A preconfigured Windows-based system designed for rapid forensic investigations in both Azure and AWS.
CiscoCXSecurity/Cloud-Investigate
Cloud-Investigate

Purpose

This project contains a set of Terraform and Ansible scripts for AWS and Azure that create a disposable, IaC (Infrastructure as Code), cloud-based forensic system. The goal of the project is to give blue teams the ability to quickly deploy a pre-configured Windows-based server for basic forensic investigation of various artifacts with minimal overhead. The system and its data can be deleted easily once the investigation is concluded.


Tools included

A global YAML config file, `os-setup.yml`, sets the versions of the tools and the specific URLs they should be downloaded from, along with system names, credentials and other details.

The following tools are currently deployed in the default configuration of Cloud Investigate:

| Tool | Tool Location | Notes |
|---|---|---|
| Sysinternals Suite | C:\Tools\SysinternalsSuite\ | Unzipped tool suite |
| Arsenal Image Mounter | C:\Tools\ArsenalTools\ | Installer |
| Arsenal Registry Recon | C:\Tools\ArsenalTools\ | Installer |
| Arsenal Hive Recon | C:\Tools\ArsenalTools\ | Installer |
| Arsenal Hibernation Recon | C:\Tools\ArsenalTools\ | Installer |
| Arsenal HIBN Recon | C:\Tools\ArsenalTools\ | Installer |
| Arsenal ODC Recon | C:\Tools\ArsenalTools\ | Installer |
| Burp Community Edition | C:\Program Files\BurpSuiteCommunity\ | Installed tool |
| Fireeye Redline | C:\Tools\MandiantTools\ | Installer |
| Fireeye Memoryze | C:\Tools\MandiantTools\ | Installer |
| Fireeye Highlighter | C:\Tools\MandiantTools\ | Installer |
| Velociraptor | C:\Tools\Velociraptor\ | Unzipped tool suite |
| Kape | C:\tools\KAPE\ | Unzipped tool suite |
| Windows Subsystem for Linux | C:\Linux | Installed tool |
| Autopsy | C:\Program Files\ | Installed tool |
| Chocolatey | C:\ProgramData\Chocolatey | Installed tool |
| NirLauncher Package | C:\tools\NirLauncher | Installed tool |
| 7zip | C:\Program Files\7-Zip | Installed tool |
| Winrar | C:\ProgramData\Chocolatey | Installed tool |
| Notepad++ | C:\Program Files\Notepad++ | Installed tool |
| Megatools | C:\ProgramData\Chocolatey | Installed tool |
| WinDBG | C:\Program Files (x86)\Windows Kits\ | Installed tool |
| WinSCP | C:\Program Files (x86)\WinSCP | Installed and added to PATH |
| EricZimmerman Tools | C:\tools\ericzimmermantools | Unzipped tool suite |
| wireshark | C:\Program Files\Wireshark | Installed and added to PATH |
| ext2fsd | C:\Program Files\Ext2Fsd | Installed and added to PATH |
| Firefox Browser | C:\Program Files\Mozilla Firefox | Installed tool |
| Chrome Browser | C:\Program Files\Google | Installed tool |
| Python3.10 | C:\Python310 | Installed and added to PATH |
| Volatility2 | C:\ProgramData\Chocolatey | Installed and added to PATH |
| radare2 | C:\ProgramData\Chocolatey | Installed and added to PATH |
| qemu-img | C:\ProgramData\Chocolatey | Installed and added to PATH |
| qemu | C:\Program Files\qemu | Installed and added to PATH |
| sandboxie-plus | C:\Program Files\Sandboxie-Plus | Installed tool |
| smartftp | C:\Program Files\SmartFTP Client | Installed tool |
| Cygwin | C:\tools\Cygwin | Installed tool |
| kubernetes-cli | C:\ProgramData\Chocolatey | Installed tool |
| putty | C:\Program Files\PuTTY | Installed tool |
| yara | C:\ProgramData\Chocolatey | Installed and added to PATH |
| powertoys | C:\Program Files\PowerToys | Installed tool |
| virtualmachineconverter | C:\Program Files\Microsoft Virtual Machine Converter | Installed tool |
| HashCheck | C:\Program Files\HashCheck | Installed and added as a menu option |
| Brim | C:\Users\\AppData\Local\Programs\brim\ | Installed tool |
| Plaso | C:\tools\plaso | Source Code |
| volatility3 | C:\tools\volatility3\ | Source Code |
| SANS Sift packages (200+) | C:\Linux\download\ | Tool installed inside WSL via nohup job |
| TOR Browser | C:\ProgramData\chocolatey\lib\tor-browser\tools\tor-browser\Browser | Installed tool |
| PassMark OSForensics | C:\Program Files\OSForensics | Installed tool |
| PassMark OSFMount | C:\Program Files\OSFMount | Installed tool |
| PassMark VolatilityWorkbench | C:\tools\passmark | Installer |
| Secure remove context menu using sDelete64 | C:\tools\sdelete.reg | Installed and added as a menu option |
| BitVise SSH Server | C:\Program Files\Bitvise SSH Server | Installed tool |
| NetworkMiner | C:\tools\NetworkMiner | Installer |
| DidierStevensSuite | C:\tools\DidierStevensSuite | Zipped tool suite |
| Splunk | C:\tools\SplunkInstaller | Installer |
| Docker | N/A | Installed inside of WSL |
| Sysmon | C:\Windows\ | Installed as a service to log all actions on the system |
| Zircolite | C:\tools\Zircolite\ | Source Code |
| RITA | C:\tools\RITA\ | Source Code |
| PESTUDIO | C:\tools\pestudio\ | Zipped tool suite |

The following KAPE plugins/add-ons were also added to the KAPE installation in `C:\tools\KAPE`:

| Tool | Tool Location | Notes |
|---|---|---|
| KAPE-EZToolsAncillaryUpdater | C:\tools\KAPE\ | KAPE updater executed during deployment |
| reg_hunter | C:\tools\KAPE\Modules\bin\ | reg_hunter plugin |
| SEPparser | C:\tools\KAPE\Modules\bin\ | SEPparser plugin |
| srum_dump | C:\tools\KAPE\Modules\bin\ | srum_dump plugin |
| OneDriveExplorer | C:\tools\KAPE\Modules\bin\ | OneDriveExplorer plugin |
| hindsight | C:\tools\KAPE\Modules\bin\ | hindsight plugin |
| dhparser | C:\tools\KAPE\Modules\bin\ | dhparser plugin |
| CCMRUAFinder_RecentlyUsedApps | C:\tools\KAPE\Modules\bin\ | CCMRUAFinder_RecentlyUsedApps plugin |
| BMC-Tools_RDPBitmapCacheParse | C:\tools\KAPE\Modules\bin\ | BMC-Tools_RDPBitmapCacheParse plugin |
| sigcheck | C:\tools\KAPE\Modules\bin\ | sigcheck plugin |
| INDXRipper | C:\tools\KAPE\Modules\bin\ | INDXRipper plugin |
| Chainsaw | C:\tools\KAPE\Modules\bin\ | Chainsaw plugin |
| hayabusa | C:\tools\KAPE\Modules\bin\ | hayabusa plugin |
| LevelDBDumper | C:\tools\KAPE\Modules\bin\ | LevelDBDumper plugin |
| McAfeeStinger | C:\tools\KAPE\Modules\bin\ | McAfeeStinger plugin |
| Kaspersky_TDSSKiller | C:\tools\KAPE\Modules\bin\ | Kaspersky_TDSSKiller plugin |
| EvtxHussar | C:\tools\KAPE\Modules\bin\ | EvtxHussar plugin |
| Nirsoft Tools | C:\tools\KAPE\Modules\bin\ | Various Nirsoft plugins as defined by Kape files |
| RegRipper | C:\tools\KAPE\Modules\bin\ | RegRipper plugin |
| TZWorks CAFAE | C:\tools\KAPE\Modules\bin\ | TZWorks CAFAE plugin |
| TZWorks evtwalk64 | C:\tools\KAPE\Modules\bin\ | TZWorks evtwalk64 plugin |
| NTFS Log Tracker v1.7 CMD | C:\tools\KAPE\Modules\bin\ | NTFS Log Tracker v1.7 CMD plugin |

Prerequisites for Azure

A number of tools need to be installed on your system in order to use this setup. Please follow the steps below to ensure that the CLI and API tooling required by Azure/AWS is fully functional before deployment.

```shell
# Step 1 - Install Azure CLI. More details on https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-linux?pivots=apt
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

# Step 2 - Install Terraform. More details on https://learn.hashicorp.com/tutorials/terraform/install-cli
sudo apt-get update && sudo apt-get install -y gnupg software-properties-common curl
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
sudo apt-get update && sudo apt-get install terraform

# Step 3 - Install Ansible. More details on https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html
sudo apt update
sudo apt install software-properties-common
sudo add-apt-repository --yes --update ppa:ansible/ansible
sudo apt update
sudo apt install ansible

# Step 4 - Finally install python and the various packages needed for remote connections and other activities
sudo apt install python3 python3-pip
pip3 install pywinrm requests msrest msrestazure azure-cli requests-ntlm
```

Prerequisites for AWS

```shell
# Step 1 - Install AWS CLI. More details on https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install

# Step 2 - Install Terraform. More details on https://learn.hashicorp.com/tutorials/terraform/install-cli
sudo apt-get update && sudo apt-get install -y gnupg software-properties-common curl
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
sudo apt-get update && sudo apt-get install terraform

# Step 3 - Install Ansible. More details on https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html
sudo apt update
sudo apt install software-properties-common
sudo add-apt-repository --yes --update ppa:ansible/ansible
sudo apt update
sudo apt install ansible

# Step 4 - Finally install python and the various packages needed for remote connections and other activities
# (pywinrm, requests and requests-ntlm are Python packages, so they are installed with pip3, not apt)
sudo apt install python3 python3-pip
pip3 install pywinrm requests requests-ntlm
```
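Before running Terraform it is worth confirming that the prerequisites from the Azure and AWS steps above actually landed on the deployment host. The following pre-flight script is an added example, not part of the Cloud-Investigate project; the function names are my own, and it checks the CLIs the README installs plus the Python modules that Ansible's WinRM connection needs (`pywinrm` imports as `winrm`, `requests-ntlm` as `requests_ntlm`).

```shell
#!/bin/sh
# Pre-flight check for the host that will run terraform/ansible against Azure or AWS.
# Added example; not part of the Cloud-Investigate project.

# Print, one per line, the command names from the arguments that are not on PATH.
missing_commands() {
  for name in "$@"; do
    command -v "$name" >/dev/null 2>&1 || printf '%s\n' "$name"
  done
}

# Print, one per line, the Python modules from the arguments that python3 cannot import.
missing_py_modules() {
  for mod in "$@"; do
    python3 -c "import $mod" >/dev/null 2>&1 || printf '%s\n' "$mod"
  done
}

# Check everything the README's prerequisite steps install for the given cloud.
# Returns 0 when all are present, 1 when something is missing, 2 on bad usage.
preflight() {
  case "$1" in
    azure) cli=az ;;
    aws)   cli=aws ;;
    *) echo "usage: preflight azure|aws" >&2; return 2 ;;
  esac
  missing=$(
    missing_commands "$cli" terraform ansible git python3 pip3
    # Modules Ansible's winrm connection plugin needs to reach the Windows host.
    missing_py_modules winrm requests requests_ntlm
  )
  if [ -n "$missing" ]; then
    echo "Missing prerequisites for $1:" >&2
    printf '%s\n' "$missing" | sed 's/^/  /' >&2
    return 1
  fi
  echo "All prerequisites for $1 are present; safe to run terraform init/plan/apply."
}

# Run the check only when executed with a cloud name; sourcing the file without
# arguments just defines the functions.
if [ $# -gt 0 ]; then
  preflight "$1"
fi
```

Run it as `sh preflight.sh azure` or `sh preflight.sh aws` from the directory you will run `terraform` in; a non-zero exit and a list on stderr means the corresponding step above has not completed.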

Building and Deploying Cloud Investigate system

Once all the prerequisites are installed, perform the following series of steps:

```shell
# Log in to Azure or AWS from the command line to ensure that the access token is valid (Azure) or credentials are added (AWS):
az login # For Azure
aws configure # For AWS

# Clone the repository and move to the Cloud-Investigate folder:
git clone https://github.com/op7ic/Cloud-Investigate.git
cd Cloud-Investigate/azure # For Azure
cd Cloud-Investigate/aws # For AWS

# Initialize Terraform and begin planning:
terraform init && terraform plan

# Create your lab using the following command:
terraform apply -auto-approve

# Once done, destroy your lab using the following command:
terraform destroy -auto-approve

# If you would like to time the execution, use the following command:
start_time=$(date +%s) && terraform apply -auto-approve && end_time=$(date +%s) && echo "execution time was $((end_time - start_time)) s"
```

Deploying different OS versions or limiting the number of created hosts

A global variables file, Azure `variables.tf` or AWS `variables.tf`, sets the type of operating system, SKU, AMI and VM size used for the deployment of the VMs.

The commands `az vm image list` (Azure) or `aws ec2 describe-images` (AWS) can be used to identify available OS versions so that the global operating system file (Azure `variables.tf` or AWS `variables.tf`) can be modified with the corresponding SKU or AMI. Examples of commands that help identify a specific AMI/SKU can be found below.

```shell
# Azure

# List all Windows workstation SKUs and images
az vm image list --publisher MicrosoftWindowsDesktop --all -o table
# List all Windows server SKUs and images
az vm image list --publisher WindowsServer --all -o table
# List all Debian server SKUs and images
az vm image list --publisher Debian --all -o table
# List all RedHat server SKUs and images
az vm image list --publisher RedHat --all -o table
# List all Canonical server SKUs and images
az vm image list --publisher Canonical --all -o table

# AWS

# List all Windows server AMIs
aws ec2 describe-images --owners amazon --filters Name=root-device-type,Values=ebs Name=architecture,Values=x86_64 Name=name,Values=*Windows_Server*English*Base* --query 'Images[].{ID:ImageId,Name:Name,Created:CreationDate}' --region us-east-1
```

Please note that Windows desktop (i.e. Windows 10/11) is currently not supported on AWS EC2 without a custom AMI, so the AWS version of Cloud-Investigate does not support its deployment, as it relies on pre-existing images. That said, the AWS `variables.tf` can easily be modified to reference custom AMIs.

Changing network ranges and deployment location

Location and network ranges can be set using the global variables in the Azure `variables.tf` or AWS `variables.tf` file. The runtime variables can also be overridden to specify the region or network ranges, as shown below:

```shell
# Use default options for Azure or AWS
terraform apply -auto-approve

# Use East US region to deploy the lab for Azure
terraform apply -auto-approve -var="region=East US"

# Use East US region to deploy the lab for AWS
terraform apply -auto-approve -var="region=us-east-1a"

# Use East US and change Windows Workstation or Server ranges for Azure
terraform apply -auto-approve -var="region=East US" -var="windows_server_subnet_cidr=10.0.0.0/24"

# Use East US and change Windows Workstation or Server ranges for AWS
terraform apply -auto-approve -var="region=us-east-1a" -var="windows_server_subnet_cidr=10.0.0.0/24"
```

Firewall Configuration

The following table summarises the set of firewall rules applied across the Cloud Investigate environment in the default configuration. To add new firewall rules as needed, modify the Firewall Rule Setup section of the Azure `main.tf` or AWS `main.tf` file.

| Rule Name | Network Security Group | Source Host | Source Port | Destination Host | Destination Port |
|---|---|---|---|---|---|
| Allow-RDP | windows-nsg | Your Public IP | * | Windows Servers, Windows Desktops | 3389 |
| Allow-WinRM | windows-nsg | Your Public IP | * | Windows Servers, Windows Desktops | 5985 |
| Allow-WinRM-secure | windows-nsg | Your Public IP | * | Windows Servers, Windows Desktops | 5986 |
| Allow-SMB | windows-nsg | Your Public IP | * | Windows Servers, Windows Desktops | 445 |
| Allow-SFTP | windows-nsg | Your Public IP | * | Windows Servers, Windows Desktops | 22 |

Internally, the following static IP ranges are used for this environment in the default configuration:

| Hosts | Internal IP range | Notes |
|---|---|---|
| Windows System | 10.0.10.0/24 | |

FAQ

- How do I add a new KAPE module?
  - Edit both the `kape` Ansible role and `os-setup.yml` to handle actions such as downloading, unpacking and adjusting the location of the binary, as required by the mkape module.
- How do I add new tools?
  - Edit both the `tools` Ansible role and `os-setup.yml` to handle actions such as downloading, unpacking and adjusting the location of the tool you would like to add to the list. Alternatively, open a pull request to add it to the master repository.
- How do I securely wipe the data?
  - This system comes with sdelete installed as a 'Secure Delete' option in the right-click menu, which you can execute on a folder or a specific file. It uses the sdelete binary to remove the file/folder and overwrite its content three times. Alternatively, a copy of the sdelete binaries is in `C:\tools\SysinternalsSuite`.
- I get `Disk *-disk already exists in resource group Cloud-Investigate. Only CreateOption.Attach is supported.` or a similar error.
  - Re-run the Terraform commands `terraform destroy -auto-approve && terraform apply -auto-approve` to destroy and re-create the lab. This error seems to show up when Azure doesn't clean up all the disks properly, leaving resources with the same name behind.
- How do I modify network segments, deployment size or other variables?
  - Modify the Terraform Azure `variables.tf` or AWS `variables.tf` file to change your setup. Alternatively, each variable can be changed at runtime by appending `-var` to `terraform apply`. For example, `terraform apply --auto-approve -var="region=East US 2"` would set a region different from the default in the Azure `variables.tf` or AWS `variables.tf` file. The entire setup, including network ranges, operating systems and VM size, can be changed using a chain of `-var` parameters.
- I get `Max retries exceeded with url: /wsman` and then the connection gets refused when building a system.
  - Unfortunately, WinRM limitations mean that on occasion WinRM will simply stop working as expected and connections will freeze up. As a result, execution won't complete properly. Re-run `terraform apply -auto-approve` to repair the damaged host and redeploy the incomplete Ansible steps.

Contributing

Contributions, fixes, and improvements can be submitted directly for this project as a GitHub issue or a pull request.
