
Introduction:
Open-source intelligence (OSINT) investigations often drown analysts in scattered data: usernames, domains, emails, and URLs from dozens of sources, with no central place to correlate evidence or track case progress. REKOS is a local-first, command-line workspace built for evidence correlation, relationship graphing, and case management, keeping case data under the investigator's control rather than in a cloud service. This article covers REKOS's technical architecture, installation, hands-on usage for DFIR and threat intelligence, and how to harden an OSINT workflow against data leakage and API throttling.
Learning Objectives:
– Install and configure REKOS on Linux and Windows (via WSL) for offline OSINT case management.
– Correlate heterogeneous indicators (usernames, domains, emails, URLs) and generate relationship graphs using built-in CLI tools.
– Implement evidence tracking, case reporting, and integrate REKOS with external OSINT tools while applying API security and proxy hardening.
You Should Know:
1. Installing REKOS and Setting Up a Local-First Workspace
REKOS is a Python-based CLI tool that runs entirely on your local machine. It stores evidence in a local SQLite database and graph files, ensuring no third-party cloud exposure. Below are verified installation steps for both Linux and Windows environments.
Linux (Debian/Ubuntu):
```bash
# Update system and install dependencies
sudo apt update && sudo apt install -y git python3 python3-pip python3-venv sqlite3

# Clone REKOS repository (assuming GitHub, adjust if different source)
git clone https://github.com/example/rekos.git   # Replace with actual REKOS URL
cd rekos

# Create virtual environment and install requirements
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt

# Initialize database
python rekos.py --init-db
```
Windows (via WSL2):
```powershell
# In PowerShell as Admin: enable WSL and install Ubuntu
wsl --install -d Ubuntu

# Launch WSL and follow the Linux steps above
wsl
```

Inside the WSL shell:

```bash
sudo apt update && sudo apt install -y git python3 python3-pip python3-venv sqlite3
git clone https://github.com/example/rekos.git
cd rekos
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
python rekos.py --init-db
```
What this does and how to use it:
The commands create an isolated Python environment for REKOS, install its dependencies (e.g., networkx for graphing, pandas for data handling), and initialize a local `evidence.db` file. After setup, run `python rekos.py --help` to see available commands. Use `--case` to create or switch between investigation cases, e.g., `python rekos.py --case apt28_2026 --new`.
2. Ingesting and Correlating OSINT Evidence
REKOS ingests indicators from CSV, JSON, or manual entry. Correlation links usernames to domains, emails to URLs, and builds weighted relationships based on co-occurrence.
Step-by-step guide:
1. Add a username:
`python rekos.py --add-indicator username "john_doe" --type username --source twitter`
2. Add a domain:
`python rekos.py --add-indicator domain "evilcorp.ru" --type domain --source threatfox`
3. Add email:
`python rekos.py --add-indicator email "[email protected]" --type email --source pastebin`
4. Manual correlation:
`python rekos.py --correlate username=john_doe --with domain=evilcorp.ru --weight 0.85`
5. Bulk import from CSV:
`python rekos.py --import-csv indicators.csv` (CSV headers: indicator,type,source)
Verification commands:
– List all indicators: `python rekos.py --list-indicators`
– Search by type: `python rekos.py --search domain=evilcorp.ru`
REKOS automatically creates timestamps and hashes each entry (SHA256) for integrity verification, stored in `evidence.db` under `indicators` and `correlations` tables.
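The per-entry hashing described above can be reproduced in a small stand-alone script. This is an added example modelled on the article's description, not REKOS's own code: the table layout and the `add_indicator`/`verify_integrity` names are assumptions.

```python
import hashlib
import sqlite3
from datetime import datetime, timezone

# Hypothetical stand-in for the "indicators" table the article describes; not REKOS's real schema.
SCHEMA = """
CREATE TABLE IF NOT EXISTS indicators (
    id         INTEGER PRIMARY KEY,
    indicator  TEXT NOT NULL,
    type       TEXT NOT NULL,
    source     TEXT NOT NULL,
    first_seen TEXT NOT NULL,
    sha256     TEXT NOT NULL
);
"""


def entry_hash(indicator: str, itype: str, source: str, first_seen: str) -> str:
    """SHA-256 over a canonical join of the fields (0x1f is a control character that
    does not occur in normal indicator data, so field boundaries stay unambiguous)."""
    canonical = "\x1f".join((indicator, itype, source, first_seen))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def add_indicator(conn, indicator, itype, source, first_seen=None) -> int:
    """Insert one indicator with a UTC timestamp and its integrity hash (parameterized query)."""
    first_seen = first_seen or datetime.now(timezone.utc).isoformat(timespec="seconds")
    cur = conn.execute(
        "INSERT INTO indicators (indicator, type, source, first_seen, sha256) VALUES (?, ?, ?, ?, ?)",
        (indicator, itype, source, first_seen, entry_hash(indicator, itype, source, first_seen)),
    )
    conn.commit()
    return cur.lastrowid


def verify_integrity(conn) -> list:
    """Recompute every row's hash; return the ids whose stored hash no longer matches."""
    rows = conn.execute("SELECT id, indicator, type, source, first_seen, sha256 FROM indicators")
    return [rid for rid, ind, typ, src, seen, digest in rows
            if entry_hash(ind, typ, src, seen) != digest]
```

Because the hash sits beside the row it protects, this check catches accidental or careless edits but not an attacker who rewrites both fields and hash; keep the hash list from the exported report outside `evidence.db` to detect that case.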
3. Building Relationship Graphs for Visual Analysis
Visualizing connections helps identify campaign infrastructure. REKOS exports GraphML and DOT formats compatible with Gephi or Graphviz.
Generate graph from current case:
```bash
# Generate graph from current case
python rekos.py --build-graph --format dot --output case_graph.dot

# Convert DOT to PNG (requires graphviz)
dot -Tpng case_graph.dot -o case_graph.png
```
For Windows (without graphviz):
Install Gephi (free) and import the GraphML file:
`python rekos.py --build-graph --format graphml --output case_graph.graphml`
What the graph shows:
Nodes represent indicators (color-coded by type), edges show correlations with weights. Hover/click reveals metadata: source, first_seen, last_seen, and notes. REKOS also supports `--centrality` to compute the most connected node (e.g., the primary C2 domain).
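To show what the centrality and DOT export steps compute, here is an added pure-Python example (no networkx) built from constructed correlations in the article's `type=value` style. It is not REKOS's implementation; the node colours, the weighted-degree scoring and the function names are assumptions.

```python
from collections import defaultdict

# Constructed sample correlations (indicator_a, indicator_b, weight); not output from REKOS.
CORRELATIONS = [
    ("username=john_doe", "domain=evilcorp.ru", 0.85),
    ("email=jd@example.invalid", "domain=evilcorp.ru", 0.70),
    ("domain=evilcorp.ru", "url=http://evilcorp.ru/qr", 0.60),
    ("username=john_doe", "email=jd@example.invalid", 0.40),
]

# Assumed colour scheme for the "color-coded by type" nodes.
COLOURS = {"username": "lightblue", "domain": "salmon", "email": "palegreen", "url": "khaki"}


def weighted_degree(correlations):
    """Sum the weights of all edges touching each node (weighted degree centrality)."""
    score = defaultdict(float)
    for a, b, w in correlations:
        score[a] += w
        score[b] += w
    return dict(score)


def most_central(correlations):
    """The indicator with the highest weighted degree, e.g. the hub domain of a campaign."""
    score = weighted_degree(correlations)
    return max(score, key=score.get)


def to_dot(correlations):
    """Render an undirected weighted graph in DOT; edge thickness follows the weight."""
    nodes = {n for a, b, _ in correlations for n in (a, b)}
    lines = ["graph case {"]
    for n in sorted(nodes):
        itype = n.split("=", 1)[0]
        lines.append(f'  "{n}" [style=filled, fillcolor="{COLOURS.get(itype, "white")}"];')
    for a, b, w in correlations:
        lines.append(f'  "{a}" -- "{b}" [label="{w:.2f}", penwidth={1 + 4 * w:.2f}];')
    lines.append("}")
    return "\n".join(lines)
```

Feed the returned DOT text to `dot -Tpng` as in the command above to get the same kind of picture.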
4. Case Management and Evidence Tracking for DFIR
DFIR teams need audit trails. REKOS provides evidence tagging, chain-of-custody logs, and exportable reports.
Create a case with metadata:
```bash
python rekos.py --case "Phishing_2026_01" --new \
  --description "Massive QR phishing targeting finance dept" \
  --owner "DFIR_Team_Alpha" --classification TLP:AMBER
```
Add evidence artifacts:
```bash
python rekos.py --add-evidence --file phishing_email.eml \
  --hash "$(sha256sum phishing_email.eml | cut -d' ' -f1)" \
  --description "Original phishing email with malicious QR code"
```
Tag indicators to evidence:
```bash
python rekos.py --tag indicator_id=12 --with-evidence evidence_id=5 --tag "initial_access"
```
Generate timeline report:
`python rekos.py --report --format html --output case_report.html` produces a report that includes all indicators, correlations, evidence hashes, and a timeline of when each artifact was added.
For Windows, use `certutil -hashfile phishing_email.eml SHA256` to compute hashes.
5. Integrating REKOS with External OSINT Tools and API Security
Combine REKOS with tools like theHarvester, SpiderFoot, or Shodan, while protecting your API keys and avoiding rate limits.
Step-by-step integration:
1. Run theHarvester against a domain:
`theHarvester -d target.com -b google,bing,linkedin -f theh_result.json`
2. Convert JSON to REKOS CSV format using jq (Linux) or PowerShell (Windows):
Linux: `jq -r '.emails[] | [., "email", "theHarvester"] | @csv' theh_result.json > emails.csv`
Windows PowerShell:
```powershell
Get-Content theh_result.json | ConvertFrom-Json | Select-Object -ExpandProperty emails | ForEach-Object { "$_,email,theHarvester" } | Out-File emails.csv
```
3. Import into REKOS:
`python rekos.py --import-csv emails.csv`
API Security Hardening:
– Store API keys in environment variables, never in REKOS database.
`export SHODAN_API_KEY="your_key"` (Linux) or `set SHODAN_API_KEY=your_key` (Windows cmd).
– Use a local proxy (e.g., mitmproxy or Burp Suite) to monitor and rate-limit outbound OSINT queries. Configure REKOS with `--proxy http://127.0.0.1:8080`.
– Implement request jitter by wrapping API calls: `python rekos.py --fetch-shodan --ip 8.8.8.8 --delay 5` (adds a 3-7 second random delay).
6. Cloud Hardening for REKOS Data Storage (Optional Sync)
While REKOS is local-first, you may sync encrypted case files to cloud backups. Use VeraCrypt or Cryptomator for encryption.
Encrypt REKOS case directory (Linux):
```bash
sudo apt install veracrypt

# Create container (size 1GB); veracrypt prompts for size, filesystem and password
veracrypt -c /path/to/rekos_cases.hc

# Mount the container, copy the case directory in, then dismount
sudo mkdir -p /mnt/rekos_mount
veracrypt /path/to/rekos_cases.hc /mnt/rekos_mount
cp -r ~/rekos/cases/ /mnt/rekos_mount/
veracrypt -d
```
Windows (using BitLocker or VeraCrypt):
Create a VHDX container, enable BitLocker, then mount before REKOS usage.
```powershell
# Create VHDX (Admin PowerShell), then initialize, partition and format it as drive R:
New-VHD -Path C:\REKOS_Encrypted.vhdx -SizeBytes 2GB -Dynamic
Mount-VHD -Path C:\REKOS_Encrypted.vhdx -PassThru |
  Initialize-Disk -PartitionStyle MBR -PassThru |
  New-Partition -DriveLetter R -UseMaximumSize |
  Format-Volume -FileSystem NTFS -NewFileSystemLabel REKOS_Cases

# Then enable BitLocker on R: (add a key protector such as -RecoveryPassword if manage-bde reports none)
Manage-bde -on R:
```
After mounting, point REKOS to the encrypted drive: `python rekos.py --config --data-dir R:\cases`.
7. Vulnerability Exploitation and Mitigation: REKOS’s Own Security Considerations
As a local evidence store, REKOS could be targeted by malware that exfiltrates `evidence.db`. Mitigate with host hardening.
Linux hardening commands:
```bash
# Restrict database permissions
chmod 600 ~/rekos/evidence.db

# Set immutable flag on critical case files (requires root); clear it with chattr -i before editing a case
sudo chattr +i ~/rekos/cases/*.db

# Monitor file integrity with AIDE
sudo apt install aide
sudo aideinit
sudo aide.wrapper --check | grep rekos
```
Windows hardening (PowerShell as Admin):
```powershell
# Disable SMBv1 and block inbound traffic to the REKOS port (if using the web UI variant)
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
New-NetFirewallRule -DisplayName "Block-REKOS-Inbound" -Direction Inbound -Protocol TCP -LocalPort 5000 -Action Block

# Use Sysmon to log access to the REKOS directory
Sysmon64.exe -accepteula -i sysmonconfig.xml
```
Mitigation for SQL injection: REKOS uses parameterized queries (verify in source). Always update: `git pull && pip install -r requirements.txt --upgrade`.
What Undercode Say:
– REKOS shifts OSINT from scattered browser tabs to a structured, command-line-first evidence graph, drastically reducing context switching for threat hunters.
– Its local-first design is a double-edged sword: absolute privacy and control, but no built-in collaboration—teams must implement their own encrypted sync or shared drive.
The analysis: REKOS fills a critical gap between ad-hoc OSINT note-taking and enterprise-grade platforms like Maltego (which can be overkill and costly). By storing everything in SQLite and GraphML, it integrates seamlessly with existing data science pipelines (pandas, networkx). However, the lack of a REST API means automation requires shell wrappers. For DFIR, the evidence hashing and chain-of-custody logs meet basic forensic requirements, but advanced users will want to extend REKOS with plugins for MISP or OpenCTI. The command-line interface may deter non-technical analysts, but for those comfortable with CLI, it offers unmatched speed and scriptability.
Expected Output:
After following the steps above, you will have a fully functional REKOS workspace with ingested indicators, correlated graphs, encrypted case storage, and hardened local security. Running `python rekos.py --report --format json` yields structured output that can be fed into SIEMs or SOAR platforms, enabling automated alerting when new indicators match existing case evidence.
Prediction:
+1 REKOS will become a standard component in open-source DFIR toolkits, alongside Autopsy and Volatility, as analysts demand privacy-preserving, auditable OSINT workflows.
-1 Without built-in team sync and API-driven automation, REKOS risks fragmentation—enterprises may opt for commercial alternatives unless the community adds federation features.
+1 The rise of local-first tools like REKOS signals a backlash against cloud-dependent SaaS, driving innovation in offline threat intelligence and reducing data leakage from third-party OSINT platforms.
IT/Security Reporter URL:
Reported By: [Syed Muneeb](https://www.linkedin.com/posts/syed-muneeb-shah-4b5424266_osint-threatintel-dfir-share-7469846620600229888-qZfi/) – Hackers Feeds