Forti-DFIR: Open-Source Framework for Fortinet Forensics & Incident Response
Filling a Critical Gap in Fortinet DFIR
At IONSEC, we’re proud to introduce Forti-DFIR — an open-source initiative created to give security teams the tools they need for forensic investigations and incident response in Fortinet environments.
While Fortinet solutions are widely deployed across enterprises, forensic visibility and automation remain a challenge. Forti-DFIR was designed by responders, for responders, to make investigations faster, repeatable, and evidentially sound.
🔗 Explore the project on GitHub: https://github.com/ionsec/Forti-DFIR

Why Forti-DFIR?
When investigating intrusions or misconfigurations in Fortinet products, responders often rely on manual CLI commands or fragmented log exports. This slows down investigations and introduces the risk of missed artifacts.
Forti-DFIR changes that by offering:
- Automated Evidence Collection – Extracts logs, configs, and artifacts from FortiGate appliances.
- Forensic Integrity – Records hashes and timestamps for collected items so the evidence remains defensible.
- Modular Workflows – Enables responders to target specific incident types (intrusions, misconfigs, malware).
- Cloud & On-Prem Support – Adaptable to diverse Fortinet deployments.
Core Capabilities
- Log Acquisition: Unified export of system, traffic, and event logs.
- Configuration Snapshots: Preserve running and saved configs for baselining.
- Network Forensics: Extracts session data and suspicious traffic patterns.
- Malware Investigation Hooks: Integrates with sandboxing for artifact enrichment.
- Reporting Outputs: JSON/CSV for machine analysis and HTML for human-readable summaries.
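To make the Forensic Integrity and Reporting Outputs points concrete, here is an added example (written for this post, not Forti-DFIR's own code) of an evidence manifest: each collected artifact is hashed with SHA-256 and stamped with the UTC time it was hashed, and the manifest can later be re-checked to prove nothing changed after collection. It assumes a Python collector that writes artifacts into a local directory; the two artifacts and the case id are constructed placeholders.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample artifacts standing in for what a collector would pull
# from a FortiGate (a config snapshot and a log export); contents are made up.
SAMPLE_ARTIFACTS = {
    "config_running.conf": b"config system global\n    set hostname FGT-EXAMPLE\nend\n",
    "event_log.csv": b"date,time,logid,msg\n2024-01-01,00:00:00,0100032001,login\n",
}

def sha256_file(path: str) -> str:
    """Hash a file in chunks so large log exports need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(evidence_dir: str, case_id: str) -> dict:
    """Record each artifact's size, SHA-256 and the UTC time it was hashed."""
    entries = []
    for name in sorted(os.listdir(evidence_dir)):
        path = os.path.join(evidence_dir, name)
        entries.append({
            "file": name,
            "size": os.path.getsize(path),
            "sha256": sha256_file(path),
            "hashed_at_utc": datetime.now(timezone.utc).isoformat(),
        })
    return {"case_id": case_id, "artifacts": entries}  # json.dumps()-ready

def verify_manifest(evidence_dir: str, manifest: dict) -> list:
    """Return the artifacts whose current hash no longer matches the manifest."""
    return [e["file"] for e in manifest["artifacts"]
            if sha256_file(os.path.join(evidence_dir, e["file"])) != e["sha256"]]

def demo() -> tuple:
    """Write the samples, build a manifest, then tamper with one file."""
    d = tempfile.mkdtemp()
    for name, data in SAMPLE_ARTIFACTS.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    manifest = build_manifest(d, "CASE-0001")  # constructed case id
    clean = verify_manifest(d, manifest)       # expected: [] (nothing changed)
    with open(os.path.join(d, "event_log.csv"), "ab") as f:
        f.write(b"tampered\n")                 # simulate post-collection modification
    return manifest, clean, verify_manifest(d, manifest)
```

The returned manifest serialises directly to JSON for the machine-readable report, and a second `verify_manifest` run after the simulated modification flags only `event_log.csv`.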
Built for the DFIR Community
Forti-DFIR is designed for:
- Incident Responders handling Fortinet-targeted intrusions
- Forensic Analysts needing structured evidence collection
- SOC Teams & MSPs monitoring multi-tenant Fortinet infrastructures
By standardizing how evidence is collected and preserved, Forti-DFIR helps practitioners reduce dwell time, ensure compliance, and defend findings in court or audits.
Join the Project
Forti-DFIR is a community-driven project. We invite practitioners, researchers, and developers to extend its capabilities, share use cases, and contribute modules.
🔗 Get started on GitHub: https://github.com/ionsec/Forti-DFIR