Skip to content

google/osdfir-infrastructure

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

172 Commits
.github
.github
 
 
charts
charts
 
 
docs
docs
 
 
extras
extras
 
 
.gitignore
.gitignore
 
 
.markdownlint.json
.markdownlint.json
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
contributing.md
contributing.md
 
 

Repository files navigation

OSDFIR Infrastructure

OSDFIR Infrastructure simplifies the deployment and integration of Open Source Digital Forensics tools to Kubernetes clusters (local or cloud) using Helm.

Currently, OSDFIR Infrastructure supports the deployment and integration of the following tools:

  • dfTimewolf for orchestrating forensic collection, processing and data export, helping pass data between tools using recipes (e.g. importing processed Plaso files Timesketch)
  • Timesketch for collaborative forensic timeline analysis featuring analyzers to help identitify patterns in data, support for Plaso, JSONL, or CSV file imports, and built-in integrations to tools such as:
    • DFIQ for digital forensics investigative questions and the approaches to answering them
    • Sigma for detection and hunting rules to run across timelines
    • Unfurl for graph analysis of URLs
  • Yeti for DFIR and threat intelligence tracking, enabling responders to store and analyze CTI (observables, TTPs, campaigns, etc.) from internal and external systems and integrates with Timesketch.
  • OpenRelik is a platform that streamlines collaborative digital forensic investigations. It provides modular workflows, an intuitive interface, real-time collaboration, a centralized artifact repository, and can easily be extended to support new workers.

Additionally, OSDFIR Infrastructure also offers standalone charts. These charts are not directly integrated with OSDFIR Infrastructure, but can be used independently.

  • Turbinia for automating processing of forensic evidence helping find prevelant badness.
  • Hashr to build your own hash sets based on your data sources.
  • GRR for incident response and remote live forensics.

Installing the Charts

To get started, ensure you have Helm installed and are authenticated to your Kubernetes cluster.

Once complete, add the repo containing the Helm charts as follows:

helm repo add osdfir-charts https://google.github.io/osdfir-infrastructure

If you had already added this repo earlier, run helm repo update to retrieve the latest versions of the packages. You can then run helm search repo osdfir-charts to see the available charts.

To install the OSDFIR Infrastructure chart using a release name of my-release:

helm install my-release osdfir-charts/osdfir-infrastructure

Note: The default configuration of the Helm chart installs it within your cluster for internal access. To enable external access, follow the instructions provided in the Helm chart's README.

To uninstall the chart:

helm uninstall my-release

Please refer to the links below for more details on configuring OSDFIR Infrastructure, and accessing helpful guides.

Obligatory Fine Print

This is not an official Google product (experimental or otherwise), it is just code that happens to be owned by Google.

About

Helm charts for running open source digital forensic tools in Kubernetes

Topics

kubernetes security cloud deployment forensics dfir

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct

Security policy

Security policy
Activity
Custom properties

Stars

84 stars

Watchers

7 watching

Forks

16 forks
Report repository

Releases 61

osdfir-infrastructure-2.1.0 Latest
Feb 12, 2025
+ 60 releases

Packages

No packages published

Contributors 10

Languages