Kuiper by DFIRKuiper

Digital forensics platform for investigation teams

created 5 years ago
840 stars

Top 42.4% on SourcePulse

Project Summary

Kuiper is a digital investigation platform designed to streamline digital forensics workflows for investigators and teams. It parses, searches, and visualizes collected digital evidence, supports collaboration through artifact tagging and a shared timeline, and automates detection with custom rules.

How It Works

Kuiper centralizes processing on a server, so analysts need less local hardware and all evidence for a case lives in one place. The stack is a Flask web application, Elasticsearch for storing parsed artifacts, MongoDB for configuration, Redis as the message broker, and Celery workers that parse evidence files concurrently as asynchronous tasks. This architecture aims for consistent, accurate processing and efficient handling of large datasets.

Quick Start & Requirements

  • Installation: Clone the repository, navigate to the directory, and run docker-compose pull followed by docker-compose up -d.
  • Prerequisites: Docker (version 20.10.17+) and Docker Compose (version 1.29.2+). Ubuntu 18.04.1 LTS is preferred.
  • Resource Requirements: Minimum 4GB RAM and 4 CPU cores; 64GB RAM and more cores are recommended for performance. Disk space depends on data volume.
  • Notes: The kernel setting vm.max_map_count must be raised to 262144 (an Elasticsearch startup requirement) before the containers are brought up. See Installation for detailed Docker setup.
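The quick-start steps above boil down to three prerequisite checks and two docker-compose commands. The following pre-flight script is an added example written for this page, not a script shipped with Kuiper: it extracts the installed Docker and Docker Compose versions, compares them numerically against the minimums the page lists, checks vm.max_map_count against 262144, and only then runs `docker-compose pull` and `docker-compose up -d`. The script name `kuiper-preflight.sh` and the `run` subcommand are assumptions for illustration.

```shell
#!/bin/sh
# Pre-flight check for the Kuiper quick start, written for this page; it is
# not part of the Kuiper project. Thresholds are the ones the page lists:
# Docker 20.10.17+, Docker Compose 1.29.2+, vm.max_map_count >= 262144
# (Elasticsearch refuses to start below that value).
set -eu

DOCKER_MIN="20.10.17"
COMPOSE_MIN="1.29.2"
MAP_COUNT_MIN=262144

# Pull the first dotted version number out of a "--version" banner, e.g.
# "Docker version 24.0.7, build afdd53b" -> "24.0.7". Prints nothing on no match.
extract_version() {
    printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9.]*[0-9]\).*$/\1/p'
}

# Return 0 when dotted version $1 >= $2, comparing fields numerically so that
# 20.10.17 sorts above 20.9.3 (a plain string compare gets that wrong).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            ai = (i in x) ? x[i] + 0 : 0
            bi = (i in y) ? y[i] + 0 : 0
            if (ai > bi) exit 0
            if (ai < bi) exit 1
        }
        exit 0
    }'
}

# Return 0 when the kernel's vm.max_map_count ($1) meets the Elasticsearch minimum.
map_count_ok() {
    [ "${1:-0}" -ge "$MAP_COUNT_MIN" ]
}

# Check the live host. Prints one line per requirement; returns 1 if any fails.
preflight() {
    rc=0
    docker_v=$(extract_version "$(docker --version 2>/dev/null || true)")
    compose_v=$(extract_version "$(docker-compose --version 2>/dev/null || true)")
    map_count=$(sysctl -n vm.max_map_count 2>/dev/null || echo 0)

    if version_ge "${docker_v:-0}" "$DOCKER_MIN"; then
        echo "ok    docker $docker_v (need $DOCKER_MIN+)"
    else
        echo "FAIL  docker '${docker_v:-missing}' (need $DOCKER_MIN+)"; rc=1
    fi
    if version_ge "${compose_v:-0}" "$COMPOSE_MIN"; then
        echo "ok    docker-compose $compose_v (need $COMPOSE_MIN+)"
    else
        echo "FAIL  docker-compose '${compose_v:-missing}' (need $COMPOSE_MIN+)"; rc=1
    fi
    if map_count_ok "$map_count"; then
        echo "ok    vm.max_map_count=$map_count"
    else
        echo "FAIL  vm.max_map_count=$map_count; run: sudo sysctl -w vm.max_map_count=$MAP_COUNT_MIN"
        echo "      (persist it: echo vm.max_map_count=$MAP_COUNT_MIN | sudo tee /etc/sysctl.d/99-kuiper.conf)"
        rc=1
    fi
    return $rc
}

# Start Kuiper only after every check passes:  sh kuiper-preflight.sh run
# (assumes it is executed from the cloned Kuiper directory).
case "${1:-}" in
    run)
        preflight || { echo "fix the failures above before starting Kuiper" >&2; exit 1; }
        docker-compose pull
        docker-compose up -d
        ;;
esac
```

Run it as `sh kuiper-preflight.sh run` from the cloned repository; without the `run` argument it only defines the functions. The sysctl change is applied with `sysctl -w` for the running kernel and written to `/etc/sysctl.d/` so it survives a reboot, which matters because a host that boots with the default value of 65530 will bring up every container except Elasticsearch.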

Highlighted Details

  • Centralized server architecture reduces analyst hardware needs.
  • Collaboration features include tagging artifacts and a timeline view.
  • Supports custom parser development and integration.
  • Enables rule creation for automated detection of malicious activities.

Maintenance & Community

The project is maintained by Saleh Muhaysin, Muteb Alqahtani, and Abdullah Alrasheed. Contributions and parser sharing are encouraged via pull requests.

Licensing & Compatibility

The core project is licensed under GPL-3.0. Individual parsers may have their own licenses. GPL-3.0 is a strong copyleft license, potentially restricting integration with closed-source commercial applications.

Limitations & Caveats

The platform is primarily tested on Ubuntu 18.04.1 LTS. Initial Docker startup may require manual adjustment of vm.max_map_count. Some users have reported volume mounting permission issues that may require re-running the docker-compose up -d command.

Health Check

  • Last commit: 10 months ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 0
  • Issues (30d): 0
  • Star History: 7 stars in the last 30 days
