This project contains a set of Terraform and Ansible scripts for AWS and Azure to create a disposable, IaaC, cloud-based forensic system. The goal of this project is to provide blue teams with the ability to deploy a quick pre-configured Windows-based server to perform basic forensic investigation on various artifacts with minimal overhead. The system and data can be easily deleted after investigation is concluded.
A global YAML config file, os-setup.yml, sets the versions of the tools and specific URLs which should be downloaded along with system names, credentials and other details.
The following tools are currently deployed in the default configuration of Cloud Investigate:
| Tool | Tool Location | Notes |
|---|---|---|
| Sysinternals Suite | C:\Tools\SysinternalsSuite\ | Unzipped tool suite |
| Aresnal Image Mouter | C:\Tools\ArsenalTools\ | Installer |
| Arsenal Registry Recon | C:\Tools\ArsenalTools\ | Installer |
| Arsenal Hive Recon | C:\Tools\ArsenalTools\ | Installer |
| Arsenal Hibernation Recon | C:\Tools\ArsenalTools\ | Installer |
| Arsenal HIBN Recon | C:\Tools\ArsenalTools\ | Installer |
| Arsenal ODC Recon | C:\Tools\ArsenalTools\ | Installer |
| Burp Community Edition | C:\Program Files\BurpSuiteCommunity\ | Installed tool |
| Velociraptor | C:\Tools\Velociraptor\ | Unzipped tool suite |
| Kape | C:\tools\KAPE\ | Unzipped tool suite |
| Windows Subsystem for Linux | C:\Linux | Installed tool |
| Autopsy | C:\Program Files\ | Installed tool |
| Chocolatey | C:\ProgramData\Chocolatey | Installed tool |
| NirLauncher Package | C:\tools\NirLauncher | Installed tool |
| 7zip | C:\Program Files\7-Zip | Installed tool |
| Winrar | C:\ProgramData\Chocolatey | Installed tool |
| Notepad++ | C:\Program Files\Notepad++ | Installed tool |
| Megatools | C:\ProgramData\Chocolatey | Installed tool |
| WinDBG | C:\Program Files (x86)\Windows Kits\ | Installed tool |
| WinSCP | C:\Program Files (x86)\WinSCP | Installed and added to PATH |
| EricZimmerman Tools | C:\tools\ericzimmermantools | Unzipped tool suite |
| wireshark | C:\Program Files\Wireshark | Installed and added to PATH |
| ext2fsd | C:\Program Files\Ext2Fsd | Installed and added to PATH |
| Firefox Browser | C:\Program Files\Mozilla Firefox | Installed tool |
| Chrome Browser | C:\Program Files\Google | Installed tool |
| Python3.10 | C:\Python310 | Installed and added to PATH |
| Volatility2 | C:\ProgramData\Chocolatey | Installed and added to PATH |
| radare2 | C:\ProgramData\Chocolatey | Installed and added to PATH |
| qemu-img | C:\ProgramData\Chocolatey | Installed and added to PATH |
| qemu | C:\Program Files\qemu | Installed and added to PATH |
| sandboxie-plus | C:\Program Files\Sandboxie-Plus | Installed tool |
| smartftp | C:\Program Files\SmartFTP Client | Installed tool |
| Cygwin | C:\tools\Cygwin | Installed tool |
| kubernetes-cli | C:\ProgramData\Chocolatey | Installed tool |
| putty | C:\Program Files\PuTTY | Installed tool |
| yara | C:\ProgramData\Chocolatey | Installed and added to PATH |
| powertoys | C:\Program Files\PowerToys | Installed tool |
| virtualmachineconverter | C:\Program Files\Microsoft Virtual Machine Converter | Installed tool |
| HashCheck | C:\Program Files\HashCheck | Installed and added as a menu option |
| Plaso | C:\tools\plaso | Source Code |
| volatility3 | C:\tools\volatility3\ | Source Code |
| SANS Sift packages (200+) | C:\Linux\download\ | Tool installed inside WSL via nohup job |
| TOR Browser | C:\ProgramData\chocolatey\lib\tor-browser\tools\tor-browser\Browser | Installed tool |
| PassMark OSForensics | C:\Program Files\OSForensics | Installed tool |
| PassMark OSFMount | C:\Program Files\OSFMount | Installed tool |
| PassMark VolatilityWorkbench | C:\tools\passmark | Installer |
| Secure remove contex menu using sDelete64 | C:\tools\sdelete.reg | Installed and added as a menu option |
| BitVise SSH Server | C:\Program Files\Bitvise SSH Server | Installed tool |
| NetworkMiner | C:\tools\NetworkMiner | Installer |
| DidierStevensSuite | C:\tools\DidierStevensSuite | Zipped tool suite |
| Splunk | C:\tools\SplunkInstaller | Installer |
| Docker | N/A | Installed inside of WSL |
| Sysmon | C:\Windows\ | Installed as service to log all actions on the system |
| Zircolite | C:\tools\Zircolite\ | Source Code |
| RITA | C:\tools\RITA\ | Source Code |
| PESTUDIO | C:\tools\pestudio\ | Zipped tool suite |
The following KAPE plugins/addones were also added for KAPE installation in C:\tools\KAPE:
| Tool | Tool Location | Notes |
|---|---|---|
| KAPE-EZToolsAncillaryUpdater | C:\tools\KAPE\ | KAPE updater executed during deployment |
| reg_hunter | C:\tools\KAPE\Modules\bin\ | reg_hunter plugin |
| SEPparser | C:\tools\KAPE\Modules\bin\ | SEPparser plugin |
| srum_dump | C:\tools\KAPE\Modules\bin\ | srum_dump plugin |
| OneDriveExplorer | C:\tools\KAPE\Modules\bin\ | OneDriveExplorer plugin |
| hindsight | C:\tools\KAPE\Modules\bin\ | hindsight plugin |
| dhparser | C:\tools\KAPE\Modules\bin\ | dhparser plugin |
| CCMRUAFinder_RecentlyUsedApps | C:\tools\KAPE\Modules\bin\ | CCMRUAFinder_RecentlyUsedApps plugin |
| BMC-Tools_RDPBitmapCacheParse | C:\tools\KAPE\Modules\bin\ | BMC-Tools_RDPBitmapCacheParse plugin |
| sigcheck | C:\tools\KAPE\Modules\bin\ | sigcheck plugin |
| INDXRipper | C:\tools\KAPE\Modules\bin\ | INDXRipper plugin |
| Chainsaw | C:\tools\KAPE\Modules\bin\ | Chainsaw plugin |
| hayabusa | C:\tools\KAPE\Modules\bin\ | hayabusa plugin |
| LevelDBDumper | C:\tools\KAPE\Modules\bin\ | LevelDBDumper plugin |
| McAfeeStinger | C:\tools\KAPE\Modules\bin\ | McAfeeStinger plugin |
| Kaspersky_TDSSKiller | C:\tools\KAPE\Modules\bin\ | Kaspersky_TDSSKiller plugin |
| EvtxHussar | C:\tools\KAPE\Modules\bin\ | EvtxHussar plugin |
| Nirsoft Tools | C:\tools\KAPE\Modules\bin\ | Various Nirsoft plugins as defined by Kape files |
| RegRipper | C:\tools\KAPE\Modules\bin\ | RegRipper plugin |
| TZWorks CAFAE | C:\tools\KAPE\Modules\bin\ | TZWorks CAFAE plugin |
| TZWorks evtwalk64 | C:\tools\KAPE\Modules\bin\ | TZWorks evtwalk64 plugin |
| NTFS Log Tracker v1.7 CMD | C:\tools\KAPE\Modules\bin\ | NTFS Log Tracker v1.7 CMD plugin |
A number of features need to be installed on your system in order to use this setup. Please follow steps below to ensure that CLI and API required by Azure/AWS are fully functional before deployment.
# Step 1 - Install Azure CLI. More details on https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-linux?pivots=apt
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
# Step 2 - Install Terraform. More details on https://learn.hashicorp.com/tutorials/terraform/install-cli
sudo apt-get update && sudo apt-get install -y gnupg software-properties-common curl
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
sudo apt-get update && sudo apt-get install terraform
# Step 3 - Install Ansible. More details on https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html
sudo apt update
sudo apt install software-properties-common
sudo add-apt-repository --yes --update ppa:ansible/ansible
sudo apt update
sudo apt install ansible
# Step 4 - Finally install python and various packages needed for remote connections and other activities
sudo apt install python3 python3-pip
pip3 install pywinrm requests msrest msrestazure azure-cli requests-ntlm
pip3 install -r https://raw.githubusercontent.com/ansible-collections/azure/v1.14.0/requirements-azure.txt# Step 1 - Install AWS CLI. More details on https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
# Step 2 - Install Terraform. More details on https://learn.hashicorp.com/tutorials/terraform/install-cli
sudo apt-get update && sudo apt-get install -y gnupg software-properties-common curl
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
sudo apt-get update && sudo apt-get install terraform
# Step 3 - Install Ansible. More details on https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html
sudo apt update
sudo apt install software-properties-common
sudo add-apt-repository --yes --update ppa:ansible/ansible
sudo apt update
sudo apt install ansible
# Step 4 - Finally install python and various packages needed for remote connections and other activities
sudo apt install python3 python3-pip
pip3 install pywinrm requests requests-ntlmOnce all the prerequisites are installed, perform the following series of steps:
# Log in to Azure or AWS from command line to ensure that the access token is valid or credentials are added for AWS:
az login # For Azure
aws configure # For AWS
# Clone Repository and move to Cloud-Investigate folder:
git clone https://github.com/op7ic/Cloud-Investigate.git
cd Cloud-Investigate/azure # For Azure
cd Cloud-Investigate/aws # For AWS
# Initialize Terraform and begin planning:
terraform init && terraform plan
# Create your lab using the following command:
terraform apply -auto-approve
# Once done, destroy your lab using the following command:
terraform destroy -auto-approve
# If you would like to time the execution use the following command:
start_time=`date +%s` && terraform apply -auto-approve && end_time=`date +%s` && echo execution time was `expr $end_time - $start_time` sA global YAML config file, Azure variables.tf or AWS variables.tf, sets the type of operating system, SKU, AMI and VM size used for the deployment of the VMs.
Commands az vm image list (Azure) or aws ec2 describe-images (AWS) can be used to identify various OS versions so that global operating system file (Azure variables.tf or AWS variables.tf can be modified with the correspodning SKU or AMI. Examples of commands helping to identify specific AMI/SKU can be found below.
# Azure
# List all Windows workstation SKUs and images
az vm image list --publisher MicrosoftWindowsDesktop --all -o table
# List all Windows server SKUs and images
az vm image list --publisher WindowsServer --all -o table
# List all Debian server SKUs and images
az vm image list --publisher Debian --all -o table
# List all RedHat server SKUs and images
az vm image list --publisher RedHat --all -o table
# List all Canonical server SKUs and images
az vm image list --publisher Canonical --all -o table
# AWS
# List all Windows server AMIs
aws ec2 describe-images --owners amazon --filters Name=root-device-type,Values=ebs Name=architecture,Values=x86_64 Name=name,Values=*Windows_Server*English*Base* --query 'Images[].{ID:ImageId,Name:Name,Created:CreationDate}' --region us-east-1Please note that Windows desktop (i.e. Windows 10/11) is currently not supported on AWS EC2 without a custom AMI, so the AWS version of Cloud-Investigate does not support its deployment, as it relies on the pre-existing images. That said, AWS variables.tf can be easily modified to include a reference to custom AMIs.
Location and network ranges can be set using global variables in Azure variables.tf or the AWS variables.tf file. A simple modification to runtime variables also allows to specify regions or network ranges as seen below:
# Use default options for Azure or AWS
terraform apply -auto-approve
# Use East US region to deploy the lab for Azure
terraform apply -auto-approve -var="region=East US"
# Use East US region to deploy the lab for AWS
terraform apply -auto-approve -var="region=us-east-1a"
# Use East US and change Windows Workstation or Server ranges for Azure
terraform apply -auto-approve -var="region=East US" -var="windows_server_subnet_cidr=10.0.0.0/24"
# Use East US and change Windows Workstation or Server ranges for AWS
terraform apply -auto-approve -var="region=us-east-1a" -var="windows_server_subnet_cidr=10.0.0.0/24"
The following table summarises a set of firewall rules applied across the Cloud Investigate enviroment in default configuration. Please modify the azure main.tf or aws main.tf file to add new firewall rules, as needed, in the Firewall Rule Setup section.
| Rule Name | Network Security Group | Source Host | Source Port | Destination Host | Destination Port |
|---|---|---|---|---|---|
| Allow-RDP | windows-nsg | Your Public IP | * | Windows Servers, Windows Desktops | 3389 |
| Allow-WinRM | windows-nsg | Your Public IP | * | PWindows Servers, Windows Desktops | 5985 |
| Allow-WinRM-secure | windows-nsg | Your Public IP | * | Windows Servers, Windows Desktops | 5986 |
| Allow-SMB | windows-nsg | Your Public IP | * | Windows Servers, Windows Desktops | 445 |
| Allow-SFTP | windows-nsg | Your Public IP | * | Windows Servers, Windows Desktops | 22 |
Internally the following static IP ranges are used for this enviroment in the default configuration:
| Hosts | Internal IP range | Notes |
|---|---|---|
| Windows System | 10.0.10.0/24 |
-
How to add new KAPE module?
- Edit both kape Ansible role and os-setup.yml to handle actions such as downloading, unpacking and adjusting location of binary as per mkape module.
-
How do I add new tools?
- Edit both tools Ansible role and os-setup.yml to handle actions such as downloading, unpacking and adjusting location of the tool you would like to add to the list. Alternatively drop me a pull request to add it to master repository.
-
How do I securely wipe the data?
- This system comes with a sdelete installed as 'Secure Delete' option in right-click menu that you can execute on a folder or specific file. It will use sdelete binary to remove and overwrite content of the file/folder three times. Alternatively there is a copy of sdelete binaries in C:\tools\SysinternalsSuite
-
I get
Disk *-disk already exists in resource group Cloud-Investigate. Only CreateOption.Attach is supported.or something similar to this error.- Re-run terraform commands
terraform destroy -auto-approve && terraform apply -auto-approveto destroy and re-create the lab. This error seems to show up when Azure doesn't clean up all the disks properly so there are leftover resources with the same name.
- Re-run terraform commands
-
How do I modify network segments, deployment size or other variables?
- Modify the Terraform Azure variables.tf or AWS variables.tf file to change your setup. Alternatively, each variable can be changed during runtime by appending
-vartoterraform apply. For example,terraform apply --auto-approve -var="region=East US 2"would modify a region to be different then the default set in the Azure variables.tf or AWS variables.tf file. The entire setup, including network ranges, operating systems and the VM size can be changed, using a chain of the-varparameters.
- Modify the Terraform Azure variables.tf or AWS variables.tf file to change your setup. Alternatively, each variable can be changed during runtime by appending
-
I get
Max retries exceeded with url: /wsmanand then connection gets refused when building a system.- Unfortunately WinRM limitations mean that, on occasion, WinRM will simply stop working as expected and instead connections will freeze up. As a result, execution won't behave properly. Rerun
terraform apply -auto-approveto repair the damaged host and redeploy incomplete Ansible steps.
- Unfortunately WinRM limitations mean that, on occasion, WinRM will simply stop working as expected and instead connections will freeze up. As a result, execution won't behave properly. Rerun
Contributions, fixes, and improvements can be submitted directly for this project as a GitHub issue or a pull request.