Configuration

DFIRe is configured through the web-based System Settings interface. This guide covers all available configuration options.

Default Settings: New DFIRe instances are initialized with preconfigured case types, evidence types, workflow steps, and compliance timers. You can download the default settings file (JSON) to review the baseline configuration or use it to reset your instance to factory defaults via Settings → Import/Export.

Accessing System Settings

To access System Settings, click the gear icon in the application header. Access to the Settings page requires the edit_tenant permission. Superusers have full access to all settings tabs.

Settings are organized into tabs based on functionality. The tabs visible to you depend on your permissions:

Tab | Access Level | Description
Tenant | Superuser only | Organization identity, data lifecycle, report customization
Storage | Superuser only | File storage backend configuration
Collaboration | Superuser only | Slack integration settings
Single Sign-On | Superuser only | OIDC identity provider configuration
License | Superuser only | License management and activation
Log Sender | Superuser only | Audit log forwarding to external systems
Webhooks | Delegatable | Outgoing and incoming webhook configuration
Workflow | Delegatable | Investigation step definitions
Lifecycle | Delegatable | Incident response phase definitions
Report Sections | Delegatable | Report section templates
Compliance Timers | Delegatable | Regulatory deadline tracking
User Accounts | Delegatable | Local user management
Entities | Delegatable | Legal entity management
Flags | Delegatable | Evidence item flag definitions
Projects | Delegatable | Project management
Case Types | Delegatable | Case type schemas and action templates
Evidence Types | Delegatable | Evidence type schemas

Tenant Settings

The Tenant tab contains organization-wide configuration organized into three sub-tabs:

Identity

  • Organization Name: Your organization's display name
  • Contact Email: Used for license server communication

Lifecycle

  • Default Data Retention (Days): How long closed cases are retained before action
  • Removal & Purge Policy:
    • Manual Purge Only: Cases must be manually deleted
    • Automatic Archive: Cases are automatically archived after retention period
    • Automatic Permanent Delete: Cases are automatically deleted after retention period

Reporting

  • Report Logo: Upload your organization's logo (PNG or JPEG, max 500KB) to display on the title page of printable reports
  • Title Page Disclaimer: Custom text that appears at the bottom of report title pages (e.g., confidentiality notices)

Configuration Import/Export

The Identity sub-tab also includes Data Portability features:

  • Export JSON: Download a complete backup of all system configuration (groups, types, flags, phases, webhooks, etc.)
  • Import JSON: Restore or migrate configuration from a previously exported file

Before importing, DFIRe shows a preview of what will be added, updated, or removed.

Storage Backend

DFIRe supports three storage backends for file attachments. All files are encrypted with AES-256-GCM regardless of which backend you choose.

Local Filesystem

Stores files on the server's local disk. Always available and requires no additional configuration.

  • Storage Quota (GB): Optional limit on total storage usage

S3-Compatible Storage

Works with AWS S3, MinIO, Backblaze B2, and other S3-compatible services.

  • Endpoint URL: Leave empty for AWS S3, or specify your S3-compatible endpoint
  • Region: AWS region (e.g., us-east-1)
  • Bucket Name: The S3 bucket to use
  • Access Key ID / Secret Access Key: AWS credentials with bucket access
  • Use SSL/TLS: Enable HTTPS connections
  • Verify SSL certificates: Validate SSL certificates (disable only for testing)
  • Storage Quota (GB): Optional limit on total storage usage

SMB/CIFS File Share

Stores files on Windows file shares, Samba servers, or NAS devices.

  • Hostname / IP: Server address
  • Share Name: The network share name
  • Username / Password: Credentials with read/write access
  • Domain: Windows domain (or WORKGROUP for local accounts)
  • Storage Quota (GB): Optional limit on total storage usage

Testing Storage

Before activating a storage backend:

  1. Configure the connection settings
  2. Click Quick Test to verify connectivity
  3. Click Full Test (Verify Encryption) to test file upload, download, encryption verification, and cleanup
  4. Once the full test passes, click Set as Active to start using the backend

Important: Changing the active storage backend does not migrate existing files. Ensure all cases are closed and files are backed up before switching backends.

Collaboration (Slack)

DFIRe integrates with Slack for real-time case collaboration, message capture, and team coordination.

Features

  • Automatic channel creation for cases
  • Message and file capture from Slack to case timeline
  • /dfire slash commands for case management
  • User account linking between DFIRe and Slack
  • Reaction-based message capture (pin messages with reactions)

Setup

The setup wizard provides two options:

  1. Quick Setup: Copy the provided App Manifest JSON and paste it when creating a new Slack app from manifest
  2. Detailed Setup: Step-by-step guide for manual configuration including OAuth scopes, event subscriptions, and slash commands

Credentials

  • Bot User OAuth Token: Starts with xoxb-, found in OAuth & Permissions
  • Signing Secret: Found in Basic Information → App Credentials
  • App ID: Optional, for reference

Channel Settings

  • Channel Prefix: Prefix for auto-created channels (e.g., the prefix "case" creates #case-2025-001-incident-name)
  • Command Channel: Public channel where /dfire create commands are allowed
  • Frontend URL: Your DFIRe URL for generating clickable links in Slack notifications
  • Create private channels by default: Toggle channel visibility
  • Auto-create channels when cases are created: Automatic channel creation

See Webhooks for additional Slack notification options.

Single Sign-On (OIDC)

DFIRe supports any OpenID Connect (OIDC) compliant identity provider for single sign-on authentication.

Supported Providers

Built-in templates are available for:

  • Google Workspace
  • Microsoft Entra ID (formerly Azure AD)
  • Okta
  • Any custom OIDC provider

Configuration

  1. Click Add Provider and select a template or choose Custom OIDC Provider
  2. Enter the Discovery URL (the .well-known/openid-configuration endpoint)
  3. Click Validate to verify the discovery URL
  4. Enter the Client ID and Client Secret from your identity provider
  5. Copy the Redirect URI shown and configure it in your identity provider's application settings
  6. Select a Default Role for new users created via SSO
  7. Click Save Configuration
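
Before entering a Discovery URL, the document it serves can be checked independently. The following is an added example, not DFIRe's own validation logic: it checks an already-fetched discovery document against the required fields of OpenID Connect Discovery 1.0, the issuer match, and HTTPS endpoints. The hostnames and sample documents are constructed placeholders.

```python
from urllib.parse import urlsplit

SUFFIX = "/.well-known/openid-configuration"
# Provider metadata fields that OpenID Connect Discovery 1.0 marks REQUIRED
# (token_endpoint is required for the authorization code flow).
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")

def check_discovery(discovery_url, doc):
    """Return a list of problems found in an already-fetched discovery document."""
    if not discovery_url.endswith(SUFFIX):
        return ["discovery URL does not end with " + SUFFIX]
    expected_issuer = discovery_url[:-len(SUFFIX)]
    problems = ["missing required field: " + k for k in REQUIRED if k not in doc]
    # The issuer must be the URL the document was served from; a mismatch means
    # ID tokens would carry an 'iss' the relying party is not expecting.
    issuer = doc.get("issuer")
    if not isinstance(issuer, str) or issuer.rstrip("/") != expected_issuer:
        problems.append("issuer %r does not match %r" % (issuer, expected_issuer))
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(key)
        if isinstance(value, str) and urlsplit(value).scheme != "https":
            problems.append(key + " is not an https URL")
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("provider advertises unsigned ID tokens (alg 'none')")
    return problems

# Constructed sample documents (idp.example.com is a placeholder, not a real IdP).
GOOD_URL = "https://idp.example.com/.well-known/openid-configuration"
GOOD_DOC = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "jwks_uri": "https://idp.example.com/keys",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
# Same document served from a different host, with a plaintext key URL.
BAD_URL = "https://login.example.net/.well-known/openid-configuration"
BAD_DOC = dict(GOOD_DOC, jwks_uri="http://idp.example.com/keys")

if __name__ == "__main__":
    for url, doc in ((GOOD_URL, GOOD_DOC), (BAD_URL, BAD_DOC)):
        print(url, "->", check_discovery(url, doc) or "OK")
```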

Application Base URL

Set this to your public URL (e.g., https://dfire.example.com) to ensure correct callback URLs. If left empty, DFIRe will attempt to auto-detect from request headers.

Tip: Access control (who can log in) should be configured in your identity provider. DFIRe will accept any authenticated user from enabled providers.

See Single Sign-On for detailed provider-specific setup guides.

License Management

The License tab shows your current license status and allows you to manage your DFIRe license.

License Status

The status card shows:

  • Active License: License is valid and verified
  • Trial Period: Operating in trial mode (30 days)
  • License Expired: License has expired, application is read-only
  • Offline License Mode: Using an offline license for air-gapped environments

License Server Connection

For online licenses, the status shows:

  • Registration status with the license server
  • Last check-in time
  • Installation information transmitted during check-ins

Activating a License

  1. Obtain a license key from contact@dfire.fi
  2. Enter the license key in the format DFIRE-XXXX-XXXX-XXXX-XXXX
  3. Click Activate

Offline Licensing

For air-gapped environments that cannot connect to the license server:

  1. Copy the Installation ID shown in the Offline License section
  2. Contact contact@dfire.fi to request an offline license
  3. Upload the .dfire-license file provided

Note: Offline licenses are bound to a specific installation and cannot be transferred. There is no extra cost for offline licensing.

Privacy Settings

Send usage statistics: When enabled, sends aggregated counts (users, cases, evidence items) to the license server. Organization name, contact email, and version information are always sent for license validation.

Webhooks

Webhooks enable integration with external systems by sending HTTP requests when events occur in DFIRe.

Outgoing Webhooks

Send notifications to external systems (SIEMs, ticketing systems, notification services) when:

  • Cases are created, updated, or status changes
  • Evidence items are added or modified
  • Timeline events are recorded
  • Incidents change phases
  • And other configurable events

Each webhook can be configured with:

  • Endpoint URL: The target URL to receive webhook payloads
  • Event Types: Which events trigger the webhook
  • Authentication: None, Basic Auth, Bearer Token, or Custom Headers
  • Payload Template: Custom JSON payload using template variables
  • Value Mappings: Transform field values (e.g., severity levels to ticket priorities)
  • Signing Secret: HMAC-SHA256 signing for payload verification
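
A receiver-side check for the Signing Secret option, added here as an example and not taken from DFIRe. It assumes the signature is the hex HMAC-SHA256 of the raw request body; the header that carries it, the encoding, and the sample event payload are assumptions to confirm against the Webhooks guide.

```python
import hashlib
import hmac
import json

# Assumption: the sender transmits a hex HMAC-SHA256 digest of the raw body.

def sign(secret: bytes, raw_body: bytes) -> str:
    """Compute the hex HMAC-SHA256 of the body (sender side, used for the demo)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()

def verify(secret: bytes, raw_body: bytes, received_sig: str) -> bool:
    """Recompute the MAC over the raw bytes and compare in constant time."""
    if not received_sig:
        return False  # unsigned requests are rejected, never treated as valid
    expected = sign(secret, raw_body).encode("ascii")
    candidate = received_sig.strip().lower().encode("utf-8")
    # compare_digest does not leak how many leading bytes matched
    return hmac.compare_digest(expected, candidate)

# Constructed sample request; the secret, event name and fields are placeholders.
SECRET = b"constructed-demo-secret"
RAW = b'{"event": "case.created",  "case_id": 42}'  # note the double space
SIG = sign(SECRET, RAW)

def demo() -> dict:
    # Parsing and re-serializing changes the bytes, so the MAC no longer
    # matches: verify the body exactly as received, before any JSON handling.
    reserialized = json.dumps(json.loads(RAW)).encode()
    return {
        "raw_ok": verify(SECRET, RAW, SIG),
        "reserialized_ok": verify(SECRET, reserialized, SIG),
        "tampered_ok": verify(SECRET, RAW.replace(b"42", b"43"), SIG),
        "missing_sig_ok": verify(SECRET, RAW, ""),
    }

if __name__ == "__main__":
    print(demo())
```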

Webhook Secrets

Store reusable secrets (API keys, tokens) that can be referenced in webhook configurations.

Incoming Webhooks

Allow external systems (SOAR platforms, monitoring tools) to create cases in DFIRe via authenticated HTTP requests.

See Webhooks for detailed configuration examples.

Workflow Configuration

Define the stages of your investigation and incident response processes.

Investigation Workflow

Investigation steps define the stages of your digital forensic process. Each step has:

  • Order: Determines display order (use gaps like 10, 20, 30 for easy reordering)
  • Name: Step name (e.g., "Intake", "Analysis", "Reporting")
  • Description: What happens during this step

Incident Response Lifecycle

Incident phases define the stages of your incident response process (typically based on NIST). Each phase has:

  • Order: Determines display order
  • Name: Phase name (e.g., "Detection", "Containment", "Eradication")
  • Description: What happens during this phase
  • Color: Visual identifier for the phase

See Workflow Configuration for best practices.

Case and Evidence Types

Define the structure of your cases and evidence items through customizable schemas.

Case Types

Each case type defines:

  • Name: Display name (e.g., "Security Incident", "Malware Analysis")
  • Custom Fields: Additional data fields specific to this case type
  • Action Template: Pre-defined checklist items for incident response cases

Evidence Types

Each evidence type defines:

  • Name: Display name (e.g., "Mobile Phone", "Hard Drive", "Memory Dump")
  • Icon: Visual identifier for the evidence type
  • Custom Fields: Additional data fields specific to this evidence type

Custom Fields

Both case and evidence types support custom fields with:

  • Text, number, date, dropdown, and multi-select field types
  • Required or optional fields
  • Default values
  • Field ordering

See Case Types and Evidence Types for detailed configuration.

Additional Settings

Report Section Templates

Define reusable sections for investigation reports. Each template has a slug (identifier), title, and default content that can be customized per case.

Compliance Timers

Track regulatory deadlines (e.g., GDPR 72-hour breach notification). See Compliance Timers for details.

User Accounts

Manage local user accounts (for environments not using SSO). See User Management.

Legal Entities

Define organizations that may be involved in cases (clients, suspects, etc.).

Item Flags

Create custom flags to categorize evidence items (e.g., "Needs Review", "Priority", "Encrypted").

Projects

Group related cases together under projects for better organization.