Automated Cloud Forensics and Incident Response Workflow
View Project Portfolio & Technical Case Study
Snapshot Sleuth is a comprehensive cloud forensics and incident-response workflow designed to help security teams investigate EBS snapshot-based evidence quickly and consistently. The system orchestrates analysis, runs multiple forensic tools, and publishes evidence and results into durable storage with clear case tracking and notifications.
- YARA - Rule-based detection and pattern matching
- ClamAV - Malware scanning and virus detection
- EvidenceMiner - Artifact extraction and classification
- Log2Timeline - Timeline generation and analysis
- Case Management - GitHub Issues, Jira, Linear (extensible)
- Ticketing - GitHub Issues, Jira, Zendesk (extensible)
- Notifications - Slack, Email, Webhook (extensible)
- CloudWatch dashboards and metrics
- CloudTrail audit logging
- Real-time status updates
- Custom alarms and alerts
- Case list and detail views
- Workflow monitoring dashboard
- Evidence browser with preview
- Dark mode support
- Responsive design
The project is organized as a TypeScript monorepo using Bun workspaces and Turborepo:

```
packages/
├── shared/      # Shared types, utilities, and configuration
├── adapters/    # Pluggable adapter layer for integrations
├── cdk/         # AWS CDK infrastructure code
├── lambda-ts/   # TypeScript Lambda functions
├── lambda-py/   # Python Lambda functions (forensic tools)
├── frontend/    # React frontend application
└── demo/        # Demo environment and scenarios
```
- Node.js >= 18.0.0
- Bun >= 1.0.0
- AWS CLI configured
- AWS CDK CLI installed
```shell
# Clone the repository
git clone https://github.com/Stealinglight/Snapshot-Sleuth.git
cd Snapshot-Sleuth

# Install dependencies
bun install

# Build all packages
bun run build
```

Create a configuration file based on your environment. The `token` and `webhookUrl` values are credentials: keep real ones out of version control.

```json
{
  "environment": "development",
  "projectName": "snapshot-sleuth",
  "aws": {
    "region": "us-east-1",
    "s3BucketPrefix": "snapshot-sleuth"
  },
  "adapters": {
    "caseManagement": {
      "provider": "GITHUB",
      "config": {
        "token": "YOUR_GITHUB_TOKEN",
        "owner": "YOUR_ORG",
        "repo": "YOUR_REPO"
      }
    },
    "notifications": [
      {
        "channel": "SLACK",
        "enabled": true,
        "config": {
          "webhookUrl": "YOUR_SLACK_WEBHOOK"
        }
      }
    ]
  }
}
```

```shell
# Deploy CDK stack
cd packages/cdk
bun run cdk deploy
```

```shell
# Start frontend development server
cd packages/frontend
bun run dev

# Watch for changes in shared packages
cd packages/shared
bun run build --watch
```

- Snapshot Event - EBS snapshot is shared or identified for investigation
- Validation - Snapshot is validated and accessible
- Preparation - Snapshot is copied to analysis region if needed
- Provisioning - Isolated analysis environment is created
- Analysis - Forensic tools run in parallel
- Evidence Upload - Results and artifacts uploaded to S3
- Notification - Stakeholders notified of completion
- Cleanup - Analysis environment cleaned up
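The stage list above reads as a straight line, but an IR pipeline is judged by what happens when a stage fails. The following is an added example, not Snapshot Sleuth's own code: an in-memory model of the same stages in which each stage records where a failure occurred, the analysis stage keeps every tool's result independently so one crashing tool does not lose the others' findings, and the isolated environment is torn down on every path. The stage names, `runWorkflow`, `KNOWN_SNAPSHOTS`, the tool stand-ins and the snapshot-id regex are this example's assumptions, not the project's API.

```typescript
// Added example (not Snapshot Sleuth's code): a minimal model of the workflow
// stages. All names, sample snapshots and tool stand-ins are assumptions.

export type Stage =
  | 'validation' | 'preparation' | 'provisioning' | 'analysis'
  | 'evidence-upload' | 'notification' | 'cleanup';

export interface ToolResult { tool: string; findings: number; error?: string }

export interface WorkflowResult {
  snapshotId: string;
  completed: Stage[];       // stages that finished, in order
  failedAt?: Stage;         // first stage that threw, if any
  error?: string;
  copied: boolean;          // snapshot was copied into the analysis region
  results: ToolResult[];    // one entry per tool, even when that tool crashed
  evidenceKeys: string[];   // object keys the upload stage would write
  cleanedUp: boolean;
}

const ANALYSIS_REGION = 'us-east-1';

// Constructed sample: the snapshots this account can see, and where they live.
const KNOWN_SNAPSHOTS: Record<string, { region: string }> = {
  'snap-0123456789abcdef0': { region: 'us-west-2' },
  'snap-0fedcba9876543210': { region: 'us-east-1' },
};

// Isolated environments that currently exist; cleanup must leave this empty.
const LIVE_ENVIRONMENTS = new Set<string>();
export function liveEnvironmentCount(): number { return LIVE_ENVIRONMENTS.size; }

// EBS snapshot ids are "snap-" followed by 8 or 17 lowercase hex digits.
export function isValidSnapshotId(id: string): boolean {
  return /^snap-([0-9a-f]{17}|[0-9a-f]{8})$/.test(id);
}

// Stand-ins for the forensic tools (the real ones would be YARA, ClamAV, ...).
// Each returns a findings count; one deliberately crashes.
const TOOLS: Record<string, (id: string) => number> = {
  yara: (id) => (id.endsWith('0') ? 2 : 0),
  clamav: () => 0,
  log2timeline: () => { throw new Error('timeline parser crashed'); },
};

export function runWorkflow(snapshotId: string): WorkflowResult {
  const r: WorkflowResult = {
    snapshotId, completed: [], copied: false, results: [], evidenceKeys: [], cleanedUp: false,
  };

  // Runs one stage, recording either its completion or the first failure.
  const step = (stage: Stage, fn: () => void): void => {
    try {
      fn();
      r.completed.push(stage);
    } catch (e) {
      r.failedAt = stage;
      r.error = e instanceof Error ? e.message : String(e);
      throw e;
    }
  };

  try {
    step('validation', () => {
      if (!isValidSnapshotId(snapshotId)) throw new Error(`malformed snapshot id: ${snapshotId}`);
      if (!(snapshotId in KNOWN_SNAPSHOTS)) throw new Error(`snapshot not accessible: ${snapshotId}`);
    });
    step('preparation', () => {
      // Copy only when the snapshot lives outside the analysis region.
      r.copied = KNOWN_SNAPSHOTS[snapshotId]?.region !== ANALYSIS_REGION;
    });
    step('provisioning', () => { LIVE_ENVIRONMENTS.add(snapshotId); });
    step('analysis', () => {
      // Each tool keeps its own result, so one crash does not drop the rest.
      for (const [tool, run] of Object.entries(TOOLS)) {
        try {
          r.results.push({ tool, findings: run(snapshotId) });
        } catch (e) {
          r.results.push({ tool, findings: 0, error: e instanceof Error ? e.message : String(e) });
        }
      }
    });
    step('evidence-upload', () => {
      for (const t of r.results) r.evidenceKeys.push(`cases/${snapshotId}/${t.tool}.json`);
    });
    step('notification', () => { /* notification adapter call would go here */ });
  } catch {
    // The failing stage is already recorded by step(); fall through to cleanup.
  } finally {
    // Cleanup runs on success and failure alike.
    LIVE_ENVIRONMENTS.delete(snapshotId);
    r.cleanedUp = !LIVE_ENVIRONMENTS.has(snapshotId);
    r.completed.push('cleanup');
  }
  return r;
}
```

Calling `runWorkflow('snap-0123456789abcdef0')` completes every stage, marks the snapshot as copied (it lives in `us-west-2`), and returns three tool results with the crashed tool's error attached; `runWorkflow('snap-notreal')` stops at `validation` with no results, and in both cases `liveEnvironmentCount()` is back to zero afterwards.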
- Architecture Documentation
- Deployment Guide
- Configuration Options
- Adapter Development
- Troubleshooting
- Security Best Practices
The demo package provides one-command deployment with prebuilt scenarios:
- Malware detection scenario
- Data exfiltration scenario
- Privilege escalation scenario
- Clean baseline scenario
Safety controls include tagging, TTL auto-expiry, and cost estimation/alerts.
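Tagging and TTL auto-expiry only work when every demo resource actually carries the tags. The following is an added example, not the demo package's own code: a sweep that reaps resources whose TTL has passed, flags resources with no TTL tag (which would otherwise escape expiry), and projects spend until expiry against a cost ceiling. The tag keys, the resource shape, the sample resources and the cost figures are constructed assumptions for illustration.

```typescript
// Added example (not the demo package's code): tag-based TTL sweep and cost
// ceiling check. Tag keys, resource shape and figures are assumptions.

export interface DemoResource {
  id: string;
  tags: Record<string, string>;
  hourlyCostUsd: number;
}

const TTL_TAG = 'snapshot-sleuth:ttl';           // assumed key; ISO-8601 expiry time
const SCENARIO_TAG = 'snapshot-sleuth:scenario'; // assumed key; demo scenario name

// Constructed sample: one expired instance, one live instance, one untagged volume.
export const SAMPLE_RESOURCES: DemoResource[] = [
  { id: 'i-0aaa', tags: { [TTL_TAG]: '2024-01-01T12:00:00Z', [SCENARIO_TAG]: 'malware' }, hourlyCostUsd: 0.10 },
  { id: 'i-0bbb', tags: { [TTL_TAG]: '2024-01-02T00:00:00Z', [SCENARIO_TAG]: 'exfil' }, hourlyCostUsd: 0.40 },
  { id: 'vol-0ccc', tags: {}, hourlyCostUsd: 0.05 },
];

export interface SweepReport { expired: string[]; untagged: string[]; keep: string[] }

// A resource is reaped once its TTL has passed or cannot be parsed. One with
// no TTL tag is reported separately rather than silently kept, because an
// untagged demo resource is exactly the thing auto-expiry cannot reach.
export function sweep(resources: DemoResource[], now: Date): SweepReport {
  const report: SweepReport = { expired: [], untagged: [], keep: [] };
  for (const res of resources) {
    const ttl = res.tags[TTL_TAG];
    if (ttl === undefined) {
      report.untagged.push(res.id);
      continue;
    }
    const expiresAt = Date.parse(ttl);
    if (Number.isNaN(expiresAt) || expiresAt <= now.getTime()) report.expired.push(res.id);
    else report.keep.push(res.id);
  }
  return report;
}

// Projected spend if every still-live resource runs until its TTL, rounded to
// cents. Expired and untagged resources contribute nothing here; they are
// handled by sweep().
export function projectedCostUsd(resources: DemoResource[], now: Date): number {
  let total = 0;
  for (const res of resources) {
    const ttl = res.tags[TTL_TAG];
    if (ttl === undefined) continue;
    const hours = (Date.parse(ttl) - now.getTime()) / 3_600_000;
    if (hours > 0) total += hours * res.hourlyCostUsd;
  }
  return Math.round(total * 100) / 100;
}

// True when projected spend exceeds the ceiling, i.e. when an alert should fire.
export function overCostCeiling(resources: DemoResource[], now: Date, ceilingUsd: number): boolean {
  return projectedCostUsd(resources, now) > ceilingUsd;
}
```

With `now` set to `2024-01-01T18:00:00Z`, `sweep` reaps `i-0aaa`, keeps `i-0bbb`, and flags `vol-0ccc` as untagged; `i-0bbb` has six hours left at 0.40 USD/h, so the projected spend is 2.40 USD, which trips a 2.00 USD ceiling and not a 5.00 USD one.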
Contributions are welcome! Please see our Contributing Guide for details.
This project is licensed under the MIT License - see the LICENSE file for details.
For security concerns, please see our Security Policy.
- Documentation
- Issue Tracker
- Discussions