New blog post! Building on my last post about malware distro via VHD, I walk through creating a simple timeline of the VHD with Plaso to show how you can get more data for intelligence. https://forensicitguy.github.io/timelining-malware-vhd-intelligence/

#malware #plaso

Timelining a Malicious VHD for More Intelligence

In a previous blog post I mentioned how adversaries using VHD files to distribute malware can leave around a lot more data than they intend, including identifiable data for tracking. In this post I want to break out the best friend everyone made during SANS FOR508, Plaso, so I can process the filesystem data for a malicious VHD and illustrate how we can establish a timeline of operations for the adversary. Just like last time, the sample I’m working with is here in MalwareBazaar: https://bazaar.abuse.ch/sample/72ba4bd27c5d95912ac5e572849f0aaf56c5873e03f5596cb82e56ac879e3614/.

Tony Lambert
#Plaso is a Python-based engine that can automatically create timelines from various files found on typical computer systems. It can extract timestamps from file system metadata, log files, registry files, browser history, email archives, and many other sources, and can also filter and analyse the extracted events using various plugins and modules. #dfir https://andreafortuna.org/2023/03/11/plaso-20230226-has-been-released?utm_source=dlvr.it&utm_medium=mastodon
Plaso 20230226 has been released
Andrea Fortuna

"But plaso/log2timeline are hard to install! 😭", I hear you cry.

Here's how to set up aliases and get it running in under 2 seconds using the official Docker containers 👇🏻 #DFIR #plaso #log2timeline #docker #forensics

🦖Day 83 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: Server.Utils.BackupGCS/S3

Link:
https://docs.velociraptor.app/artifact_references/pages/server.utils.backupgcs/

https://docs.velociraptor.app/artifact_references/pages/server.utils.backups3/

----

These artifacts are server monitoring artifacts that will watch for flow completions, then zip and send the results to Google Cloud, or an S3 bucket, using the 'upload_gcs()' and 'upload_s3()' functions.

https://docs.velociraptor.app/vql_reference/plugin/upload_gcs

https://docs.velociraptor.app/vql_reference/plugin/upload_s3

----

Once uploaded, the collections can be left alone and remain archived, or special post-processing can be applied using third-party tools, depending on defenders' needs.

@eric_capuano and @shortxstack (@recon_infosec) did an excellent job presenting about using these artifacts with Timesketch to generate a timeline of events.

If you haven't already, be sure to check out their presentation from @SANS #DFIR Summit 2021!

https://www.sans.org/presentations/breaches-be-crazy/

----

That's it for now! Stay tuned to learn about more artifacts! 🦖

#DFIR
#Forensics
#Infosec
#Plaso
#ThreatHunting
#Timesketch

Server.Utils.BackupGCS :: Velociraptor - Digging deeper!

RT @[email protected]

New #Plaso release is out! You can now exclude files to be analyzed by specifying collection filters, making processing faster (unless running on a Raspberry Pi...) #DFIR

Full blogpost with more goodies 👉🏻 http://blog.kiddaland.net/2019/06/plaso-20190531-released.html
Filters documentation 👉🏻 http://blog.kiddaland.net/2019/06/plaso-20190531-released.html

🐦🔗: https://twitter.com/tomchop_/status/1135564373374582784

Plaso 20190531 released

Blog about timeline analysis in the DFIR world. Mostly contains plaso/log2timeline related stuff with hints on tool usage, advanced features, etc.