nightHawkResponse: Incident Response Forensic Framework


nightHawk Response

A custom-built application for asynchronous forensic data presentation on an Elasticsearch backend.
This application is designed to ingest a Mandiant Redline “collections” file and provide flexible searching, stacking and tagging.

The application was born out of the inability to control multiple investigations (or hundreds of endpoints) in a single pane of glass.

To ingest Redline audits, we created nightHawkResponse, a fully fledged GOpher application designed to accompany this framework. The source code for the application is available in this repo; a binary has been compiled and runs inside the ISO, ready to ingest from first boot.


  1. Single view endpoint forensics (multiple audit types).
  2. Global search.
  3. Timelining.
  4. Stacking.
  5. Tagging.
  6. Interactive process tree view.
  7. Multiple file upload & named investigations.