v0.19.0

@hasamba hasamba released this 12 Jun 17:57
· 68 commits to master since this release

[0.19.0] - 2026-06-12

Added

  • Linux evidence importers — deterministic auditd (audit.log/ausearch/aureport), journald (journalctl -o json), and sysdig/Falco (alert + -j event JSON) ingest, auto-detected by the unified Import button (closes #62).
  • Mobile companion — installable read-only PWA at /mobile (case status, worst findings, severe/recent timeline, IOC verdicts) for quick glances during IR; navigate directly to http://127.0.0.1:4773/mobile; /cases/:id/mobile-summary endpoint, DFIR_MOBILE_MAX_* caps (closes #59).
  • AI-suggested fleet hunts — generate proactive Velociraptor VQL hunts from the case findings, review the VQL + rationale, one-click deploy across all enrolled endpoints (closes #57).
  • Memory forensics import — deterministic Volatility 3 (JSON renderer) + Rekall importer: pslist/psscan/pstree → process tree, netscan → connections, malfind → injected code (T1055), cmdline/svcscan/modules → evidence (closes #61).
  • Investigation snapshot export/import — one shareable JSON (timeline, findings, IOCs, graph state, analyst decisions, evidence references) restores a case on another machine, with no AI keys or machine config (closes #56).
  • Redacted case export — shareable ZIP for external parties: report/CSVs/state tokenized (internal IPs/hosts/users/emails/paths → consistent ANON_*), secrets redacted, screenshot EXIF stripped + PII text blurred (OCR); AI keys/config excluded (closes #54).
  • Dark / light theme — full-coverage theme toggle in the dashboard header; follows the OS prefers-color-scheme by default, manual choice persists in localStorage across sessions; every panel, graph and the swimlane canvas themed via CSS variables (closes #53).
  • Custom report templates — global branded report layouts (accent colour, cover title/subtitle, running header/footer with {{placeholder}} interpolation, and per-section enable/reorder), built-ins editable in place, selected per case; flows to Markdown/HTML/Word (closes #60).
  • Notifications — Slack / MS Teams webhooks + SMTP email channels for new/escalated findings, playbook updates, and investigation milestones, with per-channel severity thresholds + event toggles; opt-in, secrets redacted; Settings → Notifications (closes #58).
  • NSRL known-good hash checking — auto-marks matching forensic events + IOCs legitimate on import (reversible) to cut false positives. Two backends: a flat hash set (paste / server file / DFIR_NSRL_FILE) for custom lists, and direct query of the full NSRL RDS SQLite database (DFIR_NSRL_DB or connect in-UI) — the real ~160 GB set, never loaded into memory. Keys on sha256/md5; Settings → NSRL (closes #63).
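
The redacted case export above maps internal IPs, hosts, users, e-mails and paths to consistent ANON_* tokens. The following Python is an added illustration of that tokenization technique and is not the project's code: the matchers, the ANON_<KIND>_<n> naming, the RFC 1918 test for "internal" and the case-folding are all assumptions, and the known host and user names are supplied by the caller rather than detected. The point it demonstrates is that one stable token per distinct value keeps correlations in the report readable while the mapping itself stays with the analyst.

```python
"""Consistent ANON_* tokenization for a shareable export (added example)."""
import ipaddress
import re
from typing import Dict, Iterable

# Constructed matchers; the project's own are not shown on the release page.
_EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_WINPATH = re.compile(r'[A-Za-z]:\\(?:[^\\\s"]+\\)*[^\\\s"]+')


def _is_internal(ip: str) -> bool:
    """Private / loopback / link-local addresses are tokenized; public ones stay visible."""
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False


class Tokenizer:
    """Maps each distinct sensitive value to one stable ANON_<KIND>_<n> token."""

    def __init__(self, known_hosts: Iterable[str] = (), known_users: Iterable[str] = ()) -> None:
        self._map: Dict[str, str] = {}        # "<KIND>:<value>" -> token
        self._counters: Dict[str, int] = {}   # per-kind sequence numbers
        # Longest names first so "ws-042-lab" is not partially matched by "ws-042".
        self._hosts = sorted(known_hosts, key=len, reverse=True)
        self._users = sorted(known_users, key=len, reverse=True)

    def _token(self, kind: str, value: str) -> str:
        key = f"{kind}:{value.lower()}"       # case-folded so J.Doe and j.doe share a token
        if key not in self._map:
            self._counters[kind] = self._counters.get(kind, 0) + 1
            self._map[key] = f"ANON_{kind}_{self._counters[kind]}"
        return self._map[key]

    def redact(self, text: str) -> str:
        # Order matters: e-mails and paths before user names, so "j.doe@corp" and
        # "C:\Users\j.doe" are replaced whole instead of being split by the USER pass.
        text = _EMAIL.sub(lambda m: self._token("EMAIL", m.group(0)), text)
        text = _WINPATH.sub(lambda m: self._token("PATH", m.group(0)), text)
        text = _IPV4.sub(
            lambda m: self._token("IP", m.group(0)) if _is_internal(m.group(0)) else m.group(0),
            text,
        )
        for kind, names in (("HOST", self._hosts), ("USER", self._users)):
            for name in names:
                pattern = re.compile(r"\b" + re.escape(name) + r"\b", re.IGNORECASE)
                text = pattern.sub(lambda m, k=kind: self._token(k, m.group(0)), text)
        return text

    def mapping(self) -> Dict[str, str]:
        """Token -> original (case-folded). Stays with the analyst, never inside the export."""
        return {tok: key.split(":", 1)[1] for key, tok in self._map.items()}


if __name__ == "__main__":
    # Constructed sample line.
    t = Tokenizer(known_hosts=["WS-042"], known_users=["j.doe"])
    print(t.redact("j.doe on WS-042 (10.1.2.3) mailed j.doe@corp.example from 10.1.2.3 to 8.8.8.8"))
```

Because the same Tokenizer instance is reused for every artifact in one export (report, CSVs, state), a host that appears in the timeline and again in a finding carries the same ANON_HOST_n in both places; a fresh instance per export means tokens from two different exports cannot be joined.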

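The NSRL known-good entry above describes two backends (a flat hash set and per-hash queries against a large SQLite database) and a reversible auto-mark. The Python below is an added example of that pattern, not the project's importer: the `known_good` table layout, the `legitimate:known-good` tag name and the Event shape are constructed for the example (the real NSRL RDS schema is not described on the page), and the sample digests are computed from constructed byte strings.

```python
"""Known-good hash matching with a flat set and a SQLite backend (added example)."""
import hashlib
import sqlite3
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Protocol, Set

LEGIT_TAG = "legitimate:known-good"  # one dedicated tag keeps the auto-mark reversible


@dataclass
class Event:
    description: str
    sha256: Optional[str] = None
    md5: Optional[str] = None
    tags: Set[str] = field(default_factory=set)


class KnownGoodBackend(Protocol):
    def contains(self, sha256: Optional[str], md5: Optional[str]) -> bool: ...


class FlatHashSet:
    """Pasted text or a server file: one hex digest per line, '#' comments allowed."""

    def __init__(self, lines: Iterable[str]) -> None:
        self._hashes = {
            line.strip().lower()
            for line in lines
            if line.strip() and not line.strip().startswith("#")
        }

    def contains(self, sha256: Optional[str], md5: Optional[str]) -> bool:
        return any(h and h.lower() in self._hashes for h in (sha256, md5))


class SqliteHashSet:
    """Indexed per-hash lookups, so a multi-GB table is never read into memory."""

    def __init__(self, conn: sqlite3.Connection) -> None:
        self._conn = conn

    def contains(self, sha256: Optional[str], md5: Optional[str]) -> bool:
        row = self._conn.execute(
            "SELECT 1 FROM known_good WHERE sha256 = ? OR md5 = ? LIMIT 1",
            ((sha256 or "").lower(), (md5 or "").lower()),
        ).fetchone()
        return row is not None


def mark_known_good(events: List[Event], backend: KnownGoodBackend) -> int:
    """Tag events whose sha256 or md5 is known good; returns the number tagged."""
    hits = 0
    for ev in events:
        if (ev.sha256 or ev.md5) and backend.contains(ev.sha256, ev.md5):
            ev.tags.add(LEGIT_TAG)
            hits += 1
    return hits


def undo_known_good(events: List[Event]) -> int:
    """Reverse the auto-mark by removing only the dedicated tag; returns the count reverted."""
    reverted = 0
    for ev in events:
        if LEGIT_TAG in ev.tags:
            ev.tags.discard(LEGIT_TAG)
            reverted += 1
    return reverted


# Constructed sample data (digests of made-up byte strings, not real NSRL entries).
KNOWN_SHA256 = hashlib.sha256(b"constructed known-good sample").hexdigest()
KNOWN_MD5 = hashlib.md5(b"constructed known-good sample").hexdigest()
FLAT_LIST = "# constructed list\n" + KNOWN_SHA256.upper() + "\n"


def build_sqlite() -> sqlite3.Connection:
    """In-memory stand-in for the RDS database; schema is assumed for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE known_good (sha256 TEXT, md5 TEXT)")
    conn.execute("CREATE INDEX idx_sha256 ON known_good(sha256)")
    conn.execute("CREATE INDEX idx_md5 ON known_good(md5)")
    conn.execute("INSERT INTO known_good VALUES (?, ?)", (KNOWN_SHA256, KNOWN_MD5))
    conn.commit()
    return conn


def demo_events() -> List[Event]:
    return [
        Event("svchost.exe loaded", sha256=KNOWN_SHA256.upper()),   # upper-case on purpose
        Event("dropper.exe written", md5=hashlib.md5(b"constructed unknown sample").hexdigest()),
        Event("registry key set"),                                  # no hash: never matched
    ]


if __name__ == "__main__":
    evs = demo_events()
    print(mark_known_good(evs, FlatHashSet(FLAT_LIST.splitlines())), "marked via flat set")
    print(undo_known_good(evs), "reverted")
    print(mark_known_good(evs, SqliteHashSet(build_sqlite())), "marked via SQLite")
```

Both backends normalise digests to lower-case hex before comparing, which is where most false negatives in hash whitelisting come from, and the SQLite path issues one indexed query per event instead of reading the table, so the cost scales with the number of events rather than the size of the reference set. Because the mark is a single tag rather than a deleted event, an analyst can reverse it wholesale if the reference list turns out to be wrong for the case.
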
Changed

  • Dashboard: removed Mobile toolbar button — navigate to /mobile directly in your browser.
  • Dashboard: finding tag chips reordered — tag icon after comment chip, tag labels after confidence score (matches timeline layout).
  • Dashboard: case ID input fixed-width to fit INC-YYYY-NNN.
  • Dashboard: removed ellipsis from Import and Import snapshot button labels.