I'll take some ElasticSearch/Kibana with my Plaso (Windows edition)

By Anonymous
This post is based off of Kristinn Gudjonsson’s blog post on Kibana integration here. This is meant to complement it and is a Windows specific install guide. For more information on how to use plaso, psort, Log2Timeline, or any other tools, please see the documentation site here. The following steps worked on a Windows 7 Enterprise 64-bit machine.

In order to use this functionality, you must have the latest release OR build plaso from the latest source found here. If you have never built from source before, you will need to follow the Windows specific directions here. Wonder if your version has the output to Elastic option? Skip to step 5.

1) Install Java and set environment variable.
You need JDK or JRE 7 or higher. Oracle explains how to download and install in detail here.

Now, you need to create an environment variable. To do this, navigate to Start > right click Computer > Properties.

Now you navigate to Advanced system settings > Advanced > Environment Variables... > New and enter in a new variable called “JAVA_HOME”. The path is usually C:\Program Files\Java or C:\Program Files\Java\jdk-[version].

2) Setup download directory.
To keep things simple, let’s create a folder called plaso-kibana. The C drive worked fine for me.

3) Download and start ElasticSearch.
Download and unzip the .zip file in your plaso-kibana directory from here.

Note: Since we are doing a local run and install, you do not need to configure anything in elasticsearch. If you are running on a server, you would need to modify the elasticsearch.yml file in the config directory with the appropriate variables.

Start ElasticSearch by navigating to [elasticsearch_directory]\bin. Run elasticsearch.bat (double click). You know the run was successful if a new command window pops up. You can double check by navigating to http://127.0.0.1:9200/. You should receive a message with a status of 200.

4) Download and install pyelasticsearch from source (if building from source).
This step is similar to Linux. Open a command line and run:

cd pyelasticsearch
python setup.py build
python setup.py install

From Kristinn’s post:
To make sure everything is working we can now do:

psort -o list

If things are working we should see the following results:

******************************** Output Modules ********************************
   L2tcsv : The CSV format used by log2timeline, with 17 fixed fields.
  Elastic : Saves the events into an ElasticSearch database.
 Mysql4n6 : Contains functions for outputing as 4n6time MySQL database.
  Dynamic : Dynamic selection of fields for a separated value output format.
    Rawpy : Prints out a "raw" interpretation of the EventObject.
      Raw : Prints out a "raw" interpretation of the EventObject protobuf.
   Sql4n6 : Saves the data in a SQLite database, used by the tool 4n6Time.
 Pstorage : Dumps event objects to a plaso storage file.
--------------------------------------------------------------------------------
5) Download and start a web server.
I am using nginx, but you can use any web server that is compatible with Kibana. The full nginx documentation for Windows is here.

Grab the latest nginx for Windows download here. Unzip to your plaso-kibana folder. Open your nginx-[ver]\conf\nginx.conf file in a text editor or IDE. You may consider using the configuration noted here, but modified for your setup. For instance, you might set the following variables with Windows paths:

server_name           kibana;
access_log            C:\plaso-kibana\nginx-1.7.1\logs\access.log;

 location / {
   root  C:\plaso-kibana\nginx-1.7.1\kibana;
   index  index.html  index.htm;
 }

Double click nginx.exe to start the server. To confirm the server is running, open a command line and run from the nginx directory:

path\to\nginx> tasklist /fi "imagename eq nginx.exe"

You should see some tasks running.

6) Download and deploy Kibana.
Download Kibana from here and unzip to your plaso-kibana folder. Methods to deploy will vary depending on your webserver. Generally it will involve copying the unzipped Kibana folder to the code directory. If you are using nginx, move the kibana folder to the ..\plaso-kibana\nginx-[ver]\html directory. I changed my kibana-[ver] folder name to “kibana” for simplicity.

The Kibana\config.js file should have an elastisearch value set to  "http://127.0.0.1:9200/" if you are running local.

Open http://127.0.0.1/kibana/index.html#/dashboard/file/default.json. You should see the Kibana default page with no errors.

7) Psort to elastic.
From Kristinn’s blog:
Run:
psort.py -o elastic yourfile.dump

On the output you should see something like the following:


Note the index name. Navigate to plaso-kibana\elasticsearch-[ver]\data\elasticsearch\nodes\0\indices. You should see a folder with the same name as the index name output. You may need to dig around in other nodes to find it if more than one node exist.

Now, download the example plaso dashboard from here and copy it to plaso-kibana\nginx-[ver]\html\kibana\app\dashboards. Rename the file as plaso.json.


Comments

Post a Comment

Popular posts from this blog

Parsing the $MFT NTFS metadata file

By
Background Numerous articles have been written about parsing the $MFT NTFS metadata file before. Some of these explain the technique itself [ 1 ] and others mostly focus on how to use tools. Rarely do articles mention the pros and cons of the technique from a digital forensics perspective [ 2 ].  What is $MFT parsing?  For readers not familiar with the NTFS file system, MFT stands for Master File Table. This table is stored in a file system metadata file, meaning that as far as the file system is concerned it is a file, however that the file contains file system metadata not “regular” content. The name of this file is “$MFT”.  The MFT consists of a sequence of (predetermined) fixed-size entries (or MFT entries). These entries are typically 1024 bytes in size, however the size is defined in the NTFS volume header and in a “regular” MFT entry itself.  The first 4-bytes of a “regular” MFT-entry (or record) starts with the signature “FILE”. The MFT entry can...
Read more

Incident Response in the Cloud

By
Many organizations have begun moving a majority of their services towards the cloud in recent years. As a result, attackers have shifted their focus towards the cloud. This has resulted in new techniques and methods specifically designed to compromise cloud infrastructure, like the recent SALTSTACK vulnerability that was widely exploited [ 1 ]. Therefore it is critical for these organizations to have an incident response team that understands the new risks attached to cloud and how cloud can make incident response easier or harder.  In this blog post we will walk you through each phase you may encounter in traditional incident response and highlight the differences when adopting cloud computing. It is aimed towards both those who are new to incident response and cloud computing. We’ve included insights that will benefit organizations taking that step towards cloud who want to ensure they are prepared to respond efficiently to cloud incidents.  Traditional Incident Response Be...
Read more

Container Forensics with Docker Explorer

By Anonymous
  Introduction As previous blog posts on cloud forensics have noted, applications are increasingly being deployed using container orchestration frameworks such as Kubernetes, especially in cloud environments.  Similar to traditional deployments on physical servers or virtual machines (VMs), when a containerised application has a security issue it can lead to a compromise of the underlying compute architecture. In the case of container deployments this means a compromise of the container itself, the container host, or even a wider cluster compromise via abuse of orchestration tools. Often digital forensics is required to establish what went wrong and remediate any issues. This article will provide an introduction to container forensics with Docker Explorer by working through a scenario involving a compromised container running within a Kubernetes cluster. Although Kubernetes is briefly mentioned, this article will focus on analysis of an individual container rather than the wi...
Read more