nightHawkResponse is a custom built application for asynchronus forensic data presentation on an Elasticsearch backend. This application is designed to ingest a Mandiant Redline “collections” file and give flexibility in search/stack and tagging. The application was born out of the inability to control multiple investigations (or hundreds of endpoints) in a single pane of glass.

Redline is a free endpoint security tool that provide users the possibility to identify malicious or suspicious activity on the operating system. it will collect running process, drivers, file system metadata , event logs , network information , services and web history. This is useful during a full scooping of an incident. Combining Redline with nightHawkResponse will make the collection of data faster and easier to visualize in a distributed network.

Some of the feature for this framework:

• Single view endpoint forensics (multiple audit types).
• Global search.
• Timelining.
• Stacking.
• Tagging.
• Interactive process tree view.
• Multiple file upload & Named investigations.

nightHawkResponse – Incident Response Forensic Framework

You can read more and download the framework over here: https://github.com/biggiesmallsAG/