Beta (v0.1.0): This project is currently in Beta. While it leverages industry-standard forensic tools (iLEAPP, aLEAPP, libimobiledevice), it remains a forensic best practice to always independently verify significant findings against raw data and secondary tools.
suiteDFIR is a forensic extraction and analysis suite built for speed, ease-of-use, and privacy.
Co-developed with: Slay3r00
- Device Extraction: Extract iOS backups via USB using libimobiledevice. Supports encrypted and unencrypted backups with progress tracking.
- LEAPP Analysis: Integrated iLEAPP (iOS) and aLEAPP (Android) forensic parsers for artifact extraction.
- Timeline Events: Reconstruct data from multiple sources into a searchable chronological view.
- Geospatial Viewer: Automatically extracts KML files from LEAPP reports. Features layer switching (Satellite, Hybrid, Default), custom KML imports, and location search pinning.
- Settings Management: Set and store your Google Maps API key here; it is required to access the Geospatial page.
- Private & Local: All data processing is done on your local machine. Forensic data is never sent to external servers.
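
The Geospatial Viewer reads KML from LEAPP reports and from custom imports, so mapped points can be cross-checked offline against the KML itself. The following is an added example, not part of suiteDFIR's code: `parse_kml_points` and `SAMPLE_KML` are hypothetical names, and it assumes UTF-8 KML 2.2 with `Placemark`/`Point` elements, which real LEAPP output may not match exactly.

```python
import xml.etree.ElementTree as ET

KML_NS = {"k": "http://www.opengis.net/kml/2.2"}

# Constructed sample for illustration; not taken from a real LEAPP report.
SAMPLE_KML = b"""<?xml version="1.0" encoding="UTF-8"?>
<kml xmlns="http://www.opengis.net/kml/2.2"><Document>
  <Placemark><name>Constructed point A</name>
    <TimeStamp><when>2024-01-05T10:15:00Z</when></TimeStamp>
    <Point><coordinates>-122.4194,37.7749,0</coordinates></Point></Placemark>
  <Placemark><name>Constructed point B (bad latitude)</name>
    <Point><coordinates>10.0,123.0</coordinates></Point></Placemark>
</Document></kml>"""


def parse_kml_points(data: bytes):
    """Return (points, rejected) from KML bytes without any network access."""
    # Imported KML is untrusted input. Decode strictly as UTF-8 (assumption)
    # and refuse DTD/entity declarations outright rather than relying on the
    # XML parser's entity-expansion limits.
    text = data.decode("utf-8")
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise ValueError("KML with DTD or entity declarations refused")
    root = ET.fromstring(text)
    points, rejected = [], []
    for pm in root.iterfind(".//k:Placemark", KML_NS):
        name = (pm.findtext("k:name", "", KML_NS) or "").strip()
        when = pm.findtext("k:TimeStamp/k:when", None, KML_NS)
        raw = (pm.findtext("k:Point/k:coordinates", "", KML_NS) or "").strip()
        try:
            # KML coordinate order is longitude,latitude[,altitude]
            lon, lat = (float(v) for v in raw.split(",")[:2])
        except ValueError:
            rejected.append((name, raw))
            continue
        if -180.0 <= lon <= 180.0 and -90.0 <= lat <= 90.0:
            points.append({"name": name, "when": when, "lat": lat, "lon": lon})
        else:
            rejected.append((name, raw))
    return points, rejected


if __name__ == "__main__":
    pts, bad = parse_kml_points(SAMPLE_KML)
    for p in pts:
        print(p["when"], p["lat"], p["lon"], p["name"])
    for name, raw in bad:
        print("REJECTED:", name, raw)
```

Rejected entries are returned rather than dropped so that malformed or out-of-range coordinates can be traced back to the raw artifact.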
suiteDFIR is designed to prioritize your privacy and the security of forensic data. Understanding where data stays local and where external connections are made is critical for forensic integrity.
- Forensic Extraction: All device imaging and backup extractions are performed locally via USB.
- Artifact Parsing: The iLEAPP and aLEAPP engines run entirely within your local environment.
- Case Database: All investigative data, metadata, and case files are stored on your local disk.
- Analysis & Timeline: Data correlation and timeline reconstruction are 100% offline.
While processing is local, certain UI and utility features require an internet connection:
- Map Page: Rendering map tiles and layers requires connecting to providers (Google, Carto, OpenStreetMap).
- Location Search: Geocoding and searching for addresses is performed via external API calls (e.g., Google Maps API).
- Tool Management: Checking for updates and downloading the latest forensic tool versions requires access to GitHub and PyPI.
- Launch: Open suiteDFIR on your workstation.
- Create Case: Create a new case and add relevant investigation details.
- Connect: Navigate to the Backups page and connect the target device via USB.
- Extract: Start the local extraction to image the device.
- Analyze: Navigate to the Analysis page to process the extracted data.
- Timeline: Navigate to the Timeline page to view the reconstructed event history.
- Map: Navigate to the Map page to visualize geographic data.
- Desktop: Electron
- Frontend: React, TypeScript, Tailwind CSS
- Backend: Python, FastAPI, Pydantic
- Build: PyInstaller, Vite
suiteDFIR stands on the shoulders of giants. See THIRD-PARTY-NOTICES.md for full attributions and license texts.
- iLEAPP & aLEAPP
- libimobiledevice (Licensed under LGPL 2.1+)
This project is licensed under the Apache License 2.0. See the LICENSE and NOTICE files for details.
- Node.js: Ensure Node.js 18+ is installed.
- Python: Python 3.9+ is required for the backend forensic engines.
- Virtual Environment: Initialize the Python environment:
```bash
cd backend
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
```
Install all dependencies for root, frontend, and electron layers:
```bash
yarn install:all
```
Start the concurrent development environment (Vite + Electron):
```bash
yarn dev:electron
```
suiteDFIR uses a multi-stage build process to bundle the Python environment, Vite frontend, and Electron shell.
Build the full production bundle for your current platform:
- macOS: `yarn build:mac`
- Windows: `yarn build:win`
- Linux: `yarn build:linux`
- Backend Only: `yarn build:backend` (Packages Python via PyInstaller)
- Frontend Only: `yarn build:frontend` (Builds static Vite assets)
Third-party components are subject to their own licenses. See THIRD-PARTY-NOTICES.md for full attributions.





