```bash
# Clone repository
git clone https://github.com/cmdaltr/rivendell.git
cd rivendell
elrond --check-dependencies
```
Web Investigation Workflow:
CLI Investigation Workflow:
1. Acquire evidence from the remote system

```bash
python3 src/acquisition/python/gandalf.py Password 192.168.1.100 -u administrator -M -o /evidence/CASE-001
```

Install scripts shipped with the repository:

```bash
sudo ./scripts/install_macos.sh
```

```powershell
.\scripts\install_windows_wsl.ps1
```

2. Process and analyze the evidence

```bash
elrond -C -c CASE-001 -s /evidence/CASE-001 -m /evidence/CASE-001/memory.dmp -o /cases/CASE-001
```
3. Additional optional features

- Map to MITRE ATT&CK: `python3 -m rivendell.mitre.mapper /cases/CASE-001`
- Index for AI analysis: `rivendell-ai index CASE-001 /cases/CASE-001`
- Query with natural language: `rivendell-ai query CASE-001 "What PowerShell commands were executed?"`
- Generate report: `rivendell-ai summary CASE-001 --format markdown --output report.md`
- Remote Acquisition - Collect artifacts from remote Windows, Linux, and macOS systems
- Automated Analysis - Process evidence with 30+ integrated forensic tools
- MITRE ATT&CK Integration - Automatic technique mapping with comprehensive content-based detection and ATT&CK Navigator visualization
- Cloud Forensics - AWS, Azure, and GCP investigation support
- AI-Powered Analysis - Natural language queries of investigation data
- Memory Forensics - Volatility 3 integration for memory analysis
- Timeline Generation - Plaso/log2timeline for comprehensive timelines
- SIEM Integration - Direct export to Splunk and Elasticsearch
```
┌─────────────────────────────────────────────────────────┐
│                     Rivendell Suite                     │
├─────────────────────────────────────────────────────────┤
│                                                         │
│  ┌──────────────┐   ┌──────────────┐   ┌───────────┐    │
│  │   Gandalf    │   │    Elrond    │   │    AI     │    │
│  │ Acquisition  │──▶│   Analysis   │──▶│   Agent   │    │
│  └──────────────┘   └──────────────┘   └───────────┘    │
│         │                  │                  │         │
│  ┌─────────────────────────────────────────────────┐    │
│  │      MITRE ATT&CK • Cloud • SIEM • Reports      │    │
│  └─────────────────────────────────────────────────┘    │
│                                                         │
└─────────────────────────────────────────────────────────┘
```
Collect forensic artifacts from local and remote systems.
Features:
- Multi-platform support (Windows, Linux, macOS)
- Remote acquisition via SSH and PowerShell
- Memory dump collection
- Encrypted evidence packaging
- SHA256 hashing and audit trails
- Comprehensive artifact collection
Collected Artifacts:
- System information
- Running processes
- Network connections
- Registry hives (Windows)
- Event logs (Windows)
- System logs (Linux/macOS)
- Browser artifacts
- User profiles
- Scheduled tasks
- Services
- Memory dumps
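Gandalf records SHA256 hashes and an audit trail for what it collects. The check an analyst wants before handing the evidence to Elrond is that the copy on the analysis host still matches those hashes. The following is an added example, not Gandalf's own code or manifest format: it builds a SHA256 manifest over an evidence directory and re-verifies it, reporting modified, missing and untracked files. The directory layout, file names and file contents are constructed for the demo.

```python
"""Added example (not Rivendell code): build and verify a SHA256 manifest
for an acquired evidence directory.  The evidence tree in demo() is
constructed; nothing here calls gandalf.py."""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so a memory dump is never loaded whole


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: Path, case_id: str) -> dict:
    """Hash every regular file under evidence_dir; paths are stored relative."""
    files = {}
    for p in sorted(evidence_dir.rglob("*")):
        if p.is_file() and p.name != "manifest.json":
            files[p.relative_to(evidence_dir).as_posix()] = {
                "sha256": sha256_file(p),
                "size": p.stat().st_size,
            }
    manifest = {"case": case_id, "files": files}
    # One hash over the canonical file table: the single value to record in the case log
    body = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    manifest["manifest_sha256"] = hashlib.sha256(body).hexdigest()
    return manifest


def verify_manifest(evidence_dir: Path, manifest: dict) -> dict:
    """Return {relative_path: status}, status in ok/modified/missing/untracked."""
    result = {}
    expected = manifest["files"]
    for rel, meta in expected.items():
        p = evidence_dir / rel
        if not p.is_file():
            result[rel] = "missing"
        elif sha256_file(p) != meta["sha256"]:
            result[rel] = "modified"
        else:
            result[rel] = "ok"
    # Files that appeared after acquisition are evidence of a dirty working copy
    for p in evidence_dir.rglob("*"):
        rel = p.relative_to(evidence_dir).as_posix()
        if p.is_file() and rel not in expected and p.name != "manifest.json":
            result[rel] = "untracked"
    return result


def demo() -> dict:
    """Constructed evidence tree: one file tampered and one added after acquisition."""
    with tempfile.TemporaryDirectory() as tmp:
        ev = Path(tmp)
        (ev / "memory.dmp").write_bytes(b"\x00" * 4096)
        (ev / "logs").mkdir()
        (ev / "logs" / "auth.log").write_text("Jan 1 00:00:01 host sshd[1]: Accepted\n")
        manifest = build_manifest(ev, "CASE-001")
        (ev / "manifest.json").write_text(json.dumps(manifest, indent=2))
        # simulate post-acquisition tampering and a stray analyst file
        (ev / "logs" / "auth.log").write_text("\n")
        (ev / "notes.txt").write_text("analyst notes")
        return verify_manifest(ev, manifest)


if __name__ == "__main__":
    print(demo())
```

The manifest hash is the value worth writing into the case log: a later `verify_manifest` against a stored manifest proves both that the files are unchanged and that the manifest itself is the one produced at acquisition time.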
Process and analyze forensic evidence with integrated tools.
Features:
- Automated artifact parsing
- Timeline generation with Plaso
- Memory forensics with Volatility 3
- Registry analysis
- Event log parsing
- IOC detection
- Browser artifact extraction
- Multi-OS support (Windows, Linux, macOS)
Integrated Tools:
- Volatility 3 (memory analysis)
- Plaso/log2timeline (timeline generation)
- RegRipper (registry parsing)
- EvtxCmd (event log parsing)
- Bulk Extractor (IOC extraction)
- 25+ additional forensic utilities
Automatically map forensic findings to MITRE ATT&CK techniques with comprehensive content-based detection.
Features:
- Auto-updates from MITRE ATT&CK framework (v18.1)
- Content-based pattern matching for accurate technique detection
- 600+ ATT&CK techniques with full descriptions
- Multi-tactic technique support (techniques mapped to all relevant tactics)
- ATT&CK Navigator layer generation with automatic visualization
- Splunk dashboards for each technique with tactic badges
- Comprehensive JSON record scanning (all records, not sampled)
- Large file streaming support for files >10MB
Usage:

```bash
# Update MITRE data
python3 -m rivendell.mitre.updater
# Map artifacts to techniques
python3 -m rivendell.mitre.mapper /path/to/artifacts
# Generate Navigator layer
python3 -m rivendell.mitre.dashboard -o /output/dashboard.html
```

Coverage:
- 600+ ATT&CK techniques detected
- All 14 tactics covered
- Content-based pattern matching for accurate detection
- Evidence source mapping with full metadata
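The mapper's two properties worth understanding are content-based matching (the record's text is tested, not just a field name) and streaming (every record of a large file is scanned without loading the file into memory). The following is an added example, not Rivendell's `rivendell.mitre.mapper`: it streams JSON-lines records, tests each record's string content against a constructed regex signature set, and writes an ATT&CK Navigator layer with one entry per technique per tactic. The signature set, field names and sample records are assumptions for the demo; the technique IDs are real ATT&CK identifiers.

```python
"""Added example, not Rivendell code: stream JSON-lines artifact records,
match content against regex signatures, emit a Navigator layer.
Signatures, field names and SAMPLE are constructed for the demo."""
import io
import json
import re
from collections import defaultdict
from typing import Iterable, Iterator

# (technique, tactics the technique belongs to, content pattern) - constructed set
SIGNATURES = [
    ("T1059.001", ["execution"],
     re.compile(r"powershell(\.exe)?\b.*(-enc(odedcommand)?|-nop|bypass)", re.I)),
    ("T1053.005", ["execution", "persistence", "privilege-escalation"],
     re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I)),
    ("T1047", ["execution"],
     re.compile(r"\bwmic(\.exe)?\b.*\bprocess\s+call\s+create\b", re.I)),
    ("T1547.001", ["persistence", "privilege-escalation"],
     re.compile(r"\\CurrentVersion\\Run\b", re.I)),
    ("T1003.001", ["credential-access"],
     re.compile(r"\b(procdump|rundll32\s+comsvcs\.dll).*\blsass\b", re.I)),
]


def iter_records(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one JSON object per line; works on an open file, so a multi-GB
    export is scanned line by line.  Malformed lines are skipped, not fatal."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def record_text(rec: dict) -> str:
    """Flatten every string value so nested fields are scanned too."""
    parts = []

    def walk(v):
        if isinstance(v, dict):
            for x in v.values():
                walk(x)
        elif isinstance(v, list):
            for x in v:
                walk(x)
        elif isinstance(v, str):
            parts.append(v)

    walk(rec)
    return " ".join(parts)


def map_records(records: Iterable[dict], source: str) -> dict:
    """Return {technique_id: {"tactics": [...], "hits": [evidence, ...]}}."""
    hits = defaultdict(lambda: {"tactics": [], "hits": []})
    for n, rec in enumerate(records):
        text = record_text(rec)
        for tid, tactics, pat in SIGNATURES:
            m = pat.search(text)
            if m:
                hits[tid]["tactics"] = tactics
                hits[tid]["hits"].append({"source": source, "record": n, "match": m.group(0)[:120]})
    return dict(hits)


def navigator_layer(mapping: dict, name: str) -> dict:
    """Navigator layer (format version assumed 4.5): one entry per technique
    per tactic, score = number of matching records."""
    techniques = []
    for tid, info in mapping.items():
        for tactic in info["tactics"]:
            techniques.append({
                "techniqueID": tid, "tactic": tactic, "score": len(info["hits"]),
                "comment": f"{len(info['hits'])} record(s) in {info['hits'][0]['source']}",
            })
    return {"name": name, "versions": {"layer": "4.5"},
            "domain": "enterprise-attack", "techniques": techniques}


# Constructed sample: process records as JSON lines, plus one malformed line.
SAMPLE = "\n".join(json.dumps(r) for r in [
    {"pid": 4120, "image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"pid": 4188, "image": "schtasks.exe", "cmdline": "schtasks /create /tn Updater /tr C:\\Temp\\u.exe /sc onlogon"},
    {"pid": 4201, "image": "notepad.exe", "cmdline": "notepad.exe C:\\Users\\bob\\notes.txt"},
    {"pid": 4250, "image": "reg.exe", "cmdline": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v u /d C:\\Temp\\u.exe"},
]) + "\nnot json\n"


def demo() -> dict:
    mapping = map_records(iter_records(io.StringIO(SAMPLE)), "processes.json")
    return navigator_layer(mapping, "CASE-001")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because `iter_records` consumes any iterable of lines, passing an open file handle gives the streaming behaviour the feature list describes; the signature list is the part a practitioner would replace with the project's full technique set.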
Real-time MITRE ATT&CK coverage analysis during investigations.
Features:
- Standalone coverage analyzer
- Live detection as artifacts are processed
- Integration with Elrond analysis
- SIEM export (Splunk, Elasticsearch)
- Visual coverage dashboards
Usage:

```bash
# Analyze coverage
python3 -m rivendell.coverage.analyzer /cases/CASE-001
# Real-time monitoring
python3 -m rivendell.coverage.monitor --watch /cases
# Generate dashboard
python3 -m rivendell.coverage.dashboard -o dashboard.html
```

Extended support for Windows, macOS, and Linux artifacts.
Features:
- Windows: WMI persistence detection, scheduled tasks, services
- macOS: plists, launch agents/daemons, unified logs, FSEvents
- Linux: systemd services, cron jobs, bash history, auth logs
Usage:

```bash
# Parse Windows WMI
python3 -m rivendell.artifacts.windows.wmi /path/to/system
# Parse macOS artifacts
python3 -m rivendell.artifacts.macos.launch_agents /path/to/system
# Parse Linux artifacts
python3 -m rivendell.artifacts.linux.systemd /path/to/system
```

Investigate cloud infrastructure across AWS, Azure, and GCP.
Features:
- AWS: EC2 snapshots, CloudTrail analysis, S3 forensics
- Azure: VM disk snapshots, Activity Log analysis
- GCP: Compute Engine snapshots, Cloud Logging analysis
- Unified CLI across all providers
- MITRE ATT&CK mapping for cloud techniques
Usage:

```bash
# List AWS instances
python3 -m rivendell.cloud.cli aws list --credentials aws_creds.json
# Acquire Azure VM disk
python3 -m rivendell.cloud.cli azure acquire-disk \
    --instance-id myvm \
    --resource-group mygroup \
    --output ./output
# Analyze CloudTrail logs
python3 -m rivendell.cloud.cli aws analyze-logs \
    --log-file cloudtrail.json \
    --output ./analysis
```

Detected Techniques:
- T1078.004 - Cloud Accounts
- T1530 - Data from Cloud Storage
- T1580 - Cloud Infrastructure Discovery
- T1619 - Cloud Storage Object Discovery
- And 13+ more cloud-specific techniques
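As an added example, not the project's `rivendell.cloud.cli`, the following scans CloudTrail-style records for the techniques listed above: a successful console login without MFA (T1078.004), a burst of discovery calls from one principal within a short window (T1580, T1619), and object retrieval (T1530). The event-name sets, the five-minute burst window, the minimum burst size and the sample records are constructed for the demo; the record shape follows CloudTrail's `Records` array, and the technique IDs are real ATT&CK identifiers.

```python
"""Added example, not Rivendell code: flag cloud ATT&CK techniques in
CloudTrail records.  Event-name sets, thresholds and SAMPLE are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery calls that, in a burst from one principal, indicate enumeration (constructed sets)
DISCOVERY = {
    "T1580": {"DescribeInstances", "DescribeSecurityGroups", "DescribeVpcs", "ListFunctions"},
    "T1619": {"ListBuckets", "ListObjects", "ListObjectsV2", "GetBucketAcl"},
}
COLLECTION = {"T1530": {"GetObject"}}
BURST_WINDOW = timedelta(minutes=5)  # assumed window
BURST_MIN = 3                        # assumed minimum calls in the window


def principal(rec: dict) -> str:
    """Stable actor label: the ARN when present, else the principalId."""
    ident = rec.get("userIdentity", {})
    return ident.get("arn") or ident.get("principalId", "unknown")


def ts(rec: dict) -> datetime:
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def finding(tid: str, actor: str, evs: list) -> dict:
    return {"technique": tid, "principal": actor,
            "sourceIP": sorted({r.get("sourceIPAddress", "?") for r in evs}),
            "events": [r["eventName"] for r in evs],
            "first": evs[0]["eventTime"], "last": evs[-1]["eventTime"]}


def analyze(records: list) -> list:
    """Return findings: [{technique, principal, sourceIP, events, first, last}]."""
    findings = []
    by_principal = defaultdict(list)
    for rec in sorted(records, key=ts):
        by_principal[principal(rec)].append(rec)
    for actor, evs in by_principal.items():
        # T1078.004 heuristic: successful console login with MFAUsed == "No"
        for r in evs:
            if (r.get("eventName") == "ConsoleLogin"
                    and r.get("responseElements", {}).get("ConsoleLogin") == "Success"
                    and r.get("additionalEventData", {}).get("MFAUsed") == "No"):
                findings.append(finding("T1078.004", actor, [r]))
        # Discovery burst: BURST_MIN or more calls from one set inside BURST_WINDOW
        for tid, names in DISCOVERY.items():
            hits = [r for r in evs if r.get("eventName") in names]
            i = 0
            for j in range(len(hits)):
                while ts(hits[j]) - ts(hits[i]) > BURST_WINDOW:
                    i += 1
                if j - i + 1 >= BURST_MIN:
                    findings.append(finding(tid, actor, hits[i:j + 1]))
                    break
        for tid, names in COLLECTION.items():
            hits = [r for r in evs if r.get("eventName") in names]
            if hits:
                findings.append(finding(tid, actor, hits))
    return findings


def ev(t: str, name: str, arn: str, ip: str, **extra) -> dict:
    """Build one constructed CloudTrail-shaped record."""
    return {"eventTime": t, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "arn": arn}, **extra}


ALICE = "arn:aws:iam::111122223333:user/alice"
BOB = "arn:aws:iam::111122223333:user/bob"
SAMPLE = {"Records": [  # constructed; alice enumerates and pulls an object, bob does not burst
    ev("2024-05-01T10:00:00Z", "ConsoleLogin", ALICE, "203.0.113.7",
       responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "No"}),
    ev("2024-05-01T10:01:10Z", "ListBuckets", ALICE, "203.0.113.7"),
    ev("2024-05-01T10:01:40Z", "GetBucketAcl", ALICE, "203.0.113.7"),
    ev("2024-05-01T10:02:05Z", "ListObjectsV2", ALICE, "203.0.113.7"),
    ev("2024-05-01T10:03:00Z", "GetObject", ALICE, "203.0.113.7"),
    ev("2024-05-01T09:00:00Z", "DescribeInstances", BOB, "198.51.100.2"),
    ev("2024-05-01T11:30:00Z", "DescribeVpcs", BOB, "198.51.100.2"),
]}


def demo() -> list:
    return analyze(SAMPLE["Records"])


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Grouping by principal before applying the window is what keeps bob's two widely spaced `Describe*` calls from being reported; a per-account count with no actor or time dimension would flag them.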
Query investigation data using natural language with local AI.
Features:
- Natural language queries of forensic data
- Investigation path suggestions
- Automated case summaries
- Web chat interface (port 5687)
- Privacy-focused local LLM (Ollama/LlamaCpp)
- Multi-artifact search (timeline, IOCs, processes, network, registry)
Usage:

```bash
# Index case data
rivendell-ai index CASE-001 /cases/CASE-001
# Query the case
rivendell-ai query CASE-001 "What PowerShell commands were executed?"
# Get investigation suggestions
rivendell-ai suggest CASE-001
# Generate case summary
rivendell-ai summary CASE-001 --format markdown --output summary.md
# Start web interface
python3 -m rivendell.ai.web_interface
# Access at http://localhost:5687/ai/chat/CASE-001
```

Example Queries:
- "What PowerShell commands were executed?"
- "Show network connections to external IPs"
- "What MITRE ATT&CK techniques were detected?"
- "Summarize the attack timeline"
- "What persistence mechanisms were found?"
Core Requirements:
- Python 3.8+
- Volatility 3
- Plaso/log2timeline
- 30+ forensic utilities
Optional:
- Ollama (for AI agent)
- Docker (for containerized deployment)
- Splunk/Elasticsearch (for SIEM integration)
For complete installation guide, see: REQUIREMENTS.md
- Quick Start - Get started in 5 minutes
- Usage Guide - Complete command reference for all features
- Workflows - Common investigation workflows
- Requirements - Installation requirements and dependencies
- User Guide - Comprehensive user guide
- Configuration - Configuration options
- Support - Troubleshooting and help
- Artifacts - Supported artifact types and parsing
- Cloud Forensics - AWS, Azure, and GCP investigations
- AI Agent - Natural language analysis
- SIEM Integration - Splunk and Elasticsearch
- Tools - Integrated forensic tools
- Update Guide - Update procedures
- Contributing - Contribution guidelines
Incident Response:

```bash
# Quick triage → Analysis → MITRE mapping → AI query → SIEM export
python3 acquisition/python/gandalf.py Password 192.168.1.100 -u admin -o /evidence
elrond -C -c IR-2024-001 -s /evidence -o /cases/IR-2024-001
python3 -m rivendell.mitre.mapper /cases/IR-2024-001
rivendell-ai query IR-2024-001 "What lateral movement occurred?"
```

Malware Analysis:

```bash
# Acquire → Memory analysis → IOC extraction → Report
python3 acquisition/python/gandalf.py Password 192.168.1.50 -M -o /evidence
elrond -C -c MAL-001 -s /evidence -m /evidence/memory.dmp -o /output
rivendell-ai query MAL-001 "What IOCs were detected?"
rivendell-ai summary MAL-001 --format markdown --output report.md
```

Cloud Investigation:

```bash
# Acquire logs → Analyze → Query
python3 -m rivendell.cloud.cli aws acquire-logs --days 30 --output ./logs
python3 -m rivendell.cloud.cli aws analyze-logs --log-file ./logs/cloudtrail.json
rivendell-ai query CLOUD-001 "What suspicious AWS API calls were made?"
```

For complete workflows, see: WORKFLOWS.md
We welcome contributions! See CONTRIBUTION.md for guidelines.
Ways to Contribute:
- Report bugs and request features
- Improve documentation
- Add support for new artifacts
- Develop integrations
- Share use cases and workflows
This project is licensed under the MIT License - see the LICENSE file for details.
Rivendell integrates many excellent open-source forensic tools:
- Volatility 3 - Memory forensics framework
- Plaso/log2timeline - Timeline generation
- RegRipper - Registry analysis
- Bulk Extractor - IOC extraction
- MITRE ATT&CK - Adversary tactics and techniques
- Ollama - Local LLM inference
- LangChain - AI orchestration
And 25+ additional tools. See TOOLS.md for the complete list.
- Documentation: See docs/
- Issues: GitHub Issues
- Discussions: GitHub Discussions
- Support Guide: SUPPORT.md
v2.2 (Planned):
- Mobile device forensics (iOS, Android)
- Network forensics integration
- Automated reporting enhancements
- Additional SIEM integrations
v2.3 (Future):
- Collaborative investigation features
- Advanced ML-based anomaly detection
- Container forensics (Docker, Kubernetes)
- Threat intelligence integration
- Lines of Code: 50,000+
- Integrated Tools: 30+
- Supported Platforms: Windows, Linux, macOS
- Cloud Providers: AWS, Azure, GCP
- MITRE ATT&CK Techniques: 600+
- Artifact Types: 50+
Built with ❤️ for the DFIR community
