Digital Evidence Investigation of Cybercrime

DEIC Local HTTP Service

DEIC is distributed as a local Python service. It runs on the investigator's own machine, receives CSV exports through a local HTTP endpoint, and returns candidate Digital Evidence Objects with transparent stage counts.

How it works

Local service, object results

The service accepts CSV text and settings, applies HiD and DEO filtering, and returns JSON containing the imported count, reduced review count, stage counts, and ranked evidence objects.

01

Unzip

Download the ZIP and extract it on the examination workstation or a controlled analysis machine.

02

Start

Run the Python service on 127.0.0.1 so it is reachable only from the local machine by default.

03

Analyze

Send a CSV export and case settings to /analyze; the service searches for candidate evidence objects.

04

Validate

Use the selected object set as a guide for review in the original forensic environment.

Detailed instructions

Run DEIC locally

  1. Download and extract. Use the ZIP file linked above. The package contains service.py, deic_tool.py, sample.csv, sample-request.json, and README.md.
  2. Start the service. From the extracted folder, run python3 service.py --host 127.0.0.1 --port 8765.
  3. Confirm health. In another terminal, run curl http://127.0.0.1:8765/health.
  4. Run the sample. Run curl -X POST http://127.0.0.1:8765/analyze -H "Content-Type: application/json" --data-binary @sample-request.json.
  5. Use your own export. Replace the csv field in the request body with your forensic CSV text and set the DEO parameters for the case.
  6. Read the returned objects. The response includes summary, counts, columns, and rows; each row is a candidate object scored by the 5W and habit cues.
  7. Stop the service. Press Ctrl+C in the service terminal when analysis is complete.

Request shape

Object filters in JSON

DEIC settings map directly to the DEO lens. Blank values are allowed when a case hypothesis does not yet contain that object attribute.

Start

python3 service.py --host 127.0.0.1 --port 8765

Analyze

{
  "csv": "Name,Path,Created\\n...",
  "settings": {
    "caseType": "CD",
    "investigationStart": "2016-01-08T00:00",
    "investigationEnd": "2016-04-08T00:00",
    "eventStart": "2016-03-21T00:00",
    "eventEnd": "2016-04-01T00:00",
    "whereTokens": "TeamViewer, USBSTOR, CEIS",
    "whoTokens": "gintas, admin",
    "habitTokens": "gint, v",
    "analysisColumns": "Name, Path, Ext, Category, User, Process, Source"
  }
}