Closed Jymit closed 4 years ago
https://github.com/google/grr
https://grr-doc.readthedocs.io/en/latest/installing-grr-server/from-release-deb.html
"GRR server debs are built for Ubuntu Xenial" AKA Ubuntu 16.04.6 LTS (Xenial Xerus)
DigitalOcean
TBD
https://github.com/log2timeline/plaso
Super timeline all the things
https://plaso.readthedocs.io/en/latest/sources/user/Ubuntu-Packaged-Release.html
Log2Timeline
Plaso
https://digital-forensics.sans.org/media/Plaso-Cheat-Sheet.pdf
log2timeline
log2timeline is a command line tool to extract events from individual files, recursing a directory (e.g. mount point) or storage media image or device. log2timeline creates a plaso storage file which can be analyzed with the pinfo and psort tools.
The plaso storage file contains the extracted events and various metadata about the collection process alongside information collected from the source data. It may also contain information about tags applied to events and reports from analysis plugins.
Ubuntu
sudo add-apt-repository ppa:gift/stable
sudo apt-get update
sudo apt-get install plaso-tools
dd if=/dev/vda1 of=capture.img conv=noerror,sync
Ctrl+C, 501 MB file
log2timeline.py output.plaso capture.img
file capture.img
capture.img: Linux rev 1.0 ext4 filesystem data, UUID=48e3b830-ff84-4434-ac74-b57b2ca59842, volume name "cloudimg-rootfs" (needs journal recovery) (extents) (64bit) (large files) (huge files)
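The imaging and timeline steps above, wrapped in a script that also hashes the image, records its `file` signature and exports the sorted timeline as CSV. This is an added example, not code from the issue or from the plaso project; it assumes coreutils dd with sha256sum (or shasum), and runs log2timeline.py/psort.py only when plaso-tools is installed.

```shell
#!/bin/sh
# Added example: image a device (or file) with dd, verify by hash, then build
# a plaso storage file and a CSV super timeline from it.
# Caveat: imaging a mounted filesystem from the running host gives an
# inconsistent snapshot (ext4 then reports "needs journal recovery", as in the
# `file` output above); prefer a disk snapshot or a stopped instance.

hash_file() {
    # SHA-256 of a file, coreutils/busybox or BSD flavour
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

image_device() {
    # conv=noerror,sync must not contain a space: "conv=noerror, sync" makes
    # dd reject "sync" as a stray operand. ibs=512 keeps zero padding of
    # unreadable sectors to sector size; obs keeps writes large.
    src="$1"; dest="$2"
    dd if="$src" of="$dest" ibs=512 obs=1M conv=noerror,sync || return 1
    dest_hash=$(hash_file "$dest")
    printf '%s  %s\n' "$dest_hash" "$dest" > "$dest.sha256"
    # A mismatch means unreadable sectors were padded (or the source changed
    # underneath us); record it rather than silently trusting the image.
    [ "$(hash_file "$src")" = "$dest_hash" ]
}

build_timeline() {
    # log2timeline.py writes the plaso storage file; psort.py sorts and
    # exports it (l2tcsv is plaso's classic CSV timeline format).
    img="$1"; store="${img%.img}.plaso"; csv="${img%.img}.csv"
    command -v log2timeline.py >/dev/null 2>&1 || {
        echo "plaso-tools not installed; skipping timeline" >&2; return 2; }
    log2timeline.py --storage_file "$store" "$img" || return 1
    psort.py -o l2tcsv -w "$csv" "$store"
}

main() {
    # usage: sh image_and_timeline.sh /dev/vda1 capture.img
    image_device "$1" "$2" || echo "WARNING: hash mismatch for $2" >&2
    file "$2" > "$2.file.txt" 2>/dev/null || true   # keep the signature
    build_timeline "$2"
}

[ "$#" -eq 0 ] || main "$@"
```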
https://github.com/log2timeline/dftimewolf
A framework for orchestrating forensic collection, processing and data export
https://dftimewolf.readthedocs.io/en/latest/getting-started.html
Ideally you’ll want to install dftimewolf in its own virtual environment.
$ git clone https://github.com/log2timeline/dftimewolf.git && cd dftimewolf
$ pip install -r requirements.txt
$ pip install -e .
If you want to leverage other modules such as log2timeline, you'll have to install them separately and make them available in your virtual environment.
You can then invoke the dftimewolf command from any directory.
You can still use python setup.py install or pip install -e . if you’d rather install dftimewolf this way.
Quick how-to
dfTimewolf is typically run by specifying a recipe name and any arguments the recipe defines. For example:
$ dftimewolf local_plaso /tmp/path1,/tmp/path2 --incident_id 12345
https://github.com/osquery/osquery
SQL powered operating system instrumentation, monitoring, and analytics. https://osquery.io
osquery is a universal endpoint agent that was developed by Facebook in 2014.
Kolide
https://www.kolide.com/pricing
Kolide Fleet. Open Source Osquery Manager. Write queries on the fly. Explore live results.
https://github.com/aol/moloch
Moloch is an open source, large scale, full packet capturing, indexing, and database system. http://molo.ch
https://github.com/aol/moloch#install
https://github.com/google/turbinia
Automation and Scaling of Digital Forensics Tools
https://github.com/google/turbinia/blob/master/docs/install.md
https://github.com/google/turbinia/blob/master/docs/install.md#gcp-project-setup
https://github.com/forseti-security/forseti-security
A community-driven collection of open source tools to improve the security of your Google Cloud Platform environments.
https://forsetisecurity.org/