DarkHorse InfoSec

HADES

Hidden Artifact Detection & EXIF Scanner - Enterprise Forensic Analysis Platform

🔬 ENTERPRISE FORENSIC PLATFORM | v0.5.0 🔬

Advanced metadata forensics for security teams, incident responders, and CI/CD pipelines. 851 tests passing. 100% detection rate on validated malware corpus.

HADES is a metadata forensics engine built for security teams and incident responders — 851 tests passing with a 100% detection rate on its validated malware corpus. It ships with a FastAPI REST API and web dashboard, hash-chained evidence management, cloud and network integrations, and 41 purpose-built YARA rules. Install from PyPI with pip install hades-scanner or deploy via Docker.

$ pip install hades-scanner
$ hades --help
$ hades-enhanced --serve --port 8666

Metadata Forensics & Deep Format Analysis

Core scanning engine — extracts metadata from 200+ formats, deep-parses PDF/Office/SVG internals, detects polyglot files, identifies steganography patterns, and scores threats using ML anomaly detection.

Technical Capabilities:

  • ExifTool + native parsers (pikepdf, olefile)
  • GPS/timestamp forensics, camera fingerprinting
  • Polyglot detection (JPEG+ZIP, PDF+JS, PNG+HTML)
  • Entropy analysis for steganography detection
  • ML-based Isolation Forest anomaly scoring
$ hades-enhanced -r /evidence --format json --workers 8

YARA Rules & Threat Detection

41 metadata-specific YARA rules across 7 rule files — the only public rule set purpose-built for metadata threats. Detects injection attacks, obfuscated payloads, steganography markers, and suspicious metadata patterns.

Detection Capabilities:

  • Dynamic rule loading, metadata injection rules (SQL/XSS/command)
  • Polyglot detection rules
  • Suspicious metadata patterns (Base64 blobs, embedded URLs, PII leakage)
  • Enterprise threat rules
  • IOC matching with VirusTotal/AbuseIPDB/OTX integration
$ hades-enhanced --yara-rules rules/ --min-score 5 -r /suspect_files

REST API & Web Dashboard

FastAPI server with 22+ authenticated endpoints, automatic OpenAPI docs, WebSocket live updates, and a browser-based dashboard — no desktop app required. Scan files, manage cases, monitor directories, and export to SIEM from any browser.

API Features:

  • FastAPI with async endpoints, Pydantic models
  • X-API-Key auth, rate limiting, CORS
  • Swagger UI at /docs
  • WebSocket real-time alerts
  • Dark-themed SPA dashboard with 5 views
$ hades-enhanced --serve --port 8666 --api-workers 4

Evidence Chain & Case Management

Forensic-grade evidence handling — SHA-256 hash-chained immutable audit log, case management with analyst notes, self-verifying evidence export packages with HMAC signatures. Built for court-admissible forensics.

Forensic Features:

  • Append-only hash-chained audit log with tamper detection
  • Case CRUD with scan linking and analyst notes
  • Evidence export as self-verifying ZIP (includes verify_package.py)
  • HMAC-SHA256 report signing
  • Chain of custody timeline
$ hades-enhanced --case-create "IR-2026-001" --audit-verify --export-case <id>

Network & Email Security

Integrate HADES into existing security infrastructure — watch Zeek/Suricata file extraction directories for automatic scanning, or deploy as an SMTP email attachment gateway with quarantine management.

Integration Features:

  • Zeek connector (TSV + JSON log parsing)
  • Suricata connector (eve.json fileinfo)
  • Automatic scan-enrich-log-forward pipeline
  • SMTP email gateway on configurable port
  • Threat-based routing (pass/warn/quarantine)
$ hades-enhanced --zeek-watch /nsm/extract_files --email-gateway --smtp-port 10025

Cloud Storage Scanning

Scan files in cloud storage buckets across AWS S3, Google Cloud Storage, and Azure Blob Storage. Concurrent downloads, automatic object tagging with scan results, and scheduled bucket scans.

Cloud Features:

  • Provider-agnostic interface (S3/GCS/Azure)
  • Concurrent scanning with ThreadPoolExecutor
  • Object tagging (hades-scanned, threat-level)
  • Size and file type filtering
  • Assume-role support for cross-account S3
$ hades-enhanced --s3-scan my-bucket --cloud-prefix uploads/ --cloud-tag-results

CI/CD & Team Chat Integration

Shift-left security — scan files in pull requests with GitHub Actions, fail pipelines on high-threat scores, output SARIF for GitHub Code Scanning, and respond to on-demand scan requests via Slack or Teams bots.

CI/CD Features:

  • GitHub Actions reusable workflow, configurable fail threshold
  • SARIF output for Code Scanning
  • Markdown PR comments
  • Slack bot (/hades scan with Block Kit formatting)
  • Teams bot with Adaptive Cards, GitLab MR note formatting
$ hades-enhanced --ci-scan *.jpg *.pdf --ci-threshold 7.0 --ci-format sarif

Deployment & Distribution

Install in seconds, deploy anywhere. PyPI package with optional dependency groups, production Docker image with health checks, or Homebrew on macOS. SIEM export in CEF/Syslog/STIX/LEEF/ECS formats.

Deployment Options:

  • pip install hades-scanner[full] with 10 optional dependency groups
  • Multi-stage Docker image (non-root, <500MB)
  • Homebrew formula for macOS
  • SIEM export (CEF, Syslog, STIX, LEEF, ECS)
  • Environment variable configuration, uvicorn with configurable workers
$ pip install hades-scanner[api,yara,ml]
$ docker run -p 8666:8666 hades-scanner:0.5.0

For documentation, source code, and support — visit the project on GitHub or get in touch.

GitHub: github.com/DarkHorseInfoSec/hades-scanner | Install: pip install hades-scanner | Contact: darkhorseinfosec.com/contact