DFIR_ELK Project
Abstract
Incident response teams usually work on offline data and analyze it with their own tools.
DFIR_ELK is a customized build of the open-source stack consisting of Elasticsearch, Logstash,
Kibana dashboards, Filebeat, Suricata, Zeek and Volatility. It additionally parses and visualizes
the critical output data of the forensics tool "Kape by Eric Zimmerman", which helps the IR team
investigate and analyze information security incidents.
Getting Started
Building your own DFIR VM: Doc_DFIR_Download_V1
Memory Forensics DFIR VM v2: Doc_DFIR_Download_V2
Using DFIR_ELK_PROJECT: Doc_DFIR_Download_How to use
Download DFIR VM DFIR_Download
VM_IP_Address: 192.168.60.133
Kibana : 192.168.60.133:5601
Elasticsearch : 192.168.60.133:9200
User: elk
Password: elk-dfir
Types of indexed data
| Output logs | Ext |
|---|---|
| IIS Exchange | Log |
| Log2timeline | CSV |
| KAPE | JSON |
| KAPE Windows event logs | JSON |
| Windows Event Logs | EVTX |
| Volatility | CSV |
TOOLS
Elasticsearch
Kibana
Logstash
Filebeat
Winlogbeat
Suricata
Zeek
Volatility
How to use
Send KAPE output (JSON format)
$ scp kape.json elk@192.168.60.133:/logstash/kape/
Send KAPE Windows event logs (JSON format)
$ scp kape.json elk@192.168.60.133:/logstash/winlog/
Send log2timeline output (CSV format)
$ scp timeline.csv elk@192.168.60.133:/logstash/timeline/
Send IIS Exchange logs (Log format)
$ scp -r /path_to_logs/ elk@192.168.60.133:/logstash/iis/
Send Windows event logs to Elasticsearch (EVTX)
PS C:\Program Files\Winlogbeat> .\winlogbeat.exe -c .\winlogbeat.yml -e
Zeek reads PCAP files and sends the data to Elasticsearch.
Note: Zeek output must be written to the path /logstash/zeek/, so run Zeek from that directory:
$ cd /logstash/zeek
$ zeek -r file.pcap
Suricata reads a PCAP file and sends the data to Elasticsearch
$ suricata -c /etc/suricata/suricata.yaml -r file.pcap -l /logstash/suricata/
Continuously read any PCAP files added to /logstash/suricata/
$ suricata -c /etc/suricata/suricata.yaml --pcap-file-continuous -r /logstash/suricata/ -l /logstash/suricata/
Volatility plugins
Pslist prints all running processes by walking the EPROCESS doubly linked list
$ vol.py -f memdump.mem --profile=Win2016x64_14393 pslist > /logstash/memory/pslist.csv
Psscan scans physical memory for EPROCESS structures; unlike pslist it can also find terminated processes and processes that were unlinked from the list
$ vol.py -f memdump.mem --profile=Win2016x64_14393 psscan > /logstash/memory/pscan.csv
Pstree prints the process list as a tree showing parent/child relationships (using the EPROCESS linked list)
$ vol.py -f memdump.mem --profile=Win2016x64_14393 pstree > /logstash/memory/pstree.csv
Psxview helps you detect hidden processes by comparing what PsActiveProcessHead contains with what is reported by various other sources of process listings.
$ vol.py -f memdump.mem --profile=Win2016x64_14393 psxview > /logstash/memory/psxview.csv
Netscan lists network artifacts and sockets (it helps to discover suspicious network connections)
$ vol.py -f memdump.mem --profile=Win2016x64_14393 netscan > /logstash/memory/netscan.csv
Filescan searches for file objects in memory and identifies files even when no handle to them is open (closed files); it also finds NTFS special files (such as $MFT) that are not present in the VAD tree or the process handle list.
$ vol.py -f memdump.mem --profile=Win2016x64_14393 filescan > /logstash/memory/filescan.csv
Strings is used to extract ASCII and Unicode (UTF-16LE) strings from the memory image, with the decimal offset of each string
$ strings -a -td -el memdump.mem > /logstash/memory/strings.csv
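The psxview idea above (comparing process listings from different sources) can be applied to the pslist and psscan text written into /logstash/memory/. The following is an added example, not part of the DFIR_ELK project: it parses constructed excerpts of Volatility 2 pslist and psscan output and reports processes that psscan found but the linked list does not contain, separating exited processes from live ones that merit review.

```python
# Added example (not DFIR_ELK code): cross-check pslist vs psscan output to
# flag processes that psscan found but the EPROCESS linked list does not report.
# Both excerpts below are constructed, not taken from a real memory image.
PSLIST_TXT = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ----
0xffffe0000ab3a040 System                    4      0    120        0 ------      0 2024-01-10 08:00:01 UTC+0000
0xffffe0000c1d1080 svchost.exe             812    604     15      350      0      0 2024-01-10 08:00:09 UTC+0000
0xffffe0000d2e2080 explorer.exe           2104   2080     40     1100      1      0 2024-01-10 08:01:30 UTC+0000
"""

# psscan sees two more entries: one already exited, one live but absent from pslist.
PSSCAN_TXT = """\
Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x000000003e23a040 System                4      0 0x00000000001ab000 2024-01-10 08:00:01 UTC+0000
0x000000003f1d1080 svchost.exe         812    604 0x0000000012345000 2024-01-10 08:00:09 UTC+0000
0x000000003f2e2080 explorer.exe       2104   2080 0x0000000023456000 2024-01-10 08:01:30 UTC+0000
0x000000003f9a9080 rundll32.exe       3377   2104 0x0000000034567000 2024-01-10 08:05:12 UTC+0000 2024-01-10 08:05:40 UTC+0000
0x000000003fbb0080 dllhost.exe        3512   3377 0x0000000045678000 2024-01-10 08:06:00 UTC+0000
"""

def parse_processes(text):
    """Return {pid: (name, ppid, exited)} for every data row of a plugin's text output."""
    procs = {}
    for line in text.splitlines():
        if not line.startswith("0x"):  # skip header and separator rows
            continue
        fields = line.split()
        name, pid, ppid = fields[1], int(fields[2]), int(fields[3])
        # psscan appends a second timestamp (Time exited) for terminated processes
        procs[pid] = (name, ppid, line.count("UTC+") >= 2)
    return procs

def find_unlisted(pslist_txt, psscan_txt):
    """PIDs seen by psscan but absent from pslist, split into (suspicious, terminated).
    Live entries missing from the linked list are the psxview-style hits worth
    investigating; exited entries are usually benign residue of finished processes."""
    listed = parse_processes(pslist_txt)
    suspicious, terminated = {}, {}
    for pid, (name, ppid, exited) in parse_processes(psscan_txt).items():
        if pid not in listed:
            (terminated if exited else suspicious)[pid] = (name, ppid)
    return suspicious, terminated

if __name__ == "__main__":
    sus, term = find_unlisted(PSLIST_TXT, PSSCAN_TXT)
    for pid, (name, ppid) in sus.items():
        print(f"REVIEW pid={pid} {name} ppid={ppid}: in psscan, not in pslist, not exited")
    for pid, (name, ppid) in term.items():
        print(f"exited pid={pid} {name} ppid={ppid}")
```

Point the two constants at the real pslist.csv and pscan.csv files to run it against an actual image; the parsing only relies on rows starting with a hex offset.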
Troubleshooting
- Make sure all the services are running and active
$ sudo service elasticsearch status
$ sudo service elasticsearch stop
$ sudo service elasticsearch start
If you restart Elasticsearch, make sure to restart Logstash afterwards
$ sudo service logstash restart