DFIR open source tools.
What it does
Allows capturing multiple types of forensic data from Windows hosts without having to install any kind of agent, using native Windows capabilities such as WinRM, PowerShell, Netsh and more. Once the data is captured it is moved into XSOAR, where it is parsed and analyzed by multiple tools such as XSOAR PcapMiner, Regipy (a Python library for analyzing the registry), and many more.
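The agentless collection flow described above, as an added example that is not the project's own integration code: open a PowerShell remoting session, run the native netsh trace and reg.exe tools on the host, and pull the ETL file and hives back over the same session for downstream parsing. The host name, credential prompt, paths and the -UseSSL switch (the HTTPS listener mentioned under "What's next") are assumptions; it expects PowerShell 5.0 or later on both sides for Copy-Item -FromSession.

```powershell
# Added example (not the project's code): agentless DFIR collection over WinRM.
param(
    [string]$ComputerName = 'WS01.corp.example',   # assumed target host name
    [string]$OutDir       = 'C:\cases\WS01',       # assumed analyst-side drop folder
    [switch]$UseSSL                                # use the HTTPS (5986) WinRM listener
)

$cred      = Get-Credential                       # account with local admin + WinRM rights
$remoteDir = 'C:\Windows\Temp\dfir'               # assumed staging folder on the host
$sessParams = @{ ComputerName = $ComputerName; Credential = $cred }
if ($UseSSL) { $sessParams['UseSSL'] = $true; $sessParams['Port'] = 5986 }
$s = New-PSSession @sessParams

# 1. Capture network traffic with the built-in netsh trace provider (produces an ETL file,
#    which is what the ETL-to-PCAP step and PcapMiner consume later).
Invoke-Command -Session $s -ScriptBlock {
    param($dir)
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    netsh trace start capture=yes tracefile="$dir\net.etl" maxsize=200 overwrite=yes | Out-Null
    Start-Sleep -Seconds 60                       # short capture window; adjust per case
    netsh trace stop | Out-Null
    # 2. Save registry hives with reg.exe; these are the inputs Regipy parses.
    foreach ($h in 'SYSTEM','SOFTWARE','SAM','SECURITY') {
        reg save "HKLM\$h" "$dir\$h.hiv" /y | Out-Null
    }
    # 3. Cheap volatile state alongside the larger artifacts.
    Get-Process -IncludeUserName | Export-Csv "$dir\processes.csv" -NoTypeInformation
    Get-NetTCPConnection       | Export-Csv "$dir\tcp.csv"       -NoTypeInformation
} -ArgumentList $remoteDir

# 4. Pull everything back through the same session (no SMB share or agent needed),
#    hash it for chain of custody, then remove the staging folder from the host.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
Copy-Item -Path "$remoteDir\*" -Destination $OutDir -FromSession $s
Get-ChildItem $OutDir | Get-FileHash -Algorithm SHA256 |
    Export-Csv "$OutDir\manifest.csv" -NoTypeInformation
Invoke-Command -Session $s -ScriptBlock { param($d) Remove-Item $d -Recurse -Force } -ArgumentList $remoteDir
Remove-PSSession $s
```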
How I built it
Created a PowerShell integration that allows opening a remote session to a host, and multiple Python tools such as an ETL-to-PCAP converter, Regipy, which is used to parse registry data, and Volatility to parse memory dumps.
Challenges I ran into
Creating a Docker image to support PS remoting without SSH. Developing a new OOTB PowerShell integration. Covering the most critical aspects to focus on within a short time limit.
Accomplishments that I'm proud of
Creating a complete suite of tools covering various forensic aspects: acquiring, retrieving and analyzing data.
What I learned
How to implement an agentless DFIR tool suite, and best practices for which data to capture. Working with PowerShell integrations.
What's next for Windows Forensics Using Powershell Remoting
Improving security by using HTTPS for WinRM, providing more commands and playbooks to gather and parse more data, and creating a polling mechanism for PowerShell.