Welcoming OpenRelik to the OSDFIR Infrastructure family
Authored by Johan Berggren and Wajih Yassine
Overview
If you’ve been keeping a close eye on the OSDFIR Infrastructure repository over the last few months, you might have noticed a new face in the lineup. While many of you have already begun the migration, we are excited (and perhaps a little overdue!) to announce that OpenRelik is available for use through the OSDFIR Infrastructure project!
What is OpenRelik?
OpenRelik is an open-source platform designed to support collaborative digital forensic investigations. It provides a modular processing pipeline for DFIR teams, combining an interface for workflow management, real-time collaboration features, and a centralized repository for shared artifacts. The platform addresses challenges related to running disparate tools, managing isolated dependencies, and tracking intermediate data across different systems.
The primary goal of OpenRelik is to automate the processing of forensic artifacts on top of a resilient, distributed architecture. It allows teams to integrate custom workflows, run analysis tasks in parallel, and share methodologies across different cases. Because the architecture is decoupled, users can add new tools without depending on the core system, providing a consistent and scalable approach to incident response.
A Look Inside an OpenRelik Workflow
Here is a breakdown of what is happening in this specific triage flow:
The Source Evidence: The pipeline originates from a single piece of initial evidence on the left, in this case, a raw disk image (2020JimmyWilson.E01).
Targeted & Parallel Extraction: The workflow branches out to perform specific, concurrent extractions. The top branch pulls Windows Event Logs (WindowsEventLogs), while the bottom branch targets a suspicious executable (setup.exe).
Automated Tool Chaining: Once the files are extracted, they are automatically handed off to the right tools. The event logs are fed into Hayabusa (generating HTML reports and CSV timelines) and Plaso. Simultaneously, setup.exe is routed to Capa for malware analysis and a Strings extraction for basic analysis.
The Timesketch Handoff: Trailing the Hayabusa node, you can see the Upload to Timesketch flow. As soon as the timeline is generated, OpenRelik pushes the data directly into Timesketch, eliminating the manual download/upload step.
Granular Visibility: Selecting any node, like the highlighted Plaso Psort CSV task, gives you a transparent view of the exact command executed (psort.py), how long it took to run, and the resulting output file (a 27.25MB CSV), which is ready for immediate download.
Finally, because these processes are highly repeatable, you can use the Save workflow as a template feature. This allows you to standardize workflows and deploy this exact triage pipeline for future investigations with just a few clicks.
A Growing Ecosystem of Specialized Workers
The true power of OpenRelik lies in its extensible, containerized worker architecture. Instead of relying on a monolithic application, you can construct your workflows using a diverse library of specialized forensic tools.
As shown in the marketplace view above, the ecosystem supports a wide range of DFIR tasks out of the box, including:
Timeline Generation: Create super timelines from disk images using Plaso, or parse Windows event logs with Hayabusa.
Malware & Binary Analysis: Detect capabilities in suspicious executables with Capa, or extract and deobfuscate strings using the FLARE Obfuscated String Solver (FLOSS).
Data Extraction & Export: Pull structured information with bulk_extractor, or seamlessly push your processed timelines directly into Timesketch.
Utility & AI Integrations: Leverage utility workers like Grep for pattern matching, or use the LLM Prompter to run automated prompts against parsed text files.
Because each worker operates independently within its own sandbox, adding new tools or updating existing ones won't disrupt your underlying environment. To explore the ever-expanding library of available integrations, head over to the OpenRelik Workers Page.
How does OpenRelik integrate with the OSDFIR stack?
OpenRelik integrates directly with Timesketch, a platform for collaborative forensic timeline analysis. The integration allows processed timelines, typically generated by workers like Plaso or Hayabusa, to be sent directly into Timesketch from your OpenRelik workflow, avoiding manual data juggling.
When configuring the Upload to Timesketch task, OpenRelik provides a dedicated interface to control how the data lands in Timesketch:
From this configuration pane, you can:
Target a Sketch: Choose to append the data to an existing Timesketch Sketch using its numerical ID, or create a new Sketch.
Customize the Timeline: Set a descriptive name for the incoming timeline to keep your investigations organized.
Trigger Downstream Analyzers: Pre-select which Timesketch Analyzers (such as browser searches, account finders, or Yeti threat intelligence lookups) should run automatically upon import.
Note: Additional settings, such as managing access for specific users and groups, are also available further down the configuration menu.
Once saved, this task acts as a seamless bridge at the tail end of your processing chain:
As shown in this workflow:
The raw evidence file (artifact_disk.dd) is processed via Plaso.
The output (artifact_disk.dd.plaso) is automatically picked up by the Upload to Timesketch worker.
The worker triggers the Timesketch Importer Client and displays a direct hyperlink to the active case (e.g., sketch/1).
Clicking the link takes the investigator directly from the data processing stage straight into a fully parsed, indexed, and enriched collaborative timeline interface.
Looking Ahead: OpenRelik & Yeti Integration
While the integration between OpenRelik and Timesketch streamlines importing timeline data into Timesketch, we are also looking into a future connection between OpenRelik and Yeti to bridge the gap between forensic processing and Cyber Threat Intelligence (CTI). By automating the ingestion of YARA rules directly from Yeti into OpenRelik, the OpenRelik Yara Worker will be able to scan raw evidence using up-to-date YARA rules, whether they are curated internally by your team or synced from open-source intelligence feeds like Neo23x0's signature-base.
Moving from Turbinia to OpenRelik
While Turbinia paved the way for automated forensics, its evolution brought its own set of challenges. As a project that attempted to orchestrate dozens of first- and third-party forensics tools (each with its own shifting dependencies), Turbinia became increasingly difficult to maintain and debug.
OpenRelik was designed specifically to solve these "Turbinia-scale" problems by shifting the philosophy from tight integration to modular isolation. You can find a comparison in the table below:
The Benefits of deploying through OSDFIR Infrastructure
OSDFIR Infrastructure helps fill this gap by streamlining the deployment, integration, maintenance, and scaling of multiple open-source DFIR tools. It provides the following key benefits:
Faster Deployment Times: Deploy a full forensic stack in minutes, allowing responders to focus on more critical tasks.
Consistent Configuration: Automated integration between tools reduces the risk of misconfiguration or human error.
Certified Deployments: No more piecing together documentation from multiple tools; shared resources reduce complexity, and there is a centralized place to learn about many DFIR tools.
Easy to Scale: Can be installed on minimal resources, and any component can be scaled independently with a single command, with Kubernetes autoscaling available as a powerful option.
Improved Reliability: Built-in chart linting and testing, plus more ways to run integration tests that catch issues between the tools.
The benefits can also be summarized into the diagram below, where current processes require a lot of steps versus a single simplified deployment through OSDFIR Infrastructure.
Getting Started
To get started, please visit our getting started guide for setting up your own infrastructure locally on your machine using Minikube.
In Summary
The transition to OpenRelik marks a significant milestone in the evolution of OSDFIR Infrastructure. By moving away from the "complexity tax" of Turbinia and embracing a modular, containerized approach, we are making automated forensic processing more accessible and easier to maintain than ever before.
With OpenRelik handling the orchestration, the journey from raw disk image to a queryable Timesketch timeline is now even more seamless. By selecting the Upload to Timesketch workflow, you can trigger the direct ingestion of Plaso files into Timesketch, eliminating the need for manually downloading and uploading the file.
Setting up and maintaining a full-stack forensics deployment can be time-consuming and error-prone. Our Kubernetes and Helm charts provide a turnkey solution that reduces the time and effort required to set up and maintain an effective incident response infrastructure.
We hope this project serves as an accessible way for anyone to get started with open source DFIR tools without spending hours setting them up to work together. The easiest way to stay up-to-date is by starring our repository, or any of the tools mentioned above for tool-specific updates. We would love to hear your feedback on how this works for you!