RaiseiX

A unified investigation cockpit built for CSIRT / SOC / DFIR teams. Ingest, correlate and visualise any forensic source in a real-time interface.

19 | 1 | 100% credibility
Found Apr 13, 2026 at 19 stars.

JavaScript

AI Summary

Heimdall DFIR is a unified web-based workbench for digital forensics and threat hunting teams to ingest, parse, analyze, and visualize forensic artifacts from Windows/Linux systems, network captures, and memory dumps.

How It Works

1. 🔍 Discover Heimdall DFIR

   You find this free tool on GitHub that helps investigators make sense of the digital evidence left behind by intrusions.

2. 📥 Get it running easily

   Download the files and run a simple setup script that prepares everything on your machine.

3. 🔐 Log in to your dashboard

   Open the web page, sign in with the pre-provisioned account, and see your secure workspace.

4. 📁 Start a new case

   Create a case folder for your investigation to organize all the digital evidence you will gather.

5. 📤 Upload your evidence files

   Drag and drop files such as logs or memory dumps; the tool scans them before they are ingested.

6. 🔬 Explore the super timeline

   See all events lined up in time order, with smart filters, risk colouring, and clickable details.

7. 📊 Get your investigation report

   Review findings with AI help, build your attack story, and export a polished PDF summary.

AI-Generated Review

What is Heimdall-DFIR?

Heimdall-DFIR is a unified investigation cockpit built for CSIRT, SOC, and DFIR teams. It ingests forensic artifacts from Windows and Linux hosts, PCAPs, and RAM dumps into a real-time super timeline backed by Elasticsearch. It correlates data across sources such as the Zimmerman parsers, Hayabusa Sigma detections, and Volatility via VolWeb, delivering visualizations, automatic triage scores, and PDF reports in a collaborative React interface. Deployed via Docker Compose with a Node.js backend, it handles everything from YARA scans to TAXII threat intel feeds without external tools.

Why is it gaining traction?

It stands out as a nearly all-in-one, GitHub-powered DFIR workbench, pulling Sigma and YARA rules directly from repositories such as SigmaHQ and Neo23x0/signature-base, with built-in SOAR playbooks for ransomware or RDP compromises. Real-time chat, presence indicators, and a local Ollama AI copilot (qwen2.5 or Llama) make investigations collaborative and fast, while ClamAV scans and DoD-style hard deletes address chain-of-custody requirements. No vendor lock-in, chunked uploads of RAM images up to 256GB, and lateral-movement graphs appeal to teams tired of stitching together Velociraptor, GRR, or TheHive.

Who should use this?

Incident responders in CSIRT/SOC teams handling incident investigations or threat hunts, especially those correlating EVTX, MFT, Prefetch, and network flows. DFIR analysts evaluating self-hosted alternatives to commercial SIEMs for mid-sized teams (8GB RAM minimum). Security operations teams correlating logs with IOC enrichment from VirusTotal.

Verdict

A promising beta for self-hosted DFIR with broad parsers and AI assistance, but 19 stars and a 1.0% credibility score signal early-stage risk; expect bugs, as the docs themselves note. Test in a lab before production use; the roadmap shows polish ahead.
