Skadi v2019.1 releases: Collect, Process, and Hunt with host based data from MacOS, Windows, and Linux

Skadi is a free, open-source collection of tools that enable the collection, processing and advanced analysis of forensic artifacts and images. It scales to work effectively on laptops, desktops, servers and in the cloud, and it can be installed on top of hardened / gold disk images.

Included Tools

The following tools are combined into one platform in which they all work together, giving anyone the ability to collect data, convert the raw bits and bytes into words and numbers, and analyze the results quickly and easily. Together they make it possible to rapidly hunt for host-based evidence of malicious activity.

  • Plaso
  • CDQR
  • CyLR
  • Docker
  • ElasticSearch, Logstash, Kibana (ELK)
  • Redis
  • Neo4j
  • Celery
  • Cerebro

Videos and Media

  • Alamo ISSA 2018 Slides: Reviews the CCF-VM components, walks through how to install the GCP version, and discusses automation possibilities and risks
  • SANS DFIR Summit 2017 Video: A talk about using CCF-VM for Digital Forensics and Incident Response (DFIR)
  • ISC2 Security Congress 2017 Slides: Another talk about using CCF-VM for Digital Forensics and Incident Response (DFIR)
  • DEFCON 25 4-hour Workshop 2017 Slides: Free and Easy DFIR Triage for Everyone
  • OSDFCON 2017 Slides: Walks through the different techniques required to produce forensic results for Windows and *nix environments (including CyLR and CDQR)

Changelog v2019.1

System Changes

  • Created Skadi Portal Start Page
    • Single Point of Access to all tools
    • Direct download links to all CyLR versions stored on the Skadi server
  • Added Remote Management and Monitoring tools
    • Grafana (Host & Container monitoring)
    • Glances (Detailed Process Monitoring)
  • Refactored to use containers where possible
  • Created Customized Docker Images for TimeSketch and CyberChef
  • Modified Firewall and Nginx Reverse proxy configuration
    • Container Support
    • Longer, larger data uploads
    • Subpath support for TimeSketch
  • Updated Digitally Signed Installer
  • Updated Packer and Vagrant build scripts

Updated All Tools to Include the Following

  • Plaso Version 20181219
  • Docker Version 18.09.0
  • CDQR Version 4.2.1
  • CyLR Version 2.0.0.0
  • Kibana 6.5.1
  • ElasticSearch 6.5.1
  • Nginx 1.15
  • Grafana 5.4.2
  • Cerebro Version 0.8.1
  • Redis Version 5
  • Neo4j Version 3.5
  • Postgres 10
  • skadi_cyberchef Last update Dec 19, 2018
  • skadi_dockprom Last Update Dec 12, 2018
  • skadi_timesketch 1.2

Download

Screenshots (images not reproduced here): Kibana, TimeSketch and Cerebro included; 11 new Kibana dashboards; TimeSketch.

Usage
Usage

Skadi (formerly known as CyLR CDQR Forensics Virtual Machine (CCF-VM)) Copyright (C) 2018 Alan Orlikoski

Source: https://github.com/orlikoski/
