
Project to port forensics tools into docker containers. Docker containers available through Docker Hub using Github Actions.


docker-forensics-tools

  • This project runs various forensics tools in docker containers.
| Verified | What | Example Raw | Example Run |
|---|---|---|---|
| Y | pypykatz | `docker run ilostab6/pypykatz` | `docker run -v $(pwd):/w/ ilostab6/pypykatz lsa minidump /w/lsa.dump` |
| Y | sidr | `docker run ilostab6/sidr` | `docker run -v $(pwd):/w/ ilostab6/sidr sidr /w/` |
| Y | yara-x | `docker run ilostab6/yara-x` | `docker run -v $(pwd):/w/ ilostab6/yara-x yr scan /app/rules/ /w/capa_testfile.exe_` |
| Y | hayabusa | `docker run ilostab6/hayabusa` | `docker run -v $(pwd):/w/ ilostab6/hayabusa hayabusa csv-timeline --file /w/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx --no-wizard --min-level high` |
| Y | chainsaw | `docker run ilostab6/chainsaw` | `docker run -v $(pwd):/w/ ilostab6/chainsaw chainsaw hunt /w/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx -s /app/rules/ --mapping /app/mappings/sigma-event-logs-all.yml` |
| Y | capa | `docker run ilostab6/capa` | `docker run -v $(pwd):/w/ ilostab6/capa /w/capa_testfile.exe_ -r /app/rules/ -s /app/sigs/` |
| Y | densityscout | `docker run ilostab6/densityscout` | `docker run -v $(pwd):/w/ ilostab6/densityscout densityscout /w/capa_testfile.exe_` |
| Y | regripper 4.0 | `docker run ilostab6/regripper` | `docker run -v $(pwd):/w ilostab6/regripper -r /w/SYSTEM -a` |
| Y | sleuthkit | `docker run ilostab6/sleuthkit` | `docker run -v /mnt/ewf/:/w/ ilostab6/sleuthkit mmls /w/ewf1` |

Other projects

| Verified | What | Example Raw | Example Run |
|---|---|---|---|
| Y | log2timeline | `docker run log2timeline/plaso` | `docker run -v $PWD:/w/ log2timeline/plaso log2timeline.py` |
| Y | volatility2 | `docker run sk4la/volatility` | `docker run -v $PWD:/w sk4la/volatility -f /w/volatile.mem` |
| Y | volatility3 | `docker run sk4la/volatility3` | `docker run -v $PWD:/w sk4la/volatility3 -f /w/volatile.mem windows.pslist` |
| Y | velociraptor | `docker run ...` | `docker run ...` |
| Y | clamav | `sudo docker run clamav/clamav clamscan` | `sudo docker run -v $PWD:/w/ clamav/clamav clamscan /w/` |

VOL3 optimization for docker

  • sudo docker volume create symbols
  • sudo docker run -v symbols:/usr/local/lib/volatility3/volatility3/symbols/ -v $PWD:/w sk4la/volatility3 -f /w/volatile.mem windows.pslist --save-config /w/volatile.conf
  • sudo docker run -v symbols:/usr/local/lib/volatility3/volatility3/symbols/ -v $PWD:/w sk4la/volatility3 -c /w/volatile.conf

BUILD AND RUN

  • git clone https://github.com/ilostab/docker-forensics-tools.git && cd docker-forensics-tools
  • chmod +x build.sh
  • ./build.sh
  • docker run <tool-name>

Alternative

  • cd <tool-folder>
  • docker build -t <tool-name> .
  • docker run <tool-name>
  • Rust projects are built with a Docker builder, then moved to a distroless docker run environment to make the image smaller.

Similar project

Export Docker image

  • docker save <image-name> | gzip > <image-name>.tar.gz

Import Docker image

  • gunzip -c <image-name>.tar.gz | docker load

Future Work
