GitHub: ChrisDanielW/Digital-Forensics-ToolKit
# Automated Incident Response and Digital Forensics Toolkit
A modular Python toolkit for Linux DFIR that automates evidence collection, basic analysis, integrity verification, and report generation. It focuses on orchestration of common forensic workflows for academic and portfolio use.
## Current capabilities
- Case management with structured evidence, logs, and reports per run
- System information, process analysis, and network analysis
- Log collection and parsing (auth/syslog/dmesg/bash history)
- Browser artifacts (Chromium/Chrome/Firefox) with suspicious indicators
- Suspicious file scanner for temp and downloads directories
- Evidence hashing and chain of custody logging
- Memory analysis orchestration via Volatility 3
- Timeline generation (CSV + summary)
- Report generation (Markdown, HTML, PDF)
- Flask dashboard for case browsing and analysis runs
## Project layout

```
forensics_toolkit/
main.py
modules/
utils/
dashboard/
cases/
logs/
reports/
evidence/
```
## Setup

1. Create a virtual environment and install dependencies:

   ```bash
   python3 -m venv .venv
   source .venv/bin/activate
   pip install -r requirements.txt
   ```

2. Initialize the Volatility 3 submodule (recommended):

   ```bash
   git submodule update --init --recursive
   ```

3. Install Volatility 3 in editable mode:

   ```bash
   cd volatility3
   pip install -e ".[full]"
   cd ..
   ```

4. Confirm Volatility 3 is reachable (from the project root):

   ```bash
   python3 volatility3/vol.py -h
   ```

5. (Linux memory analysis) Generate a Linux ISF that matches the kernel of the memory image:

   5.1 Identify the kernel banner from your memory image:

   ```bash
   ROOT="/home/john-ubuntu/Desktop/Digital Forensics ToolKit"
   python3 "$ROOT/volatility3/vol.py" \
     -f /path/to/memory.lime \
     -s "$ROOT/volatility3/symbols" \
     banners.Banners
   ```

   5.2 Install debug symbols and build dwarf2json (run on the same VM/kernel the image was taken from):

   ```bash
   sudo apt install ubuntu-dbgsym-keyring
   echo "deb http://ddebs.ubuntu.com $(lsb_release -cs) main restricted universe multiverse
   deb http://ddebs.ubuntu.com $(lsb_release -cs)-updates main restricted universe multiverse
   deb http://ddebs.ubuntu.com $(lsb_release -cs)-proposed main restricted universe multiverse" | \
     sudo tee /etc/apt/sources.list.d/ddebs.list
   sudo apt update
   sudo apt install linux-image-$(uname -r)-dbgsym golang-go git
   cd ~
   git clone https://github.com/volatilityfoundation/dwarf2json.git
   cd dwarf2json
   go build
   ```

   5.3 Generate the ISF and place it in the Volatility symbols directory (`ROOT` as set in step 5.1):

   ```bash
   VMLINUX="/usr/lib/debug/boot/vmlinux-$(uname -r)"
   OUT="$HOME/Ubuntu_$(uname -r)_x64.json"
   ~/dwarf2json/dwarf2json linux --elf "$VMLINUX" > "$OUT"
   mv "$OUT" "$ROOT/volatility3/symbols/linux/"
   ```

   5.4 (Optional) Compress the ISF:

   ```bash
   xz -f "$ROOT/volatility3/symbols/linux/Ubuntu_$(uname -r)_x64.json"
   ```

6. If you run with sudo, use the virtual environment's Python so the packages installed in step 1 are found:

   ```bash
   sudo -E .venv/bin/python -m forensics_toolkit.main CASE001 --run all
   ```
## Running the CLI

Run a full collection:

```bash
python3 -m forensics_toolkit.main CASE001 --run all --investigator "Your Name" --notes "Initial collection"
```

Run a single module:

```bash
python3 -m forensics_toolkit.main CASE001 --run logs
python3 -m forensics_toolkit.main CASE001 --run browser
python3 -m forensics_toolkit.main CASE001 --run timeline
```

Memory analysis (requires a memory image and matching symbols):

```bash
python3 -m forensics_toolkit.main CASE001 --run memory \
  --memory-image /path/to/memory.lime --memory-os linux
```

Report generation for an existing case:

```bash
python3 -m forensics_toolkit.main CASE001 --run report \
  --case-path /path/to/cases/case_CASE001_YYYYMMDD_HHMMSS \
  --investigator "Your Name" --notes "Report only"
```
## Dashboard

Launch the dashboard:

```bash
python3 -m forensics_toolkit.main CASE000 --run dashboard \
  --case-root "/home/john-ubuntu/Desktop/Digital Forensics ToolKit/cases"
```

Open:

```
http://127.0.0.1:5000
```
The dashboard supports:
- Case browsing with results tabs
- On-demand analysis runs (async or sync)
- Memory analysis as a standalone run
- Report and artifact previews
## Outputs
- Case data under `cases/case_<CASE_ID>_<YYYYMMDD_HHMMSS>/`
- Evidence artifacts under `evidence/`
- Logs and chain of custody under `logs/`
- Reports under `reports/`
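The case layout, evidence hashing and chain-of-custody logging described above, as a minimal added example (this is not the toolkit's own code; `create_case`, `collect`, `verify` and the `chain_of_custody.jsonl` file name are hypothetical, and the sample auth.log line is constructed):

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()  # chunked so a multi-GB memory image is not read into RAM at once
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def create_case(case_root: Path, case_id: str) -> Path:
    # Mirrors the case_<CASE_ID>_<YYYYMMDD_HHMMSS> naming with evidence/, logs/, reports/
    case_dir = case_root / f"case_{case_id}_{datetime.now(timezone.utc):%Y%m%d_%H%M%S}"
    for sub in ("evidence", "logs", "reports"):
        (case_dir / sub).mkdir(parents=True, exist_ok=True)
    return case_dir

def collect(case_dir: Path, source: Path, investigator: str) -> dict:
    # Copy the artifact into evidence/ and append a JSON-lines chain-of-custody record
    dest = case_dir / "evidence" / source.name
    dest.write_bytes(source.read_bytes())
    record = {"time": datetime.now(timezone.utc).isoformat(), "action": "collected",
              "investigator": investigator, "source": str(source),
              "evidence": dest.relative_to(case_dir).as_posix(), "sha256": sha256_file(dest)}
    with (case_dir / "logs" / "chain_of_custody.jsonl").open("a") as log:
        log.write(json.dumps(record) + "\n")
    return record

def verify(case_dir: Path) -> dict:
    # Re-hash every logged artifact; a missing or modified file verifies as False
    results = {}
    for line in (case_dir / "logs" / "chain_of_custody.jsonl").read_text().splitlines():
        rec = json.loads(line)
        path = case_dir / rec["evidence"]
        results[rec["evidence"]] = path.exists() and sha256_file(path) == rec["sha256"]
    return results

def demo() -> tuple:
    # Constructed sample: collect a fake auth.log, verify, tamper with it, verify again
    tmp = Path(tempfile.mkdtemp())
    src = tmp / "auth.log"
    src.write_text("Jan  1 00:00:00 host sshd[1]: Failed password for root from 10.0.0.5\n")
    case = create_case(tmp / "cases", "CASE001")
    collect(case, src, "Your Name")
    before = verify(case)
    (case / "evidence" / "auth.log").write_text("tampered\n")
    return before, verify(case)
```

`demo()` returns `({'evidence/auth.log': True}, {'evidence/auth.log': False})`: the first verification passes and the second fails once the stored copy has been altered.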
## Volatility 3 symbols

Linux memory analysis requires an ISF that matches the kernel banner of the image. Store ISFs in:

```
volatility3/symbols/linux/
```

Symbols are intentionally not tracked in Git. Keep them local or use external storage.
## Notes on running with sudo

If you run the toolkit with sudo (for access to privileged logs), outputs are chowned to the invoking user so they remain deletable without root. If you still see permission issues, run:

```bash
sudo chown -R $USER:$USER cases logs
```
## Attribution
This project integrates Volatility 3. See the Volatility Foundation repository and license for details:
https://github.com/volatilityfoundation/volatility3