Monthly report n⁰44 - 2025-11

Project overview

PiRogue Tool Suite (PTS) provides a platform combining analysis tools, knowledge management, incident response management, and artifact management, which allows civil society organizations with limited resources to equip themselves at a low cost. The project consists of an open source tool suite that provides a comprehensive mobile device forensics and digital investigations platform.

• Website: pts-project.org
• Email: hello [at] pts-project.org
• GitHub: Source code - Roadmap
• Get support: Discord
• Support us: OpenCollective

📢 Announcements

• The next community meeting will happen on Jan. 30 at 2pm CET.
• Data conversion between Colander, MISP, and STIX 2.1 is now supported!
• Threatr now supports MISP, self-host it!
• NimKat conducted a “crystal-box” audit of PiRogue, take a look at the full report for more details.
• Fill in the form to select the Android app for next month.
• To ensure we’re meeting your needs and expectations, we kindly ask you to complete a brief feedback form.

🎉 Impacts and results

This month delivered major technical improvements that make the PiRogue Tool Suite more interoperable, reliable, and efficient for investigators and analysts. We have removed barriers between PTS and the wider threat intelligence ecosystem. By improving the import / export capabilities of Colander, we ensure users are not locked into a single toolset.

Colander now supports importing knowledge from CSV, MISP, and STIX2 automatically merging new data with existing entities to enrich investigations. The new import/export mechanisms significantly streamline data exchange across tools such as Colander and MISP.

Threatr now supports MISP! It allows users to access aggregated and normalized threat data (from VirusTotal, Shodan, MISP, etc.) via a single API, providing a historical cache of Indicators of Compromise (IoCs).

Following a security audit by NimKat, we have successfully fixed all identified critical- and high-severity risks, significantly hardening PiRogue. We also deployed a security patch for old PiRogue images to enforce password expiration, ensuring that default credentials do not remain active on deployed systems.

📒 Activity report

You can find more details about the different activities in the project roadmap.

📦 US3 - Interoperability

The project seeks to enhance interoperability by enabling the import and export of knowledge in industry-standard format. This includes batch importing of knowledge, data interchange in MISP format, and the support for user-defined templates to generate custom knowledge feeds. PTS users must have the freedom to move their data and findings from and to other tools such as OpenCTI or MISP.

Overview of the different activities

• ✅ Import and export cases
• ✅ Import and export knowledge from/to MISP format
• ✅ Support user-defined templates to generate custom feeds
• ✅ Use HAR to store the decrypted network traffic

Import and export cases

This month

Case export

The import and export tools are now integrated into the case management page. Users can easily import and export cases allowing them to transfer cases from one organization to another. Cases are exported as Archives.

The archive manager is also available on the front page of each case. It allows the users to download an archive that has already been generated or request the creation of a new one. It produces zip archives with easy-to-understand names, e.g. Name of my case - 2025-11-27T18_36+00_00.zip.

Case import

The new archive tool allows the users to import a case they have previously downloaded.

The importer checks the integrity of the archive and shows the items that will be imported.

The import process can be monitored in real time. Once the import is complete, the user can import new archives.

Next month

Nothing, as this task is now complete.

Import and export knowledge from/to MISP format

This month

It’s now possible to share findings across multiple Colander servers, multiple MISP servers, and any other tools that support either JSON, MISP or STIX2 formats.

Colander Data Converter

colander_data_converter is a Python library that enables interoperability between cyber threat intelligence (CTI) platforms by converting structured threat data between different formats — notably MISP, STIX 2.1, and Colander. Colander data format is an opinionated data format focused on usability and interoperability.

It supports conversion between MISP, STIX 2.1, and Colander data formats. Check out the conversion matrix for more details. Data can be exported in CSV, Mermaid and Graphviz DOT formats. The library also supports user-defined templates.

One of the main objectives of this project is to minimize the loss of information between data formats. To improve the support of MISP, two new objects will be added to the MISP data model to include Colander Events and Colander Data Fragments. Check out the definition of these new MISP objects for more details.

This project is fully documented and tested achieving >90% of code coverage.

We warmly thank Raphaël Vinot from CIRCL and Yoyodyne IT for their invaluable help.

Threatr

Threatr is an API-first threat-intelligence aggregator that unifies data from platforms like VirusTotal, OTX, Shodan, Scarlet Shark, and MISP into a single, standardized format. It delivers consistent, enriched threat intelligence through a simple and powerful REST API. It aggregates and normalizes threat data from multiple providers in one place. Threatr delivers a consistent data model for fast, reliable analysis across security workflows. Threatr keeps a persistent cache of all intelligence collected about an Indicator of Compromise. Each lookup enriches and updates the stored data, giving long-term visibility into how an IoC evolves over time.

Check the documentation to learn how to self-host Threatr, how to configure MISP integration, and how to use Threatr API.

It has never been that easy to get aggregated and normalized threat-intelligence:

curl -X POST --location "[Threatr URL]" -H "Authorization: Token [Api-Key]" \
  -d "{
     \"super_type\": \"observable\",
     \"type\": \"sha256\", \
     \"value\": \"854774a198db490a1ae9f06d5da5fe6a1f683bf3d7186e56776516f982d41ad3\", \
     \"force\": false}"

Colander

Colander is a web-based case management, digital investigations and knowledge-building platform. It seamlessly integrates with PiRogue and other data sources, allowing users to structure their investigative findings, visualize complex relationships, collaborate securely with their team, and share findings with other organizations.

Import knowledge

Colander now supports the import of data from different formats such as MISP, STIX2 and CSV. Colander automatically merges imported data with the case entities. Check the documentation to know how Colander converts data from MISP and STIX2.

By default, the workspace Import proposes to import a Colander feed, but users can choose other formats like CSV, MISP or STIX2, load the file or paste JSON data (MISP event, STIX2 bundle or Colander feed).

To import data from a CSV file, users need to select the CSV file to load, select the entity type (e.g., Observable or Actor), and assign a subtype to each row (e.g., URL or Domain name). Finally, each column must be mapped it to the corresponding entity property (e.g., Name or Description). Any column data that does not match the Colander data model can be placed in the entity’s Extra attributes.

Share knowledge

Facilitating the exchange of knowledge among investigators, both within the same organization and across different organizations, is crucial for promoting learning and continuous improvement. This can be achieved through formal knowledge sharing feeds. Colander supports export feeds accessible via a password-protected URL giving access to the knowledge in different formats such as JSON, STIX2, MISP, CSV, dot/Graphviz, and Mermaid.

The workspace Feeds is dedicated to the management of knowledge feeds. Check the documentation to know how Colander converts data to MISP and STIX2.

Next month

Nothing, as this task is now complete.

Support user-defined templates to generate custom feeds

This month

Colander now supports template-based feeds. It uses Jinja to render user-defined templates Feed templates. Templates are rendered in a security sandbox which prevents them from accessing Python functions.

The template context exposes the variable feed which contains all entities stored in the case. You can find examples of templates on GitHub or check the documentation to learn more about the data structure.

Next month

Nothing, as this task is now complete.

📦 US101 - Maintenance

We manufacture PiRogues to supply organizations, while taking care of its maintenance. We will include OS upgrades, improvement of the documentation, and fixing bugs. Regarding Colander and Threatr, we maintain the public Colander server, upgrade dependencies, improve the documentation, and fix bugs.

This month

Since the fix for PiRogue images was released (2.3.0), new PiRogue systems deployed using our Pi images make it mandatory to update the password, so that the default one doesn’t stay. We’ve published a security patch for systems deployed prior to that get a similar behavior.

This patch detects systems deployed using our PiRogue OS images from specific releases (arm64_v2.0.0, arm64_v2.1.0, and arm64_v2.2.0). Those didn’t feature an expired password (new in arm64_v2.3.0), and a security audit flagged this as a problem needing a fix.

This is why we’re introducing the following scenario:

• when upgrading from pirogue-base versions strictly earlier than 2.0.6 (which introduces this check);
• when there is a line for the pi user in /etc/shadow;
• when this line matches one of the reference lines (extracted from affected images);
• then we conclude there were no changes regarding the password for the pi user, and we expire its password to force an update the next time it’s used.

Next month

We will continue the maintenance of the tools, Debian packages we maintain, and Colander ecosystem.

📦 US103 - Governance

This month

OTF’s Security Lab partner, NimKat, conducted a “crystal-box” audit of PTS. A crystal-box audit provides the tester with complete access to source code, system architecture, and documentation, allowing for a top-to-bottom security assessment of hardware and software elements. This comprehensive approach is essential given that PTS serves individuals in repressive information contexts who are often targeted by sophisticated, well-resourced authorities.

The security assessment encompassed comprehensive testing of network rules, system fingerprinting, vulnerability scanning, and exploitation attempts targeting the various components that comprise the PTS ecosystem. Auditors found one critical-severity risk (with the potential for systemic compromise) and two high-severity risks (with the potential for significant data exposure or unauthorized control). Upon retesting, auditors found that the PTS team fixed all critical- and high-severity vulnerabilities. Take a look at the full report for more details.

The next step for us with NimKat is to define the scope of Colander security audit.

We are actively engaging with potential new partners and grant opportunities. However, the landscape is competitive, and the timeline for securing such support is typically lengthy and uncertain. While we are doing our utmost to navigate this period and find new financial backing, the future remains precarious. If PTS is a valuable asset in your work, if it helps you conduct crucial investigations, research, or defend digital rights, we now earnestly ask for your support.

Next month

We will continue with our recurring activities.