patroclica / velociraptor-to-timesketch

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

velociraptor-to-timesketch

sketch

Watch our DFIR Summit talk

Breaches Be Crazy

We will be working on making this a pre-baked AMI, but here are the deployment steps in the meantime <3

Note: You may need to add/modify fs.inotify.max_user_watches in /etc/sysctl.conf. The default is 8192, and you may need to increase this number. Run sysctl -p after modifying.

Deployment

  • Deploy Timesketch instance - Deployment Directions
  • python3/pip3, awscli, unzip, and inotify-tools are required
    apt install python3 python3-pip unzip inotify-tools -y
    pip3 install --upgrade awscli
    
  • Configure AWS CLI
    aws configure 
    
  • Modify bucket_name in watch-s3-to-timesketch.py with S3 bucket name
  • Modify BUCKET_NAME in watch-plaso-to-s3.sh with S3 bucket name
  • Modify $username and $password in watch-to-timesketch.sh
  • Add Velociraptor artifact in Velociraptor and configure with AWS S3 bucket, region, and IAM credentials Screen Shot 2021-07-08 at 2 36 18 PM
  • Run deploy.sh
    ./deploy.sh
    
  • Kick off Windows.KapeFiles.Targets collection on one or more clients in Velociraptor
    • Wait for triage zip to upload to S3
    • Wait for zip to download to Timesketch instance from S3
    • log2timeline will begin processing data into a Plaso file
    • timesketch_importer will then bring it into Timesketch

About

License:MIT License


Languages

Language:Shell 82.8%Language:Python 17.2%