This website www.ds4n6.io uses its own and third party cookies to collect information that helps to optimize your visit to their web pages. Cookies will not be used to collect personal information. You can either allow or reject their use. You can also change their settings at any time. You will find more information on our Cookie Policy page.

OK

AIDFIR / DS4N6 Tools >> ds4n6_lib v.01 (ds4n6.py)

ds4n6_lib v.01 (ds4n6.py)

Overview

The ds4n6.py library provides multiple functions that can be used either standalone or in Jupyter (some of the functions are specifically designed to provide a friendly Jupyter output/visualization).

The library is divided in 3 broad categories:

  • DS4N6 (Post-)Processing & Analysis Functions.
  • Knowledge Variables & Functions.
  • Helper Functions.

Since most of the functions are designed (as of today) to aid in the post-processing / analysis of the output of traditional forensics tools (sleuthkit, plaso, etc.) the DS4N6 functions are aggregated by their corresponding tool.

Download

Latest version:

Functions

DS4N6 Functions

Name Description
GENERIC ANALYSIS FUNCTIONS
df_outlier_analysis(indf,sensitivity)
exefile_analysis(exefs, thisexef_path)
unique_files_folder_analysis(exefs, thisexed_path, exef_intg_max_occs, compop='==', recurse=False, prevdays=0, tsfield='m', verbose=False)
exefs_analysis(exefs,thisexef_path)
FILE SYSTEM TIMELINE
read_fstl(fstlf, windows=False)
fstl_size_top_n(fstl, n)
read_fstls_filetypes(fstld, hosts, file_types, verbose=False)
PLASO
read_plaso_l2tcsv(plasof)
read_plaso_json(plasof)
KANSA
read_kansa(kansad)
VOLATILITY
read_volatility(evd, prefix, ext)
volatility_pslist_unfrequent_process_analysis(pslistdf, n)
volatility_pslist_boot_time_anomaly_analysis(pslistdf, secs=30)
volatility_processes_parent_analysis(pslistdf, critical_only=False)
WINDOWS EVENT LOGS (evtx)
read_evtx(evtxf,verbose=True)
evtid_enrich(evtid)
evtid_stats(evt)
evtidsdf()
evtidssr()
evt_nonsysusers_stats(evts4624)
evt_nonsysusers_access_stats(evts4624,firstdate,lastdate,freq)
evt_nonsysusers_access_graph(evts4624,firstdate,lastdate)
evt_nonsysusers_autoencoder_analysis(evts4624,firstdate,lastdate)

Knowledge Variables & Functions

Variables

Variable Name Type Description
WINDOWS EVENT LOGS (evtx)
critical_processes Series Critical Windows Processes (See SANS Hunt Evil Poster)
boot_start_processes Series Windows Processes Started at Boot time (See SANS Hunt Evil Poster)
process_parents DataFrame Well-known parent processes of critical Windows processes

Helper Functions

Name Description
FILE MANAGEMENT
save_obj_pickle() Save a python object to disk (dict, DataFrame, etc.)
load_obj_pickle() Load a python object from disk (dict, DataFrame, etc.)