Hunt. Collect. Analyze. Respond.
The open-source DFIR platform that unifies your investigation workflow
Features · Who It's For · Quick Start · Documentation · Contributing
Eleanor is an open-source, self-hosted Digital Forensics and Incident Response (DFIR) platform that brings the entire investigation lifecycle into a single, unified interface. No more juggling a dozen browser tabs, copy-pasting IOCs between tools, or losing context during critical investigations.
Modern DFIR teams use 10+ separate tools: SIEM for detection, case management for tracking, endpoint agents for collection, forensic tools for analysis, threat intel platforms for enrichment, and SOAR for response. Each tool has its own interface, data format, and learning curve. Context-switching kills investigation velocity.
Eleanor fixes this. It integrates battle-tested open-source tools (IRIS, Velociraptor, OpenCTI, Shuffle, Timesketch) under a single Sentinel-style dashboard. One login, one interface, one unified workflow from detection to remediation.
Investigation-first, not alert-first. Most security tools optimize for alert triage; Eleanor optimizes for deep investigation. Start with a hypothesis, hunt proactively, and follow the evidence wherever it leads. When you find something, you have the tools to respond immediately.
| Role | How Eleanor Helps |
|---|---|
| SOC Analysts | Investigate alerts faster with unified entity profiles, automated enrichment, and one-click threat intel lookups. No more copying hashes between VirusTotal tabs. |
| Threat Hunters | Hunt across your environment with ES\|QL/KQL queries, save successful hunts as reusable playbooks, and build workbooks that capture institutional knowledge. |
| Forensic Investigators | Process disk images, memory dumps, and triage packages with 34+ built-in parsers. Build timelines, trace lateral movement, and generate court-ready reports. |
| Incident Responders | Coordinate response with case management, execute automated playbooks with approval gates, and contain threats without leaving the platform. |
| MSSPs | Serve multiple clients from one instance with full multi-tenancy, tenant isolation, and per-organization configurations. |
- Unified Interface, Best-of-Breed Tools: Eleanor doesn't reinvent proven tools. It wraps IRIS, Velociraptor, OpenCTI, and Shuffle in a cohesive UI so you get the power of each without the integration headaches.
- Self-Hosted & Privacy-Preserving: Your investigation data never leaves your infrastructure. No cloud dependencies, no telemetry phoning home, no vendor lock-in. Critical for investigations involving sensitive data.
- Multi-Tenant by Design: Built from day one for MSSPs and enterprise teams. Row-level security, scoped Elasticsearch indices, and per-tenant configurations. One instance, many clients.
- Investigation Workbooks: Capture your team's investigative playbooks as reusable workbooks. New analysts can follow proven procedures; experienced hunters can share their techniques.
- OVA Deployment: Download a pre-configured virtual appliance and be investigating in under 30 minutes. No Kubernetes expertise required (though we support that too).
| Feature | Description |
|---|---|
| Threat Hunting | ES\|QL/KQL hunting queries, saved as reusable playbooks |
| Case Management | Full lifecycle tracking with IRIS integration, assets, IOCs, and notes |
| Evidence Processing | 34+ parsers for EVTX, Registry, MFT, Browser artifacts, Memory, and more |
| Entity Profiling | Aggregated views of hosts, users, IPs with threat intelligence enrichment |
| Timeline Analysis | Interactive D3 timeline reconstruction with correlation markers |
| Investigation Graphs | Cytoscape-powered relationship visualization with path analysis |
| Endpoint Collection | Live response and artifact collection via Velociraptor |
| Automated Response | SOAR workflows via Shuffle with approval gates |
| Forensic Reports | Professional report generation with templates (PDF, DOCX, HTML) |
- Multi-tenancy: Organization-level isolation with RLS and tenant-scoped indices
- Visual Rule Builder: Drag-drop correlation rules with 4 detection patterns
- Response Playbooks: Automated workflows with approval gates and SOAR integration
- Real-time Dashboard: Live SOC monitoring with WebSocket event streaming
- MITRE ATT&CK Navigator: Coverage analysis, gap identification, and layer export
```text
┌─────────────────────────────────────────────────────────────────────────────┐
│                         ELEANOR UNIFIED DASHBOARD                           │
│                            (Angular 17+ SPA)                                │
│  ┌──────────┬──────────┬──────────┬──────────┬──────────┬───────────────┐   │
│  │ Incidents│ Hunting  │ Entities │ Timeline │ Evidence │   Workbooks   │   │
│  │  Queue   │ Console  │ Profiles │   View   │ Browser  │   & Reports   │   │
│  └──────────┴──────────┴──────────┴──────────┴──────────┴───────────────┘   │
└─────────────────────────────────────────────────────────────────────────────┘
                                      │
                                      ▼
┌─────────────────────────────────────────────────────────────────────────────┐
│                        ELEANOR ORCHESTRATION API                            │
│                           (FastAPI + Celery)                                │
│  ┌─────────────┬────────────┬────────────┬────────────┬──────────────┐      │
│  │   Search    │   Entity   │  Evidence  │  Workflow  │     Auth     │      │
│  │   Engine    │ Enrichment │  Parsing   │   Engine   │  (JWT/OIDC)  │      │
│  └─────────────┴────────────┴────────────┴────────────┴──────────────┘      │
└─────────────────────────────────────────────────────────────────────────────┘
                                      │
           ┌──────────────────────────┼──────────────────────────┐
           ▼                          ▼                          ▼
┌─────────────────────┐    ┌─────────────────────┐    ┌─────────────────────┐
│    IRIS Adapter     │    │ Velociraptor Adapter│    │   OpenCTI Adapter   │
│  (Case Management)  │    │    (Collection)     │    │   (Threat Intel)    │
└─────────────────────┘    └─────────────────────┘    └─────────────────────┘
           │                          │                          │
           └──────────────────────────┼──────────────────────────┘
                                      ▼
┌─────────────────────────────────────────────────────────────────────────────┐
│                            SHARED DATA LAYER                                │
│  ┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐          │
│  │  Elasticsearch  │    │   PostgreSQL    │    │      Redis      │          │
│  │ (Events/Search) │    │ (Config/Users)  │    │  (Cache/Queue)  │          │
│  └─────────────────┘    └─────────────────┘    └─────────────────┘          │
└─────────────────────────────────────────────────────────────────────────────┘
```
- Docker Engine 24.0+ & Docker Compose v2
- 32GB+ RAM (64GB recommended for production)
- 500GB+ SSD storage
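A preflight script for the prerequisites listed above, added here as an example and not part of the Eleanor project. It assumes Linux for the RAM probe (`/proc/meminfo`) and that `docker` is on `PATH`; anything it cannot determine is reported as skipped rather than failed, so verify those items by hand.

```shell
#!/bin/sh
# Checks the quick-start prerequisites: Docker Engine 24.0+, Docker Compose v2,
# 32GB+ RAM, 500GB+ storage. Thresholds are the README's; the probing is a
# portable approximation (added example, not Eleanor's own tooling).

# version_ge A B: succeed when dotted version A >= B on the first three numeric
# components (a leading "v" and suffixes such as "-ce" or "+azure-1" are stripped)
version_ge() {
    a=$(printf '%s' "$1" | sed 's/^[^0-9]*//; s/[^0-9.].*$//').0.0
    b=$(printf '%s' "$2" | sed 's/^[^0-9]*//; s/[^0-9.].*$//').0.0
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); x=${x:-0}
        y=$(printf '%s' "$b" | cut -d. -f"$i"); y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# mem_gb: total RAM in GB (Linux only); prints nothing where unavailable
mem_gb() {
    [ -r /proc/meminfo ] && awk '/^MemTotal:/ { printf "%d", $2 / 1048576 }' /proc/meminfo
}

# disk_free_gb DIR: free space in GB on the filesystem holding DIR
disk_free_gb() {
    df -Pk "$1" 2>/dev/null | awk 'NR == 2 { printf "%d", $4 / 1048576 }'
}

# check LABEL VALUE MINIMUM: prints one result line; returns 1 only on a real miss
check() {
    if [ -z "$2" ]; then printf 'skipped  %s (could not determine)\n' "$1"; return 0; fi
    if version_ge "$2" "$3"; then printf 'PASS     %s = %s (need %s+)\n' "$1" "$2" "$3"; return 0; fi
    printf 'FAIL     %s = %s (need %s+)\n' "$1" "$2" "$3"; return 1
}

# preflight [DIR]: run every check; DIR is where Eleanor's data will live
preflight() {
    rc=0
    check "Docker Engine" "$(docker version --format '{{.Server.Version}}' 2>/dev/null)" 24.0 || rc=1
    check "Docker Compose" "$(docker compose version --short 2>/dev/null)" 2.0 || rc=1
    check "RAM (GB)" "$(mem_gb)" 32 || rc=1
    check "Free disk (GB)" "$(disk_free_gb "${1:-.}")" 500 || rc=1
    return "$rc"
}

preflight "${1:-.}" || echo "Resolve the FAIL lines before running 'docker compose up -d'."
```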
```bash
# Clone the repository
git clone https://github.com/Project-Eleanor/Eleanor.git
cd Eleanor

# Copy environment template
cp .env.example .env
# Edit .env with your settings (change default passwords!)

# Start core services
docker compose up -d

# Start integrated tools
docker compose -f docker-compose.tools.yml up -d

# Check status
docker compose ps
```

```bash
cd deploy/kubernetes

# Development environment
./deploy.sh development deploy

# Production environment (update secrets first!)
vim overlays/production/secrets.yaml
./deploy.sh production deploy
```

| Service | URL | Default Credentials |
|---|---|---|
| Eleanor UI | http://localhost:4200 | admin / admin123 |
| Eleanor API | http://localhost:8000/docs | none |
| IRIS | https://localhost:8443 | administrator / iris_admin |
| Velociraptor | https://localhost:8889 | admin / admin |
| Document | Description |
|---|---|
| Quick Start Guide | Get up and running in minutes |
| Architecture Overview | System design and components |
| API Reference | Complete API documentation |
| Parser Development | Creating custom evidence parsers |
| Kubernetes Deployment | Production K8s deployment |
| Contributing Guide | How to contribute to Eleanor |
Eleanor integrates these battle-tested open-source tools:
| Component | Role | Integration |
|---|---|---|
| DFIR-IRIS | Case Management | REST API |
| Velociraptor | Endpoint Collection | REST API |
| OpenCTI | Threat Intelligence | GraphQL |
| Shuffle | SOAR Automation | REST API |
| Timesketch | Timeline Analysis | REST API |
| Dissect | Artifact Parsing | Native |
| Layer | Technologies |
|---|---|
| Frontend | Angular 17, Material Design, Cytoscape.js, D3.js, Monaco Editor |
| Backend | Python 3.11, FastAPI, Celery, SQLAlchemy |
| Database | PostgreSQL 15, Elasticsearch 8.x, Redis 7 |
| Infrastructure | Docker, Kubernetes, Nginx |
| Parsing | Dissect, Volatility3, python-evtx |
| Deployment | RAM | CPU | Storage | Use Case |
|---|---|---|---|---|
| Development | 16GB | 4 cores | 100GB | Local testing |
| Small Lab | 32GB | 8 cores | 500GB | Small team |
| Production | 64GB | 16 cores | 1TB+ | Enterprise |
| Enterprise | 128GB+ | 32+ cores | Multi-TB | Large scale |
See our Project Roadmap for planned features.
- AI-Assisted Investigation: LLM-powered query suggestions and anomaly explanations
- Evidence Chain of Custody: Cryptographic verification with blockchain anchoring
- Federated Search: Cross-instance threat hunting with privacy controls
- Mobile Forensics: iOS/Android artifact parsing and timeline integration
- Compliance Reporting: Automated audit reports for SOC2, HIPAA, PCI-DSS
We welcome contributions! Please see our Contributing Guide for details.
- Report bugs and request features via Issues
- Submit pull requests for bug fixes and features
- Improve documentation
- Write evidence parsers
- Share detection rules and workbooks
```bash
# Backend
cd backend
python -m venv venv
source venv/bin/activate
pip install -r requirements.txt
uvicorn app.main:app --reload

# Frontend
cd frontend
npm install
ng serve
```

If you discover a security vulnerability, please see our Security Policy for responsible disclosure guidelines.
Eleanor is licensed under the Apache License 2.0.
Copyright 2024-2026 Project Eleanor Contributors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Eleanor stands on the shoulders of giants. Special thanks to:
- The DFIR-IRIS team
- The Velociraptor community
- The OpenCTI project
- The Dissect developers at Fox-IT
- All open-source DFIR tool maintainers
Built with dedication for the DFIR community
