This Python tool converts bodyfiles (version 2/3) into CSV format and generates an interactive HTML-based forensic analysis dashboard. It supports multiple bodyfiles, provides advanced filtering, and includes visualizations for forensic investigations. The tool is designed for cross-platform use and offers a lightweight, responsive interface for analyzing filesystem metadata.
- Multi-Bodyfile Support: Process multiple bodyfiles and combine them into a single database.
- MACB Timeline: Visualize Modified, Accessed, Changed, and Created timestamps.
- Time Skew Detection: Identify timestamp anomalies such as future dates or creation after modification.
- Interactive Dashboard: Web-based UI with search, filters, and zoomable charts powered by Chart.js.
- Regex Search: Search file paths using regular expressions.
- Hash Filtering: Filter by MD5 hash (full or partial).
- File Type Categorization: Automatically categorize files (e.g., executable, script, config, log).
- Noteworthy Flags: Flag files in temporary locations, hidden files, SSH artifacts, and more.
- Export Options: Export results as CSV or JSON.
- Batch Processing: Handle multiple bodyfiles in one session.
- Cross-Platform: Compatible with Windows, Linux, and macOS.
- Basic Authentication: Lightweight security for the web interface.
- Heatmap Visualization: Basic colored timeline for activity density.
- Python 3.6 or higher
- Required Python packages: `tkinter`
  Note: `tkinter` is typically included with Python but may need installation on some Linux systems (`python3-tk`); the page suggests `pip install tkinter`.
- Clone the repository:
  `git clone https://github.com/dfirvault/bodyfile-to-csv/bodyfile-to-csv.git`
  `cd bodyfile-to-csv`
- Ensure you have a bodyfile (version 2 or 3) to process. Bodyfiles are typically generated by tools like `fls` from The Sleuth Kit.
- Run the script:
  `python3 bodyfile-to-csv.py`
- Choose to create a new analysis or open an existing database in the initial dialog.
- For new analysis:
- Select one or more bodyfiles.
- Choose an output CSV file location.
- Optionally apply date range filtering (e.g., filter by modified time).
- The tool will:
- Convert the bodyfile(s) to CSV.
- Create an SQLite database for fast querying.
- Generate an HTML report and start a local web server (default port: 8000).
- Open the report in your default browser.
- Search: Use the search bar for file name queries (supports regex).
- Filters: Toggle file types (e.g., executables, scripts) and flags (e.g., temp files, hidden files).
- Date Range: Filter by modified or accessed dates.
- Charts: View timeline activity (MACB) and file type distribution.
- Export: Download filtered results as CSV or JSON.
- Add Bodyfile: Dynamically add more bodyfiles via the web interface.
- Run `python3 bodyfile-to-csv.py`.
- Select `bodyfile.txt` as input.
- Save output as `analysis.csv`.
- Choose date range (e.g., last 30 days).
- Access the dashboard at `http://localhost:8000/analysis_report.html`.
- `bodyfile-to-csv.py`: Main script.
- `output.csv`: Generated CSV file with converted bodyfile data.
- `output.db`: SQLite database for fast querying.
- `output_report.html`: Interactive HTML report.
The tool supports bodyfiles in version 2 (10 fields) and version 3 (11 fields, including crtime). Expected format (pipe-separated, timestamps as Unix epoch seconds):
`MD5|Name|Inode|Mode|UID|GID|Size|Atime|Mtime|Ctime[|Crtime]`
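As an added illustration (not code from the bodyfile-to-csv project), the following parser reads the version 2/3 format above, converts it to CSV, and applies the two time-skew checks the feature list describes (future timestamps, creation after modification). The three bodyfile lines and the reference "now" value are constructed sample data.

```python
import csv
import io

FIELDS_V2 = ["md5", "name", "inode", "mode", "uid", "gid", "size", "atime", "mtime", "ctime"]
FIELDS_V3 = FIELDS_V2 + ["crtime"]          # version 3 appends crtime
TIME_KEYS = ("atime", "mtime", "ctime", "crtime")

# Constructed sample: one v2 line (10 fields) and two v3 lines (11 fields).
SAMPLE_BODYFILE = """\
0|/etc/passwd|131074|r/rrw-r--r--|0|0|1782|1700000000|1699990000|1699990000
0|/tmp/.x|131999|r/rrwxr-xr-x|1000|1000|4096|1700000000|1699990000|1699990000|1700005000
0|/var/log/syslog|131500|r/rrw-r-----|0|4|20480|4102444800|1700000000|1700000000|1699000000
"""
NOW = 1700100000  # constructed acquisition time used as the "future" reference


def parse_bodyfile_line(line):
    """Parse one bodyfile line into a dict; returns None for blank or comment lines."""
    line = line.rstrip("\r\n")
    if not line or line.startswith("#"):
        return None
    parts = line.split("|")
    if len(parts) not in (10, 11):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    names = FIELDS_V3 if len(parts) == 11 else FIELDS_V2
    rec = dict(zip(names, parts))
    rec["version"] = 3 if len(parts) == 11 else 2
    # Inode is left as a string (NTFS bodyfiles use forms like 12345-128-1).
    for key in ("uid", "gid", "size") + TIME_KEYS:
        if key in rec:
            rec[key] = int(rec[key]) if rec[key] else 0   # TSK writes 0 for unset times
    return rec


def detect_time_skew(rec, now_epoch):
    """Return skew flags: any timestamp after now, or crtime later than mtime."""
    times = {k: rec[k] for k in TIME_KEYS if k in rec and rec[k] > 0}
    flags = []
    if any(t > now_epoch for t in times.values()):
        flags.append("future_timestamp")
    if "crtime" in times and "mtime" in times and times["crtime"] > times["mtime"]:
        flags.append("created_after_modified")
    return flags


def bodyfile_to_csv(lines, now_epoch):
    """Convert bodyfile lines to CSV text with an extra skew_flags column."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(FIELDS_V3 + ["skew_flags"])
    for rec in (parse_bodyfile_line(ln) for ln in lines):
        if rec is not None:
            row = [rec.get(k, "") for k in FIELDS_V3]   # v2 rows get an empty crtime
            writer.writerow(row + [";".join(detect_time_skew(rec, now_epoch))])
    return out.getvalue()
```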
- Basic file signature detection is extension-based.
- Authentication is minimal (basic HTTP auth).
- Heatmap is a simple colored timeline; advanced visualization requires external tools.
- Large bodyfiles may require significant memory during initial processing.
Contributions are welcome! Please:
- Fork the repository.
- Create a feature branch (`git checkout -b feature/new-feature`).
- Commit changes (`git commit -m "Add new feature"`).
- Push to the branch (`git push origin feature/new-feature`).
- Open a pull request.
This project is licensed under the MIT License. See the LICENSE file for details.
- Built with Python, SQLite, and Chart.js.
- Inspired by forensic analysis tools like The Sleuth Kit.
Jacob Wilson
📧 [email protected]
https://www.linkedin.com/in/jacob--wilson/
More information: https://dfirvault.com