This directory contains tools for ingesting and analyzing collection and timeline data, along with the web-based UI component CollectiFOR Viewer.
The script collectifor.py is the main tool used. In addition there are some helper scripts to assist with further analysis.
There are two main data source types that can be ingested:
- Triage collections gathered with CollectiFOR's collect binary or collect scripts.
- Log2timeline+psort JSON line formatted super timelines.
See documentation for:
-
Modify config.yaml.sample
-
Here's an all-in-one example command to run everything with a fresh collection tar.gz:

```sh
# Might require sudo/root depending on your collection's permissions
python3 collectifor.py -c config.yaml.sample --analysis --collection /collections/host1_20251217_141749.tar.gz
# Analyze another collection
python3 collectifor.py -c config.yaml.sample --analysis --collection /collections/host2_20251218_141749.tar.gz
```

Arguments:

- `-c` -> Path to config YAML.
- `--analysis` -> Run analysis modules.
- `--viewer` -> Launch CollectiFOR Viewer after initialization and analysis (listens on 127.0.0.1:5000).
- `--collection /collections/host_20251217_141749.tar.gz` -> Path to collection. Can be a collection tar.gz or a collection directory if already decompressed.
If your collection configuration did not compress the collection directory, just give the path to the collection directory (`<hostname>_<ts>/<ts>`).
It's important that the directory structure is the one generated by the collect tool (`<hostname>_<ts>/<ts>/<collection data>`).
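The layout requirement above is easy to break when collections are moved around by hand, so here is an added shell example (not part of CollectiFOR) that checks a path against the `<hostname>_<ts>/<ts>/<collection data>` layout, distinguishes tarballs from decompressed directories, and only then hands valid collections to collectifor.py using the same arguments as the command shown above. The check's assumption that the inner directory name is the `_<ts>` suffix of the outer directory name is derived from the layout description, not from the project's code.

```shell
#!/bin/sh
# Added example, not part of CollectiFOR: validate collection paths before
# ingestion and run collectifor.py over a batch of them.
# Assumption: a decompressed collection is laid out as
#   <hostname>_<ts>/<ts>/<collection data>
# so the inner directory name must be the "_<ts>" suffix of the outer name.

# check_collection_layout <dir>
# Returns 0 if <dir> contains a non-empty <ts> subdirectory whose name is the
# "_<ts>" suffix of <dir>'s own name, 1 otherwise.
check_collection_layout() {
    dir="$1"
    [ -d "$dir" ] || return 1
    name=$(basename "$dir")
    for sub in "$dir"/*/; do
        sub=$(basename "$sub")
        [ -d "$dir/$sub" ] || continue        # unmatched glob, no subdirs
        case "$name" in
            *_"$sub")
                # inner <ts> directory must actually hold collection data
                [ -n "$(ls -A "$dir/$sub")" ] && return 0
                ;;
        esac
    done
    return 1
}

# classify_collection <path>
# Prints "tarball", "directory" or "invalid"; returns 1 for invalid.
classify_collection() {
    case "$1" in
        *.tar.gz)
            if [ -f "$1" ]; then echo tarball; return 0; fi
            ;;
    esac
    if check_collection_layout "$1"; then echo directory; return 0; fi
    echo invalid
    return 1
}

# ingest_all <config.yaml> <collection>...
# Runs analysis for every valid collection; invalid paths are skipped and
# reported, and the overall status is non-zero if anything was skipped or failed.
ingest_all() {
    cfg="$1"; shift
    rc=0
    for c in "$@"; do
        kind=$(classify_collection "$c")
        if [ "$kind" = invalid ]; then
            echo "skip (bad layout or missing): $c" >&2
            rc=1
            continue
        fi
        echo "ingesting $kind: $c"
        python3 collectifor.py -c "$cfg" --analysis --collection "$c" || rc=1
    done
    return $rc
}

# Usage (may need sudo/root depending on the collections' permissions):
#   ingest_all config.yaml.sample /collections/*
```

Sourcing the file gives you the three functions; `ingest_all` is the one to call, and it refuses to pass a directory to collectifor.py unless the inner `<ts>` directory exists and is non-empty, which catches collections that were re-packed one level too deep or too shallow.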
CollectiFOR also supports super timeline ingestion. More information about ingestion can be found here, and about the timeline UI components here. Modify config.yaml.sample if you want to change the default timeline database location.