DFIRTrack - The Incident Response Tracking Application


DFIRTrack (Digital Forensics and Incident Response Tracking application) is an open source web application mainly based on Django using a PostgreSQL database backend.
In contrast to other great incident response tools, which are mainly case-based and support the work of CERTs, SOCs etc. in their daily business, DFIRTrack is focused on handling one major incident with a lot of affected systems, as is often observed in APT cases. It is meant to be used as a tool for dedicated incident response teams in large cases. So, of course, CERTs and SOCs may use DFIRTrack as well, but they may feel it is more appropriate in special cases than for everyday work.
In contrast to case-based applications, DFIRTrack works in a system-based fashion. It keeps track of the status of various systems and the tasks associated with them, keeping the analyst well-informed about the status and number of affected systems at any time from the investigation phase up to the remediation phase of the incident response process.

Features
One focus is the fast and reliable import and export of systems and associated information. The goal for importing systems is to provide a fast and error-free process. Moreover, the goal for exporting systems and their status is to have multiple instances of documentation: for example, detailed Markdown reports for technical staff vs. spreadsheets for non-technical audiences, without redundancies and deviations in the data sets. A manager whose numbers match is a happy manager! ;-)
The following functions are implemented for now:
  • Importer
    • Creator (fast creation of multiple related instances via web interface) for systems and tasks,
    • CSV (a simple, generic CSV-based import of either hostname and IP or hostname and tags, combined with a web form; this should fit the export capabilities of many tools),
    • Markdown for entries (one entry per system (report)).
  • Exporter
    • Markdown for so-called system reports (for use in a MkDocs structure),
    • Spreadsheet (CSV and XLS),
    • LaTeX (planned).
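The CSV importer above accepts either hostname and IP or hostname and tags. The following pre-flight validator is an added example, not DFIRTrack's own importer: it assumes the two row layouts "hostname,ip" and "hostname,tag1;tag2" (the ';' tag separator is an assumption) and rejects malformed hostnames, invalid IPs and duplicate hosts before anything reaches the database, which is what an error-free import needs when the CSV comes from another tool's export.

```python
import csv
import io
import ipaddress
import re

# RFC 1123 hostname label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_hostname(name):
    """True if the whole name fits in 253 chars and every dot-separated label is valid."""
    return 0 < len(name) <= 253 and all(_LABEL.match(lab) for lab in name.split("."))


def validate_rows(text, layout):
    """Validate CSV text for layout 'ip' (hostname,ip) or 'tags' (hostname,tag1;tag2).
    Returns (accepted, errors): accepted holds (hostname, value) tuples in input order,
    errors holds 'line N: reason' strings. Duplicate hostnames are rejected so one host
    never becomes two systems in the inventory.
    """
    accepted, errors, seen = [], [], set()
    for n, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(not c.strip() for c in row):
            continue  # blank line
        if len(row) != 2:
            errors.append(f"line {n}: expected 2 columns, got {len(row)}")
            continue
        host, value = (c.strip() for c in row)
        host = host.lower()  # hostnames are case-insensitive; normalise before dedup
        if not valid_hostname(host):
            errors.append(f"line {n}: invalid hostname {host!r}")
            continue
        if host in seen:
            errors.append(f"line {n}: duplicate hostname {host!r}")
            continue
        if layout == "ip":
            try:
                value = str(ipaddress.ip_address(value))  # canonical form, v4 or v6
            except ValueError:
                errors.append(f"line {n}: invalid IP address {value!r}")
                continue
        else:
            value = [t for t in (t.strip() for t in value.split(";")) if t]
            if not value:
                errors.append(f"line {n}: no tags given for {host!r}")
                continue
        seen.add(host)
        accepted.append((host, value))
    return accepted, errors


# Constructed sample export, as another tool might hand it over (not real data)
SAMPLE_IP_CSV = "srv01,10.0.0.5\nSRV01,10.0.0.6\nbad_host,10.0.0.7\nsrv02,999.1.1.1\nsrv03,2001:db8::1\n"
```

Running `validate_rows(SAMPLE_IP_CSV, "ip")` accepts srv01 and srv03 and reports the duplicate, the underscore hostname and the out-of-range IP as three separate line errors.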

Installation and dependencies
DFIRTrack is developed for deployment on Debian Stretch or Ubuntu 16.04. Other Debian-based distributions or versions may work but have not been tested yet. At the moment the project will be focused on Ubuntu LTS and Debian releases.
For a fast and simple installation on a dedicated server including all dependencies, an Ansible playbook and role was written (available here). For testing, a Docker environment was prepared (see below).
For a minimal setup the next dependencies are needed:
  • django (2.0),
  • django_q,
  • djangorestframework,
  • gunicorn,
  • postgresql,
  • psycopg2-binary,
  • python3-pip,
  • PyYAML,
  • requests,
  • virtualenv,
  • xlwt.
Note that there is no settings.py in this repository. This file is submitted via Ansible or has to be copied and configured by hand. That will be changed in the future (see issues for more information).

Docker Environment
An experimental Docker Compose environment for local-only usage is provided in this project. Run the following command in the project root directory to start the environment:
docker-compose up
A user admin is already created. A password can be set with:
docker/setup_admin.sh
The application is located at localhost:8000.

Built-in software
The application was created by implementing the following libraries and code:

Development
There are two main branches:
  • master
  • development
The master branch should be stable (as far as you can expect from an alpha version). New features and changes are added to the development branch and merged into master from time to time. Everything merged into development should run as well but might need manual changes (e.g. config). The development branch of DFIRTrack Ansible should follow these changes. So if you want to see the latest features and progress: "check out" development.

Disclaimer
This software is in an early alpha stage, so a lot of work still has to be done. Even though some basic error checking is implemented, as of now the usage of DFIRTrack mainly depends on proper handling.
DFIRTrack was not and most likely will never be intended for usage on publicly available servers. Although some basic security features were implemented (in particular in connection with the corresponding Ansible role), always install DFIRTrack in a secured environment (e.g. a dedicated virtual machine or a separated network)!
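Because settings.py is configured by hand (see Installation and dependencies) and the application is meant for a secured, non-public environment, it is worth checking the file before the first start. The audit below is an added example, not part of DFIRTrack or its Ansible role: it parses a settings.py text with `ast` (never exec) and flags the standard Django settings that most often turn a local-only deployment into an exposed one; the sample settings and the 50-character key threshold are assumptions.

```python
import ast


def _literal_assignments(source):
    """Collect top-level NAME = <literal> assignments; anything else is skipped."""
    found = {}
    for node in ast.parse(source).body:
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            try:
                found[node.targets[0].id] = ast.literal_eval(node.value)
            except (ValueError, TypeError):
                pass  # e.g. os.environ[...] lookups: cannot be judged statically
    return found


def audit_settings(source):
    """Return a list of findings for a settings.py text; [] means nothing flagged."""
    s = _literal_assignments(source)
    findings = []
    if s.get("DEBUG", False):
        findings.append("DEBUG is True: error pages leak settings and queries to any client")
    hosts = s.get("ALLOWED_HOSTS", [])
    if "*" in hosts or any(isinstance(h, str) and h.startswith(".") for h in hosts):
        findings.append("ALLOWED_HOSTS uses a wildcard: pin it to the dedicated VM's name")
    key = s.get("SECRET_KEY", "")
    if len(key) < 50 or any(w in key.lower() for w in ("change", "example")):
        findings.append("SECRET_KEY is missing, too short or looks like a placeholder")
    for name in ("SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE"):
        if not s.get(name, False):
            findings.append(f"{name} is not True: cookies may be sent over plain HTTP")
    return findings


# Constructed samples (not from DFIRTrack): a copied-and-forgotten file vs a fixed one
WEAK_SETTINGS = """
DEBUG = True
ALLOWED_HOSTS = ['*']
SECRET_KEY = 'change-me'
"""
HARDENED_SETTINGS = """
DEBUG = False
ALLOWED_HOSTS = ['dfirtrack.ir-lab.internal']
SECRET_KEY = '0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
"""
```

`audit_settings(WEAK_SETTINGS)` returns five findings, `audit_settings(HARDENED_SETTINGS)` returns none; values pulled from the environment are skipped rather than guessed.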