We will be working on making this a pre-baked AMI, but here are the deployment steps in the meantime <3
Note: You may need to add/modify fs.inotify.max_user_watches in /etc/sysctl.conf. The default is 8192, and you may need to increase this number. Run sysctl -p after modifying.
- Deploy Timesketch instance - Deployment Directions
- python3/pip3, awscli, and inotify-tools are required
apt install python3 python3-pip inotify-tools pip3 install --upgrade awscli - Configure AWS CLI
aws configure - Modify
bucket_nameinwatch-s3-to-timesketch.pywith S3 bucket name - Modify
BUCKET_NAMEinwatch-plaso-to-s3.shwith S3 bucket name - Modify
$usernameand$passwordinwatch-to-timesketch.sh - Add Velociraptor artifact in Velociraptor and configure with AWS S3 bucket, region, and IAM credentials
- Run deploy.sh
./deploy.sh - Kick off
Windows.KapeFiles.Targetscollection on one or more clients in Velociraptor- Wait for triage zip to upload to S3
- Wait for zip to download to Timesketch instance from S3
- log2timeline will begin processing data into a Plaso file
- timesketch_importer will then bring it into Timesketch