OSDFIR Infrastructure helps set up Open Source Digital Forensics tools on Kubernetes clusters using Helm.
Currently, OSDFIR Infrastructure supports the deployment and integration of the following tools:
- Turbinia for automating processing of forensic evidence at scale, helping find prevalent badness; it includes built-in integrations to many tools such as:
  - Plaso (and related projects such as dfVFS and libyal) for extracting data from a variety of sources into a correlated super timeline
  - Container Explorer for container-level processing
  - Docker Explorer for Docker container-level processing
  - Fraken for multi-threaded YARA scanning
  - Libcloudforensics for mounting evidence from cloud platforms
- Timesketch for collaborative forensic timeline analysis, with built-in analyzers to help identify patterns in data; supports Plaso, JSONL, or CSV file imports
- dfTimewolf for orchestrating forensic collection, processing and data export, helping pass data between tools
These tools can also be used independently by following the documentation in each tool's repository, or by installing a tool-specific Helm chart, which includes any built-in integrations.
To get started, ensure you have Helm installed and are authenticated to your Kubernetes cluster, then, using a release name of your choice such as my-release, run:

```sh
helm install my-release oci://us-docker.pkg.dev/osdfir-registry/osdfir-charts/osdfir-infrastructure
```

The command deploys OSDFIR Infrastructure on the Kubernetes cluster in the default configuration. See the GKE Installations section for installing to GCP environments, or, to quickly get started with a local cluster, see the minikube install docs.
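As an added example (not code from the OSDFIR Infrastructure project), a small POSIX shell wrapper around that install step: it validates the release name against Helm's limits (a DNS-1123 label of at most 53 characters), checks that helm and kubectl are present and a cluster is reachable, and only then runs the install. The --namespace and --create-namespace flags are standard Helm 3 flags; the osdfir namespace default and the script name are assumptions.

```shell
#!/bin/sh
# Added helper, not part of the OSDFIR Infrastructure project. Wraps the
# README's "helm install" with release-name validation and prerequisite checks.
set -eu

OSDFIR_CHART="oci://us-docker.pkg.dev/osdfir-registry/osdfir-charts/osdfir-infrastructure"

# Helm release names must be DNS-1123 labels of at most 53 characters:
# lowercase alphanumerics and hyphens, starting and ending with an alphanumeric.
valid_release_name() {
  name="$1"
  [ "${#name}" -le 53 ] || return 1
  printf '%s\n' "$name" | grep -Eq '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
}

# Compose the install command (without running it) so it can be reviewed or
# tested. The namespace defaults to "osdfir" here; that default is an assumption.
build_install_cmd() {
  release="$1"
  namespace="${2:-osdfir}"
  valid_release_name "$release" || { echo "invalid release name: $release" >&2; return 1; }
  printf 'helm install %s %s --namespace %s --create-namespace\n' \
    "$release" "$OSDFIR_CHART" "$namespace"
}

# Fail early if Helm or kubectl is missing or no cluster is reachable.
check_prereqs() {
  command -v helm >/dev/null 2>&1 || { echo "helm not found in PATH" >&2; return 1; }
  command -v kubectl >/dev/null 2>&1 || { echo "kubectl not found in PATH" >&2; return 1; }
  kubectl cluster-info >/dev/null 2>&1 || { echo "no reachable cluster; authenticate first" >&2; return 1; }
  echo "deploying to kube context: $(kubectl config current-context)"
}

# Only act when a release name is passed on the command line, e.g.:
#   sh install-osdfir.sh my-release osdfir
if [ "$#" -gt 0 ]; then
  check_prereqs
  cmd="$(build_install_cmd "$1" "${2:-osdfir}")"
  echo "running: $cmd"
  eval "$cmd"
fi
```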
For more information on how to install and configure OSDFIR Infrastructure or individual tools, please refer to the links below.