Skip to content

Collect, Process, and Hunt with host based data from MacOS, Windows, and Linux


Notifications You must be signed in to change notification settings


Repository files navigation

(pronounced “SKAH-Dee”: similar to Scotty but with a d sound) is a giantess and goddess of hunting in Norse mythology

Please Read

Open Letter to the users of Skadi, CyLR, and CDQR


Skadi is a free, open source collection of tools that enables the collection, processing and advanced analysis of forensic artifacts and images. It works on MacOS, Windows, and Linux machines. It scales to work effectively on laptops, desktops, servers, the cloud, and can be installed on top of hardened / gold disk images.

How to Get Started and Support

Download Latest Release

Available in OVA, Vagrant and Signed Installer formats
Download the Latest Release

Installation Instructions

Starting Skadi on Docker Instructions Vagrant Installation Instructions
OVA Installation Instructions
Signed Installer Instructions

Skadi Portal

This portal allows easy access to Skadi tools. By default it is available at the IP address of the Skadi Server.
The default credentials are:

  • Username: skadi
  • Password: skadi

Access the portal through a web browser at the IP address of the server. In this example the server is while Vagrant and Docker will create a link to localhost

Included Tools

The tools are combined into one platform that all work together to provide the ability to collect data, convert the bits and bytes to words and numbers, and analyze the results quickly and easily. This enables the ability to rapidly hunt for host based evidence of a malicious activities quickly and accurately.

  • CDQR
  • CyberChef
  • CyLR
  • Docker
  • ElasticSearch
  • Glances
  • Grafana
  • Portainer
  • Kibana
  • Yeti
  • Plaso
  • TimeSketch

Yeti (Threat Intelligence Tool)

Kibana and TimeSketch Included

11 Kibana Dashboards


Videos and Media

  • Alamo ISSA 2018 Slides: Reviews CCF-VM components, walkthrough of how to install GCP version and discuss automation possibilities and risks
  • SANS DFIR Summit 2017 Video: A talk about using CCF-VM for Digital Forensics and Incident Response (DFIR)
  • ISC2 Security Congress 2017 Slides: Another talk about using CCF-VM for Digital Forensics and Incident Response (DFIR)
  • DEFCON 25 4-hour Workshop 2017 Slides: Free and Easy DFIR Triage for Everyone
  • OSDFCON 2017 Slides: Walk-through different techniques that are required to provide forensics results for Windows and *nix environments (Including CyLR and CDQR)

Skadi Wiki Page

The answers to common questions and information about how to get started with Skadi is stored in the Skadi Wiki Pages.

Skadi Community

There is a Slack community setup for developers and users of the Skadi ecosystem. It is a safe place to ask questions and share information.

Join the Skadi Community Slack

Skadi Add-on Packs

Skadi add-on packs are installed on top of the base Skadi VM to provide extra functionality

  • Skadi Pack 01: Automation: Provides two methods of integrating with any Automation tool: gRPC API or using SSH
  • Skadi Pack 02: Secure Networking: Updates the firewall and authenticated reverse proxy for use in network deployment. Provides instructions for obtaining TLS/SSL certificates

Thank you to everyone who has helped, and those that continue to, making this project a reality.

Special Thanks to:

  • The team from Komand for their advice and support on all things Automation
  • Jackie & Jason from @SpyglassSec for their guidance
  • Every single one of the contributors who's efforts made the automation Addon Pack possible