digital-forensics-labs/digital-forensics-lab
1
0
Fork 0
mirror of https://github.com/frankwxu/digital-forensics-lab.git synced 2026-02-20 13:40:40 +00:00
Code Issues Packages Projects Releases Wiki Activity

add docker for digital forensics

Browse Source
This commit is contained in:
Frank Xu
2023-08-28 20:55:30 -04:00
parent 28056bcb65
commit e239e418b6
3 changed files with 172 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
Help/Docker_4_Digital_Forensics.pptx Normal file
View File

Binary file not shown.

205
Help/scripts/docker/Dockerfile
View File

@@ -2,6 +2,9 @@ FROM ubuntu:22.04
LABEL author=Chimezie
# Set environmental variable to store installation summary
# Forces the selection of US Eastern Standard time Zone.
ENV TZ=US/Eastern \
DEBIAN_FRONTEND=noninteractive
@@ -31,7 +34,8 @@ RUN sudo dpkg --add-architecture i386 \
&& dpkg --add-architecture amd64 \
&& apt-get update \
&& apt-get install -y --no-install-recommends wine32 \
&& apt-get install --no-install-recommends --assume-yes wine
&& apt-get install --no-install-recommends --assume-yes wine
ENV DISPLAY :0
# Install other packages
@@ -51,24 +55,28 @@ RUN sudo apt -y install python3-pip \
# Install pff-tools
RUN sudo apt-get update \
&& sudo apt-get -y install pff-tools
&& sudo apt-get -y install pff-tools
# Install libesedb-utils
RUN sudo apt-get update \
&& sudo apt-get -y install libesedb-utils
&& sudo apt-get -y install libesedb-utils
# Install liblnk-utils
RUN sudo apt-get update
RUN sudo apt-get install -y liblnk-utils || { echo 'Package installation failed'; exit 1; }
RUN sudo apt-get install -y liblnk-utils || { echo 'Package installation failed'; exit 1; }
# Install usncarve
RUN sudo sudo apt-get update \
&& pip install usncarve
RUN sudo sudo apt-get update \
&& pip install usncarve
# Install usnparser
RUN sudo apt-get update \
&& pip install usnparser
&& pip install usnparser
# Install RegRipper
WORKDIR /tools
@@ -94,7 +102,7 @@ RUN dos2unix /tools/RegRipper30/RegRipper30-apt-git-Install.sh
RUN chmod +x /tools/RegRipper30/RegRipper30-apt-git-Install.sh
# Run the installer script
RUN /tools/RegRipper30/RegRipper30-apt-git-Install.sh
RUN /tools/RegRipper30/RegRipper30-apt-git-Install.sh
# Add RegRipper to the PATH
ENV PATH="/tools/RegRipper30:$PATH"
@@ -103,8 +111,7 @@ ENV PATH="/tools/RegRipper30:$PATH"
# Install Vinetto for Thumbcache
# Install Vinetto
RUN sudo apt-get update \
&& sudo apt-get -y install vinetto
&& sudo apt-get -y install vinetto
# Install time_decode
# Set the working directory
@@ -119,6 +126,7 @@ RUN git clone https://github.com/digitalsleuth/time_decode.git tools/time_decode
# Move the time_decode.py script to /usr/local/bin
RUN mv tools/time_decode/time_decode/time_decode.py /usr/local/bin/
# Set the working directory to the lab directory
WORKDIR /tools/lab
@@ -134,8 +142,8 @@ RUN sudo sh -c 'mv tools/INDXParse/*.py /usr/local/bin/.'
# Clone the INDXParse repository
RUN sudo apt-get update \
&& git clone https://github.com/williballenthin/INDXParse.git
&& git clone https://github.com/williballenthin/INDXParse.git
# Install the required Python packages
RUN sudo pip install construct
@@ -147,7 +155,7 @@ RUN git clone https://github.com/dkovar/analyzeMFT.git analyzeMFT \
&& cd analyzeMFT \
&& apt-get update \
&& apt-get install -y python3 \
&& python3 setup.py install
&& python3 setup.py install
# Install imgclip
# Set the working directory
@@ -156,9 +164,8 @@ WORKDIR /tools/lab
# Update and install imgclip dependencies
RUN sudo apt-get update \
&& apt-get install -y npm \
&& npm install -g imgclip
&& npm install -g imgclip
# Copy the necessary files to the container
# Set the working directory to the location of the index.js file
WORKDIR /usr/local/lib/node_modules/imgclip/node_modules/copy-paste
@@ -172,7 +179,8 @@ RUN sed -i '58s/if(text?.pipe)/if(text \&\& pipe)/' /usr/local/lib/node_modules/
# Install libvshadow-alpha-20210425
# Update the package repository and install required dependencies
RUN sudo apt-get update \
&& apt-get install -y libfuse-dev git autoconf automake autopoint libtool pkg-config
&& apt-get install -y libfuse-dev git autoconf automake autopoint libtool pkg-config
# Download libvshadow
@@ -189,7 +197,7 @@ RUN wget -q https://github.com/libyal/libvshadow/releases/download/20221030/libv
RUN tar -xzf libvshadow-alpha-20221030.tar.gz
# Cleanup unnecessary files
RUN rm libvshadow-alpha-20221030.tar.gz
RUN rm libvshadow-alpha-20221030.tar.gz
# Change directory to libvshadow-20210425
WORKDIR /tools/libvshadow-20221030
@@ -227,7 +235,7 @@ WORKDIR /tools/python-evtx
RUN sudo python3 setup.py install
# Install windowsprefetch
RUN sudo pip install windowsprefetch
RUN sudo pip install windowsprefetch
# Install undark for carving sqlite .db
WORKDIR /tools
@@ -329,7 +337,7 @@ RUN sudo apt-get install -y python3 python3-pip dwarfdump yara zip git
RUN git clone https://github.com/volatilityfoundation/volatility3.git /tools/volatility3
# Install Volatility 3 dependencies
RUN sudo pip3 install -r /tools/volatility3/requirements.txt
RUN sudo pip3 install -r /tools/volatility3/requirements.txt
# Add Volatility 3 to the PATH
ENV PATH="/opt/volatility3:${PATH}"
@@ -351,7 +359,7 @@ WORKDIR /tools/stego-toolkit/install
RUN chmod +x /tools/stego-toolkit/install/jphide.sh
# Run jphide.sh installation script
RUN /tools/stego-toolkit/install/jphide.sh
RUN /tools/stego-toolkit/install/jphide.sh
# Install stegdetect
# Set the working directory
@@ -367,34 +375,143 @@ RUN wget -q https://raw.githubusercontent.com/frankwxu/digital-forensics-lab/mai
# Copy stegdetect and stegbreak binaries to /usr/bin
RUN cp tools/stegdetect/stegdetect /usr/bin/. \
&& cp tools/stegdetect/stegbreak /usr/bin/.
&& cp tools/stegdetect/stegbreak /usr/bin/.
WORKDIR /
# Verify installations
RUN wine --version
RUN imgclip -h
RUN pffexport -h
RUN esedbexport -h
RUN lnkinfo -h
RUN usncarve.py -h
RUN usn.py -h
RUN rip.pl -h
RUN vinetto -h
RUN time_decode.py -h
RUN prefetch.py -h
RUN evtx_dump.py -h
RUN INDXParse.py -h
RUN analyzeMFT.py -h
RUN vshadowinfo -h
RUN undark -h
RUN true || jphide
RUN true || jpseek
RUN vol.py -h
RUN stegdetect -V || true
RUN wine --version
RUN imgclip -h
RUN pffexport -h
RUN esedbexport -h
RUN lnkinfo -h
RUN usncarve.py -h
RUN usn.py -h
RUN rip.pl -h
RUN vinetto -h
RUN time_decode.py -h
RUN prefetch.py -h
RUN evtx_dump.py -h
RUN INDXParse.py -h
RUN analyzeMFT.py -h
RUN vshadowinfo -h
RUN undark -h
RUN true || jphide
RUN true || jpseek
RUN vol.py -h
RUN stegdetect -V || true
RUN stegbreak -V || true
# Set the entry point or default command
# Set up environmental variables
ENV COLOR_GREEN='\e[1;32m'
ENV COLOR_RED='\e[1;31m'
ENV COLOR_RESET='\e[0m'
# Create an installation report directory
WORKDIR /installation_report
# Run tools' help commands to check installation status
RUN wine --version | grep -iq "wine32,Wine64" &>/dev/null \
&& echo "${COLOR_GREEN}Tool wine: Installation successful" >> /installation_report/installation_report.txt \
|| echo "${COLOR_RED}Tool wine: Installation failed" >> /installation_report/installation_report.txt
RUN imgclip -h | grep -iq "imgclip" &>/dev/null \
&& echo "${COLOR_GREEN}Tool imgclip: Installation successful" >> /installation_report/installation_report.txt \
|| echo "${COLOR_RED}Tool imgclip: Installation failed" >> /installation_report/installation_report.txt
RUN pffexport -h | grep -iq "pff-tools" &>/dev/null \
&& echo "${COLOR_GREEN}Tool pff-tools: Installation successful" >> /installation_report/installation_report.txt \
|| echo "${COLOR_RED}Tool pff-tools: Installation failed" >> /installation_report/installation_report.txt
RUN esedbexport -h | grep -iq "libesedb-utils" &>/dev/null \
&& echo "${COLOR_GREEN}Tool libesedb-utils: Installation successful" >> /installation_report/installation_report.txt \
|| echo "${COLOR_RED}Tool libesedb-utils: Installation failed" >> /installation_report/installation_report.txt
RUN lnkinfo -h | grep -iq "liblnk-utils" &>/dev/null \
&& echo "${COLOR_GREEN}Tool liblnk-utils: Installation successful" >> /installation_report/installation_report.txt \
|| echo "${COLOR_RED}Tool liblnk-utils: Installation failed" >> /installation_report/installation_report.txt
RUN usncarve.py -h | grep -iq "usncarve" &>/dev/null \
&& echo "${COLOR_GREEN}Tool usncarve: Installation successful" >> /installation_report/installation_report.txt \
|| echo "${COLOR_RED}Tool usncarve: Installation failed" >> /installation_report/installation_report.txt
RUN usn.py -h | grep -iq "usnparse" &>/dev/null \
&& echo "${COLOR_GREEN}Tool usnparse: Installation successful" >> /installation_report/installation_report.txt \
|| echo "${COLOR_RED}Tool usnparse: Installation failed" >> /installation_report/installation_report.txt
RUN rip.pl -h | grep -iq "RegRipper30" &>/dev/null \
&& echo "${COLOR_GREEN}Tool RegRipper30: Installation successful" >> /installation_report/installation_report.txt \
|| echo "${COLOR_RED}Tool RegRipper30: Installation failed" >> /installation_report/installation_report.txt
RUN vinetto -h | grep -iq "vinetto" &>/dev/null \
&& echo "${COLOR_GREEN}Tool vinetto: Installation successful" >> /installation_report/installation_report.txt \
|| echo "${COLOR_RED}Tool vinetto: Installation failed" >> /installation_report/installation_report.txt
RUN prefetch.py -h | grep -iq "windowsprefetch" &>/dev/null \
&& echo "${COLOR_GREEN}Tool windowsprefetch: Installation successful" >> /installation_report/installation_report.txt \
|| echo "${COLOR_RED}Tool windowsprefetch: Installation failed" >> /installation_report/installation_report.txt
RUN time_decode.py -h | grep -iq "time_decoder" &>/dev/null \
&& echo "${COLOR_GREEN}Tool time_decoder: Installation successful" >> /installation_report/installation_report.txt \
|| echo "${COLOR_RED}Tool time_decoder: Installation failed" >> /installation_report/installation_report.txt
RUN evtx_dump.py -h | grep -iq "evtx_dump" &>/dev/null \
&& echo "${COLOR_GREEN}Tool evtx_dump: Installation successful" >> /installation_report/installation_report.txt \
|| echo "${COLOR_RED}Tool evtx_dump: Installation failed" >> /installation_report/installation_report.txt
RUN INDXParse.py -h | grep -iq "INDXParser" &>/dev/null \
&& echo "${COLOR_GREEN}Tool INDXParser: Installation successful" >> /installation_report/installation_report.txt \
|| echo "${COLOR_RED}Tool INDXParser: Installation failed" >> /installation_report/installation_report.txt
RUN analyzeMFT.py -h | grep -iq "analyzeMFT" &>/dev/null \
&& echo "${COLOR_GREEN}Tool analyzeMFT: Installation successful" >> /installation_report/installation_report.txt \
|| echo "${COLOR_RED}Tool analyzeMFT: Installation failed" >> /installation_report/installation_report.txt
RUN vshadowinfo -h | grep -iq "libvshadow" &>/dev/null \
&& echo "${COLOR_GREEN}Tool libvshadow: Installation successful" >> /installation_report/installation_report.txt \
|| echo "${COLOR_RED}Tool libvshadow: Installation failed" >> /installation_report/installation_report.txt
RUN undark -h | grep -iq "undark" &>/dev/null \
&& echo "${COLOR_GREEN}Tool lundark: Installation successful" >> /installation_report/installation_report.txt \
|| echo "${COLOR_RED}Tool undark: Installation failed" >> /installation_report/installation_report.txt
RUN true || jphide | grep -iq "undark" &>/dev/null \
&& echo "${COLOR_GREEN}Tool jphide: Installation successful" >> /installation_report/installation_report.txt \
|| echo "${COLOR_RED}Tool jphide: Installation failed" >> /installation_report/installation_report.txt
RUN true || jpseek | grep -iq "jpseek" &>/dev/null \
&& echo "${COLOR_GREEN}Tool jpseek: Installation successful" >> /installation_report/installation_report.txt \
|| echo "${COLOR_RED}Tool jpseek: Installation failed" >> /installation_report/installation_report.txt
RUN vol.py -h | grep -iq "jpseek" &>/dev/null \
&& echo "${COLOR_GREEN}Tool volatilty2, volatility3: Installation successful" >> /installation_report/installation_report.txt \
|| echo "${COLOR_RED}Toolvolatilty2, volatility3: Installation failed" >> /installation_report/installation_report.txt
RUN stegdetect -V || true | grep -iq "jpseek" &>/dev/null \
&& echo "${COLOR_GREEN}Tool stegdetect: Installation successful" >> /installation_report/installation_report.txt \
|| echo "${COLOR_RED}Tool stegdetect: Installation failed" >> /installation_report/installation_report.txt
RUN stegbreak -V || true | grep -iq "stegbreak" &>/dev/null \
&& echo "${COLOR_GREEN}Tool stegbreak: Installation successful" >> /installation_report/installation_report.txt \
|| echo "${COLOR_RED}Tool stegbreak: Installation failed" >> /installation_report/installation_report.txt
# Display the installation report
RUN cat /installation_report/installation_report.txt
# Installation summary report
# Display summary information
# Copy the script into the current directory
# COPY entrypoint.sh .
# Make the script executable
# RUN chmod +x entrypoint.sh
# Execute the script
# RUN /entrypoint.sh
# Mount an inteactive terminal when container starts
CMD ["/bin/bash"]
# End of the Dockerfile

15
README.md
View File

@@ -1,6 +1,6 @@
# Digital Forensics Lab & Shared Cyber Forensic Intelligence Repository
<img src="https://upload.wikimedia.org/wikipedia/commons/3/3c/BJA_Logo.png" width="150"> <img src="https://www.nist.gov/sites/default/files/images/2017/06/16/dsh-st.jpg" width="150">
<img src="https://upload.wikimedia.org/wikipedia/commons/3/3c/BJA_Logo.png" width="150"> <img src="https://www.nist.gov/sites/default/files/images/2017/06/16/dsh-st.jpg" width="150"><img src="https://www.nsf.gov/news/mmg/media/images/bitmaplogo_nolayers_f_e50fcd0b-607b-4271-a808-914d9c2f65dc.png" width="110">
### Features of Repository
@@ -35,7 +35,7 @@ or in BibTeX
---
## Table of Contents (Added: AI for Forensics - Identifying IPs with a Fine-tuned Model, 8/2023)
## Table of Contents (Newly Added: 1. AI for Forensics - Identifying IPs with a Fine-tuned Model, 2. Docker for Digital Forensics, 09/2023)
- Basic Computer Skills for Digital Forensics
@@ -84,7 +84,7 @@ or in BibTeX
- AI for Forensics
- [Identifying IP Addresses using a Fine-tuned AI Model](/AI4Forensics/IP_Identifier_Fine_Tuning/IP_Identifer_Fine_Tuning.pptx)
## Tool Installation (newly added on 12/6/2021)
## Tool Installation
### Method 1: Importing customized Kali VM image
@@ -101,7 +101,7 @@ The following script will install tools needed for completing most of the labs l
- Install [Kali 2021.4](http://old.kali.org/kali-images/kali-2021.4/). Notes: Suggest You configure the disk size of Kali VM 80G because the size of each leakage cases image is 30G+
- How to run the installation script [instructions](https://raw.githubusercontent.com/frankwxu/digital-forensics-lab/main/Help/Tool_installation.pptx), or you can simply follow the commands below
- Run a tool installation script [instructions](https://raw.githubusercontent.com/frankwxu/digital-forensics-lab/main/Help/Tool_installation.pptx), or you can simply follow the commands below
```
wget https://raw.githubusercontent.com/frankwxu/digital-forensics-lab/main/Help/tool-install-zsh.sh
@@ -111,6 +111,13 @@ chmod +x tool-install-zsh.sh
- Installed [tools](#Tools). Note that most of the commands for tools can executed globally. Now you can skip most of tool installation steps in PPTs.
### Method 3: Using a Docker container based on Ubuntu 22.04 LTS (added in 09/23, may need more testing, report any issues please)
- The host machine of the Docker container is Ubuntu 22.04 LTS.
- The container is built on top of Ubuntu 22.04 LTS as well.
- All tools are pre-install on the Ubuntu container.
- You can follow the tuturial [Docker for Digital Forensic Investgiation](https://raw.githubusercontent.com/frankwxu/digital-forensics-lab/main/Help/Docker_4_Digital_Forensics.pptx)
---
### Investigating NIST Data Leakage