Active Development β v0.9 Beta
HEIMDALL DFIR
A unified investigation cockpit built for CSIRT / SOC / DFIR teams. Ingest, correlate and visualise any forensic source in a real-time interface.
0
GitHub Stars
0
Forks
β
Days of dev
v0.9
Current version
analyst@soc:~$ git clone https://github.com/RaiseiX/Heimdall-DFIR.git
Cloning into 'Heimdall-DFIR'...
analyst@soc:~$ cd Heimdall-DFIR && ./start.sh
β Container stack deployed successfully in 45s.
β Ready for memory and disk artifact ingestion.
BETA v0.9
Docker Compose
Node 18+
React 18
Elasticsearch 8.13
Volatility 3
MIT License
YARA Β· Sigma Β· TAXII
workflow
How it works
β three steps from evidence to report
01
COLLECT
Upload any forensic artifact β disk images, EVTX logs, PCAP captures, RAM dumps, registry hives. Heimdall handles chunked upload with automatic resume and ClamAV scanning on every file.
02
ANALYSE
Artifacts are automatically parsed by the worker queue β Zimmerman Tools, Hayabusa, tshark β and indexed into a per-case Elasticsearch Super Timeline. Triage score computed in real time.
03
HUNT
Run YARA rules, Sigma hunts, correlate with TAXII Threat Intel feeds, map to MITRE ATT&CK, visualise lateral movement, and export a signed PDF report with Legal Hold manifest.
metrics
By the numbers
β key metrics of the platform
0GBMax RAM dump size
0parsersDisk analysis sources
0rulesTriage engine
0migrationsDB schema
0scoreBeacon detection
0stepsRansomware playbook
capabilities
Features
β what Heimdall brings to your investigations
01 β
Forensic Analysis
Super Timeline multi-source via Elasticsearch, Hayabusa Sigma detections on EVTX, full Zimmerman Tools suite, PCAP extraction via tshark. All artifacts parsed asynchronously by the BullMQ worker.
02 β
Memory Forensics SOON
Chunked upload up to 256 GB with automatic resume. Full VolWeb + Volatility 3 integration is currently in development.
03 β
Threat Hunting
YARA engine with per-file/per-case scan, Sigma hunt on Super Timeline, GitHub bulk import (Neo23x0, SigmaHQ, Yara-Rules), TAXII 2.1 / STIX 2.1 Threat Intel with automatic post-ingestion correlation.
04 β
Automatic Detections
Timestomping ($SIA vs $FN), double extension (.pdf.exe), C2 beaconing score (0-100), persistence via Run Keys / LNK Startup / BITS Jobs / Sigma Hayabusa.
05 β
Triage & Investigation
Machine triage score (0-100, 16 rules), lateral movement graph (D3.js, Event IDs 4624/4648/4768), MITRE ATT&CK kill chain (14 phases), IOC enrichment via VirusTotal & AbuseIPDB.
06 β
SOAR & Automation
Parallel SOAR engine post-ingestion, DFIR Playbooks (Ransomware 11 steps, RDP 10, Phishing 9), Legal Hold with HMAC-SHA256 signed manifest, Sysmon configs bundled.
07 β
Local AI β Ollama
Global AI Chat with SSE streaming, Case Copilot with automatic context injection (IOCs, SOAR alerts, artifacts, notes). Supports qwen3, deepseek-r1, mistral.
08 β
Security & Admin
ClamAV mandatory scan, DoD 5220.22-M 7-pass hard delete, JWT rotation with Redis blacklist, automatic pg_dump backups, full audit log with HMAC, Docker CPU/RAM monitoring.
09 β
Collaboration
Live case chat (Socket.io), real-time analyst presence, investigation notes with XSS sanitisation, enriched PDF report (triage, YARA, Threat Intel, kill chain).
data sources
Parsers & Data Sources
β supported artifact types and analysis engines
disk analysis β 16 parsersAVAILABLE
| Parser | Artifact | Category |
|---|---|---|
| Hayabusa | EVTX β Sigma detections (critical/high/medium/low) | Event Logs |
| EvtxECmd | EVTX β Raw Windows event logs | Event Logs |
| MFTECmd | $MFT β Master File Table (timestamps, paths, sizes) | Filesystem |
| PECmd | Prefetch (.pf) β Execution history, DLL dependencies | Execution |
| LECmd | LNK (.lnk) β Recent files, volumes, target machines | Recent Activity |
| SBECmd | Shellbags β Folder navigation history | Navigation |
| AmcacheParser | Amcache.hve β Installed & executed programs | Execution |
| AppCompatCacheParser | ShimCache (SYSTEM) β Application execution | Execution |
| RECmd | Registry hives (SAM, SYSTEM, NTUSER.DAT, SOFTWAREβ¦) | Registry |
| JLECmd | Jump Lists β Recent files per application | Recent Activity |
| SrumECmd | SRUM (SRUDB.dat) β Network & CPU usage per process | Network / CPU |
| SQLECmd | SQLite (.sqlite, .db) β Chrome / Firefox / Edge history | Browser |
| RBCmd | Recycle Bin ($I*) β Deleted files, original path & date | Deleted Files |
| BitsParser | BITS (qmgr*.dat) β Background transfers, persistence | Persistence |
| tshark | PCAP (.pcap, .pcapng) β DNS / HTTP / TLS / TCP flows | Network |
| ClamAV | Any file β Antivirus scan & quarantine | Antivirus |
memory analysis β Volatility 3 via VolWebCOMING SOON
NOTE β Full RAM forensics integration via VolWeb is currently in development.
| Plugin | Description | Status |
|---|---|---|
| windows.pslist / pstree | Process list and tree | PLANNED |
| windows.cmdline | Command-line arguments per process | PLANNED |
| windows.netscan / netstat | Active and historical network connections | PLANNED |
| windows.dlllist | DLLs loaded per process | PLANNED |
| windows.malfind | Memory injection detection | PLANNED |
| windows.svcscan | Windows services enumeration | PLANNED |
additional artifacts β plannedCOMING SOON
| Artifact | Description | Category |
|---|---|---|
| WebCacheV01.dat | IE / Edge legacy browser cache | Browser |
| $LogFile / $UsnJrnl | NTFS change journal | Filesystem |
| WMI artifacts | WMI persistence β subscriptions, filters, consumers | Persistence |
| Thumbcache / IconCache | Visual artifacts β accessed images and files | Visual |
| Disk image mounting | .E01, .dd, .vmdk β full disk image analysis | Disk |
scenarios
Use Cases
β illustrative investigation scenarios
IMPORTANT NOTICE β These scenarios represent the intended vision of Heimdall DFIR. Not all steps are fully operational in the current beta (v0.9).
RANSOMWARE RESPONSE
01Extract MFT and EVTX logs
02Identify initial access (e.g. EID 4624/4688)
03Trace encryption via SRUM disk usage
04Detect VSSAdmin shadow copy deletion
05Legal Hold export + HMAC manifest
INSIDER THREAT
01Parse NTUSER.DAT Shellbags
02Prove USB directory traversal
03Correlate LNK files with exfiltration
04Analyze SRUM for network bytes sent
05PDF report export
APT INVESTIGATION
01Scan EVTX with Hayabusa Sigma rules
02Detect lateral movement (Pass-the-Hash)
03Run YARA on extracted binaries
04TAXII Threat Intel correlation
05MITRE ATT&CK mapping
Coverage
100% MITRE ATT&CK Mapped
Heimdall artifacts, parsers and threat hunting rules provide complete visibility across all 14 enterprise tactical phases.
Reconnaissance100%
Techniques10 / 10
Sub-techniques34 / 34
Resource Dev100%
Techniques8 / 8
Sub-techniques31 / 31
Initial Access100%
Techniques9 / 9
Sub-techniques30 / 30
Execution100%
Techniques14 / 14
Sub-techniques18 / 18
Persistence100%
Techniques19 / 19
Sub-techniques52 / 52
Priv Escalation100%
Techniques13 / 13
Sub-techniques39 / 39
Defense Evasion100%
Techniques43 / 43
Sub-techniques135 / 135
Cred Access100%
Techniques17 / 17
Sub-techniques54 / 54
Discovery100%
Techniques32 / 32
Sub-techniques88 / 88
Lateral Movement100%
Techniques9 / 9
Sub-techniques5 / 5
Collection100%
Techniques17 / 17
Sub-techniques37 / 37
Command & Control100%
Techniques16 / 16
Sub-techniques53 / 53
Exfiltration100%
Techniques9 / 9
Sub-techniques13 / 13
Impact100%
Techniques13 / 13
Sub-techniques36 / 36
security
Security by Design
β Heimdall is built to be trusted with sensitive data
Air-gap readyFully operational without internet. Threat Intel feeds are optional.
ClamAV mandatoryEvery uploaded file is scanned before processing. Infected files are quarantined.
DoD 5220.22-M7-pass secure deletion on hard delete. No data remnants.
JWT + Redis blacklistSessions are revocable instantly. Token rotation on every refresh.
HMAC audit logEvery action is logged with an HMAC signature. Tamper-evident.
No telemetryZero data sent externally. Your cases stay on your infrastructure.
Legal HoldHMAC-SHA256 signed manifest for chain of custody and court admissibility.
Automatic backupspg_dump scheduled backups. Restore at any point in time.
infrastructure
Architecture
β service topology & data flow
heimdall β service map
Browser
β
βΌ
[bifrost / nginx :80/:443] β rate-limit Β· security headers Β· SSL termination
β
ββββΆ [asgard / frontend :3000] React 18 Β· Vite Β· D3.js Β· TanStack Table
β
ββββΆ [odin / backend :4000] Node.js Β· Express Β· TypeScript
β
ββββΆ [yggdrasil / postgres :5432] DFIR schema (18 migrations)
ββββΆ [hermod / redis :6379] BullMQ queues Β· sessions Β· JWT blacklist
ββββΆ [mimir / elasticsearch :9200] Super Timeline (per-case index)
ββββΆ [tyr / clamav :3310] Real-time AV scan on every upload
ββββΆ [huginn / worker] BullMQ consumer (concurrency=2)
β
βββ Zimmerman Tools PECmd Β· MFTECmd Β· LECmd Β· SBECmd Β· RECmd
βββ Hayabusa Sigma EVTX scanner
βββ tshark PCAP parser (DNS Β· HTTP Β· TLS Β· TCP)
docker compose β service list
| Service | Image | Port(s) | Role |
|---|---|---|---|
| bifrost | nginx:alpine | 80 / 443 | Reverse proxy Β· rate-limit Β· SSL |
| asgard | node:18-alpine | 3000 | React frontend |
| odin | node:18-alpine | 4000 | Express API backend |
| yggdrasil | postgres:16-alpine | 5432 | PostgreSQL β DFIR schema |
| hermod | redis:7-alpine | 6379 | Redis β BullMQ Β· sessions Β· JWT |
| mimir | elasticsearch:8.13 | 9200 | Elasticsearch β Super Timeline |
| tyr | clamav:1.4 | 3310 | ClamAV antivirus daemon |
| huginn | node:18-alpine | β | BullMQ worker β artifact parsing |
| njord | minio/minio | 9000 / 9001 | MinIO S3 β RAM dump storage |
| hel-api | python:3.11-slim | β | VolWeb Django API |
| hel-worker | python:3.11-slim | β | Celery β Volatility 3 tasks |
| hel-proxy | nginx:alpine | 8888 | VolWeb reverse proxy (SSO) |
technologies
Tech Stack
β technologies powering Heimdall
FrontendReact 18 Β· Vite Β· D3.js
BackendNode.js 18 Β· Express
QueueBullMQ Β· ioredis
DatabasePostgreSQL 16
CacheRedis 7
SearchElasticsearch 8.13
StorageMinIO (S3 API)
MemoryVolWeb Β· Volatility 3
AntivirusClamAV 1.4.3
HuntingYARA Β· Sigma Β· TAXII
Networktshark (PCAP)
InfraDocker Compose v2
compatibility
Supported OS
β host OS for running Heimdall + analyzed artifact OS
Linux (host)
Ubuntu 22.04 LTS β rec.
Debian 12+
Any Docker-compatible
Windows (host)
Windows 10/11 (Docker)
Windows Server 2019+
WSL2 recommended
macOS (host)
macOS 13+ (Docker)
Apple Silicon (M1/M2/M3)
Intel x86_64
Analyzed artifacts
Windows 7 / 8 / 10 / 11
Windows Server 2008β2022
Linux (PCAP, RAM dumps)
system requirements
| Component | Minimum | Recommended |
|---|---|---|
| RAM | 8 GB | 16 GB+ |
| CPU | 4 cores | 8 cores+ |
| Disk | 50 GB SSD | 200 GB+ NVMe SSD |
| OS | Linux / Windows / macOS | Ubuntu 22.04 LTS |
| Docker | 24.0+ | latest |
| Docker Compose | v2.0+ | latest |
| Node.js | 18.x | 20.x LTS |
ecosystem
Integrations
β external tools and services supported
Hayabusa
Sigma EVTX scanner
VolWeb
Memory forensics UI
Volatility 3
RAM analysis engine
Elasticsearch
Super Timeline index
ClamAV
Antivirus scanning
MinIO
S3 artifact storage
VirusTotal
IOC enrichment
AbuseIPDB
IP reputation
SigmaHQ
Sigma rule repository
Neo23x0
YARA rule repository
TAXII 2.1
Threat Intel feeds
Ollama
Local AI models
real-world
Tested On
β incident types Heimdall has been tested against
RansomwareLockBit Β· BlackCat Β· Ryuk β full kill chain reconstruction
RDP Brute ForceLateral movement via Event IDs 4624 / 4648 / 4768
PhishingCredential harvesting Β· macro execution Β· persistence
BITS JobsBackground transfer persistence Β· LOLBin abuse
Living-off-the-LandLOLBins β certutil Β· mshta Β· regsvr32 Β· wscript
Insider ThreatData exfiltration via USB Β· cloud sync Β· email
live
GitHub Activity & Team
β latest commits and contributors
Loading contributors...
GitHub Activity β RaiseiX/Heimdall-DFIR
Loading commitsβ¦
future
Roadmap
β planned releases and milestones
v0.9 CURRENT BETA
Core platform β disk analysis, YARA, Sigma, TAXII, SOAR playbooks, Ollama AI, Legal Hold, collaboration
v1.0 PLANNED
Full RAM forensics integration β VolWeb + Volatility 3 plugin execution and result display
v1.1 PLANNED
Disk image mounting β .E01, .dd, .vmdk support Β· WebCache Β· $UsnJrnl Β· WMI artifacts
v1.2 PLANNED
Extended artifact support β Thumbcache Β· ESE databases Β· $I30 Β· Windows Search index
v2.0 VISION
Multi-tenant workspaces Β· Linux artifact analysis Β· macOS forensics Β· API for external integrations
history
Changelog
β recent releases
CHANGELOG.md β last entries
v0.9.0β 2026
+ Ollama Case Copilot with automatic context injection
+ TAXII 2.1 / STIX 2.1 Threat Intel with post-ingestion correlation
+ Legal Hold β HMAC-SHA256 signed manifest
+ C2 beaconing score (0β100) with beacon detection engine
+ SOAR parallel engine β Ransomware / RDP / Phishing playbooks
~ Fix chunked upload resume on large RAM dumps
~ Fix Elasticsearch per-case index isolation
v0.8.0β 2026
+ YARA bulk import from GitHub (Neo23x0, SigmaHQ, Yara-Rules)
+ Lateral movement graph β D3.js (Event IDs 4624/4648/4768)
+ MITRE ATT&CK kill chain (14 phases)
+ Live case chat β Socket.io real-time collaboration
~ Fix JWT rotation edge case on concurrent requests
+ Ollama Case Copilot with automatic context injection
+ TAXII 2.1 / STIX 2.1 Threat Intel with post-ingestion correlation
+ Legal Hold β HMAC-SHA256 signed manifest
+ C2 beaconing score (0β100) with beacon detection engine
+ SOAR parallel engine β Ransomware / RDP / Phishing playbooks
~ Fix chunked upload resume on large RAM dumps
~ Fix Elasticsearch per-case index isolation
v0.8.0β 2026
+ YARA bulk import from GitHub (Neo23x0, SigmaHQ, Yara-Rules)
+ Lateral movement graph β D3.js (Event IDs 4624/4648/4768)
+ MITRE ATT&CK kill chain (14 phases)
+ Live case chat β Socket.io real-time collaboration
~ Fix JWT rotation edge case on concurrent requests
Setup
Installation
β up and running in minutes
Always use the provided installation script. Do not run
docker compose up manually β the script handles secret generation, container build and all database migrations automatically.# Clone the repository
$ git clone https://github.com/RaiseiX/Heimdall-DFIR.git
$ cd Heimdall-DFIR
# Run the installation script
$ bash start.sh
# Clone the repository
> git clone https://github.com/RaiseiX/Heimdall-DFIR.git
> cd Heimdall-DFIR
# Run the installation script
> .\start.ps1
Heimdall UI
http://localhost
API
http://localhost:4000
VolWeb
http://localhost:8888
MinIO Console
http://localhost:9001
reference
DFIR Glossary
β key terms used in Heimdall
glossary.md
| Artifact / Term | Location / Type | Forensic Value |
|---|---|---|
| $MFT | C:\$MFT | Core NTFS index. Contains $STANDARD_INFORMATION (0x10) and $FILE_NAME (0x30) timestamps. Crucial for detecting timestomping. |
| Prefetch (.pf) | C:\Windows\Prefetch\ | Execution evidence. Stores run counts, last 8 execution times, and handles/DLLs loaded within the first 10 seconds. |
| Amcache | C:\...\Amcache.hve | Tracks installed/executed applications. Stores SHA1 hashes, full file paths, and first execution timestamps. |
| ShimCache | SYSTEM\...\AppCompatCache | Application Compatibility Cache. Stores up to 1024 execution entries, including the Last Modified time of the binary. |
| Shellbags | NTUSER.DAT\...\BagMRU | Proves folder access/navigation by a specific user. Works even for deleted directories, USB drives, and network shares. |
| SRUM | C:\...\SRUDB.dat | System Resource Usage Monitor. ESE database tracking 30-day historical network usage (bytes sent/received) and CPU time per process. |
| EVTX Logs | C:\...\winevt\Logs\ | Windows Event Logs. Key IDs: 4624 (Logon), 4688 (Process Creation with Command Line), 7045 (Service Installation). |
| LNK Files | ...\Windows\Recent\ | Records file/folder access. Contains the Target's MAC address, Volume Serial Number, and Original Path. |
| Jump Lists | ...\AutomaticDestinations\ | Tracks files opened by specific applications pinned to the taskbar. Analyzed via AppIDs. |
| BITS | C:\...\Downloader | Background Intelligent Transfer Service (qmgr.dat). Legitimate updater service frequently abused by malware for C2 and persistence. |
| YARA | Detection Engine | Pattern matching tool for malware identification based on hexadecimal strings, regular expressions, and byte sequences. |
| Sigma | Detection Engine | Generic signature format for log events (SIEM). Used by Heimdall via Hayabusa to scan EVTX files for malicious behaviors. |
| TAXII / STIX | Threat Intelligence | Standardized JSON format (STIX 2.1) and HTTPS transport protocol (TAXII 2.1) used to ingest and correlate Indicators of Compromise (IOCs). |
help
FAQ
β frequently asked questions
Does Heimdall require an internet connection?βΌ
No. Heimdall is fully air-gap compatible. All analysis is performed locally. VirusTotal, AbuseIPDB and TAXII Threat Intel feeds are optional and can be disabled.
Can I use Heimdall on Windows?βΌ
Yes. Use start.ps1 on Windows. Docker Desktop with WSL2 is required. All features are supported on Windows, Linux and macOS.
Is Heimdall free?βΌ
Yes. Heimdall DFIR is released under the MIT License. Free forever. No subscription, no telemetry, no hidden costs.
Is RAM forensics available in v0.9?βΌ
Partially. Chunked upload of RAM dumps (up to 256 GB) is functional. Full Volatility 3 plugin execution and result display via VolWeb is coming in v1.0.
How do I report a bug?βΌ
Open an issue on the GitHub Issues tracker with as much detail as possible β steps to reproduce, logs, environment (OS, Docker version, browser).
acknowledgements
Credits
β open-source projects that make Heimdall possible
Eric Zimmerman
Zimmerman Tools β the gold standard for Windows forensics
Hayabusa
Sigma-based EVTX threat hunting by Yamato Security
VolWeb
Memory forensics platform by k1nd0ne
Volatility Foundation
The memory forensics framework
Elasticsearch
Distributed search and analytics engine
SigmaHQ
Generic signature format for SIEM systems
Neo23x0 (Florian Roth)
YARA rules and threat detection research
YARA
Pattern matching for malware researchers