I got tired of juggling 10 different tools for DFIR, so I spent the last 9 months building an open-source alternative.
Hey everyone,
I don't know about you, but I was getting seriously frustrated with how fragmented our tools are. Trying to piece together an investigation across Windows, Linux, and Mac artifacts usually means jumping between half a dozen different apps, and the centralized "all-in-one" solutions cost some money.
So, about 9 months ago, I decided to just try and build the tool I actually wanted to use. It's called Heimdall DFIR. GitHub: https://raiseix.github.io/Heimdall-DFIR
Instead of a bunch of marketing buzzwords, here is what it actually does right now:
- One giant timeline: It takes your artifacts (EVTX, MFT, Prefetch and other Windows artifacts, Linux/Mac logs, etc.) and merges them into a single chronological grid. I spent a lot of time trying to make the output actually human-readable instead of just dumping raw JSON on the screen.
- RAM Analysis: I hooked it up to VolWeb (Volatility 3). You can upload massive memory dumps directly in the UI, and it actually handles the stream without crashing the backend.
- Collaborative mode: Investigating alone sucks, so I added a side-chat and an evidence-pinning system so a team can look at the exact same case simultaneously.
To be completely transparent with you all: This is very much a Beta. It's a massive undertaking and it's still missing a lot of features I want to add before calling it a complete platform.
That’s honestly why I’m sharing it today. I’m hoping to get some brutally honest feedback from people who do this daily. What parsers are you constantly missing in open-source tools? What would make you actually want to use this?
If anyone wants to spin it up (Docker compose is ready to go), break it, submit bug reports, or even contribute code to help build this out, I would be incredibly grateful.
Let me know what you think. If you like the vision, a GitHub ⭐ helps a lot!
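The "one giant timeline" feature above is the classic super-timeline problem: every artifact family stamps time differently (EVTX uses ISO-8601 with a trailing Z, the MFT uses Windows FILETIME ticks since 1601, Prefetch last-run times are usually exposed as Unix epoch seconds, and syslog lines often carry a local UTC offset), and they only interleave correctly once everything is normalized to aware UTC. The example below is added here as an illustration and is not Heimdall DFIR's code; the record field names (`TimeCreated`, `si_created`, `last_run`, `line`), the `NORMALIZERS` table and the sample records are all constructed for the demo.

```python
"""Added example: normalize artifact records from several sources into one
chronological (super-)timeline. Hypothetical code, not Heimdall DFIR's own."""
from __future__ import annotations

import datetime as dt
from dataclasses import dataclass

UTC = dt.timezone.utc
# Offset between the Windows FILETIME epoch (1601-01-01) and the Unix epoch,
# expressed in 100-nanosecond ticks.
FILETIME_EPOCH_DELTA = 116_444_736_000_000_000


@dataclass(frozen=True)
class TimelineRow:
    ts: dt.datetime   # always timezone-aware, normalized to UTC
    source: str       # artifact family the row came from
    host: str
    summary: str      # one human-readable line instead of raw JSON


def filetime_to_utc(ft: int) -> dt.datetime:
    """Convert a Windows FILETIME (100-ns ticks since 1601-01-01) to aware UTC."""
    seconds, ticks = divmod(ft - FILETIME_EPOCH_DELTA, 10_000_000)
    return dt.datetime.fromtimestamp(seconds, tz=UTC).replace(microsecond=ticks // 10)


def iso_to_utc(text: str) -> dt.datetime:
    """Parse an ISO-8601 timestamp ('Z' or numeric offset) and normalize it to UTC."""
    parsed = dt.datetime.fromisoformat(text.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        # A naive timestamp cannot be placed on a shared timeline reliably.
        raise ValueError(f"naive timestamp rejected: {text}")
    return parsed.astimezone(UTC)


# One small normalizer per artifact family (field names are assumptions for the demo).
# Each returns (utc_timestamp, human-readable summary).
def _evtx(rec: dict) -> tuple[dt.datetime, str]:
    return iso_to_utc(rec["TimeCreated"]), f"EVTX {rec['Channel']} EventID {rec['EventID']}: {rec['Message']}"

def _mft(rec: dict) -> tuple[dt.datetime, str]:
    return filetime_to_utc(rec["si_created"]), f"MFT $SI created {rec['path']}"

def _prefetch(rec: dict) -> tuple[dt.datetime, str]:
    return dt.datetime.fromtimestamp(rec["last_run"], tz=UTC), f"Prefetch last run {rec['exe']} (count={rec['run_count']})"

def _syslog(rec: dict) -> tuple[dt.datetime, str]:
    # RFC 5424-style line: "<ISO timestamp> <host> <tag>: <message>"
    stamp, _host, rest = rec["line"].split(" ", 2)
    return iso_to_utc(stamp), f"syslog {rest}"

NORMALIZERS = {"evtx": _evtx, "mft": _mft, "prefetch": _prefetch, "syslog": _syslog}


def build_timeline(records: list[dict]) -> tuple[list[TimelineRow], list[dict]]:
    """Merge records of mixed types into one UTC-sorted timeline.

    Records whose timestamp is missing or unparseable are returned separately
    rather than silently dropped, so the analyst can see what the grid omits.
    """
    rows, rejected = [], []
    for rec in records:
        try:
            ts, summary = NORMALIZERS[rec["type"]](rec)
        except (KeyError, ValueError, TypeError, OverflowError):
            rejected.append(rec)
            continue
        rows.append(TimelineRow(ts, rec["type"], rec.get("host", "?"), summary))
    # Sort by time, then source, so identical timestamps render deterministically.
    rows.sort(key=lambda r: (r.ts, r.source))
    return rows, rejected


def render(rows: list[TimelineRow]) -> str:
    """Render the grid as fixed-width text, one event per line."""
    return "\n".join(
        f"{r.ts.isoformat(timespec='seconds')}  {r.source:<8} {r.host:<8} {r.summary}" for r in rows
    )


# Constructed sample records (not real evidence). The syslog line is stamped in
# UTC+01:00 and must land between the MFT and Prefetch rows once normalized.
SAMPLE_RECORDS = [
    {"type": "syslog", "host": "lnx01", "line": "2024-03-01T13:00:02+01:00 lnx01 sshd[4242]: Accepted publickey for svc from 10.0.0.5"},
    {"type": "evtx", "host": "win01", "Channel": "Security", "EventID": 4624, "TimeCreated": "2024-03-01T12:00:05.250Z", "Message": "Logon type 3"},
    {"type": "mft", "host": "win01", "path": r"C:\Users\Public\update.exe", "si_created": 133537680000000000},
    {"type": "prefetch", "host": "win01", "exe": "UPDATE.EXE", "last_run": 1709294404, "run_count": 1},
    {"type": "evtx", "host": "win01", "Channel": "Security", "EventID": 4688, "Message": "no timestamp"},  # rejected
]


def demo() -> tuple[list[TimelineRow], list[dict]]:
    rows, rejected = build_timeline(SAMPLE_RECORDS)
    print(render(rows))
    print(f"\n{len(rejected)} record(s) without a usable timestamp")
    return rows, rejected


if __name__ == "__main__":
    demo()
```

Running it prints the four usable events in true chronological order (MFT creation, then the syslog login, then the Prefetch run, then the EVTX logon) and reports the one record that had no timestamp. The design point worth carrying into a real parser set is the last part: a timeline that silently drops unparseable records hides exactly the gaps an investigator needs to know about, so rejects are returned alongside the grid rather than discarded.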