Warning
Forensibus is currently in Alpha release.
Features
- 🔎 Supports many DFIR artifacts
- ⚡ Blazingly fast - Horizontal scaling and high-performance parallelism
- ⚙️ Modular - Add your own artifacts processors with ease
- 🖥️ Works with Splunk right off the bat
Installation
Get the latest release from GitHub:
mkdir forensibus
wget -c https://github.com/jurelou/forensibus/releases/latest/download/forensibus.tar -O - | tar -x -f - -C forensibus
Once decompressed, the release contains:
forensibus_linux_amd64
: A statically compiled Linux binary (built against musl libc)
pipelines/
: Folder containing pre-made pipelines
external/
: Folder containing external tools (yara, sigma, …) and detection signatures
docker/
: Folder containing docker configuration files
By default, forensibus writes its log to /var/log/forensibus.log.
Create the log file, make your current user its owner, and restrict it to append-only writes so existing entries cannot be overwritten or truncated:
sudo touch /var/log/forensibus.log
sudo chown `id -u`:`id -g` /var/log/forensibus.log
sudo chattr +a /var/log/forensibus.log
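A pre-flight check for the log file set up above, added here as an example and not part of forensibus itself: it confirms the file exists, is owned by the calling user, and still carries the append-only attribute (a root user could silently remove it with chattr -a). The default path and the exit codes are this example's own choices.

```shell
#!/bin/sh
# Verify the forensibus log file protections before starting an analysis.
# Exit codes (chosen for this example):
#   0 = file exists, owned by the caller, append-only attribute set
#   1 = file missing, unreadable, or owned by another user
#   2 = lsattr unavailable or the filesystem does not report inode attributes
#   3 = file present but the append-only (a) attribute is NOT set
check_forensibus_log() {
    log="${1:-/var/log/forensibus.log}"   # same default path as forensibus
    [ -f "$log" ] || { echo "missing: $log" >&2; return 1; }

    # Ownership: forensibus runs as this user and must be able to append.
    owner=$(stat -c '%u' "$log" 2>/dev/null) || return 1
    [ "$owner" = "$(id -u)" ] || { echo "not owned by uid $(id -u): $log" >&2; return 1; }

    # lsattr prints the flag string first, e.g. "-----a--------e------- /var/log/forensibus.log".
    # A lowercase 'a' in that string is the append-only flag set by chattr +a.
    flags=$(lsattr -d "$log" 2>/dev/null | awk '{print $1}')
    [ -n "$flags" ] || { echo "cannot read attributes of $log" >&2; return 2; }

    case "$flags" in
        *a*) return 0 ;;
        *)   echo "append-only attribute not set: $log" >&2; return 3 ;;
    esac
}

# Typical use: abort the run if the log is not protected.
# check_forensibus_log /var/log/forensibus.log || exit $?
```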
Quick start
Analyse DFIR-ORC archives
./forensibus_linux_amd64 run -p pipelines/dfir-orc.hcl <ORC_FILE>
See the other pre-made pipelines in the pipelines/ folder.
Acknowledgments
This project would not have been possible without these awesome projects:
License
Source code in forensibus is available under the GNU General Public License v3.0.