angry-bender / forensicssetup

An open source project aimed to replicate the Windows SIFT Machine and tools used during SANS Courses minus any payware software.
GNU General Public License v3.0

Offering assistance [FQ] #38

Closed digitalsleuth closed 10 months ago

digitalsleuth commented 1 year ago

Is your feature request related to a problem? Please describe.
Not related to a problem - offering assistance!

Describe the solution you'd like
Not sure if you remember me, but we've spoken a few times on the SIFT GitHub page (I tend to contribute there a bit). Stumbled across this today and realized you've been working on a similar tool to the one I created a while ago and thought you might be interested in taking a look at it to see if it helps you with yours. It's at https://github.com/digitalsleuth/winfor-salt and installs all of the tools using SaltStack, and uses a PowerShell-based script to conduct the installation.

Let me know if you're interested in collaboration, or of course feel free to use what I've created and customize it for your needs if it helps.

Cheers! ds

angry-bender commented 1 year ago

Hi @digitalsleuth

Thanks for offering assistance here.

It could be a good idea to migrate the packages I managed to get from https://github.com/angry-bender/forensicssetup/blob/master/packages.json across to WINFOR-SALT.

One of the issues I have in maintaining this project is the amount of time I need to dedicate to keeping links up to date to plug into PowerShell, particularly where tools are not maintained on GitHub. This is one of the reasons I haven't had the chance to get newer tools migrated into this project.

It's been a while since I have looked at SaltStack, but what do you see as the best way we could migrate the packages.json across to a SaltStack format? Once we can figure that one out, I'd be happy to take that logic and add the tools from https://github.com/angry-bender/forensicssetup/issues/23

digitalsleuth commented 1 year ago

Hi @angry-bender, most of the tools from your packages.json are already available in my custom SaltStack repo and are easily installed with minimal customization. As for the rest of them, they should be pretty quick to configure, and are easy to maintain. I'll do up a mock-up for you and add it here when I'm done.

angry-bender commented 1 year ago

Awesome, happy to help migrate if you like. Does SaltStack cache installers, or does it fetch them from a known URL?

digitalsleuth commented 1 year ago

Hey, sorry for the delay in getting back to you, just getting a chance to sit back at the computer again. To answer your questions, yes, SaltStack fetches the installers from the URL you identify, and also downloads from URLs defined upstream, then caches those installers during runtime. In order to free up space, the cache can be cleared so all previous installers are removed.

The URL can be configured with variable portions, so that instead of updating a URL all of the time, you can simply either update the hash value, or the version, and easily set up workflows to run on a regular basis to query if there is a new version. Then you simply just need to change a single version number or hash value and generate a new release.

For an upstream example, you can take a look at the adobereader state in Win-FOR which basically says "install this", and installs it from my upstream salt-winrepo-ng repo. This is accomplished by adding a state which adds the repo, then the pkg.installed command looks at the repo and installs.

For a configuration example, you can look at evtx-dump and see the scripting which can be done to simply modify a version or hash to set the new release.

As for the migration to Saltstack, I'll give you the mock-up for WINSIFT to show you how it lays out and executes, then you can adjust the states and configuration more to your specification. I'll attach it to a comment here in the next hour or so, and provide you with the instructions to execute and test.
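Added example (editor's illustration, not code from this thread, forensicssetup or winfor-salt): the "change one version number or hash value" pattern described above, written as a small PowerShell routine rather than a Salt state. A manifest entry pins a version and a SHA256, the version is expanded into a URL template, a cached installer is reused only when its hash still matches, and a download whose hash does not match is deleted instead of being handed to an installer. The package name, URL template and hash values are constructed placeholders; the demonstration at the bottom runs offline against a fake installer file in the temp directory.

```powershell
# Added example: version-templated URL plus SHA256 pinning for a cached installer.
# Names, URLs and hashes are constructed placeholders, not real packages.

function Resolve-PackageUrl {
    param([Parameter(Mandatory)] [pscustomobject] $Package)
    # Only the version changes between releases, so the manifest carries a
    # template and we substitute the pinned version here.
    return $Package.UrlTemplate.Replace('{version}', $Package.Version)
}

function Test-InstallerHash {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    return $actual -ieq $ExpectedSha256
}

function Get-Installer {
    param(
        [Parameter(Mandatory)] [pscustomobject] $Package,
        [Parameter(Mandatory)] [string] $CacheDir
    )
    $url  = Resolve-PackageUrl -Package $Package
    $dest = Join-Path $CacheDir ("{0}-{1}{2}" -f $Package.Name, $Package.Version, [IO.Path]::GetExtension($url))

    # Cache hit: same name and version on disk and the hash still matches.
    if (Test-InstallerHash -Path $dest -ExpectedSha256 $Package.Sha256) {
        Write-Host "cache hit: $dest"
        return $dest
    }

    # Cache miss, or a cached file that no longer matches: fetch a fresh copy.
    New-Item -ItemType Directory -Force -Path $CacheDir | Out-Null
    Invoke-WebRequest -Uri $url -OutFile $dest
    if (-not (Test-InstallerHash -Path $dest -ExpectedSha256 $Package.Sha256)) {
        Remove-Item -LiteralPath $dest -Force -ErrorAction SilentlyContinue
        throw "SHA256 mismatch for $($Package.Name) $($Package.Version) from $url; refusing to install"
    }
    return $dest
}

# --- offline demonstration with a constructed installer file -------------------
$cache = Join-Path ([IO.Path]::GetTempPath()) 'installer-cache-demo'
New-Item -ItemType Directory -Force -Path $cache | Out-Null

# Pretend a previous run already cached "exampletool-1.2.3.zip".
$fake = Join-Path $cache 'exampletool-1.2.3.zip'
Set-Content -LiteralPath $fake -Value 'constructed installer bytes' -NoNewline
$goodHash = (Get-FileHash -LiteralPath $fake -Algorithm SHA256).Hash

# Constructed manifest entry; the hash is filled in from the fake file above.
$manifest = @(@'
[
  { "Name": "exampletool", "Version": "1.2.3",
    "UrlTemplate": "https://example.invalid/exampletool/v{version}/exampletool-{version}.zip",
    "Sha256": "PLACEHOLDER" }
]
'@ | ConvertFrom-Json)
$manifest[0].Sha256 = $goodHash

Resolve-PackageUrl -Package $manifest[0]               # version expanded into the URL
Get-Installer -Package $manifest[0] -CacheDir $cache   # cache hit, nothing downloaded

# Bumping the pinned hash without a new file is a mismatch: the cached copy is
# rejected, and the fetch that would follow fails loudly rather than installing.
$manifest[0].Sha256 = ('0' * 64)
Test-InstallerHash -Path $fake -ExpectedSha256 $manifest[0].Sha256   # False
```

The point of keeping the hash in the manifest rather than only the URL is that a release workflow that bumps the version must also supply the new hash, so a file swapped at the download location (or a cached copy that was tampered with) is rejected before anything runs it.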

angry-bender commented 1 year ago


No dramas at all, it might take me a little while to get to this one, so no rush from me.

digitalsleuth commented 1 year ago

Hey @angry-bender, I've created a basic outline of the tools you have listed, just without customization, and I've attached them here.

In order to test / run these, you can follow the steps here:

Let me know what you think, and let me know if there's anything you need!

winsift.zip

angry-bender commented 1 year ago

Thanks so much, apologies been a very busy couple of weeks. I'll take a look this weekend 🙂

angry-bender commented 1 year ago


@digitalsleuth Looking somewhat good, however it looks like the packages didn't install in this case. I've also added Hayabusa as a standalone tool. We're also missing Arsenal and VS Code by the looks of it too.

Can we make some shortcuts by tool category on the desktop? That can be done with PowerShell and a JSON file with something like

```powershell
$WshShell = New-Object -ComObject WScript.Shell
# CreateShortcut does not create the category folder; Save() fails if it is missing
New-Item -ItemType Directory -Force -Path "C:\Users\Public\Desktop\Disk Tools" | Out-Null
$Shortcut = $WshShell.CreateShortcut("C:\Users\Public\Desktop\Disk Tools\ftk.lnk")
$Shortcut.TargetPath = "C:\Program Files\AccessData\Ftk imager\Ftk imager.exe"
$Shortcut.Save()
```

Just with a foreach loop over the JSON file. Alternatively, there might be something in SaltStack that could do the same?

angry-bender commented 1 year ago


Nirsoft tools also seem to be broken at the moment

digitalsleuth commented 1 year ago

Hey @angry-bender , I'm just noticing your comment here about hayabusa, but noticed a PR over at the winfor-salt repo. Perhaps you meant to add it here?

As for the shortcut, you can do this in SaltStack by using the file.shortcut module, as seen in the Cyberchef state. If you're looking to add the shortcuts en masse, then you might want to take a look at the theme state where I create folders for the shortcuts, then place the shortcuts in the folders, but only if the application is installed (avoiding any error-outs).

As for Nirsoft, I can update that in a few minutes, it looks like there was an update a couple of days ago.
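Added example (editor's illustration, not code from this thread, forensicssetup or winfor-salt): the JSON-plus-foreach shortcut loop proposed a few comments up, combined with the guard described here, where a shortcut is only written if the target executable actually exists, so one tool that failed to install does not abort the whole run or leave a dead .lnk behind. The manifest layout (category name mapping to a list of Name/Target/Arguments entries) and the tool paths are constructed for this example; the demonstration writes into a temp folder rather than the real public desktop.

```powershell
# Added example: category folders of shortcuts from a JSON manifest, skipping
# tools whose executable is not present. Manifest layout and paths are constructed.

function New-ToolShortcuts {
    param(
        [Parameter(Mandatory)] [string] $ManifestPath,
        [string] $DesktopRoot = 'C:\Users\Public\Desktop'
    )
    $manifest = Get-Content -LiteralPath $ManifestPath -Raw | ConvertFrom-Json
    $shell    = New-Object -ComObject WScript.Shell
    $created  = @()
    $skipped  = @()

    # Top-level JSON keys are the categories ("Disk Tools", ...); each maps to a list of tools.
    foreach ($category in $manifest.PSObject.Properties) {
        $folder = Join-Path $DesktopRoot $category.Name
        foreach ($tool in $category.Value) {
            if (-not (Test-Path -LiteralPath $tool.Target)) {
                # Same idea as the "only if the application is installed" guard:
                # record it and move on instead of erroring out or writing a broken link.
                $skipped += "$($category.Name)\$($tool.Name) -> $($tool.Target)"
                continue
            }
            # Create the category folder on first use only.
            New-Item -ItemType Directory -Force -Path $folder | Out-Null
            $lnk = Join-Path $folder "$($tool.Name).lnk"
            $shortcut = $shell.CreateShortcut($lnk)
            $shortcut.TargetPath = $tool.Target
            if ($tool.Arguments) { $shortcut.Arguments = $tool.Arguments }
            $shortcut.WorkingDirectory = Split-Path -Parent $tool.Target
            $shortcut.Save()
            $created += $lnk
        }
    }
    [pscustomobject]@{ Created = $created; Skipped = $skipped }
}

# --- demonstration with a constructed manifest and a throwaway "desktop" --------
$demoRoot     = Join-Path ([IO.Path]::GetTempPath()) 'shortcut-demo'
$manifestFile = Join-Path ([IO.Path]::GetTempPath()) 'tools-demo.json'
@'
{
  "Disk Tools": [
    { "Name": "FTK Imager", "Target": "C:\\Program Files\\AccessData\\FTK Imager\\FTK Imager.exe" }
  ],
  "Editors": [
    { "Name": "Notepad", "Target": "C:\\Windows\\System32\\notepad.exe" }
  ]
}
'@ | Set-Content -LiteralPath $manifestFile -Encoding UTF8

$result = New-ToolShortcuts -ManifestPath $manifestFile -DesktopRoot $demoRoot
$result.Created   # notepad.exe exists on every Windows install, so Editors\Notepad.lnk is written
$result.Skipped   # FTK Imager is reported as skipped unless it is really installed at that path
```

Point `-DesktopRoot` at `C:\Users\Public\Desktop` (the default) for a real run; the returned `Skipped` list doubles as a quick post-install check of which tools from the manifest never made it onto the box.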

angry-bender commented 1 year ago


Awesome, thanks for clarifying, I'm actually running the prod version you have now 🙂, so I'll take a look in the morning

digitalsleuth commented 1 year ago

If you're interested, I've been working on a new installer, it's at https://github.com/digitalsleuth/win-for as a pre-release. I'm about 80% done with the next pre-release and might have it up in the next couple of days, but it will also allow for log parsing (identifying errors), and simply just downloading the files without installing.

angry-bender commented 10 months ago

Deprecated this project in favour of Win-FOR after testing several times. Great work there @digitalsleuth. I've linked this repo across in the readme.

digitalsleuth commented 10 months ago

Thanks @angry-bender, much appreciated. If you have any further ideas or suggestions for Win-FOR, please let me know! I'm also happy to set up an Angry-Bender theme for it if you'd like it personalized a bit for your installation. I'm working on adding the ability to import themes as well, more to follow on that.

Cheers!