nightHawkResponse – Incident Response Framework

nightHawkResponse is a custom-built application for asynchronous forensic data presentation on an Elasticsearch backend. The application is designed to ingest a Mandiant Redline "collections" file and provide flexible search, stacking and tagging. It was born out of the inability to manage multiple investigations (or hundreds of endpoints) in a single pane of glass.

Redline is a free endpoint security tool that lets users identify malicious or suspicious activity on the operating system. It collects running processes, drivers, file system metadata, event logs, network information, services and web history, which is useful during the full scoping of an incident. Combining Redline with nightHawkResponse makes the collected data faster and easier to visualize across a distributed network.

Some of the features of this framework:

  • Single view endpoint forensics (multiple audit types).
  • Global search.
  • Timelining.
  • Stacking.
  • Tagging.
  • Interactive process tree view.
  • Multiple file upload & Named investigations.

nightHawkResponse – Incident Response Forensic Framework

You can read more and download the framework over here:
