Zing Forum


ForensicAI: An AI-Powered Digital Forensics Investigation Platform Enabling Automated Evidence Analysis and Reporting

ForensicAI is a full-stack digital forensics investigation platform for cybersecurity professionals. It combines artificial intelligence with rigorous forensic methodology to automate the entire workflow of evidence collection, parsing, timeline reconstruction, and report generation, while following a human-machine collaboration principle so that investigation conclusions remain reliable.

Tags: Digital forensics, Cybersecurity, AI, Incident response, Threat intelligence, MITRE ATT&CK, MongoDB, React, Node.js, Forensic report
Published 2026-05-21 14:44 | Recent activity 2026-05-21 14:52 | Estimated read 8 min

Section 01

Introduction: ForensicAI – An AI-Powered Full-Stack Automated Digital Forensics Platform

ForensicAI is a full-stack digital forensics investigation platform for cybersecurity professionals. It combines artificial intelligence with rigorous forensic methodologies to automate the entire workflow of evidence collection, parsing, timeline reconstruction, and report generation. The platform adheres to the principle of human-machine collaboration: AI assists in analysis and drafting, while conclusions need to be reviewed by human investigators to ensure reliability. It is suitable for enterprise SOCs, incident response teams, law enforcement agencies, and consulting firms to improve investigation efficiency.


Section 02

Background: Challenges of Traditional Digital Forensics and the Birth of ForensicAI

In the digital age, cyberattacks and data leaks are frequent, and digital forensics is a key step in cybersecurity response. Traditional forensics, however, faces challenges such as heterogeneous evidence formats, time-consuming timeline reconstruction, and tedious report writing. The ForensicAI project was created to address these problems by providing end-to-end investigation tools for professionals.


Section 03

Methodology: System Architecture and Tech Stack Design

System Architecture

The platform uses a full-stack architecture with separately built and deployed front-end and back-end services.

Frontend Tech Stack

Built on React 18, using Vite 6 for builds, React Router 6 for routing, Framer Motion for animations, Recharts for visualization, Lucide React for icons, and React Dropzone for uploads; WebAuthn authentication is supported in the browser.

Backend Tech Stack

The API is built with Node.js 18+ and Express.js 4. Data is stored in MongoDB through Mongoose 8; authentication uses JWT with bcryptjs password hashing; Multer handles uploads, Helmet sets security headers, express-rate-limit throttles requests, PDFKit generates reports, and WebAuthn assertions are validated server-side.

AI Service Integration

Supports multiple providers, including OpenAI (GPT-4 and others), Google Gemini, and Mistral; users can choose the model freely.


Section 04

Core Features: From Case Management to AI-Driven Report Generation

Case Management System

Full lifecycle management with status tracking, priority grading, audit logs, and multi-dimensional filtering and sorting.

Evidence Upload and Parsing

Supports drag-and-drop upload in multiple formats (LOG, CSV, JSON, etc.), detects the format automatically, computes a SHA-256 hash of each file, and extracts key fields after parsing.

Timeline Reconstruction and Visualization

Reconstructs a unified timeline across evidence sources, supports filtering by severity and date, and displays via multiple views.

Indicator of Compromise (IOC) Dashboard

Aggregates threat indicators, integrates AbuseIPDB and VirusTotal APIs for reputation queries, and shows distribution via a global view.

MITRE ATT&CK Rule Mapping

Automatically associates log events with MITRE ATT&CK tactics and techniques, displayed via an interactive matrix.

AI-Driven Report Generation

Automatically generates report drafts (executive summary, key findings, etc.) that require manual review, and supports PDF export.

Case Chat RAG Assistant

Based on RAG technology, allows natural language queries of case logs and retrieves relevant entries to assist analysis.


Section 05

Security Mechanisms: Multi-Authentication Methods and Access Control

Identity authentication supports JWT tokens, two-factor authentication (TOTP), and WebAuthn passkeys. Role-Based Access Control (RBAC) defines four roles including administrator and analyst. All operations are recorded in immutable audit logs to meet compliance requirements, and real-time notifications are provided.


Section 06

Application Scenarios: Efficiency Improvement in Multi-Domain Digital Forensics

Applicable to enterprise SOCs for analyzing security event logs and reconstructing attack timelines; incident response teams for quickly generating reports and tracking threat indicators; law enforcement agencies for managing criminal case evidence and generating court-admissible reports; and consulting firms for providing professional forensics services. Automation reduces repetitive work, allowing investigators to focus on key analysis and decision-making.


Section 07

Deployment and Usage: Getting Started with ForensicAI

Deployment Requirements

Requires Node.js v18+, MongoDB v6+, Git, and AI service API keys.

Installation Process

Clone the repository → Install front-end and back-end dependencies → Configure environment variables → Start services (frontend on port 5173, backend on port 5000).

First Use

Register an account (via email/password or passkey) → Log in → Create cases, upload evidence, view timelines, generate reports, etc. Supports switching between dark and light themes.


Section 08

Open Source and Community: Welcome to Contribute to ForensicAI's Development

The project is released as open source, and community contributions are welcome. Contribution process: Pull the latest code → Create a feature branch → Follow conventional commit specifications (feat:, fix:, etc.) → Submit a Pull Request. Documentation includes README, SRS, and platform docs to help new contributors get started.