
New Forensics Tool: DFIR-Companion

Score: 0
Severity: Medium
Tags: security-tool, cybersecurity, reddit
Published: Sat Jun 20 2026 (06/20/2026, 18:09:55 UTC)
Source: Reddit Cybersecurity

Description

DFIR-Companion is a new open-source digital forensics and incident response (DFIR) tool designed to assist investigators by consolidating and analyzing data from multiple sources in real time. It uses AI to correlate findings, build event timelines, extract and enrich indicators of compromise (IOCs), and suggest investigative next steps. The tool acts as a layer after detection tools, enhancing situational awareness and investigation efficiency. It supports integration with various DFIR outputs and security platforms. There is no indication that this tool itself introduces a security vulnerability or threat.

Reddit Discussion

r/cybersecurity·posted by u/hasamba

An AI pair of eyes sitting over your shoulder, catching what you miss while you're deep in an investigation.

Repo: https://github.com/hasamba/DFIR-Companion
Landing page: https://hasamba.github.io/DFIR-Companion/

Hands-on lab: https://killercoda.com/dfir-companion/scenario/killercoda

Honestly, it started out of frustration.

I'm sitting on an investigation, open Velociraptor, spot an interesting lead, start digging into it, find another lead, and so on, and then suddenly I realize I completely forgot to go back to the other findings from the first artifact.

The sheer amount of information you need to process during an investigation is simply more than one pair of eyes can handle, no matter how much coffee you've had.

So I started building something to help myself and it ended up going somewhere I didn't expect.

The original idea was a browser extension that takes screenshots every few seconds, so I could scroll back and see what I missed. Pretty dumb idea in hindsight, actually. But then the question came up: if I already have all those screenshots, why not let AI go through them while I work?

And from there it exploded.

Today it's a real-time dashboard that updates live as I investigate. It identifies findings, automatically builds an event timeline, extracts IOCs and enriches them from multiple sources, creates a playbook that suggests what to check next, suggests hunt queries for Velociraptor, runs them and collects back the results, checks for data leaks, and answers the standard questions every investigation report needs: access vector, lateral movement, privilege escalation, etc. If a client confirms a finding ("that's legit, it's our weekly scan"), one click and the entire analysis updates accordingly.

The coolest part, to me, is that this started as a Velociraptor-specific solution but in practice became an AI layer on top of every tool I have open in the browser: SIEM, Security Onion, Splunk4DFIR, VolWeb, you name it. Even tools with no built-in AI suddenly get smarter, and all the data consolidates in one place instead of me jumping between ten tabs.

Important to understand: this is NOT another detection layer. Your Sigma, YARA, and Suricata rules are already doing their job. This tool is the layer after detection: it takes all the verdicts from your tools, correlates them, and builds the "so what."

The tool didn't stop at screenshots either. You can feed it almost any DFIR output and it will automatically detect the format and import it deterministically (no burning tokens on AI for that).

Additional features:
• Data correlation
• Threat intel enrichment — with OPSEC in mind
• AI input anonymization
• Asset ↔ IoC graph
• Targeted query generation
• Export to multiple platforms
• Free-form case Q&A against an LLM
and much more...

📎 If you work in DFIR, Blue Team, or SOC — I'd love for you to try it out, open issues, suggest features, submit PRs, or just tell me what you think.
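The post above describes four pieces of the pipeline without showing code: deterministic format detection and import of DFIR exports (no LLM tokens spent), IOC extraction, anonymization of what is handed to the AI, and a merged event timeline. The block below is an added example of that pipeline, written for this page; it is not code from the DFIR-Companion repository, and the export layouts, field names (`_ts`, `Hostname`, `src_ip`, ...), sample events and the `render_for_llm` helper are all constructed assumptions, not the project's actual formats or functions.

```python
"""Deterministic import, IOC extraction, pseudonymisation and a merged timeline.

Added example for this page; NOT code from the DFIR-Companion project.
The export formats, field names and sample events below are constructed."""
import csv
import hashlib
import io
import json
import re
from datetime import datetime

# Constructed sample exports (not real case data): a Velociraptor-style JSONL
# dump and a Suricata-style CSV export that cover the same workstation.
VELOCIRAPTOR_JSONL = r'''{"_ts":"2026-06-19T10:02:11Z","Hostname":"WS-042","Artifact":"Windows.Sysinternals.Autoruns","Path":"C:\\Users\\bob\\AppData\\update.exe","MD5":"44d88612fea8a8f36de82e1278abb02f"}
{"_ts":"2026-06-19T10:05:40Z","Hostname":"WS-042","Artifact":"Windows.Network.Netstat","Process":"update.exe","Remote":"198.51.100.23:443"}
'''
SURICATA_CSV = '''timestamp,src_ip,dest_ip,signature
2026-06-19T10:05:41Z,10.0.0.42,198.51.100.23,ET MALWARE Possible C2 beacon
2026-06-19T09:58:00Z,10.0.0.42,203.0.113.7,ET POLICY Suspicious DNS query
'''

TS_KEYS = ("_ts", "timestamp", "time", "EventTime")      # assumed timestamp fields
HOST_KEYS = ("Hostname", "hostname", "host", "ClientName")  # assumed host fields
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH = re.compile(r"\b[0-9a-fA-F]{32}\b|\b[0-9a-fA-F]{64}\b")  # MD5 / SHA-256


def detect_format(text):
    """Cheap, deterministic sniffing: JSONL if the first non-empty line is a JSON
    object, CSV if it splits into several comma-separated fields, else unknown."""
    first = next((l for l in text.splitlines() if l.strip()), "")
    try:
        if isinstance(json.loads(first), dict):
            return "jsonl"
    except ValueError:
        pass
    if len(next(csv.reader([first]), [])) > 1:
        return "csv"
    return "unknown"


def load_records(text, source):
    """Normalise one export into dicts: ts (datetime), host, source, fields."""
    fmt = detect_format(text)
    if fmt == "jsonl":
        rows = [json.loads(l) for l in text.splitlines() if l.strip()]
    elif fmt == "csv":
        rows = list(csv.DictReader(io.StringIO(text)))
    else:
        raise ValueError("unrecognised export format")
    out = []
    for row in rows:
        ts_raw = next((row[k] for k in TS_KEYS if k in row), None)
        if ts_raw is None:
            raise ValueError("row has no recognised timestamp field")
        ts = datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ")
        host = next((row[k] for k in HOST_KEYS if k in row), None)
        out.append({"ts": ts, "host": host, "source": source, "fields": row})
    return out


def is_internal(ip):
    """RFC 1918 check done by hand so the documentation ranges in the sample
    (198.51.100.0/24, 203.0.113.0/24) count as external and get enriched."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def extract_iocs(records):
    """Regex IOC extraction over every field value, split by scope."""
    iocs = {"external_ips": set(), "internal_ips": set(), "hashes": set()}
    for rec in records:
        blob = " ".join(str(v) for v in rec["fields"].values())
        for ip in IPV4.findall(blob):
            iocs["internal_ips" if is_internal(ip) else "external_ips"].add(ip)
        iocs["hashes"].update(h.lower() for h in HASH.findall(blob))
    return iocs


def build_timeline(records):
    """Merge all sources into one chronological list of (ts, source, summary)."""
    def summary(rec):
        return " ".join(f"{k}={v}" for k, v in rec["fields"].items() if k not in TS_KEYS)
    return [(r["ts"].isoformat(), r["source"], summary(r))
            for r in sorted(records, key=lambda r: r["ts"])]


def pseudonymize(text, secret, records):
    """Replace hostnames and internal IPs with stable aliases before anything is
    sent to an LLM or enrichment API; external IOCs stay intact because they are
    what you want enriched. The reverse map stays local to de-alias the answer."""
    hosts = {r["host"] for r in records if r["host"]}
    internal = {ip for ip in IPV4.findall(text) if is_internal(ip)}
    reverse = {}
    for kind, values in (("host", hosts), ("ip", internal)):
        for v in sorted(values, key=len, reverse=True):  # longest first, no partial hits
            alias = f"{kind}-{hashlib.sha256(f'{secret}:{v}'.encode()).hexdigest()[:8]}"
            reverse[alias] = v
            text = text.replace(v, alias)
    return text, reverse


def render_for_llm(records, secret="per-case-secret"):
    """Everything the AI layer would see: pseudonymised timeline plus external IOCs."""
    lines = [f"{ts} [{src}] {s}" for ts, src, s in build_timeline(records)]
    iocs = extract_iocs(records)
    lines.append("external IPs: " + ", ".join(sorted(iocs["external_ips"])))
    lines.append("hashes: " + ", ".join(sorted(iocs["hashes"])))
    return pseudonymize("\n".join(lines), secret, records)


if __name__ == "__main__":
    recs = load_records(VELOCIRAPTOR_JSONL, "velociraptor") + load_records(SURICATA_CSV, "suricata")
    prompt, reverse_map = render_for_llm(recs)
    print(prompt)
    print(reverse_map)
```

The `secret` should be generated per case and never leave the analyst's machine: the same value maps the LLM's answer back to real hostnames, and a fixed secret would let aliases be correlated across cases.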

AI-Powered Analysis

Machine-generated threat intelligence

AI analysis last updated: 06/20/2026, 18:23:04 UTC

Technical Analysis

DFIR-Companion is an AI-powered forensic assistant that overlays existing DFIR and security tools to help analysts manage and correlate investigation data. It captures screenshots of the tools open in the browser, analyzes findings, builds timelines, enriches threat intelligence, and generates and runs hunt queries for tools such as Velociraptor. It is not a detection engine but a post-detection analysis aid that consolidates data from multiple sources into a unified dashboard. It is open source and intended to improve investigation workflows. No vulnerabilities or exploits in the tool are reported in the provided information.

Potential Impact

There is no evidence from the provided data that DFIR-Companion poses a security risk or vulnerability. It is a tool designed to assist security professionals and does not itself represent a threat or exploit. No known exploits or malicious activity have been reported.

Mitigation Recommendations

No remediation or patching applies; this entry describes a security tool rather than a vulnerability or threat. One operational caveat for anyone evaluating it: by design the tool forwards investigation data (screenshots of tool consoles, imported DFIR output, free-form case questions) to an LLM and queries external threat-intelligence sources for enrichment. The post states that AI inputs are anonymized and that enrichment is done with OPSEC in mind; confirm how those controls are configured, and where case data is sent, before using it on a sensitive engagement.


Technical Details

Source type: reddit
Subreddit: cybersecurity
Reddit score: 0
Discussion level: minimal
Content source: reddit_link_post
Post type: link
Domain: null
Newsworthiness assessment: {"score":27,"reasons":["external_link","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":[],"foundNonNewsworthy":[]}
Has external source: true
Trusted domain: false

Threat ID: 6a36da835e061732c8458d4d

Added to database: 6/20/2026, 6:22:59 PM

Last enriched: 6/20/2026, 6:23:04 PM

Last updated: 6/20/2026, 6:25:44 PM
