shakti2613/WinDFIR---Windows-Digital-Forensics-Incident-Response-Tool

GitHub: shakti2613/WinDFIR---Windows-Digital-Forensics-Incident-Response-Tool

WinDFIR is a Windows digital forensics and incident response platform built on Python and PyQt6, providing a one-stop DFIR workflow from evidence acquisition and threat analysis to professional report generation.

Stars: 0 | Forks: 0

# 🛡️ WinDFIR - Windows Digital Forensics & Incident Response Tool

WinDFIR is a comprehensive, open-source digital forensics and incident response (DFIR) platform designed specifically for Windows systems. Built with Python and PyQt6, it provides a modern GUI dashboard for acquiring forensic artifacts, analysing threats, and generating professional reports in PDF, HTML and JSON formats.

## ✨ Core Features

- **🔍 Comprehensive acquisition:** Collects processes, services, startup items, scheduled tasks, user accounts, installed software, USB history, browser artifacts, event logs and network connections.
- **🔬 Advanced analysis:** Detects persistence mechanisms, matches IOCs, scans with YARA rules, identifies suspicious/unsigned binaries, and integrates with VirusTotal.
- **📊 Professional reporting:** Generates detailed forensic reports in **PDF**, **HTML** and **JSON** formats, including an executive summary, risk scoring and chain-of-custody integrity hashes.
- **🖥️ Modern dashboard:** A sleek dark-themed GUI built with PyQt6, with a live console log, interactive artifact tables and timeline visualisation.
- **🛡️ Defensive security:** Read-only acquisition, SHA-256 integrity sealing and audit logging, following industry best practices.

## 📁 Project Structure

```
windfir/
├── main.py                    # Entry point + GUI launcher
├── requirements.txt           # Python dependencies
├── config.py                  # Global configuration
├── core/
│   ├── evidence.py            # Chain-of-custody / case metadata
│   ├── collectors/            # Data acquisition modules (read-only)
│   │   ├── processes.py       # Running process enumeration
│   │   ├── services.py        # Windows service analysis
│   │   ├── startup.py         # Autorun/Registry startup entries
│   │   ├── scheduled_tasks.py # Task scheduler analysis
│   │   ├── users.py           # User account enumeration
│   │   ├── software.py        # Installed software inventory
│   │   ├── usb_history.py     # USB device connection history
│   │   ├── browser.py         # Chrome/Edge history artifacts
│   │   ├── event_logs.py      # Windows Event Log parsing
│   │   └── network.py         # Active network connections
│   ├── analyzers/             # Threat analysis modules
│   │   ├── pe_analyzer.py     # PE file & hash analysis
│   │   ├── persistence.py     # Persistence mechanism detection
│   │   ├── ioc_matcher.py     # IOC correlation engine
│   │   ├── yara_scanner.py    # YARA rule scanning
│   │   └── virustotal.py      # VirusTotal API integration
│   └── timeline.py            # Forensic timeline builder
├── reports/
│   ├── pdf_report.py          # Professional PDF generator
│   ├── html_report.py         # Interactive HTML report
│   └── json_report.py         # Machine-readable JSON export
├── gui/
│   └── dashboard.py           # PyQt6 main dashboard interface
├── resources/
│   ├── iocs.csv               # Custom IOC database
│   └── yara_rules/            # Custom YARA rules
└── output/                    # Generated reports directory
```

## 🚀 Installation

### Prerequisites

- Windows 10/11
- Python 3.10+
- Administrator privileges (recommended for full artifact collection)

### Setup

```
# Clone repository
git clone https://github.com/YOUR_USERNAME/WindFIR.git
cd WindFIR

# Create virtual environment
python -m venv venv
venv\Scripts\activate

# Install dependencies
pip install -r requirements.txt

# Run application
python main.py
```

## 🛠️ Usage Guide

1. **Start Acquisition:** Click "Start Acquisition & Analysis" to begin collecting forensic data.
2. **Review Findings:** Check the "Findings" tab for detected threats. Use "Add Demo Findings" to test the display.
3. **Explore Artifacts:** Browse collected data in the "Artifacts" tab using the category sidebar.
4. **Generate Reports:** Click "Generate Reports", select your desired format(s), choose a save location, and generate professional documentation.

## ⚙️ Configuration

- **VirusTotal API:** Set the `VT_API_KEY` environment variable to enable VT enrichment.
- **IOC Database:** Add custom indicators to `resources/iocs.csv`.
- **YARA Rules:** Place custom rules in `resources/yara_rules/`.

## 🤝 Contributing

Contributions are welcome! Please feel free to submit issues and pull requests.

## ⚖️ Legal Notice

WinDFIR is provided "as is" without warranty. The authors are not responsible for any misuse of this tool. Always comply with local laws and organizational policies when conducting forensic investigations.
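The chain-of-custody integrity hashes and SHA-256 integrity sealing listed under Core Features can be illustrated with a small stand-alone example. This is an added example, not WinDFIR's own `core/evidence.py`; the manifest fields, the two-level hashing scheme and the sample collector output are assumptions:

```python
# Added example (not WinDFIR's code): seal a collected artifact set with a
# SHA-256 chain-of-custody manifest, then verify it to detect tampering.
# Manifest field names and the hashing layout are assumptions for illustration.
import hashlib
import json
from datetime import datetime, timezone


def canonical_bytes(obj) -> bytes:
    """Serialise deterministically so the hash does not depend on dict order."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def seal_case(case_id: str, examiner: str, artifacts: dict) -> dict:
    """Hash each artifact category, then hash the table of hashes (the seal)
    so that changing any category or the table itself invalidates the case."""
    entries = {name: sha256_hex(canonical_bytes(data)) for name, data in sorted(artifacts.items())}
    return {
        "case_id": case_id,
        "examiner": examiner,
        "sealed_at": datetime.now(timezone.utc).isoformat(),
        "algorithm": "sha256",
        "artifact_hashes": entries,
        "seal": sha256_hex(canonical_bytes(entries)),
    }


def verify_case(manifest: dict, artifacts: dict) -> list:
    """Return artifact categories that no longer match the manifest (modified,
    missing or added), plus "seal" if the manifest table was altered. Empty = intact."""
    problems = []
    for name, expected in manifest["artifact_hashes"].items():
        if name not in artifacts or sha256_hex(canonical_bytes(artifacts[name])) != expected:
            problems.append(name)
    problems.extend(name for name in artifacts if name not in manifest["artifact_hashes"])
    if sha256_hex(canonical_bytes(manifest["artifact_hashes"])) != manifest["seal"]:
        problems.append("seal")
    return problems


# Constructed sample data standing in for collector output (not real evidence).
SAMPLE_ARTIFACTS = {
    "processes": [{"pid": 4242, "name": "example.exe", "path": "C:\\Temp\\example.exe"}],
    "services": [{"name": "ExampleSvc", "start": "auto", "signed": False}],
}

if __name__ == "__main__":
    manifest = seal_case("CASE-0001", "analyst", SAMPLE_ARTIFACTS)
    print(json.dumps(manifest, indent=2))
    print("integrity problems:", verify_case(manifest, SAMPLE_ARTIFACTS))
```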
Tags: PyQt6, Python, YARA, cloud asset visualisation, library, incident response, digital forensics, no backdoor, wireless security, automation scripts, reverse-engineering tools