Category Archives: DFIR

All DFIR related posts

DFIR 014 – Continuous IR

Nice little post here on continuous IR, and how it can feed into the program as a whole.

Making Incident Response a Security Program Enabler

The approach an organization can take to move incident response from a reactive process to a proactive one involves the following steps:

– Improving an organization’s incident response capabilities
– Improving an organization’s root cause analysis capabilities
– Improving an organization’s security monitoring capabilities
– Influencing others to see incident response as a continuous process
– Operationalizing incident response information
– Collecting and documenting data for the organization’s incident response metrics
– Analyzing the organization’s incident response metrics to produce intelligence
– Presenting the intelligence to appropriate stakeholders

DFIR 013 – Adding Malformity to SIFT

This is a quick post on how I added Malformity to my SIFT workstation. This process is super complex, so you have to make sure you are really paying attention…… ;-)

First get Malformity….

git clone https://github.com/digital4rensics/Malformity.git

Change into the new Malformity folder, and run the following

sudo python setup.py install

OK, once that is done, you need to run the following

canari create-profile Malformity

Finally, open up Maltego, and click on the main icon in the upper left hand corner. Choose import, then import configuration, and just follow the prompts then.

Enjoy!


DFIR 012 – Clam AV rules to Yara

This post was inspired while I was playing around with the new SIFT workstation, and I needed to get my tools and scripts on the VM. A couple of team members saw what I was doing, and did not know this was possible so I figured I would write up a quick post on how to convert your Clam AV database to a set of Yara rules that you can use during your investigations.

You can get the Python script here

# for Clam AV
# should be installed, but this is to verify
sudo apt-get install clamav clamav-freshclam
sudo freshclam

# for Yara
sudo apt-get install libpcre3 libpcre3-dev
sudo apt-get install yara

# unpack the CVD into the current directory (this produces main.ndb, among
# other files), then convert the body signatures to Yara rules
sigtool -u /var/lib/clamav/main.cvd
python clamav_to_yara.py -f main.ndb -o clamav.yara

There is one rule I had to manually clean up though…….

vim +199819 clamav.yara

Once that is done, you can use this file anywhere you would use your yara rule.
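To show what the conversion step above actually does, here is a small converter written for this post as an added example; it is not the clamav_to_yara.py script linked above, and the .ndb lines it runs on are constructed for the demo, not real ClamAV signatures. It translates the common body-signature syntax (`??` nibble wildcards, `*`, `{n}`, `{n-m}`, `{-n}`, `{n-}` jumps and `(aa|bb)` alternatives) into YARA hex strings, sanitises malware names into valid rule identifiers, and, rather than emitting something YARA will choke on, reports every signature it cannot translate, which is the "manual clean-up" situation the post mentions.

```python
"""ClamAV .ndb body signatures -> YARA rules (added example, not the
clamav_to_yara.py script the post links to)."""
import re

# Constructed .ndb lines for the demo (invented names and bytes, not real
# ClamAV signatures). Field layout: Name:TargetType:Offset:HexSignature
SAMPLE_NDB = """\
Demo.Trojan.Agent-1:1:0:4d5a90000300{4}ffff0000b8
Demo.Backdoor.Generic:0:*:68656c6c6f??776f726c64{2-6}2121
Demo.Exploit.PDF-Gen:10:*:25504446*2f4a617661536372697074
Demo.Dropper.Alt:0:*:e8(0000|1111)0000c3
Demo.Bad.Syntax:0:*:!aabbccdd
Demo.Trojan.Agent-1:0:*:cafebabe
"""


class UnsupportedSignature(ValueError):
    """Raised for ClamAV syntax this converter does not translate."""


_TOKEN_RE = re.compile(r"\{[^}]*\}|\*|\([0-9a-fA-F?|]+\)|[0-9a-fA-F?]{2}")
_JUMP_RE = re.compile(r"\{(\d*)(-?)(\d*)\}")
_BYTE_RE = re.compile(r"[0-9a-fA-F]{2}")


def _jump(tok: str) -> str:
    """Map ClamAV {n}, {n-m}, {-n}, {n-} to YARA [n], [n-m], [0-n], [n-]."""
    m = _JUMP_RE.fullmatch(tok)
    if not m or (not m.group(2) and not m.group(1)):
        raise UnsupportedSignature(f"bad jump {tok!r}")
    lo, dash, hi = m.groups()
    if not dash:
        return f"[{lo}]"
    lo = lo or "0"
    return f"[{lo}-{hi}]" if hi else f"[{lo}-]"


def _alternatives(tok: str) -> str:
    """Map ClamAV (aabb|cc) to YARA ( aa bb | cc ); literal bytes only."""
    out = []
    for alt in tok[1:-1].split("|"):
        if not alt or len(alt) % 2 or "?" in alt:
            raise UnsupportedSignature(f"bad alternative {tok!r}")
        out.append(" ".join(alt[i:i + 2] for i in range(0, len(alt), 2)))
    return "( " + " | ".join(out) + " )"


def clam_hex_to_yara(hexsig: str) -> str:
    """Translate a ClamAV hex body into the inside of a YARA hex string."""
    tokens, pos = [], 0
    while pos < len(hexsig):
        m = _TOKEN_RE.match(hexsig, pos)
        if not m:  # e.g. '!' negation, odd nibble counts, (B)/(L) markers
            raise UnsupportedSignature(
                f"unsupported syntax at {pos}: {hexsig[pos:pos + 6]!r}")
        tokens.append(m.group())
        pos = m.end()
    # YARA rejects hex strings that begin or end with a wildcard or jump.
    if not tokens or not _BYTE_RE.fullmatch(tokens[0]) \
            or not _BYTE_RE.fullmatch(tokens[-1]):
        raise UnsupportedSignature("must start and end with a literal byte")
    parts = []
    for tok in tokens:
        if tok == "*":
            parts.append("[-]")
        elif tok.startswith("{"):
            parts.append(_jump(tok))
        elif tok.startswith("("):
            parts.append(_alternatives(tok))
        else:
            parts.append(tok.lower())
    return " ".join(parts)


def _yara_identifier(name: str, seen: dict) -> str:
    """Turn 'Trojan.Agent-1' into a unique, valid YARA rule name."""
    ident = re.sub(r"[^A-Za-z0-9_]", "_", name)[:100]
    if ident[0].isdigit():
        ident = "sig_" + ident
    n = seen.get(ident, 0)
    seen[ident] = n + 1
    return ident if n == 0 else f"{ident}_{n}"


def ndb_to_yara(ndb_text: str):
    """Return (list of YARA rule texts, list of (name, reason) skipped)."""
    rules, skipped, seen = [], [], {}
    for raw in ndb_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            skipped.append((line, "fewer than 4 fields"))
            continue
        name, target, offset, hexsig = fields[:4]
        try:
            body = clam_hex_to_yara(hexsig)
        except UnsupportedSignature as exc:
            skipped.append((name, str(exc)))
            continue
        # A numeric offset becomes 'at N'; '*' means anywhere. Relative forms
        # such as EP+n or EOF-n are kept in meta only, not enforced.
        cond = f"$sig at {offset}" if offset.isdigit() else "$sig"
        rules.append(
            f"rule {_yara_identifier(name, seen)}\n{{\n"
            f"    meta:\n"
            f"        source = \"clamav\"\n"
            f"        clamav_name = \"{name}\"\n"
            f"        target_type = {int(target) if target.isdigit() else -1}\n"
            f"        clamav_offset = \"{offset}\"\n"
            f"    strings:\n"
            f"        $sig = {{ {body} }}\n"
            f"    condition:\n"
            f"        {cond}\n"
            f"}}\n"
        )
    return rules, skipped


if __name__ == "__main__":
    converted, dropped = ndb_to_yara(SAMPLE_NDB)
    print("\n".join(converted))
    for sig_name, reason in dropped:  # these are the ones to fix by hand
        print(f"// skipped {sig_name}: {reason}")
```

Run it as-is and it prints five rules plus one "skipped" line for the `!aabbccdd` signature, which uses a negation this converter does not handle; on a real main.ndb you would feed the file's contents to `ndb_to_yara` and review the skipped list before loading the output into yara, which is the same hand-editing step the post describes.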

Pretty cool!