{"id":47160878,"url":"https://github.com/FlipForensics/AIFT","last_synced_at":"2026-03-27T07:01:03.411Z","repository":{"id":339269468,"uuid":"1161193354","full_name":"FlipForensics/AIFT","owner":"FlipForensics","description":"Automated Windows forensic triage, powered by AI.  AIFT turns hours of manual artifact analysis into minutes. Upload a disk image, select what to parse, and get an AI-generated forensic report, all from your browser, all running locally on your machine.  Built for incident responders who need fast answers. ","archived":false,"fork":false,"pushed_at":"2026-03-24T18:13:33.000Z","size":28477,"stargazers_count":16,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-25T23:15:34.922Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/FlipForensics.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":"COPYRIGHT.txt","agents":null,"dco":null,"cla":null}},"created_at":"2026-02-18T20:52:09.000Z","updated_at":"2026-03-25T16:17:31.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/FlipForensics/AIFT","commit_stats":null,"previous_names":["flipforensics/aift"],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/FlipForensics/AIFT","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FlipForensics%2FAIFT","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FlipForensics%2FAIFT/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FlipForensics%2FAIFT/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FlipForensics%2FAIFT/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/FlipForensics","download_url":"https://codeload.github.com/FlipForensics/AIFT/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FlipForensics%2FAIFT/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31032120,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-27T06:08:13.374Z","status":"ssl_error","status_checked_at":"2026-03-27T06:08:07.217Z","response_time":164,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-03-13T03:00:26.972Z","updated_at":"2026-03-27T07:01:03.387Z","avatar_url":"https://github.com/FlipForensics.png","language":"HTML","readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"images/AIFT Logo - White Text.png\" alt=\"AIFT Logo\" width=\"400\"\u003e\n\u003c/p\u003e\n\n# AIFT - AI Forensic Triage V1.3\n\n**Automated Windows forensic triage, powered by AI.**\n\nAIFT turns hours of manual artifact analysis into minutes. 
Upload a disk image, select what to parse, and get an AI-generated forensic report - all from your browser, all running locally on your machine.\n\nBuilt for incident responders who need fast answers, and simple enough for non-forensic team members to operate.\n\n**This project is under active development. Contributions are welcome. If you run into any bugs, let me know!**\n\n---\n\n## How It Works\n\n```\nUpload Evidence → Select Artifacts → Parse → AI Analysis → HTML Report\n```\n\n1. **Run the app** - a local web interface opens in your browser.\n2. **Upload evidence** - drag-and-drop an E01, VMDK, VHD, raw image, or archive, or point to a local path for large images.\n3. **Pick artifacts** - choose from 25+ Windows forensic artifacts, which will be parsed by [Dissect](https://github.com/fox-it/dissect).\n4. **Get results** - AI analyzes each artifact for indicators of compromise, correlates findings across artifacts, and generates a self-contained HTML report with evidence hashes and full audit trail.\n\nNo Elasticsearch. No Docker. No database. One Python script, one command.\n\n![](images/AIFT.gif)\n\n---\n\n## Documentation\n\n- **User Guide**: https://github.com/FlipForensics/AIFT/wiki\n- **Code Reference**: https://flipforensics.github.io/AIFT/docs/\n\n---\n\n## Example Reports\n\nA [publicly available test image](https://cfreds.nist.gov/all/BenjaminDonnachie/CompromisedWindowsServer2022simulation) (Compromised Windows Server 2022 Simulation by Benjamin Donnachie, NIST CFReDS) was used to compare AI providers. 
The analysis prompt included one real IOC (`PsExec`) and one not observed IOC (`redpetya.exe`) to test each model's ability to identify true findings and avoid false positives.\n\n| Model | Cost | Runtime | Quality | Report |\n|-------|------|---------|---------|--------|\n| Kimi | $0.20 | ~5 min | :star::star::star: | [View report](https://flipforensics.github.io/AIFT/example_reports/KIMI.html) |\n| OpenAI GPT | $0.94 | ~8 min | :star::star::star::star: | [View report](https://flipforensics.github.io/AIFT/example_reports/ChatGPT5.2.html) |\n| Claude Opus 4.6 | $3.01 | ~20 min | :star::star::star::star::star: | [View report](https://flipforensics.github.io/AIFT/example_reports/Opus4.6.html) |\n| Local: qwen3:8b \u003cbr\u003e(RTX 2070 8GB VRAM + 32k context window) | $0 | ~2.5h | :star: | [View report](https://flipforensics.github.io/AIFT/example_reports/qwen-3-8b.html) |\n| Local: gpt-oss 120b \u003cbr\u003e(DGX Spark 128GB (V)RAM + 128k context window) | $0 | ~20 min | :star::star::star: | [View report](https://flipforensics.github.io/AIFT/example_reports/gpt-oss-120b.html) |\n---\n\n## Quick Start\n\n### 1. Install\n\n```bash\ngit clone https://github.com/\u003cyour-repo\u003e/aift.git\ncd aift\npip install -r requirements.txt\n```\n\nPython 3.10-3.13 is required. All dependencies are pure Python - no C libraries, no system packages.\nPython 3.14+ is currently unsupported due to upstream `dissect.target` compatibility.\n\n### 2. Run\n\n```bash\npython aift.py\n```\n\nThe app starts and opens your browser to `http://localhost:5000`. On first run, a default `config.yaml` is created automatically.\n\n### 3. Configure your AI provider\n\nClick the **gear icon** (⚙) in the top-right corner of the UI. 
Select your AI provider and enter the required credentials:\n\n- For **Claude** or **OpenAI**: paste your API key and click Save.\n- For **Kimi**: paste your Moonshot API key and click Save.\n- For a **local model**: enter your server URL (e.g., `http://localhost:11434/v1`) and model name.\n\nClick **Test Connection** to verify everything works. That's it - you're ready to go.\n\n### 4. Analyze your first image\n\n- Upload evidence by dragging it into the upload area (E01, VMDK, VHD, raw images, ZIP, 7z, tar), or switch to **Path Mode** and enter the file path for large images or directories.\n- AIFT opens the image or Triage Package.\n- Select artifacts manually or click **Recommended**. You have the option to save your selected artifacts as a profile, and load them in future cases.\n- Click **Parse**. Progress is shown in real time.\n- Enter your investigation context (e.g., \"Suspected unauthorized access between Jan 1-15, 2026. Look for new accounts and remote access tools. IOC identified: abc.exe\").\n- Click **Analyze**. Per-artifact findings stream in as the AI completes each one, followed by a cross-artifact summary.\n- Download the HTML report and/or the raw CSV data.\n- **Chat with the AI** about the results - ask follow-up questions, request correlations, or drill into specific artifacts without re-running the analysis.\n\n---\n\n## AI Chat (Q\u0026A)\n\nAfter analysis completes, click **Show Chat** on the Results page to ask follow-up questions, request cross-artifact correlations, or drill into specific CSV data - the AI references its own prior analysis and automatically retrieves matching rows when needed. \n\n---\n\n## AI Providers\n\nAIFT supports four AI backends and can be run completely isolated. 
All configuration is done through the in-app settings page.\n\n| Provider | What You Need | Notes |\n|----------|--------------|-------|\n| **Anthropic Claude** | API key from [console.anthropic.com](https://console.anthropic.com) | Recommended for analysis quality |\n| **OpenAI / GPT** | API key from [platform.openai.com](https://platform.openai.com) | GPT-4o or later |\n| **Kimi** | API key from [platform.moonshot.ai](https://platform.moonshot.ai) | Moonshot AI's Kimi K2 - OpenAI-compatible |\n| **Local model** | Any OpenAI-compatible server | Ollama, LM Studio, vLLM, text-generation-webui |\n\n### Ollama (local, free, private)\n\n```bash\nollama pull llama3.1:70b\nollama serve\n```\n\nIn AIFT settings: select **Local**, set URL to `http://localhost:11434/v1`, model to `llama3.1:70b`.\n\n**Important: set `Analysis Max Tokens` to match your model's context window** (Settings \u003e Advanced). For example, `qwen3:8b` with 32K context → set to `32000`. Cloud models (Claude, OpenAI, Kimi) default to 128K and typically don't need adjustment.\n\nWhen an artifact's data exceeds the context budget, AIFT automatically **chunks** the CSV across multiple AI calls so every row is analyzed. Chunk findings are then merged hierarchically - grouped into batches that fit the context window, merged by the AI, and repeated until a single result remains. This ensures no data is lost regardless of model size. 
The maximum number of merge rounds before fallback can be configured via `Max Merge Rounds` in advanced settings (default: 5).\n\nA minimum of 32K tokens is strongly recommended.\n\n### Environment variables\n\nAPI keys can also be set via environment variables instead of the UI:\n\n```bash\nexport ANTHROPIC_API_KEY=\"sk-ant-...\"\nexport OPENAI_API_KEY=\"sk-...\"\nexport KIMI_API_KEY=\"sk-...\"\n```\n\n---\n\n## Supported Artifacts\n\nAIFT uses [Dissect](https://github.com/fox-it/dissect) by Fox-IT (NCC Group) for forensic parsing - pure Python, no external dependencies.\n\n| Category | Artifacts |\n|----------|----------|\n| **Persistence** | Run/RunOnce Keys, Scheduled Tasks, Services, WMI Persistence |\n| **Execution** | Shimcache, Amcache, Prefetch, BAM/DAM, UserAssist, MUIcache |\n| **Event Logs** | Windows Event Logs (all channels), Defender Logs |\n| **File System** | NTFS MFT, USN Journal, Recycle Bin |\n| **User Activity** | Browser History, Browser Downloads, PowerShell History, Activities Cache |\n| **Network** | SRUM Network Data, SRUM Application Usage |\n| **Registry** | Shellbags, USB Device History |\n| **Security** | SAM User Accounts, Defender Quarantine |\n\nOnly artifacts present in the image are shown. Unavailable artifacts are automatically grayed out.\n\n---\n\n## Supported Evidence Formats\n\nAIFT uses [Dissect](https://github.com/fox-it/dissect) for evidence loading, which supports a wide range of forensic image and disk formats.\n\n| Category | Formats | Notes |\n|----------|---------|-------|\n| **EnCase (EWF)** | `.E01`, `.Ex01`, `.S01`, `.L01` | Split segments (`.E02`, `.E03`, ...) are auto-discovered in the same directory |\n| **Raw / DD** | `.dd`, `.img`, `.raw`, `.bin`, `.iso` | Bit-for-bit disk images |\n| **Split raw** | `.000`, `.001`, ... 
| Segmented raw images - pass the first segment |\n| **VMware** | `.vmdk`, `.vmx`, `.vmwarevm` | Virtual disk and VM config (auto-loads associated disks) |\n| **Hyper-V** | `.vhd`, `.vhdx`, `.vmcx` | Legacy and modern Hyper-V formats |\n| **VirtualBox** | `.vdi`, `.vbox` | VirtualBox disk and VM config |\n| **QEMU** | `.qcow2`, `.utm` | QEMU Copy-On-Write and UTM bundles |\n| **Parallels** | `.hdd`, `.hds`, `.pvm`, `.pvs` | Parallels Desktop images |\n| **OVA / OVF** | `.ova`, `.ovf` | Open Virtualization Format |\n| **XenServer** | `.xva`, `.vma` | Xen and Proxmox exports |\n| **Backup** | `.vbk` | Veeam Backup files |\n| **Dissect native** | `.asdf`, `.asif` | Dissect `acquire` output |\n| **FTK / AccessData** | `.ad1` | Logical images |\n| **Archives** | `.zip`, `.7z`, `.tar`, `.tar.gz` | Extracted and scanned for evidence files inside |\n\nEvidence can also be provided as a **directory path** (e.g., KAPE, Velociraptor, or UAC triage output).\n\nFor images over 2 GB, use **Path Mode** instead of uploading - enter the local file path and AIFT reads it directly.\n\n---\n\n## Roadmap\n\nFeatures under active development:\n\n- **Multi-Image Support**: Analyze multiple evidence sources in a single case (e.g., workstation + server + domain controller). Includes cross-system correlation to identify lateral movement and shared IOCs.\n- **Linux Support**: Full analysis of Linux disk images using Dissect. Covers bash/zsh/fish history, wtmp/btmp, syslog, journald, cron jobs, systemd services, SSH keys, package history, and user accounts.\n- **Mobile Support**: iOS and Android device analysis using [iLEAPP](https://github.com/abrignoni/iLEAPP) and [ALEAPP](https://github.com/abrignoni/ALEAPP). Covers call logs, SMS, browser history, installed apps, location data, and more.\n\n---\n\n## Forensic Integrity\n\nAIFT is built with forensic defensibility in mind:\n\n- **Evidence is read-only.** Disk images are never modified. 
Dissect opens everything in read-only mode.\n- **SHA-256 + MD5 hashing** on intake and before report generation. Hash match is verified and shown in the report.\n- **Complete audit trail.** Every action (upload, parse, analyze, report) is logged with UTC timestamps to a per-case `audit.jsonl` file.\n- **AI guardrails.** The AI is instructed to cite specific records, state uncertainty explicitly, and never fabricate evidence. Findings include confidence ratings (HIGH / MEDIUM / LOW).\n- **Prompt audit trail.** Every prompt sent to the AI (system prompt + user prompt) is saved to the case's `prompts/` directory. This allows full review of exactly what the AI was asked, regardless of provider.\n- **Disclaimer in every report.** AI-assisted findings must be verified by a qualified examiner before use in legal or formal proceedings.\n\n---\n\n## Report Output\n\nAIFT generates a **self-contained HTML report** - all CSS inlined, no external dependencies. Open it in any browser, print it, or archive it. The report includes:\n\n- Evidence metadata and hash verification\n- Executive summary with confidence assessment\n- Per-artifact findings with cited evidence\n- Investigation gaps and recommended next steps\n- Complete audit trail\n\nParsed artifact data is also available as a downloadable CSV bundle for further analysis.\n\n---\n\n## Requirements\n\n- Python 3.10-3.13\n- Python 3.14+ is currently unsupported due to upstream `dissect.target` compatibility\n- 8 GB RAM minimum (for parsing large artifacts)\n- Disk space: ~2× the evidence file size (for parsed CSV output)\n- No C library dependencies - Dissect is pure Python\n\n---\n\n## Disclaimer\n\nAIFT output is AI-assisted. All findings must be independently verified by a qualified forensic examiner before use in any legal, regulatory, or formal investigative proceeding. 
The AI analyzes only the data provided and may not capture all relevant artifacts or context.\n\nWhen using a cloud-based AI provider, parsed artifact data is sent to external servers for analysis. Be mindful of the sensitivity of the evidence - if the data is subject to privacy regulations, legal restrictions, or confidentiality requirements, consider using a local model instead.\n\n---\n\n## License\n\nAIFT is released as open source by Flip Forensics and made available at https://github.com/FlipForensics/AIFT. \n\nLicense terms: AGPL3 (https://www.gnu.org/licenses/agpl-3.0.html).\n\nContact: info@FlipForensics.com\n","funding_links":[],"categories":["Tools"],"sub_categories":["Frameworks"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FFlipForensics%2FAIFT","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FFlipForensics%2FAIFT","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FFlipForensics%2FAIFT/lists"}