Posts

Plaso 20200717 released

The Plaso team is pleased to announce a new Plaso release, 20200717. This release is mainly a bug fix release.
The full list of cleanups, performance tweaks and bug fixes can be found in the release milestone.

Where/how to get Plaso 20200717?
See Plaso's Users' Guide. The development team recommends using Docker to install Plaso without hassle.
If Docker does not fit your needs there are installation instructions available for MacOS, Ubuntu and Fedora.
If you run into problems take a look at the Installation Problems page in the Plaso documentation, to see if other people have seen the issue before. If nothing there helps, ask for help on the Open Source DFIR slack or open an issue on the tracker.

Forensic Disk Copies in Azure

In a previous blog post, we presented how libcloudforensics facilitates digital forensics investigation in the cloud; in particular, we focused on disk copy functionality in Google Cloud Platform (GCP) and Amazon Web Services (AWS). We recently added support for Microsoft Azure. In this post we show how the library can be used to respond to incidents occurring on Azure, and present solutions to the main challenges we faced while adding support for this cloud provider.
Architecture
Azure’s architecture is pretty straightforward: each account has a set of “subscriptions”, within which resources can be organized by “resource groups”. Resource groups can contain any valid Microsoft Azure resource, be it a Compute resource (e.g. a virtual machine) or another kind of resource (e.g. a Network resource such as a network interface).

Snapshotting disks in the cloud
The following code snippets give examples of forensic acquisition within the Azure environment using the libcloudforensics API. Note tha…

Set up a development environment for Timesketch

Background
This article should walk you through the process for creating an environment where you can develop on Timesketch.
The target audience for this blogpost is an engineer who is familiar with Python, git and GitHub and has some basic understanding of operating systems as well.

What is Timesketch?
Timesketch is an open source tool for collaborative (digital) forensic timeline analysis. Those timelines can be from separate systems and investigated by multiple analysts in parallel. Timesketch is written in Python 3. Elasticsearch is used as the storage backend together with a SQL database to store additional attributes and metadata.
One of the benefits of open source digital forensic and incident response software (OSDFIR) is the ability to write code to extend the capabilities and to match their own workflow. This article will explain how to set up a development environment and how to contribute to the Timesketch project (also referred to as upstream).

System requirements
Linux / MacOS …