AYI-NEDJIMI committed
Commit f2c3f45 · verified · 1 Parent(s): 48504bf

Upload forensics-timeline Space

Files changed (3)
  1. README.md +74 -5
  2. app.py +1100 -0
  3. requirements.txt +4 -0
README.md CHANGED
@@ -1,12 +1,81 @@
1
  ---
2
  title: Forensics Timeline Builder
3
- emoji: 🦀
4
- colorFrom: pink
5
- colorTo: red
6
  sdk: gradio
7
- sdk_version: 6.5.1
 
8
  app_file: app.py
9
  pinned: false
10
  ---
11
 
12
- Check out the configuration reference at https://huggingface.co/docs/hub/spaces-config-reference
1
  ---
2
  title: Forensics Timeline Builder
3
+ emoji: 🔍
4
+ colorFrom: indigo
5
+ colorTo: purple
6
  sdk: gradio
7
+ sdk_version: 4.44.0
8
+ python_version: "3.10"
9
  app_file: app.py
10
  pinned: false
11
+ license: apache-2.0
12
+ tags:
13
+ - cybersecurity
14
+ - forensics
15
+ - dfir
16
+ - incident-response
17
+ - timeline
18
+ - ayinedjimi-consultants
19
  ---
20
 
21
+ # Forensics Timeline Builder - Interactive Investigation Tool
22
+
23
+ An interactive forensic investigation timeline generator that helps security professionals build comprehensive incident response timelines with forensic artifact recommendations and MITRE ATT&CK technique mappings.
24
+
25
+ ## Features
26
+
27
+ - **Interactive Timeline Visualization**: Gantt chart-based incident response timelines with color-coded phases
28
+ - **Multiple Incident Types**: Support for Ransomware, Data Breach, Insider Threat, APT, Malware Infection, Account Compromise, Web Compromise, and Supply Chain Attacks
29
+ - **Forensic Artifacts**: Detailed recommendations for artifact collection including:
30
+ - Registry keys and locations
31
+ - Event logs
32
+ - Memory dumps and analysis
33
+ - File system artifacts
34
+ - Network captures
35
+ - Tool recommendations
36
+ - **MITRE ATT&CK Mapping**: Relevant MITRE ATT&CK techniques for each incident type
37
+ - **Bilingual Support**: Full English and French interface
38
+ - **Markdown Export**: Export complete incident response timelines as formatted Markdown
39
+ - **Incident Response Phases**:
40
+ - Preparation
41
+ - Detection & Analysis
42
+ - Containment
43
+ - Eradication
44
+ - Recovery
45
+ - Post-Incident
46
+
47
+ ## Deep Resources
48
+
49
+ This tool links to comprehensive forensics articles:
50
+
51
+ - [Memory Forensics](https://ayinedjimi-consultants.fr/forensics/memory-forensics.html) - Advanced memory analysis techniques
52
+ - [Registry Forensics](https://ayinedjimi-consultants.fr/forensics/registry-forensics.html) - Windows registry examination
53
+ - [NTFS Forensics](https://ayinedjimi-consultants.fr/forensics/ntfs-forensics.html) - File system analysis
54
+ - [DFIR Tools Comparison](https://ayinedjimi-consultants.fr/forensics/dfir-tools-comparison.html) - Comprehensive tools review
55
+ - [Amcache & Shimcache](https://ayinedjimi-consultants.fr/forensics/amcache-shimcache.html) - Program execution artifacts
56
+ - [ETW & WPR Forensics](https://ayinedjimi-consultants.fr/forensics/etw-wpr-forensics.html) - Event tracing analysis
57
+ - [Evasion & Anti-Forensic](https://ayinedjimi-consultants.fr/forensics/evasion-antiforensic.html) - Evasion techniques
58
+ - [Telemetry Forensics](https://ayinedjimi-consultants.fr/forensics/telemetry-forensics.html) - Telemetry analysis
59
+ - [Windows Server 2025 Forensics](https://ayinedjimi-consultants.fr/forensics/windows-server-2025-forensics.html) - Server-specific forensics
60
+ - [Forensics Report Templates](https://ayinedjimi-consultants.fr/forensics/forensics-report-templates.html) - Report templates
61
+ - [Livre Blanc: Anatomie d'une Attaque Ransomware](https://ayinedjimi-consultants.fr/livre-blanc-anatomie-attaque-ransomware.html) - Ransomware analysis whitepaper
62
+
63
+ ## How to Use
64
+
65
+ 1. Select your language (English or Francais)
66
+ 2. Choose an incident type from the dropdown
67
+ 3. Click "Generate Timeline" to create the visualization
68
+ 4. Explore the different tabs:
69
+ - **Timeline Visualization**: Interactive Gantt chart of phases and tasks
70
+ - **Forensic Artifacts**: Detailed artifact collection guidance
71
+ - **MITRE ATT&CK**: Relevant techniques for the incident type
72
+ - **Export**: Export the complete timeline as Markdown
73
+ - **Resources**: Links to comprehensive forensics articles
74
+
75
+ ## Author
76
+
77
+ Created by [Ayinedjimi Consultants](https://ayinedjimi-consultants.fr/bio.html) - Your Digital Forensics and Incident Response Partner
78
+
79
+ ## License
80
+
81
+ Apache License 2.0
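Review bot: `+ sdk_version: 4.44.0` replaces the generated template's `- sdk_version: 6.5.1`, a major-version downgrade of the Gradio SDK; the Space runtime installs whatever this front-matter key declares, so make sure requirements.txt (changed in this commit but not visible in this hunk) pins a `gradio` release of the same major, because 4.x and 6.x component APIs are not interchangeable and a mismatch will fail at app startup rather than at review time. Two smaller points: "Francais" in step 1 of How to Use should read "Français", and the README documents the UI tabs but not how to run the tool outside a Space (install requirements.txt, then run app.py), which a DFIR analyst working on an isolated examination host would need.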
app.py ADDED
@@ -0,0 +1,1100 @@
1
+ import gradio as gr
2
+ import plotly.express as px
3
+ import pandas as pd
4
+ from datetime import datetime, timedelta
5
+ import json
6
+
7
+ # Define incident types and their timelines
8
+ INCIDENT_DATA = {
9
+ "Ransomware": {
10
+ "en": {
11
+ "phases": {
12
+ "Preparation": {
13
+ "duration_days": 14,
14
+ "tasks": [
15
+ {"task": "Network reconnaissance", "duration": 3},
16
+ {"task": "Vulnerability scanning", "duration": 4},
17
+ {"task": "Credential gathering", "duration": 5},
18
+ {"task": "Lateral movement setup", "duration": 2}
19
+ ]
20
+ },
21
+ "Detection & Analysis": {
22
+ "duration_days": 2,
23
+ "tasks": [
24
+ {"task": "Alert detection", "duration": 0.5},
25
+ {"task": "Initial investigation", "duration": 1},
26
+ {"task": "Scope determination", "duration": 0.5}
27
+ ]
28
+ },
29
+ "Containment": {
30
+ "duration_days": 4,
31
+ "tasks": [
32
+ {"task": "Isolate affected systems", "duration": 1},
33
+ {"task": "Disable network shares", "duration": 1},
34
+ {"task": "Block C2 communications", "duration": 1},
35
+ {"task": "Reset credentials", "duration": 1}
36
+ ]
37
+ },
38
+ "Eradication": {
39
+ "duration_days": 7,
40
+ "tasks": [
41
+ {"task": "Remove malware", "duration": 2},
42
+ {"task": "Patch vulnerabilities", "duration": 3},
43
+ {"task": "Remove backdoors", "duration": 2}
44
+ ]
45
+ },
46
+ "Recovery": {
47
+ "duration_days": 10,
48
+ "tasks": [
49
+ {"task": "Restore from backups", "duration": 5},
50
+ {"task": "System validation", "duration": 3},
51
+ {"task": "User retraining", "duration": 2}
52
+ ]
53
+ },
54
+ "Post-Incident": {
55
+ "duration_days": 5,
56
+ "tasks": [
57
+ {"task": "Incident report", "duration": 2},
58
+ {"task": "Lessons learned", "duration": 2},
59
+ {"task": "Policy updates", "duration": 1}
60
+ ]
61
+ }
62
+ },
63
+ "artifacts": {
64
+ "Registry": {
65
+ "keys": [
66
+ "HKLM\\SYSTEM\\CurrentControlSet\\Services",
67
+ "HKLM\\SOFTWARE\\Microsoft\\Windows\\Run",
68
+ "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
69
+ "HKLM\\SYSTEM\\CurrentControlSet\\Control\\CrashControl"
70
+ ],
71
+ "tools": ["Registry Explorer", "RegRipper", "Volatility"]
72
+ },
73
+ "Event Logs": {
74
+ "keys": [
75
+ "Security Event Log (4688, 4689, 4625)",
76
+ "System Event Log (1000, 1001)",
77
+ "Application Event Log",
78
+ "Sysmon Logs (Process creation, Network connection)"
79
+ ],
80
+ "tools": ["Event Viewer", "LogParser", "Volatility"]
81
+ },
82
+ "Memory": {
83
+ "keys": [
84
+ "RAM dump (hiberfil.sys, memory.dmp)",
85
+ "Process memory (running processes)",
86
+ "Kernel memory (malware hooks)",
87
+ "Network connections in memory"
88
+ ],
89
+ "tools": ["Volatility", "WinDbg", "DumpIt"]
90
+ },
91
+ "File System": {
92
+ "keys": [
93
+ "Ransomware note files",
94
+ "Encrypted file extensions",
95
+ "Modified timestamps (MFT)",
96
+ "Deleted files ($Recycle.Bin)"
97
+ ],
98
+ "tools": ["FTK Imager", "Autopsy", "EnCase"]
99
+ },
100
+ "Network": {
101
+ "keys": [
102
+ "Network traffic captures",
103
+ "Firewall logs",
104
+ "DNS query logs",
105
+ "NetFlow data"
106
+ ],
107
+ "tools": ["Wireshark", "tcpdump", "Zeek"]
108
+ }
109
+ },
110
+ "mitre_techniques": [
111
+ "T1566.002 - Phishing: Spearphishing Link",
112
+ "T1190 - Exploit Public-Facing Application",
113
+ "T1078 - Valid Accounts",
114
+ "T1570 - Lateral Tool Transfer",
115
+ "T1486 - Data Encrypted for Impact",
116
+ "T1570 - Lateral Tool Transfer"
117
+ ]
118
+ },
119
+ "fr": {
120
+ "phases": {
121
+ "Preparation": {
122
+ "duration_days": 14,
123
+ "tasks": [
124
+ {"task": "Reconnaissance du reseau", "duration": 3},
125
+ {"task": "Scan de vulnerabilites", "duration": 4},
126
+ {"task": "Collecte d'identifiants", "duration": 5},
127
+ {"task": "Configuration du mouvement lateral", "duration": 2}
128
+ ]
129
+ },
130
+ "Detection & Analysis": {
131
+ "duration_days": 2,
132
+ "tasks": [
133
+ {"task": "Detection d'alerte", "duration": 0.5},
134
+ {"task": "Investigation initiale", "duration": 1},
135
+ {"task": "Determination de la portee", "duration": 0.5}
136
+ ]
137
+ },
138
+ "Containment": {
139
+ "duration_days": 4,
140
+ "tasks": [
141
+ {"task": "Isolation des systemes affectes", "duration": 1},
142
+ {"task": "Desactivation des partages reseau", "duration": 1},
143
+ {"task": "Blocage des communications C2", "duration": 1},
144
+ {"task": "Reinitialisation des identifiants", "duration": 1}
145
+ ]
146
+ },
147
+ "Eradication": {
148
+ "duration_days": 7,
149
+ "tasks": [
150
+ {"task": "Suppression de logiciels malveillants", "duration": 2},
151
+ {"task": "Correction des vulnerabilites", "duration": 3},
152
+ {"task": "Suppression des portes derriere", "duration": 2}
153
+ ]
154
+ },
155
+ "Recovery": {
156
+ "duration_days": 10,
157
+ "tasks": [
158
+ {"task": "Restauration a partir des sauvegardes", "duration": 5},
159
+ {"task": "Validation du systeme", "duration": 3},
160
+ {"task": "Formation des utilisateurs", "duration": 2}
161
+ ]
162
+ },
163
+ "Post-Incident": {
164
+ "duration_days": 5,
165
+ "tasks": [
166
+ {"task": "Rapport d'incident", "duration": 2},
167
+ {"task": "Lecons apprises", "duration": 2},
168
+ {"task": "Mise a jour des politiques", "duration": 1}
169
+ ]
170
+ }
171
+ },
172
+ "artifacts": {
173
+ "Registre": {
174
+ "keys": [
175
+ "HKLM\\SYSTEM\\CurrentControlSet\\Services",
176
+ "HKLM\\SOFTWARE\\Microsoft\\Windows\\Run",
177
+ "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
178
+ "HKLM\\SYSTEM\\CurrentControlSet\\Control\\CrashControl"
179
+ ],
180
+ "tools": ["Registry Explorer", "RegRipper", "Volatility"]
181
+ },
182
+ "Journaux d'evenements": {
183
+ "keys": [
184
+ "Journal de securite (4688, 4689, 4625)",
185
+ "Journal systeme (1000, 1001)",
186
+ "Journal d'application",
187
+ "Journaux Sysmon (Creation de processus, Connexion reseau)"
188
+ ],
189
+ "tools": ["Observateur d'evenements", "LogParser", "Volatility"]
190
+ },
191
+ "Memoire": {
192
+ "keys": [
193
+ "Image RAM (hiberfil.sys, memory.dmp)",
194
+ "Memoire de processus (processus en cours)",
195
+ "Memoire du noyau (crochets de logiciels malveillants)",
196
+ "Connexions reseau en memoire"
197
+ ],
198
+ "tools": ["Volatility", "WinDbg", "DumpIt"]
199
+ },
200
+ "Systeme de fichiers": {
201
+ "keys": [
202
+ "Fichiers de note de rancongiciel",
203
+ "Extensions de fichiers chiffres",
204
+ "Horodatages modifies (MFT)",
205
+ "Fichiers supprimes ($Recycle.Bin)"
206
+ ],
207
+ "tools": ["FTK Imager", "Autopsy", "EnCase"]
208
+ },
209
+ "Reseau": {
210
+ "keys": [
211
+ "Captures de trafic reseau",
212
+ "Journaux de pare-feu",
213
+ "Journaux de requetes DNS",
214
+ "Donnees NetFlow"
215
+ ],
216
+ "tools": ["Wireshark", "tcpdump", "Zeek"]
217
+ }
218
+ },
219
+ "mitre_techniques": [
220
+ "T1566.002 - Phishing: Lien de spear-phishing",
221
+ "T1190 - Exploitation d'application exposee publiquement",
222
+ "T1078 - Comptes valides",
223
+ "T1570 - Transfert lateral d'outils",
224
+ "T1486 - Donnees chiffrees pour impact",
225
+ "T1570 - Transfert lateral d'outils"
226
+ ]
227
+ }
228
+ },
229
+ "Data Breach": {
230
+ "en": {
231
+ "phases": {
232
+ "Preparation": {
233
+ "duration_days": 21,
234
+ "tasks": [
235
+ {"task": "Target identification", "duration": 5},
236
+ {"task": "Social engineering", "duration": 8},
237
+ {"task": "Access establishment", "duration": 5},
238
+ {"task": "Data exfiltration setup", "duration": 3}
239
+ ]
240
+ },
241
+ "Detection & Analysis": {
242
+ "duration_days": 3,
243
+ "tasks": [
244
+ {"task": "Unusual access detected", "duration": 0.5},
245
+ {"task": "Data movement analysis", "duration": 1.5},
246
+ {"task": "Compromised accounts identified", "duration": 1}
247
+ ]
248
+ },
249
+ "Containment": {
250
+ "duration_days": 2,
251
+ "tasks": [
252
+ {"task": "Revoke access tokens", "duration": 0.5},
253
+ {"task": "Block data exfiltration", "duration": 0.5},
254
+ {"task": "Alert users", "duration": 1}
255
+ ]
256
+ },
257
+ "Eradication": {
258
+ "duration_days": 5,
259
+ "tasks": [
260
+ {"task": "Close unauthorized access points", "duration": 2},
261
+ {"task": "Remove stolen data", "duration": 2},
262
+ {"task": "Patch vulnerabilities", "duration": 1}
263
+ ]
264
+ },
265
+ "Recovery": {
266
+ "duration_days": 7,
267
+ "tasks": [
268
+ {"task": "Restore security controls", "duration": 3},
269
+ {"task": "Credential reset", "duration": 2},
270
+ {"task": "System verification", "duration": 2}
271
+ ]
272
+ },
273
+ "Post-Incident": {
274
+ "duration_days": 10,
275
+ "tasks": [
276
+ {"task": "Breach notification", "duration": 3},
277
+ {"task": "Regulatory compliance", "duration": 4},
278
+ {"task": "Customer communication", "duration": 3}
279
+ ]
280
+ }
281
+ },
282
+ "artifacts": {
283
+ "Event Logs": {
284
+ "keys": [
285
+ "Account logon events (4624, 4625)",
286
+ "Privileged use (4672)",
287
+ "Object access (4660, 4663)",
288
+ "Sysmon network connections"
289
+ ],
290
+ "tools": ["Event Viewer", "LogParser", "Splunk"]
291
+ },
292
+ "Database": {
293
+ "keys": [
294
+ "Database audit logs",
295
+ "Query execution logs",
296
+ "User access logs",
297
+ "Data export records"
298
+ ],
299
+ "tools": ["Database native tools", "SQL Profiler", "Splunk"]
300
+ },
301
+ "Network": {
302
+ "keys": [
303
+ "Firewall logs (data egress)",
304
+ "Proxy logs",
305
+ "DLP alerts",
306
+ "Network flow data"
307
+ ],
308
+ "tools": ["Wireshark", "Zeek", "Splunk"]
309
+ },
310
+ "File System": {
311
+ "keys": [
312
+ "File access timestamps",
313
+ "Copy operations",
314
+ "Deleted recovery files",
315
+ "Temp file artifacts"
316
+ ],
317
+ "tools": ["FTK Imager", "Autopsy", "EnCase"]
318
+ },
319
+ "Memory": {
320
+ "keys": [
321
+ "Active network connections",
322
+ "Running processes",
323
+ "Loaded modules",
324
+ "Open files"
325
+ ],
326
+ "tools": ["Volatility", "WinDbg", "ProcessMonitor"]
327
+ }
328
+ },
329
+ "mitre_techniques": [
330
+ "T1040 - Traffic Capture or Redirection",
331
+ "T1557 - Man-in-the-Middle",
332
+ "T1111 - Multi-Stage Channels",
333
+ "T1020 - Automated Exfiltration",
334
+ "T1041 - Exfiltration Over C2 Channel",
335
+ "T1567 - Exfiltration Over Web Service"
336
+ ]
337
+ },
338
+ "fr": {
339
+ "phases": {
340
+ "Preparation": {
341
+ "duration_days": 21,
342
+ "tasks": [
343
+ {"task": "Identification de la cible", "duration": 5},
344
+ {"task": "Ingenierie sociale", "duration": 8},
345
+ {"task": "Etablissement d'acces", "duration": 5},
346
+ {"task": "Configuration d'exfiltration", "duration": 3}
347
+ ]
348
+ },
349
+ "Detection & Analysis": {
350
+ "duration_days": 3,
351
+ "tasks": [
352
+ {"task": "Acces anormal detecte", "duration": 0.5},
353
+ {"task": "Analyse des mouvements de donnees", "duration": 1.5},
354
+ {"task": "Comptes compromis identifies", "duration": 1}
355
+ ]
356
+ },
357
+ "Containment": {
358
+ "duration_days": 2,
359
+ "tasks": [
360
+ {"task": "Revoquer les jetons d'acces", "duration": 0.5},
361
+ {"task": "Bloquer l'exfiltration", "duration": 0.5},
362
+ {"task": "Alerter les utilisateurs", "duration": 1}
363
+ ]
364
+ },
365
+ "Eradication": {
366
+ "duration_days": 5,
367
+ "tasks": [
368
+ {"task": "Fermer les points d'acces non autorises", "duration": 2},
369
+ {"task": "Supprimer les donnees volees", "duration": 2},
370
+ {"task": "Corriger les vulnerabilites", "duration": 1}
371
+ ]
372
+ },
373
+ "Recovery": {
374
+ "duration_days": 7,
375
+ "tasks": [
376
+ {"task": "Restaurer les controles de securite", "duration": 3},
377
+ {"task": "Reinitialisation des identifiants", "duration": 2},
378
+ {"task": "Verification du systeme", "duration": 2}
379
+ ]
380
+ },
381
+ "Post-Incident": {
382
+ "duration_days": 10,
383
+ "tasks": [
384
+ {"task": "Notification de violation", "duration": 3},
385
+ {"task": "Conformite reglementaire", "duration": 4},
386
+ {"task": "Communication avec les clients", "duration": 3}
387
+ ]
388
+ }
389
+ },
390
+ "artifacts": {
391
+ "Journaux d'evenements": {
392
+ "keys": [
393
+ "Evenements de connexion au compte (4624, 4625)",
394
+ "Utilisation privilegiee (4672)",
395
+ "Acces aux objets (4660, 4663)",
396
+ "Connexions reseau Sysmon"
397
+ ],
398
+ "tools": ["Observateur d'evenements", "LogParser", "Splunk"]
399
+ },
400
+ "Base de donnees": {
401
+ "keys": [
402
+ "Journaux d'audit de la base de donnees",
403
+ "Journaux d'execution des requetes",
404
+ "Journaux d'acces des utilisateurs",
405
+ "Enregistrements d'exportation de donnees"
406
+ ],
407
+ "tools": ["Outils natifs de base de donnees", "SQL Profiler", "Splunk"]
408
+ },
409
+ "Reseau": {
410
+ "keys": [
411
+ "Journaux de pare-feu (sortie de donnees)",
412
+ "Journaux proxy",
413
+ "Alertes DLP",
414
+ "Donnees de flux reseau"
415
+ ],
416
+ "tools": ["Wireshark", "Zeek", "Splunk"]
417
+ },
418
+ "Systeme de fichiers": {
419
+ "keys": [
420
+ "Horodatages d'acces aux fichiers",
421
+ "Operations de copie",
422
+ "Fichiers de recuperation supprimes",
423
+ "Artefacts de fichier temporaire"
424
+ ],
425
+ "tools": ["FTK Imager", "Autopsy", "EnCase"]
426
+ },
427
+ "Memoire": {
428
+ "keys": [
429
+ "Connexions reseau actives",
430
+ "Processus en cours d'execution",
431
+ "Modules charges",
432
+ "Fichiers ouverts"
433
+ ],
434
+ "tools": ["Volatility", "WinDbg", "ProcessMonitor"]
435
+ }
436
+ },
437
+ "mitre_techniques": [
438
+ "T1040 - Capture ou redirection du trafic",
439
+ "T1557 - Attaque de l'homme au milieu",
440
+ "T1111 - Canaux multi-etapes",
441
+ "T1020 - Exfiltration automatisee",
442
+ "T1041 - Exfiltration sur canal C2",
443
+ "T1567 - Exfiltration sur service Web"
444
+ ]
445
+ }
446
+ },
447
+ "Insider Threat": {
448
+ "en": {
449
+ "phases": {
450
+ "Preparation": {
451
+ "duration_days": 7,
452
+ "tasks": [
453
+ {"task": "Motivation analysis", "duration": 2},
454
+ {"task": "Access planning", "duration": 3},
455
+ {"task": "Data targeting", "duration": 2}
456
+ ]
457
+ },
458
+ "Detection & Analysis": {
459
+ "duration_days": 4,
460
+ "tasks": [
461
+ {"task": "Behavioral anomaly detection", "duration": 1},
462
+ {"task": "User activity analysis", "duration": 1.5},
463
+ {"task": "Data exfiltration confirmation", "duration": 1.5}
464
+ ]
465
+ },
466
+ "Containment": {
467
+ "duration_days": 1,
468
+ "tasks": [
469
+ {"task": "Account suspension", "duration": 0.5},
470
+ {"task": "Data access revocation", "duration": 0.5}
471
+ ]
472
+ },
473
+ "Eradication": {
474
+ "duration_days": 3,
475
+ "tasks": [
476
+ {"task": "Remove access credentials", "duration": 1},
477
+ {"task": "Recover exfiltrated data", "duration": 2}
478
+ ]
479
+ },
480
+ "Recovery": {
481
+ "duration_days": 5,
482
+ "tasks": [
483
+ {"task": "Restore access controls", "duration": 2},
484
+ {"task": "Audit other user activities", "duration": 2},
485
+ {"task": "Data integrity verification", "duration": 1}
486
+ ]
487
+ },
488
+ "Post-Incident": {
489
+ "duration_days": 14,
490
+ "tasks": [
491
+ {"task": "Legal proceedings", "duration": 7},
492
+ {"task": "Security awareness training", "duration": 3},
493
+ {"task": "Policy enforcement review", "duration": 4}
494
+ ]
495
+ }
496
+ },
497
+ "artifacts": {
498
+ "Event Logs": {
499
+ "keys": [
500
+ "Logon/Logoff events (4624, 4634)",
501
+ "Privileged activity (4672, 4648)",
502
+ "File access logs (4660, 4663)",
503
+ "Object deletion (4659)"
504
+ ],
505
+ "tools": ["Event Viewer", "Splunk", "ELK Stack"]
506
+ },
507
+ "User Behavior": {
508
+ "keys": [
509
+ "Email activity logs",
510
+ "File access patterns",
511
+ "Unusual working hours",
512
+ "Data bulk downloads"
513
+ ],
514
+ "tools": ["UEBA tools", "Splunk", "Insider Threat tools"]
515
+ },
516
+ "Endpoint": {
517
+ "keys": [
518
+ "USB device connections",
519
+ "Process execution",
520
+ "Network connections",
521
+ "Clipboard contents"
522
+ ],
523
+ "tools": ["Volatility", "ProcessMonitor", "Wireshark"]
524
+ },
525
+ "Network": {
526
+ "keys": [
527
+ "Email server logs",
528
+ "FTP/SFTP activity",
529
+ "Cloud storage access",
530
+ "Web proxy logs"
531
+ ],
532
+ "tools": ["Zeek", "Splunk", "Wireshark"]
533
+ },
534
+ "File System": {
535
+ "keys": [
536
+ "File modification times",
537
+ "Access control lists",
538
+ "Deleted file recovery",
539
+ "Shadow copies"
540
+ ],
541
+ "tools": ["FTK Imager", "Autopsy", "EnCase"]
542
+ }
543
+ },
544
+ "mitre_techniques": [
545
+ "T1005 - Data Staged Local",
546
+ "T1020 - Automated Exfiltration",
547
+ "T1048 - Exfiltration Over Alternative Protocol",
548
+ "T1567 - Exfiltration Over Web Service",
549
+ "T1030 - Data Transfer Size Limits",
550
+ "T1123 - Audio Capture"
551
+ ]
552
+ },
553
+ "fr": {
554
+ "phases": {
555
+ "Preparation": {
556
+ "duration_days": 7,
557
+ "tasks": [
558
+ {"task": "Analyse de la motivation", "duration": 2},
559
+ {"task": "Planification de l'acces", "duration": 3},
560
+ {"task": "Ciblage des donnees", "duration": 2}
561
+ ]
562
+ },
563
+ "Detection & Analysis": {
564
+ "duration_days": 4,
565
+ "tasks": [
566
+ {"task": "Detection d'anomalie comportementale", "duration": 1},
567
+ {"task": "Analyse de l'activite des utilisateurs", "duration": 1.5},
568
+ {"task": "Confirmation d'exfiltration de donnees", "duration": 1.5}
569
+ ]
570
+ },
571
+ "Containment": {
572
+ "duration_days": 1,
573
+ "tasks": [
574
+ {"task": "Suspension du compte", "duration": 0.5},
575
+ {"task": "Revocation d'acces aux donnees", "duration": 0.5}
576
+ ]
577
+ },
578
+ "Eradication": {
579
+ "duration_days": 3,
580
+ "tasks": [
581
+ {"task": "Supprimer les identifiants d'acces", "duration": 1},
582
+ {"task": "Recuperer les donnees exfiltrees", "duration": 2}
583
+ ]
584
+ },
585
+ "Recovery": {
586
+ "duration_days": 5,
587
+ "tasks": [
588
+ {"task": "Restaurer les controles d'acces", "duration": 2},
589
+ {"task": "Audit des autres activites utilisateur", "duration": 2},
590
+ {"task": "Verification de l'integrite des donnees", "duration": 1}
591
+ ]
592
+ },
593
+ "Post-Incident": {
594
+ "duration_days": 14,
595
+ "tasks": [
596
+ {"task": "Procedures judiciaires", "duration": 7},
597
+ {"task": "Formation de sensibilisation a la securite", "duration": 3},
598
+ {"task": "Examen de l'application de la politique", "duration": 4}
599
+ ]
600
+ }
601
+ },
602
+ "artifacts": {
603
+ "Journaux d'evenements": {
604
+ "keys": [
605
+ "Evenements de connexion/deconnexion (4624, 4634)",
606
+ "Activite privilegiee (4672, 4648)",
607
+ "Journaux d'acces aux fichiers (4660, 4663)",
608
+ "Suppression d'objets (4659)"
609
+ ],
610
+ "tools": ["Observateur d'evenements", "Splunk", "Stack ELK"]
611
+ },
612
+ "Comportement de l'utilisateur": {
613
+ "keys": [
614
+ "Journaux d'activite de la messagerie",
615
+ "Modeles d'acces aux fichiers",
616
+ "Heures de travail inhabituelles",
617
+ "Telechargements en masse de donnees"
618
+ ],
619
+ "tools": ["Outils UEBA", "Splunk", "Outils de menace interieure"]
620
+ },
621
+ "Point terminal": {
622
+ "keys": [
623
+ "Connexions de periferiques USB",
624
+ "Execution de processus",
625
+ "Connexions reseau",
626
+ "Contenu du presse-papiers"
627
+ ],
628
+ "tools": ["Volatility", "ProcessMonitor", "Wireshark"]
629
+ },
630
+ "Reseau": {
631
+ "keys": [
632
+ "Journaux du serveur de messagerie",
633
+ "Activite FTP/SFTP",
634
+ "Acces au stockage en nuage",
635
+ "Journaux proxy Web"
636
+ ],
637
+ "tools": ["Zeek", "Splunk", "Wireshark"]
638
+ },
639
+ "Systeme de fichiers": {
640
+ "keys": [
641
+ "Temps de modification des fichiers",
642
+ "Listes de controle d'acces",
643
+ "Recuperation de fichiers supprimes",
644
+ "Copies fantome"
645
+ ],
646
+ "tools": ["FTK Imager", "Autopsy", "EnCase"]
647
+ }
648
+ },
649
+ "mitre_techniques": [
650
+ "T1005 - Donnees preparees localement",
651
+ "T1020 - Exfiltration automatisee",
652
+ "T1048 - Exfiltration sur protocole alternatif",
653
+ "T1567 - Exfiltration sur service Web",
654
+ "T1030 - Limites de taille de transfert de donnees",
655
+ "T1123 - Capture audio"
656
+ ]
657
+ }
658
+ },
659
+ "APT": {
660
+ "en": {
661
+ "phases": {
662
+ "Preparation": {
663
+ "duration_days": 60,
664
+ "tasks": [
665
+ {"task": "Intelligence gathering", "duration": 15},
666
+ {"task": "Vulnerability research", "duration": 20},
667
+ {"task": "Tool development", "duration": 15},
668
+ {"task": "Infrastructure setup", "duration": 10}
669
+ ]
670
+ },
671
+ "Detection & Analysis": {
672
+ "duration_days": 30,
673
+ "tasks": [
674
+ {"task": "Initial indicators", "duration": 5},
675
+ {"task": "Attribution analysis", "duration": 15},
676
+ {"task": "Threat actor identification", "duration": 10}
677
+ ]
678
+ },
679
+ "Containment": {
680
+ "duration_days": 14,
681
+ "tasks": [
682
+ {"task": "Isolate compromised systems", "duration": 3},
683
+ {"task": "Block C2 infrastructure", "duration": 3},
684
+ {"task": "Hunt for backdoors", "duration": 5},
685
+ {"task": "Reset all credentials", "duration": 3}
686
+ ]
687
+ },
688
+ "Eradication": {
689
+ "duration_days": 21,
690
+ "tasks": [
691
+ {"task": "Remove all malware", "duration": 7},
692
+ {"task": "Eliminate persistence mechanisms", "duration": 7},
693
+ {"task": "Patch all vulnerabilities", "duration": 7}
694
+ ]
695
+ },
696
+ "Recovery": {
697
+ "duration_days": 30,
698
+ "tasks": [
699
+ {"task": "Rebuild systems from scratch", "duration": 15},
700
+ {"task": "Restore from verified clean backups", "duration": 10},
701
+ {"task": "Comprehensive testing", "duration": 5}
702
+ ]
703
+ },
704
+ "Post-Incident": {
705
+ "duration_days": 60,
706
+ "tasks": [
707
+ {"task": "Detailed forensics report", "duration": 20},
708
+ {"task": "Threat intelligence sharing", "duration": 15},
709
+ {"task": "Enhanced monitoring deployment", "duration": 15},
710
+ {"task": "Security posture improvement", "duration": 10}
711
+ ]
712
+ }
713
+ },
714
+ "artifacts": {
715
+ "System Registry": {
716
+ "keys": [
717
+ "HKLM\\SYSTEM\\CurrentControlSet\\Services",
718
+ "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion",
719
+ "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU",
720
+ "HKLM\\SYSTEM\\Select"
721
+ ],
722
+ "tools": ["Registry Explorer", "RegRipper", "Volatility"]
723
+ },
724
+ "Event Logs": {
725
+ "keys": [
726
+ "Security logs (all event types)",
727
+ "System logs (driver installations)",
728
+ "Sysmon logs (complete)",
729
+ "PowerShell logs"
730
+ ],
731
+ "tools": ["Event Viewer", "Splunk", "ELK Stack"]
732
+ },
733
+ "Memory": {
734
+ "keys": [
735
+ "Full memory dump",
736
+ "Process memory analysis",
737
+ "DLL injection points",
738
+ "Rootkit detection"
739
+ ],
740
+ "tools": ["Volatility", "WinDbg", "MemoryTools"]
741
+ },
742
+ "File System": {
743
+ "keys": [
744
+ "MFT analysis",
745
+ "USN Journal",
746
+ "File slack space",
747
+ "Alternate data streams"
748
+ ],
749
+ "tools": ["FTK Imager", "Autopsy", "EnCase"]
750
+ },
751
+ "Network": {
752
+ "keys": [
753
+ "Network traffic (pcap)",
754
+ "DNS query logs",
755
+ "Firewall logs (all)",
756
+ "Proxy logs (complete)"
757
+ ],
758
+ "tools": ["Wireshark", "Zeek", "Splunk"]
759
+ }
760
+ },
761
+ "mitre_techniques": [
762
+ "T1595 - Active Scanning",
763
+ "T1592 - Gather Victim Host Information",
764
+ "T1199 - Trusted Relationship",
765
+ "T1566 - Phishing",
766
+ "T1190 - Exploit Public-Facing Application",
767
+ "T1021 - Remote Services",
768
+ "T1059 - Command and Scripting Interpreter"
769
+ ]
770
+ },
771
+ "fr": {
772
+ "phases": {
773
+ "Preparation": {
774
+ "duration_days": 60,
775
+ "tasks": [
776
+ {"task": "Collecte de renseignements", "duration": 15},
777
+ {"task": "Recherche de vulnerabilites", "duration": 20},
778
+ {"task": "Developpement d'outils", "duration": 15},
779
+ {"task": "Configuration d'infrastructure", "duration": 10}
780
+ ]
781
+ },
782
+ "Detection & Analysis": {
783
+ "duration_days": 30,
784
+ "tasks": [
785
+ {"task": "Indicateurs initiaux", "duration": 5},
786
+ {"task": "Analyse d'attribution", "duration": 15},
787
+ {"task": "Identification de l'acteur menace", "duration": 10}
788
+ ]
789
+ },
790
+ "Containment": {
791
+ "duration_days": 14,
792
+ "tasks": [
793
+ {"task": "Isoler les systemes compromis", "duration": 3},
794
+ {"task": "Bloquer l'infrastructure C2", "duration": 3},
795
+ {"task": "Chasse aux portes derriere", "duration": 5},
796
+ {"task": "Reinitialiser tous les identifiants", "duration": 3}
797
+ ]
798
+ },
799
+ "Eradication": {
800
+ "duration_days": 21,
801
+ "tasks": [
802
+ {"task": "Supprimer tous les logiciels malveillants", "duration": 7},
803
+ {"task": "Eliminer les mecanismes de persistance", "duration": 7},
804
+ {"task": "Corriger toutes les vulnerabilites", "duration": 7}
805
+ ]
806
+ },
807
+ "Recovery": {
808
+ "duration_days": 30,
809
+ "tasks": [
810
+ {"task": "Reconstruire les systemes a partir de zero", "duration": 15},
811
+ {"task": "Restaurer a partir de sauvegardes verifiees propres", "duration": 10},
812
+ {"task": "Tests exhaustifs", "duration": 5}
813
+ ]
814
+ },
815
+ "Post-Incident": {
816
+ "duration_days": 60,
817
+ "tasks": [
818
+ {"task": "Rapport forensique detaille", "duration": 20},
819
+ {"task": "Partage de renseignements sur les menaces", "duration": 15},
820
+ {"task": "Deploiement d'une surveillance amelioree", "duration": 15},
821
+ {"task": "Amelioration de la posture de securite", "duration": 10}
822
+ ]
823
+ }
824
+ },
825
+ "artifacts": {
826
+ "Registre systeme": {
827
+ "keys": [
828
+ "HKLM\\SYSTEM\\CurrentControlSet\\Services",
829
+ "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion",
830
+ "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU",
831
+ "HKLM\\SYSTEM\\Select"
832
+ ],
833
+ "tools": ["Registry Explorer", "RegRipper", "Volatility"]
834
+ },
835
+ "Journaux d'evenements": {
836
+ "keys": [
837
+ "Journaux de securite (tous types d'evenements)",
838
+ "Journaux systeme (installations de pilotes)",
839
+ "Journaux Sysmon (complet)",
840
+ "Journaux PowerShell"
841
+ ],
842
+ "tools": ["Observateur d'evenements", "Splunk", "Stack ELK"]
843
+ },
844
+ "Memoire": {
845
+ "keys": [
846
+ "Image memoire complete",
847
+ "Analyse de memoire de processus",
848
+ "Points d'injection DLL",
849
+ "Detection de rootkit"
850
+ ],
851
+ "tools": ["Volatility", "WinDbg", "MemoryTools"]
852
+ },
853
+ "Systeme de fichiers": {
854
+ "keys": [
855
+ "Analyse MFT",
856
+ "Journal USN",
857
+ "Espace slack de fichier",
858
+ "Flux de donnees alternatifs"
859
+ ],
860
+ "tools": ["FTK Imager", "Autopsy", "EnCase"]
861
+ },
862
+ "Reseau": {
863
+ "keys": [
864
+ "Trafic reseau (pcap)",
865
+ "Journaux de requetes DNS",
866
+ "Journaux de pare-feu (tous)",
867
+ "Journaux proxy (complets)"
868
+ ],
869
+ "tools": ["Wireshark", "Zeek", "Splunk"]
870
+ }
871
+ },
872
+ "mitre_techniques": [
873
+ "T1595 - Numérisation active",
874
+ "T1592 - Collecter des informations sur l'hôte de la victime",
875
+ "T1199 - Relation de confiance",
876
+ "T1566 - Phishing",
877
+ "T1190 - Exploitation d'application exposée publiquement",
878
+ "T1021 - Services distants",
879
+ "T1059 - Interpréteur de commandes et de scripts"
880
+ ]
881
+ }
882
+ }
883
+ }
884
+
885
+ def build_timeline_dataframe(incident_type, language):
886
+ """Build timeline dataframe for Plotly visualization"""
887
+ data = INCIDENT_DATA[incident_type][language]
888
+ timeline_data = []
889
+ start_date = datetime(2024, 1, 1)
890
+ current_date = start_date
891
+
892
+ for phase_name, phase_info in data["phases"].items():
893
+ for task in phase_info["tasks"]:
894
+ task_name = task["task"]
895
+ duration = task["duration"]
896
+ end_date = current_date + timedelta(days=duration)
897
+
898
+ timeline_data.append({
899
+ "Phase": phase_name,
900
+ "Task": task_name,
901
+ "Start": current_date,
902
+ "End": end_date,
903
+ "Duration": duration
904
+ })
905
+
906
+ current_date = end_date
907
+
908
+ df = pd.DataFrame(timeline_data)
909
+ return df
910
+
911
+ def create_gantt_chart(incident_type, language):
912
+ """Create Plotly Gantt chart"""
913
+ df = build_timeline_dataframe(incident_type, language)
914
+
915
+ colors = {
916
+ "Preparation": "#FF6B6B",
917
+ "Detection & Analysis": "#FFA500",
918
+ "Containment": "#FFD700",
919
+ "Eradication": "#90EE90",
920
+ "Recovery": "#87CEEB",
921
+ "Post-Incident": "#9370DB"
922
+ }
923
+
924
+ fig = px.timeline(
925
+ df,
926
+ x_start="Start",
927
+ x_end="End",
928
+ y="Phase",
929
+ color="Phase",
930
+ color_discrete_map=colors,
931
+ title=f"{incident_type} - Incident Response Timeline" if language == "en" else f"{incident_type} - Chronologie de la reponse aux incidents",
932
+ hover_data={"Task": True, "Duration": True},
933
+ labels={"Phase": "Phase" if language == "en" else "Phase", "Task": "Task" if language == "en" else "Tache", "Duration": "Days" if language == "en" else "Jours"}
934
+ )
935
+
936
+ fig.update_layout(height=500, hovermode="closest")
937
+ return fig
938
+
939
+ def get_artifacts_text(incident_type, language):
940
+ """Generate artifacts collection guidance"""
941
+ data = INCIDENT_DATA[incident_type][language]
942
+ artifacts = data["artifacts"]
943
+
944
+ text = "# Recommended Forensic Artifacts\n\n"
945
+ if language == "en":
946
+ for artifact_category, artifact_info in artifacts.items():
947
+ text += f"## {artifact_category}\n\n"
948
+ text += f"**Registry Keys/Locations:**\n"
949
+ for key in artifact_info["keys"]:
950
+ text += f"- `{key}`\n"
951
+ text += f"\n**Recommended Tools:** {', '.join(artifact_info['tools'])}\n\n"
952
+ else:
953
+ for artifact_category, artifact_info in artifacts.items():
954
+ text += f"## {artifact_category}\n\n"
955
+ text += f"**Clés de registre/Emplacements:**\n"
956
+ for key in artifact_info["keys"]:
957
+ text += f"- `{key}`\n"
958
+ text += f"\n**Outils recommandés:** {', '.join(artifact_info['tools'])}\n\n"
959
+
960
+ return text
961
+
962
+ def get_mitre_text(incident_type, language):
963
+ """Generate MITRE ATT&CK techniques"""
964
+ data = INCIDENT_DATA[incident_type][language]
965
+ techniques = data["mitre_techniques"]
966
+
967
+ title = "MITRE ATT&CK Techniques" if language == "en" else "Techniques MITRE ATT&CK"
968
+ text = f"# {title}\n\n"
969
+
970
+ for technique in techniques:
971
+ text += f"- {technique}\n"
972
+
973
+ return text
974
+
975
+ def export_timeline_markdown(incident_type, language):
976
+ """Export complete timeline as Markdown"""
977
+ data = INCIDENT_DATA[incident_type][language]
978
+
979
+ md_text = f"# {incident_type} - Incident Response Timeline\n\n"
980
+
981
+ if language == "en":
982
+ md_text += "## Incident Response Phases\n\n"
983
+ else:
984
+ md_text += "## Phases de reponse aux incidents\n\n"
985
+
986
+ for phase_name, phase_info in data["phases"].items():
987
+ md_text += f"### {phase_name}\n"
988
+ md_text += f"**Duration:** {phase_info['duration_days']} days\n\n"
989
+ if language == "en":
990
+ md_text += "**Tasks:**\n"
991
+ else:
992
+ md_text += "**Taches:**\n"
993
+
994
+ for task in phase_info["tasks"]:
995
+ md_text += f"- {task['task']} ({task['duration']} days)\n"
996
+
997
+ md_text += "\n"
998
+
999
+ md_text += "\n" + get_artifacts_text(incident_type, language)
1000
+ md_text += "\n" + get_mitre_text(incident_type, language)
1001
+
1002
+ return md_text
1003
+
1004
+ def main():
1005
+ with gr.Blocks(title="Forensics Timeline Builder", theme=gr.themes.Soft(primary_hue="indigo", secondary_hue="purple")) as demo:
1006
+ gr.Markdown("""
1007
+ # Forensics Timeline Builder - Interactive Investigation Tool
1008
+
1009
+ Build comprehensive incident response timelines with forensic artifact recommendations and MITRE ATT&CK mappings.
1010
+ """)
1011
+
1012
+ with gr.Row():
1013
+ lang = gr.Radio(["English", "Francais"], value="English", label="Language")
1014
+
1015
+ with gr.Row():
1016
+ incident_type = gr.Dropdown(
1017
+ ["Ransomware", "Data Breach", "Insider Threat", "APT", "Malware Infection", "Account Compromise", "Web Compromise", "Supply Chain Attack"],
1018
+ value="Ransomware",
1019
+ label="Incident Type"
1020
+ )
1021
+
1022
+ with gr.Row():
1023
+ generate_btn = gr.Button("Generate Timeline", variant="primary")
1024
+
1025
+ with gr.Tab("Timeline Visualization"):
1026
+ timeline_chart = gr.Plot(label="Incident Response Timeline")
1027
+
1028
+ with gr.Tab("Forensic Artifacts"):
1029
+ artifacts_text = gr.Markdown(label="Recommended Artifacts")
1030
+
1031
+ with gr.Tab("MITRE ATT&CK"):
1032
+ mitre_text = gr.Markdown(label="Techniques")
1033
+
1034
+ with gr.Tab("Export"):
1035
+ export_output = gr.Textbox(label="Markdown Export", lines=20)
1036
+ export_btn = gr.Button("Export as Markdown")
1037
+
1038
+ with gr.Tab("Resources"):
1039
+ gr.Markdown("""
1040
+ # Forensics Resources
1041
+
1042
+ ## In-Depth Articles
1043
+ - [Memory Forensics](https://ayinedjimi-consultants.fr/forensics/memory-forensics.html)
1044
+ - [Registry Forensics](https://ayinedjimi-consultants.fr/forensics/registry-forensics.html)
1045
+ - [NTFS Forensics](https://ayinedjimi-consultants.fr/forensics/ntfs-forensics.html)
1046
+ - [DFIR Tools Comparison](https://ayinedjimi-consultants.fr/forensics/dfir-tools-comparison.html)
1047
+ - [Amcache & Shimcache](https://ayinedjimi-consultants.fr/forensics/amcache-shimcache.html)
1048
+ - [ETW & WPR Forensics](https://ayinedjimi-consultants.fr/forensics/etw-wpr-forensics.html)
1049
+ - [Evasion & Anti-Forensic](https://ayinedjimi-consultants.fr/forensics/evasion-antiforensic.html)
1050
+ - [Telemetry Forensics](https://ayinedjimi-consultants.fr/forensics/telemetry-forensics.html)
1051
+ - [Windows Server 2025 Forensics](https://ayinedjimi-consultants.fr/forensics/windows-server-2025-forensics.html)
1052
+ - [Forensics Report Templates](https://ayinedjimi-consultants.fr/forensics/forensics-report-templates.html)
1053
+ - [Livre Blanc: Anatomie d'une Attaque Ransomware](https://ayinedjimi-consultants.fr/livre-blanc-anatomie-attaque-ransomware.html)
1054
+
1055
+ ## Author
1056
+ Created by [Ayinedjimi Consultants](https://ayinedjimi-consultants.fr/bio.html)
1057
+ """)
1058
+
1059
+ def generate_content(selected_incident, selected_lang):
1060
+ lang_code = "en" if selected_lang == "English" else "fr"
1061
+
1062
+ if selected_incident not in INCIDENT_DATA:
1063
+ selected_incident = "Ransomware"
1064
+
1065
+ fig = create_gantt_chart(selected_incident, lang_code)
1066
+ artifacts = get_artifacts_text(selected_incident, lang_code)
1067
+ mitre = get_mitre_text(selected_incident, lang_code)
1068
+
1069
+ return fig, artifacts, mitre
1070
+
1071
+ def export_markdown(selected_incident, selected_lang):
1072
+ lang_code = "en" if selected_lang == "English" else "fr"
1073
+
1074
+ if selected_incident not in INCIDENT_DATA:
1075
+ selected_incident = "Ransomware"
1076
+
1077
+ return export_timeline_markdown(selected_incident, lang_code)
1078
+
1079
+ generate_btn.click(
1080
+ fn=generate_content,
1081
+ inputs=[incident_type, lang],
1082
+ outputs=[timeline_chart, artifacts_text, mitre_text]
1083
+ )
1084
+
1085
+ export_btn.click(
1086
+ fn=export_markdown,
1087
+ inputs=[incident_type, lang],
1088
+ outputs=[export_output]
1089
+ )
1090
+
1091
+ demo.load(
1092
+ fn=generate_content,
1093
+ inputs=[incident_type, lang],
1094
+ outputs=[timeline_chart, artifacts_text, mitre_text]
1095
+ )
1096
+
1097
+ demo.launch()
1098
+
1099
+ if __name__ == "__main__":
1100
+ main()
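Review bot: in `export_timeline_markdown` the per-phase header prints the hand-maintained `phase_info['duration_days']`, while `build_timeline_dataframe` lays out the Gantt chart purely from the sum of each `task['duration']`, so the exported report and the chart silently disagree as soon as a phase's `duration_days` no longer equals its task total; either drop the field and compute `sum(t['duration'] for t in phase_info['tasks'])` in both places, or check that invariant once over `INCIDENT_DATA` at import time. In the same function the title, `**Duration:**` and `days` strings are never localized, so the French export mixes languages; the same applies to the fixed `# Recommended Forensic Artifacts` header and the `Registry Keys/Locations` label in `get_artifacts_text`, which is also emitted for the Event Logs, Memory, File System and Network categories where it is misleading. Finally, `generate_content` and `export_markdown` replace an unrecognised incident type with `"Ransomware"` without telling the user, which risks an analyst exporting a timeline for the wrong incident; raising `gr.Error` there would be safer than a silent fallback.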
requirements.txt ADDED
@@ -0,0 +1,4 @@
 
 
 
 
 
1
+ gradio==4.44.0
2
+ huggingface_hub==0.24.7
3
+ plotly==5.18.0
4
+ pandas==2.1.4
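Review bot: `huggingface_hub` is pinned here but nothing in the visible app.py code references it (the module uses `gr`, `px`, `pd` and `datetime` only), so either remove the line and let gradio resolve it transitively, or add a comment stating why the explicit pin is needed, since a hand-pinned transitive dependency has to be kept in step with whatever range the pinned gradio release requires. Pinning every package to an exact version is the right choice for a reproducible Space build; if the Space is rebuilt regularly, consider also recording hashes so the build cannot pick up a tampered artifact under the same version number.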