About Kirjuri

Kirjuri is a digital forensic evidence item management system. It is a web application designed to help forensic teams manage, track and report devices delivered for forensic examination. It was born in the Helsinki Police Department, which handles over a thousand devices annually. Managing these devices and keeping track of the changes and locations to all this material proved to be a difficult task, since no ready software suites for multi-user evidence device management existed.

Kirjuri was written from the ground-up with one task in mind - easing the clerical tasks of the forensic investigator by organizing devices under examination requests. It is easy to deploy on an internal network using a Linux-based virtual machine as a server. Kirjuri is being used by a number of private organizations and law enforcement agencies in a number of countries. The current public release for Kirjuri is 0.9.2 .

Kirjuri requires a web server with MySQL and PHP7 installed. Some performance issues have been noticed when running Kirjuri on a WAMP server, so installing on a Linux server is recommended.

Click here to try the Demo version

Main features


Installation and requirements

Kirjuri requires a web server with PHP7 and MySQL installed. You can install Kirjuri on your server by following these steps:

Additionally, it is advisable to configure your web browser to not allow direct access to cache, conf or logs folders. This can be achieved by adding the following directives to your web server:


  location ~ \.(conf|log|txt|local)$
    deny all;
    return 403;


  <Files ~ "(.js|.css)">
    Order allow,deny
    Deny from all

Updating to the latest release

Localizing Kirjuri

Important security information

Kirjuri is not designed to be installed on an internet-facing server. Forensic evidence and the metadata about the devices and findings is usually extremely sensitive information. It is strongly recommended that you install Kirjuri on an air-gapped network to serve your forensic examiners locally. Familiarize yourself with the software prior to installing it into a production environment. The developers accept no liability on possible security breaches caused by programming errors.

If absolutely you need to deploy Kirjuri over the internet, it is advisable to limit access by requiring VPN to access the site. Additionally you can configure your web server to require client certificates and whitelist IP-addresses on server level. Per-user and global application IP whitelists should be deployed both on Kirjuri itself and the server serving the application.

Even though care has been taken to protect Kirjuri from unauthorized use, XSS, CSRF, SQLi and other common vulnerabilites, the author will not accept any responsibility or liability on the security of this software. Kirjuri can be secure, if it is installed and used securely. A PHP application cannot be trusted to handle that for the administrator and configuring your production server is your responsibility.


Kirjuri has been released under the MIT License. See the GitHub repository for licensing details. Kirjuri uses Twig, HTMLPurify, Bootstrap CSS, Font Awesome, Freepik image resources, Chart.js, vis.js, TinyMCE editor and jQuery.


This software has been written by Antti Kurittu, who currently works as a senior specialist at the National Cyber Security Center of Finland (FICORA NCSC-FI). German localization work has been done by Dennis Schreiber. If you are interested in contributing, giving feedback or just letting me know you use and enjoy Kirjuri - please Send me an email! Want to try to hack Kirjuri? Use the demo installation here. The username is "hacker" and the password is "hunter2". Let me know if you find the secret and how you did it.

Kirjuri on GitHub Me on Twitter

Subscribe to our mailing list

* indicates required