DFIRVault

SFTP Monitor Tool

In digital forensics and incident response (DFIR), one recurring pain point I’ve seen is managing the secure transfer of evidence and log data between environments. Whether it’s pulling artifacts from a live system, sharing files between analysts, or syncing results back into a central repository, SFTP is often the go-to choice for secure file movement.

But here’s the problem: most teams still rely on manual polling or ad-hoc scripts to keep things in sync. That wastes time, creates blind spots, and risks missing important uploads or deletions.

That’s why I built SFTPMonitor.


What’s Inside

SFTPMonitor is a lightweight Python tool designed to watch remote directories over SFTP and automatically download, upload, or synchronize files. It’s been built with DFIR and security operations in mind, but it’s flexible enough to be used for any secure file monitoring workflow.

Key features:

✅ Automated Monitoring – Watches a remote directory and syncs changes locally.
✅ Two-Way Sync – Optionally upload local changes back to the server.
✅ Live Feedback – A countdown shows you when the next sync is happening.
✅ Local Logging – Every action (download, upload, delete, failure) is timestamped in sync_log.txt.
✅ Secure – Uses Paramiko for encrypted SFTP connections; credentials are never stored in logs.
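
As an added illustration (not the sftpmonitor project's own code), here is the snapshot-diff core of such a polling loop in Python: each cycle lists the remote directory through Paramiko, works out what changed, and appends a timestamped line to sync_log.txt, with a SHA-256 of every downloaded file so the log also serves as a chain-of-custody record. The function names, the log line format and the paramiko.SFTPClient handed to poll_once are assumptions; remote deletions are only logged, the local copy is kept.

```python
import hashlib
import stat
from datetime import datetime, timezone
from pathlib import Path

# A snapshot maps filename -> (size, mtime), taken from SFTPAttributes (st_size, st_mtime).
def diff_listing(previous, current):
    """Return [(action, name)]: 'download' for new or changed files, 'delete' for vanished ones."""
    actions = [("download", n) for n, meta in sorted(current.items())
               if previous.get(n) != meta]
    actions += [("delete", n) for n in sorted(previous) if n not in current]
    return actions

def format_log_line(action, name, status, sha256=None, stamp=None):
    """One audit line for sync_log.txt; credentials and host details never appear here."""
    stamp = stamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    line = f"{stamp} {action.upper()} {name} {status}"
    return line + (f" sha256={sha256}" if sha256 else "")

def sha256_file(path):
    """Hash the downloaded copy so the log doubles as a chain-of-custody record."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def poll_once(sftp, remote_dir, local_dir, previous, log_path="sync_log.txt"):
    """One polling cycle. `sftp` is a paramiko.SFTPClient (assumed) opened from an
    SSHClient configured with RejectPolicy() so unknown host keys fail the connection."""
    current = {a.filename: (a.st_size, int(a.st_mtime))
               for a in sftp.listdir_attr(remote_dir)
               if a.st_mode is not None and stat.S_ISREG(a.st_mode)}
    lines = []
    for action, name in diff_listing(previous, current):
        # Path(name).name keeps a hostile listing entry like "../x" inside local_dir.
        local = Path(local_dir) / Path(name).name
        if action == "download":
            try:
                sftp.get(f"{remote_dir}/{name}", str(local))
                lines.append(format_log_line(action, name, "ok", sha256_file(local)))
            except OSError as exc:
                lines.append(format_log_line(action, name, f"failed ({exc})"))
        else:
            lines.append(format_log_line(action, name, "removed on remote"))
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.writelines(l + "\n" for l in lines)
    return current, lines
```

Call poll_once in a loop with the returned snapshot fed back in as `previous`, sleeping for the sync interval between cycles.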


Why Build It?

During investigations, I often need to:

  • Collect logs and evidence from remote machines without missing files.

  • Keep forensic images synchronized between lab systems.

  • Audit file transfers with a clear chain of custody.

Existing tools were either too heavy, too cloud-focused, or lacked the visibility needed for DFIR workflows. SFTPMonitor fills that gap by staying lean, transparent, and purpose-built for practical incident response.


How It Works

  1. Run the standalone binary, which needs no Python install: a simple double-click solution.
  2. Or run the Python script:
    1. Install the dependencies (pip install paramiko watchdog).
    2. Clone the repo:

      git clone https://github.com/dfirvault/sftpmonitor.git
      cd sftpmonitor

    3. Run the script and point it at your SFTP server.
    4. Watch the console countdown and the log file for actions.


Use Cases

🔎 DFIR Collections – Analysts can continuously monitor suspect systems for new logs, evidence dumps, or malware artifacts.

📦 Secure Evidence Handling – Keep forensic data synchronized between acquisition and analysis environments without manual copying.

⚡ Ops & Automation – Use it as a general-purpose SFTP sync engine for servers, backups, or config management.


Final Thoughts

This project started from a simple need: stop manually refreshing SFTP sessions during investigations. It’s now grown into a tool I use in real engagements, and I’m making it open source for the wider community.

If you want to check it out, the code and documentation are here:
👉 https://github.com/dfirvault/sftpmonitor/
