
schutzz/SkiaHelios


SkiaHelios v6.9.7 - Grimoire Engine (Village Protocol & Eraser Detection)


"From Shadows to Sun. From Data to Gold." "We don't just read logs; we judge them."

SkiaHelios is a high-resolution, modular DFIR (Digital Forensics & Incident Response) framework built for speed, causality, origin tracing, and visual narrative.

Unlike traditional monolithic tools, it uses a specialized "Triad Architecture" (Clotho-Atropos-Lachesis) orchestrated by "Hekate", supported by "Chronos" (The Time Lord), "Hercules" (The Referee), the "PlutosGate" (Network & Recon Hunter), and the "YARA WebShell Scanner" to detect advanced threats including Account Takeover, Privilege Escalation, Evidence Wiping, Web Intrusion Chains, Cross-Artifact Tampering, Removable Drive Execution (Phantom Drive), and Encryption Tool Abuse (Insider Threat).

Current Version: v6.9.7 (Village Protocol & Eraser Detection)


🏛️ Architecture Overview

```mermaid
graph TD
    %% Define Styles
    classDef input fill:#e1f5fe,stroke:#01579b,stroke-width:2px;
    classDef core fill:#e8f5e9,stroke:#2e7d32,stroke-width:3px;
    classDef engine fill:#fff3e0,stroke:#ff6f00,stroke-width:2px;
    classDef judge fill:#ffebee,stroke:#b71c1c,stroke-width:3px;
    classDef report fill:#f3e5f5,stroke:#4a148c,stroke-width:2px;
    classDef detector fill:#ede7f6,stroke:#512da8,stroke-width:1px,stroke-dasharray: 5 5;
    classDef recon fill:#e0f2f1,stroke:#00695c,stroke-width:2px,stroke-dasharray: 2 2;

    %% Input Stage
    subgraph Input_Sources ["📥 Input Sources"]
        CSV[(KAPE Artifacts<br>CSV)]:::input
        RAW[(KAPE Raw<br>Registry/History)]:::input
    end

    CSV --> Console{{🔥 HeliosConsole<br>Orchestrator}}:::core
    RAW --> Console

    %% Pipeline Stage 1: Ingestion
    Console --> Chaos[🌀 ChaosGrasp<br>CSV Merger]:::engine
    Console --> Clio[📖 Clio<br>Browser History]:::engine

    %% Pipeline Stage 2: Time Analysis
    Chaos --> Chronos[⏳ Chronos<br>Time Lord<br>feat. Icarus Paradox]:::judge

    %% Pipeline Stage 3: File Analysis
    Chronos --> Pandora[📦 Pandora<br>File & Masquerade<br>Ghost Report]:::engine

    %% Pipeline Stage 4: Hercules Judgment
    subgraph Hercules_Engine ["⚖️ Hercules v6.7 (Justice Engine)"]
        direction TB
        H_Core[Hercules Core<br>Rule Matching]:::judge

        subgraph Detectors ["🔍 Modular Detectors"]
            direction LR
            D_WebShell[WebShellDetector]:::detector
            D_AntiFo[AntiForensicsDetector]:::detector
            D_Obfusc[ObfuscationDetector]:::detector
            D_ADS[ADSDetector]:::detector
            D_LNK[LnkDetector]:::detector
            D_Network[NetworkDetector]:::detector
            D_User[UserActivityDetector]:::detector
            D_Timeline[ActivityTimelineDetector]:::detector
            D_Console[ConsoleHostDetector<br>🆕 v6.7]:::detector
            D_Correl[CorrelationDetector<br>🆕 v6.7]:::detector
            D_LotL[LotLClusterDetector]:::detector
            D_Noise[NoiseFilter<br>Last Pass]:::detector
        end

        H_Core --> D_WebShell
        H_Core --> D_AntiFo
        H_Core --> D_Obfusc
        H_Core --> D_ADS
        H_Core --> D_LNK
        H_Core --> D_Network
        H_Core --> D_User
        H_Core --> D_Timeline
        H_Core --> D_Console
        D_Console --> D_Correl
        D_Correl --> D_LotL
        D_LotL --> D_Noise
    end

    Pandora --> H_Core
    RAW -.->|history.txt| D_Console

    %% Pipeline Stage 5: Persistence & Network
    H_Core --> Aion[👁️ AION<br>Persistence Hunter]:::engine
    H_Core --> Plutos[⚡ PlutosGate<br>Network & Exfil<br>Recon Hunter]:::judge
    Clio -.-> Plutos

    %% Pipeline Stage 6: Report Generation
    subgraph Hekate_Report ["🕸️ Hekate Triad (Report Engine)"]
        direction TB
        Clotho[🌀 ClothoReader<br>Data Ingestion]:::report
        Lachesis[🧵 Lachesis v6.7<br>Grimoire Renderer]:::report

        Clotho --> Lachesis
    end

    D_Noise --> Clotho
    Aion --> Clotho
    Plutos --> Clotho

    %% Output
    Lachesis --> Report[(📜 Grimoire.md<br>Narrative Report)]:::report
    Lachesis --> Pivot[(🎯 Pivot_Config.json)]:::report
    Lachesis --> Score[(📊 Score_Breakdown.md)]:::report

    %% Config
    Rules[(📜 intel_signatures.yaml<br>Themis Rules)]:::input -.-> H_Core
    Rules -.-> D_Noise
    Rules -.-> D_Console
```

🚀 Module Breakdown & Features

0. The Orchestrator (Hekate)

  • Hekate (Triad Controller): The central command unit (SH_HekateTriad.py). It orchestrates the flow of data between all modules, manages arguments, and initiates the final reporting phase.

1. The Triad Architecture (Time, Space, Narrative)

  • Clotho (Parser): High-speed ingestion of KAPE artifacts (MFT, USN, EventLogs, Registry, SRUM) using Rust-based Polars. Optimized for large datasets (millions of rows).
  • Atropos (Analyzer): "Themis" rule-based logic to cut the thread of life (separate Signal from Noise). Uses a dual-pass scoring system.
  • Lachesis (The Weaver - Modular v6.9): The reporting engine has been refactored for Semantic Visibility:
    • IoC Generalization (v6.9): Automatically extracts IP_TRACE and DOMAIN_TRACE from any detected artifact using high-precision regex without hardcoding.
    • Dynamic Contextual Labeling: Instead of generic "Hosts Modification", reports now show 📝 Hosts Change: 192.168.137.129, preventing deduplication from hiding critical evidence.
    • PowerShell Escape Cleaning: Natively handles backticks (`n, `t) and tab delimiters in history.txt to ensure 100% extraction accuracy.
    • Verb-Based Visualization (v6.1): Replaced legacy Mermaid graphs with a Verb-Based Sequence Diagram (Download → Execute → Discover → Cleanup), visualizing the attack flow with precise timestamps and artifact sources ([UA], [AC]).
    • Intent-Based Analysis: Analyst Notes now explain the likely intent of tools (e.g., "Possible Hands-on-Keyboard Intrusion") rather than just describing the artifact.
    • MidasTouch (Docs Engine): Reintegrated SH_MidasTouch.py to auto-generate formatted DOCX reports and "Team Sync Packages" (Evidence Zips).

2. The Judges (Chronos, Hercules & Plutos) - [UPDATED]

  • Chronos (The Time Lord) feat. Icarus Paradox v1.4:
    • Time Paradox Detection: Detects system clock rollbacks (Timestomping) by analyzing USN Journal physical offsets versus timestamps.
    • Rollback Calculation: Precise calculation of the time delta (e.g., -35997 seconds).
  • [NEW] SysInternals Hunter (Hercules v6.1):
    • Tool Suite Detection: Identifies execution of SysInternals tools (PsExec, ProcDump, SysInternal.exe) and dual-use binaries often used by attackers.
    • LotL Detection v2.0: Detects "Hands-on-Keyboard" activity by analyzing clusters of Native OS commands (whoami, ipconfig, net) executed within short time windows (10 mins).
    • Context-Aware Scoring:
      • User Path Boost: Significantly boosts scores for tools executed from Downloads, Public, or Temp folders.
      • Timestomp Triage: Differentiates between benign timestamp changes in System32 (Score 0) and malicious timestomping in User Paths (Score +150).
    • Activity Timeline Integration: Ingests Windows Activity Timeline (ActivitiesCache.db) to track user focus (InFocus) and GUI interactions.
  • PlutosGate (The Network & Recon Hunter - v3.5):
    • Network Thermodynamics: Uses SRUM to calculate "Heat Scores" based on data burst volume (BytesSent/Received).
    • Exfil Correlation (The Trinity): Correlates SRUM (Heat), Browser History (URL), and MFT (File Creation) to prove data theft intent.
    • Reconnaissance Analysis: Scans browser history for suspicious search terms ("exfiltration", "exploit"), known hacking domains (Kali, Metasploit), and security conference downloads (DEFCON).
    • Email Hunter: Detects .pst/.ost theft (Local MFT scan) and "Sent" actions in Webmail (History scan).
  • [NEW] Hercules Detectors (v6.2): Modular detection pipeline integrated into Hercules:
    • ObfuscationDetector v2.0: Multi-layer deobfuscation engine:
      • Normalization: Removes Caret (^) / Backtick (`), resolves string concatenation ("ne"+"t" → net), expands environment variables (%ComSpec% → cmd.exe).
      • Reversed String Detection: Detects reversed keywords like lehsrewop (powershell reversed).
      • XOR Brute-Force: Single-byte XOR decryption (0x01-0xFF) with known plaintext attack (http, powershell, MZ header).
    • ADSDetector v1.2 (Zero False Negative): NTFS Alternate Data Streams attack detection:
      • Masquerade Detection: welcome.txt:putty.exe pattern (Score 300, CRITICAL_ADS_MASQUERADE).
      • Reserved Device Names: LPT1.txt, CON.exe abuse (Score 300, CRITICAL_RESERVED_DEVICE).
      • USN Stream Injection: StreamChange / NamedDataExtend on text files (Score 200).
      • Noise Reduction: 98% noise eliminated (Zone.Identifier, SmartScreen, OneDrive, Defender, WSL/Docker).
      • Zero False Negative: System path attacks (C:\ProgramData\...\log.txt:malware.exe) also detected.
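The three ADS logics listed above (masquerade, reserved device names, USN stream writes) as an added Python example; this is not SkiaHelios's own ADSDetector code. The point it demonstrates is the split between a stream-name-only noise filter for the masquerade check and a path-aware filter for USN records, which is what lets a system-path hit such as `C:\ProgramData\...\log.txt:malware.exe` survive. The extension lists, the noise regex and the sample paths are constructed assumptions.

```python
import re
from typing import List, Optional, Tuple

# Extension lists and noise patterns are assumptions for this example.
TEXT_EXT = (".txt", ".log", ".ini", ".csv", ".md", ".xml")
EXEC_EXT = (".exe", ".dll", ".scr", ".ps1", ".bat", ".cmd", ".vbs")
RESERVED = {"con", "prn", "aux", "nul"} | {f"com{i}" for i in range(1, 10)} | {f"lpt{i}" for i in range(1, 10)}
NOISE_STREAMS = {"zone.identifier", "smartscreen"}     # streams Windows writes itself
NOISE_PATHS = re.compile(r"onedrive|\\windows defender\\|\\wsl\\|\\docker\\", re.I)

Finding = Tuple[str, int, str]   # (path, score delta, tag)


def split_ads(path: str) -> Optional[Tuple[str, str]]:
    """Split 'C:\\dir\\welcome.txt:putty.exe' into (file, stream); None when there is no ADS.
    The drive colon is skipped and an explicit ':$DATA' stream type is dropped."""
    m = re.match(r"^[A-Za-z]:\\", path)
    drive = m.group(0)[:2] if m else ""
    body = re.sub(r":\$DATA$", "", path[len(drive):], flags=re.I)
    if ":" not in body:
        return None
    base, _, stream = body.rpartition(":")
    return drive + base, stream


def is_noise_light(stream: str) -> bool:
    """Stream-name-only filter: used for masquerade checks so system paths still count."""
    return stream.lower() in NOISE_STREAMS


def is_noise_full(path: str, stream: str) -> bool:
    """Stream plus path filter: used for USN stream writes, where sync/AV/WSL churn dominates."""
    return is_noise_light(stream) or bool(NOISE_PATHS.search(path))


def file_stem(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].split(".")[0].lower()


def judge_mft_path(path: str) -> List[Finding]:
    """Logic A: executable stream hidden behind a text file. Logic B: reserved device name."""
    findings: List[Finding] = []
    ads = split_ads(path)
    base = ads[0] if ads else path
    if ads and not is_noise_light(ads[1]):
        if base.lower().endswith(TEXT_EXT) and ads[1].lower().endswith(EXEC_EXT):
            findings.append((path, 300, "CRITICAL_ADS_MASQUERADE"))
    if file_stem(base) in RESERVED:
        findings.append((path, 300, "CRITICAL_RESERVED_DEVICE"))
    return findings


def judge_usn_record(path: str, reasons: str) -> List[Finding]:
    """Logic C: StreamChange / NamedDataExtend on a text file, with the full noise filter."""
    ads = split_ads(path)
    base, stream = ads if ads else (path, "")
    if (re.search(r"StreamChange|NamedDataExtend", reasons)
            and base.lower().endswith(TEXT_EXT)
            and not is_noise_full(path, stream)):
        return [(path, 200, "SUSPICIOUS_ADS_WRITE")]
    return []


# Constructed sample artefacts (not real case data).
SAMPLE_MFT = [
    r"C:\Users\bob\Desktop\welcome.txt:putty.exe",         # masquerade in a user path
    r"C:\ProgramData\Acme\log.txt:malware.exe",           # masquerade in a system path
    r"C:\Users\bob\Downloads\setup.exe:Zone.Identifier",  # mark-of-the-web noise
    r"C:\Temp\LPT1.txt",                                  # reserved device name
    r"C:\Users\bob\Documents\report.txt",                 # benign
]
SAMPLE_USN = [
    (r"C:\Users\bob\Documents\notes.txt", "NamedDataExtend|Close"),
    (r"C:\Users\bob\OneDrive\notes.txt", "StreamChange|Close"),   # sync client noise
    (r"C:\Users\bob\Pictures\photo.jpg", "StreamChange|Close"),   # not a text file
]


def run_sample() -> List[Finding]:
    out: List[Finding] = []
    for p in SAMPLE_MFT:
        out += judge_mft_path(p)
    for p, reasons in SAMPLE_USN:
        out += judge_usn_record(p, reasons)
    return out


if __name__ == "__main__":
    for path, score, tag in run_sample():
        print(f"+{score:<4} {tag:<26} {path}")
```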

3. Intelligent Noise Filtering (Hestia)

  • Hestia (Gatekeeper): Aggressive whitelisting of OS noise.
  • Robust Noise Filter (v4.50): Regex-based sanitization of Windows\Notifications, INetCache, and Temp folders to remove 99% of false positives.
  • System File Whitelisting (v6.0): Dynamically reduces scores for signed binaries in System32 unless execution evidence (UserAssist) is present.
  • [NEW] The Reaper (v6.5): "The Nuclear Option" for noise.
    • System Noise: Drops artifacts tagged SYSTEM_NOISE if Score < 400 (e.g. Defender updates, Chrome cache).
    • Timestomp Nuke: Drops ANY TIMESTOMP artifact if Score < 500. Zero exceptions.
    • Recency Filter (Score-Aware): Hides ancient artifacts (>2 years) unless they are Critical (Score >= 900).

4. Origin Tracing (Tartaros v4.1) - [UPDATED]

  • Tartaros (The Adaptive Origin Tracer): Connects isolated artifacts back to their source using advanced heuristics.
    • Confidence Hierarchy: Distinguishes between Confirmed (ID/Filename Match) and Inferred (Temporal Proximity) origins.
    • Adaptive Time Window: Allows up to 3 hours gap for strong ID matches (e.g., specific image IDs in LNKs), while keeping strict windows for generic files.
    • Honest Reporting: Explicitly reports ❓ No Trace Found when evidence is missing, avoiding false positives.
    • Output: Populates the Initial Access Vector section with precise URLs, Confidence levels, and time-gap analysis.

5. Identity & Context Awareness

  • Registry Sovereign: Parses SOFTWARE hive directly to identify OS Version (e.g., Windows 8.1 Enterprise Build 9600).
  • Sniper Mode: Correlates UserAssist and ShellBags to identify the "Patient Zero" user.

🛠️ Installation & Configuration

Prerequisites

  • Python 3.10+
  • Polars (pip install polars)
  • Jinja2 (pip install jinja2)
  • Pandas (pip install pandas) - Legacy support
  • Colorama (pip install colorama)
  • Pandoc (Required for Docx generation)
  • Mermaid-CLI (Optional, for high-res PNG generation in reports)

Configuration (triage_rules.yaml)

SkiaHelios uses an external configuration file for "Themis" rules.

```yaml
dual_use_tools:
  - teamviewer
  - nmap
  - anydesk
  - mimikatz
  # Add tools here to prevent them from being filtered
living_off_the_land:
  score_single: 30
  score_cluster_bonus: 120
  tools:
    - whoami.exe
    - ipconfig.exe
    - net.exe
```
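How the living_off_the_land block above drives the LotL cluster scoring described under "The Judges" (score_single per execution, the cluster bonus and the HANDS_ON_KEYBOARD tag when several distinct discovery tools run inside a 10-minute window), as an added Python example that is not SkiaHelios's own LotLClusterDetector. The rules are embedded as a dict instead of being read from the YAML, the minimum of three distinct tools per cluster is an assumption, and the execution timeline is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from typing import List, Optional

# Mirror of the living_off_the_land block of triage_rules.yaml, embedded so the
# example runs offline (the real pipeline loads it from the YAML file).
LOTL_RULES = {
    "score_single": 30,
    "score_cluster_bonus": 120,
    "tools": ["whoami.exe", "ipconfig.exe", "net.exe"],
}
WINDOW = timedelta(minutes=10)  # the README's "short time window"
MIN_DISTINCT_TOOLS = 3          # assumption: distinct tools needed to call it a cluster


@dataclass
class ExecEvent:
    ts: datetime
    path: str
    score: int = 0
    tags: List[str] = field(default_factory=list)


def lotl_name(path: str, rules: dict = LOTL_RULES) -> Optional[str]:
    """Return the rule-list name of the binary, or None if it is not a LotL tool."""
    name = PureWindowsPath(path).name.lower()
    return name if name in rules["tools"] else None


def score_lotl(events: List[ExecEvent], rules: dict = LOTL_RULES) -> List[ExecEvent]:
    """Dual-pass scoring: every LotL execution gets score_single; a burst of distinct
    discovery tools inside WINDOW gets the cluster bonus and the HANDS_ON_KEYBOARD tag
    on every member of the burst. Returns the LotL events in time order."""
    lotl = sorted((e for e in events if lotl_name(e.path, rules)), key=lambda e: e.ts)
    for e in lotl:
        e.score += rules["score_single"]
        e.tags.append("LOTL_SINGLE")
    # Forward-looking window: a cluster spans at most WINDOW from its first event.
    for i, first in enumerate(lotl):
        burst = [x for x in lotl[i:] if x.ts - first.ts <= WINDOW]
        distinct = {lotl_name(x.path, rules) for x in burst}
        if len(distinct) >= MIN_DISTINCT_TOOLS:
            for x in burst:
                if "HANDS_ON_KEYBOARD" not in x.tags:
                    x.score += rules["score_cluster_bonus"]
                    x.tags.append("HANDS_ON_KEYBOARD")
    return lotl


def sample_events() -> List[ExecEvent]:
    """Constructed Prefetch-style execution timeline (not real case data)."""
    t = datetime(2024, 3, 1, 10, 0, 0)
    return [
        ExecEvent(t + timedelta(seconds=5), r"C:\Windows\System32\whoami.exe"),
        ExecEvent(t + timedelta(minutes=1, seconds=40), r"C:\Windows\System32\ipconfig.exe"),
        ExecEvent(t + timedelta(minutes=4, seconds=12), r"C:\Windows\System32\net.exe"),
        ExecEvent(t + timedelta(minutes=30), r"C:\Windows\System32\notepad.exe"),  # not LotL
        ExecEvent(t + timedelta(hours=5), r"C:\Windows\System32\ipconfig.exe"),    # isolated
    ]


if __name__ == "__main__":
    for e in score_lotl(sample_events()):
        print(e.ts.isoformat(), lotl_name(e.path), e.score, e.tags)
```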

Standard Triage Execution

To run the full pipeline including PlutosGate, Justice V3 Engine and Time Paradox Detection:

```bash
python SH_HekateTriad.py \
  --case "Case2_Incident_X" \
  --outdir "C:\Work\Case2\Helios_Output" \
  --timeline "C:\Work\Case2\KAPE\Timeline.csv" \
  --kape "C:\Work\Case2\KAPE\Registry_Dump"
```

To run the full pipeline including Docx Generation:

```bash
python SH_HeliosConsole.py \
  --dir "C:\CaseData\Case7\CSV" \
  --case "Case7_Investigation" \
  --lang jp
```

Follow the interactive prompt to enable Docx report generation.

Deep Dive (Pivot)

After Triage, use the generated Pivot_Config.json to investigate specific targets:

```bash
python SH_HeliosConsole.py --deep "Helios_Output\Case2\Pivot_Config.json"
```

📜 Complete Changelog

v6.9.7 - Village Protocol & Eraser Detection 🧹🏠

  • [NEW] Eraser (Heidi Computers) Detection:
    • USN Rename Storm: Detects characteristic 'Rename Storms' (Multiple Renames + Delete in <2s) caused by Eraser's overwrite algorithms (Score 1500, CRITICAL_ERASER_PATTERN).
    • XML Task List: Process signatures and Task List.ersx artifacts added to threat definitions.
  • [NEW] Village Protocol (Cross-Artifact Surveillance):
    • Finger Pointing (Phase 1): Correlates Unnatural Blanks (Log Silence) with Prefetch execution data. Identifies who ran wevtutil/net stop/vssadmin just before the lights went out.
    • The Massacre (Phase 2): Detects "Wiping Bursts" (>1000 file deletions per minute) in USN Journal (Score 1200, CRITICAL_WIPING_BURST).
    • Village Map (Phase 5): Generates a visual Mermaid Gantt chart visualizing "Survival Proof" (System Activity) vs "Silence" (Log Gaps) vs "Triggers" (Suspect Executions).
  • [Optimize] Gaiaproof Engine v2.0:
    • Speed: Replaced iterative loops with join_asof for millisecond-level correlation of Prefetch vs Silence windows.
    • Stability: Switched from str.concat to boolean aggregation in USN clustering to prevent memory exhaustion on massive journals.
    • Noise: Silenced per-row scanning logs; alerts are now cluster-based.
  • [Fix] Raw Artifact Handling: Fixed a bug where source filenames ($J, SRUDB) were incorrectly aliased as evidence filenames in Anti-Forensics scanning.
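The two USN-journal signatures from this release, the Eraser rename storm (several renames then a delete within 2 s, CRITICAL_ERASER_PATTERN) and the wiping burst (more than 1000 deletions in a minute, CRITICAL_WIPING_BURST), as an added Python example that is not SkiaHelios's Gaiaproof code. It uses plain dicts rather than Polars, groups renames by MFT file reference so a renamed file is followed across name changes, and counts deletes per minute with a boolean per record rather than string concatenation. The minimum of three renames and the journal extract are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple


class UsnRecord(NamedTuple):
    ts: datetime
    file_ref: int        # MFT entry number: constant while the file is renamed
    name: str
    reasons: str         # KAPE-style pipe-separated Reason column


RENAME_STORM_WINDOW = timedelta(seconds=2)   # "<2s" from the changelog
MIN_RENAMES = 3                              # assumption: renames before the delete
WIPING_BURST_PER_MINUTE = 1000               # ">1000 file deletions per minute"


def detect_rename_storms(records: List[UsnRecord]) -> List[Tuple[int, int, str]]:
    """Eraser renames a file several times and then deletes it within a couple of seconds.
    Grouping by file reference keeps the renamed object together across name changes."""
    by_ref: Dict[int, List[UsnRecord]] = defaultdict(list)
    for r in records:
        by_ref[r.file_ref].append(r)
    alerts = []
    for ref, recs in by_ref.items():
        recs.sort(key=lambda r: r.ts)
        for d in (r for r in recs if "FileDelete" in r.reasons):
            renames = [r for r in recs
                       if "RenameNewName" in r.reasons and d.ts - RENAME_STORM_WINDOW <= r.ts <= d.ts]
            if len(renames) >= MIN_RENAMES:
                alerts.append((ref, 1500, "CRITICAL_ERASER_PATTERN"))
                break
    return alerts


def detect_wiping_bursts(records: List[UsnRecord]) -> List[Tuple[datetime, int, int, str]]:
    """Per-minute delete counts: a boolean per record summed per bucket, which keeps memory
    flat on a huge journal (no per-cluster string concatenation)."""
    per_minute: Dict[datetime, int] = defaultdict(int)
    for r in records:
        per_minute[r.ts.replace(second=0, microsecond=0)] += "FileDelete" in r.reasons
    return [(minute, n, 1200, "CRITICAL_WIPING_BURST")
            for minute, n in sorted(per_minute.items()) if n > WIPING_BURST_PER_MINUTE]


def sample_journal() -> List[UsnRecord]:
    """Constructed $J extract (not real case data)."""
    t0 = datetime(2024, 5, 2, 14, 0, 0)
    recs: List[UsnRecord] = []
    # Eraser-style storm on MFT entry 1001: overwrite, four renames, delete, all within 1.25 s
    names = ["budget.xlsx", "Xk3q.xlsx", "Zz9a.xlsx", "Q1vp.xlsx", "Hh0m.xlsx"]
    recs.append(UsnRecord(t0, 1001, names[0], "DataOverwrite|Close"))
    for i, n in enumerate(names[1:], start=1):
        recs.append(UsnRecord(t0 + timedelta(milliseconds=250 * i), 1001, n, "RenameNewName|Close"))
    recs.append(UsnRecord(t0 + timedelta(milliseconds=1250), 1001, names[-1], "FileDelete|Close"))
    # Benign: a user renames a draft once and deletes it half a minute later
    recs.append(UsnRecord(t0 + timedelta(minutes=1), 2002, "draft_v2.docx", "RenameNewName|Close"))
    recs.append(UsnRecord(t0 + timedelta(minutes=1, seconds=30), 2002, "draft_v2.docx", "FileDelete|Close"))
    # Wiping burst: 1200 deletes inside one minute, then a quiet minute with only 100 deletes
    burst = t0 + timedelta(minutes=5)
    for i in range(1200):
        recs.append(UsnRecord(burst + timedelta(milliseconds=45 * i), 5000 + i, f"file{i}.dat", "FileDelete|Close"))
    quiet = t0 + timedelta(minutes=7)
    for i in range(100):
        recs.append(UsnRecord(quiet + timedelta(milliseconds=500 * i), 9000 + i, f"tmp{i}.dat", "FileDelete|Close"))
    return recs


if __name__ == "__main__":
    journal = sample_journal()
    print(detect_rename_storms(journal))
    print(detect_wiping_bursts(journal))
```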

v6.9.6 - Insider Threat & Encryption Tool Detection 🔐🛡️

  • [NEW] Encryption Tool Detection (Case 9 Fix):
    • AES Encryption: AESCrypt, AxCrypt, encrypted .aes files detection (Score 400-500, ENCRYPTION_TOOL_AESCRYPT, ENCRYPTED_FILE_AES).
    • GPG/PGP Encryption: Kleopatra, gpg.exe, gpg4win, .asc/.gpg/.pgp files detection (Score 400-500, ENCRYPTION_TOOL_GPG, ENCRYPTED_FILE_GPG).
    • BitLocker Detection: BitLockerWizardElev.exe, manage-bde execution (Score 450-500, CRITICAL_BITLOCKER_WIZARD).
    • Virtual Disk Containers: .vhd/.vhdx/.vmdk detection with context boost for suspicious locations like ProgramData (Score 350-600, VIRTUAL_DISK_DETECTED, SUSPICIOUS_VHD_LOCATION).
    • Container Encryption: VeraCrypt/TrueCrypt usage and .tc/.hc container files (Score 500, ENCRYPTED_CONTAINER).
  • [NEW] Recovery Key Detection:
    • BitLocker Recovery Key: Files matching BitLocker Recovery Key...TXT pattern (Score 800, CRITICAL_RECOVERY_KEY).
    • Japanese Support: 回復キー filename pattern detection (Score 700, CRITICAL_RECOVERY_KEY_JP).
    • Sensitive Files: Passwords.txt, Keys.txt, Credentials.txt pattern matching (Score 500-600, SUSPICIOUS_KEY_FILE, PASSWORD_FILE).
    • GPG Key Export: _public.asc (Score 500) and _secret.asc (Score 700, Critical) detection.
  • [NEW] Privacy Tool Monitoring (dual_use_tools):
    • Added Encryption Tools (Privacy) category with noise path exclusions for legitimate installations.
    • Monitored tools: aescrypt, axcrypt, veracrypt, truecrypt, gpg4win, kleopatra, gpg, gnupg, bitlocker, bestcrypt, diskcryptor, cryptomator.
  • [Architecture] Rule Files Updated:
    • intel_signatures.yaml: Added encryption_tools, encryption_file_extensions, recovery_key_detection sections.
    • triage_rules.yaml: Added 14 new threat signatures for encryption tool detection.
    • scoring_rules.yaml: Added 14 new scoring patterns for encryption/privacy tools.

v6.9.5 - Advanced Console History & IoC Generalization 🦁🛡️

  • [NEW] Generalized IoC Extraction:
    • Automated Domain Discovery: Regex-based extraction of .local, .com, .net etc., from any event summary/detail.
    • PowerShell Hygiene: Added logic to strip `n, `t and \t delimiters that previously blocked IP/Domain word boundaries.
    • Visibility Score (400): Extracted network indicators found in high-risk contexts (like Hosts changes) are boosted to bypass noise filters.
  • [NEW] Dynamic Semantic Labeling:
    • Hosts Change Transparency: Reports now dynamically include the target IP/Domain in the event summary (e.g., 📝 Hosts Change: 192.168.137.129).
    • Deduplication Bypass: Prevents multiple hosts file changes from being "collapsed" into a single generic entry in the report.
  • [FIX] ConsoleHost History Parsing:
    • Action/Value Priority: Fixed command extraction priority to ensure the raw command is always preserved in the Payload field even when Source=History.
    • Tab Delimiter Handling: Resolved issues where tab characters in PowerShell commands were incorrectly attached to extracted domains (e.g., twww.ccdfir.local instead of www.ccdfir.local).
  • [FIX] Analysis Stability:
    • UnboundLocalError Fix: Resolved a variable shadowing issue with re / json imports in sh_analyzer.py.

v6.7 - Phantom Drive & Console History Detection 👻💻

  • [NEW] ConsoleHostDetector (v6.7): Direct PowerShell history file analysis module.
    • Phantom Drive Detection: Detects execution from A:\, B:\ drives and tags as REMOVABLE_DRIVE_EXECUTION (Score +500).
    • Defender Evasion: Detects Add-MpPreference, Set-MpPreference as DEFENDER_DISABLE_ATTEMPT (Score +500).
    • Hosts File Tampering: Detects Add-Content.*hosts as HOSTS_FILE_MODIFICATION (Score +400).
    • Raw Directory Support: Reads ConsoleHost_history.txt directly from KAPE raw data directory via --raw argument.
  • [NEW] CorrelationDetector (v6.7): Cross-artifact correlation analysis module.
    • SRUM Traffic Validation: Validates events with LATERAL_MOVEMENT tag against SRUM data, assigns TRAFFIC_CONFIRMED (Score +500) when actual traffic is confirmed.
    • Execution Confirmation: Assigns EXECUTION_CONFIRMED tag by correlating with Prefetch/ShimCache.
  • [FIX] NoiseFilter Enhancement: Extended critical tag patterns.
    • Protected Tags: Added PHANTOM_DRIVE, DEFENDER_DISABLE, HOSTS_FILE, HISTORY_DETECTED, CONFIRMED, EXECUTION_CONFIRMED, REMOVABLE_DRIVE to protection list.
    • Noise Pattern Cleanup: Removed win-updates, preprovisioner, (?i)^A:\\ from noise list.
  • [FIX] Hekate Scope Filter Bypass: Events from PowerShell History now bypass year-based scope filters.
    • Effect: 2023 incidents are no longer excluded when analyzed in 2026.
  • [Architecture] Modular Detector Pipeline: Extended Hercules detector pipeline.
    • Order: WebShell → AntiForensics → Obfuscation → ADS → LNK → Network → UserActivity → ActivityTimeline → ConsoleHostCorrelation → LotL → NoiseFilter

v6.4 - Grimoire Engine (Evidence Shield & Image Hygiene) 🛡️

  • [NEW] Evidence Shield (v6.4): Recon keyword protection for images.
    • Sanctuary Keywords: xampp, phpmyadmin, admin, dashboard, kibana, phishing, c2, login, webshell, backdoor, exploit.
    • Protection Logic: Images (.png, .jpg, .gif, .ico) containing sanctuary keywords are boosted to Score 600 and tagged INTERNAL_RECON.
    • Effect: Prevents accidental deletion of reconnaissance evidence screenshots.
  • [NEW] Image Hygiene (v6.3): Smart image noise filtering.
    • Extended System Paths: windows\web\, windows\branding\, program files\windowsapps, programdata\microsoft\windows\systemdata.
    • Browser Cache Paths: INetCache, Content.IE5, Temporary Internet Files, Chrome cache.
    • Effect: System wallpapers (img104.jpg), icons, and browser cache images are automatically dropped.
  • [NEW] Silence Patch (v6.2): Resource Killer priority reordering.
    • Logic Change: .mui, .nls, .dll, .sys files in System32/SysWOW64 are dropped before Safety Valve score check.
    • Effect: cipher.exe.mui (Score 900) now correctly filtered as noise.
  • [NEW] EID 4728/4732 Enhancement: Member and Group name extraction.
    • Output Format: Member Added (Global): JokerUser → Administrators (EID:4728).
    • Effect: Privilege escalation events are now immediately actionable.

v6.3 - Grimoire Improvements (Temporal & Display) 🕰️

  • [NEW] Temporal Proximity Boost: Anti-forensics correlation.
    • Logic: Events within 5 minutes of ANTI_FORENSICS (Score ≥ 600) are boosted 1.5x and tagged PROXIMITY_BOOST.
    • Effect: cipher.exe execution near SetMACE.exe is now flagged as part of cleanup operation.
  • [NEW] IOC Category Separation: Report clarity improvement.
    • Section 7.1: High-Confidence IOCs (Score ≥ 500) - Critical Threats.
    • Section 7.2: Contextual Artifacts (Score 300-499) - Investigation Leads.
  • [NEW] Toolkit Grouping: Parent-child artifact clustering.
    • Detected Toolkits: setmace, mimikatz, sdelete, psexec, lazagne, wce.
    • Effect: setmace.exe, setmace.au3, readme.txt grouped as TOOLKIT|SETMACE.
  • [NEW] CommandLine Extraction: Impact column enhancement.
    • Display: cipher.exe /w:C:\Users\... shown in Key Indicators table.
  • [NEW] Ghost Source Display: Artifact recovery source.
    • New Column: "Source" in IOC table (Live, 🔍 Recovered (USN)).
  • [NEW] Timeline Path Display: Disambiguation of duplicates.
    • Format: **cipher.exe** (`...\system32\cipher.exe`).
    • Effect: System32 vs SysWOW64 artifacts clearly distinguished.

v6.2 - The Decoder (Obfuscation & ADS Hunter) 🦁

  • [NEW] ADSDetector v1.2: NTFS Alternate Data Streams attack detection module.
    • Masquerade Detection (Logic A): Detects hidden executables in text files (welcome.txt:putty.exe). Score +300, tag CRITICAL_ADS_MASQUERADE.
    • Reserved Device Names (Logic B): Detects LPT1, CON, NUL abuse. Score +300, tag CRITICAL_RESERVED_DEVICE.
    • USN Stream Injection (Logic C): Detects StreamChange/NamedDataExtend on text files. Score +200, tag SUSPICIOUS_ADS_WRITE.
    • Zero False Negative: System path attacks (C:\ProgramData\...\log.txt:malware.exe) now detected by separating noise filters (is_noise_light for Masquerade, is_noise_full for USN).
    • 98% Noise Reduction: Filters Zone.Identifier, SmartScreen, OneDrive, Defender, WSL/Docker automatically.
  • [NEW] ObfuscationDetector v2.0: Multi-layer command obfuscation detection.
    • Normalization: Removes Caret (c^m^d → cmd), Backtick, string concatenation ("ne"+"t" → net), expands environment variables (%ComSpec% → cmd.exe). Score +60, tag DEOBFUSCATED_CMD.
    • Reversed String Detection: Detects reversed keywords (lehsrewop = powershell reversed). Score +80, tag REVERSED_CMD.
    • XOR Brute-Force: Single-byte XOR decryption (0x01-0xFF) with known plaintext attack (http, powershell, MZ header). Score +120, tag XOR_DECODED.
  • [Hercules] Integrated both detectors into the modular detector pipeline.
  • [Benchmark] Case 4 (Ali Hadi ADS Challenge): 100% detection rate, 0 false positives, 0 false negatives.

v6.1 - The Hunter (SysInternals & LotL) 🦸

  • [Hercules] SysInternals Hunter: Implemented specific detection logic for the entire SysInternals suite (PsExec, ProcDump, etc.) with dedicated Analyst Notes explaining likely attacker intent ([Possible Hands-on-Keyboard]).
  • [Hercules] LotL Detection v2.0: Added support for Living off the Land (LotL) clusters. Detects when users execute multiple discovery commands (whoami, net, ipconfig) within a 10-minute window, tagging the activity as HANDS_ON_KEYBOARD.
  • [Visualization] Verb-Based Sequence: Replaced the generic flow diagram with a Dynamic Verb-Based Sequence Diagram (Download → Execute → Discover → Cleanup), featuring precise timestamps and source attribution ([UA], [PF]).
  • [Judgement] Context-Aware Timestomp: Refined Timestomp scoring. Timestamp anomalies in System32 (without execution) are now silenced (Score 0), while User Path (Downloads, Public) anomalies are boosted (+150 Score) as CRITICAL_USER_PATH_TIMESTOMP.
  • [Reporting] MidasTouch Resurrection: Restored SH_MidasTouch.py integration. Users can now generate professional DOCX reports and Evidence Packages directly from the console prompt.
  • [Fix] CRX Masquerade: Fixed a logic bug where benign files were flagged as .crx masquerades. Detection now strictly targets Adobe/Microsoft/Google folders.

v5.9 - The Ghost Hunter (Noise Eradication & Timeline Purity) 👻

  • [Vis] Attack Flow Sequence: Replaced the legacy Mermaid graph with a Sequence Diagram (sequenceDiagram) to clearly visualize the causality chain (Prep → Phishing → Exec → Recon → Anti) with precise timestamps and confidence indicators.
  • [USN] USN Storm Condenser (v2.0): Implemented aggressive "Seconds-Level" grouping for USN Journal events. Compresses hundreds of repetitive file operations (e.g., DataExtend, FileCreate) into single, readable summary lines (e.g., **27x USN Events**).
  • [Hekate] Kill the Ghost (Date Filter): Implemented a relative time filter that automatically identifies the "Cluster of Interest" and hides artifacts older than 1 year relative to the incident, eliminating historical noise.
  • [Hekate] Strict USN Demotion: Forcefully downgrades generic USN events (e.g., db.opt creation) to "Noise" status (Score 40/60) and strips their CRITICAL tags to prevent report clutter.
  • [Hekate] Protection Logic: Intelligent exception handling that preserves USN events if they are tagged as WEBSHELL or TIMESTOMP, ensuring that critical anti-forensic evidence remains visible (Score 150) while noise is suppressed.
  • [Lachesis] Strict Threshold Enforcement: FILE category events (including USN) now require Score >= 80 to appear in the timeline, ensuring a pristine report.

v5.8 - The Watcher (Reconnaissance & Phishing Insights) 🏹

  • [PlutosGate] Reconnaissance Hunter: Implemented browser history analysis to detect pre-attack research (e.g., searches for "exfiltration", visits to "kali.org", or downloads of "DEFCON" materials).
  • [Lachesis] Phishing Insight: Enhanced "Initial Access" reporting to clearly distinguish confirmed Phishing Vectors (LNKs) with Analyst Notes explaining the threat (e.g., "Web Download Suspicious Shortcut").
  • [Lachesis] Reliability Fix: Fixed a critical bug in renderer.py where the "Initial Access" section was occasionally rendered empty due to template variable mismatch.
  • [Core] Unicode Resilience: Hardened console outputs against cp932 encoding errors in Japanese environments.

v5.7 - The Architect (Templated Reporting) 🏛️

  • [Lachesis] Jinja2 Templating Engine: Completely refactored the reporting engine. Reports are now generated from report.md.j2 templates, separating Python logic from Markdown presentation.
  • [Core] Config Normalization: Externalized all hardcoded paths, IPs, and noise signatures to rules/intel_signatures.yaml.
  • [Lachesis] Robust Rendering: Implemented absolute path resolution and file-based debug logging (renderer_debug_log.txt) to capture and diagnose silent reporting failures.
  • [Hercules] Noise Reduction: Optimized filtering for Windows\Notifications artifacts, achieving ~30% reduction in timeline size while preserving 100% of critical threats.

v5.6.3 - The Deep Carver (Context Carving & Binary Reporting) 🦁

  • [Chain Scavenger] Context Carving: Now extracts and reports the Binary Context (Hex Dump) surrounding carved user accounts. Helps analysts distinguish valid accounts from random data patterns.
  • [Chain Scavenger] NTLM Hash Extraction: Heuristically extracts 16-byte Hash Candidates (Hex Strings) from F-Key/V-Key structures near the user account, enabling offline password cracking.
  • [Chain Scavenger] Automatic Group Linking: Identifies account privileges by mapping discovered RID (e.g., 544) to known groups ([Linked to Group: Administrators]).
  • [Chain Scavenger] Precision Boost: Context window expanded to ±16KB (32KB total) to successfully recover fragmented usernames like pCrat -> pCrat....
  • [Hercules] Automated Impact Analysis: Automatically tags SAM_SCAVENGE events with [LOG_WIPE_INDUCED_MISSING_USER_EVENT] to explicitly confirm that 4720/4732 logs are missing due to wiping.
  • [Lachesis] Binary Context Display: The Analyst Note in the report now natively renders the Binary Hex Dump and Detailed SID/RID/Hash info.

v5.6 - The Dirty Hive Hunter & Justice Refined

  • [Chain Scavenger] Dirty Hive Hunter (v1.0): Binary-level SAM hive analyzer that triggers when RECmd fails. Extracts hidden user accounts from corrupted/dirty hives using "Anchor Search" and "Context Carving".
  • [Chain Scavenger] Anchor Extension (v5.6.2): Enhanced detection using "Users" key and RID-like Hex Patterns to capture fragmented account traces (e.g., hacker) that evade standard parsing.
  • [Hercules] User Creation Detection: Detects net user /add, EID 4720 (User Created), EID 4732/4728 (Group Membership), PowerShell New-LocalUser.
  • [Hercules] Log Deletion Analysis: Correlates Log Deletion (EID 1102) with missing User Creation events ([LOG_WIPE_INDUCED_MISSING_EVENT]).
  • [Hercules] Evidence Wiping Detection: Detects USN Journal deletion (fsutil usn deletejournal), MFT manipulation, cipher /w.
  • [Hercules] Privilege Escalation: Detects Admin/RDP group additions and SAM registry tampering.
  • [Lachesis] Full Bilingual Support: Grimoire reports now fully localized in English (--lang en) and Japanese.
  • [Lachesis] Scope Auto-Correction: Incident scope now intelligently includes Chain Scavenger and Anti-Forensics events (relaxed year filter).

v5.5 - Web Forensics 🕷️

  • [PlutosGate] IIS Log Analyzer: Implemented web server log analysis with SQLi/WebShell signature detection, 500-error burst detection, and 404 reconnaissance scanning.
  • [NEW] SH_YaraScanner.py: Created YARA-like WebShell scanner module with built-in signatures (China Chopper, b374k, c99, r57, WSO). Supports dual-mode scanning (live files + ghost entries).
  • [Hercules] C2/Lateral Movement Detection: Added new verdicts: POTENTIAL_C2_CALLBACK, LATERAL_MOVEMENT_DETECTED, WEB_INTRUSION_CHAIN.
  • [Lachesis] Attack Chain Mermaid: Implemented causality visualization showing Web Anomalies → File System Changes → Process Execution chains.
  • [HeliosConsole] YARA Flag: Added --enable-yara-webshell optional flag for WebShell scanning.

v5.4 - Icarus Flight ☀️

  • [Chronos] Icarus Paradox Engine: Implemented. Detects timeline inconsistencies between artifacts (MFT vs Prefetch/ShimCache/USNJ) to physically prove Timestomping.
  • [Chronos] Targeted USNJ Scan: Introduced efficient USN record tracking logic focused on suspicious files (Suspects).
  • [HeliosConsole] Auto-Detection: Added auto-detection of ShimCache/Prefetch/USN files from KAPE CSV directory for Chronos integration.
  • [Lachesis] Bilingual Report (EN/JP): Implemented EN/JP bilingual Grimoire reports. Language selectable via interactive prompt or --lang en/jp.
  • [Fix] Dynamic Column Aliasing: Added fallback to use Name column when FileName column is missing in USN parse results.
  • [Fix] Flexible Timestamp Detection: Implemented flexible timestamp column detection supporting both MFT (Created0x10) and Master_Timeline (Timestamp_UTC).
  • [Fix] Match Quality Scoring: Implemented confidence-based deduction scoring (Match Quality) for USN record matches with missing path information.
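The Chronos rollback check from "The Judges" (USN Journal physical offsets versus timestamps, with the time delta reported in seconds) as an added Python example that is not SkiaHelios's Icarus Paradox code. The idea is that $J is append-only, so records sorted by physical offset must carry non-decreasing timestamps; a record stamped earlier than its physical predecessor proves the clock was set back between the two writes. The jitter tolerance, the record layout and the journal slice are constructed assumptions; the sample rollback of 35997 s mirrors the figure quoted above.

```python
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class UsnRecord(NamedTuple):
    offset: int      # physical offset inside $J: grows as records are appended
    ts: datetime     # timestamp the OS stamped, i.e. the system clock at write time
    name: str


TOLERANCE = timedelta(seconds=5)   # assumption: ignore sub-tolerance jitter


def find_rollbacks(records: List[UsnRecord]) -> List[Dict]:
    """Walk the journal in physical order. Appending is monotonic, so a record whose
    timestamp is earlier than its physical predecessor means the clock was moved back
    between the two writes; delta_seconds is the rollback (negative)."""
    paradoxes: List[Dict] = []
    prev = None
    for r in sorted(records, key=lambda r: r.offset):
        if prev is not None and r.ts < prev.ts - TOLERANCE:
            paradoxes.append({
                "offset": r.offset,
                "name": r.name,
                "before": prev.ts,
                "after": r.ts,
                "delta_seconds": int((r.ts - prev.ts).total_seconds()),
            })
        prev = r
    return paradoxes


def sample_journal() -> List[UsnRecord]:
    """Constructed $J slice: the clock is rolled back by 35997 s between two writes."""
    t0 = datetime(2024, 2, 10, 18, 0, 0)
    rolled = t0 + timedelta(seconds=31) - timedelta(seconds=35997)
    return [
        UsnRecord(0x1000, t0, "setup.log"),
        UsnRecord(0x1060, t0 + timedelta(seconds=30), "update.dat"),
        UsnRecord(0x10C0, t0 + timedelta(seconds=31), "notes.txt"),
        UsnRecord(0x1120, rolled, "tool.exe"),                          # first write after the rollback
        UsnRecord(0x1180, rolled + timedelta(seconds=2), "TOOL.EXE-1A2B3C4D.pf"),  # constructed pf name
    ]


if __name__ == "__main__":
    for p in find_rollbacks(sample_journal()):
        print(f"offset 0x{p['offset']:X} {p['name']}: {p['before']} -> {p['after']} ({p['delta_seconds']} s)")
```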

v5.3 - Operation Dragnet ⚡

  • [PlutosGate] Exfil Hunter: Implemented "Trinity Correlation" (SRUM x Browser x MFT) to detect confirmed data exfiltration events (e.g., zipping and uploading source code).
  • [PlutosGate] Email Forensics: Added detection logic for .pst/.ost file theft and webmail "Sent" activities.
  • [Lachesis] Safe-Mode Visuals: Fixed Mermaid Lexical Errors by switching to Named Colors (#ffffff -> white).
  • [Lachesis] Aggregated Reporting: "Critical Threats" table now aggregates high-volume events (like mass email copying) into single summary lines.

v5.2 - Operation Perfection 🦁

  • [Lachesis] Smart LNK Grouping: Automatically differentiates "High Interest" LNKs (e.g., Confirmed Downloads, DEFCON Masquerade) from generic noise-like artifacts to prevent report clutter.
  • [Lachesis] Medium Event Breakdown: Provides detailed category distribution and "Top 5" examples for medium confidence events.
  • [Core] Statistics Fix: Corrected the calculation logic for "Filtered Noise" percentage (now treated as "Excluded" rather than part of the analysis base).
  • [Status] Achieved 100/100 Perfect Score in automated report evaluation.

v5.1 - The Hybrid & Warning System

  • [Report] Unified Critical Chain: Merged previously disjointed tables into a single chronological "Critical Chain".
  • [Report] Enhanced Warnings: Executive Summary now prominently alerts on "System Time Manipulation" and "Evidence Destruction".
  • [Vis] Mermaid Rollback Node: Visual graph now explicitly shows the "Time Paradox" rollback event.

v5.0 - The Refactor (Hybrid Engine)

  • [Core] Hybrid Statistics: Engine now prioritizes actual event counts over legacy estimates.
  • [Lachesis] Full refactoring of the Renderer module for stability, localization support (JP/EN), and modularity.
  • [Feature] Automated Remediation: Introduced "Recommended Actions" table with Priority (P0/P1) and Timeline.

v6.4 - Operation Truth & Masquerade Hunter 🎭

  • [Critical] Masquerade Detection (Case 7):
    • Fake Tool Detection: sysinternals.exe flagged as CRITICAL_MASQUERADE (Score 600).
    • Location Anomaly: vmtoolsio.exe in non-standard paths (e.g. C:\Windows) detected as SUSPICIOUS_LOCATION.
    • Security Tool Policy: Known tools (Wireshark, Procexp) in Downloads/Temp trigger alerts.
  • [Critical] SRUM Integration (Case 2): High-volume transfers (>1MB) extracted as DATA_EXFIL (High Heat).
  • [Critical] Anti-Wiper Logic: BCWipe artifacts boosted to Score 600 (ANTI_FORENSICS).
  • [Visualization] Mermaid Refinement: Aggressive note compression, coalesced gaps (>30 days), and zero visual noise for low-priority groups.
  • [Logic] Joker Detection: Boosted Webshell (c99, r57) scores to Critical (800).

v4.55 - Operation Omniscience & Modular Lachesis 👁️

  • [Architecture] Modular Lachesis: Decomposition of the massive SH_LachesisWriter.py into scalable sub-modules (Core, Intel, Enricher, Analyzer, Renderer).
  • [Critical] Adaptive Origin Tracing (Tartaros v4.1): Implemented logic to match artifacts with browser history even with significant time gaps (up to 3 hours) if a unique ID is present.
  • [Critical] The Linker (Phase 4): Added Network Correlation Analysis to confirm communication success by linking LNK targets to browser history.
  • [Critical] Deep LNK Analysis: Enhanced LNK parsing to extract target paths and arguments, detecting obfuscated PowerShell commands.
  • [Critical] Anti-Forensics Detection: Added detection for evidence wiping tools (BCWipe, CCleaner) and missing artifact flagging.

v4.50 - Operation Justice ⚖️

  • [Critical] Time Paradox Detection: Implemented USN Journal rollback logic in Chronos. Physically proves if the attacker rolled back the system clock.
  • [Critical] Justice V3 Engine:
    • LNK Enrichment: Target_Path and Arguments are now visualized in the summary.
    • CRX Detection: Strict whitelist-based masquerade detection for Chrome Extensions.
    • Evidence Hierarchy: Scores are now weighted by Execution (Prefetch) vs Existence (File).
  • [Report] Dynamic Analyst Notes: Lachesis now generates specific insights for each threat type.
  • [Core] Robust Noise Filter: Regex-based cleaning of Notifications and Cache folders.
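The cross-artifact checks behind the Icarus Paradox Engine (MFT vs Prefetch/USNJ) and the Time Paradox rollback logic, written out as an added example; this is illustrative code, not Chronos itself, and the records, paths and timestamps are constructed for the demonstration.

```python
from datetime import datetime, timedelta, timezone

def ts(s):
    """Parse a constructed ISO timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample records, not data from a real case.
# Created0x10 is the $STANDARD_INFORMATION time (settable via normal APIs);
# Created0x30 is the $FILE_NAME time, which those APIs do not rewrite.
MFT = {
    r"C:\Windows\Temp\svc.exe": {"Created0x10": ts("2019-03-01T08:00:00"),
                                 "Created0x30": ts("2024-05-10T13:02:11")},
    r"C:\Users\bob\notes.txt": {"Created0x10": ts("2024-05-09T09:00:00"),
                                "Created0x30": ts("2024-05-09T09:00:00")},
    r"C:\Windows\Temp\upd.exe": {"Created0x10": ts("2024-05-11T00:00:00"),
                                 "Created0x30": ts("2024-05-10T13:00:00")},
}
# Prefetch last-run times: a binary cannot run before it exists on disk.
PREFETCH = {r"C:\Windows\Temp\svc.exe": ts("2024-05-10T13:05:40"),
            r"C:\Windows\Temp\upd.exe": ts("2024-05-10T13:10:00")}
# USN journal entries as (USN, timestamp). USNs only grow, so a timestamp that
# moves backwards as the USN increases means the system clock was rolled back.
USN = [(1000, ts("2024-05-10T13:00:00")), (1040, ts("2024-05-10T13:06:00")),
       (1080, ts("2024-05-10T10:15:00")), (1120, ts("2024-05-10T13:07:30"))]

def icarus_paradoxes(mft, prefetch):
    """Return (path, tag) for files whose $SI creation time is contradicted
    by $FN or by execution evidence."""
    findings = []
    for path, rec in mft.items():
        si, fn = rec["Created0x10"], rec["Created0x30"]
        if si < fn:                       # backdated $SI: classic timestomp
            findings.append((path, "SI_BEFORE_FN"))
        run = prefetch.get(path)
        if run is not None and run < si:  # "executed" before it was "created"
            findings.append((path, "RUN_BEFORE_CREATE"))
    return findings

def usn_rollbacks(usn, tolerance=timedelta(seconds=60)):
    """Return (usn, before, after) for each point where wall-clock time goes
    backwards by more than `tolerance` while the USN keeps increasing."""
    ordered = sorted(usn)
    return [(u1, t0, t1) for (u0, t0), (u1, t1) in zip(ordered, ordered[1:])
            if t0 - t1 > tolerance]
```

Both checks rely on evidence an attacker cannot rewrite through normal file APIs ($FN timestamps, Prefetch run times, USN ordering), which is why they count as physical proof rather than heuristics.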

v4.43 - The Story Inference Update

  • [Tartaros] Upgraded to v3.0 Story Inference Mode. Implemented "Time Cluster" logic.
  • [Lachesis] Implemented Deep History Hunter: Recursive disk scanning for Browser History.

v4.32 - The Robustness Update

  • [Core] Removed all silent try-except-pass blocks.
  • [Lachesis] Scope Self-Correction: Calculation of incident window now includes "Visual IOCs".

v4.28 - The Synapse (Tartaros Integration)

  • [Logic] Implemented memory-to-memory data passing between Lachesis and Tartaros.
  • [Report] "Initial Access Vector" section now displays download URLs.

v4.25 - The Critical Bypass

  • [Logic] Artifacts with Score >= 250 or "MASQUERADE" tag now bypass the Hestia noise filter.

v4.20 - Hercules "The Sovereign"

  • [Hercules] Added native Registry parsing for OS identification.

v4.12 - The Silencer (Legacy)

  • [Hestia] Introduced "Inverted Tool Filter".
  • [Chronos] 95% noise reduction in timeline generation.

v4.0 - Two-Pass Strategy (Legacy)

  • [Architecture] Split Pandora into Pass 1 (Triage) and Pass 2 (Deep Dive).

🔮 Roadmap

  • v1.0: Core Logic (Clotho/Atropos/Lachesis)
  • v1.9: Internal Scout & Lateral Movement Logic (Chimera)
  • v2.0: Visual Reporting (Mermaid Integration)
  • v2.5: Modular Architecture (Nemesis/Themis)
  • v2.7: AION-Sigma Integration
  • v4.0: Hestia Censorship & Two-Pass Strategy
  • v4.12: System Silencer & Inverted Filters
  • v4.20: Registry-based OS Identity (Hercules)
  • v4.28: Origin Tracing (Tartaros)
  • v4.32: Robustness & Full JSON/Pivot Export
  • v4.43: Tartaros v3.0 (Story Inference) & Deep Hunter
  • v4.50: Operation Justice (Time Paradox & Masquerade Killer)
  • v4.55: The Linker, Deep LNK, & Modular Lachesis (Refactored)
  • v5.0: "Nemesis" (Automated Remediation Suggestion)
  • v5.2: Operation Perfection (Smart Reporting & Statistical Accuracy)
  • v5.3: Operation Dragnet (PlutosGate v3.4 - Network Thermodynamics & Exfil Hunter)
  • v5.4: Icarus Flight (Cross-Artifact Paradox Detection / Paradox Breaker)
  • v5.6: The Deep Carver (Dirty Hive Hunter & Binary Context Reporting)
  • v5.7: The Architect (Templated Reporting & Config Justice)
  • v5.8: The Watcher (Reconnaissance Hunter & Phishing Insights)
  • v5.9: The Ghost Hunter (USN Condenser & Strict Demotion)
  • v6.1: The Hunter (SysInternals & LotL Detection)
  • v6.2: The Decoder (Obfuscation & ADS Hunter)
  • v6.3: Grimoire Improvements (Temporal Boost & IOC Separation)
  • v6.4: Operation Truth (Masquerade Hunter, SRUM Heat, & Anti-Wiper)
  • v6.5: The Reaper (Nuclear Option & Context Boosters)
    • Nuclear Option: TIMESTOMP artifacts with Score < 500 are strictly deleted.
    • Context Boosters: High-risk tool usage (e.g., robocopy with /wipe) gets massive context bonuses.
    • Global Cleaning: Noise filters now applied before stats generation for consistency.
  • [NEW] v6.6 - The Refined Core (Rule Engine & Audit Logic) 💎
    • Centralized Rule Engine: All threat scoring logic moved to rules/scoring_rules.yaml (Single Source of Truth).
    • Score Ledger: New audit trail system (Score_Breakdown_case.md) that documents exactly why a score is 950 (e.g., Base:600 + PathBoost:200 + Proximity:150).
    • Performance: Implemented CompiledRuleEngine with regex precompilation, speeding up rule matching by 40%.
    • Reliability: Added Pydantic schema validation for rules and a dedicated Unit Test framework (tests/test_rules.py).
    • Precision: Added negative_context support to rules (e.g., ignoring PsExec in Sysinternals folder).
  • v6.7: Phantom Drive & Console History Detection (ConsoleHostDetector, CorrelationDetector, NoiseFilter Enhancement)
  • v6.9.6: Insider Threat & Encryption Tool Detection (AES/GPG/BitLocker/VHD/Recovery Key Detection)
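How a rule engine with precompiled patterns, a per-artifact score ledger and negative_context suppression fits together, as an added example. The rule set below is constructed for the demonstration and mimics the idea of a scoring YAML; it is not the schema of rules/scoring_rules.yaml, and the function names are this example's own.

```python
import re
from datetime import datetime, timedelta

# Constructed rule set (hypothetical schema): base score, optional boosts and
# an optional negative_context pattern that suppresses the rule entirely.
RULES = [
    {"name": "PSEXEC_LOTL", "match": r"(?i)\\psexec(64)?\.exe$", "base": 600,
     "path_boost": {"pattern": r"(?i)\\(temp|downloads)\\", "score": 200},
     "proximity": {"minutes": 10, "score": 150},
     "negative_context": r"(?i)\\sysinternals\\"},
    {"name": "WEBSHELL_JOKER", "match": r"(?i)\\(c99|r57)\.php$", "base": 800},
]

def compile_rules(rules):
    """Precompile every regex once so matching thousands of rows stays cheap."""
    out = []
    for r in rules:
        c = dict(r, match=re.compile(r["match"]))
        if "negative_context" in r:
            c["negative_context"] = re.compile(r["negative_context"])
        if "path_boost" in r:
            c["path_boost"] = dict(r["path_boost"],
                                   pattern=re.compile(r["path_boost"]["pattern"]))
        out.append(c)
    return out

COMPILED = compile_rules(RULES)

def score_artifact(path, when, critical_times=(), rules=COMPILED):
    """Return (rule_name, total, ledger) for the first matching rule, or None.
    The ledger keeps every component so the audit trail can show 950 = 600+200+150."""
    for r in rules:
        if not r["match"].search(path):
            continue
        if "negative_context" in r and r["negative_context"].search(path):
            return None                      # expected location: suppressed
        ledger = [("Base", r["base"])]
        pb = r.get("path_boost")
        if pb and pb["pattern"].search(path):
            ledger.append(("PathBoost", pb["score"]))
        px = r.get("proximity")
        if px and any(abs(when - t) <= timedelta(minutes=px["minutes"])
                      for t in critical_times):
            ledger.append(("Proximity", px["score"]))
        return r["name"], sum(v for _, v in ledger), ledger
    return None

def ledger_line(result):
    """Render one breakdown line, e.g. 'PSEXEC_LOTL: 950 = Base:600 + PathBoost:200 + Proximity:150'."""
    name, total, ledger = result
    return f"{name}: {total} = " + " + ".join(f"{k}:{v}" for k, v in ledger)
```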

🎯 Future Milestones

| Phase | Version | Codename | Description | Status |
|---|---|---|---|---|
| Phase 1 | v7.0 | Demiurge | Hybrid Architecture (Project Demiurge) - "False KAPE" implementation. Direct Raw Artifact Ingestion (Dirty Hives, PS History) via Artemis-Core. Zero-Copy DF Handover via PyO3. | 🏗️ In Progress |
| Phase 2 | v8.0 | Prometheus | Core Library Rustification - Full migration from Polars dependency to native Rust parsers for ALL artifacts. 10x faster parsing. | 🔜 Planned |
| Phase 3 | v9.0 | Nephele | Cloud Artifact Support - M365/Azure AD/AWS CloudTrail/GCP Audit Log support. Unified timeline for on-prem + cloud. | 📋 Roadmap |
| Phase 4 | v10.0 | Oracle | LLM Integration - Auto-summarization of Grimoire reports, natural language queries. Local LLM (Ollama) support. | 🔮 Vision |

⚠️ Known Issues & Solutions

  • Encoding: Some KAPE CSVs use inconsistent encoding (UTF-8 vs CP1252). Tartaros v1.3+ now attempts utf-8, utf-8-sig, and cp1252 automatically.
  • Mermaid Rendering: Special characters in filenames (e.g., {}) previously broke graphs. Lachesis v4.31+ sanitizes these to () automatically.
  • Polars Version: Requires Polars 0.20+ for read_csv compatibility.
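The two fixes above (codec fallback for KAPE CSVs and Mermaid label sanitization) as an added, self-contained example; it is not Tartaros or Lachesis code, and the CSV samples are constructed. One caveat worth knowing: utf-8-sig is a strict superset of utf-8 (it only consumes a leading BOM), so trying it first makes a separate utf-8 attempt unnecessary and keeps the BOM out of the first column header.

```python
import csv
import io

# cp1252 goes last because it decodes almost any byte sequence and would
# otherwise mask genuine UTF-8 content.
CODECS = ("utf-8-sig", "cp1252")

def decode_kape_csv(raw: bytes):
    """Return (codec_used, rows) for a KAPE-style CSV of unknown encoding."""
    error = None
    for codec in CODECS:
        try:
            text = raw.decode(codec)
        except UnicodeDecodeError as exc:
            error = exc
            continue
        return codec, list(csv.DictReader(io.StringIO(text)))
    raise error  # only reached if even cp1252 rejects the bytes

# Characters that break Mermaid node labels, mapped to harmless lookalikes
# ({} -> () as the text describes; the extra pairs are this example's choice).
_MERMAID_SAFE = str.maketrans({"{": "(", "}": ")", "[": "(", "]": ")",
                               '"': "'", "|": "/", ";": ","})

def mermaid_label(name: str) -> str:
    """Sanitize a filename before embedding it in a Mermaid graph node."""
    return name.translate(_MERMAID_SAFE)

# Constructed inputs: a CP1252-encoded export and a BOM-prefixed UTF-8 export.
CP1252_SAMPLE = "FileName,Size\r\nrapport_été{1}.txt,12\r\n".encode("cp1252")
BOM_SAMPLE = "\ufeffFileName,Size\r\nupdate{2}.exe,4096\r\n".encode("utf-8")
```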

Powered by Python, Polars, and Paranoia.
