Project Achievement:
FileForensics is a comprehensive Django-based web application for cybersecurity analysis, featuring YARA-based malware detection, network packet analysis, image steganography detection, and comprehensive digital forensics capabilities.

Overview

FileForensics represents a significant milestone in my cybersecurity development journey. This Django-powered platform integrates multiple forensic analysis capabilities into a unified web application, combining the power of YARA pattern matching with modern web technologies to create a versatile security analysis tool.

The platform demonstrates advanced integration between Django's web framework and specialized cybersecurity tools, providing both automated analysis capabilities and comprehensive reporting features suitable for professional security assessments.

Key Features & Capabilities

The platform encompasses a wide range of cybersecurity analysis tools:

  • YARA-Based Malware Detection: Automated file analysis using compiled YARA rules
  • Multi-Format File Support: Detection and analysis of PE32, ELF, APK, Python, and JavaScript files
  • Network Traffic Analysis: Real-time ARP packet capture and device discovery using Scapy
  • Image Steganography Detection: Bit-plane analysis for hidden data detection in images
  • User Management System: Secure authentication with role-based access controls
  • Real-time Notifications: WebSocket integration for live analysis updates
  • Statistical Reporting: Data visualization with Plotly and Matplotlib
  • PDF Report Generation: Professional forensic reports using ReportLab

Installation & Setup

Setting up the FileForensics platform requires several specialized Python packages for cybersecurity analysis:

System Requirements

Prerequisites
Python 3.8+ Django 4.0+ YARA-python Scapy python-magic ReportLab Plotly Channels (WebSockets) Pillow (Image Processing) Matplotlib

Installation Process

Setup Commands
git clone https://github.com/elliot-hacks/FileForensics.git cd FileForensics python -m venv forensics_env source forensics_env/bin/activate pip install -r requirements.txt python manage.py migrate python manage.py createsuperuser python manage.py runserver
Important: Some features like network monitoring may require elevated privileges. Ensure proper permissions are configured for production deployments.

API Architecture & Endpoints

The platform exposes a comprehensive REST API for programmatic access to all analysis capabilities:

Core Application Routes

GET / Application dashboard with analysis overview
POST GET /register/ User registration with role assignment
POST GET /login/ Secure authentication with session management

File Analysis Endpoints

POST /upload File upload with automated YARA analysis
GET /files/ List all analyzed files with metadata
GET /files/<int:file_id>/ Detailed file analysis report
GET /analyse/<str:language_name>/<str:signatures>/ Specific analysis results by signature

Specialized Analysis Endpoints

POST GET /image_steg Image steganography analysis interface
POST GET /network_capture/ Network packet capture and analysis
GET /file_statistics Statistical analysis of upload patterns

YARA-Based Malware Detection System

The core strength of FileForensics lies in its sophisticated malware detection system, which leverages YARA rules for pattern-based threat identification.

File Type Classification

The system employs Python's python-magic library to perform accurate file type detection before applying appropriate YARA rulesets:

MIME Type Classification Analysis Approach
text/x-script.python Python Script Source code pattern matching
application/x-dosexec PE32 Executable Binary signature analysis
application/vnd.android.package-archive APK Package Android malware detection
application/javascript JavaScript Code Web-based threat analysis
application/x-executable ELF Executable Unix/Linux malware detection

YARA Rule Integration & Processing

The system implements a robust YARA rule compilation and execution engine:

def run_yara_analysis(file_object, yara_rules_path):
    """
    Execute YARA rules against uploaded file with comprehensive error handling
    """
    try:
        # Compile YARA rules from specified ruleset
        compiled_rules = yara.compile(filepath=yara_rules_path)
        
        # Reset file pointer for analysis
        file_object.seek(0)
        file_data = file_object.read()
        
        # Execute pattern matching
        matches = compiled_rules.match(data=file_data)
        
        # Extract signature information
        signatures = [{
            'rule': match.rule,
            'tags': match.tags,
            'meta': match.meta,
            'strings': [(s.identifier, s.instances) for s in match.strings]
        } for match in matches]
        
        return {
            'status': 'success',
            'signatures': signatures,
            'threat_level': calculate_threat_level(signatures)
        }
        
    except yara.Error as e:
        logger.error(f"YARA compilation/execution error: {e}")
        return {'status': 'error', 'message': str(e)}
    except Exception as e:
        logger.error(f"Unexpected error in YARA analysis: {e}")
        return {'status': 'error', 'message': 'Analysis failed'}
Advanced Feature: The system supports custom YARA rule integration and automatic rule updates from threat intelligence feeds.

Network Traffic Analysis

FileForensics includes sophisticated network monitoring capabilities using Scapy for real-time packet analysis and device discovery.

ARP Traffic Monitoring

The system captures and analyzes ARP packets to build a comprehensive network device inventory:

def process_network_packet(packet):
    """
    Process captured network packets for device discovery and analysis
    """
    if ARP in packet and packet[ARP].op == 1:  # ARP Request
        sender_ip = packet[ARP].psrc
        sender_mac = packet[ARP].hwsrc.upper()
        target_ip = packet[ARP].pdst
        
        # Perform reverse DNS lookup
        try:
            sender_hostname = socket.gethostbyaddr(sender_ip)[0]
        except (socket.herror, socket.gaierror):
            sender_hostname = 'Unknown'
        
        # Extract vendor information from MAC address
        vendor_info = get_mac_vendor(sender_mac)
        
        # Store device information with metadata
        device_entry = NetworkDevice.objects.update_or_create(
            mac_address=sender_mac,
            defaults={
                'ip_address': sender_ip,
                'hostname': sender_hostname,
                'vendor': vendor_info,
                'last_seen': timezone.now(),
                'packet_count': F('packet_count') + 1,
                'is_active': True
            }
        )
        
        # Log packet details for forensic analysis
        PacketLog.objects.create(
            timestamp=timezone.now(),
            source_ip=sender_ip,
            source_mac=sender_mac,
            destination_ip=target_ip,
            protocol='ARP',
            packet_size=len(packet),
            raw_packet=bytes(packet).hex()
        )
Network Interface Selection
sudo python manage.py start_network_monitor --interface eth0 Starting network monitoring on interface eth0... Capturing ARP traffic for device discovery... [INFO] Device discovered: 192.168.1.1 (AA:BB:CC:DD:EE:FF) - Router [INFO] Device discovered: 192.168.1.100 (11:22:33:44:55:66) - Workstation

Image Steganography Analysis

The platform includes advanced image forensics capabilities for detecting hidden data through steganographic analysis.

Bit-Plane Analysis Algorithm

The system examines individual bit planes across RGB channels to identify potential steganographic content:

def analyze_image_steganography(image_path):
    """
    Comprehensive steganography detection using bit-plane analysis
    """
    try:
        img = Image.open(image_path).convert('RGB')
        width, height = img.size
        
        analysis_results = {
            'suspicious_patterns': [],
            'entropy_analysis': {},
            'bit_plane_anomalies': []
        }
        
        # Analyze each color channel
        for channel_idx, channel in enumerate(['R', 'G', 'B']):
            channel_data = []
            
            # Extract bit planes for analysis
            for bit_position in range(8):
                bit_plane = extract_bit_plane(img, channel_idx, bit_position)
                entropy = calculate_entropy(bit_plane)
                
                # Check for suspicious entropy levels
                if entropy > 0.7:  # High entropy threshold
                    analysis_results['suspicious_patterns'].append({
                        'channel': channel,
                        'bit_plane': bit_position,
                        'entropy': entropy,
                        'anomaly_type': 'high_entropy'
                    })
                
                # Statistical analysis of bit distribution
                if detect_lsb_anomaly(bit_plane):
                    analysis_results['bit_plane_anomalies'].append({
                        'channel': channel,
                        'bit_plane': bit_position,
                        'anomaly': 'irregular_distribution'
                    })
        
        return analysis_results
        
    except Exception as e:
        logger.error(f"Image analysis error: {e}")
        return {'error': str(e)}
Analysis Note: Image steganography detection requires careful statistical analysis. False positives can occur with naturally complex images.

Advanced Reporting & Statistics

FileForensics generates comprehensive reports suitable for professional security assessments and forensic documentation.

PDF Report Generation

def generate_comprehensive_report(analysis_session):
    """
    Create detailed PDF forensic report with analysis findings
    """
    report_path = f'{settings.MEDIA_ROOT}/reports/{analysis_session.id}_forensic_report.pdf'
    
    # Initialize PDF canvas with custom styling
    c = canvas.Canvas(report_path, pagesize=letter)
    width, height = letter
    
    # Report header with metadata
    c.setFont("Helvetica-Bold", 16)
    c.drawString(50, height - 50, f"FileForensics Analysis Report")
    c.setFont("Helvetica", 10)
    c.drawString(50, height - 70, f"Generated: {timezone.now().strftime('%Y-%m-%d %H:%M:%S')}")
    c.drawString(50, height - 85, f"Session ID: {analysis_session.id}")
    
    # Executive summary section
    y_position = height - 120
    c.setFont("Helvetica-Bold", 12)
    c.drawString(50, y_position, "Executive Summary")
    
    # Analysis findings with threat classification
    findings = analysis_session.get_findings_summary()
    for finding in findings:
        y_position -= 20
        threat_color = get_threat_color(finding['severity'])
        c.setFillColor(threat_color)
        c.drawString(70, y_position, f"• {finding['description']}")
    
    # Technical details and recommendations
    add_technical_analysis(c, analysis_session, y_position)
    add_recommendations(c, analysis_session)
    
    c.save()
    return report_path

Statistical Visualization Dashboard

The platform provides interactive dashboards for trend analysis and threat intelligence:

def create_analysis_dashboard():
    """
    Generate interactive statistical dashboard using Plotly
    """
    # File type distribution analysis
    file_types = FileAnalysis.objects.values('file_type').annotate(
        count=Count('id')
    ).order_by('-count')
    
    fig_file_types = px.pie(
        values=[item['count'] for item in file_types],
        names=[item['file_type'] for item in file_types],
        title="File Type Distribution"
    )
    
    # Threat detection timeline
    threat_timeline = FileAnalysis.objects.filter(
        threats_detected__gt=0
    ).extra({
        'date': 'DATE(created_at)'
    }).values('date').annotate(
        threat_count=Count('id')
    ).order_by('date')
    
    fig_timeline = px.line(
        x=[item['date'] for item in threat_timeline],
        y=[item['threat_count'] for item in threat_timeline],
        title="Threat Detection Timeline"
    )
    
    return {
        'file_distribution': fig_file_types.to_json(),
        'threat_timeline': fig_timeline.to_json()
    }

Real-time Analysis Notifications

The platform leverages Django Channels to provide real-time updates during analysis operations:

class ForensicsConsumer(AsyncWebsocketConsumer):
    """
    WebSocket consumer for real-time forensic analysis updates
    """
    async def connect(self):
        self.user = self.scope['user']
        if self.user.is_authenticated:
            self.group_name = f'forensics_{self.user.id}'
            
            await self.channel_layer.group_add(
                self.group_name,
                self.channel_name
            )
            await self.accept()
        else:
            await self.close()
    
    async def disconnect(self, close_code):
        if hasattr(self, 'group_name'):
            await self.channel_layer.group_discard(
                self.group_name,
                self.channel_name
            )
    
    async def analysis_update(self, event):
        """
        Send analysis progress updates to connected clients
        """
        await self.send(text_data=json.dumps({
            'type': 'analysis_update',
            'message': event['message'],
            'progress': event.get('progress', 0),
            'analysis_id': event.get('analysis_id'),
            'status': event.get('status', 'processing')
        }))

Security Architecture & Considerations

Critical Security Notes:
FileForensics handles potentially malicious files and requires careful security implementation:
  • Sandboxed Analysis: All file analysis occurs in isolated environments to prevent system compromise
  • Input Validation: Comprehensive validation of all uploaded content and user inputs
  • Privilege Management: Network monitoring features require elevated privileges - implement principle of least access
  • YARA Rule Security: Regular updates from trusted threat intelligence sources with signature verification
  • Session Management: Secure authentication with session timeout and CSRF protection
  • File Storage: Encrypted storage of analyzed files with secure deletion capabilities
  • Audit Logging: Comprehensive logging of all analysis activities for forensic accountability
Security Configuration Example
sudo chown -R forensics:forensics /var/forensics/ sudo chmod 750 /var/forensics/quarantine/ sudo setcap cap_net_raw+ep /usr/bin/python3.8 # Enable security logging echo "forensics.* /var/log/forensics.log" >> /etc/rsyslog.conf

Project Impact & Future Development

FileForensics represents a comprehensive achievement in cybersecurity platform development, successfully integrating multiple specialized security tools into a cohesive Django application. The project demonstrates advanced technical skills in:

  • Security Tool Integration: Successfully combining YARA, Scapy, and image analysis libraries
  • Web Application Security: Implementing secure file handling and user authentication
  • Real-time Communication: WebSocket integration for live analysis updates
  • Data Visualization: Interactive dashboards for security intelligence
  • Forensic Reporting: Professional documentation generation for security assessments
Technical Achievement: This platform showcases the successful integration of low-level security tools with modern web frameworks, creating a user-friendly interface for complex forensic analysis tasks.

Future development plans include machine learning integration for threat classification, expanded file format support, and integration with additional threat intelligence APIs. The modular architecture allows for seamless expansion of analysis capabilities.

Project Repository
git clone https://github.com/elliot-hacks/FileForensics.git cd FileForensics git log --oneline | head -5 abc123f Add machine learning threat classification def456g Implement advanced YARA rule management 789hij0 Add network traffic analysis dashboard klm901n Enhance image steganography detection nop234q Initial FileForensics platform release

For complete documentation, installation guides, and contribution information, visit the FileForensics GitHub repository.