# SigmaDFT

Digital Forensics Timeline Analysis using Sigma-like rules for event reconstruction.

SigmaDFT is a Python package that analyzes digital forensics timelines using YAML-based detection rules. It processes CSV files from forensics tools like Plaso and applies custom rules to identify suspicious activities and reconstruct high-level events.

## Features
- Timeline Analysis: Process CSV timeline files from forensics tools
- YAML Rules: Use Sigma-like YAML rules for event detection
- Event Reconstruction: Convert low-level events to meaningful high-level events
- Multiple Rule Types: Support for web activity, authentication, system changes, and security events
- JSON Output: Export results in structured JSON format
- Flexible Matching: Support regex and keyword-based event matching
## Prerequisites

- Anaconda or Miniconda
- Git
## Installation

```bash
# Create a new conda environment
conda create --name sigmadft python=3.12

# Activate the environment
conda activate sigmadft

# Clone the repository
git clone https://github.com/yourusername/sigmadft.git
cd sigmadft

# Install the package
pip install .

# For development (editable install)
pip install -e .
```

Verify the installation:

```bash
# Check if package is installed
pip list | grep sigmadft

# Test the command
sigmadft -h
```

## Usage

```bash
# Basic timeline analysis
sigmadft -i timeline.csv -o results.json

# Analyze specific event types
sigmadft -i timeline.csv -o results.json -t google-search
sigmadft -i timeline.csv -o results.json -t all-web-activity
sigmadft -i timeline.csv -o results.json -t authentication-activity
```
Event types available for the `-t` option:

| Type | Description |
|---|---|
| google-search | Google search activities |
| bing-search | Bing search activities |
| web-visits | General web browsing |
| youtube-watch | YouTube viewing activities |
| all-web-activity | All web-related activities |
| user-add | User account creation |
| user-mod | User account modifications |
| account-management-activity | All user management activities |
| auth-failure | Authentication failures |
| session-opened | Session login events |
| authentication-activity | All authentication events |
| web-shell | Web shell detection |
| security-tools | Security tools disabling syslog |
| suspicious-dns | Suspicious DNS activities |
| crontab-modification | Crontab file modifications |
| ftp-errors | VSFTPD suspicious error messages |
| suspicious-logs | Suspicious shell log entries |
| all-linux-security | All Linux security events |
| all | All available rules |
## Examples

```bash
# Analyze web browsing activity
sigmadft -i plaso_timeline.csv -o web_analysis.json -t all-web-activity

# Detect authentication issues
sigmadft -i auth_logs.csv -o auth_analysis.json -t authentication-activity

# Comprehensive security analysis
sigmadft -i full_timeline.csv -o security_analysis.json -t all-linux-security
```

## Input Format

SigmaDFT expects CSV files in Plaso format with the following columns:

- `datetime`: Timestamp of the event
- `timestamp_desc`: Description of the timestamp
- `source`: Event source
- `source_long`: Detailed source information
- `message`: Event message/evidence
- `parser`: Parser used to extract the event
- `display_name`: Display name/path
- `tag`: Event tags
## Output Format

Results are exported in JSON format containing:
- Event metadata (timestamps, sources, etc.)
- Reconstructed high-level events
- Supporting evidence
- Rule match information
- Event categorization
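The following script is an added example, not SigmaDFT's own code: it reads a constructed two-row Plaso-format CSV with the columns listed above, applies one keyword rule written with the same keys as the YAML rule format documented below, and builds the high-level event records that the JSON output describes. The rule, the `EXTRACTORS` registry and the function names are assumptions about the design, not the package's API.

```python
"""Added example, not SigmaDFT's own code: run a Sigma-like rule over Plaso CSV rows."""
import csv
import io
import re
from urllib.parse import unquote_plus
# Constructed Plaso-format timeline: one Google search row and one unrelated syslog row.
SAMPLE_CSV = """\
datetime,timestamp_desc,source,source_long,message,parser,display_name,tag
2024-03-01T10:15:02+00:00,Last Visited Time,WEBHIST,Chrome History,"https://www.google.com/search?q=plaso+timeline+analysis (Search) [count: 1]",sqlite/chrome_27_history,/home/alice/.config/google-chrome/Default/History,-
2024-03-01T10:16:40+00:00,Content Modification Time,LOG,Syslog,"Mar  1 10:16:40 host sshd[2231]: Accepted password for alice from 10.0.0.5 port 51022 ssh2",syslog,/var/log/auth.log,-
"""
# Hypothetical rule written as a dict with the same keys the YAML Rule Format uses.
GOOGLE_SEARCH_RULE = {
    "title": "Google Search", "id": "google-search", "category": "web",
    "detection": {"keywords": ["google.com/search?q="], "condition": "keywords"},
    "high_level_event": {
        "type": "Google Search",
        "description": "User searched Google for {query}",
        "keys": [{"name": "query", "source": "extract_google_query"}],
    },
}

def extract_google_query(row):
    """Key extractor: pull the q= parameter out of the message and URL-decode it."""
    m = re.search(r"[?&]q=([^&\s)]+)", row["message"])
    return unquote_plus(m.group(1)) if m else ""

EXTRACTORS = {"extract_google_query": extract_google_query}  # key "source" -> extractor (assumed design)

def matches(rule, row):
    """Evaluate the rule condition against one row: a keyword list or a regex list."""
    det, msg = rule["detection"], row["message"]
    if det["condition"] == "keywords":
        return any(k.lower() in msg.lower() for k in det["keywords"])
    if det["condition"] == "regex":
        return any(re.search(p, msg) for p in det["regex"])
    raise ValueError(f"unsupported condition: {det['condition']}")

def reconstruct(rule, row):
    """Build the high-level event: metadata, rule match info, category and evidence."""
    hle = rule["high_level_event"]
    values = {k["name"]: EXTRACTORS[k["source"]](row) for k in hle["keys"]}
    return {"datetime": row["datetime"], "source": row["source"], "parser": row["parser"],
            "rule_id": rule["id"], "category": rule["category"], "type": hle["type"],
            "description": hle["description"].format(**values), "evidence": row["message"]}

def analyze(csv_text, rules):
    """Apply every rule to every row of a Plaso CSV and return the high-level events."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [reconstruct(r, row) for row in rows for r in rules if matches(r, row)]
```

Passing the list returned by `analyze(SAMPLE_CSV, [GOOGLE_SEARCH_RULE])` to `json.dumps` gives the structured report; only the search row matches, and its `{query}` placeholder is filled from the decoded URL parameter.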
## Rule Format

Rules are defined in YAML format similar to Sigma rules:

```yaml
title: "Example Detection Rule"
id: "example-001"
description: "Detects example activities"
category: "example"
detection:
  keywords:
    - "example_keyword"
    - "another_keyword"
  condition: "keywords"
high_level_event:
  type: "Example Activity"
  description: "User performed {example_key}"
  keys:
    - name: "example_key"
      source: "extract_example_data"
```

## License

MIT License - see LICENSE file for details.
## Acknowledgments

- Inspired by the pyDFT project
- Uses Sigma-like rule format for digital forensics
- Built for the digital forensics and incident response community
## Contributing

- Create an issue for bug reports or feature requests
- Check existing issues before creating new ones
- Provide sample data and steps to reproduce for bug reports