README
¶
](https://deepsource.io/gh/jurelou/forensibus/?ref=repository-badge){kind=icon}
Warning Forensibus is currently in Alpha release.
Features
- 🔎 Supports many DFIR artifacts
- ⚡ Blazingly fast - Horizontal scaling and high performance parallelism
- ⚙️ Modular - Add your own artifacts processors with ease
- 🖥️ Works with splunk right off the bat
Installation
Get the latest release from github:
mkdir forensibus
wget -c https://github.com/jurelou/forensibus/releases/latest/download/forensibus.tar -O - | tar -x -C forensibus
Once decompressed, the release contains:
forensibus_linux_amd64: A linux statically compiled binary using musl libcpipelines/: Folder containing pre-made pipelinesexternal/: Folder containing external tools (yara, sigma, …) and detection signaturesdocker/: Folder containing docker configuration files
By default, forensibus logs are stored under /var/log/forensibus.log
Create a log file, assign the rights to your current user and restrict file access to append only
sudo touch /var/log/forensibus.log
sudo chown `id -u`:`id -g` /var/log/forensibus.log
sudo chattr +a /var/log/forensibus.log
Quick start
Analyse DFIR-ORC archives
./forensibus_linux_amd64 run -p pipelines/dfir-orc.hcl <ORC_FILE>
See other pipelines in the
pipelinesfolder
Acknowledgments
this project would not have been possible without these awesome projects:
- https://github.com/Velocidex/velociraptor
- https://github.com/hashicorp/hcl
- https://github.com/coreos/go-systemd
- https://github.com/hillu/go-yara
License
Source code in forensibus is available under the GNU General Public License v3.0.
Documentation
Source Files
Directories
Click to show internal directories.
Click to hide internal directories.