[DAISY] Documentation (v0.5)

DAISY Cheat Sheet

ACCESS

Username: ds4n6
Password: forensics

INSTALLED PACKAGES

Package: Description
ds4n6_lib: The ds4n6_lib library is a Python library that provides an easy way to ingest and analyze forensic tool output (plaso, kape, kansa, volatility, etc.) in a Jupyter/pandas data science environment.
picatrix: Picatrix is a framework that is meant to be used within Colab or Jupyter notebooks. The framework is designed around providing a security analyst with the libraries to develop helper functions that will be exposed as magics and regular Python functions in notebooks.
TimeSketch: Timesketch is an open-source tool for collaborative forensic timeline analysis. Using sketches you and your collaborators can easily organize your timelines and analyze them all at the same time. Add meaning to your raw data with rich annotations, comments, tags and stars.
Jupyter: Project Jupyter exists to develop open-source software, open standards, and services for interactive computing across dozens of programming languages.
Anaconda3: Anaconda is a distribution of the Python and R programming languages for scientific computing (data science, machine learning applications, large-scale data processing, predictive analytics, etc.) that aims to simplify package management and deployment.

PYTHON PLUGINS

Package: Description
Timesketch-api-client: The Timesketch API client provides you with a set of Python libraries to connect to your Timesketch instance.
dill: dill extends Python's pickle module for serializing and de-serializing Python objects to the majority of the built-in Python types. Serialization is the process of converting an object to a byte stream; the inverse is converting a byte stream back to a Python object hierarchy.
untangle: untangle converts XML to a Python object.
qgrid: qgrid is a Jupyter notebook widget which uses SlickGrid to render pandas DataFrames within a Jupyter notebook. This allows you to explore your DataFrames with intuitive scrolling, sorting, and filtering controls, as well as edit your DataFrames by double-clicking cells.
ipyaggrid: ipyaggrid displays pandas DataFrames as dynamic HTML5 grids; standard options are accessible through configuration.
eland: Eland is a Python Elasticsearch client for exploring and analyzing data in Elasticsearch with a familiar pandas-compatible API.

JUPYTER PLUGINS

Package: Description
TOC: A Table of Contents extension for JupyterLab. This auto-generates a table of contents in the left area when you have a notebook or markdown document open. The entries are clickable, and scroll the document to the heading in question.
Collapsible Headings: Allows a notebook to have collapsible sections, separated by headings.
jupyterlab-manager: A JupyterLab 3.0 extension for Jupyter/IPython widgets.
ipynb: Module importer for importing code from Jupyter Notebook files.
jupyterlab-favorites: Adds the ability to save favorite folders to JupyterLab for quicker browsing.
osscar: A button in JupyterLab to run the code cells and then hide them. This JupyterLab extension was inspired by the jlab-hide-code JupyterLab extension from the Aachen (Aix) Virtual Platform for Materials Processing.
output_auto_scroll: Automatically scrolls scrollable output cells to the bottom when their content has changed.
gdown: Downloads a large file from Google Drive.

ANACONDA PLUGINS

Package: Description
Ipywidgets: Interactive HTML widgets for Jupyter notebooks and the IPython kernel.
pandas-bokeh: Pandas-Bokeh provides a Bokeh plotting backend for pandas, GeoPandas and PySpark DataFrames, similar to the already existing visualization feature of pandas. Importing the library adds a complementary plotting method plot_bokeh() on DataFrames and Series.
pyarrow: Provides a Python API for functionality provided by the Arrow C++ libraries, along with tools for Arrow integration and interoperability with pandas, NumPy, and other software in the Python ecosystem.

FORENSIC TOOLS

Package: Description
ds4n6_lib: The ds4n6_lib library is a Python library that provides an easy way to ingest and analyze forensic tool output (plaso, kape, kansa, volatility, etc.) in a Jupyter/pandas data science environment.
Sleuth Kit Tools (fls, mac-robber, mactime, etc.): Collection of command line tools and a C library that allows you to analyze disk images and recover files from them. It is used behind the scenes in Autopsy and many other open source and commercial forensics tools.
plaso: Plaso (Plaso Langar Að Safna Öllu), or "super timeline all the things", is a Python-based engine used by several tools for automatic creation of timelines. Plaso's default behavior is to create super timelines, but it also supports creating more targeted timelines.
Volatility v3: Volatility is the world's most widely used framework for extracting digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independently of the system being investigated but offer visibility into the runtime state of the system.
RegRipper: RegRipper is an open source tool, written in Perl, for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis.

DEMO FORENSICS EVIDENCE (OPTIONAL)

Precooked data for:

Case: Description
Szechuan Sauce case: Used for kape, volatility, autoruns and plaso-evtx
Magnet CTF 2019: Used for fstl and plaso
Ali Hadi User Policy Violation Case: Used for fls

OTHER

  • Cheat Sheets
  • Preloaded notebooks for ds4n6_lib

JUPYTERLAB

  • Browser Access Port: 8888
  • Token: Run Desktop Script

TIMESKETCH

  • Browser Access Port: 80
  • User: timesketch
  • Password: timesketch
  • Logs: /data/timesketch/logs/
  • Add new user:
    • $ cd /opt/timesketch
    • $ sudo docker-compose exec timesketch-web tsctl add_user --username <USERNAME>
  • Services control:
    • sudo systemctl (status|start|stop) docker-compose-timesketch
    • sudo docker ps

PICATRIX

  • Browser Access Port: 8888
  • Logs: /var/log/picatrix_server/picatrix_server.(out|err)
  • Services Control:
    • $ sudo supervisorctl (status|start|stop) picatrix_server
  • TS Credentials: /home/ds4n6/.timesketchrc and .timesketch.token