted w-8 text-right">${entry.confidence}%</span>
+          <span class="text-muted w-12 text-right">${entry.processingTimeMs}ms</span>
+        </div>
+      </div>
+    `;
+  }
+
+  renderTechnicalEntry(entry) {
+    const formattedTime = new Date(entry.timestamp).toLocaleTimeString('de-DE', { 
+      hour: '2-digit', 
+      minute: '2-digit', 
+      second: '2-digit' 
+    });
+    
+    return `
+      <div class="border rounded p-2 mb-2" style="border-color: var(--color-border);">
+        <div class="flex justify-between items-center mb-1">
+          <span class="font-mono text-xs">${entry.phase}/${entry.action}</span>
+          <span class="text-xs text-muted">${formattedTime} • ${entry.processingTimeMs}ms</span>
+        </div>
+        ${entry.input && Object.keys(entry.input).length > 0 ? `
+          <div class="text-xs mb-1">
+            <strong>Input:</strong> ${this.formatAuditData(entry.input)}
+          </div>
+        ` : ''}
+        ${entry.output && Object.keys(entry.output).length > 0 ? `
+          <div class="text-xs">
+            <strong>Output:</strong> ${this.formatAuditData(entry.output)}
+          </div>
+        ` : ''}
+      </div>
+    `;
+  }
+
+  renderAuditEntry(entry) {
+    const confidenceColor = entry.confidence >= 80 ? 'var(--color-accent)' : 
+                            entry.confidence >= 60 ? 'var(--color-warning)' : 'var(--color-error)';
+    
+    const formattedTime = new Date(entry.timestamp).toLocaleTimeString('de-DE', { 
+      hour: '2-digit', 
+      minute: '2-digit', 
+      second: '2-digit' 
+    });
+    
+    return `
+      <div class="border-l-2 pl-3 py-2 mb-2" style="border-left-color: ${confidenceColor};">
+        <div class="flex justify-between items-center mb-1">
+          <span class="text-xs font-medium">${entry.phase} → ${entry.action}</span>
+          <div class="flex items-center gap-2">
+            <span class="badge badge-mini" style="background-color: ${confidenceColor}; color: white;">
+              ${entry.confidence}% confidence
+            </span>
+            <span class="text-xs text-muted">${entry.processingTimeMs}ms</span>
+            <span class="text-xs text-muted">${formattedTime}</span>
+          </div>
+        </div>
+        <div class="text-xs text-muted grid-cols-2 gap-2" style="display: grid;">
+          <div><strong>Input:</strong> ${this.formatAuditData(entry.input)}</div>
+          <div><strong>Output:</strong> ${this.formatAuditData(entry.output)}</div>
+        </div>
+        ${entry.metadata && Object.keys(entry.metadata).length > 0 ? `
+          <div class="text-xs text-muted mt-1 pt-1 border-t border-dashed">
+            <strong>Metadata:</strong> ${this.formatAuditData(entry.metadata)}
+          </div>
+        ` : ''}
+      </div>
+    `;
+  }
+
+  formatAuditData(data) {
+    if (data === null || data === undefined) return 'null';
+    if (typeof data === 'string') {
+      return data.length > 100 ? data.slice(0, 100) + '...' : data;
+    }
+    if (typeof data === 'number') return data.toString();
+    if (typeof data === 'boolean') return data.toString();
+    if (Array.isArray(data)) {
+      if (data.length === 0) return '[]';
+      if (data.length <= 3) return JSON.stringify(data);
+      return `[${data.slice(0, 3).map(i => typeof i === 'string' ? i : JSON.stringify(i)).join(', ')}, ...+${data.length - 3}]`;
+    }
+    if (typeof data === 'object') {
+      const keys = Object.keys(data);
+      if (keys.length === 0) return '{}';
+      if (keys.length <= 3) {
+        return '{' + keys.map(k => `${k}: ${typeof data[k] === 'string' ? data[k].slice(0, 20) + (data[k].length > 20 ? '...' : '') : JSON.stringify(data[k])}`).join(', ') + '}';
+      }
+      return `{${keys.slice(0, 3).join(', ')}, ...+${keys.length - 3} keys}`;
+    }
+    return String(data);
+  }
+
+  renderWorkflowTool(tool) {
+    const hasValidProjectUrl = isToolHosted(tool);
+    const priorityColors = {
+      high: 'var(--color-error)',
+      medium: 'var(--color-warning)', 
+      low: 'var(--color-accent)'
+    };
+
+    return `
+      <div class="tool-recommendation ${this.getToolClass(tool, 'recommendation')}" onclick="window.showToolDetails('${tool.name}')" style="position: relative;">
+        <div class="tool-rec-header">
+          <h4 class="tool-rec-name">
+            ${tool.icon ? `<span style="margin-right: 0.5rem;">${tool.icon}</span>` : ''}
+            ${tool.name}
+          </h4>
+          <div class="flex items-center gap-2">
+            <span class="tool-rec-priority ${tool.recommendation ? tool.recommendation.priority : tool.priority}" 
+                  style="background-color: ${priorityColors[tool.recommendation ? tool.recommendation.priority : tool.priority]}; color: white; padding: 0.25rem 0.5rem; border-radius: 1rem; font-size: 0.75rem; position: relative;">
+              ${tool.recommendation ? tool.recommendation.priority : tool.priority}
+              ${tool.confidence ? this.renderConfidenceTooltip(tool.confidence, 'priority') : ''}
+            </span>
+          </div>
+        </div>
+        
+        <div class="tool-rec-justification" style="background-color: var(--color-bg-tertiary); padding: 0.75rem; border-radius: 0.375rem; border-left: 3px solid var(--color-primary); margin: 0.75rem 0; font-style: italic; white-space: pre-wrap; word-wrap: break-word;">
+          "${this.sanitizeText(tool.justification || (tool.recommendation && tool.recommendation.justification) || `Empfohlen für ${tool.phase}`)}"
+        </div>
+        
+        <div style="font-size: 0.75rem; color: var(--color-text-secondary);">
+          ${this.renderToolBadges(tool)}
+          <div style="margin-top: 0.5rem;">
+            ${tool.type === 'method' ? 'Methode' : tool.platforms.join(', ') + ' • ' + tool.license}
+          </div>
+        </div>
+      </div>
+    `;
+  }
+
+  renderDetailedTool(tool, recommendation, rank) {
+    const rankColors = { 1: 'var(--color-accent)', 2: 'var(--color-primary)', 3: 'var(--color-warning)' };
+    const suitabilityColors = { high: 'var(--color-accent)', medium: 'var(--color-warning)', low: 'var(--color-text-secondary)' };
+    
+    return `
+      <div class="card ${this.getToolClass(tool, 'card')}" style="cursor: pointer; position: relative;" onclick="window.showToolDetails('${tool.name}')">
+        <div style="position: absolute; top: -8px; right: -8px; width: 32px; height: 32px; background-color: ${rankColors[rank]}; color: white; border-radius: 50%; display: flex; align-items: center; justify-content: center; font-weight: bold; font-size: 1.125rem;">
+          ${rank}
+        </div>
+
+        <div style="margin-bottom: 1rem;">
+          <h3 style="margin: 0 0 0.5rem 0;">${tool.name}</h3>
+          <div style="display: flex; flex-wrap: wrap; gap: 0.5rem; align-items: center; margin-bottom: 0.75rem;">
+            <span class="badge" style="background-color: ${suitabilityColors[recommendation.suitability_score]}; color: white; position: relative;">
+              ${this.getSuitabilityText(recommendation.suitability_score, recommendation.confidence)}
+            </span>
+            ${this.renderToolBadges(tool)}
+          </div>
+        </div>
+
+        <div style="margin-bottom: 1.5rem;">
+          <h4 style="margin: 0.8rem 0 0.75rem 0; color: var(--color-accent);">Warum diese Methode?</h4>
+          <div style="margin: 0; line-height: 1.6; white-space: pre-wrap; word-wrap: break-word;">${this.sanitizeText(recommendation.detailed_explanation)}</div>
+          
+          ${recommendation.implementation_approach ? `
+            <h4 style="margin: 0.8rem 0 0.75rem 0; color: var(--color-primary);">Anwendungsansatz</h4>
+            <div style="margin: 0; line-height: 1.6; white-space: pre-wrap; word-wrap: break-word;">${this.sanitizeText(recommendation.implementation_approach)}</div>
+          ` : ''}
+        </div>
+
+        ${this.renderProsAndCons(recommendation.pros, recommendation.cons)}
+        ${this.renderToolMetadata(tool)}
+        ${recommendation.alternatives ? this.renderAlternatives(recommendation.alternatives) : ''}
+      </div>
+    `;
+  }
+
   renderHeader(title, query) {
     return `
       <div style="text-align: center; margin-bottom: 2rem; padding: 1.5rem; background: linear-gradient(135deg, var(--color-primary) 0%, #525252 100%); color: white; border-radius: 0.75rem;">
@@ -813,6 +1249,8 @@ class AIQueryInterface {
       const phaseTools = toolsByPhase[phase];
       if (phaseTools.length === 0) return '';
 
+      console.log(`[AI DEBUG] Phase ${phase} tools:`, phaseTools.map(t => ({name: t.name, hasConfidence: !!t.confidence})));
+
       return `
         <div class="workflow-phase">
           <div class="phase-header">
@@ -820,7 +1258,10 @@ class AIQueryInterface {
             <div class="phase-info">
               <h3 class="phase-title">${phaseNames[phase]}</h3>
               <div class="phase-tools">
-                ${phaseTools.map(tool => this.renderWorkflowTool(tool)).join('')}
+                ${phaseTools.map(tool => {
+                  console.log(`[AI DEBUG] Rendering tool ${tool.name} with confidence:`, tool.confidence);
+                  return this.renderWorkflowTool(tool);
+                }).join('')}
               </div>
             </div>
           </div>
@@ -831,28 +1272,38 @@ class AIQueryInterface {
   }
 
   renderWorkflowTool(tool) {
-    const hasValidProjectUrl = this.isToolHosted(tool);
+    console.log(`[AI DEBUG] renderWorkflowTool called for ${tool.name}, confidence:`, tool.confidence);
+    
+    const hasValidProjectUrl = isToolHosted(tool);
     const priorityColors = {
       high: 'var(--color-error)',
       medium: 'var(--color-warning)', 
       low: 'var(--color-accent)'
     };
 
+    const priority = tool.recommendation ? tool.recommendation.priority : tool.priority;
+    const confidenceTooltip = tool.confidence ? this.renderConfidenceTooltip(tool.confidence) : '';
+    
+    console.log(`[AI DEBUG] Priority: ${priority}, Confidence tooltip:`, confidenceTooltip ? 'generated' : 'empty');
+
     return `
-      <div class="tool-recommendation ${this.getToolClass(tool, 'recommendation')}" onclick="window.showToolDetails('${tool.name}')">
+      <div class="tool-recommendation ${this.getToolClass(tool, 'recommendation')}" onclick="window.showToolDetails('${tool.name}')" style="position: relative;">
         <div class="tool-rec-header">
           <h4 class="tool-rec-name">
             ${tool.icon ? `<span style="margin-right: 0.5rem;">${tool.icon}</span>` : ''}
             ${tool.name}
           </h4>
-          <span class="tool-rec-priority ${tool.recommendation.priority}" 
-                style="background-color: ${priorityColors[tool.recommendation.priority]}; color: white; padding: 0.25rem 0.5rem; border-radius: 1rem; font-size: 0.75rem;">
-            ${tool.recommendation.priority}
-          </span>
+          <div class="flex items-center gap-2">
+            <span class="tool-rec-priority ${priority}" 
+                  style="background-color: ${priorityColors[priority]}; color: white; padding: 0.25rem 0.5rem; border-radius: 1rem; font-size: 0.75rem; position: relative; display: flex; align-items: center; gap: 0.25rem;">
+              ${priority}
+              ${confidenceTooltip}
+            </span>
+          </div>
         </div>
         
         <div class="tool-rec-justification" style="background-color: var(--color-bg-tertiary); padding: 0.75rem; border-radius: 0.375rem; border-left: 3px solid var(--color-primary); margin: 0.75rem 0; font-style: italic; white-space: pre-wrap; word-wrap: break-word;">
-          "${this.sanitizeText(tool.recommendation.justification)}"
+          "${this.sanitizeText(tool.justification || (tool.recommendation && tool.recommendation.justification) || `Empfohlen für ${tool.phase}`)}"
         </div>
         
         <div style="font-size: 0.75rem; color: var(--color-text-secondary);">
@@ -874,16 +1325,23 @@ class AIQueryInterface {
           const fullTool = tools.find(t => t.name === toolRec.name);
           if (!fullTool) return '';
           
-          return this.renderDetailedTool(fullTool, toolRec, index + 1);
+          return this.renderDetailedTool(fullTool, {
+            ...toolRec,
+            confidence: toolRec.confidence 
+          }, index + 1);
         }).join('')}
       </div>
     `;
   }
 
   renderDetailedTool(tool, recommendation, rank) {
+    console.log(`[AI DEBUG] renderDetailedTool called for ${tool.name}, recommendation confidence:`, recommendation.confidence);
+    
     const rankColors = { 1: 'var(--color-accent)', 2: 'var(--color-primary)', 3: 'var(--color-warning)' };
     const suitabilityColors = { high: 'var(--color-accent)', medium: 'var(--color-warning)', low: 'var(--color-text-secondary)' };
     
+    const confidenceTooltip = recommendation.confidence ? this.renderConfidenceTooltip(recommendation.confidence) : '';
+    
     return `
       <div class="card ${this.getToolClass(tool, 'card')}" style="cursor: pointer; position: relative;" onclick="window.showToolDetails('${tool.name}')">
         <div style="position: absolute; top: -8px; right: -8px; width: 32px; height: 32px; background-color: ${rankColors[rank]}; color: white; border-radius: 50%; display: flex; align-items: center; justify-content: center; font-weight: bold; font-size: 1.125rem;">
@@ -892,9 +1350,10 @@ class AIQueryInterface {
 
         <div style="margin-bottom: 1rem;">
           <h3 style="margin: 0 0 0.5rem 0;">${tool.name}</h3>
-          <div style="display: flex; flex-wrap: wrap; gap: 0.5rem;">
-            <span class="badge" style="background-color: ${suitabilityColors[recommendation.suitability_score]}; color: white;">
+          <div style="display: flex; flex-wrap: wrap; gap: 0.5rem; align-items: center; margin-bottom: 0.75rem;">
+            <span class="badge" style="background-color: ${suitabilityColors[recommendation.suitability_score]}; color: white; position: relative; display: flex; align-items: center; gap: 0.25rem;">
               ${this.getSuitabilityText(recommendation.suitability_score)}
+              ${confidenceTooltip}
             </span>
             ${this.renderToolBadges(tool)}
           </div>
@@ -988,7 +1447,7 @@ class AIQueryInterface {
 
   renderToolBadges(tool) {
     const isMethod = tool.type === 'method';
-    const hasValidProjectUrl = this.isToolHosted(tool);
+    const hasValidProjectUrl = isToolHosted(tool);
     
     let badges = '';
     if (isMethod) {
@@ -1032,16 +1491,9 @@ class AIQueryInterface {
       .trim();
   }
 
-  isToolHosted(tool) {
-    return tool.projectUrl !== undefined && 
-           tool.projectUrl !== null && 
-           tool.projectUrl !== "" && 
-           tool.projectUrl.trim() !== "";
-  }
-
   getToolClass(tool, context = 'card') {
     const isMethod = tool.type === 'method';
-    const hasValidProjectUrl = this.isToolHosted(tool);
+    const hasValidProjectUrl = isToolHosted(tool);
     
     if (context === 'recommendation') {
       if (isMethod) return 'method';
@@ -1056,13 +1508,18 @@ class AIQueryInterface {
     }
   }
 
-  getSuitabilityText(score) {
+  getSuitabilityText(score, confidence = null) {
     const texts = {
       high: 'GUT GEEIGNET',
       medium: 'GEEIGNET', 
       low: 'VIELLEICHT GEEIGNET'
     };
-    return texts[score] || 'GEEIGNET';
+    const baseText = texts[score] || 'GEEIGNET';
+    
+    if (confidence) {
+      return `${baseText} ${this.renderConfidenceTooltip(confidence, 'suitability')}`;
+    }
+    return baseText;
   }
 
   escapeHtml(text) {
@@ -1134,5 +1591,6 @@ document.addEventListener('DOMContentLoaded', () => {
       aiInterface.hideError();
     }
   };
+  window.isToolHosted = window.isToolHosted || isToolHosted
 });
 </script>
\ No newline at end of file
diff --git a/src/config/prompts.ts b/src/config/prompts.ts
new file mode 100644
index 0000000..86467b5
--- /dev/null
+++ b/src/config/prompts.ts
@@ -0,0 +1,243 @@
+// src/config/prompts.ts - Centralized German prompts for AI pipeline
+
+export const AI_PROMPTS = {
+  
+  toolSelection: (mode: string, userQuery: string, selectionMethod: string, maxSelectedItems: number) => {
+    const modeInstruction = mode === 'workflow' 
+      ? 'Der Benutzer möchte einen UMFASSENDEN WORKFLOW mit mehreren Tools/Methoden über verschiedene Phasen. Wählen Sie 15-25 Tools aus, die den vollständigen Untersuchungslebenszyklus abdecken.'
+      : 'Der Benutzer möchte SPEZIFISCHE TOOLS/METHODEN, die ihr konkretes Problem direkt lösen. Wählen Sie 3-8 Tools aus, die am relevantesten und effektivsten sind.';
+
+    return `Sie sind ein DFIR-Experte mit Zugang zur kompletten forensischen Tool-Datenbank. Sie müssen die relevantesten Tools und Konzepte für diese spezifische Anfrage auswählen.
+
+AUSWAHLMETHODE: ${selectionMethod}
+${selectionMethod === 'embeddings_candidates' ? 
+  'Diese Tools wurden durch Vektor-Ähnlichkeit vorgefiltert, sie sind bereits relevant. Ihre Aufgabe ist es, die BESTEN aus diesem relevanten Set auszuwählen.' :
+  'Sie haben Zugang zur vollständigen Tool-Datenbank. Wählen Sie die relevantesten Tools für die Anfrage aus.'}
+
+${modeInstruction}
+
+BENUTZER-ANFRAGE: "${userQuery}"
+
+KRITISCHE AUSWAHLPRINZIPIEN:
+1. **KONTEXT ÜBER POPULARITÄT**: Verwenden Sie nicht automatisch "berühmte" Tools wie Volatility, Wireshark oder Autopsy nur weil sie bekannt sind. Wählen Sie basierend auf den SPEZIFISCHEN Szenario-Anforderungen.
+
+2. **METHODOLOGIE vs SOFTWARE**: 
+   - Für SCHNELLE/DRINGENDE Szenarien → Priorisieren Sie METHODEN und schnelle Antwort-Ansätze
+   - Für ZEITKRITISCHE Vorfälle → Wählen Sie Triage-Methoden über tiefe Analyse-Tools
+   - Für UMFASSENDE Analysen → Dann betrachten Sie detaillierte Software-Tools
+   - METHODEN (Typ: "method") sind oft besser als SOFTWARE für prozedurale Anleitung
+
+3. **SZENARIO-SPEZIFISCHE LOGIK**:
+   - "Schnell/Quick/Dringend/Triage" Szenarien → Rapid Incident Response und Triage METHODE > Volatility
+   - "Industrial/SCADA/ICS" Szenarien → Spezialisierte ICS-Tools > generische Netzwerk-Tools
+   - "Mobile/Android/iOS" Szenarien → Mobile-spezifische Tools > Desktop-Forensik-Tools
+   - "Speicher-Analyse dringend benötigt" → Schnelle Speicher-Tools/Methoden > umfassende Volatility-Analyse
+
+ANALYSE-ANWEISUNGEN:
+1. Lesen Sie die VOLLSTÄNDIGE Beschreibung jedes Tools/Konzepts
+2. Berücksichtigen Sie ALLE Tags, Plattformen, verwandte Tools und Metadaten
+3. **PASSENDE DRINGLICHKEIT**: Schnelle Szenarien brauchen schnelle Methoden, nicht tiefe Analyse-Tools
+4. **PASSENDE SPEZIFITÄT**: Spezialisierte Szenarien brauchen spezialisierte Tools, nicht generische
+5. **BERÜCKSICHTIGEN SIE DEN TYP**: Methoden bieten prozedurale Anleitung, Software bietet technische Fähigkeiten
+
+Wählen Sie die relevantesten Elemente aus (max ${maxSelectedItems} insgesamt).
+
+Antworten Sie NUR mit diesem JSON-Format:
+{
+  "selectedTools": ["Tool Name 1", "Tool Name 2", ...],
+  "selectedConcepts": ["Konzept Name 1", "Konzept Name 2", ...],
+  "reasoning": "Detaillierte Erklärung, warum diese spezifischen Tools für diese Anfrage ausgewählt wurden, und warum bestimmte populäre Tools NICHT ausgewählt wurden, falls sie für den Szenario-Kontext ungeeignet waren"
+}`;
+  },
+
+  scenarioAnalysis: (isWorkflow: boolean, userQuery: string) => {
+    const analysisType = isWorkflow ? 'forensische Szenario' : 'technische Problem';
+    const considerations = isWorkflow ? 
+      `- Angriffsvektoren und Bedrohungsmodellierung nach MITRE ATT&CK
+- Betroffene Systeme und kritische Infrastrukturen
+- Zeitkritische Faktoren und Beweiserhaltung
+- Forensische Artefakte und Datenquellen` :
+      `- Spezifische forensische Herausforderungen
+- Verfügbare Datenquellen und deren Integrität
+- Methodische Anforderungen für rechtssichere Analyse`;
+
+    return `Sie sind ein erfahrener DFIR-Experte. Analysieren Sie das folgende ${analysisType}.
+
+${isWorkflow ? 'FORENSISCHES SZENARIO' : 'TECHNISCHES PROBLEM'}: "${userQuery}"
+
+Führen Sie eine systematische ${isWorkflow ? 'Szenario-Analyse' : 'Problem-Analyse'} durch und berücksichtigen Sie dabei:
+
+${considerations}
+
+WICHTIG: Antworten Sie NUR in fließendem deutschen Text ohne Listen, Aufzählungen oder Markdown-Formatierung. Maximum 150 Wörter.`;
+  },
+
+  investigationApproach: (isWorkflow: boolean, userQuery: string) => {
+    const approachType = isWorkflow ? 'Untersuchungsansatz' : 'Lösungsansatz';
+    const considerations = isWorkflow ?
+      `- Triage-Prioritäten nach forensischer Dringlichkeit
+- Phasenabfolge nach NIST-Methodik
+- Kontaminationsvermeidung und forensische Isolierung` :
+      `- Methodik-Auswahl nach wissenschaftlichen Kriterien
+- Validierung und Verifizierung der gewählten Ansätze
+- Integration in bestehende forensische Workflows`;
+
+    return `Basierend auf der Analyse entwickeln Sie einen fundierten ${approachType} nach NIST SP 800-86 Methodik.
+
+${isWorkflow ? 'SZENARIO' : 'PROBLEM'}: "${userQuery}"
+
+Entwickeln Sie einen systematischen ${approachType} unter Berücksichtigung von:
+
+${considerations}
+
+WICHTIG: Antworten Sie NUR in fließendem deutschen Text ohne Listen oder Markdown. Maximum 150 Wörter.`;
+  },
+
+  criticalConsiderations: (isWorkflow: boolean, userQuery: string) => {
+    const considerationType = isWorkflow ? 'kritische forensische Überlegungen' : 'wichtige methodische Voraussetzungen';
+    const aspects = isWorkflow ?
+      `- Time-sensitive evidence preservation
+- Chain of custody requirements und rechtliche Verwertbarkeit
+- Incident containment vs. evidence preservation Dilemma
+- Privacy- und Compliance-Anforderungen` :
+      `- Tool-Validierung und Nachvollziehbarkeit
+- False positive/negative Risiken bei der gewählten Methodik
+- Qualifikationsanforderungen für die Durchführung
+- Dokumentations- und Reporting-Standards`;
+
+    return `Identifizieren Sie ${considerationType} für diesen Fall.
+
+${isWorkflow ? 'SZENARIO' : 'PROBLEM'}: "${userQuery}"
+
+Berücksichtigen Sie folgende forensische Aspekte:
+
+${aspects}
+
+WICHTIG: Antworten Sie NUR in fließendem deutschen Text ohne Listen oder Markdown. Maximum 120 Wörter.`;
+  },
+
+  phaseToolSelection: (userQuery: string, phase: any, phaseTools: any[]) => {
+    return `Wählen Sie 2-3 Methoden/Tools für die Phase "${phase.name}" und bewerten Sie deren Aufgaben-Eignung VERGLEICHEND.
+
+SZENARIO: "${userQuery}"
+SPEZIFISCHE PHASE: ${phase.name} - ${phase.description || 'Forensische Untersuchungsphase'}
+
+VERFÜGBARE TOOLS FÜR ${phase.name.toUpperCase()}:
+${phaseTools.map((tool: any, index: number) => `${index + 1}. ${tool.name}: ${tool.description.slice(0, 150)}...
+  - Plattformen: ${tool.platforms?.join(', ') || 'N/A'}
+  - Skill Level: ${tool.skillLevel}
+  - Tags: ${tool.tags?.join(', ') || 'N/A'}`).join('\n\n')}
+
+Bewerten Sie ALLE Tools vergleichend für diese spezifische Aufgabe UND Phase. Wählen Sie die 2-3 besten aus.
+
+BEWERTUNGSKRITERIEN:
+- Wie gut löst das Tool das forensische Problem im SZENARIO-Kontext?
+- Wie gut passt es zur spezifischen PHASE "${phase.name}"?
+- Wie vergleicht es sich mit den anderen verfügbaren Tools für diese Phase?
+
+Antworten Sie AUSSCHLIESSLICH mit diesem JSON-Format:
+[
+  {
+    "toolName": "Exakter Tool-Name",
+    "taskRelevance": 85,
+    "justification": "Vergleichende Begründung warum dieses Tool für diese Phase und Aufgabe besser/schlechter als die anderen geeignet ist",
+    "limitations": ["Spezifische Einschränkung 1", "Einschränkung 2"]
+  }
+]
+
+WICHTIG:
+- taskRelevance: 0-100 Score basierend auf Szenario-Eignung UND Phasen-Passung im VERGLEICH zu anderen Tools
+- Nur die 2-3 BESTEN Tools auswählen und bewerten
+- justification soll VERGLEICHEND sein ("besser als X weil...", "für diese Phase ideal weil...")`;
+  },
+
+  toolEvaluation: (userQuery: string, tool: any, rank: number, taskRelevance: number) => {
+    return `Sie sind ein DFIR-Experte. Erklären Sie DETAILLIERT die Anwendung dieses bereits bewerteten Tools.
+
+PROBLEM: "${userQuery}"
+TOOL: ${tool.name} (bereits bewertet mit ${taskRelevance}% Aufgaben-Eignung)
+BESCHREIBUNG: ${tool.description}
+
+Das Tool wurde bereits als Rang ${rank} für diese Aufgabe bewertet. Erklären Sie nun:
+
+Antworten Sie AUSSCHLIESSLICH mit diesem JSON-Format:
+{
+  "detailed_explanation": "Detaillierte Erklärung warum und wie dieses Tool für diese spezifische Aufgabe eingesetzt wird",
+  "implementation_approach": "Konkrete Schritt-für-Schritt Anleitung zur korrekten Anwendung",
+  "pros": ["Spezifischer Vorteil 1", "Spezifischer Vorteil 2"],
+  "limitations": ["Spezifische Einschränkung 1", "Spezifische Einschränkung 2"],
+  "alternatives": "Alternative Ansätze oder Tools falls dieses nicht verfügbar ist"
+}
+
+WICHTIG: 
+- Keine erneute Bewertung - nur detaillierte Erklärung der bereits bewerteten Eignung
+- "limitations" soll spezifische technische/methodische Einschränkungen des Tools auflisten
+- "pros" soll die Stärken für diese spezifische Aufgabe hervorheben`;
+  },
+
+  backgroundKnowledgeSelection: (userQuery: string, mode: string, selectedToolNames: string[], availableConcepts: any[]) => {
+    return `Wählen Sie relevante forensische Konzepte für das Verständnis der empfohlenen Methodik.
+
+${mode === 'workflow' ? 'SZENARIO' : 'PROBLEM'}: "${userQuery}"
+EMPFOHLENE TOOLS: ${selectedToolNames.join(', ')}
+
+VERFÜGBARE KONZEPTE:
+${availableConcepts.slice(0, 15).map((concept: any) => `- ${concept.name}: ${concept.description.slice(0, 80)}...`).join('\n')}
+
+Wählen Sie 2-4 Konzepte aus, die für das Verständnis der forensischen Methodik essentiell sind.
+
+Antworten Sie AUSSCHLIESSLICH mit diesem JSON-Format:
+[
+  {
+    "conceptName": "Exakter Konzept-Name",
+    "relevance": "Forensische Relevanz: Warum dieses Konzept für das Verständnis der Methodik kritisch ist"
+  }
+]`;
+  },
+
+  finalRecommendations: (isWorkflow: boolean, userQuery: string, selectedToolNames: string[]) => {
+    const prompt = isWorkflow ? 
+      `Erstellen Sie eine Workflow-Empfehlung basierend auf DFIR-Prinzipien.
+
+SZENARIO: "${userQuery}"
+AUSGEWÄHLTE TOOLS: ${selectedToolNames.join(', ') || 'Keine Tools ausgewählt'}
+
+Erstellen Sie konkrete methodische Workflow-Schritte für dieses spezifische Szenario unter Berücksichtigung forensischer Best Practices, Objektivität und rechtlicher Verwertbarkeit.
+
+WICHTIG: Antworten Sie NUR in fließendem deutschen Text ohne Listen oder Markdown. Maximum 120 Wörter.` :
+      
+      `Erstellen Sie wichtige methodische Überlegungen für die korrekte Methoden-/Tool-Anwendung.
+
+PROBLEM: "${userQuery}"
+EMPFOHLENE TOOLS: ${selectedToolNames.join(', ') || 'Keine Methoden/Tools ausgewählt'}
+
+Geben Sie kritische methodische Überlegungen, Validierungsanforderungen und Qualitätssicherungsmaßnahmen für die korrekte Anwendung der empfohlenen Methoden/Tools.
+
+WICHTIG: Antworten Sie NUR in fließendem deutschen Text ohne Listen oder Markdown. Maximum 100 Wörter.`;
+
+    return prompt;
+  }
+} as const;
+
+export function getPrompt(key: 'toolSelection', mode: string, userQuery: string, selectionMethod: string, maxSelectedItems: number): string;
+export function getPrompt(key: 'scenarioAnalysis', isWorkflow: boolean, userQuery: string): string;
+export function getPrompt(key: 'investigationApproach', isWorkflow: boolean, userQuery: string): string;
+export function getPrompt(key: 'criticalConsiderations', isWorkflow: boolean, userQuery: string): string;
+export function getPrompt(key: 'phaseToolSelection', userQuery: string, phase: any, phaseTools: any[]): string;
+export function getPrompt(key: 'toolEvaluation', userQuery: string, tool: any, rank: number, taskRelevance: number): string;
+export function getPrompt(key: 'backgroundKnowledgeSelection', userQuery: string, mode: string, selectedToolNames: string[], availableConcepts: any[]): string;
+export function getPrompt(key: 'finalRecommendations', isWorkflow: boolean, userQuery: string, selectedToolNames: string[]): string;
+export function getPrompt(promptKey: keyof typeof AI_PROMPTS, ...args: any[]): string {
+  try {
+    const promptFunction = AI_PROMPTS[promptKey];
+    if (typeof promptFunction === 'function') {
+      return (promptFunction as (...args: any[]) => string)(...args);
+    } else {
+      console.error(`[PROMPTS] Invalid prompt key: ${promptKey}`);
+      return 'Error: Invalid prompt configuration';
+    }
+  } catch (error) {
+    console.error(`[PROMPTS] Error generating prompt ${promptKey}:`, error);
+    return 'Error: Failed to generate prompt';
+  }
+}
\ No newline at end of file
diff --git a/src/data/tools.yaml b/src/data/tools.yaml
index fae358a..808b804 100644
--- a/src/data/tools.yaml
+++ b/src/data/tools.yaml
@@ -113,64 +113,6 @@ tools:
     accessType: download
     license: VSL
     knowledgebase: false
-  - name: TheHive 5
-    icon: 🐝
-    type: software
-    description: >-
-      Die zentrale Incident-Response-Plattform orchestriert komplexe 
-      Sicherheitsvorfälle vom ersten Alert bis zum Abschlussbericht. Jeder Case 
-      wird strukturiert durch Observables (IOCs), Tasks und Zeitleisten 
-      abgebildet. Die Cortex-Integration automatisiert Analysen durch Dutzende 
-      Analyzer - von VirusTotal-Checks bis Sandbox-Detonation. 
-      MISP-Synchronisation reichert Cases mit Threat-Intelligence an. Das 
-      ausgeklügelte Rollen- und Rechtesystem ermöglicht sichere Zusammenarbeit 
-      zwischen SOC-Analysten, Forensikern und Management. Templates 
-      standardisieren Response-Prozesse nach Incident-Typ. Die RESTful API 
-      integriert nahtlos mit SIEM, SOAR und Ticketing-Systemen. Metrics und
-      KPIs  messen die Team-Performance. Die Community Edition bleibt kostenlos
-      für  kleinere Teams, während Gold/Platinum-Lizenzen Enterprise-Features
-      bieten.
-    domains:
-      - incident-response
-      - static-investigations
-      - malware-analysis
-      - network-forensics
-      - fraud-investigation
-    phases:
-      - data-collection
-      - examination
-      - analysis
-      - reporting
-    platforms:
-      - Web
-    related_software:
-      - MISP
-      - Cortex
-      - Elasticsearch
-    domain-agnostic-software:
-      - collaboration-general
-    skillLevel: intermediate
-    accessType: server-based
-    url: https://strangebee.com/thehive/
-    projectUrl: ''
-    license: Community Edition (Discontinued) / Commercial
-    knowledgebase: false
-    statusUrl: https://uptime.example.lab/api/badge/1/status
-    tags:
-      - web-interface
-      - case-management
-      - collaboration
-      - api
-      - workflow
-      - multi-user-support
-      - cortex-analyzer
-      - misp-integration
-      - playbooks
-      - metrics
-      - rbac
-      - template-driven
-    related_concepts:
-      - Digital Evidence Chain of Custody
   - name: MISP
     icon: 🌐
     type: software
@@ -223,7 +165,6 @@ tools:
     related_concepts:
       - Hash Functions & Digital Signatures
     related_software:
-      - TheHive 5
       - Cortex
       - OpenCTI
   - name: DFIR-IRIS
@@ -260,7 +201,6 @@ tools:
     platforms:
       - Web
     related_software:
-      - TheHive 5
       - MISP
       - OpenCTI
     domain-agnostic-software:
@@ -3427,6 +3367,244 @@ tools:
     accessType: download
     license: "MPL\_/ AGPL"
     knowledgebase: false
+  - name: ShadowExplorer
+    icon: 🗂️
+    type: software
+    description: >-
+      Das schlanke Windows-Tool macht Volume-Shadow-Copy-Snapshots auch in Home-Editionen sichtbar und erlaubt das komfortable Durchstöbern sowie Wiederherstellen früherer Datei-Versionen. Damit lassen sich versehentlich gelöschte oder überschriebene Dateien in Sekunden zurückholen – geeignet für schnelle Triage und klassische Datenträgerforensik.
+    domains:
+      - static-investigations
+      - incident-response
+    phases:
+      - examination
+      - analysis
+    platforms:
+      - Windows
+    related_software:
+      - OSFMount
+      - PhotoRec
+    domain-agnostic-software: null
+    skillLevel: novice
+    accessType: download
+    url: https://www.shadowexplorer.com/
+    license: Freeware
+    knowledgebase: false
+    tags:
+      - gui
+      - shadow-copy
+      - snapshot-browsing
+      - file-recovery
+      - previous-versions
+      - scenario:file_recovery
+      - point-in-time-restore
+    related_concepts:
+      - Digital Evidence Chain of Custody
+
+
+  - name: Sonic Visualiser
+    icon: 🎵
+    type: software
+    description: >-
+      Die Open-Source-Audio-Analyse-Suite wird in der Forensik eingesetzt,
+      um Wave- und Kompressionsformate bis auf Sample-Ebene zu untersuchen.
+      Spektrogramm-Visualisierung, Zeit-/Frequenz-Annotationen und
+      Transkriptions-Plugins (Vamp) helfen, Manipulationen wie
+      Bandpass-Filter, Time-Stretching oder Insert-Edits nachzuweisen.
+      FFT- und Mel-Spectral-Views decken versteckte Audio-Watermarks oder
+      Steganografie auf. Export-Funktionen in CSV/JSON erlauben die
+      Weiterverarbeitung in Python-Notebooks oder SIEM-Pipelines.
+      Ideal für Voice-Authentication-Checks, Deep-Fake-Erkennung
+      und Beweisaufbereitung vor Gericht.
+    skillLevel: intermediate
+    url: https://www.sonicvisualiser.org/
+    domains:
+      - static-investigations
+      - fraud-investigation
+    phases:
+      - examination
+      - analysis
+      - reporting
+    platforms:
+      - Windows
+      - Linux
+      - macOS
+    accessType: download
+    license: GPL-2.0
+    knowledgebase: false
+    tags:
+      - gui
+      - audio-forensics
+      - spectrogram
+      - plugin-support
+      - annotation
+      - csv-export
+    related_concepts: []
+    related_software:
+      - Audacity
+
+  - name: Dissect
+    icon: 🧩
+    type: software
+    description: >-
+      Fox-ITs Python-Framework abstrahiert Windows- und Linux-Speicherabbilder
+      in virtuelle Objekte (Prozesse, Dateien, Registry, Kernel-Strukturen),
+      ohne zuvor ein Profil definieren zu müssen. Modularer
+      Hypervisor-Layer erlaubt das Mounten und gleichzeitige Analysieren
+      mehrerer Memory-Dumps – perfekt für großflächige Incident-Response.
+      Plugins dekodieren PTEs, handle tables, APC-Queues und liefern
+      YARA-kompatible Scans. Die Zero-Copy-Architektur beschleunigt Queries auf
+      Multi-GB-Images signifikant. Unterstützt Windows 11 24H2-Kernel sowie
+      Linux 6.x-schichten ab Juli 2025.
+    skillLevel: advanced
+    url: https://github.com/fox-it/dissect
+    domains:
+      - incident-response
+      - malware-analysis
+      - static-investigations
+    phases:
+      - examination
+      - analysis
+    platforms:
+      - Windows
+      - Linux
+      - macOS
+    accessType: download
+    license: Apache 2.0
+    knowledgebase: false
+    tags:
+      - command-line
+      - memory-analysis
+      - plugin-support
+      - python-library
+      - zero-copy
+      - profile-less
+    related_concepts:
+      - Regular Expressions (Regex)
+    related_software:
+      - Volatility 3
+      - Rekall
+
+  - name: Docker Explorer
+    icon: 🐳
+    type: software
+    description: >-
+      Googles Forensik-Toolkit zerlegt Offline-Docker-Volumes und
+      Overlay-Dateisysteme ohne laufenden Daemon. Es extrahiert
+      Container-Config, Image-Layer, ENV-Variablen, Mounted-Secrets
+      und schreibt Timeline-fähige Metadata-JSONs. Unterstützt btrfs,
+      overlay2 und zfs Storage-Driver sowie Docker Desktop (macOS/Windows).
+      Perfekt, um bösartige Images nach Supply-Chain-Attacken zu enttarnen
+      oder flüchtige Container nach einem Incident nachträglich zu analysieren.
+    skillLevel: intermediate
+    url: https://github.com/google/docker-explorer
+    domains:
+      - cloud-forensics
+      - incident-response
+      - static-investigations
+    phases:
+      - data-collection
+      - examination
+      - analysis
+    platforms:
+      - Linux
+      - macOS
+      - Windows
+    accessType: download
+    license: Apache 2.0
+    knowledgebase: false
+    tags:
+      - command-line
+      - container-forensics
+      - docker
+      - timeline
+      - json-export
+      - supply-chain
+    related_concepts: []
+    related_software:
+      - Velociraptor
+      - osquery
+
+  - name: Ghiro
+    icon: 🖼️
+    type: software
+    description: >-
+      Die Web-basierte Bild­forensik-Plattform automatisiert EXIF-Analyse,
+      Hash-Matching, Error-Level-Evaluation (ELA) und
+      Steganografie-Erkennung für große Dateibatches. Unterstützt
+      Gesichts- und NSFW-Detection sowie GPS-Reverse-Geocoding für
+      Bewegungsprofile. Reports sind gerichtsfest
+      versioniert, REST-API und Celery-Worker skalieren auf
+      Millionen Bilder – ideal für CSAM-Ermittlungen oder Fake-News-Prüfung.
+    skillLevel: intermediate
+    url: https://getghiro.org/
+    domains:
+      - static-investigations
+      - fraud-investigation
+      - mobile-forensics
+    phases:
+      - examination
+      - analysis
+      - reporting
+    platforms:
+      - Web
+      - Linux
+    accessType: server-based
+    license: GPL-2.0
+    knowledgebase: false
+    tags:
+      - web-interface
+      - image-forensics
+      - exif-analysis
+      - steganography
+      - nsfw-detection
+      - batch-processing
+    related_concepts:
+      - Hash Functions & Digital Signatures
+    related_software:
+      - ExifTool
+      - PhotoRec
+
+  - name: Sherloq
+    icon: 🔍
+    type: software
+    description: >-
+      Das Python-GUI-Toolkit für visuelle Datei-Analyse kombiniert
+      klassische Reverse-Steganografie-Techniken (LSB, Palette-Tweaking,
+      DCT-Coefficient-Scanning) mit modernen CV-Algorithmen.
+      Heatmaps und Histogramm-Diffs zeigen Manipulations-Hotspots,
+      während eine „Carve-All-Layers“-Funktion versteckte Daten in PNG,
+      JPEG, BMP, GIF und Audio-Spectra aufspürt. Plugins für zsteg,
+      binwalk und exiftool erweitern die Pipeline.
+      Eine Must-have-Ergänzung zu Ghidra & friends, wenn
+      Malware Dateien als Dead-Drop nutzt.
+    skillLevel: intermediate
+    url: https://github.com/GuidoBartoli/sherloq
+    domains:
+      - malware-analysis
+      - static-investigations
+    phases:
+      - examination
+      - analysis
+    platforms:
+      - Windows
+      - Linux
+      - macOS
+    accessType: download
+    license: MIT
+    knowledgebase: false
+    tags:
+      - gui
+      - image-forensics
+      - steganography
+      - lsb-extraction
+      - histogram-analysis
+      - plugin-support
+    related_concepts:
+      - Regular Expressions (Regex)
+    related_software:
+      - Ghiro
+      - CyberChef
+
   - name: Cortex
     type: software
     description: >-
@@ -3797,7 +3975,7 @@ tools:
   - name: KAPE
     type: software
     description: >-
-      Kroll Artifact Parser and Extractor revolutioniert Windows-Forensik durch 
+      Kroll Artifact Parser and Extractor versucht sich an Windows-Forensik durch 
       intelligente Ziel-basierte Sammlung. Statt Full-Disk-Images extrahiert
       KAPE  gezielt kritische Artefakte: Registry-Hives, Event-Logs, Prefetch,
       Browser- Daten, Scheduled-Tasks in Minuten statt Stunden. Die Target-Files
@@ -3805,12 +3983,10 @@ tools:
       Besonders clever:  Compound-Targets gruppieren zusammengehörige Artefakte
       (z.B. "Browser" sammelt  Chrome+Firefox+Edge), die gKAPE-GUI macht es auch
       für Nicht-Techniker  zugänglich. Batch-Mode verarbeitet mehrere Images
-      parallel. Output direkt  kompatibel zu Timeline-Tools wie Plaso. Die
-      ständigen Community-Updates  halten mit Windows-Entwicklungen Schritt.
+      parallel. Output direkt  kompatibel zu Timeline-Tools wie Plaso. 
       VSS-Processing analysiert Shadow- Copies automatisch. Der
-      Remote-Collection-Mode sammelt über Netzwerk.  Kostenlos aber
-      Enterprise-Support verfügbar. Der neue Standard für effiziente 
-      Windows-Forensik-Triage.
+      Remote-Collection-Mode sammelt über Netzwerk.  Kostenlos (mit Registrierung) aber
+      Enterprise-Support verfügbar.
     skillLevel: intermediate
     url: https://www.kroll.com/kape
     icon: 🧰
@@ -3825,7 +4001,7 @@ tools:
     platforms:
       - Windows
     accessType: download
-    license: Freeware
+    license: Proprietary
     knowledgebase: false
   - name: Kibana
     type: software
diff --git a/src/pages/api/ai/enhance-input.ts b/src/pages/api/ai/enhance-input.ts
index d21c317..1ebb2a8 100644
--- a/src/pages/api/ai/enhance-input.ts
+++ b/src/pages/api/ai/enhance-input.ts
@@ -1,4 +1,5 @@
-// src/pages/api/ai/enhance-input.ts - ENHANCED with forensics methodology
+// src/pages/api/ai/enhance-input.ts - Enhanced AI service compatibility
+
 import type { APIRoute } from 'astro';
 import { withAPIAuth } from '../../../utils/auth.js';
 import { apiError, apiServerError, createAuthErrorResponse } from '../../../utils/api.js';
@@ -15,12 +16,12 @@ function getEnv(key: string): string {
 }
 
 const AI_ENDPOINT = getEnv('AI_ANALYZER_ENDPOINT');
-const AI_API_KEY = getEnv('AI_ANALYZER_API_KEY');
-const AI_MODEL = getEnv('AI_ANALYZER_MODEL');
+const AI_ANALYZER_API_KEY = getEnv('AI_ANALYZER_API_KEY');
+const AI_ANALYZER_MODEL = getEnv('AI_ANALYZER_MODEL');
 
 const rateLimitStore = new Map<string, { count: number; resetTime: number }>();
 const RATE_LIMIT_WINDOW = 60 * 1000; // 1 minute
-const RATE_LIMIT_MAX = 5; 
+const RATE_LIMIT_MAX = 5;
 
 function sanitizeInput(input: string): string {
   return input
@@ -93,6 +94,39 @@ ${input}
   `.trim();
 }
 
+async function callAIService(prompt: string): Promise<Response> {
+  const endpoint = AI_ENDPOINT;
+  const apiKey = AI_ANALYZER_API_KEY;
+  const model = AI_ANALYZER_MODEL;
+  
+  let headers: Record<string, string> = {
+    'Content-Type': 'application/json'
+  };
+  
+  if (apiKey) {
+    headers['Authorization'] = `Bearer ${apiKey}`;
+    console.log('[ENHANCE API] Using API key authentication');
+  } else {
+    console.log('[ENHANCE API] No API key - making request without authentication');
+  }
+  
+  const requestBody = {
+    model,
+    messages: [{ role: 'user', content: prompt }],
+    max_tokens: 300,
+    temperature: 0.7,
+    top_p: 0.9,
+    frequency_penalty: 0.2,
+    presence_penalty: 0.1
+  };
+  
+  return fetch(`${endpoint}/v1/chat/completions`, {
+    method: 'POST',
+    headers,
+    body: JSON.stringify(requestBody)
+  });
+}
+
 export const POST: APIRoute = async ({ request }) => {
   try {
     const authResult = await withAPIAuth(request, 'ai');
@@ -121,31 +155,11 @@ export const POST: APIRoute = async ({ request }) => {
     const systemPrompt = createEnhancementPrompt(sanitizedInput);
     const taskId = `enhance_${userId}_${Date.now()}_${Math.random().toString(36).substr(2, 4)}`;
     
-    const aiResponse = await enqueueApiCall(() =>
-      fetch(`${AI_ENDPOINT}/v1/chat/completions`, {
-        method: 'POST',
-        headers: {
-          'Content-Type': 'application/json',
-          'Authorization': `Bearer ${AI_API_KEY}`
-        },
-        body: JSON.stringify({
-          model: AI_MODEL,
-          messages: [
-            {
-              role: 'user',
-              content: systemPrompt
-            }
-          ],
-          max_tokens: 300,
-          temperature: 0.7,
-          top_p: 0.9,
-          frequency_penalty: 0.2,
-          presence_penalty: 0.1
-        })
-      }), taskId);
+    const aiResponse = await enqueueApiCall(() => callAIService(systemPrompt), taskId);
 
     if (!aiResponse.ok) {
-      console.error('AI enhancement error:', await aiResponse.text());
+      const errorText = await aiResponse.text();
+      console.error('[ENHANCE API] AI enhancement error:', errorText, 'Status:', aiResponse.status);
       return apiServerError.unavailable('Enhancement service unavailable');
     }
 
@@ -188,13 +202,13 @@ export const POST: APIRoute = async ({ request }) => {
       questions = [];
     }
 
-    console.log(`[AI Enhancement] User: ${userId}, Forensics Questions: ${questions.length}, Input length: ${sanitizedInput.length}`);
+    console.log(`[ENHANCE API] User: ${userId}, Forensics Questions: ${questions.length}, Input length: ${sanitizedInput.length}`);
 
     return new Response(JSON.stringify({
       success: true,
       questions,
       taskId,
-      inputComplete: questions.length === 0 // Flag to indicate if input seems complete
+      inputComplete: questions.length === 0 
     }), {
       status: 200,
       headers: { 'Content-Type': 'application/json' }
diff --git a/src/pages/index.astro b/src/pages/index.astro
index afa9d45..b5c8c35 100644
--- a/src/pages/index.astro
+++ b/src/pages/index.astro
@@ -21,6 +21,39 @@ const phases = data.phases;
       Systematische digitale Forensik nach bewährter NIST SP 800-86 Methodik.<br>
       Wählen Sie Ihren Ansatz für die Werkzeugauswahl:
     </p>
+        <div class="ai-hero-spotlight">
+          <div class="ai-spotlight-content">
+            <div class="ai-spotlight-icon">
+              <svg width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
+                <path d="M9 11H5a2 2 0 0 0-2 2v7a2 2 0 0 0 2 2h14a2 2 0 0 0 2-2v-7a2 2 0 0 0-2-2h-4"/>
+                <path d="M9 11V7a3 3 0 0 1 6 0v4"/>
+                <circle cx="12" cy="12" r="2"/>
+              </svg>
+            </div>
+            <div class="ai-spotlight-text">
+              <h3>Forensic AI-Beratung</h3>
+              <p>Analyse des Untersuchungsszenarios mit Empfehlungen zum Vorgehen</p>
+            </div>
+          </div>
+          
+          <button id="ai-query-btn" class="btn btn-accent btn-lg ai-primary-btn">
+            <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
+              <path d="M9 11H5a2 2 0 0 0-2 2v7a2 2 0 0 0 2 2h14a2 2 0 0 0 2-2v-7a2 2 0 0 0-2-2h-4"/>
+              <path d="M9 11V7a3 3 0 0 1 6 0v4"/>
+            </svg>
+            KI-Beratung starten
+            <svg width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" class="ml-2">
+              <line x1="7" y1="17" x2="17" y2="7"/>
+              <polyline points="7,7 17,7 17,17"/>
+            </svg>
+          </button>
+          
+          <div class="ai-features-mini">
+            <span class="badge badge-secondary">Workflow-Empfehlungen</span>
+            <span class="badge badge-secondary">Transparenz</span>
+            <span class="badge badge-secondary">Sofortige Analyse</span>
+          </div>
+        </div>
 
     <div class="approach-selector">
       <div class="approach-card methodology" onclick="selectApproach('methodology')">
@@ -63,7 +96,7 @@ const phases = data.phases;
         Teilnehmer der Seminargruppe CC24-w1 (oder andere Berechtigte) können die gehostete Infrastruktur nutzen.
         <a href="/about#support">Kontakt bei Problemen</a>
       </p>
-      
+
       <div class="quick-actions">
         <a href="/about" class="btn btn-secondary">
           <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
@@ -74,14 +107,6 @@ const phases = data.phases;
           Infos, SSO & Zugang
         </a>
         
-        <button id="ai-query-btn" class="btn btn-accent">
-          <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
-            <path d="M9 11H5a2 2 0 0 0-2 2v7a2 2 0 0 0 2 2h14a2 2 0 0 0 2-2v-7a2 2 0 0 0-2-2h-4"/>
-            <path d="M9 11V7a3 3 0 0 1 6 0v4"/>
-          </svg>
-          KI-Beratung
-        </button>
-        
         <a href="/contribute" class="btn" style="background-color: var(--color-warning); color: white; border-color: var(--color-warning);" data-contribute-button="new">
           <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
             <path d="M16 21v-2a4 4 0 0 0-4-4H5a4 4 0 0 0-4 4v2"/>
@@ -182,7 +207,9 @@ const phases = data.phases;
     document.querySelectorAll('.approach-card').forEach(card => {
       card.classList.remove('selected');
     });
-    document.querySelector(`.approach-card.${approach}`).classList.add('selected');
+    
+    const selectedCard = document.querySelector(`.approach-card.${approach}`);
+    if (selectedCard) selectedCard.classList.add('selected');
     
     if (approach === 'methodology') {
       const methodologySection = document.getElementById('methodology-section');
@@ -239,60 +266,49 @@ const phases = data.phases;
     }
     
     if (aiQueryBtn) {
-      aiQueryBtn.addEventListener('click', async () => {
-        if (typeof window.requireClientAuth === 'function') {
-          await window.requireClientAuth(() => switchToView('ai'), `${window.location.pathname}?view=ai`, 'ai');
+      aiQueryBtn.addEventListener('click', () => {
+        aiQueryBtn.classList.add('activated');
+        setTimeout(() => aiQueryBtn.classList.remove('activated'), 400);
+        
+        switchToView('ai');
+        
+        window.dispatchEvent(new CustomEvent('viewChanged', { detail: 'ai' }));
+        
+        if (window.scrollToElementById) {
+          window.scrollToElementById('ai-interface');
         } else {
-          console.warn('[AUTH] requireClientAuth not available');
-          switchToView('ai');
+          aiInterface.scrollIntoView({ behavior: 'smooth', block: 'start' });
         }
       });
     }
 
-    function switchToView(view) {
-      toolsGrid.style.display = 'none';
-      matrixContainer.style.display = 'none';
-      aiInterface.style.display = 'none';
-      filtersSection.style.display = 'none';
-
-      const viewToggles = document.querySelectorAll('.view-toggle');
-      viewToggles.forEach(btn => {
-        btn.classList.toggle('active', btn.getAttribute('data-view') === view);
-      });
-
-      switch (view) {
-        case 'ai':
-          aiInterface.style.display = 'block';
-          filtersSection.style.display = 'block';
-          hideFilterControls();
-          if (window.restoreAIResults) {
-            window.restoreAIResults();
-          }
-          const aiInput = document.getElementById('ai-query-input');
-          if (aiInput) {
-            setTimeout(() => aiInput.focus(), 100);
-          }
-          break;
-        case 'matrix':
-          matrixContainer.style.display = 'block';
-          filtersSection.style.display = 'block';
-          showFilterControls();
-          break;
-        default: 
-          toolsGrid.style.display = 'block';
-          filtersSection.style.display = 'block';
-          showFilterControls();
-          break;
-      }
-
-      setTimeout(() => {
-        window.scrollToElementById('filters-section');
-      }, 150);
-
-      if (window.location.search) {
-        window.history.replaceState({}, '', window.location.pathname);
-      }
+  function switchToView(view) {
+    const toolsGrid = document.getElementById('tools-grid');
+    const matrixContainer = document.getElementById('matrix-container');
+    const aiInterface = document.getElementById('ai-interface');
+    const filtersSection = document.getElementById('filters-section');
+    const noResults = document.getElementById('no-results');
+    
+    if (toolsGrid) toolsGrid.style.display = 'none';
+    if (matrixContainer) matrixContainer.style.display = 'none';
+    if (aiInterface) aiInterface.style.display = 'none';
+    if (filtersSection) filtersSection.style.display = 'none';
+    if (noResults) noResults.style.display = 'none';
+    
+    switch (view) {
+      case 'grid':
+        if (toolsGrid) toolsGrid.style.display = 'block';
+        if (filtersSection) filtersSection.style.display = 'block';
+        break;
+      case 'matrix':
+        if (matrixContainer) matrixContainer.style.display = 'block';
+        if (filtersSection) filtersSection.style.display = 'block';
+        break;
+      case 'ai':
+        if (aiInterface) aiInterface.style.display = 'block';
+        break;
     }
+  }
 
     function hideFilterControls() {
       const filterSections = document.querySelectorAll('.filter-section');
diff --git a/src/styles/global copy.css b/src/styles/global copy.css
deleted file mode 100644
index 4f1952f..0000000
--- a/src/styles/global copy.css	
+++ /dev/null
@@ -1,2920 +0,0 @@
-/* CSS Reset and Base Styles */
-*,
-*::before,
-*::after {
-  box-sizing: border-box;
-  margin: 0;
-  padding: 0;
-}
-
-/* CSS Variables for Theming */
-:root {
-  /* Light Theme Colors */
-  --color-bg: #fff;
-  --color-bg-secondary: #f8fafc;
-  --color-bg-tertiary: #e2e8f0;
-  --color-text: #1e293b;
-  --color-text-secondary: #64748b;
-  --color-border: #cbd5e1;
-  --color-primary: #2563eb;
-  --color-primary-hover: #1d4ed8;
-  --color-accent: #059669;
-  --color-accent-hover: #047857;
-  --color-warning: #d97706;
-  --color-error: #dc2626;
-  
-  /* Enhanced card type colors */
-  --color-hosted: #7c3aed;
-  --color-hosted-bg: #f3f0ff;
-  --color-oss: #059669;
-  --color-oss-bg: #ecfdf5;
-  --color-method: #0891b2;
-  --color-method-bg: #f0f9ff;
-  --color-concept: #ea580c;
-  --color-concept-bg: #fff7ed;
-  
-  --shadow-sm: 0 1px 2px 0 rgb(0 0 0 / 5%);
-  --shadow-md: 0 4px 6px -1px rgb(0 0 0 / 10%);
-  --shadow-lg: 0 10px 15px -3px rgb(0 0 0 / 10%);
-  
-  /* Common transitions */
-  --transition-fast: all 0.2s ease;
-  --transition-medium: all 0.3s ease;
-}
-
-[data-theme="dark"] {
-  --color-bg: #0f172a;
-  --color-bg-secondary: #1e293b;
-  --color-bg-tertiary: #334155;
-  --color-text: #f1f5f9;
-  --color-text-secondary: #94a3b8;
-  --color-border: #475569;
-  --color-primary: #3b82f6;
-  --color-primary-hover: #60a5fa;
-  --color-accent: #10b981;
-  --color-accent-hover: #34d399;
-  --color-warning: #f59e0b;
-  --color-error: #f87171;
-  
-  --color-hosted: #a855f7;
-  --color-hosted-bg: #2e1065;
-  --color-oss: #10b981;
-  --color-oss-bg: #064e3b;
-  --color-method: #0891b2;
-  --color-method-bg: #164e63;
-  --color-concept: #f97316;
-  --color-concept-bg: #7c2d12;
-  
-  --shadow-sm: 0 1px 2px 0 rgb(0 0 0 / 30%);
-  --shadow-md: 0 4px 6px -1px rgb(0 0 0 / 40%);
-  --shadow-lg: 0 10px 15px -3px rgb(0 0 0 / 50%);
-}
-
-/* Base Styles */
-html {
-  font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif;
-  font-size: 16px;
-  line-height: 1.6;
-  color: var(--color-text);
-  background-color: var(--color-bg);
-  transition: background-color 0.3s ease, color 0.3s ease;
-}
-
-body {
-  min-height: 100vh;
-  display: flex;
-  flex-direction: column;
-}
-
-/* Typography - Consolidated */
-h1, h2, h3, h4, h5, h6 {
-  font-weight: 600;
-  line-height: 1.25;
-  margin-bottom: 0.5rem;
-}
-
-h1 { font-size: 2.5rem; }
-h2 { font-size: 2rem; }
-h3 { font-size: 1.5rem; }
-h4 { font-size: 1.25rem; }
-h5 { font-size: 1.125rem; }
-h6 { font-size: 1rem; }
-
-p { margin-bottom: 1rem; }
-
-a {
-  color: var(--color-primary);
-  text-decoration: none;
-  transition: var(--transition-fast);
-}
-
-a:hover {
-  color: var(--color-primary-hover);
-  text-decoration: underline;
-}
-
-/* Container */
-.container {
-  width: 100%;
-  max-width: 1280px;
-  margin: 0 auto;
-  padding: 0 1rem;
-}
-
-/* Navigation */
-nav {
-  background-color: var(--color-bg-secondary);
-  border-bottom: 1px solid var(--color-border);
-  position: sticky;
-  top: 0;
-  z-index: 100;
-  overflow-x: hidden;
-}
-
-.nav-wrapper {
-  display: flex;
-  align-items: center;
-  justify-content: space-between;
-  padding: 1rem;
-  max-width: 1280px;
-  margin: 0 auto;
-}
-
-.nav-brand {
-  display: flex;
-  align-items: center;
-  gap: 0.5rem;
-  flex-shrink: 0;
-  text-decoration: none !important;
-  color: var(--color-text) !important;
-  transition: var(--transition-fast);
-}
-
-.nav-brand:hover {
-  text-decoration: none !important;
-  opacity: 0.8;
-  transform: translateY(-1px);
-}
-
-.nav-logo {
-  width: 32px;
-  height: 32px;
-}
-
-/* Logo theme switching */
-.nav-logo-light { display: block; }
-.nav-logo-dark { display: none; }
-
-[data-theme="dark"] .nav-logo-light { display: none; }
-[data-theme="dark"] .nav-logo-dark { display: block; }
-
-.nav-links {
-  display: flex;
-  align-items: center;
-  gap: 2rem;
-  list-style: none;
-  flex-wrap: wrap;
-}
-
-.nav-link {
-  color: var(--color-text);
-  font-weight: 500;
-  transition: var(--transition-fast);
-  white-space: nowrap;
-}
-
-.nav-link:hover {
-  color: var(--color-primary);
-  text-decoration: none;
-}
-
-.nav-link.active {
-  color: var(--color-primary);
-}
-
-/* Consolidated Button System */
-.btn {
-  display: inline-flex;
-  align-items: center;
-  justify-content: center;
-  padding: 0.5rem 1rem;
-  border: 1px solid transparent;
-  border-radius: 0.375rem;
-  font-weight: 500;
-  font-size: 0.875rem;
-  cursor: pointer;
-  transition: var(--transition-fast);
-  text-decoration: none;
-}
-
-.btn:hover { text-decoration: none; }
-
-.btn-primary {
-  background-color: var(--color-primary);
-  color: white;
-}
-
-.btn-primary:hover {
-  background-color: var(--color-primary-hover);
-}
-
-.btn-secondary {
-  background-color: var(--color-bg-secondary);
-  color: var(--color-text);
-  border-color: var(--color-border);
-}
-
-.btn-secondary:hover {
-  background-color: var(--color-bg-tertiary);
-}
-
-.btn-accent {
-  background-color: var(--color-accent);
-  color: white;
-  border-color: var(--color-accent);
-}
-
-.btn-accent:hover {
-  background-color: var(--color-accent-hover);
-  border-color: var(--color-accent-hover);
-}
-
-/* Button sizes */
-.btn-sm {
-  padding: 0.375rem 0.75rem;
-  font-size: 0.8125rem;
-}
-
-.btn-xs {
-  padding: 0.25rem 0.5rem;
-  font-size: 0.75rem;
-}
-
-/* Icon Button */
-.btn-icon {
-  background: none;
-  border: none;
-  color: var(--color-text-secondary);
-  cursor: pointer;
-  padding: 0.25rem;
-  border-radius: 0.25rem;
-  transition: var(--transition-fast);
-  display: inline-flex;
-  align-items: center;
-  justify-content: center;
-}
-
-.btn-icon:hover {
-  color: var(--color-text);
-  background-color: var(--color-bg-secondary);
-}
-
-/* Forms - Consolidated */
-input, select, textarea {
-  width: 100%;
-  padding: 0.5rem 0.75rem;
-  border: 1px solid var(--color-border);
-  border-radius: 0.375rem;
-  background-color: var(--color-bg);
-  color: var(--color-text);
-  font-size: 0.875rem;
-  transition: border-color var(--transition-fast), box-shadow var(--transition-fast);
-}
-
-input:focus, textarea:focus, select:focus {
-  border-color: var(--color-primary);
-  box-shadow: 0 0 0 2px rgba(var(--color-primary-rgb), 0.1);
-  outline: 2px solid var(--color-primary);
-  outline-offset: 2px;
-}
-
-/* Form validation states */
-input:invalid:not(:focus), textarea:invalid:not(:focus), select:invalid:not(:focus) {
-  border-color: var(--color-error);
-}
-
-input:valid:not(:focus), textarea:valid:not(:focus), select:valid:not(:focus) {
-  border-color: var(--color-accent);
-}
-
-select {
-  cursor: pointer;
-  appearance: none;
-  background-image: url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='12' height='12' viewBox='0 0 12 12'%3E%3Cpath fill='%23666' d='M6 9L1 4h10z'/%3E%3C/svg%3E");
-  background-repeat: no-repeat;
-  background-position: right 0.75rem center;
-  padding-right: 2rem;
-}
-
-.checkbox-wrapper {
-  display: flex;
-  align-items: center;
-  gap: 0.5rem;
-  cursor: pointer;
-  transition: var(--transition-fast);
-  user-select: none;
-}
-
-.checkbox-wrapper:hover {
-  background-color: var(--color-bg-secondary);
-  border-radius: 0.25rem;
-}
-
-.checkbox-wrapper input[type="checkbox"] {
-  margin-right: 0.5rem;
-  cursor: pointer;
-}
-
-input[type="checkbox"] {
-  width: 16px;
-  height: 16px;
-  accent-color: var(--color-primary);
-  margin: 0;
-  cursor: pointer;
-}
-
-/* Consolidated Card System */
-.card {
-  background-color: var(--color-bg);
-  border: 1px solid var(--color-border);
-  border-radius: 0.5rem;
-  padding: 1.5rem;
-  box-shadow: var(--shadow-sm);
-  transition: var(--transition-fast);
-}
-
-.card:hover {
-  box-shadow: var(--shadow-md);
-}
-
-/* Card type modifiers using CSS custom properties for DRY */
-.card-hosted {
-  background-color: var(--color-hosted-bg);
-  border-color: var(--color-hosted);
-  box-shadow: 0 0 0 1px var(--color-hosted);
-}
-
-.card-oss {
-  background-color: var(--color-oss-bg);
-  border-color: var(--color-oss);
-}
-
-.card-method {
-  background-color: var(--color-method-bg);
-  border-color: var(--color-method);
-}
-
-.card-concept {
-  background-color: var(--color-concept-bg);
-  border-color: var(--color-concept);
-}
-
-/* Grid Systems - Consolidated */
-.grid-auto-fit {
-  display: grid;
-  grid-template-columns: repeat(auto-fill, minmax(300px, 350px));
-  gap: 1rem;
-  justify-content: center;
-}
-
-/* Tool Cards - Consolidated */
-.tool-card {
-  height: 300px;
-  display: flex;
-  flex-direction: column;
-  padding: 1.25rem;
-}
-
-.tool-card-header {
-  display: flex;
-  justify-content: space-between;
-  align-items: flex-start;
-  min-height: 2.5rem;
-  margin-bottom: 0.75rem;
-}
-
-.tool-card-header h3 {
-  margin: 0;
-  font-size: 1.125rem;
-  line-height: 1.3;
-  flex: 1;
-  margin-right: 0.75rem;
-}
-
-.tool-card-badges {
-  display: flex;
-  gap: 0.375rem;
-  flex-wrap: wrap;
-  flex-shrink: 0;
-}
-
-.tool-card .text-muted {
-  display: -webkit-box;
-  -webkit-line-clamp: 3;
-  line-clamp: 3;
-  -webkit-box-orient: vertical;
-  overflow: hidden;
-  line-height: 1.4;
-  max-height: calc(1.4em * 3);
-  font-size: 0.875rem;
-  margin-bottom: 0.5rem;
-  word-break: break-word;
-}
-
-.tool-card-metadata {
-  display: flex;
-  align-items: center;
-  gap: 1rem;
-  margin-bottom: 0.75rem;
-  line-height: 1;
-}
-
-.metadata-item {
-  display: flex;
-  align-items: center;
-  gap: 0.5rem;
-  font-size: 0.75rem;
-  color: var(--color-text-secondary);
-  flex-shrink: 1;
-  min-width: 0;
-}
-
-.metadata-item svg {
-  flex-shrink: 0;
-}
-
-.metadata-item span {
-  overflow: hidden;
-  text-overflow: ellipsis;
-  white-space: nowrap;
-  min-width: 0;
-}
-
-.tool-tags-container {
-  display: flex;
-  flex-wrap: wrap;
-  gap: 0.25rem;
-  max-height: 3.5rem;
-  overflow: hidden;
-  position: relative;
-  margin-bottom: 1rem;
-  flex-shrink: 0;
-}
-
-.tool-tags-container::after {
-  content: '';
-  position: absolute;
-  bottom: 0;
-  right: 0;
-  width: 3rem;
-  height: 100%;
-  background: linear-gradient(to right, transparent 0%, var(--color-bg) 70%);
-  pointer-events: none;
-  opacity: 0.8;
-}
-
-/* Card-specific gradients */
-.card-hosted .tool-tags-container::after {
-  background: linear-gradient(to right, transparent 0%, var(--color-hosted-bg) 70%);
-}
-
-.card-oss .tool-tags-container::after {
-  background: linear-gradient(to right, transparent 0%, var(--color-oss-bg) 70%);
-}
-
-.card-method .tool-tags-container::after {
-  background: linear-gradient(to right, transparent 0%, var(--color-method-bg) 70%);
-}
-
-.card-concept .tool-tags-container::after {
-  background: linear-gradient(to right, transparent 0%, var(--color-concept-bg) 70%);
-}
-
-.tool-card-buttons {
-  margin-top: auto;
-  flex-shrink: 0;
-}
-
-.button-row {
-  display: flex;
-  gap: 0.5rem;
-}
-
-.button-row .btn,
-.single-button {
-  font-size: 0.8125rem;
-  padding: 0.625rem 1rem;
-}
-
-.button-row .btn {
-  flex: 1;
-}
-
-.single-button {
-  width: 100%;
-}
-
-/* Matrix Components - Consolidated */
-.matrix-wrapper {
-  overflow-x: auto;
-  margin: 1rem 0;
-}
-
-.matrix-table {
-  width: 100%;
-  border-collapse: collapse;
-  min-width: 800px;
-  table-layout: fixed;
-  background-color: var(--color-bg);
-  border-radius: 0.75rem;
-  overflow: hidden;
-  box-shadow: var(--shadow-md);
-}
-
-.matrix-table th {
-  background: linear-gradient(135deg, var(--color-primary) 0%, #525252 100%);
-  color: white;
-  font-weight: 600;
-  position: sticky;
-  top: 0;
-  z-index: 1;
-  border: none;
-  padding: 1rem 0.75rem;
-}
-
-.matrix-table td {
-  border: 1px solid var(--color-border);
-  padding: 0.75rem;
-  text-align: left;
-  background-color: var(--color-bg);
-  transition: var(--transition-fast);
-  overflow: hidden;
-  word-wrap: break-word;
-}
-
-.matrix-table tr:hover td {
-  background-color: var(--color-bg-secondary);
-}
-
-.matrix-table th:first-child,
-.matrix-table td:first-child {
-  width: 200px;
-  min-width: 200px;
-  max-width: 200px;
-}
-
-.matrix-table th:not(:first-child),
-.matrix-table td:not(:first-child) {
-  width: 150px;
-  min-width: 150px;
-  max-width: 150px;
-}
-
-.matrix-cell {
-  min-height: 60px;
-  vertical-align: top;
-}
-
-/* Matrix highlighting - Consolidated */
-.matrix-table tr.highlight-row th,
-.matrix-table tr.highlight-row td,
-.matrix-table th.highlight-column,
-.matrix-table td.highlight-column {
-  background-color: rgb(37 99 235 / 8%);
-  border-color: rgb(37 99 235 / 20%);
-}
-
-.matrix-table tr.highlight-row th.highlight-column,
-.matrix-table tr.highlight-row td.highlight-column {
-  background-color: rgb(37 99 235 / 15%);
-  border-color: rgb(37 99 235 / 40%);
-  box-shadow: inset 0 0 0 1px rgb(37 99 235 / 30%);
-}
-
-/* Dark theme matrix adjustments */
-[data-theme="dark"] .matrix-table tr.highlight-row th,
-[data-theme="dark"] .matrix-table tr.highlight-row td,
-[data-theme="dark"] .matrix-table th.highlight-column,
-[data-theme="dark"] .matrix-table td.highlight-column {
-  background-color: rgb(59 130 246 / 12%);
-  border-color: rgb(59 130 246 / 30%);
-}
-
-[data-theme="dark"] .matrix-table tr.highlight-row th.highlight-column,
-[data-theme="dark"] .matrix-table tr.highlight-row td.highlight-column {
-  background-color: rgb(59 130 246 / 20%);
-  border-color: rgb(59 130 246 / 50%);
-  box-shadow: inset 0 0 0 1px rgb(59 130 246 / 40%);
-}
-
-/* Tool Chips - Consolidated */
-.tool-chip {
-  display: inline-block;
-  padding: 0.25rem 0.5rem;
-  margin: 0.125rem;
-  background-color: var(--color-bg-secondary);
-  border-radius: 0.25rem;
-  font-size: 0.75rem;
-  cursor: pointer;
-  transition: var(--transition-fast);
-}
-
-.tool-chip:hover {
-  background-color: var(--color-primary);
-  color: white;
-}
-
-.tool-chip-hosted {
-  background-color: var(--color-hosted);
-  color: white;
-}
-
-.tool-chip-oss {
-  background-color: var(--color-oss);
-  color: white;
-}
-
-.tool-chip-method {
-  background-color: var(--color-method);
-  color: white;
-}
-
-/* Consolidated Badge System */
-.badge {
-  display: inline-flex;
-  align-items: center;
-  padding: 0.125rem 0.5rem;
-  border-radius: 9999px;
-  font-size: 0.75rem;
-  font-weight: 500;
-  margin-left: 0.5rem;
-}
-
-.badge--mini {
-  padding: 0.0625rem 0.375rem;
-  font-size: 0.625rem;
-}
-
-.badge-primary { background-color: var(--color-primary); color: white; }
-.badge-secondary { background-color: var(--color-bg-secondary); color: var(--color-text); border: 1px solid var(--color-border); }
-.badge-success { background-color: var(--color-accent); color: white; }
-.badge-accent { background-color: var(--color-accent); color: white; }
-.badge-warning { background-color: var(--color-warning); color: white; }
-.badge-error { background-color: var(--color-error); color: white; }
-
-/* Tags */
-.tag {
-  display: inline-block;
-  padding: 0.125rem 0.5rem;
-  background-color: var(--color-bg-secondary);
-  border-radius: 0.25rem;
-  font-size: 0.75rem;
-  margin: 0.125rem;
-}
-
-/* Tool Details Modal - Consolidated */
-.tool-details {
-  display: none;
-  position: fixed;
-  top: 50%;
-  left: 50%;
-  transform: translate(-50%, -50%);
-  background-color: var(--color-bg);
-  border: 1px solid var(--color-border);
-  border-radius: 0.5rem;
-  padding: 2rem;
-  max-width: 600px;
-  width: 90%;
-  max-height: 85vh; 
-  overflow-y: auto;
-  z-index: 1000;
-  box-shadow: var(--shadow-lg);
-  transition: var(--transition-medium);
-}
-
-.tool-details.active { display: block; }
-
-.modal-overlay {
-  display: none;
-  position: fixed;
-  top: 0;
-  left: 0;
-  width: 100%;
-  height: 100%;
-  background-color: rgb(0 0 0 / 50%);
-  backdrop-filter: blur(2px);
-  z-index: 999;
-}
-
-.modal-overlay.active { display: block; }
-
-/* Side-by-side modal positioning */
-.modals-side-by-side #tool-details-primary.active {
-  left: 25%;
-  transform: translate(-50%, -50%);
-  max-width: 45vw;
-  width: 45vw;
-}
-
-.modals-side-by-side #tool-details-secondary.active {
-  left: 75%;
-  transform: translate(-50%, -50%);
-  max-width: 45vw;
-  width: 45vw;
-}
-
-/* Phase Controls - Consolidated */
-.domain-phase-container {
-  display: grid;
-  grid-template-columns: 1fr 2fr;
-  gap: 2rem;
-  align-items: start;
-}
-
-.phase-buttons {
-  display: flex;
-  flex-wrap: wrap;
-  gap: 0.5rem;
-}
-
-.phase-button {
-  padding: 0.5rem 1rem;
-  border: 1px solid var(--color-border);
-  border-radius: 0.375rem;
-  background-color: var(--color-bg);
-  color: var(--color-text);
-  font-size: 0.875rem;
-  font-weight: 500;
-  cursor: pointer;
-  transition: var(--transition-fast);
-  user-select: none;
-  white-space: nowrap;
-}
-
-.phase-button:hover {
-  border-color: var(--color-primary);
-  background-color: var(--color-bg-secondary);
-  transform: translateY(-1px);
-  box-shadow: var(--shadow-sm);
-}
-
-.phase-button.active {
-  background-color: var(--color-primary);
-  border-color: var(--color-primary);
-  color: white;
-}
-
-.phase-button.active:hover {
-  background-color: var(--color-primary-hover);
-  border-color: var(--color-primary-hover);
-}
-
-/* Tag Cloud - Consolidated */
-.tag-header {
-  display: flex;
-  align-items: center;
-  gap: 1rem;
-  margin-bottom: 0.75rem;
-}
-
-.tag-cloud {
-  display: flex;
-  flex-wrap: wrap;
-  gap: 0.5rem;
-  margin-top: 0.5rem;
-  max-height: 60px;
-  overflow: hidden;
-  transition: var(--transition-medium);
-  position: relative;
-}
-
-.tag-cloud.expanded { max-height: 1000px; }
-
-.tag-cloud::after {
-  content: '';
-  position: absolute;
-  bottom: 0;
-  left: 0;
-  right: 0;
-  height: 40px;
-  background: linear-gradient(to bottom, transparent 0%, transparent 60%, var(--color-bg) 100%);
-  pointer-events: none;
-  opacity: 1;
-  transition: var(--transition-medium);
-}
-
-.tag-cloud.expanded::after { opacity: 0; }
-
-.tag-cloud-item {
-  display: inline-flex;
-  align-items: center;
-  gap: 0.25rem;
-  padding: 0.375rem 0.75rem;
-  border: 1px solid var(--color-border);
-  border-radius: 1rem;
-  background-color: var(--color-bg);
-  color: var(--color-text);
-  font-size: 0.875rem;
-  cursor: pointer;
-  transition: var(--transition-fast);
-  user-select: none;
-}
-
-.tag-cloud-item.hidden { display: none; }
-
-.tag-cloud-item:hover {
-  border-color: var(--color-primary);
-  background-color: var(--color-bg-secondary);
-  transform: scale(1.05);
-}
-
-.tag-cloud-item.active {
-  background-color: var(--color-accent);
-  border-color: var(--color-accent);
-  color: white;
-}
-
-.tag-cloud-item.active:hover {
-  background-color: var(--color-accent-hover);
-  border-color: var(--color-accent-hover);
-}
-
-.tag-frequency {
-  font-size: 0.75rem;
-  opacity: 0.8;
-}
-
-.btn-tag-toggle {
-  padding: 0.25rem 0.75rem;
-  border: 1px solid var(--color-border);
-  border-radius: 0.25rem;
-  background-color: var(--color-bg-secondary);
-  color: var(--color-text-secondary);
-  font-size: 0.75rem;
-  cursor: pointer;
-  transition: var(--transition-fast);
-}
-
-.btn-tag-toggle:hover {
-  background-color: var(--color-bg-tertiary);
-  color: var(--color-text);
-  transform: translateY(-1px);
-}
-
-/* Loading states */
-.btn.loading {
-  opacity: 0.7;
-  pointer-events: none;
-  position: relative;
-}
-
-.btn.loading::after {
-  content: "";
-  position: absolute;
-  top: 50%;
-  left: 50%;
-  width: 16px;
-  height: 16px;
-  margin: -8px 0 0 -8px;
-  border: 2px solid transparent;
-  border-top: 2px solid currentColor;
-  border-radius: 50%;
-  animation: spin 1s linear infinite;
-}
-
-/* Collaboration Tools - Consolidated */
-.collaboration-tools-compact {
-  display: flex;
-  gap: 1rem;
-  flex-wrap: wrap;
-  flex-direction: row;
-}
-
-.collaboration-tool-compact {
-  background-color: var(--color-bg);
-  border: 1px solid var(--color-border);
-  border-radius: 0.375rem;
-  padding: 0.75rem;
-  min-width: 200px;
-  max-width: 300px;
-  flex: 1;
-  cursor: pointer;
-  transition: var(--transition-fast);
-}
-
-.collaboration-tool-compact:hover {
-  border-color: var(--color-primary);
-  box-shadow: var(--shadow-sm);
-}
-
-.collaboration-tool-compact.hosted {
-  background-color: var(--color-hosted-bg);
-  border-color: var(--color-hosted);
-}
-
-.collaboration-tool-compact.oss {
-  background-color: var(--color-oss-bg);
-  border-color: var(--color-oss);
-}
-
-.collaboration-tool-compact .text-muted {
-  display: -webkit-box;
-  -webkit-line-clamp: 3;
-  line-clamp: 3;
-  -webkit-box-orient: vertical;
-  overflow: hidden;
-  line-height: 1.3;
-  max-height: calc(1.3em * 3);
-  font-size: 0.75rem;
-  margin: 0.25rem 0;
-  word-break: break-word;
-}
-
-.collaboration-expand-icon {
-  transition: var(--transition-medium);
-  color: var(--color-text-secondary);
-}
-
-.collaboration-expand-icon svg { 
-  transition: var(--transition-medium); 
-}
-
-.collaboration-section-expanded .collaboration-expand-icon svg {
-  transform: rotate(180deg);
-}
-
-.collaboration-content {
-  animation: slideDown 0.3s ease-out;
-}
-
-.tool-compact-header {
-  display: flex;
-  justify-content: space-between;
-  align-items: start;
-  margin-bottom: 0.5rem;
-}
-
-.tool-count {
-  background: var(--color-bg-tertiary);
-  padding: 0.25rem 0.75rem;
-  border-radius: 1rem;
-  font-size: 0.75rem;
-  color: var(--color-text-secondary);
-  font-weight: 500;
-}
-
-/* AI Interface - Consolidated */
-.ai-interface {
-  padding: 2rem 0;
-  max-width: 1200px;
-  margin: 0 auto;
-}
-
-.ai-query-section { margin-bottom: 3rem; }
-
-.ai-input-container textarea {
-  transition: var(--transition-fast);
-}
-
-.ai-input-layout {
-  display: flex;
-  gap: 1.5rem;
-  align-items: flex-start;
-  margin-bottom: 1rem;
-}
-
-.ai-textarea-section {
-  flex: 1;
-  min-width: 0;
-}
-
-.ai-suggestions-section {
-  flex: 0 0 320px;
-  min-height: 120px;
-}
-
-.ai-input-container textarea:focus {
-  outline: none;
-  border-color: var(--color-primary);
-  box-shadow: 0 0 0 3px rgb(37 99 235 / 10%);
-}
-
-.ai-loading, .ai-error, .ai-results {
-  animation: fadeIn 0.3s ease-in-out;
-}
-
-.ai-mode-toggle {
-  user-select: none;
-}
-
-.toggle-label {
-  display: flex;
-  align-items: center;
-  font-size: 0.875rem;
-  transition: var(--transition-fast);
-}
-
-.toggle-label:hover {
-  color: var(--color-primary) !important;
-}
-
-.toggle-label.active {
-  font-weight: 600;
-}
-
-.toggle-switch {
-  position: relative;
-  cursor: pointer;
-  transition: var(--transition-fast);
-}
-
-.toggle-switch:hover {
-  transform: scale(1.05);
-}
-
-.toggle-slider {
-  box-shadow: var(--shadow-sm);
-  transition: var(--transition-fast);
-}
-
-[data-theme="dark"] .toggle-slider {
-  box-shadow: 0 2px 4px 0 rgb(255 255 255 / 10%);
-}
-
-/* Focus states for accessibility - Consolidated */
-.toggle-switch:focus-visible {
-  outline: 2px solid var(--color-primary);
-  outline-offset: 2px;
-  border-radius: 12px;
-}
-
-.toggle-label:focus-visible {
-  outline: 2px solid var(--color-primary);
-  outline-offset: 2px;
-  border-radius: 0.25rem;
-}
-
-/* Workflow Components - Consolidated */
-.workflow-container {
-  display: flex;
-  flex-direction: column;
-  gap: 1rem;
-  max-width: 1200px;
-  margin: 0 auto;
-}
-
-.phase-header {
-  display: flex;
-  align-items: flex-start;
-  gap: 1rem;
-  padding: 1.5rem;
-  background-color: var(--color-bg);
-  border: 2px solid var(--color-border);
-  border-radius: 0.75rem;
-  transition: var(--transition-medium);
-}
-
-.phase-header:hover {
-  border-color: var(--color-primary);
-  box-shadow: var(--shadow-md);
-}
-
-.phase-number {
-  width: 2rem;
-  height: 2rem;
-  background: var(--phase-color);
-  color: white;
-  border-radius: 50%;
-  display: flex;
-  align-items: center;
-  justify-content: center;
-  font-weight: 600;
-  margin: 0 auto 0.75rem;
-}
-
-.phase-info { flex: 1; min-width: 0; }
-
-.phase-title {
-  font-weight: 600;
-  margin-bottom: 0.5rem;
-  color: var(--color-text);
-}
-
-.phase-description {
-  font-size: 0.8125rem;
-  color: var(--color-text-secondary);
-  margin-bottom: 0.75rem;
-  line-height: 1.4;
-}
-
-.phase-tools {
-  display: grid;
-  grid-template-columns: repeat(auto-fit, minmax(280px, 1fr));
-  gap: 1rem;
-}
-
-.phase-card {
-  background: var(--color-bg-secondary);
-  border: 2px solid var(--color-border);
-  border-radius: 0.5rem;
-  padding: 1.5rem;
-  cursor: pointer;
-  transition: var(--transition-fast);
-  text-align: center;
-  position: relative;
-}
-
-.phase-card::before {
-  content: '';
-  position: absolute;
-  top: 0;
-  left: 0;
-  right: 0;
-  height: 3px;
-  background: var(--phase-color);
-}
-
-.phase-card:hover {
-  transform: translateY(-2px);
-  border-color: var(--phase-color);
-  box-shadow: var(--shadow-md);
-}
-
-.phase-card.active {
-  border-color: var(--phase-color);
-  background: linear-gradient(135deg, var(--color-bg) 0%, color-mix(in srgb, var(--phase-color) 8%, transparent) 100%);
-}
-
-.workflow-arrow {
-  display: flex;
-  justify-content: center;
-  margin: 0.5rem 0;
-}
-
-/* Tool Recommendations - Consolidated */
-.tool-recommendation {
-  background-color: var(--color-bg);
-  border: 1px solid var(--color-border);
-  border-radius: 0.5rem;
-  padding: 1.25rem;
-  transition: var(--transition-fast);
-  cursor: pointer;
-  display: flex;
-  flex-direction: column;
-  height: 100%;
-  min-height: 200px;
-  animation: fadeInUp 0.3s ease-out;
-}
-
-.tool-recommendation:hover {
-  border-color: var(--color-primary);
-  box-shadow: var(--shadow-md);
-  transform: translateY(-2px);
-}
-
-.tool-recommendation.hosted {
-  background-color: var(--color-hosted-bg);
-  border-color: var(--color-hosted);
-  box-shadow: 0 0 0 1px var(--color-hosted);
-}
-
-.tool-recommendation.oss {
-  background-color: var(--color-oss-bg);
-  border-color: var(--color-oss);
-}
-
-.tool-recommendation.method {
-  background-color: var(--color-method-bg);
-  border-color: var(--color-method);
-}
-
-.tool-rec-header {
-  display: flex;
-  justify-content: space-between;
-  align-items: start;
-  margin-bottom: 0.75rem;
-}
-
-.tool-rec-name {
-  font-weight: 600;
-  font-size: 1rem;
-  margin: 0;
-  color: var(--color-text);
-}
-
-.tool-rec-priority {
-  font-size: 0.75rem;
-  padding: 0.25rem 0.5rem;
-  border-radius: 1rem;
-  font-weight: 500;
-  text-transform: uppercase;
-}
-
-.tool-rec-priority.high { background-color: var(--color-error); color: white; }
-.tool-rec-priority.medium { background-color: var(--color-warning); color: white; }
-.tool-rec-priority.low { background-color: var(--color-accent); color: white; }
-
-.tool-rec-justification {
-  font-size: 0.875rem;
-  line-height: 1.5;
-  color: var(--color-text-secondary);
-  margin-bottom: 0.75rem;
-  font-style: italic;
-  background-color: var(--color-bg-tertiary);
-  padding: 0.75rem;
-  border-radius: 0.375rem;
-  border-left: 3px solid var(--color-primary);
-}
-
-.tool-rec-metadata {
-  display: flex;
-  flex-direction: column;
-  gap: 0.375rem;
-  font-size: 0.75rem;
-  color: var(--color-text-secondary);
-}
-
-/* Tool Results - Consolidated */
-.tool-results-container {
-  max-width: 1000px;
-  margin: 0 auto;
-}
-
-.tool-recommendations-grid {
-  display: grid;
-  gap: 1.5rem;
-}
-
-.tool-detailed-recommendation {
-  position: relative;
-  transition: var(--transition-fast);
-  border: 2px solid transparent;
-  animation: fadeInUp 0.5s ease-out;
-}
-
-.tool-detailed-recommendation:nth-child(2) { animation-delay: 0.1s; }
-.tool-detailed-recommendation:nth-child(3) { animation-delay: 0.2s; }
-
-.tool-detailed-recommendation:hover {
-  transform: translateY(-2px);
-  box-shadow: var(--shadow-lg);
-  border-color: var(--color-primary);
-}
-
-.tool-detailed-recommendation.card-hosted {
-  background-color: var(--color-hosted-bg);
-  border-color: var(--color-hosted);
-}
-
-.tool-detailed-recommendation.card-hosted:hover {
-  border-color: var(--color-hosted);
-  box-shadow: 0 0 0 1px var(--color-hosted), var(--shadow-lg);
-}
-
-.tool-detailed-recommendation.card-oss {
-  background-color: var(--color-oss-bg);
-  border-color: var(--color-oss);
-}
-
-.tool-detailed-recommendation.card-method {
-  background-color: var(--color-method-bg);
-  border-color: var(--color-method);
-}
-
-.tool-detailed-recommendation.card-method:hover {
-  border-color: var(--color-method);
-  box-shadow: 0 0 0 1px var(--color-method), var(--shadow-lg);
-}
-
-.tool-rank-badge {
-  animation: fadeInUp 0.6s ease-out;
-  font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
-  font-weight: 700;
-}
-
-[data-theme="dark"] .tool-rank-badge {
-  box-shadow: 0 4px 6px -1px rgb(0 0 0 / 50%);
-}
-
-.tool-detailed-explanation h4 {
-  display: flex;
-  align-items: center;
-  font-size: 1rem;
-  margin-bottom: 0.75rem;
-}
-
-/* Pros/Cons - Consolidated */
-.pros-cons-section {
-  animation: fadeIn 0.4s ease-in;
-}
-
-.pros, .cons {
-  font-size: 0.875rem;
-}
-
-.pros ul, .cons ul {
-  list-style-type: none;
-  padding-left: 0;
-}
-
-.pros li, .cons li {
-  position: relative;
-  padding-left: 1.5rem;
-  margin-bottom: 0.375rem;
-  line-height: 1.4;
-}
-
-.pros li::before {
-  content: '✓';
-  position: absolute;
-  left: 0;
-  color: var(--color-accent);
-  font-weight: bold;
-}
-
-.cons li::before {
-  content: '⚠';
-  position: absolute;
-  left: 0;
-  color: var(--color-warning);
-  font-weight: bold;
-}
-
-.tool-metadata {
-  background-color: var(--color-bg-secondary);
-  padding: 1rem;
-  border-radius: 0.5rem;
-  border-left: 3px solid var(--color-primary);
-}
-
-.alternatives {
-  border-left: 3px solid var(--color-text-secondary);
-}
-
-/* Knowledgebase - Consolidated */
-.kb-entry {
-  margin-bottom: 1rem;
-  transition: var(--transition-fast);
-  position: relative;
-  cursor: pointer;
-}
-
-.kb-entry:hover {
-  transform: translateY(-2px);
-  box-shadow: var(--shadow-md);
-}
-
-.kb-entry:target {
-  animation: highlight-flash 2s ease-out;
-}
-
-.kb-content { line-height: 1.7; }
-
-/* Footer */
-footer {
-  margin-top: auto;
-  background-color: var(--color-bg-secondary);
-  border-top: 1px solid var(--color-border);
-  padding: 2rem 0;
-}
-
-.footer-content {
-  display: flex;
-  justify-content: space-between;
-  align-items: center;
-  flex-wrap: wrap;
-  gap: 1rem;
-}
-
-/* Utility Classes - Systematic Generation */
-.text-muted { color: var(--color-text-secondary); }
-.leading-tight { line-height: 1.25; }
-.leading-relaxed { line-height: 1.625; }
-
-/* Layout utilities */
-.flex { display: flex; }
-.flex-col { flex-direction: column; }
-.flex-wrap { flex-wrap: wrap; }
-.flex-1 { flex: 1; }
-.flex-shrink-0 { flex-shrink: 0; }
-.flex-shrink-1 { flex-shrink: 1; }
-.items-center { align-items: center; }
-.items-start { align-items: flex-start; }
-.justify-center { justify-content: center; }
-.justify-between { justify-content: space-between; }
-.text-center { text-align: center; }
-
-.grid { display: grid; }
-.gap-1 { gap: 0.25rem; }
-.gap-2 { gap: 0.5rem; }
-.gap-3 { gap: 0.75rem; }
-.gap-4 { gap: 1rem; }
-
-/* Spacing utilities - systematic */
-.mb-2 { margin-bottom: 0.5rem; }
-.mb-3 { margin-bottom: 0.75rem; }
-.mb-4 { margin-bottom: 1rem; }
-.mb-6 { margin-bottom: 1.5rem; }
-.mb-8 { margin-bottom: 2rem; }
-.mt-auto { margin-top: auto; }
-.mr-2 { margin-right: 0.5rem; }
-.mr-3 { margin-right: 0.75rem; }
-
-.p-8 { padding: 2rem; }
-.pt-3 { padding-top: 0.75rem; }
-
-/* Size utilities */
-.w-full { width: 100%; }
-.max-w-lg { max-width: 32rem; }
-.max-w-6xl { max-width: 72rem; }
-.min-w-0 { min-width: 0; }
-
-/* Position utilities */
-.fixed { position: fixed; }
-.relative { position: relative; }
-.bottom-8 { bottom: 2rem; }
-.right-8 { right: 2rem; }
-.z-50 { z-index: 50; }
-
-/* Text utilities */
-.text-xs { font-size: 0.75rem; }
-.text-sm { font-size: 0.875rem; }
-.text-lg { font-size: 1.125rem; }
-.text-2xl { font-size: 1.5rem; }
-.font-semibold { font-weight: 600; }
-
-/* Visual utilities */
-.rounded-lg { border-radius: 0.75rem; }
-.border { border: 1px solid var(--color-border); }
-.cursor-pointer { cursor: pointer; }
-.overflow-hidden { overflow: hidden; }
-
-/* Color utilities */
-.bg-secondary { background-color: var(--color-bg-secondary); }
-.text-primary { color: var(--color-primary); }
-.text-secondary { color: var(--color-text-secondary); }
-
-/* Knowledgebase specific */
-#kb-entries {
-  display: grid;
-  grid-template-columns: 1fr;
-  gap: 1rem;
-}
-
-/* FAB button */
-.fab-button {
-  box-shadow: 0 4px 20px rgba(0, 0, 0, 0.15);
-  transition: all 0.3s cubic-bezier(0.4, 0, 0.2, 1);
-}
-
-.fab-button:hover {
-  transform: scale(1.1);
-  box-shadow: 0 6px 25px rgba(0, 0, 0, 0.2);
-}
-
-[data-theme="dark"] .fab-button {
-  box-shadow: 0 4px 20px rgba(0, 0, 0, 0.4);
-}
-
-[data-theme="dark"] .fab-button:hover {
-  box-shadow: 0 6px 25px rgba(0, 0, 0, 0.5);
-}
-
-/* Markdown content */
-.markdown-content h1,
-.markdown-content h2,
-.markdown-content h3,
-.markdown-content h4,
-.markdown-content h5,
-.markdown-content h6 {
-  margin-top: 2rem;
-  margin-bottom: 1rem;
-}
-
-.markdown-content h1:first-child,
-.markdown-content h2:first-child,
-.markdown-content h3:first-child {
-  margin-top: 0;
-}
-
-.markdown-content p {
-  margin-bottom: 1rem;
-}
-
-.markdown-content ul,
-.markdown-content ol {
-  margin-bottom: 1rem;
-  padding-left: 1.5rem;
-}
-
-.markdown-content li {
-  margin-bottom: 0.5rem;
-}
-
-.markdown-content pre {
-  background-color: var(--color-bg-tertiary);
-  border: 1px solid var(--color-border);
-  border-radius: 0.5rem;
-  padding: 1rem;
-  margin: 1.5rem 0;
-  overflow-x: auto;
-  font-size: 0.875rem;
-}
-
-.markdown-content code:not(pre code) {
-  background-color: var(--color-bg-secondary);
-  border: 1px solid var(--color-border);
-  border-radius: 0.25rem;
-  padding: 0.125rem 0.375rem;
-  font-size: 0.875rem;
-}
-
-.markdown-content table {
-  width: 100%;
-  border-collapse: collapse;
-  margin: 1.5rem 0;
-  background-color: var(--color-bg);
-  border-radius: 0.5rem;
-  overflow: hidden;
-  border: 1px solid var(--color-border);
-}
-
-.markdown-content th,
-.markdown-content td {
-  padding: 0.75rem;
-  text-align: left;
-  border-bottom: 1px solid var(--color-border);
-}
-
-.markdown-content th {
-  background-color: var(--color-bg-secondary);
-  font-weight: 600;
-}
-
-.markdown-content blockquote {
-  border-left: 4px solid var(--color-primary);
-  background-color: var(--color-bg-secondary);
-  padding: 1rem 1.5rem;
-  margin: 1.5rem 0;
-  border-radius: 0 0.5rem 0.5rem 0;
-}
-
-.markdown-content hr {
-  border: none;
-  border-top: 1px solid var(--color-border);
-  margin: 2rem 0;
-}
-
-/* Share Button Styles */
-.share-btn {
-  background: none;
-  border: none;
-  color: var(--color-text-secondary);
-  cursor: pointer;
-  padding: 0.25rem;
-  border-radius: 0.25rem;
-  transition: var(--transition-fast);
-  display: inline-flex;
-  align-items: center;
-  justify-content: center;
-}
-
-.share-btn:hover {
-  color: var(--color-primary);
-  background-color: var(--color-bg-secondary);
-}
-
-.share-btn--small {
-  padding: 0.125rem;
-}
-
-.share-btn--medium {
-  padding: 0.375rem;
-}
-
-.share-btn svg {
-  flex-shrink: 0;
-}
-
-/* Form styling */
-.form-section {
-  border: 1px solid var(--color-border);
-  border-radius: 0.5rem;
-  padding: 1rem;
-  margin-bottom: 1.5rem;
-  background-color: var(--color-bg);
-}
-
-.form-section h3 {
-  margin-top: 0;
-  margin-bottom: 1rem;
-  color: var(--color-primary);
-  font-size: 1.125rem;
-}
-
-.form-grid {
-  display: grid;
-  gap: 1rem;
-}
-
-.form-grid.two-columns {
-  grid-template-columns: 1fr 1fr;
-}
-
-.form-group {
-  margin-bottom: 1.5rem;
-}
-
-.form-group:last-child {
-  margin-bottom: 0;
-}
-
-.form-label {
-  display: block;
-  margin-bottom: 0.5rem;
-  font-weight: 600;
-  color: var(--color-text);
-}
-
-/* Animations - Consolidated */
-@keyframes fadeIn {
-  from { opacity: 0; }
-  to { opacity: 1; }
-}
-
-@keyframes slideDown {
-  from {
-    opacity: 0;
-    max-height: 0;
-    padding-top: 0;
-    margin-top: 0;
-    transform: translateY(-10px);
-  }
-  to {
-    opacity: 1;
-    max-height: 1000px;
-    padding-top: 1rem;
-    margin-top: 1rem;
-    transform: translateY(0);
-  }
-}
-
-@keyframes fadeInUp {
-  from {
-    opacity: 0;
-    transform: translateY(20px);
-  }
-  to {
-    opacity: 1;
-    transform: translateY(0);
-  }
-}
-
-@keyframes pulse {
-  0%, 100% {
-    transform: scale(1);
-    opacity: 1;
-  }
-  50% {
-    transform: scale(1.05);
-    opacity: 0.8;
-  }
-}
-
-@keyframes spin {
-  0% { transform: rotate(0deg); }
-  100% { transform: rotate(360deg); }
-}
-
-@keyframes highlight-flash {
-  0% { 
-    background-color: rgb(57 255 20 / 60%);
-    box-shadow: 0 0 0 8px rgb(255 20 147 / 50%), 0 0 20px rgb(57 255 20 / 80%);
-    transform: scale(1.12) rotate(2deg);
-    border: 3px solid rgb(255 255 0);
-  }
-  12.5% { 
-    background-color: rgb(255 20 147 / 70%);
-    box-shadow: 0 0 0 15px rgb(0 191 255 / 60%), 0 0 30px rgb(255 20 147 / 90%);
-    transform: scale(1.18) rotate(-3deg);
-    border: 3px solid rgb(57 255 20);
-  }
-  25% { 
-    background-color: rgb(0 191 255 / 65%);
-    box-shadow: 0 0 0 12px rgb(191 0 255 / 55%), 0 0 25px rgb(0 191 255 / 85%);
-    transform: scale(1.15) rotate(1deg);
-    border: 3px solid rgb(255 20 147);
-  }
-  37.5% { 
-    background-color: rgb(191 0 255 / 75%);
-    box-shadow: 0 0 0 18px rgb(255 255 0 / 65%), 0 0 35px rgb(191 0 255 / 95%);
-    transform: scale(1.20) rotate(-2deg);
-    border: 3px solid rgb(0 191 255);
-  }
-  50% { 
-    background-color: rgb(255 255 0 / 80%);
-    box-shadow: 0 0 0 10px rgb(57 255 20 / 70%), 0 0 40px rgb(255 255 0 / 100%);
-    transform: scale(1.16) rotate(3deg);
-    border: 3px solid rgb(191 0 255);
-  }
-  62.5% { 
-    background-color: rgb(255 69 0 / 70%);
-    box-shadow: 0 0 0 16px rgb(255 20 147 / 60%), 0 0 30px rgb(255 69 0 / 90%);
-    transform: scale(1.22) rotate(-1deg);
-    border: 3px solid rgb(255 255 0);
-  }
-  75% { 
-    background-color: rgb(255 20 147 / 65%);
-    box-shadow: 0 0 0 14px rgb(0 191 255 / 50%), 0 0 45px rgb(255 20 147 / 85%);
-    transform: scale(1.14) rotate(2deg);
-    border: 3px solid rgb(57 255 20);
-  }
-  87.5% { 
-    background-color: rgb(57 255 20 / 75%);
-    box-shadow: 0 0 0 20px rgb(191 0 255 / 65%), 0 0 35px rgb(57 255 20 / 95%);
-    transform: scale(1.25) rotate(-3deg);
-    border: 3px solid rgb(255 69 0);
-  }
-  100% { 
-    background-color: transparent;
-    box-shadow: none;
-    transform: scale(1) rotate(0deg);
-    border: none;
-  }
-}
-
-/* Highlight animation triggers */
-.tool-card.highlight-flash,
-.tool-chip.highlight-flash,
-.tool-recommendation.highlight-flash {
-  animation: highlight-flash 2s ease-out;
-}
-
-/* Responsive Design - Consolidated Media Queries */
-@media (width >= 768px) {
-  #kb-entries {
-    grid-template-columns: repeat(auto-fit, minmax(500px, 1fr));
-    gap: 1.5rem;
-  }
-}
-
-@media (width >= 1200px) {
-  #kb-entries {
-    grid-template-columns: repeat(auto-fit, minmax(600px, 1fr));
-    gap: 2rem;
-  }
-  
-  .modals-side-by-side #tool-details-primary.active,
-  .modals-side-by-side #tool-details-secondary.active {
-    max-width: 45vw;
-    width: 45vw;
-  }
-}
-
-@media (width <= 1200px) {
-  .modals-side-by-side #tool-details-primary.active,
-  .modals-side-by-side #tool-details-secondary.active {
-    max-width: 42vw;
-    width: 42vw;
-  }
-}
-
-@media (width <= 768px) {
-  .nav-wrapper { padding: 0.75rem; }
-  .nav-links { gap: 1rem; }
-  .nav-link { font-size: 0.875rem; }
-  
-  h1 { font-size: 2rem; }
-  h2 { font-size: 1.5rem; }
-  
-  .footer-content {
-    flex-direction: column;
-    text-align: center;
-  }
-  
-  .domain-phase-container {
-    grid-template-columns: 1fr;
-    gap: 1rem;
-  }
-  
-  .phase-buttons { gap: 0.375rem; }
-  .phase-button {
-    padding: 0.375rem 0.75rem;
-    font-size: 0.8125rem;
-  }
-  
-  .tag-cloud { max-height: 100px; }
-  .tag-header { gap: 0.75rem; }
-  
-  .matrix-table { min-width: 600px; }
-  .matrix-table th:first-child,
-  .matrix-table td:first-child {
-    width: 140px;
-    min-width: 140px;
-    max-width: 140px;
-  }
-  .matrix-table th:not(:first-child),
-  .matrix-table td:not(:first-child) {
-    width: 120px;
-    min-width: 120px;
-    max-width: 120px;
-  }
-  .matrix-cell {
-    width: 120px;
-    min-width: 120px;
-    max-width: 120px;
-    min-height: 50px;
-  }
-  
-  .modals-side-by-side #tool-details-primary.active {
-    top: 25%;
-    left: 50%;
-    max-width: 90vw;
-    width: 90vw;
-    max-height: 35vh;
-  }
-  
-  .modals-side-by-side #tool-details-secondary.active {
-    top: 75%;
-    left: 50%;
-    max-width: 90vw;
-    width: 90vw;
-    max-height: 35vh;
-  }
-  
-  .tool-details {
-    max-height: 80vh; 
-    padding: 1.5rem; 
-    width: 95%; 
-    max-width: none;
-  }
-
-  .form-grid.two-columns {
-    grid-template-columns: 1fr;
-  }
-  .hint-card {
-    padding: 1rem;
-  }
-  
-  .hint-description {
-    font-size: 0.6875rem;
-  }
-  
-  .hint-trigger {
-    flex-direction: column;
-    gap: 0.25rem;
-  }
-  .ai-input-layout {
-    gap: 0.75rem;
-    flex-direction: column;
-  }
-  .ai-suggestions-section {
-    flex: 0 0 auto;
-    width: 100%;
-    max-width: none;
-  }
-  .ai-textarea-section {
-    flex: 1;
-    min-width: 0;
-    width: 100%;
-    min-height: 100px;
-  }
-  .approach-hero { 
-    padding: 2rem 1rem; 
-    margin: 1rem 0;
-  }
-  
-  .approach-content h1 { 
-    font-size: 2rem; 
-  }
-  
-  .hero-tagline {
-    font-size: 1.125rem;
-  }
-  
-  .approach-selector { 
-    grid-template-columns: 1fr; 
-    gap: 1rem;
-    margin-bottom: 1.5rem;
-  }
-  
-  .approach-card { 
-    padding: 1.5rem; 
-  }
-  
-  .approach-header {
-    gap: 0.75rem;
-  }
-  
-  .approach-icon {
-    width: 2.5rem;
-    height: 2.5rem;
-    font-size: 1.25rem;
-  }
-  
-  .approach-card h3 {
-    font-size: 1.25rem;
-  }
-  
-  .quick-actions {
-    gap: 0.75rem;
-  }
-  
-  .quick-actions .btn {
-    padding: 0.625rem 1.25rem;
-    font-size: 0.8125rem;
-  }
-  .nist-workflow { 
-    grid-template-columns: 1fr 1fr; 
-    gap: 0.75rem;
-  }
-  .search-suggestions {
-    gap: 0.5rem;
-  }
-  
-  .suggestion-chip {
-    padding: 0.5rem 0.75rem;
-    font-size: 0.8125rem;
-  }
-  
-  .scenario-emoji {
-    font-size: 1rem;
-  }
-  
-  .targeted-search-input {
-    padding: 0.875rem 0.875rem 0.875rem 2.75rem;
-  }
-  
-  .search-icon {
-    left: 0.875rem;
-  }
-}
-
-@media (width <= 640px) {
-  .phase-buttons { justify-content: center; }
-  .phase-button {
-    flex: 1;
-    min-width: 0;
-    text-align: center;
-  }
-  
-  .tag-cloud { max-height: 80px; }
-  .tag-cloud.expanded { max-height: 800px; }
-  
-  .nav-wrapper {
-    flex-direction: column;
-    gap: 1rem;
-    padding: 0.75rem;
-  }
-  
-  .nav-links {
-    gap: 0.75rem;
-    justify-content: center;
-    width: 100%;
-  }
-  
-  .nav-link {
-    font-size: 0.8125rem;
-    padding: 0.25rem 0.5rem;
-  }
-
-  .ai-mode-toggle {
-    flex-direction: column;
-    gap: 0.75rem;
-    text-align: center;
-  }
-  
-  .toggle-label {
-    font-size: 0.8125rem;
-  }
-  
-  .toggle-switch {
-    align-self: center;
-  }
-  
-  .pros-cons-section {
-    grid-template-columns: 1fr;
-  }
-  
-  .card {
-    padding: 1rem;
-  }
-  
-  .form-grid {
-    gap: 0.75rem;
-  }
-  
-  .kb-entry {
-    padding: 1rem;
-  }
-  
-  .kb-entry .flex-between {
-    flex-direction: column;
-    align-items: flex-start;
-    gap: 1rem;
-  }
-  
-  .kb-entry .flex-shrink-0 {
-    align-self: stretch;
-  }
-  
-  .kb-entry .flex-shrink-0 .flex {
-    justify-content: space-between;
-    width: 100%;
-  }
-  
-  .btn-sm {
-    padding: 0.5rem 1rem;
-    flex: 1;
-  }
-  .search-suggestions {
-    justify-content: center;
-  }
-  
-  .suggestion-chip {
-    flex: 1;
-    min-width: 0;
-    max-width: calc(50% - 0.25rem);
-    justify-content: center;
-  }
-  
-  .targeted-section {
-    padding: 1.5rem;
-  }
-}
-
-@media (width <= 480px) {
-  .phase-buttons {
-    flex-direction: column;
-    gap: 0.375rem;
-  }
-  
-  .phase-button { width: 100%; }
-  
-  .phase-tools { grid-template-columns: 1fr; }
-  
-  .collaboration-tools-compact { 
-    flex-direction: column; 
-  }
-  .collaboration-tool-compact { 
-    min-width: auto; 
-    max-width: none; 
-  }
-  
-  .nav-wrapper { gap: 0.75rem; }
-  .nav-links {
-    gap: 0.5rem;
-    flex-wrap: wrap;
-    justify-content: center;
-  }
-  
-  .nav-link {
-    font-size: 0.75rem;
-    padding: 0.25rem 0.375rem;
-  }
-  
-  .tool-details {
-    max-height: 75vh; 
-    padding: 1rem; 
-    border-radius: 0.25rem; 
-  }
-  
-  .kb-entry .badge {
-    font-size: 0.625rem;
-    padding: 0.125rem 0.375rem;
-  }
-  
-  .kb-entry .text-lg {
-    font-size: 1rem;
-  }
-  
-  .kb-entry .flex.gap-4 {
-    gap: 0.75rem;
-  }
-  
-  .kb-entry .flex.gap-2 {
-    gap: 0.5rem;
-  }
-
-  
-  .prompting-card {
-    padding: 0.75rem;
-  }
-  
-  .suggestion-item {
-    padding: 0.375rem 0.5rem;
-    font-size: 0.75rem;
-  }
-  
-  .position-badge {
-    width: 28px;
-    height: 28px;
-    font-size: 0.875rem;
-  }
-  
-  .queue-status-card {
-    padding: 1rem;
-  }
-  .hint-card {
-    padding: 0.75rem;
-  }
-  
-  .hint-title {
-    font-size: 0.8125rem;
-  }
-  
-  .hint-description {
-    font-size: 0.625rem;
-  }
-  .approach-info {
-    padding: 0.75rem;
-    font-size: 0.8125rem;
-  }
-  
-  .quick-actions {
-    flex-direction: column;
-    align-items: center;
-  }
-  
-  .quick-actions .btn {
-    width: 100%;
-    max-width: 280px;
-  }
-  .nist-workflow { 
-  grid-template-columns: 1fr; 
-  }
-}
-
-/* Smart Prompting Styles - Simplified */
-.smart-prompting-container {
-  height: 100%;
-  animation: smartPromptSlideIn 0.4s cubic-bezier(0.4, 0, 0.2, 1);
-}
-
-.prompting-card {
-  background-color: var(--color-bg-tertiary);
-  border: 1px solid var(--color-border);
-  border-radius: 0.5rem;
-  padding: 1rem;
-  height: 100%;
-  min-height: 120px;
-  display: flex;
-  flex-direction: column;
-  opacity: 0.85;
-  transition: var(--transition-fast);
-}
-
-.prompting-card:hover {
-  opacity: 1;
-  border-color: var(--color-accent);
-}
-
-.prompting-status {
-  display: flex;
-  align-items: center;
-  gap: 0.5rem;
-  margin-bottom: 0.75rem;
-  padding-bottom: 0.75rem;
-  border-bottom: 1px solid var(--color-border);
-}
-
-.status-icon {
-  font-size: 1rem;
-  flex-shrink: 0;
-}
-
-.status-text {
-  font-size: 0.8125rem;
-  font-weight: 500;
-  color: var(--color-text);
-  flex: 1;
-}
-
-.prompting-spinner {
-  flex-shrink: 0;
-  animation: spin 1s linear infinite;
-}
-
-/* Smart Prompting Hint */
-.smart-prompting-hint {
-  height: 100%;
-  min-height: 120px;
-  display: flex;
-  align-items: center;
-  animation: hintFadeIn 0.3s ease-in-out;
-}
-
-.hint-card {
-  background: linear-gradient(135deg, var(--color-bg-secondary) 0%, var(--color-bg-tertiary) 100%);
-  border: 1px dashed var(--color-border);
-  border-radius: 0.5rem;
-  padding: 1.25rem;
-  width: 100%;
-  text-align: center;
-  opacity: 0.7;
-  transition: var(--transition-medium);
-}
-
-.hint-card:hover {
-  opacity: 0.9;
-  border-color: var(--color-accent);
-  transform: translateY(-1px);
-}
-
-.hint-icon {
-  margin-bottom: 0.75rem;
-  opacity: 0.8;
-}
-
-.hint-content {
-  display: flex;
-  flex-direction: column;
-  gap: 0.5rem;
-}
-
-.hint-title {
-  margin: 0;
-  font-size: 0.875rem;
-  font-weight: 600;
-  color: var(--color-text);
-  letter-spacing: 0.025em;
-}
-
-.hint-description {
-  margin: 0;
-  font-size: 0.75rem;
-  line-height: 1.5;
-  color: var(--color-text-secondary);
-}
-
-.hint-trigger {
-  display: flex;
-  align-items: center;
-  justify-content: center;
-  gap: 0.5rem;
-  margin-top: 0.25rem;
-  padding-top: 0.75rem;
-  border-top: 1px solid var(--color-border);
-}
-
-.hint-label {
-  font-size: 0.6875rem;
-  color: var(--color-text-secondary);
-  text-transform: uppercase;
-  letter-spacing: 0.05em;
-  font-weight: 500;
-}
-
-.hint-value {
-  font-size: 0.75rem;
-  font-weight: 600;
-  color: var(--color-accent);
-  background-color: var(--color-bg);
-  padding: 0.125rem 0.5rem;
-  border-radius: 1rem;
-  border: 1px solid var(--color-accent);
-}
-
-/* Hide hint when smart prompting is active */
-.smart-prompting-container[style*="block"] ~ .smart-prompting-hint,
-.smart-prompting-container:not([style*="none"]) ~ .smart-prompting-hint {
-  display: none;
-}
-
-@keyframes hintFadeIn {
-  from {
-    opacity: 0;
-    transform: translateY(10px);
-  }
-  to {
-    opacity: 0.7;
-    transform: translateY(0);
-  }
-}
-
-.suggested-questions {
-  flex: 1;
-  display: flex;
-  flex-direction: column;
-}
-
-.suggestions-header {
-  margin-bottom: 0.75rem;
-}
-
-.suggestions-label {
-  font-size: 0.75rem;
-  color: var(--color-text-secondary);
-  font-weight: 500;
-  text-transform: uppercase;
-  letter-spacing: 0.025em;
-}
-
-.questions-list {
-  flex: 1;
-  display: flex;
-  flex-direction: column;
-  gap: 0.5rem;
-  margin-bottom: 0.75rem;
-}
-
-.suggestion-item {
-  background-color: var(--color-bg);
-  border: 1px solid transparent;
-  border-radius: 0.375rem;
-  padding: 0.5rem 0.75rem;
-  font-size: 0.8125rem;
-  line-height: 1.4;
-  color: var(--color-text-secondary);
-  border-left: 2px solid var(--color-accent);
-  transition: var(--transition-fast);
-  position: relative;
-}
-
-.suggestion-item::before {
-  content: counter(suggestion-counter);
-  counter-increment: suggestion-counter;
-  position: absolute;
-  left: -8px;
-  top: -6px;
-  background-color: var(--color-accent);
-  color: white;
-  width: 16px;
-  height: 16px;
-  border-radius: 50%;
-  display: flex;
-  align-items: center;
-  justify-content: center;
-  font-size: 0.625rem;
-  font-weight: 600;
-}
-.questions-list {
-  counter-reset: suggestion-counter;
-}
-
-.suggestion-number {
-  color: var(--color-accent);
-  font-weight: 600;
-  margin-right: 0.5rem;
-}
-
-.suggestion-chip {
-  display: inline-flex;
-  align-items: center;
-  gap: 0.5rem;
-  padding: 0.75rem 1rem;
-  background-color: var(--color-bg-secondary);
-  border: 1px solid var(--color-border);
-  border-radius: 2rem;
-  cursor: pointer;
-  transition: var(--transition-fast);
-  font-size: 0.875rem;
-  user-select: none;
-}
-
-.suggestion-chip:hover {
-  background-color: var(--color-accent);
-  border-color: var(--color-accent);
-  color: white;
-  transform: translateY(-2px);
-  box-shadow: var(--shadow-md);
-}
-
-.suggestion-chip.active {
-  background-color: var(--color-accent);
-  border-color: var(--color-accent);
-  color: white;
-}
-
-.scenario-emoji {
-  font-size: 1.125rem;
-}
-
-.scenario-text {
-  font-weight: 500;
-}
-
-.more-scenarios {
-  text-align: center;
-  margin-top: 1rem;
-}
-
-.btn-more-scenarios {
-  background: none;
-  border: 1px solid var(--color-border);
-  border-radius: 1rem;
-  padding: 0.5rem 1rem;
-  color: var(--color-text-secondary);
-  cursor: pointer;
-  font-size: 0.8125rem;
-  transition: var(--transition-fast);
-}
-
-.btn-more-scenarios:hover {
-  background-color: var(--color-bg-secondary);
-  border-color: var(--color-accent);
-  color: var(--color-accent);
-}
-
-.targeted-tip {
-  background-color: var(--color-bg-secondary);
-  border: 1px solid var(--color-border);
-  border-radius: 0.5rem;
-  padding: 1rem;
-  text-align: center;
-  max-width: 600px;
-  margin: 0 auto;
-}
-
-.targeted-tip p {
-  margin: 0;
-  font-size: 0.875rem;
-  color: var(--color-text-secondary);
-}
-
-.dismiss-button {
-  align-self: flex-end;
-  background: none;
-  border: none;
-  color: var(--color-text-secondary);
-  cursor: pointer;
-  padding: 0.25rem;
-  border-radius: 0.25rem;
-  transition: var(--transition-fast);
-  opacity: 0.7;
-}
-
-.dismiss-button:hover {
-  background-color: var(--color-bg-secondary);
-  color: var(--color-text);
-  opacity: 1;
-}
-
-/* Queue Status - Improved Design */
-.queue-status-card {
-  max-width: 400px;
-  margin: 1.5rem auto 0;
-  background: linear-gradient(135deg, var(--color-bg-secondary) 0%, var(--color-bg-tertiary) 100%);
-  border: 1px solid var(--color-border);
-  border-radius: 0.75rem;
-  padding: 1.25rem;
-  box-shadow: var(--shadow-sm);
-}
-
-.queue-header {
-  display: flex;
-  align-items: center;
-  justify-content: center;
-  margin-bottom: 1rem;
-}
-
-.queue-position-display {
-  display: flex;
-  align-items: center;
-  gap: 0.75rem;
-}
-
-.position-badge {
-  width: 32px;
-  height: 32px;
-  background: linear-gradient(135deg, var(--color-primary) 0%, var(--color-accent) 100%);
-  color: white;
-  border-radius: 50%;
-  display: flex;
-  align-items: center;
-  justify-content: center;
-  font-weight: 700;
-  font-size: 1rem;
-  box-shadow: var(--shadow-sm);
-}
-
-.position-label {
-  font-weight: 600;
-  color: var(--color-text);
-  font-size: 0.9375rem;
-}
-
-.queue-details {
-  display: grid;
-  grid-template-columns: 1fr 1fr;
-  gap: 1rem;
-  margin-bottom: 1.25rem;
-}
-
-.queue-stat {
-  text-align: center;
-  padding: 0.75rem;
-  background-color: var(--color-bg);
-  border-radius: 0.5rem;
-  border: 1px solid var(--color-border);
-}
-
-.stat-label {
-  display: block;
-  font-size: 0.75rem;
-  color: var(--color-text-secondary);
-  margin-bottom: 0.25rem;
-  font-weight: 500;
-}
-
-.stat-value {
-  font-size: 1.125rem;
-  font-weight: 700;
-  color: var(--color-primary);
-}
-
-.stat-unit {
-  font-size: 0.75rem;
-  color: var(--color-text-secondary);
-  margin-left: 0.25rem;
-}
-
-.queue-progress-container {
-  position: relative;
-}
-
-.queue-progress-track {
-  background-color: var(--color-bg);
-  border-radius: 8px;
-  height: 6px;
-  overflow: hidden;
-  border: 1px solid var(--color-border);
-  margin-bottom: 0.75rem;
-}
-
-.queue-progress-fill {
-  height: 100%;
-  background: linear-gradient(90deg, var(--color-primary) 0%, var(--color-accent) 100%);
-  width: 0%;
-  transition: width 0.3s ease;
-  border-radius: 8px;
-}
-
-.task-id-display {
-  text-align: center;
-  padding: 0.5rem;
-  background-color: var(--color-bg);
-  border-radius: 0.375rem;
-  border: 1px solid var(--color-border);
-}
-
-.task-label {
-  font-size: 0.6875rem;
-  color: var(--color-text-secondary);
-  margin-right: 0.5rem;
-  text-transform: uppercase;
-  letter-spacing: 0.025em;
-  font-weight: 500;
-}
-
-.task-id {
-  font-family: 'SF Mono', 'Monaco', 'Menlo', 'Consolas', monospace;
-  font-size: 0.6875rem;
-  color: var(--color-text);
-  background-color: var(--color-bg-secondary);
-  padding: 0.125rem 0.375rem;
-  border-radius: 0.25rem;
-  border: 1px solid var(--color-border);
-}
-
-@keyframes smartPromptSlideIn {
-  from {
-    opacity: 0;
-    transform: translateX(20px);
-    max-height: 0;
-  }
-  to {
-    opacity: 0.85;
-    transform: translateX(0);
-    max-height: 300px;
-  }
-}
-
-
-/* Enhanced contextual analysis cards */
-.contextual-analysis-card {
-  margin-bottom: 2rem;
-  border-left: 4px solid;
-  transition: var(--transition-fast);
-}
-
-.contextual-analysis-card:hover {
-  transform: translateY(-1px);
-  box-shadow: var(--shadow-md);
-}
-
-.contextual-analysis-card.scenario {
-  border-left-color: var(--color-primary);
-}
-
-.contextual-analysis-card.approach {
-  border-left-color: var(--color-accent);
-}
-
-.contextual-analysis-card.critical {
-  border-left-color: var(--color-warning);
-}
-
-.analysis-header {
-  display: flex;
-  align-items: center;
-  gap: 0.5rem;
-  margin-bottom: 1rem;
-  font-size: 1rem;
-  font-weight: 600;
-}
-
-.analysis-header.scenario { color: var(--color-primary); }
-.analysis-header.approach { color: var(--color-accent); }
-.analysis-header.critical { color: var(--color-warning); }
-
-/* Methodology-First Approach Styles */
-.approach-hero {
-  background: linear-gradient(135deg, var(--color-bg-secondary) 0%, var(--color-bg-tertiary) 100%);
-  border-radius: 1rem;
-  border: 1px solid var(--color-border);
-  padding: 3rem 2rem;
-  margin: 2rem 0;
-  text-align: center;
-}
-
-.approach-content h1 {
-  font-size: 2.5rem;
-  margin-bottom: 1rem;
-  color: var(--color-primary);
-}
-
-.hero-tagline {
-  font-size: 1.25rem;
-  color: var(--color-text);
-  margin-bottom: 0.5rem;
-  font-weight: 600;
-}
-
-.hero-subtitle {
-  color: var(--color-text-secondary);
-  margin-bottom: 2rem;
-  line-height: 1.6;
-  max-width: 700px;
-  margin-left: auto;
-  margin-right: auto;
-}
-
-.approach-selector {
-  display: grid;
-  grid-template-columns: 1fr 1fr;
-  gap: 2rem;
-  max-width: 900px;
-  margin: 0 auto 2rem;
-}
-
-.approach-card {
-  background: var(--color-bg);
-  border: 2px solid var(--color-border);
-  border-radius: 0.75rem;
-  padding: 2rem;
-  cursor: pointer;
-  transition: var(--transition-fast);
-  text-align: left;
-  position: relative;
-  overflow: hidden;
-}
-
-.approach-card::before {
-  content: '';
-  position: absolute;
-  top: 0;
-  left: 0;
-  right: 0;
-  height: 4px;
-  background: var(--approach-color);
-  opacity: 0.7;
-}
-
-.approach-card.methodology { --approach-color: var(--color-primary); }
-.approach-card.targeted { --approach-color: var(--color-accent); }
-
-.approach-card:hover {
-  transform: translateY(-4px);
-  box-shadow: var(--shadow-lg);
-  border-color: var(--approach-color);
-}
-
-.approach-header {
-  display: flex;
-  align-items: center;
-  margin-bottom: 1rem;
-  gap: 1rem;
-}
-
-.approach-icon {
-  width: 3rem;
-  height: 3rem;
-  background: var(--approach-color);
-  color: white;
-  border-radius: 0.75rem;
-  display: flex;
-  align-items: center;
-  justify-content: center;
-  font-size: 1.5rem;
-  flex-shrink: 0;
-}
-
-.approach-card h3 {
-  font-size: 1.375rem;
-  color: var(--color-text);
-  margin: 0;
-}
-
-.approach-card.selected {
-  border-color: var(--approach-color);
-  background: linear-gradient(135deg, var(--color-bg) 0%, color-mix(in srgb, var(--approach-color) 8%, transparent) 100%);
-  box-shadow: var(--shadow-md);
-}
-
-.approach-description {
-  color: var(--color-text-secondary);
-  margin-bottom: 1.5rem;
-  line-height: 1.6;
-}
-
-.approach-features {
-  list-style: none;
-  padding: 0;
-  margin: 0;
-}
-
-.approach-features li {
-  display: flex;
-  align-items: center;
-  gap: 0.5rem;
-  margin-bottom: 0.5rem;
-  font-size: 0.875rem;
-  color: var(--color-text-secondary);
-}
-
-.approach-features li::before {
-  content: '✓';
-  color: var(--approach-color);
-  font-weight: bold;
-  flex-shrink: 0;
-}
-
-.approach-actions {
-  max-width: 800px;
-  margin: 0 auto;
-}
-
-.approach-info {
-  background: var(--color-bg-secondary);
-  border: 1px solid var(--color-border);
-  border-radius: 0.5rem;
-  padding: 1rem;
-  margin-bottom: 1.5rem;
-  font-size: 0.875rem;
-  color: var(--color-text-secondary);
-  line-height: 1.6;
-  text-align: left;
-}
-
-.info-icon {
-  margin-right: 0.5rem;
-  font-size: 1rem;
-}
-
-.quick-actions {
-  display: flex;
-  gap: 1rem;
-  justify-content: center;
-  flex-wrap: wrap;
-}
-
-.quick-actions .btn {
-  padding: 0.75rem 1.5rem;
-  font-size: 0.875rem;
-}
-
-.methodology-section {
-  background: var(--color-bg);
-  border: 1px solid var(--color-border);
-  border-radius: 0.75rem;
-  padding: 2rem;
-  margin: 2rem 0;
-  display: none;
-}
-
-.methodology-section.active { 
-  display: block; 
-  animation: fadeInUp 0.5s ease-out;
-}
-
-.methodology-header {
-  text-align: center;
-  margin-bottom: 2rem;
-}
-
-.methodology-header h3 {
-  color: var(--color-primary);
-  font-size: 1.5rem;
-  margin-bottom: 0.5rem;
-}
-
-.methodology-subtitle {
-  color: var(--color-text-secondary);
-  font-size: 0.875rem;
-}
-
-.methodology-tip {
-  text-align: center;
-  padding: 1.5rem;
-  background: var(--color-bg-secondary);
-  border-radius: 0.5rem;
-}
-
-.methodology-tip p {
-  color: var(--color-text-secondary);
-  margin: 0;
-  font-size: 0.875rem;
-}
-
-.nist-workflow {
-  display: grid;
-  grid-template-columns: repeat(4, 1fr);
-  gap: 1rem;
-  margin-bottom: 2rem;
-}
-
-.targeted-section {
-  background: var(--color-bg);
-  border: 1px solid var(--color-border);
-  border-radius: 0.75rem;
-  padding: 2rem;
-  margin: 2rem 0;
-  display: none;
-  animation: fadeInUp 0.5s ease-out;
-}
-
-.targeted-section.active { 
-  display: block; 
-}
-
-.targeted-header {
-  text-align: center;
-  margin-bottom: 2rem;
-}
-
-.targeted-header h3 {
-  color: var(--color-accent);
-  font-size: 1.5rem;
-  margin-bottom: 0.5rem;
-}
-
-.targeted-subtitle {
-  color: var(--color-text-secondary);
-  font-size: 0.875rem;
-  margin: 0;
-}
-
-.search-interface {
-  max-width: 800px;
-  margin: 0 auto 2rem;
-}
-
-.search-box {
-  position: relative;
-  margin-bottom: 1.5rem;
-}
-
-.search-icon {
-  position: absolute;
-  left: 1rem;
-  top: 50%;
-  transform: translateY(-50%);
-  color: var(--color-text-secondary);
-  pointer-events: none;
-}
-
-.targeted-search-input {
-  width: 100%;
-  padding: 1rem 1rem 1rem 3rem;
-  border: 2px solid var(--color-border);
-  border-radius: 0.5rem;
-  font-size: 0.875rem;
-  background-color: var(--color-bg);
-  color: var(--color-text);
-  transition: var(--transition-fast);
-}
-
-.targeted-search-input:focus {
-  outline: none;
-  border-color: var(--color-accent);
-  box-shadow: 0 0 0 3px rgb(5 150 105 / 10%);
-}
-
-.search-suggestions {
-  display: flex;
-  flex-wrap: wrap;
-  gap: 0.75rem;
-  margin-bottom: 1rem;
-  justify-content: center;
-}
\ No newline at end of file
diff --git a/src/styles/global.css b/src/styles/global.css
index 0515ccc..be43144 100644
--- a/src/styles/global.css
+++ b/src/styles/global.css
@@ -144,24 +144,11 @@ a:hover {
   margin: 0 auto;
 }
 
-.container-wide {
-  max-width: 1400px;
-  margin: 0 auto;
-}
-
 /* Section Utilities */
 .section {
   padding: 2rem 0;
 }
 
-.section-sm {
-  padding: 1rem 0;
-}
-
-.section-lg {
-  padding: 3rem 0;
-}
-
 /* Flex Utilities */
 .flex {
   display: flex;
@@ -209,10 +196,6 @@ a:hover {
   align-items: center;
 }
 
-.items-start {
-  align-items: flex-start;
-}
-
 .justify-center {
   justify-content: center;
 }
@@ -231,11 +214,6 @@ a:hover {
   grid-template-columns: 1fr 1fr;
 }
 
-.grid-3 {
-  display: grid;
-  grid-template-columns: 1fr 1fr 1fr;
-}
-
 .grid-4 {
   display: grid;
   grid-template-columns: 1fr 1fr 1fr 1fr;
@@ -248,24 +226,11 @@ a:hover {
   justify-content: center;
 }
 
-.grid-auto-fit-sm {
-  display: grid;
-  grid-template-columns: repeat(auto-fit, minmax(200px, 1fr));
-  gap: 1rem;
-}
-
-.grid-auto-fit-lg {
-  display: grid;
-  grid-template-columns: repeat(auto-fit, minmax(400px, 1fr));
-  gap: 1rem;
-}
-
 /* Gap Utilities */
 .gap-1 { gap: 0.25rem; }
 .gap-2 { gap: 0.5rem; }
 .gap-3 { gap: 0.75rem; }
 .gap-4 { gap: 1rem; }
-.gap-6 { gap: 1.5rem; }
 .gap-8 { gap: 2rem; }
 
 /* ===================================================================
@@ -273,29 +238,16 @@ a:hover {
    ================================================================= */
 
 /* Margin Utilities */
-.m-0 { margin: 0; }
-.m-1 { margin: 0.25rem; }
-.m-2 { margin: 0.5rem; }
-.m-3 { margin: 0.75rem; }
-.m-4 { margin: 1rem; }
-.m-6 { margin: 1.5rem; }
-.m-8 { margin: 2rem; }
-
 .mx-auto { margin-left: auto; margin-right: auto; }
 
-.mt-0 { margin-top: 0; }
 .mt-1 { margin-top: 0.25rem; }
 .mt-2 { margin-top: 0.5rem; }
 .mt-3 { margin-top: 0.75rem; }
 .mt-4 { margin-top: 1rem; }
-.mt-6 { margin-top: 1.5rem; }
-.mt-8 { margin-top: 2rem; }
 .mt-auto { margin-top: auto; }
 
-.mr-1 { margin-right: 0.25rem; }
 .mr-2 { margin-right: 0.5rem; }
 .mr-3 { margin-right: 0.75rem; }
-.mr-4 { margin-right: 1rem; }
 
 .mb-0 { margin-bottom: 0; }
 .mb-1 { margin-bottom: 0.25rem; }
@@ -305,34 +257,22 @@ a:hover {
 .mb-6 { margin-bottom: 1.5rem; }
 .mb-8 { margin-bottom: 2rem; }
 
-.ml-1 { margin-left: 0.25rem; }
 .ml-2 { margin-left: 0.5rem; }
-.ml-3 { margin-left: 0.75rem; }
-.ml-4 { margin-left: 1rem; }
 
 /* Padding Utilities */
-.p-0 { padding: 0; }
-.p-1 { padding: 0.25rem; }
 .p-2 { padding: 0.5rem; }
 .p-3 { padding: 0.75rem; }
 .p-4 { padding: 1rem; }
 .p-6 { padding: 1.5rem; }
 .p-8 { padding: 2rem; }
 
-.px-1 { padding-left: 0.25rem; padding-right: 0.25rem; }
-.px-2 { padding-left: 0.5rem; padding-right: 0.5rem; }
 .px-3 { padding-left: 0.75rem; padding-right: 0.75rem; }
 .px-4 { padding-left: 1rem; padding-right: 1rem; }
 
-.py-1 { padding-top: 0.25rem; padding-bottom: 0.25rem; }
 .py-2 { padding-top: 0.5rem; padding-bottom: 0.5rem; }
-.py-3 { padding-top: 0.75rem; padding-bottom: 0.75rem; }
-.py-4 { padding-top: 1rem; padding-bottom: 1rem; }
-.py-6 { padding-top: 1.5rem; padding-bottom: 1.5rem; }
 .py-8 { padding-top: 2rem; padding-bottom: 2rem; }
 
 .pt-3 { padding-top: 0.75rem; }
-.pb-2 { padding-bottom: 0.5rem; }
 
 /* ===================================================================
    6. TARGETED UTILITY CLASSES (FOR INLINE STYLE CONSOLIDATION)
@@ -342,8 +282,6 @@ a:hover {
 .section-padding { padding: 2rem 0; }
 .content-center { text-align: center; margin-bottom: 1rem; }
 .content-center-lg { text-align: center; margin-bottom: 2rem; }
-.content-narrow { max-width: 900px; margin: 0 auto; }
-.content-wide { max-width: 1200px; margin: 0 auto; }
 
 /* Card Info Variants (for inline background/padding combinations) */
 .card-info-sm { 
@@ -352,20 +290,6 @@ a:hover {
   border-radius: 0.5rem; 
 }
 
-.card-info-md { 
-  background-color: var(--color-bg-secondary); 
-  padding: 1.5rem; 
-  border-radius: 0.75rem; 
-  border: 1px solid var(--color-border); 
-}
-
-.card-info-lg { 
-  background-color: var(--color-bg-secondary); 
-  padding: 2rem; 
-  border-radius: 1rem; 
-  border: 1px solid var(--color-border); 
-}
-
 /* Header/Title Combinations */
 .header-center { 
   text-align: center; 
@@ -384,42 +308,6 @@ a:hover {
   color: white;
 }
 
-/* Metadata/Info Text Combinations */
-.info-text {
-  font-size: 0.875rem;
-  color: var(--color-text-secondary);
-  line-height: 1.6;
-}
-
-.info-text-center {
-  font-size: 0.875rem;
-  color: var(--color-text-secondary);
-  text-align: center;
-  line-height: 1.6;
-}
-
-/* Grid Auto-fit Variants for common inline grid patterns */
-.grid-auto-300 {
-  display: grid;
-  grid-template-columns: repeat(auto-fit, minmax(300px, 1fr));
-  gap: 1rem;
-}
-
-.grid-auto-400 {
-  display: grid;
-  grid-template-columns: repeat(auto-fit, minmax(400px, 1fr));
-  gap: 1rem;
-}
-
-.grid-auto-500 {
-  display: grid;
-  grid-template-columns: repeat(auto-fit, minmax(500px, 1fr));
-  gap: 1.5rem;
-}
-
-/* Add to global.css */
-.pros-cons-section { display: grid; grid-template-columns: 1fr 1fr; gap: 1rem; }
-.tool-metadata { display: grid; grid-template-columns: repeat(auto-fit, minmax(150px, 1fr)); gap: 0.75rem; }
 .grid-cols-2 { grid-template-columns: 1fr 1fr; }
 .flex-shrink-1 { flex-shrink: 1; }
 
@@ -429,7 +317,6 @@ a:hover {
 
 /* Text Utilities */
 .text-center { text-align: center; }
-.text-left { text-align: left; }
 .text-right { text-align: right; }
 
 .text-xs { font-size: 0.75rem; }
@@ -439,10 +326,8 @@ a:hover {
 .text-xl { font-size: 1.25rem; }
 .text-2xl { font-size: 1.5rem; }
 
-.font-normal { font-weight: 400; }
 .font-medium { font-weight: 500; }
 .font-semibold { font-weight: 600; }
-.font-bold { font-weight: 700; }
 
 .leading-tight { line-height: 1.25; }
 .leading-normal { line-height: 1.5; }
@@ -454,12 +339,10 @@ a:hover {
 .text-secondary { color: var(--color-text-secondary); }
 .text-accent { color: var(--color-accent); }
 .text-warning { color: var(--color-warning); }
-.text-error { color: var(--color-error); }
 
 /* Display Utilities */
 .block { display: block; }
 .inline { display: inline; }
-.inline-block { display: inline-block; }
 .hidden { display: none; }
 
 /* Size Utilities */
@@ -475,18 +358,13 @@ a:hover {
 .fixed { position: fixed; }
 .sticky { position: sticky; }
 
-.top-0 { top: 0; }
 .bottom-8 { bottom: 2rem; }
 .right-8 { right: 2rem; }
-.left-0 { left: 0; }
 
-.z-10 { z-index: 10; }
 .z-50 { z-index: 50; }
-.z-100 { z-index: 100; }
 
 /* Overflow Utilities */
 .overflow-hidden { overflow: hidden; }
-.overflow-auto { overflow: auto; }
 
 /* Border Utilities */
 .border { border: 1px solid var(--color-border); }
@@ -494,19 +372,15 @@ a:hover {
 .border-l-4 { border-left: 4px solid; }
 
 .rounded { border-radius: 0.25rem; }
-.rounded-md { border-radius: 0.375rem; }
 .rounded-lg { border-radius: 0.5rem; }
 .rounded-xl { border-radius: 0.75rem; }
-.rounded-2xl { border-radius: 1rem; }
 
 /* Background Utilities */
 .bg-secondary { background-color: var(--color-bg-secondary); }
-.bg-tertiary { background-color: var(--color-bg-tertiary); }
 
 /* Cursor Utilities */
 .cursor-pointer { cursor: pointer; }
 
-.h-12 { height: 3rem; }
 .align-middle { vertical-align: middle; }
 
 
@@ -646,11 +520,6 @@ nav {
 }
 
 /* Button Sizes */
-.btn-xs {
-  padding: 0.25rem 0.5rem;
-  font-size: 0.75rem;
-}
-
 .btn-sm {
   padding: 0.375rem 0.75rem;
   font-size: 0.8125rem;
@@ -808,14 +677,6 @@ input[type="checkbox"] {
 }
 
 /* Card Variants */
-.card-sm {
-  padding: 1rem;
-}
-
-.card-lg {
-  padding: 2rem;
-}
-
 .card-info {
   background-color: var(--color-bg-secondary);
   border-left: 4px solid var(--color-primary);
@@ -826,15 +687,6 @@ input[type="checkbox"] {
   color: white;
 }
 
-.card-gradient {
-  background: linear-gradient(135deg, var(--color-bg-secondary) 0%, var(--color-bg-tertiary) 100%);
-}
-
-.card-hero {
-  background: linear-gradient(135deg, var(--color-primary) 0%, var(--color-accent) 100%);
-  color: white;
-}
-
 /* Card Type Modifiers */
 .card-hosted {
   background-color: var(--color-hosted-bg);
@@ -878,7 +730,6 @@ input[type="checkbox"] {
 .badge-primary { background-color: var(--color-primary); color: white; }
 .badge-secondary { background-color: var(--color-bg-secondary); color: var(--color-text); border: 1px solid var(--color-border); }
 .badge-success { background-color: var(--color-accent); color: white; }
-.badge-accent { background-color: var(--color-accent); color: white; }
 .badge-warning { background-color: var(--color-warning); color: white; }
 .badge-error { background-color: var(--color-error); color: white; }
 
@@ -1750,7 +1601,93 @@ input[type="checkbox"] {
   border-color: var(--color-accent) !important;
 }
 
+.ai-hero-spotlight {
+  background: linear-gradient(135deg, var(--color-bg) 0%, var(--color-bg-secondary) 100%);
+  border: 2px solid var(--color-accent);
+  border-radius: 1rem;
+  padding: 2rem;
+  margin: 1.5rem auto;
+  text-align: center;
+  position: relative;
+  overflow: hidden;
+  max-width: 600px;
+  width: 100%;
+}
 
+.ai-hero-spotlight::before {
+  content: '';
+  position: absolute;
+  top: 0;
+  left: 0;
+  right: 0;
+  height: 3px;
+  background: linear-gradient(90deg, var(--color-accent) 0%, var(--color-primary) 100%);
+}
+
+.ai-spotlight-content {
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  gap: 1rem;
+  margin-bottom: 1.5rem;
+}
+
+.ai-spotlight-icon {
+  width: 48px;
+  height: 48px;
+  background: linear-gradient(135deg, var(--color-accent) 0%, var(--color-primary) 100%);
+  border-radius: 0.75rem;
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  color: white;
+  box-shadow: var(--shadow-md);
+  flex-shrink: 0;
+}
+
+.ai-spotlight-text h3 {
+  margin: 0 0 0.25rem 0;
+  font-size: 1.25rem;
+  color: var(--color-text);
+}
+
+.ai-spotlight-text p {
+  margin: 0;
+  color: var(--color-text-secondary);
+  font-size: 0.875rem;
+}
+
+.ai-primary-btn {
+  padding: 0.875rem 2rem;
+  margin: 0 0 1rem 0;
+  position: relative;
+  overflow: hidden;
+}
+
+.ai-primary-btn:hover {
+  transform: translateY(-2px);
+  box-shadow: var(--shadow-lg), 0 8px 20px rgba(5, 150, 105, 0.3);
+}
+
+.ai-primary-btn svg:last-child {
+  transition: var(--transition-fast);
+}
+
+.ai-primary-btn:hover svg:last-child {
+  transform: translate(2px, -2px);
+}
+
+/* Mini features display */
+.ai-features-mini {
+  display: flex;
+  justify-content: center;
+  gap: 0.5rem;
+  flex-wrap: wrap;
+}
+
+.ai-features-mini .badge {
+  font-size: 0.75rem;
+}
 
 /* ===================================================================
    16. AI INTERFACE (CONSOLIDATED)
@@ -1985,21 +1922,7 @@ input[type="checkbox"] {
   }
 }
 
-/* Animation for micro-task progress */
-@keyframes micro-task-pulse {
-  0%, 100% { opacity: 1; }
-  50% { opacity: 0.7; }
-}
 
-.micro-step.active {
-  animation: micro-task-pulse 2s ease-in-out infinite;
-}
-
-@keyframes micro-task-complete {
-  0% { transform: scale(1); }
-  50% { transform: scale(1.1); }
-  100% { transform: scale(1); }
-}
 
 .micro-step.completed {
   animation: micro-task-complete 0.6s ease-out;
@@ -2015,6 +1938,7 @@ input[type="checkbox"] {
   gap: 1rem;
   max-width: 1200px;
   margin: 0 auto;
+  margin-top: 1rem;
 }
 
 .phase-header {
@@ -2145,6 +2069,10 @@ input[type="checkbox"] {
   border-color: var(--color-method);
 }
 
+.tool-recommendation:hover {
+  box-shadow: 0 0 8px rgba(0,0,0,0.1);
+}
+
 .tool-rec-header {
   display: flex;
   justify-content: space-between;
@@ -2183,14 +2111,6 @@ input[type="checkbox"] {
   border-left: 3px solid var(--color-primary);
 }
 
-.tool-rec-metadata {
-  display: flex;
-  flex-direction: column;
-  gap: 0.375rem;
-  font-size: 0.75rem;
-  color: var(--color-text-secondary);
-}
-
 /* ===================================================================
    18. APPROACH SELECTION (CONSOLIDATED)
    ================================================================= */
@@ -2566,11 +2486,36 @@ footer {
   }
 }
 
+/* Animation for micro-task progress */
+@keyframes micro-task-pulse {
+  0%, 100% { opacity: 1; }
+  50% { opacity: 0.7; }
+}
+
+.micro-step.active {
+  animation: micro-task-pulse 2s ease-in-out infinite;
+}
+
+@keyframes micro-task-complete {
+  0% { transform: scale(1); }
+  50% { transform: scale(1.1); }
+  100% { transform: scale(1); }
+}
+
+@keyframes ai-spotlight-pulse {
+  0% { transform: scale(1); }
+  50% { transform: scale(1.02); }
+  100% { transform: scale(1); }
+}
+
+.ai-primary-btn.activated {
+  animation: ai-spotlight-pulse 0.4s ease-out;
+}
+
 /* ===================================================================
    21. SMART PROMPTING INTERFACE (MISSING STYLES ADDED BACK)
    ================================================================= */
 
-/* Smart Prompting Container */
 .smart-prompting-container {
   height: 100%;
   animation: smartPromptSlideIn 0.4s cubic-bezier(0.4, 0, 0.2, 1);
@@ -2852,12 +2797,6 @@ footer {
   color: var(--color-primary);
 }
 
-.stat-unit {
-  font-size: 0.75rem;
-  color: var(--color-text-secondary);
-  margin-left: 0.25rem;
-}
-
 .queue-progress-container {
   position: relative;
 }
@@ -3273,7 +3212,7 @@ footer {
     grid-template-columns: repeat(auto-fit, minmax(140px, 1fr));
     gap: 0.5rem;
   }
-  
+ 
   .phase-chip {
     padding: 0.625rem 0.75rem;
     font-size: 0.8125rem;
@@ -3353,6 +3292,30 @@ footer {
     width: 100%;
     min-height: 100px;
   }
+
+  .ai-spotlight-content {
+    flex-direction: column;
+    gap: 0.75rem;
+    margin-bottom: 1rem;
+  }
+  
+  .ai-spotlight-icon {
+    width: 40px;
+    height: 40px;
+  }
+  
+  .ai-spotlight-text h3 {
+    font-size: 1.125rem;
+  }
+  
+  .ai-primary-btn {
+    width: 100%;
+    max-width: 280px;
+  }
+  
+  .ai-features-mini {
+    gap: 0.375rem;
+  }
   
   .approach-hero { 
     padding: 2rem 1rem; 
@@ -3406,7 +3369,6 @@ footer {
   }
   
   .grid-2,
-  .grid-3,
   .grid-4 {
     grid-template-columns: 1fr;
   }
@@ -3436,10 +3398,6 @@ footer {
   .advanced-filters-compact {
     gap: 0.5rem;
   }
-
-  .filter-row {
-    grid-template-columns: 1fr;
-  }
   
   .filter-toggles-compact {
     flex-direction: column;
@@ -3625,6 +3583,14 @@ footer {
     flex: 1 1 100%;
     justify-content: flex-end;
   }
+  .ai-hero-spotlight {
+    padding: 1.5rem 1rem;
+  }
+  
+  .ai-features-mini {
+    flex-direction: column;
+    align-items: center;
+  }
 }
 
 
@@ -3632,9 +3598,6 @@ footer {
    MIGRATION UTILITIES - Additional classes for inline style migration
    ================================================================= */
 
-/* Height utilities */
-.h-12 { height: 3rem; }
-
 /* Alignment utilities */
 .align-middle { vertical-align: middle; }
 
@@ -3659,17 +3622,8 @@ footer {
   color: white;
 }
 
-/* Enhanced card info variants (if not already present) */
-.card-info-xl { 
-  background-color: var(--color-bg-secondary); 
-  padding: 2.5rem; 
-  border-radius: 1.25rem; 
-  border: 1px solid var(--color-border); 
-}
-
 /* Ensure we have all text size variants */
 .text-2xl { font-size: 1.5rem; }
-.text-3xl { font-size: 1.875rem; }
 
 /* Additional spacing utilities that might be missing */
 .py-8 { padding-top: 2rem; padding-bottom: 2rem; }
@@ -3681,7 +3635,6 @@ footer {
 
 /* Additional rounded variants */
 .rounded-xl { border-radius: 0.75rem; }
-.rounded-2xl { border-radius: 1rem; }
 
 /* ===================================================================
    23. MARKDOWN CONTENT
@@ -3769,4 +3722,50 @@ footer {
   border: none;
   border-top: 1px solid var(--color-border);
   margin: 2rem 0;
+}
+
+/* ===================================================================
+   26. ENHANCED AUDIT TRAIL STYLES
+   ================================================================= */
+
+.audit-process-flow {
+  position: relative;
+}
+
+.phase-group {
+  position: relative;
+}
+
+.phase-group:not(:last-child)::after {
+  content: '';
+  position: absolute;
+  left: 13px;
+  bottom: -8px;
+  width: 2px;
+  height: 16px;
+  background: linear-gradient(to bottom, var(--color-border) 0%, transparent 100%);
+}
+
+.toggle-icon {
+  transition: transform 0.2s ease;
+}
+
+/* Hover effects for audit entries */
+.audit-trail-details .hover\\:bg-secondary:hover {
+  background-color: var(--color-bg-secondary);
+}
+
+/* Responsive adjustments for audit trail */
+@media (width <= 768px) {
+  .audit-process-flow .grid-cols-3 {
+    grid-template-columns: 1fr;
+    gap: 1rem;
+  }
+  
+  .phase-group .flex {
+    flex-direction: column;
+    align-items: flex-start;
+    gap: 0.5rem;
+  }
+  
 }
\ No newline at end of file
diff --git a/src/utils/aiPipeline.ts b/src/utils/aiPipeline.ts
index ac727f7..c1583c0 100644
--- a/src/utils/aiPipeline.ts
+++ b/src/utils/aiPipeline.ts
@@ -1,7 +1,9 @@
-// src/utils/aiPipeline.ts 
+// src/utils/aiPipeline.ts - Enhanced with Proper Confidence Scoring
 
 import { getCompressedToolsDataForAI } from './dataService.js';
-import { embeddingsService, type EmbeddingData } from './embeddings.js';
+import { embeddingsService, type EmbeddingData, type SimilarityResult } from './embeddings.js';
+import { AI_PROMPTS, getPrompt } from '../config/prompts.js';
+import { isToolHosted } from './toolHelpers.js';
 
 interface AIConfig {
   endpoint: string;
@@ -30,6 +32,17 @@ interface AnalysisResult {
   };
 }
 
+interface AuditEntry {
+  timestamp: number;
+  phase: string;           
+  action: string;          
+  input: any;              
+  output: any;             
+  confidence: number;      
+  processingTimeMs: number;
+  metadata: Record<string, any>;
+}
+
 interface AnalysisContext {
   userQuery: string;
   mode: string;
@@ -43,10 +56,22 @@ interface AnalysisContext {
   problemAnalysis?: string;
   investigationApproach?: string;
   criticalConsiderations?: string;
-  selectedTools?: Array<{tool: any, phase: string, priority: string, justification?: string}>;
+  selectedTools?: Array<{tool: any, phase: string, priority: string, justification?: string, taskRelevance?: number, limitations?: string[]}>;
   backgroundKnowledge?: Array<{concept: any, relevance: string}>;
   
   seenToolNames: Set<string>;
+  
+  auditTrail: AuditEntry[];
+  
+  embeddingsSimilarities: Map<string, number>;
+}
+
+interface ConfidenceMetrics {
+  overall: number;                    
+  semanticRelevance: number;         
+  taskSuitability: number;          
+  uncertaintyFactors: string[];   
+  strengthIndicators: string[]; 
 }
 
 class ImprovedMicroTaskAIPipeline {
@@ -56,8 +81,35 @@ class ImprovedMicroTaskAIPipeline {
   private similarityThreshold: number;
   private microTaskDelay: number;
   
+  private embeddingSelectionLimit: number;
+  private embeddingConceptsLimit: number;
+
+  private noEmbeddingsToolLimit: number;
+  private noEmbeddingsConceptLimit: number;
+  
+  private embeddingsMinTools: number;
+  private embeddingsMaxReductionRatio: number;
+  
   private maxContextTokens: number;
   private maxPromptTokens: number;
+  
+  private auditConfig: {
+    enabled: boolean;
+    detailLevel: 'minimal' | 'standard' | 'verbose';
+    retentionHours: number;
+  };
+
+  private confidenceConfig: {
+    semanticWeight: number;       
+    suitabilityWeight: number;  
+    consistencyWeight: number;    
+    reliabilityWeight: number;    
+    minimumThreshold: number;
+    mediumThreshold: number;
+    highThreshold: number;
+  };
+  
+  private tempAuditEntries: AuditEntry[] = [];
 
   constructor() {
     this.config = {
@@ -66,13 +118,43 @@ class ImprovedMicroTaskAIPipeline {
       model: this.getEnv('AI_ANALYZER_MODEL')
     };
 
-    this.maxSelectedItems = parseInt(process.env.AI_MAX_SELECTED_ITEMS || '60', 10);
-    this.embeddingCandidates = parseInt(process.env.AI_EMBEDDING_CANDIDATES || '60', 10); 
-    this.similarityThreshold = 0.3; 
+    this.maxSelectedItems = parseInt(process.env.AI_MAX_SELECTED_ITEMS || '25', 10);
+    this.embeddingCandidates = parseInt(process.env.AI_EMBEDDING_CANDIDATES || '50', 10); 
+    this.similarityThreshold = parseFloat(process.env.AI_SIMILARITY_THRESHOLD || '0.3');
     this.microTaskDelay = parseInt(process.env.AI_MICRO_TASK_DELAY_MS || '500', 10);
     
+    this.embeddingSelectionLimit = parseInt(process.env.AI_EMBEDDING_SELECTION_LIMIT || '30', 10);
+    this.embeddingConceptsLimit = parseInt(process.env.AI_EMBEDDING_CONCEPTS_LIMIT || '15', 10);
+
+    this.noEmbeddingsToolLimit = parseInt(process.env.AI_NO_EMBEDDINGS_TOOL_LIMIT || '0', 10);
+    this.noEmbeddingsConceptLimit = parseInt(process.env.AI_NO_EMBEDDINGS_CONCEPT_LIMIT || '0', 10);
+    
+    this.embeddingsMinTools = parseInt(process.env.AI_EMBEDDINGS_MIN_TOOLS || '8', 10);
+    this.embeddingsMaxReductionRatio = parseFloat(process.env.AI_EMBEDDINGS_MAX_REDUCTION_RATIO || '0.75');
+    
     this.maxContextTokens = parseInt(process.env.AI_MAX_CONTEXT_TOKENS || '4000', 10);
     this.maxPromptTokens = parseInt(process.env.AI_MAX_PROMPT_TOKENS || '1500', 10);
+    
+    this.auditConfig = {
+      enabled: process.env.FORENSIC_AUDIT_ENABLED === 'true',
+      detailLevel: (process.env.FORENSIC_AUDIT_DETAIL_LEVEL as any) || 'standard',
+      retentionHours: parseInt(process.env.FORENSIC_AUDIT_RETENTION_HOURS || '72', 10)
+    };
+    
+    this.confidenceConfig = {
+      semanticWeight: parseFloat(process.env.CONFIDENCE_SEMANTIC_WEIGHT || '0.3'),   
+      suitabilityWeight: parseFloat(process.env.CONFIDENCE_SUITABILITY_WEIGHT || '0.7'), 
+      consistencyWeight: 0,    
+      reliabilityWeight: 0,
+      minimumThreshold: parseInt(process.env.CONFIDENCE_MINIMUM_THRESHOLD || '40', 10),
+      mediumThreshold: parseInt(process.env.CONFIDENCE_MEDIUM_THRESHOLD || '60', 10),
+      highThreshold: parseInt(process.env.CONFIDENCE_HIGH_THRESHOLD || '80', 10)
+    };
+
+    console.log('[AI PIPELINE] Simplified confidence scoring enabled:', {
+      weights: `Semantic:${this.confidenceConfig.semanticWeight} Suitability:${this.confidenceConfig.suitabilityWeight}`,
+      thresholds: `${this.confidenceConfig.minimumThreshold}/${this.confidenceConfig.mediumThreshold}/${this.confidenceConfig.highThreshold}`
+    });
   }
 
   private getEnv(key: string): string {
@@ -83,6 +165,86 @@ class ImprovedMicroTaskAIPipeline {
     return value;
   }
 
+  private addAuditEntry(
+    context: AnalysisContext | null, 
+    phase: string, 
+    action: string, 
+    input: any, 
+    output: any, 
+    confidence: number, 
+    startTime: number, 
+    metadata: Record<string, any> = {}
+  ): void {
+    if (!this.auditConfig.enabled) return;
+    
+    const auditEntry: AuditEntry = {
+      timestamp: Date.now(),
+      phase,
+      action, 
+      input: this.auditConfig.detailLevel === 'verbose' ? input : this.summarizeForAudit(input),
+      output: this.auditConfig.detailLevel === 'verbose' ? output : this.summarizeForAudit(output),
+      confidence,
+      processingTimeMs: Date.now() - startTime,
+      metadata
+    };
+    
+    if (context) {
+      context.auditTrail.push(auditEntry);
+    } else {
+      this.tempAuditEntries.push(auditEntry);
+    }
+    
+    console.log(`[AUDIT] ${phase}/${action}: ${confidence}% confidence, ${Date.now() - startTime}ms`);
+  }
+  
+  private mergeTemporaryAuditEntries(context: AnalysisContext): void {
+    if (!this.auditConfig.enabled || this.tempAuditEntries.length === 0) return;
+    
+    const entryCount = this.tempAuditEntries.length;
+    context.auditTrail.unshift(...this.tempAuditEntries);
+    this.tempAuditEntries = []; 
+    
+    console.log(`[AUDIT] Merged ${entryCount} temporary audit entries into context`);
+  }
+
+  private summarizeForAudit(data: any): any {
+    if (this.auditConfig.detailLevel === 'minimal') {
+      if (typeof data === 'string' && data.length > 100) {
+        return data.slice(0, 100) + '...[truncated]';
+      }
+      if (Array.isArray(data) && data.length > 3) {
+        return [...data.slice(0, 3), `...[${data.length - 3} more items]`];
+      }
+    } else if (this.auditConfig.detailLevel === 'standard') {
+      if (typeof data === 'string' && data.length > 500) {
+        return data.slice(0, 500) + '...[truncated]';
+      }
+      if (Array.isArray(data) && data.length > 10) {
+        return [...data.slice(0, 10), `...[${data.length - 10} more items]`];
+      }
+    }
+    return data;
+  }
+
+  private calculateSelectionConfidence(result: any, candidateCount: number): number {
+    if (!result || !result.selectedTools) return 30;
+    
+    const selectionRatio = result.selectedTools.length / candidateCount;
+    const hasReasoning = result.reasoning && result.reasoning.length > 50;
+    
+    let confidence = 60; 
+    
+    if (selectionRatio > 0.05 && selectionRatio < 0.3) confidence += 20;
+    else if (selectionRatio <= 0.05) confidence -= 10; 
+    else confidence -= 15; 
+    
+    if (hasReasoning) confidence += 15;
+    
+    if (result.selectedConcepts && result.selectedConcepts.length > 0) confidence += 5;
+    
+    return Math.min(95, Math.max(25, confidence));
+  }
+
   private estimateTokens(text: string): number {
     return Math.ceil(text.length / 4); 
   }
@@ -101,26 +263,106 @@ class ImprovedMicroTaskAIPipeline {
 
   private safeParseJSON(jsonString: string, fallback: any = null): any {
     try {
-      const cleaned = jsonString
+      let cleaned = jsonString
         .replace(/^```json\s*/i, '')
         .replace(/\s*```\s*$/g, '')
         .trim();
       
+      if (!cleaned.endsWith('}') && !cleaned.endsWith(']')) {
+        console.warn('[AI PIPELINE] JSON appears truncated, attempting recovery...');
+        
+        let lastCompleteStructure = '';
+        let braceCount = 0;
+        let bracketCount = 0;
+        let inString = false;
+        let escaped = false;
+        
+        for (let i = 0; i < cleaned.length; i++) {
+          const char = cleaned[i];
+          
+          if (escaped) {
+            escaped = false;
+            continue;
+          }
+          
+          if (char === '\\') {
+            escaped = true;
+            continue;
+          }
+          
+          if (char === '"' && !escaped) {
+            inString = !inString;
+            continue;
+          }
+          
+          if (!inString) {
+            if (char === '{') braceCount++;
+            if (char === '}') braceCount--;
+            if (char === '[') bracketCount++;
+            if (char === ']') bracketCount--;
+            
+            if (braceCount === 0 && bracketCount === 0 && (char === '}' || char === ']')) {
+              lastCompleteStructure = cleaned.substring(0, i + 1);
+            }
+          }
+        }
+        
+        if (lastCompleteStructure) {
+          console.log('[AI PIPELINE] Attempting to parse recovered JSON structure...');
+          cleaned = lastCompleteStructure;
+        } else {
+          if (braceCount > 0) {
+            cleaned += '}';
+            console.log('[AI PIPELINE] Added closing brace to truncated JSON');
+          }
+          if (bracketCount > 0) {
+            cleaned += ']';
+            console.log('[AI PIPELINE] Added closing bracket to truncated JSON');
+          }
+        }
+      }
+      
       const parsed = JSON.parse(cleaned);
+      
+      if (parsed && typeof parsed === 'object') {
+        if (parsed.selectedTools === undefined) parsed.selectedTools = [];
+        if (parsed.selectedConcepts === undefined) parsed.selectedConcepts = [];
+        
+        if (!Array.isArray(parsed.selectedTools)) parsed.selectedTools = [];
+        if (!Array.isArray(parsed.selectedConcepts)) parsed.selectedConcepts = [];
+      }
+      
       return parsed;
     } catch (error) {
       console.warn('[AI PIPELINE] JSON parsing failed:', error.message);
-      console.warn('[AI PIPELINE] Raw content:', jsonString.slice(0, 200));
+      console.warn('[AI PIPELINE] Raw content (first 300 chars):', jsonString.slice(0, 300));
+      console.warn('[AI PIPELINE] Raw content (last 300 chars):', jsonString.slice(-300));
+      
+      if (jsonString.includes('selectedTools')) {
+        const toolMatches = jsonString.match(/"([^"]+)"/g);
+        if (toolMatches && toolMatches.length > 0) {
+          console.log('[AI PIPELINE] Attempting partial recovery from broken JSON...');
+          const possibleTools = toolMatches
+            .map(match => match.replace(/"/g, ''))
+            .filter(name => name.length > 2 && !['selectedTools', 'selectedConcepts', 'reasoning'].includes(name))
+            .slice(0, 15); 
+          
+          if (possibleTools.length > 0) {
+            console.log(`[AI PIPELINE] Recovered ${possibleTools.length} possible tool names from broken JSON`);
+            return {
+              selectedTools: possibleTools,
+              selectedConcepts: [],
+              reasoning: 'Recovered from truncated response'
+            };
+          }
+        }
+      }
+      
       return fallback;
     }
   }
 
-  private addToolToSelection(context: AnalysisContext, tool: any, phase: string, priority: string, justification?: string): boolean {
-    if (context.seenToolNames.has(tool.name)) {
-      console.log(`[AI PIPELINE] Skipping duplicate tool: ${tool.name}`);
-      return false;
-    }
-    
+  private addToolToSelection(context: AnalysisContext, tool: any, phase: string, priority: string, justification?: string, taskRelevance?: number, limitations?: string[]): boolean {   
     context.seenToolNames.add(tool.name);
     if (!context.selectedTools) context.selectedTools = [];
     
@@ -128,55 +370,112 @@ class ImprovedMicroTaskAIPipeline {
       tool,
       phase,
       priority,
-      justification
+      justification,
+      taskRelevance,
+      limitations
     });
     
     return true;
   }
 
-  private async getIntelligentCandidates(userQuery: string, toolsData: any, mode: string) {
+  private async getIntelligentCandidates(userQuery: string, toolsData: any, mode: string, context: AnalysisContext) {
     let candidateTools: any[] = [];
     let candidateConcepts: any[] = [];
     let selectionMethod = 'unknown';
     
+    context.embeddingsSimilarities = new Map<string, number>();
+    
+    if (process.env.AI_EMBEDDINGS_ENABLED === 'true') {
+      try {
+        console.log('[AI PIPELINE] Waiting for embeddings initialization...');
+        await embeddingsService.waitForInitialization();
+        console.log('[AI PIPELINE] Embeddings ready, proceeding with similarity search');
+      } catch (error) {
+        console.error('[AI PIPELINE] Embeddings initialization failed, falling back to full dataset:', error);
+      }
+    }
+    
     if (embeddingsService.isEnabled()) {
+      const embeddingsStart = Date.now();
       const similarItems = await embeddingsService.findSimilar(
         userQuery, 
         this.embeddingCandidates, 
         this.similarityThreshold
-      );
+      ) as SimilarityResult[];
       
-      const toolNames = new Set<string>();
-      const conceptNames = new Set<string>();
+      console.log(`[AI PIPELINE] Embeddings found ${similarItems.length} similar items`);
       
       similarItems.forEach(item => {
-        if (item.type === 'tool') toolNames.add(item.name);
-        if (item.type === 'concept') conceptNames.add(item.name);
+        context.embeddingsSimilarities.set(item.name, item.similarity);
       });
       
-      console.log(`[IMPROVED PIPELINE] Embeddings found: ${toolNames.size} tools, ${conceptNames.size} concepts`);
+      const toolsMap = new Map<string, any>(toolsData.tools.map((tool: any) => [tool.name, tool]));
+      const conceptsMap = new Map<string, any>(toolsData.concepts.map((concept: any) => [concept.name, concept]));
       
-      if (toolNames.size >= 15) {
-        candidateTools = toolsData.tools.filter((tool: any) => toolNames.has(tool.name));
-        candidateConcepts = toolsData.concepts.filter((concept: any) => conceptNames.has(concept.name));
+      const similarTools = similarItems
+        .filter((item): item is SimilarityResult => item.type === 'tool')
+        .map(item => toolsMap.get(item.name))
+        .filter((tool): tool is any => tool !== undefined);
+      
+      const similarConcepts = similarItems
+        .filter((item): item is SimilarityResult => item.type === 'concept')
+        .map(item => conceptsMap.get(item.name))
+        .filter((concept): concept is any => concept !== undefined);
+      
+      console.log(`[AI PIPELINE] Similarity-ordered results: ${similarTools.length} tools, ${similarConcepts.length} concepts`);
+      
+      const totalAvailableTools = toolsData.tools.length;
+      const reductionRatio = similarTools.length / totalAvailableTools;
+      
+      if (similarTools.length >= this.embeddingsMinTools && reductionRatio <= this.embeddingsMaxReductionRatio) {
+        candidateTools = similarTools;
+        candidateConcepts = similarConcepts;
         selectionMethod = 'embeddings_candidates';
         
-        console.log(`[IMPROVED PIPELINE] Using embeddings candidates: ${candidateTools.length} tools`);
+        console.log(`[AI PIPELINE] Using embeddings filtering: ${totalAvailableTools} → ${similarTools.length} tools (${(reductionRatio * 100).toFixed(1)}% reduction)`);
       } else {
-        console.log(`[IMPROVED PIPELINE] Embeddings insufficient (${toolNames.size} < 15), using full dataset`);
+        if (similarTools.length < this.embeddingsMinTools) {
+          console.log(`[AI PIPELINE] Embeddings found too few tools (${similarTools.length} < ${this.embeddingsMinTools}), using full dataset`);
+        } else {
+          console.log(`[AI PIPELINE] Embeddings didn't filter enough (${(reductionRatio * 100).toFixed(1)}% > ${(this.embeddingsMaxReductionRatio * 100).toFixed(1)}%), using full dataset`);
+        }
         candidateTools = toolsData.tools;
         candidateConcepts = toolsData.concepts;
         selectionMethod = 'full_dataset';
       }
+      
+      if (this.auditConfig.enabled) {
+        this.addAuditEntry(context, 'retrieval', 'embeddings-search', 
+          { query: userQuery, threshold: this.similarityThreshold, candidates: this.embeddingCandidates }, 
+          { 
+            candidatesFound: similarItems.length, 
+            toolsInOrder: similarTools.slice(0, 3).map((t: any) => t.name),
+            conceptsInOrder: similarConcepts.slice(0, 3).map((c: any) => c.name),
+            reductionRatio: reductionRatio,
+            usingEmbeddings: selectionMethod === 'embeddings_candidates',
+            totalAvailable: totalAvailableTools,
+            filtered: similarTools.length,
+            avgSimilarity: similarItems.length > 0 ? similarItems.reduce((sum, item) => sum + item.similarity, 0) / similarItems.length : 0
+          },
+          selectionMethod === 'embeddings_candidates' ? 85 : 60,
+          embeddingsStart,
+          { 
+            selectionMethod, 
+            embeddingsEnabled: true, 
+            reductionAchieved: selectionMethod === 'embeddings_candidates',
+            tokenSavingsExpected: selectionMethod === 'embeddings_candidates'
+          }
+        );
+      }
     } else {
-      console.log(`[IMPROVED PIPELINE] Embeddings disabled, using full dataset`);
+      console.log(`[AI PIPELINE] Embeddings disabled or not ready, using full dataset`);
       candidateTools = toolsData.tools;
       candidateConcepts = toolsData.concepts;
       selectionMethod = 'full_dataset';
     }
 
-    console.log(`[IMPROVED PIPELINE] AI will analyze FULL DATA of ${candidateTools.length} candidate tools`);
-    const finalSelection = await this.aiSelectionWithFullData(userQuery, candidateTools, candidateConcepts, mode, selectionMethod);
+    console.log(`[AI PIPELINE] AI will analyze ${candidateTools.length} candidate tools (method: ${selectionMethod})`);
+    const finalSelection = await this.aiSelectionWithFullData(userQuery, candidateTools, candidateConcepts, mode, selectionMethod, context);
     
     return {
       tools: finalSelection.selectedTools,
@@ -192,12 +491,11 @@ class ImprovedMicroTaskAIPipeline {
     candidateTools: any[], 
     candidateConcepts: any[], 
     mode: string,
-    selectionMethod: string
+    selectionMethod: string,
+    context: AnalysisContext
   ) {
-    const modeInstruction = mode === 'workflow' 
-      ? 'The user wants a COMPREHENSIVE WORKFLOW with multiple tools/methods across different phases. Select 15-25 tools that cover the full investigation lifecycle.'
-      : 'The user wants SPECIFIC TOOLS/METHODS that directly solve their particular problem. Select 3-8 tools that are most relevant and effective.';
-
+    const selectionStart = Date.now();
+    
     const toolsWithFullData = candidateTools.map((tool: any) => ({
       name: tool.name,
       type: tool.type,
@@ -227,69 +525,44 @@ class ImprovedMicroTaskAIPipeline {
       related_software: concept.related_software || []
     }));
 
-    const prompt = `You are a DFIR expert with access to the complete forensics tool database. You need to select the most relevant tools and concepts for this specific query.
+    let toolsToSend: any[];
+    let conceptsToSend: any[];
+    
+    if (selectionMethod === 'embeddings_candidates') {
+      toolsToSend = toolsWithFullData.slice(0, this.embeddingSelectionLimit);
+      conceptsToSend = conceptsWithFullData.slice(0, this.embeddingConceptsLimit);
+      
+      console.log(`[AI PIPELINE] Embeddings enabled: sending top ${toolsToSend.length} similarity-ordered tools`);
+    } else {
+      const maxTools = this.noEmbeddingsToolLimit > 0 ? 
+        Math.min(this.noEmbeddingsToolLimit, candidateTools.length) : 
+        candidateTools.length;
+      
+      const maxConcepts = this.noEmbeddingsConceptLimit > 0 ? 
+        Math.min(this.noEmbeddingsConceptLimit, candidateConcepts.length) : 
+        candidateConcepts.length;
+      
+      toolsToSend = toolsWithFullData.slice(0, maxTools);
+      conceptsToSend = conceptsWithFullData.slice(0, maxConcepts);
+      
+      console.log(`[AI PIPELINE] Embeddings disabled: sending ${toolsToSend.length}/${candidateTools.length} tools (limit: ${this.noEmbeddingsToolLimit || 'none'})`);
+    }
 
-SELECTION METHOD: ${selectionMethod}
-${selectionMethod === 'embeddings_candidates' ? 
-  'These tools were pre-filtered by vector similarity, so they are already relevant. Your job is to select the BEST ones from this relevant set.' :
-  'You have access to the full tool database. Select the most relevant tools for the query.'}
+    const basePrompt = getPrompt('toolSelection', mode, userQuery, selectionMethod, this.maxSelectedItems);
+    const prompt = `${basePrompt}
 
-${modeInstruction}
+VERFÜGBARE TOOLS (mit vollständigen Daten):
+${JSON.stringify(toolsToSend, null, 2)}
 
-USER QUERY: "${userQuery}"
+VERFÜGBARE KONZEPTE (mit vollständigen Daten):
+${JSON.stringify(conceptsToSend, null, 2)}`;
 
-CRITICAL SELECTION PRINCIPLES:
-1. **CONTEXT OVER POPULARITY**: Don't default to "famous" tools like Volatility, Wireshark, or Autopsy just because they're well-known. Choose based on SPECIFIC scenario needs.
+    const estimatedTokens = this.estimateTokens(prompt);
+    console.log(`[AI PIPELINE] Method: ${selectionMethod}, Tools: ${toolsToSend.length}, Estimated tokens: ~${estimatedTokens}`);
 
-2. **METHODOLOGY vs SOFTWARE**: 
-   - For RAPID/URGENT scenarios → Prioritize METHODS and rapid response approaches
-   - For TIME-CRITICAL incidents → Choose triage methods over deep analysis tools
-   - For COMPREHENSIVE analysis → Then consider detailed software tools
-   - METHODS (type: "method") are often better than SOFTWARE for procedural guidance
-
-3. **SCENARIO-SPECIFIC LOGIC**:
-   - "Rapid/Quick/Urgent/Triage" scenarios → Rapid Incident Response and Triage METHOD > Volatility
-   - "Industrial/SCADA/ICS" scenarios → Specialized ICS tools > generic network tools
-   - "Mobile/Android/iOS" scenarios → Mobile-specific tools > desktop forensics tools
-   - "Memory analysis needed urgently" → Quick memory tools/methods > comprehensive Volatility analysis
-
-4. **AVOID TOOL BIAS**:
-   - Volatility is NOT always the answer for memory analysis
-   - Wireshark is NOT always the answer for network analysis  
-   - Autopsy is NOT always the answer for disk analysis
-   - Consider lighter, faster, more appropriate alternatives
-
-AVAILABLE TOOLS (with complete data):
-${JSON.stringify(toolsWithFullData.slice(0, 30), null, 2)}
-
-AVAILABLE CONCEPTS (with complete data):
-${JSON.stringify(conceptsWithFullData.slice(0, 10), null, 2)}
-
-ANALYSIS INSTRUCTIONS:
-1. Read the FULL description of each tool/concept
-2. Consider ALL tags, platforms, related tools, and metadata
-3. **MATCH URGENCY LEVEL**: Rapid scenarios need rapid methods, not deep analysis tools
-4. **MATCH SPECIFICITY**: Specialized scenarios need specialized tools, not generic ones
-5. **CONSIDER TYPE**: Methods provide procedural guidance, software provides technical capability
-6. For SCADA/ICS queries: prioritize specialized ICS tools over generic network tools
-7. For mobile queries: prioritize mobile-specific tools over desktop tools
-8. For rapid/urgent queries: prioritize methodology and triage approaches
-
-BIAS PREVENTION:
-- If query mentions "rapid", "quick", "urgent", "triage" → Strongly favor METHODS over deep analysis SOFTWARE
-- If query mentions specific technologies (SCADA, Android, etc.) → Strongly favor specialized tools
-- Don't recommend Volatility unless deep memory analysis is specifically needed AND time allows
-- Don't recommend generic tools when specialized ones are available
-- Consider the SKILL LEVEL and TIME CONSTRAINTS implied by the query
-
-Select the most relevant items (max ${this.maxSelectedItems} total).
-
-Respond with ONLY this JSON format:
-{
-  "selectedTools": ["Tool Name 1", "Tool Name 2", ...],
-  "selectedConcepts": ["Concept Name 1", "Concept Name 2", ...],
-  "reasoning": "Detailed explanation of why these specific tools were selected for this query, addressing why certain popular tools were NOT selected if they were inappropriate for the scenario context"
-}`;
+    if (estimatedTokens > 35000) {
+      console.warn(`[AI PIPELINE] WARNING: Prompt tokens (${estimatedTokens}) may exceed model limits`);
+    }
 
     try {
       const response = await this.callAI(prompt, 2500);
@@ -297,23 +570,49 @@ Respond with ONLY this JSON format:
       const result = this.safeParseJSON(response, null);
       
       if (!result || !Array.isArray(result.selectedTools) || !Array.isArray(result.selectedConcepts)) {
-        console.error('[IMPROVED PIPELINE] AI selection returned invalid structure:', response.slice(0, 200));
+        console.error('[AI PIPELINE] AI selection returned invalid structure:', response.slice(0, 200));
+        
+        if (this.auditConfig.enabled) {
+          this.addAuditEntry(context, 'selection', 'ai-tool-selection-failed',
+            { candidateCount: candidateTools.length, mode, prompt: prompt.slice(0, 200) },
+            { error: 'Invalid JSON structure', response: response.slice(0, 200) },
+            10,
+            selectionStart,
+            { aiModel: this.config.model, selectionMethod, tokensSent: estimatedTokens, toolsSent: toolsToSend.length }
+          );
+        }
+        
         throw new Error('AI selection failed to return valid tool selection');
       }
 
       const totalSelected = result.selectedTools.length + result.selectedConcepts.length;
       if (totalSelected === 0) {
-        console.error('[IMPROVED PIPELINE] AI selection returned no tools');
+        console.error('[AI PIPELINE] AI selection returned no tools');
         throw new Error('AI selection returned empty selection');
       }
       
-      console.log(`[IMPROVED PIPELINE] AI selected: ${result.selectedTools.length} tools, ${result.selectedConcepts.length} concepts`);
-      console.log(`[IMPROVED PIPELINE] AI reasoning: ${result.reasoning}`);
+      console.log(`[AI PIPELINE] AI selected: ${result.selectedTools.length} tools, ${result.selectedConcepts.length} concepts from ${toolsToSend.length} candidates`);
 
       const selectedTools = candidateTools.filter(tool => result.selectedTools.includes(tool.name));
       const selectedConcepts = candidateConcepts.filter(concept => result.selectedConcepts.includes(concept.name));
       
-      console.log(`[IMPROVED PIPELINE] Final selection: ${selectedTools.length} tools with bias prevention applied`);
+      if (this.auditConfig.enabled) {
+        const confidence = this.calculateSelectionConfidence(result, candidateTools.length);
+        
+        this.addAuditEntry(context, 'selection', 'ai-tool-selection',
+          { candidateCount: candidateTools.length, mode, promptLength: prompt.length },
+          { 
+            selectedToolCount: result.selectedTools.length, 
+            selectedConceptCount: result.selectedConcepts.length,
+            reasoning: result.reasoning?.slice(0, 200) + '...',
+            finalToolNames: selectedTools.map(t => t.name),
+            selectionEfficiency: `${toolsToSend.length} → ${result.selectedTools.length}`
+          },
+          confidence,
+          selectionStart,
+          { aiModel: this.config.model, selectionMethod, promptTokens: estimatedTokens, toolsSent: toolsToSend.length }
+        );
+      }
       
       return {
         selectedTools,
@@ -321,50 +620,26 @@ Respond with ONLY this JSON format:
       };
 
     } catch (error) {
-      console.error('[IMPROVED PIPELINE] AI selection failed:', error);
+      console.error('[AI PIPELINE] AI selection failed:', error);
       
-      console.log('[IMPROVED PIPELINE] Using emergency keyword-based selection');
-      return this.emergencyKeywordSelection(userQuery, candidateTools, candidateConcepts, mode);
+      if (this.auditConfig.enabled) {
+        this.addAuditEntry(context, 'selection', 'ai-tool-selection-error',
+          { candidateCount: candidateTools.length, mode },
+          { error: error.message },
+          5,
+          selectionStart,
+          { aiModel: this.config.model, selectionMethod, tokensSent: estimatedTokens }
+        );
+      }
+      throw error;
     }
   }
 
-  private emergencyKeywordSelection(userQuery: string, candidateTools: any[], candidateConcepts: any[], mode: string) {
-    const queryLower = userQuery.toLowerCase();
-    const keywords = queryLower.split(/\s+/).filter(word => word.length > 3);
-    
-    const scoredTools = candidateTools.map(tool => {
-      const toolText = (
-        tool.name + ' ' + 
-        tool.description + ' ' + 
-        (tool.tags || []).join(' ') + ' ' +
-        (tool.platforms || []).join(' ') + ' ' +
-        (tool.domains || []).join(' ')
-      ).toLowerCase();
-      
-      const score = keywords.reduce((acc, keyword) => {
-        return acc + (toolText.includes(keyword) ? 1 : 0);
-      }, 0);
-      
-      return { tool, score };
-    }).filter(item => item.score > 0)
-      .sort((a, b) => b.score - a.score);
-    
-    const maxTools = mode === 'workflow' ? 20 : 8;
-    const selectedTools = scoredTools.slice(0, maxTools).map(item => item.tool);
-    
-    console.log(`[IMPROVED PIPELINE] Emergency selection: ${selectedTools.length} tools, keywords: ${keywords.slice(0, 5).join(', ')}`);
-    
-    return {
-      selectedTools,
-      selectedConcepts: candidateConcepts.slice(0, 3)
-    };
-  }
-
   private async delay(ms: number): Promise<void> {
     return new Promise(resolve => setTimeout(resolve, ms));
   }
 
-  private async callMicroTaskAI(prompt: string, context: AnalysisContext, maxTokens: number = 300): Promise<MicroTaskResult> {
+  private async callMicroTaskAI(prompt: string, context: AnalysisContext, maxTokens: number = 500): Promise<MicroTaskResult> {
     const startTime = Date.now();
     
     let contextPrompt = prompt;
@@ -382,46 +657,158 @@ Respond with ONLY this JSON format:
     try {
       const response = await this.callAI(contextPrompt, maxTokens);
       
-      return {
+      const result = {
         taskType: 'micro-task',
         content: response.trim(),
         processingTimeMs: Date.now() - startTime,
         success: true
       };
+      
+      this.addAuditEntry(context, 'micro-task', 'ai-analysis',
+        { promptLength: contextPrompt.length, maxTokens },
+        { responseLength: response.length, contentPreview: response.slice(0, 100) },
+        response.length > 50 ? 80 : 60,
+        startTime,
+        { aiModel: this.config.model, contextUsed: context.contextHistory.length > 0 }
+      );
+      
+      return result;
 
     } catch (error) {
-      return {
+      const result = {
         taskType: 'micro-task',
         content: '',
         processingTimeMs: Date.now() - startTime,
         success: false,
         error: error.message
       };
+      
+      this.addAuditEntry(context, 'micro-task', 'ai-analysis-failed',
+        { promptLength: contextPrompt.length, maxTokens },
+        { error: error.message },
+        5,
+        startTime,
+        { aiModel: this.config.model, contextUsed: context.contextHistory.length > 0 }
+      );
+      
+      return result;
     }
   }
 
+  private calculateRecommendationConfidence(
+    tool: any, 
+    context: AnalysisContext,
+    taskRelevance: number = 70,
+    limitations: string[] = []
+  ): ConfidenceMetrics {
+    
+    const rawSemanticRelevance = context.embeddingsSimilarities.has(tool.name) ? 
+      context.embeddingsSimilarities.get(tool.name)! * 100 : 50;
+    
+    let enhancedTaskSuitability = taskRelevance;
+    
+    if (context.mode === 'workflow') {
+      const toolSelection = context.selectedTools?.find(st => st.tool.name === tool.name);
+      if (toolSelection && tool.phases && tool.phases.includes(toolSelection.phase)) {
+        const phaseBonus = Math.min(15, 100 - taskRelevance);
+        enhancedTaskSuitability = Math.min(100, taskRelevance + phaseBonus);
+        
+        console.log(`[CONFIDENCE] Phase bonus for ${tool.name}: ${taskRelevance} -> ${enhancedTaskSuitability} (phase: ${toolSelection.phase})`);
+      }
+    }
+    
+    const overall = (
+      rawSemanticRelevance * this.confidenceConfig.semanticWeight +
+      enhancedTaskSuitability * this.confidenceConfig.suitabilityWeight
+    );
+
+    const uncertaintyFactors = this.identifySpecificUncertaintyFactors(tool, context, limitations, overall);
+    const strengthIndicators = this.identifySpecificStrengthIndicators(tool, context, overall);
+
+    console.log(`[CONFIDENCE DEBUG] ${tool.name}:`, {
+      rawSemantic: Math.round(rawSemanticRelevance),
+      rawTaskSuitability: taskRelevance,
+      enhancedTaskSuitability: Math.round(enhancedTaskSuitability),
+      overall: Math.round(overall),
+      mode: context.mode
+    });
+
+    return {
+      overall: Math.round(overall),
+      semanticRelevance: Math.round(rawSemanticRelevance),
+      taskSuitability: Math.round(enhancedTaskSuitability), 
+      uncertaintyFactors,
+      strengthIndicators
+    };
+  }
+
+  private identifySpecificUncertaintyFactors(tool: any, context: AnalysisContext, limitations: string[], confidence: number): string[] {
+    const factors: string[] = [];
+    
+    if (limitations && limitations.length > 0) {
+      factors.push(...limitations.slice(0, 2));
+    }
+    
+    const similarity = context.embeddingsSimilarities.get(tool.name) || 0.5;
+    if (similarity < 0.7) {
+      factors.push('Geringe semantische Ähnlichkeit zur Anfrage - Tool-Beschreibung passt möglicherweise nicht optimal');
+    }
+    
+    if (tool.skillLevel === 'expert' && /schnell|rapid|triage|urgent|sofort/i.test(context.userQuery)) {
+      factors.push('Experten-Tool für zeitkritisches Szenario - Setup und Einarbeitung könnten zu lange dauern');
+    }
+    
+    if (tool.skillLevel === 'novice' && /komplex|erweitert|tiefgehend|advanced|forensisch/i.test(context.userQuery)) {
+      factors.push('Einsteiger-Tool für komplexe Analyse - könnte funktionale Limitierungen haben');
+    }
+    
+    if (tool.type === 'software' && !isToolHosted(tool) && tool.accessType === 'download') {
+      factors.push('Installation und Setup erforderlich');
+    }
+    
+    if (tool.license === 'Proprietary') {
+      factors.push('Kommerzielle Software - Lizenzkosten und rechtliche Beschränkungen zu beachten');
+    }
+    
+    if (confidence < 60) {
+      factors.push('Moderate Gesamtbewertung - alternative Ansätze sollten ebenfalls betrachtet werden');
+    }
+    
+    return factors.slice(0, 4);
+  }
+
+  private identifySpecificStrengthIndicators(tool: any, context: AnalysisContext, confidence: number): string[] {
+    const indicators: string[] = [];
+    
+    const similarity = context.embeddingsSimilarities.get(tool.name) || 0.5;
+    if (similarity >= 0.7) {
+      indicators.push('Sehr gute semantische Übereinstimmung mit Ihrer Anfrage');
+    }
+    
+    if (tool.knowledgebase === true) {
+      indicators.push('Umfassende Dokumentation und Wissensbasis verfügbar');
+    }
+    
+    if (isToolHosted(tool)) {
+      indicators.push('Sofort verfügbar über gehostete Lösung - kein Setup erforderlich');
+    }
+    
+    if (tool.skillLevel === 'intermediate' || tool.skillLevel === 'advanced') {
+      indicators.push('Ausgewogenes Verhältnis zwischen Funktionalität und Benutzerfreundlichkeit');
+    }
+    
+    if (tool.type === 'method' && /methodik|vorgehen|prozess|ansatz/i.test(context.userQuery)) {
+      indicators.push('Methodischer Ansatz passt zu Ihrer prozeduralen Anfrage');
+    }
+    
+    return indicators.slice(0, 4); 
+  }
+
   private async analyzeScenario(context: AnalysisContext): Promise<MicroTaskResult> {
     const isWorkflow = context.mode === 'workflow';
-    
-    const prompt = `Sie sind ein erfahrener DFIR-Experte. Analysieren Sie das folgende ${isWorkflow ? 'forensische Szenario' : 'technische Problem'}.
+    const prompt = getPrompt('scenarioAnalysis', isWorkflow, context.userQuery);
 
-${isWorkflow ? 'FORENSISCHES SZENARIO' : 'TECHNISCHES PROBLEM'}: "${context.userQuery}"
-
-Führen Sie eine systematische ${isWorkflow ? 'Szenario-Analyse' : 'Problem-Analyse'} durch und berücksichtigen Sie dabei:
-
-${isWorkflow ? 
-  `- Angriffsvektoren und Bedrohungsmodellierung nach MITRE ATT&CK
-- Betroffene Systeme und kritische Infrastrukturen
-- Zeitkritische Faktoren und Beweiserhaltung
-- Forensische Artefakte und Datenquellen` :
-  `- Spezifische forensische Herausforderungen
-- Verfügbare Datenquellen und deren Integrität
-- Methodische Anforderungen für rechtssichere Analyse`
-}
-
-WICHTIG: Antworten Sie NUR in fließendem deutschen Text ohne Listen, Aufzählungen oder Markdown-Formatierung. Maximum 150 Wörter.`;
-
-    const result = await this.callMicroTaskAI(prompt, context, 220);
+    const result = await this.callMicroTaskAI(prompt, context, 400);
     
     if (result.success) {
       if (isWorkflow) {
@@ -438,25 +825,9 @@ WICHTIG: Antworten Sie NUR in fließendem deutschen Text ohne Listen, Aufzählun
 
   private async generateApproach(context: AnalysisContext): Promise<MicroTaskResult> {
     const isWorkflow = context.mode === 'workflow';
-    
-    const prompt = `Basierend auf der Analyse entwickeln Sie einen fundierten ${isWorkflow ? 'Untersuchungsansatz' : 'Lösungsansatz'} nach NIST SP 800-86 Methodik.
+    const prompt = getPrompt('investigationApproach', isWorkflow, context.userQuery);
 
-${isWorkflow ? 'SZENARIO' : 'PROBLEM'}: "${context.userQuery}"
-
-Entwickeln Sie einen systematischen ${isWorkflow ? 'Untersuchungsansatz' : 'Lösungsansatz'} unter Berücksichtigung von:
-
-${isWorkflow ?
-  `- Triage-Prioritäten nach forensischer Dringlichkeit
-- Phasenabfolge nach NIST-Methodik
-- Kontaminationsvermeidung und forensische Isolierung` :
-  `- Methodik-Auswahl nach wissenschaftlichen Kriterien
-- Validierung und Verifizierung der gewählten Ansätze
-- Integration in bestehende forensische Workflows`
-}
-
-WICHTIG: Antworten Sie NUR in fließendem deutschen Text ohne Listen oder Markdown. Maximum 150 Wörter.`;
-
-    const result = await this.callMicroTaskAI(prompt, context, 220);
+    const result = await this.callMicroTaskAI(prompt, context, 400);
     
     if (result.success) {
       context.investigationApproach = result.content;
@@ -468,27 +839,9 @@ WICHTIG: Antworten Sie NUR in fließendem deutschen Text ohne Listen oder Markdo
 
   private async generateCriticalConsiderations(context: AnalysisContext): Promise<MicroTaskResult> {
     const isWorkflow = context.mode === 'workflow';
-    
-    const prompt = `Identifizieren Sie ${isWorkflow ? 'kritische forensische Überlegungen' : 'wichtige methodische Voraussetzungen'} für diesen Fall.
+    const prompt = getPrompt('criticalConsiderations', isWorkflow, context.userQuery);
 
-${isWorkflow ? 'SZENARIO' : 'PROBLEM'}: "${context.userQuery}"
-
-Berücksichtigen Sie folgende forensische Aspekte:
-
-${isWorkflow ?
-  `- Time-sensitive evidence preservation
-- Chain of custody requirements und rechtliche Verwertbarkeit
-- Incident containment vs. evidence preservation Dilemma
-- Privacy- und Compliance-Anforderungen` :
-  `- Tool-Validierung und Nachvollziehbarkeit
-- False positive/negative Risiken bei der gewählten Methodik
-- Qualifikationsanforderungen für die Durchführung
-- Dokumentations- und Reporting-Standards`
-}
-
-WICHTIG: Antworten Sie NUR in fließendem deutschen Text ohne Listen oder Markdown. Maximum 120 Wörter.`;
-
-    const result = await this.callMicroTaskAI(prompt, context, 180);
+    const result = await this.callMicroTaskAI(prompt, context, 350);
     
     if (result.success) {
       context.criticalConsiderations = result.content;
@@ -512,29 +865,9 @@ WICHTIG: Antworten Sie NUR in fließendem deutschen Text ohne Listen oder Markdo
       };
     }
 
-    const prompt = `Wählen Sie 2-3 Methoden/Tools für die Phase "${phase.name}" basierend auf objektiven, fallbezogenen Kriterien.
+    const prompt = getPrompt('phaseToolSelection', context.userQuery, phase, phaseTools);
 
-SZENARIO: "${context.userQuery}"
-
-VERFÜGBARE TOOLS FÜR ${phase.name.toUpperCase()}:
-${phaseTools.map((tool: any) => `- ${tool.name}: ${tool.description.slice(0, 100)}...`).join('\n')}
-
-Wählen Sie Methoden/Tools nach forensischen Kriterien aus:
-- Court admissibility und Chain of Custody Kompatibilität  
-- Integration in forensische Standard-Workflows
-- Reproduzierbarkeit und Dokumentationsqualität
-- Objektivität
-
-Antworten Sie AUSSCHLIESSLICH mit diesem JSON-Format (kein zusätzlicher Text):
-[
-  {
-    "toolName": "Exakter Methoden/Tool-Name",
-    "priority": "high|medium|low", 
-    "justification": "Objektive Begründung warum diese Methode/Tool für das spezifische Szenario besser geeignet ist"
-  }
-]`;
-
-    const result = await this.callMicroTaskAI(prompt, context, 450);
+    const result = await this.callMicroTaskAI(prompt, context, 1000);
     
     if (result.success) {
       const selections = this.safeParseJSON(result.content, []);
@@ -547,9 +880,29 @@ Antworten Sie AUSSCHLIESSLICH mit diesem JSON-Format (kein zusätzlicher Text):
         validSelections.forEach((sel: any) => {
           const tool = phaseTools.find((t: any) => t.name === sel.toolName);
           if (tool) {
-            this.addToolToSelection(context, tool, phase.id, sel.priority, sel.justification);
+            const taskRelevance = typeof sel.taskRelevance === 'number' ? 
+              sel.taskRelevance : parseInt(String(sel.taskRelevance)) || 70;
+            
+            const priority = this.derivePriorityFromScore(taskRelevance);
+            
+            this.addToolToSelection(context, tool, phase.id, priority, sel.justification, taskRelevance, sel.limitations);
           }
         });
+        
+        this.addAuditEntry(context, 'micro-task', 'phase-tool-selection',
+          { phase: phase.id, availableTools: phaseTools.length },
+          { 
+            validSelections: validSelections.length, 
+            selectedTools: validSelections.map(s => ({ 
+              name: s.toolName, 
+              taskRelevance: s.taskRelevance, 
+              derivedPriority: this.derivePriorityFromScore(s.taskRelevance) 
+            }))
+          },
+          validSelections.length > 0 ? 75 : 30,
+          Date.now() - result.processingTimeMs,
+          { phaseName: phase.name, comparativeEvaluation: true, priorityDerived: true }
+        );
       }
     }
     
@@ -557,34 +910,20 @@ Antworten Sie AUSSCHLIESSLICH mit diesem JSON-Format (kein zusätzlicher Text):
   }
 
   private async evaluateSpecificTool(context: AnalysisContext, tool: any, rank: number): Promise<MicroTaskResult> {
-    const prompt = `Bewerten Sie diese Methode/Tool fallbezogen für das spezifische Problem nach forensischen Qualitätskriterien.
+    const existingSelection = context.selectedTools?.find(st => st.tool.name === tool.name);
+    const taskRelevance = existingSelection?.taskRelevance || 70;
+    const priority = this.derivePriorityFromScore(taskRelevance);
+    
+    const prompt = getPrompt('toolEvaluation', context.userQuery, tool, rank, taskRelevance);
 
-PROBLEM: "${context.userQuery}"
-
-TOOL: ${tool.name}
-BESCHREIBUNG: ${tool.description}
-PLATTFORMEN: ${tool.platforms?.join(', ') || 'N/A'}
-SKILL LEVEL: ${tool.skillLevel}
-
-Bewerten Sie nach forensischen Standards und antworten Sie AUSSCHLIESSLICH mit diesem JSON-Format:
-{
-  "suitability_score": "high|medium|low",
-  "detailed_explanation": "Detaillierte forensische Begründung warum diese Methode/Tool das Problem löst",
-  "implementation_approach": "Konkrete methodische Schritte zur korrekten Anwendung für dieses spezifische Problem",
-  "pros": ["Forensischer Vorteil 1", "Validierter Vorteil 2"],
-  "cons": ["Methodische Limitation 1", "Potenzielle Schwäche 2"],
-  "alternatives": "Alternative Ansätze falls diese Methode/Tool nicht optimal ist"
-}`;
-
-    const result = await this.callMicroTaskAI(prompt, context, 650);
+    const result = await this.callMicroTaskAI(prompt, context, 1000);
     
     if (result.success) {
       const evaluation = this.safeParseJSON(result.content, {
-        suitability_score: 'medium',
         detailed_explanation: 'Evaluation failed',
         implementation_approach: '',
         pros: [],
-        cons: [],
+        limitations: [], 
         alternatives: ''
       });
       
@@ -592,9 +931,25 @@ Bewerten Sie nach forensischen Standards und antworten Sie AUSSCHLIESSLICH mit d
         ...tool,
         evaluation: {
           ...evaluation,
-          rank
+          rank,
+          task_relevance: taskRelevance
         }
-      }, 'evaluation', evaluation.suitability_score);
+      }, 'evaluation', priority, evaluation.detailed_explanation, 
+      taskRelevance, evaluation.limitations); 
+      
+      this.addAuditEntry(context, 'micro-task', 'tool-evaluation',
+        { toolName: tool.name, rank, existingTaskRelevance: taskRelevance, derivedPriority: priority },
+        { 
+          hasExplanation: !!evaluation.detailed_explanation,
+          hasImplementationApproach: !!evaluation.implementation_approach,
+          prosCount: evaluation.pros?.length || 0,
+          limitationsCount: evaluation.limitations?.length || 0,
+          hasLimitations: Array.isArray(evaluation.limitations) && evaluation.limitations.length > 0
+        },
+        70,
+        Date.now() - result.processingTimeMs,
+        { toolType: tool.type, explanationOnly: true, priorityDerived: true, limitationsExtracted: true }
+      );
     }
     
     return result;
@@ -613,26 +968,9 @@ Bewerten Sie nach forensischen Standards und antworten Sie AUSSCHLIESSLICH mit d
     }
 
     const selectedToolNames = context.selectedTools?.map(st => st.tool.name) || [];
-    
-    const prompt = `Wählen Sie relevante forensische Konzepte für das Verständnis der empfohlenen Methodik.
+    const prompt = getPrompt('backgroundKnowledgeSelection', context.userQuery, context.mode, selectedToolNames, availableConcepts);
 
-${context.mode === 'workflow' ? 'SZENARIO' : 'PROBLEM'}: "${context.userQuery}"
-EMPFOHLENE TOOLS: ${selectedToolNames.join(', ')}
-
-VERFÜGBARE KONZEPTE:
-${availableConcepts.slice(0, 15).map((concept: any) => `- ${concept.name}: ${concept.description.slice(0, 80)}...`).join('\n')}
-
-Wählen Sie 2-4 Konzepte aus, die für das Verständnis der forensischen Methodik essentiell sind.
-
-Antworten Sie AUSSCHLIESSLICH mit diesem JSON-Format:
-[
-  {
-    "conceptName": "Exakter Konzept-Name",
-    "relevance": "Forensische Relevanz: Warum dieses Konzept für das Verständnis der Methodik kritisch ist"
-  }
-]`;
-
-    const result = await this.callMicroTaskAI(prompt, context, 400);
+    const result = await this.callMicroTaskAI(prompt, context, 700);
     
     if (result.success) {
       const selections = this.safeParseJSON(result.content, []);
@@ -644,6 +982,14 @@ Antworten Sie AUSSCHLIESSLICH mit diesem JSON-Format:
           concept: availableConcepts.find((c: any) => c.name === sel.conceptName),
           relevance: sel.relevance
         }));
+        
+        this.addAuditEntry(context, 'micro-task', 'background-knowledge-selection',
+          { availableConcepts: availableConcepts.length },
+          { selectedConcepts: context.backgroundKnowledge?.length || 0 },
+          context.backgroundKnowledge && context.backgroundKnowledge.length > 0 ? 75 : 40,
+          Date.now() - result.processingTimeMs,
+          {}
+        );
       }
     }
     
@@ -651,152 +997,183 @@ Antworten Sie AUSSCHLIESSLICH mit diesem JSON-Format:
   }
 
   private async generateFinalRecommendations(context: AnalysisContext): Promise<MicroTaskResult> {
-    const isWorkflow = context.mode === 'workflow';
-    
-    const prompt = isWorkflow ? 
-      `Erstellen Sie eine forensisch fundierte Workflow-Empfehlung basierend auf DFIR-Prinzipien.
+    const selectedToolNames = context.selectedTools?.map(st => st.tool.name) || [];
+    const prompt = getPrompt('finalRecommendations', context.mode === 'workflow', context.userQuery, selectedToolNames);
 
-SZENARIO: "${context.userQuery}"
-AUSGEWÄHLTE TOOLS: ${context.selectedTools?.map(st => st.tool.name).join(', ') || 'Keine Tools ausgewählt'}
-
-Erstellen Sie konkrete methodische Workflow-Schritte für dieses spezifische Szenario unter Berücksichtigung forensischer Best Practices, Objektivität und rechtlicher Verwertbarkeit.
-
-WICHTIG: Antworten Sie NUR in fließendem deutschen Text ohne Listen oder Markdown. Maximum 120 Wörter.` :
-      
-      `Erstellen Sie wichtige methodische Überlegungen für die korrekte Methoden-/Tool-Anwendung.
-
-PROBLEM: "${context.userQuery}"
-EMPFOHLENE TOOLS: ${context.selectedTools?.map(st => st.tool.name).join(', ') || 'Keine Methoden/Tools ausgewählt'}
-
-Geben Sie kritische methodische Überlegungen, Validierungsanforderungen und Qualitätssicherungsmaßnahmen für die korrekte Anwendung der empfohlenen Methoden/Tools.
-
-WICHTIG: Antworten Sie NUR in fließendem deutschen Text ohne Listen oder Markdown. Maximum 100 Wörter.`;
-
-    const result = await this.callMicroTaskAI(prompt, context, 180);
+    const result = await this.callMicroTaskAI(prompt, context, 350);
     return result;
   }
 
-  private async callAI(prompt: string, maxTokens: number = 1000): Promise<string> {
-    const response = await fetch(`${this.config.endpoint}/v1/chat/completions`, {
-      method: 'POST',
-      headers: {
-        'Content-Type': 'application/json',
-        'Authorization': `Bearer ${this.config.apiKey}`
-      },
-      body: JSON.stringify({
-        model: this.config.model,
-        messages: [{ role: 'user', content: prompt }],
-        max_tokens: maxTokens,
-        temperature: 0.3
-      })
-    });
-
-    if (!response.ok) {
-      const errorText = await response.text();
-      throw new Error(`AI API error: ${response.status} - ${errorText}`);
-    }
-
-    const data = await response.json();
-    const content = data.choices?.[0]?.message?.content;
+  private async callAI(prompt: string, maxTokens: number = 1500): Promise<string> {
+    const endpoint = this.config.endpoint;
+    const apiKey = this.config.apiKey;
+    const model = this.config.model;
     
-    if (!content) {
-      throw new Error('No response from AI model');
+    let headers: Record<string, string> = {
+      'Content-Type': 'application/json'
+    };
+    
+    if (apiKey) {
+      headers['Authorization'] = `Bearer ${apiKey}`;
+      console.log('[AI PIPELINE] Using API key authentication');
+    } else {
+      console.log('[AI PIPELINE] No API key - making request without authentication');
     }
+    
+    const requestBody = {
+      model,
+      messages: [{ role: 'user', content: prompt }],
+      max_tokens: maxTokens,
+      temperature: 0.3
+    };
+    
+    try {
+      const response = await fetch(`${endpoint}/v1/chat/completions`, {
+        method: 'POST',
+        headers,
+        body: JSON.stringify(requestBody)
+      });
 
-    return content;
+      if (!response.ok) {
+        const errorText = await response.text();
+        console.error(`[AI PIPELINE] AI API Error ${response.status}:`, errorText);
+        throw new Error(`AI API error: ${response.status} - ${errorText}`);
+      }
+
+      const data = await response.json();
+      const content = data.choices?.[0]?.message?.content;
+      
+      if (!content) {
+        console.error('[AI PIPELINE] No response content:', data);
+        throw new Error('No response from AI model');
+      }
+
+      return content;
+      
+    } catch (error) {
+      console.error('[AI PIPELINE] AI service call failed:', error.message);
+      throw error;
+    }
+  }
+
+  private derivePriorityFromScore(taskRelevance: number): string {
+    if (taskRelevance >= 80) return 'high';
+    if (taskRelevance >= 60) return 'medium';
+    return 'low';
   }
 
   async processQuery(userQuery: string, mode: string): Promise<AnalysisResult> {
     const startTime = Date.now();
-    let completedTasks = 0;
+    let completeTasks = 0;
     let failedTasks = 0;
     
-    console.log(`[IMPROVED PIPELINE] Starting ${mode} query processing with context continuity`);
+    this.tempAuditEntries = [];
+    
+    console.log(`[AI PIPELINE] Starting ${mode} query processing with enhanced confidence scoring`);
 
     try {
-      // Stage 1: Get intelligent candidates (embeddings + AI selection)
       const toolsData = await getCompressedToolsDataForAI();
-      const filteredData = await this.getIntelligentCandidates(userQuery, toolsData, mode);
       
       const context: AnalysisContext = {
         userQuery,
         mode,
-        filteredData,
+        filteredData: {},
         contextHistory: [],
         maxContextLength: this.maxContextTokens,
         currentContextLength: 0,
-        seenToolNames: new Set<string>()
+        seenToolNames: new Set<string>(),
+        auditTrail: [],
+        embeddingsSimilarities: new Map<string, number>()
       };
 
-      console.log(`[IMPROVED PIPELINE] Starting micro-tasks with ${filteredData.tools.length} tools visible`);
-
-      // MICRO-TASK SEQUENCE
+      const filteredData = await this.getIntelligentCandidates(userQuery, toolsData, mode, context);
+      context.filteredData = filteredData;
       
-      // Task 1: Scenario/Problem Analysis
+      this.mergeTemporaryAuditEntries(context);
+
+      console.log(`[AI PIPELINE] Starting micro-tasks with ${filteredData.tools.length} tools visible`);
+
+      this.addAuditEntry(context, 'initialization', 'pipeline-start',
+        { userQuery, mode, toolsDataLoaded: !!toolsData },
+        { candidateTools: filteredData.tools.length, candidateConcepts: filteredData.concepts.length },
+        90, 
+        startTime,
+        { auditEnabled: this.auditConfig.enabled, confidenceScoringEnabled: true }
+      );
+   
       const analysisResult = await this.analyzeScenario(context);
-      if (analysisResult.success) completedTasks++; else failedTasks++;
+      if (analysisResult.success) completeTasks++; else failedTasks++;
       await this.delay(this.microTaskDelay);
 
-      // Task 2: Investigation/Solution Approach
       const approachResult = await this.generateApproach(context);
-      if (approachResult.success) completedTasks++; else failedTasks++;
+      if (approachResult.success) completeTasks++; else failedTasks++;
       await this.delay(this.microTaskDelay);
 
-      // Task 3: Critical Considerations
       const considerationsResult = await this.generateCriticalConsiderations(context);
-      if (considerationsResult.success) completedTasks++; else failedTasks++;
+      if (considerationsResult.success) completeTasks++; else failedTasks++;
       await this.delay(this.microTaskDelay);
 
-      // Task 4: Tool Selection/Evaluation (mode-dependent)
       if (mode === 'workflow') {
         const phases = toolsData.phases || [];
         for (const phase of phases) {
           const toolSelectionResult = await this.selectToolsForPhase(context, phase);
-          if (toolSelectionResult.success) completedTasks++; else failedTasks++;
+          if (toolSelectionResult.success) completeTasks++; else failedTasks++;
           await this.delay(this.microTaskDelay);
         }
       } else {
         const topTools = filteredData.tools.slice(0, 3);
         for (let i = 0; i < topTools.length; i++) {
           const evaluationResult = await this.evaluateSpecificTool(context, topTools[i], i + 1);
-          if (evaluationResult.success) completedTasks++; else failedTasks++;
+          if (evaluationResult.success) completeTasks++; else failedTasks++;
           await this.delay(this.microTaskDelay);
         }
       }
 
-      // Task 5: Background Knowledge Selection
       const knowledgeResult = await this.selectBackgroundKnowledge(context);
-      if (knowledgeResult.success) completedTasks++; else failedTasks++;
+      if (knowledgeResult.success) completeTasks++; else failedTasks++;
       await this.delay(this.microTaskDelay);
 
-      // Task 6: Final Recommendations
       const finalResult = await this.generateFinalRecommendations(context);
-      if (finalResult.success) completedTasks++; else failedTasks++;
+      if (finalResult.success) completeTasks++; else failedTasks++;
 
-      // Build final recommendation
       const recommendation = this.buildRecommendation(context, mode, finalResult.content);
 
+      this.addAuditEntry(context, 'completion', 'pipeline-end',
+        { completedTasks: completeTasks, failedTasks },
+        { finalRecommendation: !!recommendation, auditEntriesGenerated: context.auditTrail.length },
+        completeTasks > failedTasks ? 85 : 60,
+        startTime,
+        { totalProcessingTimeMs: Date.now() - startTime, confidenceScoresGenerated: context.selectedTools?.length || 0 }
+      );
+
       const processingStats = {
         embeddingsUsed: embeddingsService.isEnabled(),
         candidatesFromEmbeddings: filteredData.tools.length,
         finalSelectedItems: (context.selectedTools?.length || 0) + 
                            (context.backgroundKnowledge?.length || 0),
         processingTimeMs: Date.now() - startTime,
-        microTasksCompleted: completedTasks,
+        microTasksCompleted: completeTasks,
         microTasksFailed: failedTasks,
         contextContinuityUsed: true
       };
 
-      console.log(`[IMPROVED PIPELINE] Completed: ${completedTasks} tasks, Failed: ${failedTasks} tasks`);
-      console.log(`[IMPROVED PIPELINE] Unique tools selected: ${context.seenToolNames.size}`);
+      console.log(`[AI PIPELINE] Completed: ${completeTasks} tasks, Failed: ${failedTasks} tasks`);
+      console.log(`[AI PIPELINE] Enhanced confidence scores generated: ${context.selectedTools?.length || 0}`);
+      console.log(`[AI PIPELINE] Audit trail entries: ${context.auditTrail.length}`);
 
       return {
-        recommendation,
+        recommendation: {
+          ...recommendation,
+          auditTrail: this.auditConfig.enabled ? context.auditTrail : undefined
+        },
         processingStats
       };
 
     } catch (error) {
-      console.error('[IMPROVED PIPELINE] Processing failed:', error);
+      console.error('[AI PIPELINE] Processing failed:', error);
+      
+      this.tempAuditEntries = [];
+      
       throw error;
     }
   }
@@ -816,29 +1193,83 @@ WICHTIG: Antworten Sie NUR in fließendem deutschen Text ohne Listen oder Markdo
     };
 
     if (isWorkflow) {
-      return {
-        ...base,
-        recommended_tools: context.selectedTools?.map(st => ({
+      const recommendedToolsWithConfidence = context.selectedTools?.map(st => {
+        const confidence = this.calculateRecommendationConfidence(
+          st.tool,
+          context,
+          st.taskRelevance || 70,
+          st.limitations || []
+        );
+        
+        this.addAuditEntry(context, 'validation', 'confidence-scoring',
+          { toolName: st.tool.name, phase: st.phase },
+          { 
+            overall: confidence.overall,
+            components: {
+              semantic: confidence.semanticRelevance,
+              suitability: confidence.taskSuitability,
+            }
+          },
+          confidence.overall,
+          Date.now(),
+          { uncertaintyCount: confidence.uncertaintyFactors.length, strengthCount: confidence.strengthIndicators.length }
+        );
+
+        return {
           name: st.tool.name,
           phase: st.phase,
           priority: st.priority,
-          justification: st.justification || `Empfohlen für ${st.phase}`
-        })) || [],
+          justification: st.justification || `Empfohlen für ${st.phase}`,
+          confidence: confidence,
+          recommendationStrength: confidence.overall >= this.confidenceConfig.highThreshold ? 'strong' : 
+                                confidence.overall >= this.confidenceConfig.mediumThreshold ? 'moderate' : 'weak'
+        };
+      }) || [];
+
+      return {
+        ...base,
+        recommended_tools: recommendedToolsWithConfidence,
         workflow_suggestion: finalContent
       };
     } else {
-      return {
-        ...base,
-        recommended_tools: context.selectedTools?.map(st => ({
+      const recommendedToolsWithConfidence = context.selectedTools?.map(st => {
+        const confidence = this.calculateRecommendationConfidence(
+          st.tool,
+          context,
+          st.taskRelevance || 70,
+          st.limitations || [] 
+        );
+        
+        this.addAuditEntry(context, 'validation', 'confidence-scoring',
+          { toolName: st.tool.name, rank: st.tool.evaluation?.rank || 1 },
+          { 
+            overall: confidence.overall,
+            suitabilityAlignment: st.priority === 'high' && confidence.overall >= this.confidenceConfig.highThreshold,
+            limitationsUsed: st.limitations?.length || 0
+          },
+          confidence.overall,
+          Date.now(),
+          { strengthCount: confidence.strengthIndicators.length, limitationsCount: confidence.uncertaintyFactors.length }
+        );
+
+        return {
           name: st.tool.name,
           rank: st.tool.evaluation?.rank || 1,
           suitability_score: st.priority,
           detailed_explanation: st.tool.evaluation?.detailed_explanation || '',
           implementation_approach: st.tool.evaluation?.implementation_approach || '',
           pros: st.tool.evaluation?.pros || [],
-          cons: st.tool.evaluation?.cons || [],
-          alternatives: st.tool.evaluation?.alternatives || ''
-        })) || [],
+          cons: st.tool.evaluation?.limitations || [],
+          alternatives: st.tool.evaluation?.alternatives || '',
+          confidence: confidence,
+          recommendationStrength: confidence.overall >= this.confidenceConfig.highThreshold ? 'strong' : 
+                                confidence.overall >= this.confidenceConfig.mediumThreshold ? 'moderate' : 'weak'
+        };
+      }) || [];
+
+      return {
+        ...base,
+        recommended_tools: recommendedToolsWithConfidence,
         additional_considerations: finalContent
       };
     }
diff --git a/src/utils/dataService.ts b/src/utils/dataService.ts
index 7f6b6a0..c0f8b1d 100644
--- a/src/utils/dataService.ts
+++ b/src/utils/dataService.ts
@@ -77,33 +77,8 @@ interface EnhancedCompressedToolsData {
   domains: any[];
   phases: any[];
   'domain-agnostic-software': any[];
-  scenarios?: any[]; // Optional for AI processing
+  scenarios?: any[];
   skill_levels: any;
-  // Enhanced context for micro-tasks
-  domain_relationships: DomainRelationship[];
-  phase_dependencies: PhaseDependency[];
-  tool_compatibility_matrix: CompatibilityMatrix[];
-}
-
-interface DomainRelationship {
-  domain_id: string;
-  tool_count: number;
-  common_tags: string[];
-  skill_distribution: Record<string, number>;
-}
-
-interface PhaseDependency {
-  phase_id: string;
-  order: number;
-  depends_on: string | null;
-  enables: string | null;
-  is_parallel_capable: boolean;
-  typical_duration: string;
-}
-
-interface CompatibilityMatrix {
-  type: string;
-  groups: Record<string, string[]>;
 }
 
 let cachedData: ToolsData | null = null;
@@ -146,104 +121,6 @@ function generateDataVersion(data: any): string {
   return Math.abs(hash).toString(36);
 }
 
-// Enhanced: Generate domain relationships for better AI understanding
-function generateDomainRelationships(domains: any[], tools: any[]): DomainRelationship[] {
-  const relationships: DomainRelationship[] = [];
-  
-  for (const domain of domains) {
-    const domainTools = tools.filter(tool => 
-      tool.domains && tool.domains.includes(domain.id)
-    );
-    
-    const commonTags = domainTools
-      .flatMap(tool => tool.tags || [])
-      .reduce((acc: any, tag: string) => {
-        acc[tag] = (acc[tag] || 0) + 1;
-        return acc;
-      }, {});
-      
-    const topTags = Object.entries(commonTags)
-      .sort(([,a], [,b]) => (b as number) - (a as number))
-      .slice(0, 5)
-      .map(([tag]) => tag);
-    
-    relationships.push({
-      domain_id: domain.id,
-      tool_count: domainTools.length,
-      common_tags: topTags,
-      skill_distribution: domainTools.reduce((acc: any, tool: any) => {
-        acc[tool.skillLevel] = (acc[tool.skillLevel] || 0) + 1;
-        return acc;
-      }, {})
-    });
-  }
-  
-  return relationships;
-}
-
-// Enhanced: Generate phase dependencies
-function generatePhaseDependencies(phases: any[]): PhaseDependency[] {
-  const dependencies: PhaseDependency[] = [];
-  
-  for (let i = 0; i < phases.length; i++) {
-    const phase = phases[i];
-    const nextPhase = phases[i + 1];
-    const prevPhase = phases[i - 1];
-    
-    dependencies.push({
-      phase_id: phase.id,
-      order: i + 1,
-      depends_on: prevPhase?.id || null,
-      enables: nextPhase?.id || null,
-      is_parallel_capable: ['examination', 'analysis'].includes(phase.id), // Some phases can run in parallel
-      typical_duration: phase.id === 'data-collection' ? 'hours-days' :
-                       phase.id === 'examination' ? 'hours-weeks' :
-                       phase.id === 'analysis' ? 'days-weeks' :
-                       'hours-days'
-    });
-  }
-  
-  return dependencies;
-}
-
-// Enhanced: Generate tool compatibility matrix
-function generateToolCompatibilityMatrix(tools: any[]): CompatibilityMatrix[] {
-  const matrix: CompatibilityMatrix[] = [];
-  
-  // Group tools by common characteristics
-  const platformGroups = tools.reduce((acc: any, tool: any) => {
-    if (tool.platforms) {
-      tool.platforms.forEach((platform: string) => {
-        if (!acc[platform]) acc[platform] = [];
-        acc[platform].push(tool.name);
-      });
-    }
-    return acc;
-  }, {});
-  
-  const phaseGroups = tools.reduce((acc: any, tool: any) => {
-    if (tool.phases) {
-      tool.phases.forEach((phase: string) => {
-        if (!acc[phase]) acc[phase] = [];
-        acc[phase].push(tool.name);
-      });
-    }
-    return acc;
-  }, {});
-  
-  matrix.push({
-    type: 'platform_compatibility',
-    groups: platformGroups
-  });
-  
-  matrix.push({
-    type: 'phase_synergy',
-    groups: phaseGroups
-  });
-  
-  return matrix;
-}
-
 async function loadRawData(): Promise<ToolsData> {
   if (!cachedData) {
     const yamlPath = path.join(process.cwd(), 'src/data/tools.yaml');
@@ -253,7 +130,6 @@ async function loadRawData(): Promise<ToolsData> {
     try {
       cachedData = ToolsDataSchema.parse(rawData);
       
-      // Enhanced: Add default skill level descriptions if not provided
       if (!cachedData.skill_levels || Object.keys(cachedData.skill_levels).length === 0) {
         cachedData.skill_levels = {
           novice: "Minimal technical background required, guided interfaces",
@@ -301,21 +177,18 @@ export async function getCompressedToolsDataForAI(): Promise<EnhancedCompressedT
   if (!cachedCompressedData) {
     const data = await getToolsData();
     
-    // Enhanced: More detailed tool information for micro-tasks
     const compressedTools = data.tools
       .filter(tool => tool.type !== 'concept') 
       .map(tool => {
         const { projectUrl, statusUrl, ...compressedTool } = tool;
         return {
           ...compressedTool,
-          // Enhanced: Add computed fields for AI
           is_hosted: projectUrl !== undefined && projectUrl !== null && projectUrl !== "" && projectUrl.trim() !== "",
           is_open_source: tool.license && tool.license !== 'Proprietary',
           complexity_score: tool.skillLevel === 'expert' ? 5 :
                            tool.skillLevel === 'advanced' ? 4 :
                            tool.skillLevel === 'intermediate' ? 3 :
                            tool.skillLevel === 'beginner' ? 2 : 1,
-          // Enhanced: Phase-specific suitability hints
           phase_suitability: tool.phases?.map(phase => ({
             phase,
             primary_use: tool.tags?.find(tag => tag.includes(phase)) ? 'primary' : 'secondary'
@@ -329,7 +202,6 @@ export async function getCompressedToolsDataForAI(): Promise<EnhancedCompressedT
         const { projectUrl, statusUrl, platforms, accessType, license, ...compressedConcept } = concept;
         return {
           ...compressedConcept,
-          // Enhanced: Learning difficulty indicator
           learning_complexity: concept.skillLevel === 'expert' ? 'very_high' :
                               concept.skillLevel === 'advanced' ? 'high' :
                               concept.skillLevel === 'intermediate' ? 'medium' :
@@ -337,27 +209,16 @@ export async function getCompressedToolsDataForAI(): Promise<EnhancedCompressedT
         };
       });
     
-    // Enhanced: Add rich context data
-    const domainRelationships = generateDomainRelationships(data.domains, compressedTools);
-    const phaseDependencies = generatePhaseDependencies(data.phases);
-    const toolCompatibilityMatrix = generateToolCompatibilityMatrix(compressedTools);
-    
     cachedCompressedData = {
       tools: compressedTools,
       concepts: concepts,
       domains: data.domains,
       phases: data.phases,
       'domain-agnostic-software': data['domain-agnostic-software'],
-      scenarios: data.scenarios, // Include scenarios for context
+      scenarios: data.scenarios,
       skill_levels: data.skill_levels || {},
-      // Enhanced context for micro-tasks
-      domain_relationships: domainRelationships,
-      phase_dependencies: phaseDependencies,
-      tool_compatibility_matrix: toolCompatibilityMatrix
     };
     
-    console.log(`[DATA SERVICE] Generated enhanced compressed data: ${compressedTools.length} tools, ${concepts.length} concepts`);
-    console.log(`[DATA SERVICE] Added context: ${domainRelationships.length} domain relationships, ${phaseDependencies.length} phase dependencies`);
   }
   
   return cachedCompressedData;
diff --git a/src/utils/embeddings.ts b/src/utils/embeddings.ts
index 369b95d..165fb90 100644
--- a/src/utils/embeddings.ts
+++ b/src/utils/embeddings.ts
@@ -24,9 +24,14 @@ interface EmbeddingsDatabase {
   embeddings: EmbeddingData[];
 }
 
+interface SimilarityResult extends EmbeddingData {
+  similarity: number;
+}
+
 class EmbeddingsService {
   private embeddings: EmbeddingData[] = [];
   private isInitialized = false;
+  private initializationPromise: Promise<void> | null = null;
   private readonly embeddingsPath = path.join(process.cwd(), 'data', 'embeddings.json');
   private readonly batchSize: number;
   private readonly batchDelay: number;
@@ -39,6 +44,19 @@ class EmbeddingsService {
   }
 
   async initialize(): Promise<void> {
+    if (this.initializationPromise) {
+      return this.initializationPromise;
+    }
+
+    if (this.isInitialized) {
+      return Promise.resolve();
+    }
+
+    this.initializationPromise = this.performInitialization();
+    return this.initializationPromise;
+  }
+
+  private async performInitialization(): Promise<void> {
     if (!this.enabled) {
       console.log('[EMBEDDINGS] Embeddings disabled, skipping initialization');
       return;
@@ -47,13 +65,11 @@ class EmbeddingsService {
     try {
       console.log('[EMBEDDINGS] Initializing embeddings system...');
       
-      // Create data directory if it doesn't exist
       await fs.mkdir(path.dirname(this.embeddingsPath), { recursive: true });
       
       const toolsData = await getCompressedToolsDataForAI();
       const currentDataHash = this.hashData(toolsData);
       
-      // Try to load existing embeddings
       const existingEmbeddings = await this.loadEmbeddings();
       
       if (existingEmbeddings && existingEmbeddings.version === currentDataHash) {
@@ -70,9 +86,29 @@ class EmbeddingsService {
     } catch (error) {
       console.error('[EMBEDDINGS] Failed to initialize:', error);
       this.isInitialized = false;
+      throw error;
+    } finally {
+      this.initializationPromise = null;
     }
   }
 
+  async waitForInitialization(): Promise<void> {
+    if (!this.enabled) {
+      return Promise.resolve();
+    }
+
+    if (this.isInitialized) {
+      return Promise.resolve();
+    }
+
+    if (this.initializationPromise) {
+      await this.initializationPromise;
+      return;
+    }
+
+    return this.initialize();
+  }
+
   private hashData(data: any): string {
     return Buffer.from(JSON.stringify(data)).toString('base64').slice(0, 32);
   }
@@ -115,16 +151,21 @@ class EmbeddingsService {
     const apiKey = process.env.AI_EMBEDDINGS_API_KEY;
     const model = process.env.AI_EMBEDDINGS_MODEL;
 
-    if (!endpoint || !apiKey || !model) {
+    if (!endpoint || !model) {
       throw new Error('Missing embeddings API configuration');
     }
 
+    const headers: Record<string, string> = {
+      'Content-Type': 'application/json'
+    };
+
+    if (apiKey) {
+      headers['Authorization'] = `Bearer ${apiKey}`;
+    }
+
     const response = await fetch(endpoint, {
       method: 'POST',
-      headers: {
-        'Content-Type': 'application/json',
-        'Authorization': `Bearer ${apiKey}`
-      },
+      headers,
       body: JSON.stringify({
         model,
         input: contents
@@ -137,7 +178,16 @@ class EmbeddingsService {
     }
 
     const data = await response.json();
-    return data.data.map((item: any) => item.embedding);
+
+    if (Array.isArray(data.embeddings)) {
+      return data.embeddings;
+    }
+
+    if (Array.isArray(data.data)) {
+      return data.data.map((item: any) => item.embedding);
+    }
+
+    throw new Error('Unknown embeddings API response format');
   }
 
   private async generateEmbeddings(toolsData: any, version: string): Promise<void> {
@@ -149,7 +199,6 @@ class EmbeddingsService {
     const contents = allItems.map(item => this.createContentString(item));
     this.embeddings = [];
 
-    // Process in batches to respect rate limits
     for (let i = 0; i < contents.length; i += this.batchSize) {
       const batch = contents.slice(i, i + this.batchSize);
       const batchItems = allItems.slice(i, i + this.batchSize);
@@ -177,7 +226,6 @@ class EmbeddingsService {
           });
         });
         
-        // Rate limiting delay between batches
         if (i + this.batchSize < contents.length) {
           await new Promise(resolve => setTimeout(resolve, this.batchDelay));
         }
@@ -192,7 +240,6 @@ class EmbeddingsService {
   }
 
   public async embedText(text: string): Promise<number[]> {
-    // Re‑use the private batch helper to avoid auth duplication
     const [embedding] = await this.generateEmbeddingsBatch([text.toLowerCase()]);
     return embedding;
   }
@@ -211,28 +258,56 @@ class EmbeddingsService {
     return dotProduct / (Math.sqrt(normA) * Math.sqrt(normB));
   }
 
-  async findSimilar(query: string, maxResults: number = 30, threshold: number = 0.3): Promise<EmbeddingData[]> {
+  async findSimilar(query: string, maxResults: number = 30, threshold: number = 0.3): Promise<SimilarityResult[]> {
     if (!this.enabled || !this.isInitialized || this.embeddings.length === 0) {
+      console.log('[EMBEDDINGS] Service not available for similarity search');
       return [];
     }
 
     try {
-      // Generate embedding for query
       const queryEmbeddings = await this.generateEmbeddingsBatch([query.toLowerCase()]);
       const queryEmbedding = queryEmbeddings[0];
 
-      // Calculate similarities
-      const similarities = this.embeddings.map(item => ({
+      console.log(`[EMBEDDINGS] Computing similarities for ${this.embeddings.length} items`);
+
+      const similarities: SimilarityResult[] = this.embeddings.map(item => ({
         ...item,
         similarity: this.cosineSimilarity(queryEmbedding, item.embedding)
       }));
 
-      // Filter by threshold and sort by similarity
-      return similarities
+      const results = similarities
         .filter(item => item.similarity >= threshold)
-        .sort((a, b) => b.similarity - a.similarity)
+        .sort((a, b) => b.similarity - a.similarity) 
         .slice(0, maxResults);
 
+      const orderingValid = results.every((item, index) => {
+        if (index === 0) return true;
+        return item.similarity <= results[index - 1].similarity;
+      });
+
+      if (!orderingValid) {
+        console.error('[EMBEDDINGS] CRITICAL: Similarity ordering is broken!');
+        results.forEach((item, idx) => {
+          console.error(`  ${idx}: ${item.name} = ${item.similarity.toFixed(4)}`);
+        });
+      }
+
+      console.log(`[EMBEDDINGS] Found ${results.length} similar items (threshold: ${threshold})`);
+      if (results.length > 0) {
+        console.log('[EMBEDDINGS] Top 10 similarity matches:');
+        results.slice(0, 10).forEach((item, idx) => {
+          console.log(`  ${idx + 1}. ${item.name} (${item.type}) = ${item.similarity.toFixed(4)}`);
+        });
+        
+        const topSimilarity = results[0].similarity;
+        const hasHigherSimilarity = results.some(item => item.similarity > topSimilarity);
+        if (hasHigherSimilarity) {
+          console.error('[EMBEDDINGS] CRITICAL: Top result is not actually the highest similarity!');
+        }
+      }
+
+      return results;
+
     } catch (error) {
       console.error('[EMBEDDINGS] Failed to find similar items:', error);
       return [];
@@ -254,12 +329,10 @@ class EmbeddingsService {
 
 
 
-// Global instance
 const embeddingsService = new EmbeddingsService();
 
-export { embeddingsService, type EmbeddingData };
+export { embeddingsService, type EmbeddingData, type SimilarityResult };
 
-// Auto-initialize on import in server environment
 if (typeof window === 'undefined' && process.env.NODE_ENV !== 'test') {
   embeddingsService.initialize().catch(error => {
     console.error('[EMBEDDINGS] Auto-initialization failed:', error);
diff --git a/src/utils/rateLimitedQueue.ts b/src/utils/rateLimitedQueue.ts
index 3d9b96b..d2f078c 100644
--- a/src/utils/rateLimitedQueue.ts
+++ b/src/utils/rateLimitedQueue.ts
@@ -1,10 +1,14 @@
-// src/utils/rateLimitedQueue.ts - FIXED: Memory leak and better cleanup
+// src/utils/rateLimitedQueue.ts
 
 import dotenv from "dotenv";
 
 dotenv.config();
 
-const RATE_LIMIT_DELAY_MS = Number.parseInt(process.env.AI_RATE_LIMIT_DELAY_MS ?? "2000", 10) || 2000;
+const RATE_LIMIT_DELAY_MS =
+  Number.parseInt(process.env.AI_RATE_LIMIT_DELAY_MS ?? "2000", 10) || 2000;
+
+const TASK_TIMEOUT_MS =
+  Number.parseInt(process.env.AI_TASK_TIMEOUT_MS ?? "300000", 10) || 300000;
 
 export type Task<T = unknown> = () => Promise<T>;
 
@@ -12,7 +16,7 @@ interface QueuedTask {
   id: string;
   task: Task;
   addedAt: number;
-  status: 'queued' | 'processing' | 'completed' | 'failed';
+  status: "queued" | "processing" | "completed" | "failed" | "timedout";
   startedAt?: number;
   completedAt?: number;
 }
@@ -29,11 +33,12 @@ class RateLimitedQueue {
   private tasks: QueuedTask[] = [];
   private isProcessing = false;
   private delayMs = RATE_LIMIT_DELAY_MS;
+  private taskTimeoutMs = TASK_TIMEOUT_MS;
   private lastProcessedAt = 0;
   private currentlyProcessingTaskId: string | null = null;
-  
+
   private cleanupInterval: NodeJS.Timeout;
-  private readonly TASK_RETENTION_MS = 30000; 
+  private readonly TASK_RETENTION_MS = 300000; // 5 minutes
 
   constructor() {
     this.cleanupInterval = setInterval(() => {
@@ -44,19 +49,19 @@ class RateLimitedQueue {
   private cleanupOldTasks(): void {
     const now = Date.now();
     const initialLength = this.tasks.length;
-    
-    this.tasks = this.tasks.filter(task => {
-      if (task.status === 'queued' || task.status === 'processing') {
+
+    this.tasks = this.tasks.filter((task) => {
+      if (task.status === "queued" || task.status === "processing") {
         return true;
       }
-      
-      if (task.completedAt && (now - task.completedAt) > this.TASK_RETENTION_MS) {
+
+      if (task.completedAt && now - task.completedAt > this.TASK_RETENTION_MS) {
         return false;
       }
-      
+
       return true;
     });
-    
+
     const cleaned = initialLength - this.tasks.length;
     if (cleaned > 0) {
       console.log(`[QUEUE] Cleaned up ${cleaned} old tasks, ${this.tasks.length} remaining`);
@@ -86,11 +91,11 @@ class RateLimitedQueue {
           }
         },
         addedAt: Date.now(),
-        status: 'queued'
+        status: "queued",
       };
-      
+
       this.tasks.push(queuedTask);
-      
+
       setTimeout(() => {
         this.processQueue();
       }, 100);
@@ -98,12 +103,12 @@ class RateLimitedQueue {
   }
 
   getStatus(taskId?: string): QueueStatus {
-    const queuedTasks = this.tasks.filter(t => t.status === 'queued');
-    const processingTasks = this.tasks.filter(t => t.status === 'processing');
+    const queuedTasks = this.tasks.filter((t) => t.status === "queued");
+    const processingTasks = this.tasks.filter((t) => t.status === "processing");
     const queueLength = queuedTasks.length + processingTasks.length;
-    
+
     const now = Date.now();
-    
+
     let estimatedWaitTime = 0;
     if (queueLength > 0) {
       if (this.isProcessing && this.lastProcessedAt > 0) {
@@ -118,38 +123,34 @@ class RateLimitedQueue {
     const status: QueueStatus = {
       queueLength,
       isProcessing: this.isProcessing,
-      estimatedWaitTime
+      estimatedWaitTime,
     };
 
     if (taskId) {
-      const task = this.tasks.find(t => t.id === taskId);
-      
+      const task = this.tasks.find((t) => t.id === taskId);
+
       if (task) {
         status.taskStatus = task.status;
-        
-        if (task.status === 'processing') {
+
+        if (task.status === "processing") {
           status.currentPosition = 1;
-        } else if (task.status === 'queued') {
+        } else if (task.status === "queued") {
           const queuedTasksInOrder = this.tasks
-            .filter(t => t.status === 'queued')
+            .filter((t) => t.status === "queued")
             .sort((a, b) => a.addedAt - b.addedAt);
-          
-          const positionInQueue = queuedTasksInOrder.findIndex(t => t.id === taskId);
-          
+
+          const positionInQueue = queuedTasksInOrder.findIndex((t) => t.id === taskId);
+
           if (positionInQueue >= 0) {
             const processingOffset = processingTasks.length > 0 ? 1 : 0;
             status.currentPosition = processingOffset + positionInQueue + 1;
           }
         }
-      } else {        
+      } else {
         const taskTimestamp = taskId.match(/ai_(\d+)_/)?.[1];
         if (taskTimestamp) {
           const taskAge = now - parseInt(taskTimestamp);
-          if (taskAge < 30000) { 
-            status.taskStatus = 'starting';
-          } else {
-            status.taskStatus = 'unknown';
-          }
+          status.taskStatus = taskAge < 300000 ? "starting" : "unknown";
         }
       }
     }
@@ -157,51 +158,48 @@ class RateLimitedQueue {
     return status;
   }
 
-  setDelay(ms: number): void {
-    if (!Number.isFinite(ms) || ms < 0) return;
-    this.delayMs = ms;
-  }
-
-  getDelay(): number {
-    return this.delayMs;
-  }
-
   private async processQueue(): Promise<void> {
-    if (this.isProcessing) {
-      return;
-    }
+    if (this.isProcessing) return;
 
     this.isProcessing = true;
 
     try {
       while (true) {
         const nextTask = this.tasks
-          .filter(t => t.status === 'queued')
+          .filter((t) => t.status === "queued")
           .sort((a, b) => a.addedAt - b.addedAt)[0];
-        
-        if (!nextTask) {
-          break;
-        }
-        
-        nextTask.status = 'processing';
+
+        if (!nextTask) break;
+
+        nextTask.status = "processing";
         nextTask.startedAt = Date.now();
         this.currentlyProcessingTaskId = nextTask.id;
         this.lastProcessedAt = Date.now();
-        
+
         try {
-          await nextTask.task();
-          nextTask.status = 'completed';
+          await Promise.race([
+            nextTask.task(),
+            new Promise((_, reject) =>
+              setTimeout(
+                () => reject(new Error(`Task ${nextTask.id} timed out after ${this.taskTimeoutMs} ms`)),
+                this.taskTimeoutMs,
+              ),
+            ),
+          ]);
+
+          nextTask.status = "completed";
           nextTask.completedAt = Date.now();
           console.log(`[QUEUE] Task ${nextTask.id} completed`);
         } catch (error) {
-          nextTask.status = 'failed';
+          const err = error as Error;
+          nextTask.status = err.message.includes("timed out") ? "timedout" : "failed";
           nextTask.completedAt = Date.now();
           console.error(`[QUEUE] Task ${nextTask.id} failed:`, error);
         }
-        
+
         this.currentlyProcessingTaskId = null;
-        
-        const hasMoreQueued = this.tasks.some(t => t.status === 'queued');
+
+        const hasMoreQueued = this.tasks.some((t) => t.status === "queued");
         if (hasMoreQueued) {
           console.log(`[QUEUE] Waiting ${this.delayMs}ms before next task`);
           await new Promise((r) => setTimeout(r, this.delayMs));
@@ -232,4 +230,4 @@ export function shutdownQueue(): void {
   queue.shutdown();
 }
 
-export default queue;
\ No newline at end of file
+export default queue;
diff --git a/src/utils/toolHelpers.ts b/src/utils/toolHelpers.ts
index 54431b3..47f572f 100644
--- a/src/utils/toolHelpers.ts
+++ b/src/utils/toolHelpers.ts
@@ -1,8 +1,3 @@
-/**
- * CONSOLIDATED Tool utility functions for consistent tool operations across the app
- * Works in both server (Node.js) and client (browser) environments
- */
-
 export interface Tool {
   name: string;
   type?: 'software' | 'method' | 'concept';
@@ -18,10 +13,6 @@ export interface Tool {
   related_concepts?: string[];
 }
 
-/**
- * Creates a URL-safe slug from a tool name
- * Used for URLs, IDs, and file names consistently across the app
- */
 export function createToolSlug(toolName: string): string {
   if (!toolName || typeof toolName !== 'string') {
     console.warn('[toolHelpers] Invalid toolName provided to createToolSlug:', toolName);
@@ -35,9 +26,6 @@ export function createToolSlug(toolName: string): string {
     .replace(/^-|-$/g, '');           // Remove leading/trailing hyphens
 }
 
-/**
- * Finds a tool by name or slug from tools array
- */
 export function findToolByIdentifier(tools: Tool[], identifier: string): Tool | undefined {
   if (!identifier || !Array.isArray(tools)) return undefined;
   
@@ -47,23 +35,9 @@ export function findToolByIdentifier(tools: Tool[], identifier: string): Tool |
   );
 }
 
-/**
- * Checks if tool has a valid project URL (hosted on CC24 server)
- */
 export function isToolHosted(tool: Tool): boolean {
   return tool.projectUrl !== undefined && 
          tool.projectUrl !== null && 
          tool.projectUrl !== "" && 
          tool.projectUrl.trim() !== "";
-}
-
-/**
- * Determines tool category for styling/logic
- */
-export function getToolCategory(tool: Tool): 'concept' | 'method' | 'hosted' | 'oss' | 'proprietary' {
-  if (tool.type === 'concept') return 'concept';
-  if (tool.type === 'method') return 'method';
-  if (isToolHosted(tool)) return 'hosted';
-  if (tool.license && tool.license !== 'Proprietary') return 'oss';
-  return 'proprietary';
 }
\ No newline at end of file