{"id":50770700,"url":"https://github.com/joemunene-by/ghostforensics","last_synced_at":"2026-06-11T18:01:42.873Z","repository":{"id":363847053,"uuid":"1213085461","full_name":"joemunene-by/ghostforensics","owner":"joemunene-by","description":"Memory forensics automation — process analysis, injection detection, YARA scanning, IOC extraction with STIX 2.1 export. Works standalone or with Volatility3.","archived":false,"fork":false,"pushed_at":"2026-06-10T15:21:05.000Z","size":82,"stargazers_count":0,"open_issues_count":4,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-10T17:08:37.166Z","etag":null,"topics":["blue-team","dfir","forensics","incident-response","ioc","memory-forensics","python","security","stix","threat-hunting","volatility","yara"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/joemunene-by.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-17T03:03:04.000Z","updated_at":"2026-06-10T15:18:54.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/joemunene-by/ghostforensics","commit_stats":null,"previous_names":["joemunene-by/ghostforensics"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/joemunene-by/ghostforensics","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joemunene-by%2Fghostforensics","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joemunene-by%2Fghostforensics/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joemunene-by%2Fghostforensics/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joemunene-by%2Fghostforensics/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/joemunene-by","download_url":"https://codeload.github.com/joemunene-by/ghostforensics/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joemunene-by%2Fghostforensics/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34211067,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-11T02:00:06.485Z","response_time":57,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["blue-team","dfir","forensics","incident-response","ioc","memory-forensics","python","security","stix","threat-hunting","volatility","yara"],"created_at":"2026-06-11T18:01:41.050Z","updated_at":"2026-06-11T18:01:42.858Z","avatar_url":"https://github.com/joemunene-by.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# GhostForensics\n\nMemory forensics automation tool for incident response. Wraps Volatility3 to automate RAM dump analysis, IOC extraction, and report generation for SOC teams.\n\n## Features\n\n- **Process Analysis** — Extracts process tree, detects hidden processes, orphans, name masquerading, and duplicate system processes\n- **Network Analysis** — Extracts connections, flags suspicious ports, external IPs from system processes, and lateral movement indicators\n- **Injection Detection** — Identifies process hollowing, DLL injection, RWX memory regions, and reflective loading\n- **Handle Analysis** — Detects suspicious mutexes, sensitive file access (SAM, NTDS.dit), and cross-process handle abuse\n- **YARA Scanning** — Scans memory with built-in and custom YARA rules (works with or without yara-python)\n- **IOC Extraction** — Extracts IPs, domains, URLs, hashes, registry keys, and emails with deduplication and STIX 2.1 export\n- **Reputation Checking** — Optional integration with VirusTotal and AbuseIPDB\n- **Reports** — Console (Rich), HTML (dark-themed), and JSON output formats\n\n## Installation\n\n```bash\npip install -e .\n```\n\nWith optional dependencies:\n\n```bash\n# Volatility3 support\npip install -e \".[volatility]\"\n\n# YARA support\npip install -e \".[yara]\"\n\n# Everything\npip install -e \".[all]\"\n```\n\n## Quick Start\n\nAnalyze a memory dump (JSON format):\n\n```bash\nghostforensics analyze examples/sample_dump.json\n```\n\nGenerate an HTML report:\n\n```bash\nghostforensics analyze examples/sample_dump.json --output report.html\n```\n\nExport as JSON:\n\n```bash\nghostforensics analyze examples/sample_dump.json --output report.json --format json\n```\n\n## Commands\n\n| Command | Description |\n|---------|-------------|\n| `analyze` | Full analysis with all modules |\n| `processes` | List processes and detect anomalies |\n| `network` | List network connections and flags |\n| `yara` | Scan with YARA rules |\n| `ioc` | Extract IOCs (supports `--stix` for STIX 2.1 export) |\n| `report` | Generate a standalone report file |\n\n## Input Formats\n\nGhostForensics works **without Volatility3 installed** by accepting JSON files that represent pre-processed memory dump data. When Volatility3 is available, it can also analyze raw `.raw`, `.dmp`, and `.vmem` files directly.\n\n### JSON Format\n\nSee `examples/sample_dump.json` for the complete schema. Key sections:\n\n- `processes` — List of process objects (pid, ppid, name, path, cmdline)\n- `connections` — Network connections (local/remote addr and port, state, pid)\n- `memory_regions` — Memory regions with protection flags\n- `handles` — Open handles (mutexes, files, registry keys)\n- `yara_matches` — Pre-computed YARA matches\n- `extracted_strings` — Raw strings from the dump\n\n## IOC Extraction\n\nGhostForensics extracts and classifies indicators across all analysis modules:\n\n```\nIOCs Extracted: 12\n  [high] ip-address: 45.33.32.156 — connection from svchost.exe (PID 4444)\n  [high] ip-address: 185.220.101.42 — connection from svchost.exe (PID 4444)\n  [medium] url: http://evil.com/payload.ps1 — raw_data\n  [critical] ip-address: 91.215.85.209 — connection from powershell.exe (PID 4600)\n  [low] email: admin@evil-corp.com — raw_data\n```\n\nExport in STIX 2.1 format:\n\n```bash\nghostforensics ioc examples/sample_dump.json --stix\n```\n\n## YARA Rules\n\nBuilt-in rules cover:\n\n- `malware_indicators.yar` — Malware API calls, packer signatures, suspicious user agents\n- `webshells.yar` — PHP, ASPX, and JSP webshell patterns\n- `credentials.yar` — Mimikatz, credential dumping tools, SSH keys\n- `persistence.yar` — Registry run keys, scheduled tasks, WMI persistence\n\nAdd custom rules:\n\n```bash\nghostforensics yara dump.json --rules /path/to/custom/rules/\n```\n\n## Configuration\n\nCreate a `config.yml`:\n\n```yaml\nanalyzer:\n  enable_process_analysis: true\n  enable_network_analysis: true\n  enable_injection_analysis: true\n  enable_handle_analysis: true\n  enable_yara_scan: true\n  enable_ioc_extraction: true\n\nyara:\n  builtin_rules: true\n  custom_rules_dirs:\n    - /opt/yara-rules/\n  timeout: 60\n\nreputation:\n  enable_online_checks: true\n  virustotal_api_key: ${VT_API_KEY}\n  abuseipdb_api_key: ${ABUSEIPDB_API_KEY}\n\nreport:\n  output_format: html\n  include_evidence: true\n  include_remediation: true\n  include_mitre: true\n```\n\n```bash\nghostforensics analyze dump.json --config config.yml --output report.html\n```\n\n## Development\n\n```bash\npip install -e \".[dev]\"\nmake test\nmake lint\n```\n\n## License\n\nMIT License. Copyright (c) 2026 Joe Munene.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjoemunene-by%2Fghostforensics","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjoemunene-by%2Fghostforensics","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjoemunene-by%2Fghostforensics/lists"}