v0.25.0

@hasamba hasamba released this 20 Jun 12:57
· 17 commits to master since this release

Added

  • Demo mode — DFIR_DEMO_MODE=true blocks all mutating API routes, seeds the demo case on startup, auto-resets it every hour (DFIR_DEMO_RESET_HOURS); railway.toml for one-click Railway deployment.
  • Timeline source filter — faceted dropdown to show/hide events by tool/source; multi-source events stay visible unless all sources hidden (#131).
  • Enhanced redaction — tokenize PowerShell encoded-command blobs + victim user SIDs before the AI; new CMD/REG anon categories (closes #128).
  • Draggable push button (extension) — injected button can be dragged anywhere; position remembered and clamped on-screen.
  • Security Onion adapter + importer — recognizes SO event views; deterministic severity_label→severity, ECS threat→MITRE, IOCs.
  • SO-CRATES adapter + importer — Suricata alert, YARA filealerts, Sigma overlaid on matched Sysmon event via mapWindows.
  • Linux AppImage — single-file build attached to every release; DFIR_ENV_FILE override (#127).
  • Update notice — opt-in dashboard banner for newer GitHub releases (#127).
  • CI build + test gate — .github/workflows/ci.yml on every PR and push to master (#126).
  • Scheduled-task mapper — Velociraptor TaskScheduler/Analysis → taskscheduler kind with well-known SID expansion.
  • MFT detection InUse field — DetectRaptor.Windows.Detection.MFT rows append [deleted] when InUse is false.
  • Evidence-of-download mapper — Velociraptor BrowserDownloads/EvidenceOfDownload → download kind; URL IOCs.
  • Startup-items mapper — Velociraptor StartupItems/Autorun → startup kind with T1547.
  • CIRCL hashlookup enrichment — keyless known-file lookup; DFIR_HASHLOOKUP_URL override (closes #154).
  • Timeline pagination — 100/250/500/all rows per page (#125).
  • Correlation profile — per-case Strict/Moderate/Aggressive merge-window setting (#125).
  • Synthesis performance metrics — synth-meta.json records durationMs/eventCount/iocCount; dashboard ⚠ advisory above 5 000 events (#125).
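The demo-mode item above describes a public deployment in which every mutating API route is blocked. The following is an added example of that pattern, not the project's own code: it parses DFIR_DEMO_MODE and DFIR_DEMO_RESET_HOURS as the release notes describe them and builds a deny-by-default guard that only lets safe HTTP methods through. The helper names (parseDemoMode, makeDemoGuard, demoMiddleware) and the express-style adapter are assumptions.

```javascript
// Added example (not the project's own code): a read-only guard for a public
// demo deployment driven by DFIR_DEMO_MODE / DFIR_DEMO_RESET_HOURS.
// Helper names below are assumptions, not identifiers from the project.

// Parse a boolean env flag; only an explicit "true"/"1" enables demo mode,
// so a typo or an unset variable never accidentally turns the guard off.
function parseDemoMode(env) {
  const raw = (env.DFIR_DEMO_MODE || '').trim().toLowerCase();
  return raw === 'true' || raw === '1';
}

// Reset interval in hours; defaults to 1 when unset, rejects nonsense.
function parseResetHours(env) {
  const raw = env.DFIR_DEMO_RESET_HOURS;
  if (raw === undefined || raw.trim() === '') return 1;
  const n = Number(raw);
  if (!Number.isFinite(n) || n <= 0) {
    throw new Error('DFIR_DEMO_RESET_HOURS must be a positive number');
  }
  return n;
}

// Methods that must not change server state (RFC 9110 "safe" methods).
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Build the guard once from the environment. The returned function takes a
// request-like object { method, path } and returns a verdict. Deny-by-default:
// any method outside SAFE_METHODS is treated as mutating, so a newly added
// POST/PUT/PATCH/DELETE route is covered without having to list it.
function makeDemoGuard(env) {
  const demo = parseDemoMode(env);
  return function guard(req) {
    if (!demo) return { allowed: true };
    const method = String(req.method || '').toUpperCase();
    if (SAFE_METHODS.has(method)) return { allowed: true };
    return {
      allowed: false,
      status: 403,
      body: { error: 'demo mode: mutating routes are disabled', method, path: req.path },
    };
  };
}

// Express-style adapter (assumption: express-like req/res/next objects).
function demoMiddleware(env) {
  const guard = makeDemoGuard(env);
  return (req, res, next) => {
    const verdict = guard(req);
    if (verdict.allowed) return next();
    res.status(verdict.status).json(verdict.body);
  };
}

// Constructed sample environment and requests for a stand-alone run.
const sampleEnv = { DFIR_DEMO_MODE: 'true', DFIR_DEMO_RESET_HOURS: '1' };
const sampleGuard = makeDemoGuard(sampleEnv);
console.log(parseResetHours(sampleEnv));                         // 1
console.log(sampleGuard({ method: 'GET', path: '/api/cases' }));  // allowed
console.log(sampleGuard({ method: 'DELETE', path: '/api/cases/demo' })); // 403
```

The guard keys on the HTTP method, not the route, so it stays correct as routes are added; the caveat is that any GET handler that mutates state (a "reset" link, for instance) would slip through, which is one reason to keep such actions on POST in the first place.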

Fixed

  • Large Plaso import OOM — files over 200 MB streamed line-by-line; 555 MB file imports at ~1.3 GB peak RSS.
  • DFIR_DISK_WARN_PCT=0 ignored — setting to 0 now correctly disables the disk-space warning.
  • Import progress bar — thin strip shows browser-read then server-side import progress.
  • Playbook task flood from burst detections — backfillHighSeverityFindings groups uncovered Critical/High events by short title.
  • Velociraptor pslist/pstree import — NDJSON exports without _Source/Artifact now route via CallChain+Pid presence.
  • Velociraptor netstat import — Windows.Network.Netstat routes to mapNetstat; ESTABLISHED external IP added as IOC.
  • WebSocket over HTTPS — dashboard uses wss:// when served over HTTPS; constructor errors caught so a blocked WebSocket doesn't surface as a modal alert.
  • Extension offline message — Refresh Cases now shows "companion offline — check URL" instead of always reporting success.
  • Enrichment picker — all 13 known providers always listed; unconfigured ones dimmed with (key missing: ENVVAR) hint.
  • KillerCoda scenario — switched to pre-built Docker image (~1 min setup); suppressed bash verbose echo; corrected hamburger icon; added port-access instructions.
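The DFIR_DISK_WARN_PCT=0 fix above is an instance of a common configuration bug: a falsy check that cannot tell an explicit 0 from an unset variable. The block below is an added example, not the project's code, showing the defective parse beside a corrected one and the warning decision that depends on it. The default of 10%, the "warn when free space is below the threshold" semantics, and the function names are assumptions; the release notes only state that 0 must disable the warning.

```javascript
// Added example, not the project's code: the "0 is ignored" env-var bug class
// behind the DFIR_DISK_WARN_PCT fix. Default threshold and semantics below are
// assumptions (the release notes do not state them).

const DEFAULT_WARN_PCT = 10; // assumption: warn when free space drops below 10%

// Defective: `||` treats 0 as "missing", so DFIR_DISK_WARN_PCT=0 silently
// becomes the default and the warning can never be switched off.
function parseWarnPctBuggy(env) {
  return Number(env.DFIR_DISK_WARN_PCT) || DEFAULT_WARN_PCT;
}

// Corrected: only an unset or blank variable falls back to the default; an
// explicit 0 survives and disables the check; garbage fails loudly at startup
// instead of turning into NaN and disabling the check by accident.
function parseWarnPct(env) {
  const raw = env.DFIR_DISK_WARN_PCT;
  if (raw === undefined || raw.trim() === '') return DEFAULT_WARN_PCT;
  const n = Number(raw);
  if (!Number.isInteger(n) || n < 0 || n > 100) {
    throw new Error(`DFIR_DISK_WARN_PCT must be an integer 0-100, got ${JSON.stringify(raw)}`);
  }
  return n;
}

// Decide whether to raise the warning for a given free-space percentage.
// Returns the warning text, or null when no warning should be shown.
function diskWarning(freePct, warnPct) {
  if (warnPct === 0) return null;        // explicitly disabled by the operator
  if (freePct >= warnPct) return null;   // enough free space
  return `disk space low: ${freePct}% free (threshold ${warnPct}%)`;
}

// Constructed sample: 3% free, operator set DFIR_DISK_WARN_PCT=0 to silence it.
const sampleEnv = { DFIR_DISK_WARN_PCT: '0' };
console.log(diskWarning(3, parseWarnPctBuggy(sampleEnv))); // still warns: the bug
console.log(diskWarning(3, parseWarnPct(sampleEnv)));      // null: the fix
```

The same `||`-default pattern bites any numeric or boolean setting where 0, false or an empty string is a legitimate value; the fix is always to test for absence (`undefined`, blank) rather than falsiness, and to validate the range so a mistyped value cannot quietly disable a safety check.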

Changed

  • Consistent event-field separator — extension-pushed imports join description fields with -; ParentCommandLine added to standard Windows subject fields.
  • Graph-grounded fleet-hunt suggestions — suggestHunts feeds the causal evidence graph (#124).