Open Source DFIR

In a previous blog post, we presented how libcloudforensics facilitates digital forensics investigation in the cloud, in particular we focused on disk copy functionality in Google Cloud Platform (GCP) and Amazon Web Services (AWS). We recently added support for Microsoft Azure. In this post we show how the library can be used to respond to incidents occurring on Azure, and present solutions to the main challenges we faced while adding support for this cloud provider.
ArchitectureAzure’s architecture is pretty straightforward: each account has a set of “subscriptions”, within which resources can be organized by “resource groups”. Resource groups can contain any valid Microsoft Azure resource, be it a Compute resource (e.g. a virtual machine) or another kind of resource (e.g. a Network resource such as a network interface).
Snapshotting disks in the cloudThe following code snippets give examples of forensic acquisition within the Azure environment using the libcloudforensics API. Note tha…

BackgroundThis article should walk you through the process for creating an environment where you can develop on Timesketch.
The target audience for this blogpost is an engineer who is familiar with Python, git and GitHub and has some basic understanding of operating systems as well.What is Timesketch?
Timesketch is an open source tool for collaborative (digital) forensic timeline analysis. Those timelines can be from separate systems and investigated by multiple analysts in parallel. Timesketch is written in Python 3. Elasticsearch is used as the storage backend together with a SQL database to store additional attributes and metadata.
One of the benefits of open source digital forensic and incident response software (OSDFIR) is the ability to write code to extend the capabilities and to match their own workflow. This article will explain how to set up a development environment and how to contribute to the Timesketch project (also referred to as upstream).System requirementsLinux / MacOS …