FACT: collect, process and visualise forensic data from clusters of machines

FACT – Forensic Artefact Collection Tool

FACT is a tool to collect, process, and visualise forensic data from clusters of machines running in the cloud or on-premise.

Installation

Docker Compose Single-node Deployment

You can run FACT on platforms supported by Docker Desktop using our Docker Compose setup. This setup is not meant for production use yet.

Prerequisites

  1. Docker
  2. Docker Compose
  3. A large amount of disk space for disk images
  4. At least 4GB of RAM available, 8GB recommended

Configuring docker-compose.yml

Download docker-compose.yml from this repository.

Open it in a text editor and replace ${HOST_IP} with the IP address of the machine running Docker. Alternatively, set HOST_IP in the shell environment from which you run docker-compose. You can find your IP address with your operating system's tools; when using Docker Desktop, try host.docker.internal.

The IP address can be either the one your machine uses to connect to the internet or, when using Docker Desktop, the internal IP address of the underlying Docker Desktop VM. It must be reachable both from your host and from within Docker.

Starting all services

Open a shell, enter the directory containing docker-compose.yml and start all the services using:

docker-compose up -d

View the documentation for docker-compose for other operations.
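The configuration step above is easy to get wrong silently (an empty HOST_IP or an unedited placeholder only shows up later as services that cannot reach each other). The following added example, which is not part of the FACT project, validates the value, renders docker-compose.yml with ${HOST_IP} substituted, and refuses to continue if the placeholder was never present; it assumes POSIX sh with sed and grep, and the file name and placeholder named in the instructions above.

```sh
#!/bin/sh
# Added example, not FACT project code: check HOST_IP and render docker-compose.yml
# before "docker-compose up -d". Assumes POSIX sh, sed and grep.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
  addr=$1
  case "$addr" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $addr
  IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Return 0 if $1 looks like a DNS hostname (e.g. host.docker.internal under Docker Desktop).
is_hostname() {
  case "$1" in
    ''|*[!A-Za-z0-9.-]*|-*|.*|*.|*..*) return 1 ;;
  esac
  return 0
}

# Pick the value: explicit argument first, then HOST_IP from the environment.
# Fails loudly instead of letting an empty or malformed value reach docker-compose.
choose_host_ip() {
  ip=${1:-${HOST_IP:-}}
  if ! is_ipv4 "$ip" && ! is_hostname "$ip"; then
    echo "choose_host_ip: '$ip' is neither an IPv4 address nor a hostname" >&2
    return 1
  fi
  printf '%s\n' "$ip"
}

# render_compose <template> <output> <host>: substitute ${HOST_IP} everywhere.
# Refuses a template without the placeholder (wrong file, or already rendered).
render_compose() {
  { is_ipv4 "$3" || is_hostname "$3"; } || return 1
  if ! grep -q '\${HOST_IP}' "$1"; then
    echo "render_compose: no \${HOST_IP} placeholder found in $1" >&2
    return 1
  fi
  sed "s/\${HOST_IP}/$3/g" "$1" > "$2"
}

# Stand-alone demo on a constructed compose fragment (not the project's file).
if [ "${1:-}" = demo ]; then
  tmpl=$(mktemp) && out=$(mktemp)
  printf 'services:\n  ui:\n    environment:\n      - API_URL=http://${HOST_IP}:8000\n' > "$tmpl"
  render_compose "$tmpl" "$out" "$(choose_host_ip "${2:-}")" && cat "$out"
fi
```

Exporting HOST_IP and letting docker-compose interpolate it itself is the other route the instructions mention; choose_host_ip can be used on its own in that case to validate the value first.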

Once all the services have started, you can open http://localhost:3000 for the UI, and http://localhost:5601 for the search UI (Kibana). Data will be populated after your first Ingest.

Tips

  • When using Docker Desktop, remember to allocate enough disk space to your Docker Desktop machine.
  • Do keep tabs on the amount of disk space left.

Copyright (c) 2021 Song Xuan Neo, Wen En Hoe, and Ambrose Chua

Source: https://github.com/unicornunicode/