


DAISY: Say Hi to the New DS/AI-for-DFIR Virtual Machine!

May 17, 2021
Jess Garcia - One eSecurity
Twitter: j3ssgarcia - LinkedIn: garciajess

We are very excited to announce the release of the first version of DAISY, the DFIR Data Science & AI Virtual Machine.

[Image: DAISY logo, spelling out DFIR, Data Science and Artificial Intelligence]

DAISY is the next step of the DS4N6 project to facilitate the adoption of Data Science & AI by the DFIR Community at large.

Last month we released the ds4n6_lib library, which makes it much easier to ingest the output of forensic tools (such as plaso, KAPE, Kansa or Volatility) and analyze it with DS/AI techniques. That was a good first step.

But we felt the need for a way to deliver the whole environment easily to Forensicators. Installing via pip or GitHub and deploying containers is certainly not intuitive for many people, so we decided a virtual machine was the way to go. DAISY is that resulting Virtual Machine.

The priority when building this first (modest) version of DAISY was also to make it as intuitive and easy to use as possible for the average Forensicator.

You just need to download the DAISY Virtual Machine, launch it on VMware or VirtualBox, click on the browser icon on the desktop, and there you go: you have a Jupyter environment in front of you.

Then you can use the demo notebooks and evidence provided to get familiar with the ds4n6_lib library functions (also super-easy to use).

We have included cheatsheets, documentation, notebooks and evidence on the desktop. Everything is at hand so that your trip from the DFIR world to the DS/AI universe is as comfortable as possible.

A nice addition to DAISY has been the inclusion of Timesketch, a popular open source platform by Google for collaborative plaso supertimeline analysis, and picatrix, its Jupyter companion. Thanks to Kristinn Gudjonsson and Johan Berggren for their support. It's always a pleasure to work together! We will do our best to include more valuable DS/AI-oriented tools in DAISY in the future.

DAISY also contains a small set of common forensic tools (The Sleuth Kit, plaso, Volatility, etc.), in case you want to process your evidence directly on the VM.

In order to get started and learn the basics, take a look at this blog post: Getting Started With DAISY.

You can then refer to the blog posts in the ds4n6_lib section to learn how to work with ds4n6_lib, or to the Timesketch and picatrix documentation if you want to use those tools.

Maybe the most important advice I can give you when working with DAISY (and Jupyter in general) is to give your virtual machine as much memory as possible. 8GB is the minimum, we recommend 16GB or more if possible. You can actually get a PC with 128GB or 256GB of RAM at a very reasonable price these days, so I would suggest that you consider that option so you can get the best analysis user experience possible (we run it on servers with 1TB+ RAM, but I guess that's not so affordable for the average Forensicator).

Anyway, as said, this is our first take, so I'm pretty sure there are tons of things to improve and features to add. Please contact us with any feedback, questions or comments you may have.

Remember that we are just taking the first steps on this road. In the coming months we will be publishing more information about how to make the most of Data Science and AI for DFIR using ds4n6_lib and DAISY. But one step at a time!


Follow us: Twitter: @ds4n6_io - RSS News Feed - Youtube