Forensics artefact acquisition scripts to be used in conjunction with elrond.
gandalf has been created to help fellow digital forensicators with the live collection of forensic artefacts from Windows, Linux and macOS hosts. Depending on the host OS, either gandalf.ps1 or gandalf.py will be required, to ensure compatibility with Windows and *nix hosts respectively. gandalf is designed to be fast, but the additional features ({-Memory, -CollectFiles}/{-M, -A, -F}) may result in longer acquisition times, subject to network speed and latency of course.
gandalf is responsible for the acquisition side of digital forensics, but what about analysis? elrond converts all of the artefacts to either JSON or CSV and can then stand up an on-the-fly Splunk or Elastic instance whilst mapping the evidence within those artefacts to the MITRE ATT&CK® Framework using ATT&CK Navigator, if desired.
To collect privileged disk artefacts, namely the `$MFT`, you will need to download the `disk_tools.zip.enc` archive (password is `infected`) and place the enclosed archive (`disk_tools.zip`) into `gandalf\gandalf\tools\` before deploying and invoking gandalf. Then copy the parent `\gandalf\` directory into `C:\TEMP` (Windows) or `/tmp/` (Linux/macOS) on the acquisition host.
You must have the necessary admin rights to obtain the forensic artefacts from hosts within your environment. This is true for both Local and Remote acquisitions.
Ensure that any intermediate firewalls do not block the acquisition traffic (WinRM on TCP 5985/5986 for Windows targets, SSH on TCP 22 by default for Linux/macOS targets).
- Enable PowerShell remoting:
Enable-PSRemoting -SkipNetworkProfileCheck -Force
- Update TrustedHosts:
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "<ACQUISITION_HOSTNAME>" -Force
- Ensure SSH is listening for open connections (for Linux/macOS targets)
Ensure you revert any changes made in preparation for forensic artefact acquisition (restore the TrustedHosts list, disable PowerShell remoting and any SSH access you enabled) once the evidence has been collected.
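The preparation and revert steps above, worked through as one PowerShell script. This is an added example and not gandalf's own code: it stages the gandalf directory into C:\TEMP, checks that disk_tools.zip is in place, records the current remoting state, enables WinRM remoting for a single named host, and provides an Undo-GandalfPrep function to put everything back afterwards. The variable names, the state file path and the placeholder `<ACQUISITION_HOSTNAME>` are assumptions of this example; Disable-PSRemoting on its own leaves the WinRM service and its firewall rules in place, which is why the revert restores those from the saved state.

```powershell
# Added example, not part of gandalf. Stages gandalf on a Windows host and prepares
# WinRM remoting for a remote acquisition, saving enough state to revert afterwards.
# Assumptions: the gandalf checkout sits in the current directory and
# '<ACQUISITION_HOSTNAME>' is the placeholder for the host you will acquire from.
$Target    = '<ACQUISITION_HOSTNAME>'
$Source    = Join-Path (Get-Location) 'gandalf'
$Staging   = 'C:\TEMP\gandalf'
$StateFile = 'C:\TEMP\gandalf-prep-state.json'   # assumed location for the saved state

# 1. Stage gandalf. The decrypted disk_tools.zip must already be in gandalf\gandalf\tools\,
#    otherwise the privileged disk artefacts ($MFT) cannot be collected.
$tools = Join-Path $Source 'gandalf\tools\disk_tools.zip'
if (-not (Test-Path $tools)) {
    throw "disk_tools.zip not found at $tools; extract disk_tools.zip.enc (password 'infected') into the tools directory first"
}
New-Item -ItemType Directory -Path 'C:\TEMP' -Force | Out-Null
Copy-Item -Path $Source -Destination $Staging -Recurse -Force

# 2. Record the remoting state before changing it. TrustedHosts is a client-side setting
#    on the machine that initiates the WinRM connection; Enable-PSRemoting configures the
#    listener on the host that accepts it.
$winrm = Get-Service WinRM
[ordered]@{
    TrustedHosts = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    WinRMStatus  = [string]$winrm.Status
    WinRMStart   = [string]$winrm.StartType
} | ConvertTo-Json | Set-Content -Path $StateFile

# 3. Enable remoting and trust only the named target, never '*'.
Enable-PSRemoting -SkipNetworkProfileCheck -Force
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $Target -Force

# 4. Confirm the target's WinRM listener answers before starting the acquisition.
Test-WSMan -ComputerName $Target -ErrorAction Stop

# ... run Invoke-Gandalf.ps1 from the staged copy with -Acquisition Remote ...

# 5. Revert once the evidence has been copied off the host. Disable-PSRemoting alone
#    leaves the WinRM service and its firewall rules in place, so restore those too.
function Undo-GandalfPrep {
    $saved = Get-Content -Path $StateFile -Raw | ConvertFrom-Json
    if ([string]::IsNullOrEmpty($saved.TrustedHosts)) {
        Clear-Item WSMan:\localhost\Client\TrustedHosts -Force
    } else {
        Set-Item WSMan:\localhost\Client\TrustedHosts -Value $saved.TrustedHosts -Force
    }
    Disable-PSRemoting -Force
    if ($saved.WinRMStatus -ne 'Running') {
        # WinRM was not running before we started: stop it, restore its start type
        # and close the firewall exception that Enable-PSRemoting opened.
        Stop-Service WinRM
        Set-Service WinRM -StartupType $saved.WinRMStart
        Disable-NetFirewallRule -DisplayGroup 'Windows Remote Management'
    }
    Remove-Item -Path $Staging -Recurse -Force   # remove the staged tools from the host
    Remove-Item -Path $StateFile -Force
}
```

Call `Undo-GandalfPrep` from the same session after the acquisition has finished and the output directory has been secured elsewhere; the saved state file is what makes the revert exact rather than a guess at the host's previous configuration.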
Please review SUPPORT.md for instructions on how to leverage and deploy gandalf.
Please read the CONFIG.md file for instructions on how to enable PowerShell remoting (for Windows Targets) and SSH remoting (for Linux/macOS hosts).
- Open 'Windows PowerShell' (not PowerShell Core) with Local Administrator privileges
- Keyboard shortcut: WIN + X + A
.\Invoke-Gandalf.ps1 [-EncryptionObject <Key/Password/None>] [-Acquisition <Local/Remote>] [-OutputDirectory <C:\Path\To\Output\Location>] [-Memory] [-ShowProgress] [-CollectFiles]
- Open 'Terminal' as root
sudo python3 gandalf.py [-h] <Key/Password/None> <Local/Remote> [-O <output_directory>] [-M] [-A] [-C]
- Open 'Windows PowerShell' (not PowerShell Core) with Local Administrator privileges
python3 gandalf.py [-h] <Key/Password/None> <Local/Remote> [-O <output_directory>] [-M] [-A] [-C]
- Open 'Terminal' as root
pwsh
./Invoke-Gandalf.ps1 [-EncryptionObject <Key/Password/None>] [-Acquisition <Local/Remote>] [-OutputDirectory <\Path\To\Output\Location>] [-Memory] [-ShowProgress] [-CollectFiles]
Below is a list of all the artefacts collected and processed from the respective operating systems.