reuteras / dfirws Goto Github PK

Add ghidriff to the sandbox to get be able to test the interesting binary diff reports. Access symbolservers during run so will require network access when running.

Add clamav

Add ipinfo.io data to enrichment.ps1 as an optional download

https://ipinfo.io/products/free-ip-database

Download via Winget

Install plaso in new venv:

• https://pypi.org/project/plaso/
• https://github.com/log2timeline/plaso

Add:

• Maxmind (needs API key)
• Tor exits - https://collector.torproject.org/archive/exit-lists/

More?

Add https://pypi.org/project/malwarebazaar/

Add Golang

Add dfirws folder to start menu.

Install https://procdot.com/

Install frida-tools in separate venv.

https://frida.re/

curl -L -o firefox.msi "https://download.mozilla.org/?product=firefox-msi-latest-ssl&os=win64&lang=en-US"

Add the tool parseusbs from based on this blog post:

https://github.com/khyrenz/parseusbs

It requires the PYPI module regipy.

Install plugins during download to be able to use offline.

It would be nice to https://github.com/mvt-project/mvt installed but at the moment (2023-12-03) the documentation (https://docs.mvt.re/en/latest/install/) says:

MVT does not currently officially support running natively on Windows. While most functionality should work out of the box, there are known issues especially with mvt-android.

They recommend WSL which isn't available in the sandbox.

Revisit later.

Download via git in a sandbox and save the needed tools. Need to remove some tools since AV sometimes flags binary files as malware.

Add hashcat: https://hashcat.net/hashcat/

Look at having Chocolatey available in the container to make it easier to install nuget packages.

https://docs.chocolatey.org/en-us/choco/setup#completely-offline-install

Packages that would be available:

• https://github.com/horsicq/Detect-It-Easy - new build are only available via https://community.chocolatey.org/packages/die

Add https://pypi.org/project/pdfalyzer/

Add better help and documentations. See https://learn.microsoft.com/en-us/powershell/scripting/developer/help/writing-help-for-windows-powershell-scripts-and-functions?view=powershell-7.4

Download exe from https://www.maltego.com/downloads/

Add Strawberry Perl. It's available on GitHub so easier to download then ActiveState Perl.

Look at the possibility to change this tool to make it possible to use the downloaded files for installation in a VM or in the local machine.

How to do upgrades then?

Look at tools in Flare VM and install relevant missing tools. See

https://raw.githubusercontent.com/mandiant/flare-vm/main/config.xml

Look at the following repositories:

• https://github.com/damienvanrobaeys/Run-in-Sandbox
• https://github.com/karkason/pywinsandbox

Goals:

• Add support to start a minimal sandbox
• Send command to sandbox. Useful to open file in special tool or unzip file.

Would be nice to have the Windows Terminal in the Sandbox.

Since JSON is a very common format add more tools to handle JSON-data.

Add tools:

• fx
• gron

Watch releases and security notifications.

• fx
• gron

Tool that currently isn't supported on Windows is jless.

Related:

• Add links to tools
• Add JSON-page in wiki

Look for solutions in these posts:

• https://jdhitsolutions.com/blog/powershell/8420/managing-the-windows-10-taskbar-with-powershell/
• https://stackoverflow.com/questions/31416438/how-to-auto-hide-the-taskbar-from-the-command-line

It is possible to install Microsoft KM-TEST Loopback Adapter in a sandbox running in Windows 10. That options doesn't seem to be available in Windows 11.

With that loopback adapter it is possible to run fakenet without configuring full networking for the sandbox. Atleast that works on Windows 10.

Update Python to 3.11 if everything works

Add toolong https://github.com/Textualize/toolong

Add https://github.com/pstirparo/machofile

Example

• https://github.com/arkadiyt/protodump
• https://github.com/chainguard-dev/bincapz

Move binary-refinery to separate venv and install it as

binary-refinery[all]

Update links and documentation at the same time.

See https://github.com/binref/refinery

Look at the possibility to add KAPE. Should not be default since you should add your own version of KAPE due to license reasons.

• https://github.com/AndrewRathbun/KAPE-EZToolsAncillaryUpdater
• https://aboutdfir.com/toolsandartifacts/windows/kape/

Add https://github.com/netspooky/scare with the following Python requirements:

keystone-engine
unicorn
capstone

Clone https://github.com/Seabreg/Regshot and add to path

Look at adding which requires JavaFX. To install the latest JavaFX the minimum version of the Java JDK is version 17 but preferably install version 21.

• https://github.com/Col-E/Recaf
• https://gluonhq.com/products/javafx/
• https://learn.microsoft.com/en-us/java/openjdk/download

Add jpterm in seperate venv. See

• https://polar.sh/davidbrochart/posts/jpterm
• https://davidbrochart.github.io/jpterm/
• https://github.com/davidbrochart/jpterm

Tools can be added from https://repo.msys2.org/msys/x86_64/. Files are compressed by zstd by Facebook so a version of https://github.com/facebook/zstd must be available to expand since zstd is not included in Git for Windows. Some packages to add are:

• binutils
• bash-completion
• cpio
• nasm
• pv
• tree
• zstd

This will be optional since zstd is needed. After installing zstd packages can be uncompressed by running:

C:\Tools\bin\zstd.exe -d C:\Users\reuteras\Downloads\binutils-2.40-1-x86_64.pkg.tar.zst

In bash you can unpack the tar-file:

cd /
tar -x -vf ~/Desktop/readonly/binutils-2.40-1-x86_64.pkg.tar

The latest version of a package can be found with:

curl --silent https://repo.msys2.org/msys/x86_64/ | findstr '"binutils' | findstr /v ".sig" | select -Last 1 | foreach { ($_ -split '"')[1]}

With binutils and nasm code like https://github.com/accidentalrebel/shcode2exe should work.

Add apimonitor from http://www.rohitab.com/apimonitor.

• http://www.rohitab.com/download/api-monitor-v2r13-setup-x86.exe
• http://www.rohitab.com/download/api-monitor-v2r13-setup-x64.exe

Add https://github.com/google/magika

Look at Search Index DB Reporter (SIDR) for inclusion, https://github.com/strozfriedberg/sidr.

Add https://github.com/seladb/PcapPlusPlus/releases/tag/v22.11 for working with pcap files.

Install Rust:

• https://forge.rust-lang.org/infra/other-installation-methods.html

And then add:

• https://github.com/dfir-dd/dfir-toolkit

See the following pages:

• https://www.mandiant.com/resources/blog/ghidrathon-snaking-ghidra-python-3-scripting
• https://github.com/mandiant/Ghidrathon

Consider adding ruby to the sandbox. Look at https://github.com/oneclick/rubyinstaller2. Would make it possible to add https://github.com/gollum/gollum and read GitHub wikis offline making it easier to read the wiki for this project with tips and help when that have been added.

Add apktool https://apktool.org/docs/install/