
Forensic event reconstruction and timeline correlation for SADFC-style data

Project description

reconsadfc

Forensic event reconstruction and relationship analysis for SADFC-style footprint data.

This project provides a DataFrame-first pipeline to:

  • filter and preprocess forensic footprint data,
  • extract subjects, objects, and events,
  • build support and entity-event relationships,
  • compute event correlations over time,
  • analyze and visualize inferred timelines.

Features

  • Data ingestion and filtering from CSV files (source == WEBHIST)
  • Entity extraction for common event types (web visit, process creation, search activity, file activity)
  • Relationship modeling:
    • footprint-to-entity/event support
    • participation (subject-event)
    • usage (event-object)
  • Temporal and contextual correlation scoring
  • Timeline filtering based on type-level correlation statistics
  • Built-in timeline plotting with Matplotlib

Installation

From PyPI

After publishing, install with:

pip install reconsadfc

From source (local development)

git clone <your-repository-url>
cd temp-reconformal
pip install -e .

Requirements

  • Python 3.9+
  • pandas
  • matplotlib

Quick Start

from reconformal import (
    DataProcessor,
    KnowledgeRepresentation,
    TimelineReconstruction,
    RelationshipAnalysis,
)

# 1) Load and filter footprints
processor = DataProcessor(file_dir="./data", save_json=False)
combined_df = processor.process_files()

# 2) Build knowledge representation
kr = KnowledgeRepresentation(combined_df)
kr.sort_data()
kr.extract_entities()

# 3) Reconstruct timeline and compute correlations
timeline_builder = TimelineReconstruction(kr)
timeline_df = timeline_builder.reconstruct_timeline()
correlation_df = timeline_builder.calculate_correlation(timeline_df)

# 4) Analyze timeline quality
analysis = RelationshipAnalysis(kr)
scored_timeline_df = analysis.filter_events_based_on_avg_correlation(
    correlation_df=correlation_df,
    timeline_df=timeline_df,
    threshold=0.0,
)
updated_timeline_df = analysis.update_timeline_df(scored_timeline_df)

# Optional plot
analysis.draw_timeline_graph(updated_timeline_df)

# Optional metrics
counts = analysis.count_classification_groups(updated_timeline_df)
print(counts)

CLI Usage

After installation, run from PowerShell or any shell:

reconformal-cli --input-dir .\data --output-dir .\outputs --threshold 0.0 --draw-graph

You can also run as a Python module:

python -m reconformal --input-dir .\data --output-dir .\outputs

Generated outputs are written as CSV files, including timeline, correlation, relationship, summary, and metrics artifacts.

Main Components

  • DataProcessor
    • Reads CSV files from a directory
    • Filters rows where source is WEBHIST
  • EntityExtractor
    • Converts footprint rows into normalized subject/object/event records
  • RelationshipManager
    • Deduplicates entities and builds relationship tables
  • KnowledgeRepresentation
    • Orchestrates extraction and stores all derived DataFrames
  • TimelineReconstruction
    • Builds deduplicated timeline and computes pairwise correlations
  • RelationshipAnalysis
    • Aggregates correlation scores, filters events, enriches timeline, and plots results

Data Assumptions

Input footprint data is expected to include fields commonly used by the pipeline, such as:

  • id
  • type
  • source
  • date_time_min
  • optional event metadata (for example keys, plugin, files, filename)
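As an added illustration (not reconsadfc's own code), the stages listed above can be walked through on a handful of constructed footprint rows using only the standard library: filter rows to source == WEBHIST and the required fields, collapse footprints into subject/object/event records with a footprint-to-event support table, order the events into a timeline, score every pair temporally and contextually, and keep the events whose average correlation meets a threshold. The decay constant, the context weights, the constant subject and the threshold rule are assumptions of this example, not the package's formulas.

```python
from collections import defaultdict
from datetime import datetime
from math import exp

REQUIRED_FIELDS = ("id", "type", "source", "date_time_min")
TIME_FORMAT = "%Y-%m-%d %H:%M"

# Constructed sample footprints (not real case data) in the column shape the
# Data Assumptions describe; f5 is a second sighting of f1's page, f3 comes
# from another source and f6 carries an unparseable timestamp.
FOOTPRINTS = [
    {"id": "f1", "type": "web visit", "source": "WEBHIST",
     "date_time_min": "2024-03-01 09:00", "url": "http://example.test/login"},
    {"id": "f2", "type": "search activity", "source": "WEBHIST",
     "date_time_min": "2024-03-01 09:02", "keys": "reset password"},
    {"id": "f3", "type": "file activity", "source": "FILE",
     "date_time_min": "2024-03-01 09:03", "filename": "notes.txt"},
    {"id": "f4", "type": "web visit", "source": "WEBHIST",
     "date_time_min": "2024-03-01 17:30", "url": "http://example.test/docs"},
    {"id": "f5", "type": "web visit", "source": "WEBHIST",
     "date_time_min": "2024-03-01 09:01", "url": "http://example.test/login"},
    {"id": "f6", "type": "web visit", "source": "WEBHIST",
     "date_time_min": "not-a-date", "url": "http://example.test/help"},
]


def filter_footprints(rows, source="WEBHIST"):
    """Stage 1: keep rows from the wanted source whose required fields are present
    and whose timestamp parses; anything else is dropped rather than mis-ordered."""
    kept = []
    for row in rows:
        if row.get("source") != source:
            continue
        if any(not row.get(field) for field in REQUIRED_FIELDS):
            continue
        try:
            stamp = datetime.strptime(row["date_time_min"], TIME_FORMAT)
        except ValueError:
            continue
        kept.append({**row, "_ts": stamp})
    return kept


def extract_entities(rows, subject="workstation-01"):
    """Stage 2: one event per (type, object) pair; the subject is a constant
    (assumption) because these sample rows carry no user or host column.
    Returns the events and the support table: which footprint ids back each event."""
    events, support = {}, defaultdict(list)
    for row in rows:
        obj = row.get("url") or row.get("keys") or row.get("filename") or "<unknown>"
        key = (row["type"], obj)
        event = events.setdefault(key, {"type": row["type"], "object": obj,
                                        "subject": subject, "first_seen": row["_ts"]})
        event["first_seen"] = min(event["first_seen"], row["_ts"])
        support[key].append(row["id"])
    return events, dict(support)


def build_timeline(events):
    """Stage 3a: deduplicated events ordered by first sighting."""
    return sorted(events.values(), key=lambda e: e["first_seen"])


def correlate(timeline, tau_minutes=30.0):
    """Stage 3b: pairwise score = temporal decay x contextual weight. The decay
    constant and the context weights are assumptions of this illustration."""
    scores = {}
    for i, a in enumerate(timeline):
        for j in range(i + 1, len(timeline)):
            b = timeline[j]
            minutes = abs((b["first_seen"] - a["first_seen"]).total_seconds()) / 60.0
            temporal = exp(-minutes / tau_minutes)
            if a["object"] == b["object"]:
                context = 1.0
            elif a["type"] == b["type"]:
                context = 0.75
            else:
                context = 0.5
            scores[(i, j)] = temporal * context
    return scores


def filter_by_avg_correlation(timeline, scores, threshold):
    """Stage 4: average each event's scores against every other event, keep the
    events whose average meets the threshold, and report per-type averages."""
    per_event = defaultdict(list)
    for (i, j), score in scores.items():
        per_event[i].append(score)
        per_event[j].append(score)
    averages = [sum(per_event[i]) / len(per_event[i]) if per_event[i] else 0.0
                for i in range(len(timeline))]
    by_type = defaultdict(list)
    for event, avg in zip(timeline, averages):
        by_type[event["type"]].append(avg)
    type_stats = {t: sum(v) / len(v) for t, v in by_type.items()}
    kept = [dict(e, avg_correlation=a) for e, a in zip(timeline, averages) if a >= threshold]
    return kept, type_stats


def run_pipeline(rows, threshold=0.1):
    """End-to-end run; returns kept events, the support table and type statistics."""
    events, support = extract_entities(filter_footprints(rows))
    timeline = build_timeline(events)
    kept, type_stats = filter_by_avg_correlation(timeline, correlate(timeline), threshold)
    return kept, support, type_stats


if __name__ == "__main__":
    kept_events, support_table, stats = run_pipeline(FOOTPRINTS)
    for event in kept_events:
        print(event["first_seen"], event["type"], event["object"],
              round(event["avg_correlation"], 3))
    print(stats)
```

With the sample rows, the two login sightings collapse into one event backed by f1 and f5, the nearby search correlates strongly with it, and the evening visit to the docs page, hours away from everything else, falls below a 0.1 threshold; with threshold 0.0 (the Quick Start's setting) every event survives.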

PyPI Publishing Checklist

Before publishing, ensure you have:

  1. Package metadata configured (pyproject.toml preferred).
  2. This README referenced as the long description.
  3. Version bumped correctly.
  4. License file included.
  5. Source distribution and wheel built successfully.

Typical commands:

python -m pip install --upgrade build twine
python -m build
python -m twine check dist/*
python -m twine upload dist/*

Project Structure

Current minimal structure:

  • reconformal/reconformal.py - core implementation
  • reconformal/cli.py - CLI parser and command runner
  • reconformal/__main__.py - module execution entry point
  • reconformal/__init__.py - package exports
  • pyproject.toml - packaging metadata and console scripts
  • README.md - project documentation
  • LICENSE - MIT license
  • fer-sadfc.ipynb - notebook exploration

License

MIT License. See LICENSE.

Contributing

Contributions are welcome. Recommended workflow:

  1. Open an issue describing the change.
  2. Create a feature branch.
  3. Add tests and documentation updates.
  4. Submit a pull request.

Download files

Source Distribution

reconsadfc-0.1.0.tar.gz (22.7 kB)

Built Distribution

reconsadfc-0.1.0-py3-none-any.whl (18.0 kB)

File details

Details for the file reconsadfc-0.1.0.tar.gz.

File metadata

  • Download URL: reconsadfc-0.1.0.tar.gz
  • Upload date:
  • Size: 22.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for reconsadfc-0.1.0.tar.gz
Algorithm Hash digest
SHA256 052cfdf1c7a7e342d1edb4a9ac13d37a625bfe9003a84bbb8fcc052923f0b7b5
MD5 508c526e615c6d430a8a8076c1671344
BLAKE2b-256 29960b5ccf95e5dabaf4c1b072ad7bfd4507b3a5fdf9d8716928c5c62ea9dcbe


Provenance

The following attestation bundles were made for reconsadfc-0.1.0.tar.gz:

Publisher: publish.yml on forensic-timeline/reconsadfc

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file reconsadfc-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: reconsadfc-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 18.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for reconsadfc-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 6d6d9cf5ee1758648b04cef4f70bad10b2b35cfbb84e6a9035d4eb3d69eda965
MD5 74764622ba3d1cb2e13b624b776ca78e
BLAKE2b-256 1fd314e5a1d59a660938a75cc2e01fa7b4027c3d218bfa051b5679008a877cb5

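The digests in the two File hashes tables are what a practitioner compares against a downloaded artifact (for instance one fetched with pip download reconsadfc==0.1.0) before installing it. The following is an added example, not part of the project: it embeds the two SHA256 values from this page, streams each file to compute its digest, compares in constant time and fails closed on an unknown file name. The selfcheck round trip uses a constructed file, and the script name verify_release.py is an assumption.

```python
import hashlib
import hmac
import os
import sys
import tempfile
from pathlib import Path

# SHA256 digests copied from this page's "File hashes" tables for release 0.1.0.
EXPECTED_SHA256 = {
    "reconsadfc-0.1.0.tar.gz":
        "052cfdf1c7a7e342d1edb4a9ac13d37a625bfe9003a84bbb8fcc052923f0b7b5",
    "reconsadfc-0.1.0-py3-none-any.whl":
        "6d6d9cf5ee1758648b04cef4f70bad10b2b35cfbb84e6a9035d4eb3d69eda965",
}


def sha256_hex(data):
    """Digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file so large artifacts do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def digest_matches(actual, expected):
    """Constant-time comparison; an unknown artifact (expected is None) fails closed."""
    return expected is not None and hmac.compare_digest(actual.lower(), expected.lower())


def check_bytes(name, data, expected=EXPECTED_SHA256):
    """Verify an in-memory artifact (e.g. a download buffer) by file name."""
    actual = sha256_hex(data)
    return digest_matches(actual, expected.get(name)), actual


def check_file(path, expected=EXPECTED_SHA256):
    """Verify an artifact on disk by its file name; returns (ok, actual_digest)."""
    actual = sha256_of_file(path)
    return digest_matches(actual, expected.get(Path(path).name)), actual


def selfcheck():
    """Round trip on a constructed file: write known bytes, verify them against
    their own digest, then confirm a tampered copy is rejected."""
    data = b"constructed artifact contents\n"
    name = "constructed-0.0.0.tar.gz"
    expected = {name: sha256_hex(data)}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, name)
        with open(path, "wb") as fh:
            fh.write(data)
        good, _ = check_file(path, expected)
        with open(path, "ab") as fh:
            fh.write(b"X")            # one appended byte must flip the result
        tampered, _ = check_file(path, expected)
    return good and not tampered


if __name__ == "__main__":
    # Usage: python verify_release.py dist/reconsadfc-0.1.0.tar.gz dist/reconsadfc-0.1.0-py3-none-any.whl
    failures = 0
    for arg in sys.argv[1:]:
        ok, actual = check_file(arg)
        print(("OK   " if ok else "FAIL ") + f"{Path(arg).name}  sha256={actual}")
        failures += not ok
    sys.exit(1 if failures else 0)
```

pip can enforce the same check on its own: a requirements file containing reconsadfc==0.1.0 --hash=sha256:052cfdf1c7a7e342d1edb4a9ac13d37a625bfe9003a84bbb8fcc052923f0b7b5, installed with pip install --require-hashes -r requirements.txt, refuses any artifact whose digest differs. That hash pin is independent of the provenance attestations listed on this page, which pip itself does not verify at install time.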

Provenance

The following attestation bundles were made for reconsadfc-0.1.0-py3-none-any.whl:

Publisher: publish.yml on forensic-timeline/reconsadfc

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
