TA-DLA is a modular Python toolkit for DFIR practitioners to process, analyze, and report on ransomware leak data. It supports scraping, downloading, extracting, analyzing, and reporting on data from a variety of leak site formats, with a strong focus on OpSec and extensibility via a plugin system.
- Plugin-based architecture for scrapers and downloaders (HTTP, FTP, MEGA, etc.)
- Inventory tracking with SQLite (now includes SHA1 hashes for all downloaded files)
- Recursive extraction and analysis
- OpSec enforcement (TOR/SOCKS5, warnings, and checks)
- Extensible: Add new scrapers/downloaders as plugins
pip install -r requirements.txt
python setup.py develop
Scrape links from a TA leak site (index-style or FTP):
ta-dla scrape --case-dir /path/to/case --ta <threat-actor> --root-url http://<onion-site>/<victim-leak-page>
- The correct scraper plugin will be auto-selected.
- For FTP-based leaks, you will be prompted to include/exclude generic FTP links.
Download all files in the inventory (from scraping or manual input):
ta-dla download --case-dir /path/to/case
Or, download from a text file of URLs (HTTP, FTP, MEGA, etc.):
ta-dla download --case-dir /path/to/case --url-list urls.txt
If you have a text file of FTP URLs (with credentials and path):
ta-dla download-ftp-urls --case-dir /path/to/case --ftp-url-list ftp_urls.txt
Extract, analyze, and report as before:
ta-dla extract --case-dir /path/to/case
ta-dla analyze --case-dir /path/to/case [--skip-sha1]
ta-dla report --case-dir /path/to/case
- SHA1 hash calculation is enabled by default during analysis. All downloaded files will have their SHA1 hashes computed and stored in the inventory database for forensics, legal, and DFIR workflows. This is useful for verifying file integrity, comparing with restored data, and supporting legal/counsel review.
- Use
--skip-sha1to explicitly skip hash calculation if not needed. - SHA1 calculation is parallelized and resource-friendly, and only processes files that are fully downloaded and missing a hash.
See all available scraper and downloader plugins:
ta-dla list-plugins
- All downloads are routed through TOR/SOCKS5 by default.
- You will be warned if OpSec is at risk (e.g., MEGA without TOR).
- Always review findings in a secure, air-gapped environment.
- Add new scrapers or downloaders by implementing the appropriate base class and registering via
setup.pyentry points. - See
ta_dla/scraper/base.pyandta_dla/downloader/base.pyfor interfaces.
ftp://username:password@host/path/to/victim
- Victim-specific FTP links are preferred; generic links are optional and analyst-controlled.
See the documentation or use --help on any command for more details.
- Modular scrapers and downloaders for different TA leak sites (HTTP, FTP, MEGA; all support TOR/OpSec enforcement)
- Resumable, parallel downloads with granular inventory tracking (SQLite)
- Extraction of all major archive formats (zip, 7z, rar, tar.gz, gz, bz2; supports passwords and nested extraction)
- PII/PHI/PCI scanner (regex + entropy, parallelized, batch-processed, CSV output)
- YARA scanner (multiple rulesets, parallel, CSV output)
- ClamAV integration (optional, parallelized, with user guidance)
- Automated enrichment from Ransomware.live API
- Per-case directory structure and atomic status updates
- HTML dashboard reporting (Jinja2, OpSec reminders, cross-references, high-risk file highlighting)
- CLI-driven, no GUI dependencies, with strong OpSec enforcement and reminders
- Unit/integration tests and robust CI (GitHub Actions)
- MIT License
Important: TA-DLA never stores case data, downloads, or extracted files inside the toolkit repository. All case data must be stored in a user-specified directory using the --case-dir argument. This ensures sensitive data is kept outside the toolkit codebase and can be placed on secure or external storage as needed.
Every case should be initialized with the init-case command:
ta-dla init-case --case-dir /cases/AcmeCorp_Qilin/
- Prompts for victim, threat actor, description, analyst, and date
- Uses ransomware.live enrichment if available, but allows manual entry if offline
- Creates a standardized directory structure and saves all metadata in
case.json
Typical Case Flow:
init-case— Set up the case directory, metadata, and structurescrape(optional) — Scrape TA leak sites for download linksdownload/download_ftp/download_http— Download files (uses inventory tracking)extract— Extract all supported archives (nested, password-protected)analyze— Scan for PII/PHI/PCI, YARA, and ClamAV findings (uses metadata fromcase.json)report— Generate HTML dashboard and CSV summaries (uses metadata fromcase.json)- Inventory/DB management as needed
All commands use case.json for victim, TA, and other metadata unless overridden by CLI options.
ta_dla/ # Main toolkit source code
cli.py # CLI entry point
case_manager.py # Case directory/config management (case.json)
scraper/ # Pluggable scraper modules (per TA)
downloader/ # Pluggable downloader modules
extractor/ # Archive extraction logic
analyzer/ # Analysis modules (PII, malware, YARA)
enrichment/ # Ransomware.live API integration
db/ # SQLite helpers
utils.py # Shared utilities
requirements.txt # Python dependencies
README.md # Project documentation
SoftwareRequirements.MD # Full requirements
.github/workflows/ci.yml # GitHub Actions CI workflow
LICENSE # MIT License
To add support for a new threat actor or download method, create a new module in scraper/ or downloader/ and update your case's case.json as needed.
TA-DLA provides a modular CLI (via Click) with commands for scraping, downloading, extracting, analyzing, and reporting. All commands enforce OpSec by default (TOR checks, warnings, and bypass flags). Key commands include:
init-case: Initialize a new case, prompt for metadata, create directories, and savecase.jsondownload/download_ftp/download_http/resume_downloads: Download files from various sources with OpSec enforcementscrape: Scrape TA leak sites for download linksextract: Extract all supported archive types, including nested and password-protectedanalyze: Scan for PII/PHI/PCI, YARA, and ClamAV findings (CSV output; usescase.jsonfor metadata)report: Generate HTML dashboard and CSV summaries (usescase.jsonfor metadata)inventory_status,pending_downloads,failed_downloads,clear_failed_downloads,retry_failed_downloads,export_inventory: Inventory and DB managementopsec_check: Print OpSec reminders and check if TOR is running
Run python -m ta_dla.cli --help for full command details.
- Generates HTML dashboard (Jinja2) summarizing downloads, findings, cross-references, and OpSec reminders
- CSV reports for PII/PHI/PCI, YARA, ClamAV, and cross-referenced files
- Highlights files with multiple types of sensitive data
- Designed for secure, air-gapped review
TA-DLA uses a per-case inventory.db (SQLite) to track download, extraction, and analysis status for every file. This enables:
- Resumable downloads and analysis (even for very large leak sets)
- Querying failed, pending, or partial downloads
- Tracking extraction and analysis findings with granular status codes (e.g.,
pending,in-progress,complete,failed,skipped,corrupt,password-protected,partial) - Reliable reporting and workflow recovery
The database is created automatically in each case directory and is required for robust, large-scale workflows.
- All downloaders and scrapers enforce TOR/SOCKS5 usage for .onion and sensitive sites
- CLI and reporting include OpSec reminders and warnings
- MEGA downloads warn if not using system proxying
- Extraction, download, and analysis phases are robust to OpSec and error handling
- No case data is ever stored in the repo
- Unit and integration tests for core modules (downloaders, extractors, CLI, reporting, etc.)
- End-to-end workflow tests recommended for contributors
- GitHub Actions CI: runs linting, security audit, and tests (with coverage) on Python 3.9, 3.10, and 3.11
- Coverage report uploaded as an artifact on each run
This project is licensed under the MIT License. See LICENSE for details.
For more details, see SoftwareRequirements.MD and the in-code documentation.
TA-DLA now supports Dragonforce-style leak sites with a dedicated scraper and downloader plugin.
- Scrape all files from a Dragonforce leak site:
ta-dla scrape --case-dir /path/to/case --ta dragonforce --root-url http://<dragonforce-onion-site>/<victim-leak-page>
- Download all enumerated files (via Tor):
ta-dla download --case-dir /path/to/case
- The scraper will recursively enumerate all files and directories, saving download links to the inventory.
- The downloader will fetch all pending files using the correct token and path, routing requests through Tor.
- Both plugins are auto-discovered via the plugin system.
- SHA1 hashes are stored in the inventory database for all downloaded files (by default during analysis). This enables:
- File integrity verification
- Comparison with restored or original data
- Legal/counsel review and reporting
- Forensic chain-of-custody documentation