This website www.ds4n6.io uses its own and third party cookies to collect information that helps to optimize your visit to their web pages. Cookies will not be used to collect personal information. You can either allow or reject their use. You can also change their settings at any time. You will find more information on our Cookie Policy page.

OK

[ds4n6_lib] User Manual (v0.5) >> [ds4n6_lib] v0.5 Highlights

[ds4n6_lib] v0.5 Highlights

Tools Supported autoruns, kape, kansa, plaso, mactime, macrobber, volatility
Advanced Artifact Support (HAM) svclist, pslist, flist, amcache, evtx, winreg, fstl

New Core Functions

The main purpose of the project has been doing your job as easier as possible, creating new functions to perform all the hard work for you.

Function Usage Type Description
whatis() whatis(obj) CLI Identifies the forensic data type of an object (DataFrame -df- or DataFrame Collection -dfs-)
xread() xread(options) GUI Reads tool output data (e.g. plaso output) and stores it in a df/dfs
xmenu() xmenu(obj) GUI Used to easily select a dataframe from dfs, or a column from a df, displaying the selected data and allowing manual (Excel-like) analysis on it
xanalysis() xanalysis(obj, options) GUI Displays a menu with the advanced analysis functions available for the data type (i.e. forensic artifact) given
xdisplay() xdisplay() GUI Used to select the display settings for the dataframes that will be displayed (max. rows, max. columns, etc.)
simple() df.simple(options) CLI Simplifies forensic output (df) showing only the most interesting columns for analysis.
xgrep() xgrep(obj, options) CLI UNIX-like grep for the DataFrame world. Allows the user to search for a regular expression in a DF column or full DF
plaso_get_evtxdfs() plaso_get_evtxdfs(obj,options) CLI Creates dictionary of events from evtx files using Plaso Dataframe dictionary and the hostname.
evtid_dfs_build() evtid_dfs_build(obj) CLI Creates dictionary of event IDs from Security/System events DataFrame. This helps to identify events based on individual event IDs.

There are other functions available in ds4n6_lib, but we have selected the ones that are more user-friendly as the “Core” ones, which allow you to access most of the functionalities of the framework with minimum effort. In the future we will be publishing more low level details for those users who need more flexibility in order to create scripts, analysis pipelines, etc.

You can find examples on how to use those functions here.

Priorities

As a summary, in this release we have focused on the following aspects:

  • Usability: we want the average forensicator to have an easy transition so they can use the environment in a similar way as traditional tools, while it opens the window to a new world of flexibility and analysis power. So we've been creating on how to integrate GUI components wherever possible (dropdown menus, buttons, excel-like analysis front-ends, etc.). Moreover, we have integrated the library with qgrid and ag-grid
  • Simplicity: the number of commands you need to use is minimal, the library hides a lot of the complexity of the python & DS world. Of course you will need to learn more as you go, but this lowers the bar to start easily and get quick wins. We have created the following functions to make your life easier: simple / xray / analysis / findevil Global Accessors / dfgrep
  • Integration: you can import the data from multiple different analysis tools (kape, kansa, etc.).
  • Knowledge Enrichment: the library incorporates knowledge information that enriches the output of analysis tools (e.g. for Windows events, it will show the description of the eventID, it will add the corresponding description of the LogonTypes numbers, etc.).
  • One platform that rules them all: the forensicator will now be able to use a single environment (Jupyter) to analyze all the output from all the different tools (kansa, kape, plaso, volatility, etc.).

Main Features

  • Posibility of reading data from different forensic tools (plaso, kape, kansa, volatility, …)
  • xmenu() and xanalysis() graphical utilities for manual and automated forensic data analysis
  • Harmonization (HAM) of forensic tool output from different tools into a Harmonized unified format per artifact
  • Easy evtx analysis
  • User friendly
  • Data export possibility
  • Test notebooks for educational/template purposes

You can find more technical information about the library here.