Short presentation about CinCan & Advent calendar

Writer: Karoliina Kemppainen

In the Cincan project we have recognised the most useful investigation tools by interviewing digital forensic professionals. A part of this project has been creation of docker images of those tools []. Currently we have dockerized over 60 different tools.

This christmas we are going to present you the 24 most loved analysis tools selected by security specialists. Each day we will present new forensics tool and how it can be easily used with our command line tool called cincan.

CinCan is INEA/CEF funded project worked on by NCSC-FI, JAMK University of Applied Sciences & University of Oulu. CinCan team aims to create semi automatic analysis pipelines and ease workflows of the digital forensics investigators.

Follow us

Advent calendar posts can be found from here (CinCan blog) and from Twitter

More information about this project can be found from &&

If you have anything to ask, please don’t hesitate to contact us:

Cincan tool

Full instructions and source code can be found from

CinCan command

The tool cincan command provide for a convenient use of the native command-line tools provided as docker images.

:warning: Currently the tool is a proof-of-concept under construction.


As prerequisite you must have installed Docker for running the tools, and Python 3 and pip Python package management program for the command program. Consult your system documentation how to install them.

The command program is then installed using pip for Python 3:

% sudo pip install cincan-command

If you invoke the pip installation with sudo the command cincan should be added to your path. Otherwise, you may need to do that yourself.

NOTE: You may want to install the tool into virtualenv to avoid conflicts with other Python applications you may have. Please consult appropriate documentation.

You can check that all works as follows:

% cincan list

If all goes well you get a list of the tools dockerized in the 'Cincan' project. However, you can use any dockerized tools as long as they meet the requirements listed in the end of this document. First time running this will take a while as it must fetch information of the tools and cache it locally.

Running tools with cincan

Invoking tools

A tool can be invoked with cincan using 'run' sub-command like this:

% cincan run <tool> <parameters..>

As you may remember you get the list of tools dockerized in 'CinCan' project with cincan list. For example the tool cincan/pywhois:

% cincan run cincan/pywhois

Many tools give you help information, if you invoke them without arguments, for example:

% cincan run cincan/tshark

More help is available with options like -h or --help, depending on the tool.

More detailed instructions and source code can be found from

Please feel welcome to follow us and our advent calendar project!