A Workshop by Eve Count

Operation Nightfall

This workshop reimagines the "Introduction to Pandas" curriculum through the lens of a Digital Forensics & Incident Response (DFIR) investigation. Instead of analyzing fruit, you will hunt a hacker.

Explore the Investigation on GitHub

Project Nightfall: The Open Source Forensic Grid

We believe cybersecurity education shouldn't just be about reading logs; it should be about hunting threats. This repository is more than a tutorial—it's a complete forensic simulation where students track a hacker's lateral movement using Data Science.

It culminates in the deployment of Sentinel, a browser-based Threat Console that allows analysts to visualize attack vectors and pledge their findings to a decentralized global intelligence grid.

Mission Objectives

By the end of this investigation, you will have hands-on experience with industry-standard forensic analysis techniques using Python and Pandas.

Understand the Pandas Library for security log analysis.
Grasp forensic concepts like Triage, Baselining, and IoC hunting.
Load CSV logs into DataFrames and clean attacker data.
Use indexing and filtering to find 'Patient Zero' (malware).
Join Process and Network logs to prove data exfiltration.
Aggregate data to assess total damage and report findings.

Case Files (Course Structure)

Your briefing is organized into the following sections within the GitHub repository.

Pre-Class

Setting up your forensic lab (Environment Setup).

Operation Nightfall (Lesson)

The core investigation workbook.

Sentinel Web App

The interactive Threat Hunting Console.

Post-Class

Interactive Sentinel Mockup

Experience a non-functional, high-fidelity mockup of the Sentinel console. This demonstrates the user experience before you dive into the code.

This is a Mockup, Not a Live App

This interface is a visual simulation to showcase the Sentinel app's design. The buttons and inputs are for display only. The real, functional application is built by you as part of the Operation Nightfall workbook.

Sentinel: Forensic Threat Console

Case Evidence

Contribute to Grid

Join the decentralized forensic network.

Sponsor the Grid

Sentinel is currently running in Local Mode. To build the real-time Cloud Backend for the Global Grid, we need server resources.

Evidence Loaded

process_log.csv (2,845 rows)

Triage & Auto-Hunt

Total Events

2,845

Unique Processes

🚨 Threat Hits

CRITICAL

Detected Suspicious Processes

powershell.exe, nmap.exe

Threat Hunting Console

X-Axis

Y-Axis

Color By (Z-Axis)

The AI Bridge

What you see above as "clusters" or "lines" are what Machine Learning models use to detect attacks. Vertical lines often indicate scanning, while dense clusters can signify brute force or data exfiltration.

Operation Sentinel Web App

Want to run the analysis in a dashboard?

The repository includes `app.py`, a Streamlit application that provides an interactive Threat Hunting Console.

Install requirements: pip install -r requirements.txt
Run the app: streamlit run app.py
Upload your evidence files and begin hunting.

Stack: Python, Pandas, Streamlit, Plotly, Jupyter.

Data Safety Warning

A note from your Senior Analyst.

This course primarily uses Synthetic Data generated securely within the notebook to simulate an attack without risk. However, a sample real-world dataset is also provided. In the security world, downloading and running unverified files is a major risk. Always verify your sources.

Co-created by Gwendalynn Lim and Gemini.