Getting Started With DAISY

First of all, let me welcome you to our new DS/AI-for-DFIR Virtual Machine, DAISY. The goal of this post is to explain you how to start working with DAISY by telling you how to run the main tools and what we have prepared for you. In case these are your first steps with this VM and you want to know more about how to get it or what it includes, here you have some references you may be interested in:

• DAISY: Say Hi to the New DS/AI-for-DFIR Virtual Machine!
• Download/Install Instructions DAISY v0.5
• Cheat Sheet DAISY v0.5
• ds4n6_lib Library Documentation

Before telling you what everything is, it is important to say that we have two versions of DAISY:

• Demo: it has some evidence we got from parsing some public evidence with the tools compatible with ds4n6_lib. It has some notebooks ready-to-use with these evidence so you don't need anything else to play
• Production: this VM has not any precooked evidence/notebooks to play

Everything is exactly the same in both versions, except for the differences explained above.

Here you have the credentials for the first login:

Username: ds4n6
Password: forensics

In the same way we did with ds4n6_lib, we are trying to make as easier as possible the use of DS and AI for all the forensicators, so you will see a Desktop with all the links you need to work: tools, evidence, notebooks, cheat sheets, etc. Let me explain you a little bit more about this.

What is JupyerLab?

JupyterLab is the web-based user interface for Project Jupyter. This tool is the one we are going to use to run our notebooks.

How can I open it?

As working with notebooks is the main goal of DAISY, it is the default webpage for the browsers. Also, You can access from the JupyterLab link in the Desktop and it is bookmarked in the browsers too.

How can I log in?

For the login, you will need a token you can get by running with a double click the “Get Jupyter Token” script you have in the Desktop. Just copy the token you get on the terminal and paste it in the browser form to access.

How can I start playing?

To make your life easier with JupyterLab and show you how it works together with our new ds4n6_lib library, we have created some notebooks you will find under the “Notebooks” folder when you open JupyterLab for the first time. As you can see, there are two different folders “Notebooks”: “Demo_notebooks” and “Template_notebooks”.

• The “Demo notebooks” are already prepared to work with the precooked evidence you have in /mnt/data (only if you download the version with precooked evidence), so you just run all cells and start playing.
• The “Template_notebooks” are created to work with your own data, so you just fill the variables (file path or whatever each notebook needs), and start working with it.

The structure that these notebooks follow is the same as we have published previously for the d4n6_lib library. If you want more information about them or/and the functions used I recommend you to take a look in here.

What is TimeSketch?

TimeSketch is an open-source tool for collaborative forensic timeline analysis created by Google.

How can I open it?

You will find it on your browser on port 80, bookmarked in the browsers and via Desktop link

How can I log in?

Fill the form with these credentials:

User: timesketch
Password: timesketch

How can I start playing?

Once you have accessed, you can import your timelines to start working with them. If you want to try TimeSketch, you have a plaso CSV already prepared to be imported in /mnt/Precooked/Szechuan/szechuan_dc01_plaso_log2timeline_reduced.csv. Once the timeline is uploaded, you can perform different actions to your data. These analysis can be imported to a Jupyter DataFrame with Picatrix

What is Picatrix?

Picatrix is a designed library to run TimeSketch functionalities in Jupyter notebooks, allowing the import of the data we are analyzing with TimeSketch as dataframes to continue your analysis in JupyterLab.

How can I open it?

Picatrix is installed as a package of the JupyterLab installation, so if you want to use the picatrix functions, you have to log into the JupyterLab as explained above

How can I log in?

There are no specific credentials for picatrix, you only have to log into the JupyterLab

How can I start playing?

If you want to know all the picatrix functions and some basic functionality, you have a notebook created under the “Notebooks/Template_notebooks/picatrix.ipynb” folder when you open JupyterLab (/opt/ds4n6/anaconda3/Notebooks/Template_notebooks/picatrix.ipynb), so you just have to run the cells

In the DAISY VM you will not find only tools, but other resources that can be interesting for you and make your work easier:

• Data: the data link in the Desktop points to /mnt/data, where you will find some precooked evidence (if you have downloaded this version) you can use to learn and play. We have precooked evidence for all the tools supported by ds4n6_lib
• Notebooks: this link in the Desktop points to the /opt/ds4n6/anaconda3/Notebooks folder, so you can easily work with the notebooks
• Browser links in the Desktop: you have links to TimeSketch (http://localhost), JupyterLab (http://localhost:8888) and DS4N6 site, where you will find many interesting blogs and other resources about DAISY, ds4n6_lib and other Data Science and Machine Learning references
• Cheat Sheets: we have included some DAISY and ds4n6_lib Cheat Sheets in the Desktop, so you have the most relevant information in every moment

So that's all for the moment. Stay tuned as we will keep posting many interesting resources and blog posts to show you everything you can do with DAISY.

Stay Tuned and contact us if you have any comment or question!

Enjoy!!

Follow us: Twitter: @ds4n6_io - RSS News Feed - Youtube