Forensic Fusion: Project Story - Team ID code: 0D75EDD904BE3AF9
Domain we would have claimed - thesilentwitness.tech
Inspiration
Memory forensics is one of the most powerful tools in cybersecurity, but it's notoriously slow to triage. Analysts spend hours parsing through raw Volatility outputs, manually correlating processes, network connections, and code injection patterns to identify threats. During incident response, every minute counts.
We were inspired to build Forensic Fusion after seeing how AI and automation could transform other domains. We asked: "What if we could turn a 2GB memory dump into a concise, actionable threat report in minutes instead of hours?" The answer was combining Volatility 3's forensic capabilities with an intelligent AI agent that understands context and can reason about security threats.
What it does
Forensic Fusion is an AI-powered forensic analysis platform that automates memory forensics, registry analysis, steganography detection, and encrypted file scanning. Users can upload memory dumps, images, or archives, and the system:
- Automatically analyzes memory dumps using Volatility 3 (processes, network connections, code injection)
- Extracts registry artifacts from memory (Run/RunOnce, USBSTOR, persistence mechanisms)
- Detects steganography in images using LSB analysis and statistical tests
- Identifies encrypted files through entropy analysis and password-protected archive detection
- Provides AI-powered insights using Google Gemini to summarize findings and recommend actions
- Uses an intelligent agent (LangChain ReAct) that understands user intent and selects the right analysis tools
The result? A clean, evidence-based report that highlights suspicious processes, network anomalies, and potential threats—all in a fraction of the time it takes to manually analyze.
How we built it
We built Forensic Fusion as a full-stack application with a modular, agentic architecture:
Backend (FastAPI + Python)
- Core analysis pipeline orchestrating Volatility 3, registry parsing, and file analysis
- LangChain ReAct agent that intelligently routes user queries to appropriate tools
- Modular design: separate modules for volatility, registry, steganography, encryption, and agent logic
- Async job processing with MongoDB for persistent storage
- Robust file handling supporting multiple formats (.vmem, .raw, .dmp, .rar, .zip, .7z)
Frontend (Next.js + TypeScript)
- Modern React interface with real-time analysis dashboard
- Agentic chat interface for natural language interaction
- Results visualization showing processes, threats, and AI insights
- Tailwind CSS for a clean, professional UI
AI Integration
- Google Gemini API for generating forensic summaries and agent reasoning
- Structured JSON-only responses for reliable parsing
- Context-aware prompt building that includes evidence and suspicion scores
Deployment
- Docker Compose for containerized services
- Support for VPS deployment with systemd and Nginx
Challenges we ran into
The biggest challenge: Obtaining forensic data files. Memory dumps and malware samples are extremely limited in public datasets. Most require special access, academic credentials, or are behind paywalls. For a hackathon with limited resources, finding quality test data was our primary blocker. We overcame this by using publicly available samples like the 0zapftis.vmem (R2D2 malware) and building robust archive extraction to handle password-protected samples.
Technical challenges:
- Volatility symbol management: Each memory dump requires exact Windows symbols. We implemented automatic symbol downloading and caching from Microsoft's Symbol Server.
- Archive extraction: Malware samples often come in password-protected archives. We built a handler that tries common passwords (infected, malware, virus) and supports multiple formats.
- Agent tool selection: The AI agent sometimes chose tools based on file extensions rather than user intent. We enhanced the system prompt with explicit rules prioritizing user queries.
- Python 3.13 SSL compatibility: MongoDB Atlas connections failed due to stricter SSL defaults. We added SSL context patching for compatibility.
- Large file handling: Memory dumps can be 2GB+. We implemented streaming uploads and configurable size limits.
Accomplishments that we're proud of
- Built a working agentic AI system that understands forensic analysis context and intelligently routes queries to the right tools
- Integrated multiple forensic domains (memory, registry, steganography, encryption) into a unified platform
- Created a production-ready architecture with async processing, job management, and persistent storage
- Delivered a clean, intuitive UI that makes complex forensic analysis accessible
- Overcame data limitations by building a flexible system that works with any available memory dump format
- Achieved end-to-end automation from file upload to AI-generated threat report
What we learned
Technical skills:
- Memory forensics with Volatility 3: understanding Windows memory structures, process injection detection, network artifact extraction
- Agentic AI architecture: LangChain ReAct pattern, tool-based reasoning, LLM orchestration
- Multi-domain forensics: registry analysis, steganography detection (LSB, chi-square tests), entropy-based encryption detection
- System design: async job processing, Docker containerization, MongoDB integration, RESTful API design
Domain knowledge:
- Malware detection patterns: code injection, suspicious processes, network anomalies
- Windows forensics: registry artifacts, persistence mechanisms, USB device tracking
- File analysis: steganography techniques, entropy analysis, archive formats
Lessons:
- The importance of modular architecture when integrating multiple complex systems
- How AI agents can bridge the gap between user intent and technical tool execution
- The value of robust error handling and user-friendly error messages in forensic tools
- Working with limited resources teaches creative problem-solving
What's next for Forensic Fusion
Long-term:
- Advanced ML models for anomaly detection and pattern recognition
- Integration with threat intelligence feeds (VirusTotal, AlienVault)
- Automated report generation in multiple formats (PDF, JSON, STIX)
- Support for additional operating systems (Linux, macOS memory dumps)
- Cloud-native deployment with auto-scaling capabilities
Our vision is to make forensic analysis as accessible as possible, helping security teams respond to incidents faster and more effectively.
Domain we would have claimed - thesilentwitness.tech
Built With
- aiofiles
- built-with-languages:-python
- docker-compose-libraries:-pydantic
- javascript-backend:-fastapi
- langchain
- langchain-react-agent-database:-mongodb-deployment:-docker
- motor
- numpy
- pillow
- react
- regipy-frontend:-next.js
- tailwind-css-ai:-google-gemini-api
- typescript
- volatility-3
Log in or sign up for Devpost to join the conversation.