Skadi – DFIR Framework to Collect Process and Hunt

Skadi is a free, open source collection of tools that enables the collection, processing and advanced analysis of forensic artifacts and images. It works on MacOS, Windows, and Linux machines. It scales to work effectively on laptops, desktops, servers, the cloud, and can be installed on top of hardened / gold disk images.

Skadi - Collect Process and Hunt

The tools are combined into one platform in which they all work together to collect data, convert the raw bits and bytes into words and numbers, and analyze the results quickly and easily. This makes it possible to hunt for host-based evidence of malicious activity rapidly and accurately.

The current list of tools available in this framework is:

There are three ways to use the framework: the first is to run the OVA, the second is to deploy Skadi using Vagrant, and the third is to use the signed installer formats.

The recommended way to investigate security alerts with this framework includes the following three steps:

  1. Collect information from host
  2. Process / parse collected data
  3. Start reviewing the data from the CSV reports or from the Kibana or TimeSketch web UIs

You can read more and download this framework over here: https://www.skadivm.com/
