reuteras / dfirws
Do DFIR work in Windows Sandbox
License: MIT License
You can find my contact information at reuteras.com.
Add clamav
Add ipinfo.io data to enrichment.ps1 as an optional download
Download via Winget
Install plaso in a new venv:
Add Golang
Add the dfirws folder to the Start menu.
Install https://procdot.com/
Install frida-tools in separate venv.
curl -L -o firefox.msi "https://download.mozilla.org/?product=firefox-msi-latest-ssl&os=win64&lang=en-US"
Add the tool parseusbs, based on this blog post:
https://github.com/khyrenz/parseusbs
It requires the PyPI module regipy.
Install plugins during download so they can be used offline.
It would be nice to have https://github.com/mvt-project/mvt installed, but at the moment (2023-12-03) the documentation (https://docs.mvt.re/en/latest/install/) says:
MVT does not currently officially support running natively on Windows. While most functionality should work out of the box, there are known issues especially with mvt-android.
They recommend WSL, which isn't available in the sandbox.
Revisit later.
Download via git in a sandbox and save the needed tools. Some tools need to be removed, since AV sometimes flags binary files as malware.
Add hashcat: https://hashcat.net/hashcat/
Look at having Chocolatey available in the sandbox to make it easier to install NuGet packages.
https://docs.chocolatey.org/en-us/choco/setup#completely-offline-install
Packages that would be available:
Add better help and documentation. See https://learn.microsoft.com/en-us/powershell/scripting/developer/help/writing-help-for-windows-powershell-scripts-and-functions?view=powershell-7.4
Download exe from https://www.maltego.com/downloads/
Add Strawberry Perl. It's available on GitHub, so it's easier to download than ActiveState Perl.
Look at the possibility of changing this tool so that the downloaded files can also be used for installation in a VM or on the local machine.
How to do upgrades then?
Look at tools in Flare VM and install relevant missing tools. See
https://raw.githubusercontent.com/mandiant/flare-vm/main/config.xml
Look at the following repositories:
Goals:
Would be nice to have the Windows Terminal in the Sandbox.
It is possible to install the Microsoft KM-TEST Loopback Adapter in a sandbox running on Windows 10. That option doesn't seem to be available on Windows 11.
With that loopback adapter it is possible to run fakenet without configuring full networking for the sandbox. At least that works on Windows 10.
Update Python to 3.11 if everything works
Add toolong https://github.com/Textualize/toolong
Move binary-refinery to a separate venv and install it as binary-refinery[all].
Update links and documentation at the same time.
Look at the possibility of adding KAPE. It should not be installed by default, since you should add your own copy of KAPE for license reasons.
Add https://github.com/netspooky/scare with the following Python requirements:
keystone-engine
unicorn
capstone
Clone https://github.com/Seabreg/Regshot and add to path
Look at adding which requires JavaFX. To install the latest JavaFX the minimum version of the Java JDK is version 17 but preferably install version 21.
Add jpterm in a separate venv. See
Tools can be added from https://repo.msys2.org/msys/x86_64/. The files are compressed with zstd (from Facebook), so a build of https://github.com/facebook/zstd must be available to expand them, since zstd is not included in Git for Windows. Some packages to add are:
This will be optional, since zstd is needed. After installing zstd, packages can be uncompressed by running:
C:\Tools\bin\zstd.exe -d C:\Users\reuteras\Downloads\binutils-2.40-1-x86_64.pkg.tar.zst
In bash you can unpack the tar-file:
cd /
tar -x -vf ~/Desktop/readonly/binutils-2.40-1-x86_64.pkg.tar
The latest version of a package can be found with the following PowerShell pipeline. curl.exe is named explicitly because in Windows PowerShell 5.1 the name curl is an alias for Invoke-WebRequest, which does not accept curl's options. Note that this takes the last entry in the directory listing, i.e. the alphabetically last filename, which is not always the highest version (for example a pkgrel of 10 sorts before a pkgrel of 2):
curl.exe --silent https://repo.msys2.org/msys/x86_64/ | findstr '"binutils' | findstr /v ".sig" | select -Last 1 | foreach { ($_ -split '"')[1]}
With binutils and nasm, code like https://github.com/accidentalrebel/shcode2exe should work.
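The listing-based lookup above works as long as the alphabetically last filename is also the newest package, which breaks once a pkgrel or version component reaches two digits. The following is an added example, not code from dfirws, that parses an autoindex-style repository listing like https://repo.msys2.org/msys/x86_64/, anchors on the exact package name (so binutils-debug is not picked up when asking for binutils), skips the detached .sig files, and chooses the highest pkgver-pkgrel by comparing numeric runs as integers. The index HTML is constructed inline so the script runs offline; the version comparison is a simplified form of pacman's vercmp and is an assumption of this example, not something the MSYS2 project provides.

```python
"""Pick the newest MSYS2 package from a repo index by version, not by listing order.

Added example for the dfirws TODO notes; not part of the project. Assumptions:
the index is an autoindex-style page with href="<filename>" links, package
filenames follow {pkgname}-{pkgver}-{pkgrel}-{arch}.pkg.tar.zst, and versions
can be compared piecewise (numeric runs as integers, alphabetic runs as text).
"""
import re
from urllib.parse import urljoin

REPO_BASE = "https://repo.msys2.org/msys/x86_64/"

# Constructed sample of the repository index (made up for this example, not fetched).
# Alphabetical order puts binutils-2.41-10 before binutils-2.41-2, so "take the last
# listed entry" would select pkgrel 2 instead of the newer pkgrel 10.
SAMPLE_INDEX = """<html><body><pre>
<a href="../">../</a>
<a href="binutils-2.40-1-x86_64.pkg.tar.zst">binutils-2.40-1-x86_64.pkg.tar.zst</a>
<a href="binutils-2.40-1-x86_64.pkg.tar.zst.sig">binutils-2.40-1-x86_64.pkg.tar.zst.sig</a>
<a href="binutils-2.41-10-x86_64.pkg.tar.zst">binutils-2.41-10-x86_64.pkg.tar.zst</a>
<a href="binutils-2.41-10-x86_64.pkg.tar.zst.sig">binutils-2.41-10-x86_64.pkg.tar.zst.sig</a>
<a href="binutils-2.41-2-x86_64.pkg.tar.zst">binutils-2.41-2-x86_64.pkg.tar.zst</a>
<a href="binutils-2.41-2-x86_64.pkg.tar.zst.sig">binutils-2.41-2-x86_64.pkg.tar.zst.sig</a>
<a href="binutils-debug-2.41-2-x86_64.pkg.tar.zst">binutils-debug-2.41-2-x86_64.pkg.tar.zst</a>
<a href="nasm-2.16.01-1-x86_64.pkg.tar.zst">nasm-2.16.01-1-x86_64.pkg.tar.zst</a>
<a href="nasm-2.16.01-1-x86_64.pkg.tar.zst.sig">nasm-2.16.01-1-x86_64.pkg.tar.zst.sig</a>
</pre></body></html>"""

HREF_RE = re.compile(r'href="([^"]+)"')


def version_key(pkgver: str, pkgrel: str):
    """Sortable key: numeric runs compare as integers, alphabetic runs as text.

    Tagging each run with 0 (number) or 1 (text) keeps Python from comparing
    int with str when two versions differ in shape (e.g. 1.2 vs 1.2a).
    """
    parts = [(0, int(t)) if t.isdigit() else (1, t)
             for t in re.findall(r"\d+|[A-Za-z]+", pkgver)]
    return (parts, int(pkgrel))


def list_packages(index_html: str, pkgname: str, arch: str = "x86_64"):
    """Return (filename, pkgver, pkgrel) for every .zst package of pkgname.

    The pattern is anchored on the exact package name, so a query for
    'binutils' does not match 'binutils-debug', and the trailing anchor
    excludes the detached .sig signature files.
    """
    pat = re.compile(
        rf"^{re.escape(pkgname)}-([^-]+)-(\d+)-{re.escape(arch)}\.pkg\.tar\.zst$"
    )
    found = []
    for href in HREF_RE.findall(index_html):
        m = pat.match(href)
        if m:
            found.append((href, m.group(1), m.group(2)))
    return found


def latest_package(index_html: str, pkgname: str, arch: str = "x86_64"):
    """Filename of the newest version of pkgname, or None if it is absent."""
    candidates = list_packages(index_html, pkgname, arch)
    if not candidates:
        return None
    return max(candidates, key=lambda c: version_key(c[1], c[2]))[0]


def package_urls(filename: str, base: str = REPO_BASE):
    """Download URLs for the package and for its detached .sig signature."""
    return urljoin(base, filename), urljoin(base, filename + ".sig")


def decompressed_name(filename: str) -> str:
    """Name of the .pkg.tar that 'zstd -d' writes, ready for tar in bash."""
    if not filename.endswith(".zst"):
        raise ValueError("expected a .zst archive")
    return filename[: -len(".zst")]


if __name__ == "__main__":
    for name in ("binutils", "nasm"):
        newest = latest_package(SAMPLE_INDEX, name)
        pkg_url, sig_url = package_urls(newest)
        print(f"{name}: {newest}")
        print(f"  package:   {pkg_url}")
        print(f"  signature: {sig_url}")
        print(f"  after zstd -d: {decompressed_name(newest)}")
```

To use it against the live repository, fetch the index page with curl.exe or Invoke-WebRequest and pass the HTML to latest_package; the .sig URL is returned alongside the package so the detached signature can be downloaded and checked before the archive is expanded with zstd and extracted with tar as shown above.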
Look at Search Index DB Reporter (SIDR) for inclusion, https://github.com/strozfriedberg/sidr.
Add https://github.com/seladb/PcapPlusPlus/releases/tag/v22.11 for working with pcap files.
Install Rust:
And then add:
Consider adding Ruby to the sandbox. Look at https://github.com/oneclick/rubyinstaller2. It would make it possible to add https://github.com/gollum/gollum and read GitHub wikis offline, making it easier to read this project's wiki with tips and help once that has been added.
Add apktool https://apktool.org/docs/install/