Forensics

Log2Timeline / Plaso

docker pull log2timeline/plaso
docker run -v /root/LiveResponseData/CopiedFiles/eventlogs/Logs:/data log2timeline/plaso psteal --source /data -w /data/plaso.csv --workers 10

LogonTracer

docker pull jpcertcc/docker-logontracer
docker run --detach --publish=7474:7474 --publish=7687:7687 --publish=8080:8080 -e LTHOSTNAME=[IP_Address] jpcertcc/docker-logontracer

TimeSketch

curl -s -O https://raw.githubusercontent.com/google/timesketch/master/contrib/deploy_timesketch.sh
chmod 755 deploy_timesketch.sh
sudo ~/deploy_timesketch.sh
cd timesketch
sudo docker compose up -d
sudo docker compose exec timesketch-web tsctl create-user <USERNAME>

SofElk

PreviousCaptive Portal NextPlaso

Last updated 1 year ago

Forensics

Log2Timeline / Plaso

docker pull log2timeline/plaso
docker run -v /root/LiveResponseData/CopiedFiles/eventlogs/Logs:/data log2timeline/plaso psteal --source /data -w /data/plaso.csv --workers 10

LogonTracer

docker pull jpcertcc/docker-logontracer
docker run --detach --publish=7474:7474 --publish=7687:7687 --publish=8080:8080 -e LTHOSTNAME=[IP_Address] jpcertcc/docker-logontracer

TimeSketch

curl -s -O https://raw.githubusercontent.com/google/timesketch/master/contrib/deploy_timesketch.sh
chmod 755 deploy_timesketch.sh
sudo ~/deploy_timesketch.sh
cd timesketch
sudo docker compose up -d
sudo docker compose exec timesketch-web tsctl create-user <USERNAME>

SofElk

PreviousCaptive Portal NextPlaso

Last updated 1 year ago