Unified Digital Forensics & Incident Response Operations Console
DFIRVault is a comprehensive, all-in-one console application designed for Digital Forensics and Incident Response (DFIR) professionals. It consolidates multiple essential DFIR tools into a single, unified interface, streamlining your investigative workflow and eliminating the need to juggle between different applications.
Developed by a DFIR practitioner for DFIR practitioners, DFIRVault integrates case management, threat scanning, log analysis, timeline processing, log enrichment, CSV utilities, disk image conversion, data ingestion, and synchronization capabilities into one powerful platform.
- 🚀 Unified Workflow: No more switching between multiple tools - everything you need in one place
- 🔒 Forensic Soundness: Built with forensic best practices and chain-of-custody considerations
- 📊 Comprehensive Reporting: Generate detailed HTML, CSV, and JSON reports for documentation
- ⚡ Performance Optimized: Multi-threaded scanning and efficient data processing
- 🔧 Enterprise Ready: Integrates with Splunk, Elasticsearch, and scheduled task automation
- Create structured case folders with pre-defined evidence directory hierarchy
- Archive cases with optional AES-256 encryption (7-Zip integration)
- Case metadata tracking and keyword management
- One-click folder access and backup location management
- EVTX log scanning with Sigma rule detection
- CSV timeline generation with ISO-8601 timestamps
- HTML report creation for easy sharing and documentation
- Recursive folder scanning for mounted images and drive collections
- Sigma rule-based hunting across EVTX files
- Event log correlation and pattern detection
- CSV output for further analysis in Splunk/ELK
- Custom rule support for organization-specific threats
- Filesystem IOC scanning across multiple drives
- MD5 hash extraction for threat intelligence matching
- Multi-threaded scanning for maximum performance
- HTML and CSV reports with detailed findings
- Create/delete Splunk indexes programmatically
- Monitor folders and automatically ingest logs
- Backup/restore indexes with password protection
- Web interface launcher for quick access
- Bulk CSV upload to Elasticsearch clusters
- Automatic index creation with date-based naming
- Timestamp detection and field mapping
- Chunked uploads with progress tracking
- Bidirectional sync between local and remote folders
- Real-time file monitoring with Watchdog
- Remote folder browser with GUI selection
- Comprehensive logging for audit trails
- Safe scheduled synchronization using Windows Task Scheduler
- Graceful deletion handling with 30-day recovery window
- Bi-directional sync option for mirroring
- Deleted file vault with automatic purging
- Enhance your logs before they go into your SIEM or log analysis engine.
- Enrich with the latest IOCs: query the IP2Proxy database, OTX, and AbuseIPDB
- Find threats faster: enrich your logs before processing, saving the time, effort and overhead of post-ingestion lookups
- Convert a bodyfile to CSV in preparation for super-timelining and import into your local log analysis platform (Splunk, Elastic, OpenSearch)
- Additional HTML report with interactive filters for fast timelining triage and analysis
- Split large CSV files by maximum file size (MB) or record count
- Preserve CSV structure with optional header duplication in each split file
- Integrity verification to confirm all records were successfully split
- Optimised for large DFIR datasets generated by Hayabusa, Chainsaw, Thor, Splunk, and Elasticsearch exports
- Automatic output management with organised split-file naming conventions
- Normalise inconsistent timestamps across CSV datasets
- Convert multiple timestamp formats into a standard DD/MM/YYYY HH:MM:SS format
- Improve SIEM ingestion compatibility for Splunk, Elasticsearch, OpenSearch, and other analytics platforms
- Reduce timeline parsing issues caused by mixed date formats
- Prepare datasets for forensic timeline analysis and cross-source correlation
- Convert forensic and virtual disk image formats using QEMU's qemu-img
- Batch conversion support for multiple image files
- Convert between RAW, QCOW2, VMDK, VHDX, and other supported formats
- Simplify evidence preparation for virtual machines, sandboxes, and analysis environments
- Streamline cross-platform image compatibility between forensic and virtualisation tools
- Menu-driven Volatility 3 interface
- Analyse multiple memory captures sequentially
- Generate HTML reports with all captured information included
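An added example (not DFIRVault's own code) of the record-count split with header duplication and the integrity check described above, in Python; the file and function names are assumptions, and the sample export is constructed:

```python
import csv
import tempfile
from pathlib import Path

def split_csv(src: Path, out_dir: Path, max_records: int, keep_header: bool = True) -> list:
    """Stream src into parts of at most max_records data rows; returns the part paths in order."""
    out_dir.mkdir(parents=True, exist_ok=True)
    parts = []
    with src.open(newline="", encoding="utf-8") as fh:
        reader = csv.reader(fh)   # record-aware: quoted, multi-line fields stay intact
        header = next(reader)
        out, writer, count = None, None, 0
        for row in reader:
            if out is None or count >= max_records:
                if out is not None:
                    out.close()
                part = out_dir / f"{src.stem}_part{len(parts) + 1:03d}.csv"
                out = part.open("w", newline="", encoding="utf-8")
                writer = csv.writer(out)
                if keep_header:
                    writer.writerow(header)
                parts.append(part)
                count = 0
            writer.writerow(row)
            count += 1
        if out is not None:
            out.close()
    return parts

def count_records(path: Path, has_header: bool = True) -> int:
    with path.open(newline="", encoding="utf-8") as fh:
        n = sum(1 for _ in csv.reader(fh))   # counts records, not physical lines
    return n - 1 if has_header else n

def verify_split(src: Path, parts: list, keep_header: bool = True) -> bool:
    """Integrity check: every source record landed in exactly one part, none duplicated."""
    return sum(count_records(p, keep_header) for p in parts) == count_records(src)

def demo() -> dict:
    # Constructed sample: a 7-record Hayabusa-style export, one field containing a comma.
    work = Path(tempfile.mkdtemp())
    src = work / "hayabusa.csv"
    rows = [f'2024-03-0{i} 10:00:0{i},"Rule {i}, with comma",Sample-PC\n' for i in range(1, 8)]
    src.write_text("Timestamp,RuleTitle,Computer\n" + "".join(rows), encoding="utf-8")
    parts = split_csv(src, work / "split", max_records=3)
    return {"parts": len(parts), "ok": verify_split(src, parts),
            "per_part": [count_records(p) for p in parts],
            "first_header": parts[0].read_text(encoding="utf-8").splitlines()[0]}
```

Counting records with the csv module rather than counting newlines is what keeps the verification honest when exports contain multi-line fields.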
- Operating System: Windows 10/11, Windows Server 2016+
- Python: 3.8 or higher (if running from source)
- Disk Space: 500MB for application + variable for evidence
- RAM: 4GB minimum, 8GB+ recommended
- Admin Rights: Required for Thor Scanner and VaultMirror
- 7-Zip: For encrypted case archives (https://www.7-zip.org/)
- Hayabusa: For EVTX scanning (https://github.com/Yamato-Security/hayabusa)
- Chainsaw: For Sigma rule hunting (https://github.com/WithSecureLabs/chainsaw)
- Thor Lite: For IOC scanning (https://www.nextron-systems.com/thor-lite/)
- Splunk: For log management (https://www.splunk.com/)
- Elasticsearch: For CSV ingestion (https://www.elastic.co/)
- Download the latest `DFIRVault.exe` from the Releases page
- Place the executable in your preferred tools directory (e.g., `C:\Tools\DFIRVault\`)
- Double-click to run - no installation required!
```bash
# Clone the repository
git clone https://github.com/dfirvault/DFIRVault.git
cd DFIRVault
# Install dependencies
pip install -r requirements.txt
# Run the application
python dfirvault.py
```
- Run `DFIRVault.exe` as Administrator (for full functionality)
- The main menu will display all available modules
- Configure tool paths when prompted (Hayabusa, Chainsaw, Thor, etc.)
- Set your case folder and backup locations in the Case Manager
- Start a New Case: Use the Case Manager to create a structured case folder
- Collect Evidence: Copy disk images, EVTX files, and other evidence to the case folder
- Scan for Threats: Run Hayabusa, Chainsaw, and Thor scanners against evidence
- Analyze Results: Review HTML/CSV reports generated by the scanners
- Prepare Data: Use CSV Splitter and CSV Timestamp Cleaner to optimise datasets for ingestion and timeline analysis
- Ingest Data: Upload CSV reports to Splunk or Elasticsearch for deeper analysis
- Convert Images: Convert forensic disk images to formats required by virtualisation or analysis platforms
- Archive Case: Password-protect and archive completed cases to cold storage
- Sync to Backup: Use VaultMirror to maintain off-site backups
The Case Manager creates a standardized folder structure for each investigation:
```text
[Case Name]/
├── 01 - Evidence/               # Raw evidence, disk images, memory dumps
├── 02 - Case/                   # Case notes, interview transcripts, legal docs
├── 03 - Malware/                # Captured malware samples (password protected)
└── 04 - Extracted Evidence/
    ├── 01 - Axiom/              # Magnet Axiom exports
    ├── 02 - XWays/              # X-Ways Forensics exports
    ├── 03 - Thor/               # Thor scanner results
    ├── 04 - Hayabusa/           # Hayabusa CSV/HTML reports
    └── 05 - Chainsaw/           # Chainsaw detection results
```
Pro Tip: Store Keywords.txt in the case root for investigator notes and search terms.
- Download Hayabusa from GitHub
- Extract to `C:\Tools\Hayabusa\`
- First scan will prompt for executable location
- Configuration saved to Windows Registry: `HKCU\Software\DFIRVault\Hayabusa`
- Download Chainsaw from GitHub
- Extract to `C:\Tools\Chainsaw\`
- Ensure Sigma rules are in the `rules/` subdirectory
- Configuration saved to Windows Registry
- Download Thor Lite from Nextron Systems
- Place `thor64-lite.exe` in `C:\Tools\Thor\`
- Run signature updates via the tool menu
- Requires Administrator privileges
Initial Setup:
- Ensure Splunk is installed and running locally
- Navigate to `Settings > Tokens` in Splunk Web
- Generate an authentication token
- Enter credentials when prompted by DFIRVault
Common Operations:
- Create indexes with automatic folder monitoring
- Backup indexes before deletion (with password protection)
- Restore indexes from backup ZIP files
- Launch Splunk Web directly from the console
Supported Formats:
- Standard CSV with header row
- UTF-8 encoding (recommended)
- Any delimiter (auto-detected)
- Large files (automatic chunking)
Timestamp Handling:
- Automatic detection of timestamp columns
- Support for Unix epoch (seconds/milliseconds)
- ISO-8601 date string conversion
- Custom timestamp field selection
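The timestamp detection described here and the CSV Timestamp Cleaner's conversion to DD/MM/YYYY HH:MM:SS described earlier share one core, shown below as an added illustration in Python rather than the project's own implementation. It assumes naive inputs are UTC and that slash-dates carrying an AM/PM marker are US month-first; ambiguous slash-dates are a genuine pitfall in mixed exports, so the format order is the part to adjust per source.

```python
import re
from datetime import datetime, timezone
from typing import Optional

TARGET = "%d/%m/%Y %H:%M:%S"   # the cleaner's output format
# Input formats tried in order. Naive values are assumed UTC; AM/PM slash-dates are assumed US month-first.
FORMATS = (
    "%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S%z",
    "%Y-%m-%d %H:%M:%S", "%m/%d/%Y %I:%M:%S %p", "%d/%m/%Y %H:%M:%S",
)
EPOCH = re.compile(r"^\d{10}(\d{3})?$")   # Unix seconds (10 digits) or milliseconds (13)

def normalise(value: str) -> Optional[str]:
    """Return value as DD/MM/YYYY HH:MM:SS in UTC, or None if no format matches."""
    v = value.strip()
    if EPOCH.match(v):
        secs = int(v) / 1000 if len(v) == 13 else int(v)
        return datetime.fromtimestamp(secs, tz=timezone.utc).strftime(TARGET)
    for fmt in FORMATS:
        try:
            dt = datetime.strptime(v, fmt)
        except ValueError:
            continue
        if dt.tzinfo is not None:          # offset-aware input: convert to UTC first
            dt = dt.astimezone(timezone.utc)
        return dt.strftime(TARGET)
    return None

def detect_timestamp_columns(header: list, sample: list, threshold: float = 0.8) -> list:
    """Columns where at least `threshold` of the non-empty sampled values parse as timestamps."""
    found = []
    for i, name in enumerate(header):
        vals = [r[i] for r in sample if i < len(r) and r[i].strip()]
        if vals and sum(normalise(x) is not None for x in vals) / len(vals) >= threshold:
            found.append(name)
    return found

def clean_rows(rows: list, columns: list) -> tuple:
    """Rewrite the chosen columns; values that do not parse are left as-is and counted."""
    cleaned, unparsed = [], 0
    for row in rows:
        new = dict(row)
        for col in columns:
            norm = normalise(row.get(col, ""))
            if norm is None:
                unparsed += 1
            else:
                new[col] = norm
        cleaned.append(new)
    return cleaned, unparsed
```

Leaving unparseable values untouched and reporting the count, rather than blanking them, preserves the evidence and tells the analyst which rows still need a format added.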
How Safe Delete Works:
- Files are NEVER permanently deleted immediately
- Deleted files moved to `[Drive]:\VaultMirror_Deleted\[CaseName]\`
- Files retained for 30 days (configurable)
- Automatic purging after grace period
- Metadata JSON files track deletion history
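The vault-then-purge behaviour described above, as an added Python illustration (not VaultMirror's own code): the vault layout follows `[vault root]\[CaseName]\` from this README, while the sidecar metadata naming, its fields and the SHA-256 recorded for later restore verification are assumptions; the scenario in `demo()` is constructed.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

META_SUFFIX = ".meta.json"   # assumed sidecar naming; the real VaultMirror layout may differ

def safe_delete(path: Path, vault_root: Path, case_name: str) -> Path:
    """Move path into [vault_root]/[case_name]/ instead of unlinking it, with a metadata record."""
    vault = vault_root / case_name
    vault.mkdir(parents=True, exist_ok=True)
    now = datetime.now(timezone.utc)
    digest = hashlib.sha256(path.read_bytes()).hexdigest()   # lets a later restore be verified
    dest = vault / f"{now:%Y%m%dT%H%M%SZ}_{path.name}"        # timestamp prefix avoids collisions
    shutil.move(str(path), str(dest))
    meta = {"original_path": str(path), "case": case_name,
            "deleted_at": now.isoformat(), "sha256": digest}
    dest.with_name(dest.name + META_SUFFIX).write_text(json.dumps(meta, indent=2), encoding="utf-8")
    return dest

def purge_expired(vault_root: Path, grace_days: int = 30, now=None) -> list:
    """Permanently remove vault entries whose record shows they are older than grace_days."""
    now = now or datetime.now(timezone.utc)
    purged = []
    for meta_file in vault_root.rglob(f"*{META_SUFFIX}"):
        meta = json.loads(meta_file.read_text(encoding="utf-8"))
        if now - datetime.fromisoformat(meta["deleted_at"]) < timedelta(days=grace_days):
            continue                                           # still inside the recovery window
        data_file = meta_file.with_name(meta_file.name[: -len(META_SUFFIX)])
        data_file.unlink(missing_ok=True)
        meta_file.unlink()
        purged.append(data_file)
    return purged

def demo() -> dict:
    # Constructed scenario: vault one file, then run the purge 5 days and 31 days after deletion.
    work = Path(tempfile.mkdtemp())
    vault = work / "VaultMirror_Deleted"
    evidence = work / "case" / "notes.txt"
    evidence.parent.mkdir()
    evidence.write_text("interview notes", encoding="utf-8")
    moved = safe_delete(evidence, vault, "CASE-0001")
    deleted_at = datetime.fromisoformat(json.loads(moved.with_name(moved.name + META_SUFFIX).read_text(encoding="utf-8"))["deleted_at"])
    early = purge_expired(vault, now=deleted_at + timedelta(days=5))
    kept = moved.exists()
    late = purge_expired(vault, now=deleted_at + timedelta(days=31))
    return {"source_gone": not evidence.exists(), "kept_inside_window": kept and not early,
            "purged_after_window": len(late) == 1 and not moved.exists()}
```

Driving the purge from the recorded deletion time rather than the file's modification time matters because the move preserves the original mtime, which may already be older than the grace period.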
Sync Modes:
- One-Way: Source → Destination (files only added/updated)
- Bi-Directional: Full synchronization with conflict resolution based on timestamps
DFIRVault stores all configurations in the Windows Registry under:
`HKEY_CURRENT_USER\Software\DFIRVault\`
```text
DFIRVault/
├── CaseManager/
│   ├── case_folder (REG_SZ)
│   └── backup_location (REG_SZ)
├── Hayabusa/
│   └── executable_path (REG_SZ)
├── Chainsaw/
│   └── executable_path (REG_SZ)
├── Thor/
│   └── executable_path (REG_SZ)
├── LogEnhancer/
│   └── executable_path (REG_SZ)
├── Splunk/
│   ├── splunk_path (REG_SZ)
│   ├── username (REG_SZ)
│   └── password (REG_SZ)
└── Elasticsearch/
    ├── url (REG_SZ)
    ├── username (REG_SZ)
    └── password (REG_SZ)
```
Backup Registry Settings:
```cmd
reg export "HKCU\Software\DFIRVault" DFIRVault_backup.reg
```
Restore Registry Settings:
```cmd
reg import DFIRVault_backup.reg
```
The export contains every value under the key, including the Splunk and Elasticsearch credentials listed above, so treat the `.reg` file as sensitive and do not leave it in a shared or synced location.
| Issue | Solution |
|---|---|
| Hayabusa/Chainsaw not found | Download the tool and set path when prompted |
| Thor Scanner fails | Run DFIRVault as Administrator |
| Splunk connection refused | Ensure Splunk is running on port 8089 |
| CSV upload fails | Check Elasticsearch cluster health and credentials |
| VaultMirror task not created | Run as Administrator and check Task Scheduler service |
| Registry access denied | Ensure you have write permissions to HKCU |
- Case Manager: `[CaseFolder]/case_manager.log`
- Hayabusa: `[ReportPath]/[case]-log.txt`
- Thor Scanner: `[ReportPath]/[case]_thor_log.txt`
- SFTP Monitor: `[LocalFolder]/logs/sftp_monitor_*.log`
- VaultMirror: `%APPDATA%\VaultMirror\logs\`
- Use SSDs for evidence storage when possible
- Limit concurrent scanners to avoid I/O bottlenecks
- Use multi-threading option in Thor Scanner for large drives
- Adjust chunk size in CSV2ELK for network conditions
We welcome contributions from the DFIR community!
- Report Bugs: Open an issue with detailed reproduction steps
- Suggest Features: Submit feature requests via GitHub Issues
- Code Contributions: Fork the repo and submit pull requests
- Documentation: Help improve this README or add wiki articles
- Tool Integrations: Add support for new DFIR tools
```bash
# Clone your fork
git clone https://github.com/YOUR_USERNAME/DFIRVault.git
cd DFIRVault
# Create virtual environment
python -m venv venv
venv\Scripts\activate # Windows
# Install dev dependencies
pip install -r requirements-dev.txt
# Run tests
pytest tests/
```
- Follow PEP 8 guidelines
- Include docstrings for all functions
- Add type hints where possible
- Test on Windows 10/11 before submitting
This project is licensed under the MIT License - see the LICENSE file for details.
- Yamato Security for Hayabusa
- WithSecure Labs for Chainsaw
- Nextron Systems for Thor Lite
- Splunk and Elastic communities
- All DFIR practitioners who provided feedback and testing
- Developer: Jacob Wilson
- Email: dfirvault@gmail.com
- GitHub: https://github.com/dfirvault
- Issues: GitHub Issues Page
If you find DFIRVault useful, please consider starring the repository on GitHub!
