Monday, October 27, 2014

Forensicator-FATE

I wrote a Gold Paper for my GCFA, the cert corresponding to the SANS Institute FOR508 Advanced Forensics course, which may be found at the following link:
https://www.giac.org/paper/gcfa/9858/forensicator-fate-artisan-engineer/115803
It's also in the SANS Reading Room in the forensics section, linked:
http://www.sans.org/reading-room/whitepapers/forensics/forensicator-fate-artisan-engineer-35522


In short the paper describes automating the evidence processing phase of a DFIR investigation, using Jenkins to control the automation and storing the results in an ELK (Elasticsearch-Logstash-Kibana) stack for visualisation. A lightweight DFIR case manager is also provided.

The software can be found at:
https://github.com/z3ndrag0n/forensicator-fate

A list of current open issues (bugs and enhancement requests) is at:
https://github.com/z3ndrag0n/forensicator-fate/issues

Bug reports and requests for enhancement will be accepted with gratitude!

Thursday, January 09, 2014

Post-processing AWS CLI output with jq

I've been using the AWS CLI to dump information out of AWS for some time now, but just started using jq to post-process the JSON that the AWS CLI produces. Here is (I think) a useful one-liner (it assumes you're using Tags, and have a useful tag with Key "Name"; it also assumes you're using VPCs, but of course you're using VPCs):
aws ec2 describe-instances | jq '.Reservations[].Instances[]| .InstanceId, .VpcId, .SubnetId, .InstanceType, .NetworkInterfaces[].PrivateIpAddress, (.Tags[]|select(.Key == "Name").Value), .SecurityGroups'
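As an added example (not from the original post), the same field selection done in Python over a constructed describe-instances sample, producing one record per instance so that an instance with no Tags key (where `.Tags[]` errors in jq) or no Name tag (where the one-liner emits nothing for that position and the flat output misaligns) still gets a row. The sample JSON, instance IDs and group IDs are made up.

```python
import json
import sys

# Constructed sample of `aws ec2 describe-instances` output: the first
# instance is fully tagged, the second has no Tags key at all.
SAMPLE = json.loads("""
{"Reservations": [{"Instances": [
  {"InstanceId": "i-0a1b2c3d", "VpcId": "vpc-111", "SubnetId": "subnet-aaa",
   "InstanceType": "t2.micro",
   "NetworkInterfaces": [{"PrivateIpAddress": "10.0.1.10"}],
   "Tags": [{"Key": "Name", "Value": "web-1"}, {"Key": "env", "Value": "prod"}],
   "SecurityGroups": [{"GroupName": "web-sg", "GroupId": "sg-0001"}]},
  {"InstanceId": "i-0e9f8d7c", "VpcId": "vpc-111", "SubnetId": "subnet-bbb",
   "InstanceType": "m3.large",
   "NetworkInterfaces": [{"PrivateIpAddress": "10.0.2.20"},
                         {"PrivateIpAddress": "10.0.2.21"}],
   "SecurityGroups": [{"GroupName": "db-sg", "GroupId": "sg-0002"}]}
]}]}
""")


def summarize(describe_output):
    """Return one dict per instance with the fields the jq filter selects."""
    rows = []
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            # .get() with list defaults: a missing Tags or NetworkInterfaces
            # key yields an empty list instead of an exception.
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags") or []}
            rows.append({
                "InstanceId": inst.get("InstanceId"),
                "VpcId": inst.get("VpcId"),
                "SubnetId": inst.get("SubnetId"),
                "InstanceType": inst.get("InstanceType"),
                "PrivateIps": [ni.get("PrivateIpAddress")
                               for ni in inst.get("NetworkInterfaces") or []],
                "Name": tags.get("Name"),  # None rather than a dropped field
                "SecurityGroups": [sg.get("GroupId")
                                   for sg in inst.get("SecurityGroups") or []],
            })
    return rows


if __name__ == "__main__":
    # Pipe real output in with: aws ec2 describe-instances | python3 this.py
    # With no piped input the constructed sample is summarised instead.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for row in summarize(data):
        print(json.dumps(row))
```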