Incident response teams usually work on offline data: they collect the evidence first, then analyze it.

DFIR_ELK Project

Abstract

Incident response teams usually work on offline data and analyze it with their own tools. DFIR_ELK is a customized build of the open-source stack consisting of Elasticsearch, Logstash, the Kibana dashboard, Filebeat, Suricata, Zeek and Volatility. It additionally parses and visualizes the critical output of Eric Zimmerman's forensic tool KAPE, which helps the IR team investigate and analyze information security incidents.


Getting Started

Building your own DFIR VM: Doc_DFIR_Download_V1
Memory Forensics DFIR VM v2: Doc_DFIR_Download_V2
Using DFIR_ELK_PROJECT: Doc_DFIR_Download_How to use
Download the DFIR VM: DFIR_Download
VM_IP_Address: 192.168.60.133
Kibana: 192.168.60.133:5601
Elasticsearch: 192.168.60.133:9200
User: elk
Password: elk-dfir
The user and password above are the VM's defaults; change them after the first login and keep the VM on an isolated analysis network.

Types of indexed data

Output logs                  Extension
IIS Exchange                 Log
Log2timeline                 CSV
KAPE                         JSON
KAPE Windows event logs      JSON
Windows Event Logs           EVTX
Volatility                   CSV

TOOLS

Elasticsearch
Kibana
Logstash
Filebeat
Winlogbeat
Suricata
Zeek
Volatility

How to use

Send KAPE output (JSON format)

$ scp kape.json elk@192.168.60.133:/logstash/kape/

Send KAPE Windows event logs (JSON format)

$ scp kape.json elk@192.168.60.133:/logstash/winlog/

Send log2timeline output data (CSV format)

$ scp timeline.csv elk@192.168.60.133:/logstash/timeline/

Send IIS Exchange logs (Log format)

$ scp -r /path_to_logs/ elk@192.168.60.133:/logstash/iis/

Send Windows event logs to Elasticsearch (EVTX)

PS C:\Program Files\Winlogbeat> .\winlogbeat.exe -c .\winlogbeat.yml -e

Zeek reads PCAP files and sends the data to Elasticsearch.

Note: Zeek output must be written to the path /logstash/zeek/, so run Zeek from that directory.

$ cd /logstash/zeek && zeek -r file.pcap

Suricata reads a PCAP file and sends the data to Elasticsearch.

$ suricata -c /etc/suricata/suricata.yaml -r file.pcap -l /logstash/suricata/

Continuously read any PCAP files added to /logstash/suricata/

$ suricata -c /etc/suricata/suricata.yaml --pcap-file-continuous -r /logstash/suricata/ -l /logstash/suricata/

Volatility plugins

pslist prints all running processes by walking the EPROCESS doubly linked list.

$ vol.py -f memdump.mem --profile=Win2016x64_14393 pslist  > /logstash/memory/pslist.csv

psscan scans physical memory for EPROCESS structures; because it does not rely on the linked list, it can also find terminated processes and processes that were unlinked from the list.

$ vol.py -f memdump.mem --profile=Win2016x64_14393 psscan  > /logstash/memory/pscan.csv

pstree prints the process list as a tree, showing parent-child relationships (using the EPROCESS linked list).

$ vol.py -f memdump.mem --profile=Win2016x64_14393 pstree  > /logstash/memory/pstree.csv

psxview helps you detect hidden processes by comparing what PsActiveProcessHead contains with what is reported by various other sources of process listings.

$ vol.py -f memdump.mem --profile=Win2016x64_14393 psxview  > /logstash/memory/psxview.csv

netscan lists network artifacts and sockets (it helps to discover suspicious network connections).

$ vol.py -f memdump.mem --profile=Win2016x64_14393 netscan  > /logstash/memory/netscan.csv

filescan searches memory for file objects. It identifies files in memory even when no handle is open to them (closed files) and finds NTFS special files (such as $MFT) that are not present in the VAD tree or in any process handle list.

$ vol.py -f memdump.mem --profile=Win2016x64_14393 filescan  > /logstash/memory/filescan.csv

strings extracts English ASCII and Unicode (UTF-16LE) strings from the data stream. The default encoding only finds ASCII, and -el only finds 16-bit little-endian strings, so run it once per encoding (-td prints the decimal offset, -a scans the whole file):

$ strings -a -td memdump.mem > /logstash/memory/strings.csv
$ strings -a -td -el memdump.mem >> /logstash/memory/strings.csv
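As an added example (not part of the DFIR_ELK project), the following Python check reproduces the core of what psxview does on the files saved above: it parses the pslist and psscan output and flags processes that psscan found in physical memory but the EPROCESS list walk did not report, which is the signature of an unlinked process. The sample output below is constructed in the column layout of Volatility 2 and does not come from a real image.

```python
"""Cross-check Volatility pslist vs psscan output for unlisted processes."""
import re
from typing import Dict, List, Tuple

# Constructed sample output (not from a real memory image).
PSLIST_SAMPLE = """\
Offset(V)          Name        PID   PPID   Thds   Hnds   Sess  Wow64 Start                          Exit
------------------ ---------- ------ ------ ------ ------ ------ ------ ------------------------------ ----
0xffffe00001234080 System          4      0    120    800 ------      0 2020-05-01 10:00:00 UTC+0000
0xffffe00001a4b080 svchost.exe   812    620     10    300      0      0 2020-05-01 10:00:05 UTC+0000
"""
PSSCAN_SAMPLE = """\
Offset(P)          Name         PID   PPID PDB                Time created                   Time exited
------------------ ----------- ------ ------ ------------------ ------------------------------ ----
0x000000003e234080 System           4      0 0x00000000001aa000 2020-05-01 10:00:00 UTC+0000
0x000000003ea4b080 svchost.exe    812    620 0x000000002c3f1000 2020-05-01 10:00:05 UTC+0000
0x000000003f0c2080 hidden.exe    1337    812 0x000000003a1b2000 2020-05-01 10:07:42 UTC+0000
0x000000003f1d3080 notepad.exe   2100    812 0x000000003b2c3000 2020-05-01 10:02:00 UTC+0000   2020-05-01 10:03:00 UTC+0000
"""

# A data row starts with an offset, then name, PID and PPID; the rest varies per plugin.
ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(.*)$")
TIMESTAMP_RE = re.compile(r"UTC[+-]\d{4}")


def parse_processes(text: str) -> Dict[int, dict]:
    """Return {pid: {name, ppid, exited}} from pslist or psscan text output."""
    procs: Dict[int, dict] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header, separator or blank line
        _offset, name, pid, ppid, rest = m.groups()
        # Two timestamps in the trailing columns means an exit time is present.
        exited = len(TIMESTAMP_RE.findall(rest)) >= 2
        procs[int(pid)] = {"name": name, "ppid": int(ppid), "exited": exited}
    return procs


def find_unlisted(pslist_text: str, psscan_text: str) -> List[Tuple[int, str]]:
    """PIDs psscan found that pslist did not list and that have no exit time."""
    listed = parse_processes(pslist_text)
    scanned = parse_processes(psscan_text)
    return sorted((pid, p["name"]) for pid, p in scanned.items()
                  if pid not in listed and not p["exited"])


if __name__ == "__main__":
    for pid, name in find_unlisted(PSLIST_SAMPLE, PSSCAN_SAMPLE):
        print(f"not in pslist but alive in psscan: pid={pid} name={name}")
```

Exited processes are excluded because psscan is expected to see them while pslist is not; a live process present only in psscan is what deserves a closer look in the psxview output.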

Troubleshooting

  • Make sure all the services are running and active:

$ sudo service elasticsearch status
$ sudo service elasticsearch stop
$ sudo service elasticsearch start

If you restart Elasticsearch, make sure to restart Logstash afterwards:

$ sudo service logstash restart