CIRTKit - Tools for the Computer Incident Response Team


CIRTKit is not just a collection of tools, but also a framework to aid in the ongoing unification of Incident Response and Forensics investigation processes.


Investigations are the core of CIRTKit. Incident responders and forensic analysts generate large amounts of data during investigations. Normally this data is stored in ticketing systems, governance and risk systems, or some other variation of persistent data storage.
CIRTKit aims to bring core DFIR (Digital Forensics and Incident Response) tools into one console, centralizing the investigation process. There are many tools available that incident responders use to collect, parse, and interpret data. If we can bring all of these tools together to one console that can store information and malware artifacts centrally, we may be able to better combat the adversaries.


The inspiration behind CIRTKit came from the Metasploit Framework. Metasploit was revolutionary to the offensive security industry, allowing users to not only centrally manage penetration tests, but also use and develop new tools/exploits to further their cause. The key question that spurred the initiation of CIRTKit was this: "Why are attackers more equipped than defenders?"
With Metasploit, attackers are always equipped, constantly sharing new exploits and tools with the framework to enable others to take advantage of known vulnerabilities. The time has come for network defenders to centralize our toolsets and share new detection and response capabilities easily with the community.


Database Setup

CIRTKit requires a database to store malware artifacts and investigation data. Currently, CIRTKit is equipped to use SQLite and Postgres SQL databases. If you need to have multiple analysts collaborate on investigations, then you need to setup CIRTKit to use Postgres, otherwise if you want to store information locally, you can use SQLite.
  • SQLite
For SQLite, you can simply run CIRTKit, and it will create and connect to a local SQLite file. Or you can specify the connection string to use a different file.
  • Postgres
Setup your Postgres database and edit the lines at the top of the with the credentials for the database you just configured.
DB_USER = '<username>'
DB_PASSWD = '<password>'

Install Dependencies

You can install decencies with pip (Python packaging system) using the provided requirements.txt file "pip install -r requirements.txt"


You can also specify the '-i' flag and specify a specific investigation. If it does not exist, CIRTKit will create a new investigation

No comments

Note: Only a member of this blog may post a comment.

Powered by Blogger.