I have started a new open source Java project called ArtifactIR. Many times while conducting incident response, I found myself using a combination of paper notes, Notepad++, Forensic CaseNotes, MS Word, and others to record my observations. I would then spend time collecting them all into my report. Typically, I would want these observations to be sorted by the time that they applied, but for after-action review, I would also like to be able to display them in the order the observations were made. This includes aggregating across team members so we can see the flow of the investigation when we are reviewing our performance. So I came up with the idea of ArtifactIR, a single place where I can record my notes, connect them by case or tags, add any type of data to the observation, and then pivot the view by case, tag, observation time (for response review), or applicable time (for the incident timeline).
The concept is to build a stand-alone Java application that will allow the incident responder to keep multiple observations open. The observations will be editable, but have full change tracking after the initial save. I chose Java because it is the easiest write-once, run-anywhere language that lets me build a GUI while making distribution as simple as having the user install Java Runtime Environment 7 and run a single JAR file.
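To make the two-timeline idea concrete, here is an added sketch (my own illustration, not ArtifactIR code) of an observation that carries both an observation time and an applicable time, keeps an append-only revision history after its first save, and can be pivoted either way across analysts. Class names, field names and the sample notes are assumptions, and it is written against a current JDK rather than the JRE 7 target named below.

```java
import java.time.Instant;
import java.util.*;
import java.util.stream.Collectors;

// One responder note (assumed model, not ArtifactIR's own). Edits after the first save append a revision.
final class Observation {
    final String analyst, caseId;
    final Set<String> tags;
    final Instant observedAt;   // when the responder wrote it down (after-action review order)
    final Instant appliesAt;    // when the event actually occurred (incident timeline order)
    private final List<String> revisions = new ArrayList<>();

    Observation(String analyst, String caseId, Set<String> tags,
                Instant observedAt, Instant appliesAt, String text) {
        this.analyst = analyst; this.caseId = caseId; this.tags = tags;
        this.observedAt = observedAt; this.appliesAt = appliesAt;
        revisions.add(text);    // initial save
    }

    // Change tracking: earlier text is never overwritten, only superseded.
    void edit(String newText) { revisions.add(newText); }
    String current() { return revisions.get(revisions.size() - 1); }
    List<String> history() { return Collections.unmodifiableList(revisions); }
}

public class ArtifactIrDemo {
    // Two pivots over the same notes: incident timeline vs. response review.
    static final Comparator<Observation> INCIDENT_TIMELINE = Comparator.comparing(o -> o.appliesAt);
    static final Comparator<Observation> RESPONSE_REVIEW = Comparator.comparing(o -> o.observedAt);

    public static void main(String[] args) {
        // Constructed sample notes from two analysts on one case; names and dates are made up.
        Observation a = new Observation("alice", "CASE-1", Set.of("lateral-movement"),
            Instant.parse("2012-09-10T14:05:00Z"), Instant.parse("2012-09-08T02:10:00Z"),
            "RDP logon from workstation to file server");
        Observation b = new Observation("bob", "CASE-1", Set.of("initial-access"),
            Instant.parse("2012-09-10T15:30:00Z"), Instant.parse("2012-09-07T21:40:00Z"),
            "Phishing attachment opened on workstation");
        a.edit("RDP logon from workstation to file server (account: svc_backup)");
        List<Observation> all = List.of(a, b);

        System.out.println("Incident timeline (by applicable time):");
        all.stream().sorted(INCIDENT_TIMELINE)
            .forEach(o -> System.out.println("  " + o.appliesAt + "  " + o.current()));
        System.out.println("Response review (by observation time, all analysts):");
        all.stream().sorted(RESPONSE_REVIEW)
            .forEach(o -> System.out.println("  " + o.observedAt + "  " + o.analyst + ": " + o.current()));
        System.out.println("Revisions of Alice's note: " + a.history());
    }
}
```

Note that the two orderings come out reversed for these samples: Bob's note was written later but describes the earlier event, which is exactly the distinction the two timestamps exist to preserve.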
I have not worked out the data storage yet. I am considering building the application on a client-server model, where the user would interact with it via a browser. It will not be a Java applet, as I typically discourage users from having Java available when web browsing, but it could be configured so that one server allows multiple users to maintain their observations in a single database. Views could then be generated from this aggregated data.
For starters, I am going small. I have never done an open source project, so this is pushing me outside of my comfort zone and I am likely to make mistakes. My initial goal will be to get a client-side application to run on a host where the user can record and display their observations in the manner described above. I accept all criticism and suggestions.
The base build is taking place in an Ubuntu 12.04 x32 VM using Eclipse 4.2, connected to GitHub (https://github.com/VernMcC/ArtifactIR). There is nothing there yet, just the project shell, but I will be committing to this location as I do work. The JRE used for the build will be JRE7u7.