Changelog

All notable changes to CyberCrew are documented in this file. The format is based on Keep a Changelog, and versioning follows Semantic Versioning.


[Unreleased] — Roadmap

v2.1 Planned Features

  • Plugin Marketplace — In-app module discovery and installation; community-contributed plugins with signature verification
  • Network Topology Visualizer — Interactive graph (PyQtGraph + NetworkX) showing discovered hosts, open ports, and service connections
  • AI-Assisted Triage — LLM integration (local Ollama / remote API) for automatic finding severity classification, anomaly explanation, and executive summary generation
  • Remote Evidence Collection — SSH-based agent deployment to collect artifacts from remote Linux hosts without physical access
  • Encrypted Evidence Containers — SQLCipher database encryption + LUKS-based evidence partition support
  • HMAC Audit Log Chaining — Each event_log entry hashes the previous entry (blockchain-style tamper detection)
  • Timeline Visualizer — Interactive Gantt-style view of filesystem timeline events (fls/mactime output)
  • YARA Rule Integration — Scan carved files against custom YARA rule sets
  • Hash Database Lookup — NSRL hash set integration for known-good file filtering
  • Case Collaboration Export — Encrypted ZIP export of a full case for handoff to another investigator
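The planned HMAC audit log chaining, shown as an added example rather than project code: each event_log entry's MAC covers the previous entry's MAC, so editing a row or deleting one breaks verification from that point on. The key source, field layout and canonical JSON encoding are assumptions made for the illustration.

```python
import hashlib
import hmac
import json

# Per-case secret; a real deployment would fetch it from the OS keyring, never store it in the DB (assumption).
CASE_KEY = b"constructed-demo-key-do-not-use"
GENESIS = "0" * 64  # fixed anchor value standing in for "no previous entry"


def canonical(entry: dict) -> bytes:
    """Deterministic serialisation so the same event always produces the same MAC."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append_event(chain: list, level: str, message: str, ts: str) -> dict:
    """Append an event_log row whose MAC also covers the previous row's MAC, linking the entries."""
    prev = chain[-1]["mac"] if chain else GENESIS
    entry = {"seq": len(chain), "ts": ts, "level": level, "message": message, "prev_mac": prev}
    entry["mac"] = hmac.new(CASE_KEY, canonical(entry), hashlib.sha256).hexdigest()
    chain.append(entry)
    return entry


def verify_chain(chain: list) -> int:
    """Return the index of the first entry that fails, or -1 when every link checks out."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if entry.get("seq") != i or entry.get("prev_mac") != prev:
            return i  # a row was removed, reordered or re-linked
        expected = hmac.new(CASE_KEY, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["mac"]):
            return i  # row content was altered
        prev = entry["mac"]
    return -1


def demo() -> tuple:
    """Constructed log: edit one message and delete one row; both must be detected."""
    chain = []
    append_event(chain, "INFO", "case CC-2025-0001 opened", "2025-01-01T09:00:00Z")
    append_event(chain, "WARNING", "nmap instance 3 paused", "2025-01-01T09:05:00Z")
    append_event(chain, "CRITICAL", "evidence hash FAILED: image.dd", "2025-01-01T09:07:00Z")
    intact = verify_chain(chain)
    edited = [dict(e) for e in chain]
    edited[2]["message"] = "evidence hash VERIFIED: image.dd"  # tampered row
    deleted = chain[:1] + chain[2:]                            # row 1 removed
    return intact, verify_chain(edited), verify_chain(deleted)
```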

[2.0.0] — 2025-01-01

Complete rewrite from Phase 1 (Bash scripts) to a full PyQt6 desktop application.

Added

Core Infrastructure

  • ForensicsEngine (QObject) — parallel subprocess management via QProcess; supports up to 32 concurrent tool instances; SIGSTOP/SIGCONT pause/resume; SIGTERM→grace→SIGKILL shutdown
  • ArtifactHasher (QObject) — background SHA-256 hashing via QThread; 64KB chunked streaming; progress signals; cancellation support
  • DatabaseSession — SQLite with WAL mode, busy_timeout=5000, foreign_keys=ON, 0o600 file permissions
  • 7 SQLModel database tables: Case, Instance, Artifact, EventLog, Finding, Report, Settings
  • 6 database enums: CaseStatus, InstanceStatus, ArtifactType, EventLevel, FindingSeverity, ReportFormat
  • Auto-generated case numbers: CC-YYYY-XXXX
  • InputSanitizer — 16+ typed validators; ValidationError, PathTraversalError, InjectionError exceptions
  • BaseForensicsModule — abstract base class with 7 pyqtSignals; plugin contract enforced at class level
  • SHA-256 sidecar files (.sha256) in sha256sum format
  • JSON hash manifests with batch verification
  • Tamper-evident evidence chain: hash stored in DB + sidecar + verification flow
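The evidence chain the three items above describe (64 KB chunked SHA-256, a `.sha256` sidecar in `sha256sum` format, and a JSON manifest with batch verification), as an added example that is not the project's ArtifactHasher code. File names and the manifest layout are assumptions.

```python
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 64 * 1024  # 64 KB streaming reads, as the changelog describes for ArtifactHasher


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 in 64 KB chunks; a large disk image never loads fully into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def write_sidecar(path: Path) -> Path:
    """Write <name>.sha256 in `sha256sum` format (digest, two spaces, name) so `sha256sum -c` accepts it."""
    sidecar = path.with_name(path.name + ".sha256")
    sidecar.write_text(f"{sha256_file(path)}  {path.name}\n")
    return sidecar

def write_manifest(artifacts: list, manifest: Path) -> dict:
    """Record every artifact's digest in one JSON manifest for batch verification (layout is assumed)."""
    entries = {p.name: sha256_file(p) for p in artifacts}
    manifest.write_text(json.dumps({"algorithm": "sha256", "files": entries}, indent=2))
    return entries

def verify_manifest(manifest: Path, directory: Path) -> dict:
    """Return VERIFIED / FAILED / MISSING per artifact, the status set EvidencePanel displays."""
    results = {}
    for name, expected in json.loads(manifest.read_text())["files"].items():
        target = directory / name
        if not target.exists():
            results[name] = "MISSING"
        else:
            results[name] = "VERIFIED" if sha256_file(target) == expected else "FAILED"
    return results

def demo() -> dict:
    """Constructed sample: two artifacts, one of them altered after the manifest was written."""
    workdir = Path(tempfile.mkdtemp())
    image, pcap = workdir / "image.dd", workdir / "capture.pcap"
    image.write_bytes(b"\x00" * (2 * CHUNK + 17))  # spans several chunks
    pcap.write_bytes(b"constructed pcap bytes")
    write_sidecar(image)
    write_manifest([image, pcap], workdir / "manifest.json")
    pcap.write_bytes(b"constructed pcap bytes, altered")  # simulated tampering
    return verify_manifest(workdir / "manifest.json", workdir)
```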

Forensics Modules (5 modules, 26 tools)

  • NetworkModule: HostDiscovery, PortScanner, VulnScanner (all nmap), PacketCapture, PacketAnalyzer (tshark)
  • ComputerModule: DiskImager (dd), FileRecovery (photorec), Timeline (fls/mactime), OCR (tesseract), PasswordCracker (john)
  • MobileModule: AdbInfo, MediaExtractor, CallLog, GPS, SMS, Contacts (all via adb)
  • MediaModule: Image, Video, PDF, Office, EXE metadata (all via exiftool)
  • WebAppModule: EmailAnalysis, WhatsAppAnalysis, WebsiteScanner (nikto), UrlLookup (whois), DomainRecon (dig)

Output Parsers (5 parsers)

  • NmapParser — streaming text + XML parsing; CVE extraction; risk scoring (0–10); to_findings()
  • TsharkParser — packet count, DNS extraction, conversation analysis, large-transfer anomaly detection
  • ExiftoolParser — JSON metadata, GPS DMS→decimal, anomaly detection (editing software, timestamp mismatch, PE compile date, OriginalFilename mismatch)
  • AdbParser — device detection, getprop parsing, root detection
  • NiktoParser — finding extraction with CRITICAL/HIGH/MEDIUM severity classification

GUI (9 widgets)

  • TitleBar — animated logo border pulse (QPropertyAnimation, 3s cycle), 6 nav tabs, case name pill, instance counter with pulsing dot, glow sweep animation at 25fps
  • InstanceBar — scrollable tab row for parallel instances; blinking status dots (RUNNING=green, PAUSED=amber); Ctrl+T/Ctrl+W shortcuts
  • TerminalPanel — read-only IBM Plex Mono output; CVE chip highlighting (red); flag colour highlighting (OPEN=green, VULNERABLE=red, FILTERED=amber); 10,000 line scrollback; command history (↑↓)
  • MetricsPanel — live animated metric counters (30ms ease); RiskBadge with pulsing dot; PortTable (PORT|STATE|SERVICE); MiniBar gradient fill
  • CaseLogPanel — timestamped log entries; tag pills; filter bar (ALL/INFO/WARNING/CRITICAL); smart auto-scroll
  • EvidencePanel — EvidenceItem with SHA-256 preview; SpinnerWidget for HASHING state; VERIFIED/HASHING/FAILED/PENDING status; VERIFY ALL button
  • DashboardPage — 4 StatCards; ActivityStream; QuickTerminal; ModuleList; NetworkChart (PyQtGraph); EvidenceChainSummary
  • MainWindow — QStackedWidget pages; QSplitter workspaces; StatusBar; signal routing; F11 fullscreen; graceful shutdown
  • styles.py — 1,200-line dark cockpit QSS; JetBrains Mono UI + IBM Plex Mono terminal; full widget coverage

Reports

  • ReportGenerator — Jinja2 HTML template with dark theme matching application aesthetic
  • WeasyPrint PDF export
  • Report sections: Executive Summary, Findings (severity-sorted), Evidence Chain, Event Timeline, Tool Output Logs

Distribution

  • cybercrew.spec — PyInstaller spec with all hidden imports and data files
  • scripts/build_appimage.sh — Linux AppImage build script with SHA-256 checksums
  • scripts/build_exe.bat — Windows EXE build script with optional NSIS installer
  • scripts/install_linux.sh — Automated Linux installer supporting Ubuntu/Debian/Arch/Kali
  • scripts/install_windows.ps1 — Automated Windows installer via winget

Tests

  • tests/test_hasher.py — 19 tests for ArtifactHasher
  • tests/test_security.py — 23 tests for InputSanitizer
  • tests/test_modules.py — 41 tests for BaseForensicsModule

Documentation

  • README.md — Full GitHub-quality documentation with installation guides for 4 platforms
  • docs/module_interface.md — Complete public API for all 5 modules
  • docs/database_schema.md — ERD and full column documentation
  • docs/plugin_development.md — Step-by-step guide for adding new modules
  • docs/security_audit.md — Full security audit with findings and recommendations
  • docs/qa_checklist.md — Complete QA testing matrix
  • src/security/SECURITY_HARDENING_CHECKLIST.md — 54-item internal security checklist

Changed

  • Complete rewrite from Bash to Python 3.11+

Security

  • No shell=True in any subprocess call — enforced by ForensicsEngine
  • Typed exception hierarchy for all input validation failures
  • Path traversal prevention with null byte + Unicode BiDi + ../ checks
  • 13-entry shell metacharacter blocklist in sanitize_command_args()
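The validation pattern listed above (typed exception hierarchy, path traversal checks for null bytes, Unicode BiDi controls and `..`, and a metacharacter blocklist for command arguments), as an added example and not the project's InputSanitizer. The exact blocklist membership and the case-directory layout are assumptions.

```python
from pathlib import Path


class ValidationError(ValueError):
    """Base class so callers can catch every sanitizer failure in one place."""

class PathTraversalError(ValidationError):
    """Raised when a caller-supplied path would escape the case directory."""

class InjectionError(ValidationError):
    """Raised when a tool argument carries shell metacharacters."""


# 13 characters that change meaning if a value ever reaches a shell (constructed set, not the project's).
SHELL_META = set(";|&$`<>()*?\n!")
# Unicode bidirectional controls; an RLO in a filename makes an ".exe" display as something harmless.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e", "\u2066", "\u2067", "\u2068", "\u2069"}


def sanitize_command_args(args: list) -> list:
    """Reject metacharacters even though QProcess never uses shell=True: defence in depth for tool wrappers."""
    for a in args:
        hit = SHELL_META.intersection(a)
        if hit:
            raise InjectionError(f"shell metacharacter {sorted(hit)} in argument {a!r}")
    return list(args)

def sanitize_case_path(case_root, user_path: str) -> Path:
    """Resolve user_path inside case_root, refusing null bytes, BiDi controls, '..' and absolute escapes."""
    if "\x00" in user_path:
        raise PathTraversalError("null byte in path")
    if any(ch in BIDI_CONTROLS for ch in user_path):
        raise PathTraversalError("Unicode BiDi control character in path")
    if ".." in Path(user_path).parts:
        raise PathTraversalError("'..' component in path")
    root = Path(case_root).resolve()
    target = (root / user_path).resolve()  # also collapses symlinks before the containment check
    if target != root and root not in target.parents:
        raise PathTraversalError(f"{user_path!r} escapes {root}")
    return target

def check(fn, *args) -> str:
    """Return "OK" or the name of the typed ValidationError raised; handy for tests and the QA matrix."""
    try:
        fn(*args)
        return "OK"
    except ValidationError as e:
        return type(e).__name__
```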

[1.0.0] — 2024-06-01 (Original Bash Version)

The original CyberCrew was a collection of Bash scripts for forensics automation.

Features (Bash version)

  • Network scanning via direct nmap invocation
  • Packet capture wrapper for tshark
  • Disk imaging via dd with basic hash verification
  • Mobile extraction via adb shell scripts
  • Metadata extraction via exiftool batch scripts
  • Password cracking via john wrapper
  • Basic HTML report generation via bash/sed/awk
  • Manual case directory structure (mkdir, cp, mv)

Limitations (that motivated v2.0)

  • No GUI — terminal-only operation
  • No parallel execution — tools ran sequentially
  • No real-time output streaming
  • SHA-256 hashing was manual and often forgotten
  • No structured findings database — findings stored in ad-hoc text files
  • No case management — directories tracked manually
  • No input sanitization — shell injection possible via crafted filenames
  • Report generation was fragile string concatenation
  • No cross-platform support (Linux only)