- gets the latest docker version of Timesketch, Plaso
- downloads the latest tagger file from this repo
- creates the first user account in Timesketch.
OPTIONAL - Node-RED based bulk triage processing workflow
Usage Note: You need to be running Ubuntu 20.04 LTS for this.
wget https://raw.githubusercontent.com/blueteam0ps/AllthingsTimesketch/master/tsplaso_docker_install.sh
chmod a+x ./tsplaso_docker_install.sh
sudo ./tsplaso_docker_install.sh
Tags file for faster triage Use the following tags file to get most out of TS (It is already part of the tsplaso_docker_install.sh script https://github.com/blueteam0ps/AllthingsTimesketch/blob/master/tags.yaml
The customised docker-compose file can be used in instances where a separate Dockerised Kibana is required. Further, the ES docker config was updated to have the ES ports exposed to the host. Please ensure the host based firewall is configured to lock down the ports in production environment. My inspiration for the following mini projects were from the work carried by Eric Capuano (AWS DFIR Automation) and knowledge sharing sessions with Mike Pilkington. Special thanks to Sam Machin (https://github.com/sammachin) for his continous support with troubleshooting Node-RED workflow issues with me. Node-RED is a browser based flow editor which provides an easier way to achieve automation. I've created an automation flow where the flow will watch for ZIP files in /cases/processor directory. When new triage zip files get uploaded (Tested with CyLR zips) it will automatically unzip into a unique folder, parses it with Log2timeline and ingests into Timesketch using Timesketch-Importer script. It has the ability to queue up zip files for processing. This was you can control how many zips gets processed at a point in time.NOTICE : This workflow currently does not process E01 files. However, I am planning to have that included in the near future
-
Install Node-RED using the instructions given at https://nodered.org/docs/getting-started/. I've tested this on Ubuntu 20.04 (https://nodered.org/docs/getting-started/raspberrypi)
-
This automation depends on the following additonal nodes. I recommend installing it directly via the GUI -> Manage Pallette -> Install after you install Node-RED NOTICE - I have removed the unzip node from the flow as it had some issues with certain zip files. Latest flows uses the "unzip" utility available for Linux. Therefore, make sure you have it pre-installed before using this flow. -node-red-contrib-fs -node-red-contrib-fs-ops -node-red-contrib-simple-queue -node-red-contrib-watchdirectory
-
You should have /cases/plaso and /cases/processor folders already created. The account you are running Node-RED must have permission on /cases and its sub-folders.
-
You should have Timesketch and Log2timeline pre-installed on the same host as your Node-RED installation. This has been tested using TS and L2T's docker versions.
-
You should update the Log2timeline and Timesketch CLI parameters within the flow to meet your requirements.
How to install the workflow?
-
Download the workflow JSON and Import it using the Node-RED GUI. https://github.com/blueteam0ps/AllthingsTimesketch/blob/master/NR_DFIRFlow.json
-
Update the "Timesketch CLI Params" with you TS credentials
-
Update the "Queue Zips" with the amount of ZIPs you would like to process at any given time
-
Hit Deploy Full!
-
Node-RED will watch for new files into the /cases/processor folder and it will kick off the flow
Planned Improvements
- Zip file integrity validation
- Dialog box to enter timesketch auth details so the token can be created at the start
- Add flow branching to cater for E01 , Raw and VHDs
- Notification of success and failures