• Stars
    star
    779
  • Rank 58,364 (Top 2 %)
  • Language
  • License
    GNU Affero Genera...
  • Created over 2 years ago
  • Updated about 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Dissect is a digital forensics & incident response framework and toolset that allows you to quickly access and analyse forensic artefacts from various disk and file formats, developed by Fox-IT (part of NCC Group).

dissect

Dissect is a digital forensics & incident response framework and toolset that allows you to quickly access and analyse forensic artefacts from various disk and file formats, developed by Fox-IT (part of NCC Group).

This project is a meta package, it will install all other Dissect modules with the right combination of versions. For more information, please see the documentation.

What is Dissect?

Dissect is an incident response framework build from various parsers and implementations of file formats. Tying this all together, Dissect allows you to work with tools named target-query and target-shell to quickly gain access to forensic artefacts, such as Runkeys, Prefetch files, and Windows Event Logs, just to name a few!

Singular approach

And the best thing: all in a singular way, regardless of underlying container (E01, VMDK, QCoW), filesystem (NTFS, ExtFS, FFS), or Operating System (Windows, Linux, ESXi) structure / combination. You no longer have to bother extracting files from your forensic container, mount them (in case of VMDKs and such), retrieve the MFT, and parse it using a separate tool, to finally create a timeline to analyse. This is all handled under the hood by Dissect in a user-friendly manner.

If we take the example above, you can start analysing parsed MFT entries by just using a command like target-query -f mft <PATH_TO_YOUR_IMAGE>!

Create a lightweight container using Acquire

Dissect also provides you with a tool called acquire. You can deploy this tool on endpoint(s) to create a lightweight container of these machine(s). What is convenient as well, is that you can deploy acquire on a hypervisor to quickly create lightweight containers of all the (running) virtual machines on there! All without having to worry about file-locks. These lightweight containers can then be analysed using the tools like target-query and target-shell, but feel free to use other tools as well.

A modular setup

Dissect is made with a modular approach in mind. This means that each individual project can be used on its own (or in combination) to create a completely new tool for your engagement or future use!

Try it out now!

Interested in trying it out for yourself? You can simply pip install dissect and start using the target-* tooling right away. Or you can use the interactive playground at https://try.dissect.tools to try Dissect in your browser.

Don’t know where to start? Check out the introduction page.

Want to get a detailed overview? Check out the overview page.

Want to read everything? Check out the documentation.

Projects

Dissect currently consists of the following projects.

Related

These projects are closely related to Dissect, but not installed by this meta package.

Requirements

This project is part of the Dissect framework and requires Python.

Information on the supported Python versions can be found in the Getting Started section of the documentation.

Installation

dissect is available on PyPI.

pip install dissect

Build and test instructions

This project uses tox to build source and wheel distributions. Run the following command from the root folder to build these:

tox -e build

The build artifacts can be found in the dist/ directory.

tox is also used to run linting and unit tests in a self-contained environment. To run both linting and unit tests using the default installed Python version, run:

tox

For a more elaborate explanation on how to build and test the project, please see the documentation.

Contributing

The Dissect project encourages any contribution to the codebase. To make your contribution fit into the project, please refer to the development guide.

Copyright and license

Dissect is released as open source by Fox-IT (https://www.fox-it.com) part of NCC Group Plc (https://www.nccgroup.com).

Developed by the Dissect Team ([email protected]) and made available at https://github.com/fox-it/dissect.

License terms: AGPL3 (https://www.gnu.org/licenses/agpl-3.0.html). For more information, see the LICENSE file.

More Repositories

1

aclpwn.py

Active Directory ACL exploitation with BloodHound
Python
632
star
2

log4j-finder

Find vulnerable Log4j2 versions on disk and also inside Java Archive Files (Log4Shell CVE-2021-44228, CVE-2021-45046, CVE-2021-45105)
Python
435
star
3

cve-2019-1040-scanner

Python
276
star
4

dissect.cstruct_legacy

A no-nonsense c-like structure parsing library for Python
Python
240
star
5

quantuminsert

Quantum Insert
HTML
211
star
6

LDAPFragger

C#
181
star
7

mkYARA

Generating YARA rules based on binary code
Python
179
star
8

linux-luks-tpm-boot

A guide for setting up LUKS boot with a key from TPM in Linux
Shell
175
star
9

Invoke-CredentialPhisher

PowerShell
170
star
10

bloodhound-import

Python based BloodHound data importer
Python
141
star
11

dissect.cobaltstrike

Python library for dissecting and parsing Cobalt Strike related data such as Beacon payloads and Malleable C2 Profiles
Python
139
star
12

danderspritz-evtx

Parse evtx files and detect use of the DanderSpritz eventlogedit module
Python
139
star
13

cryptophp

CryptoPHP Indicators of Compromise
Python
128
star
14

cobaltstrike-extraneous-space

Historical list of {Cobalt Strike,NanoHTTPD} servers
125
star
15

cobaltstrike-beacon-data

Open Dataset of Cobalt Strike Beacon metadata (2018-2022)
Jupyter Notebook
114
star
16

OpenSSH-Session-Key-Recovery

Project containing several tools/ scripts to recover the OpenSSH session keys used to encrypt/ decrypt SSH traffic.
Python
72
star
17

acquire

acquire is a tool to quickly gather forensic artifacts from disk images or a live system into a lightweight container.
Python
57
star
18

OpenSSH-Network-Parser

Project to decrypt and parse SSH traffic
Python
54
star
19

bro-scripts

Bro-IDS scripts
Bro
51
star
20

cisco-ios-xe-implant-detection

Cisco IOS XE implant scanning & detection (CVE-2023-20198, CVE-2023-20273)
Python
38
star
21

dissect.cstruct

A Dissect module implementing a parser for C-like structures.
Python
30
star
22

operation-wocao

Operation Wocao - Indicators of Compromise
YARA
30
star
23

dissect.target

The Dissect module tying all other Dissect modules together. It provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets).
Python
27
star
24

dll-hijacking-poc

A quick POC on how to embed a meterpreter in Firefox via DLL hijacking
C
17
star
25

citrix-netscaler-triage

Dissect triage script for Citrix NetScaler devices
Python
17
star
26

Decrypt-TFSSecretVariables

PowerShell
15
star
27

ponmocup

Ponmocup Indicators of Compromise
13
star
28

signed-phishing-email

Python
11
star
29

pcap-broker

PCAP-over-IP server written in Golang
Go
11
star
30

mofang

Mofang Indicators of Compromise
10
star
31

spookyssl-pcaps

SpookySSL PCAPS and Network Coverage
10
star
32

dissect.esedb

A Dissect module implementing a parser for Microsofts Extensible Storage Engine Database (ESEDB), used for example in Active Directory, Exchange and Windows Update.
Python
10
star
33

dissect-docs

Dissect documentation project
7
star
34

log4shell-pcaps

Log4Shell PCAPS and Network Coverage
Java
7
star
35

dissect.evidence

A Dissect module implementing a parsers for various forensic evidence file containers, currently: AD1, ASDF and EWF.
Python
7
star
36

dissect.ntfs

A Dissect module implementing a parser for the NTFS file system, used by the Windows operating system.
Python
7
star
37

dissect.eventlog

A Dissect module implementing parsers for the Windows EVT, EVTX and WEVT log file formats.
Python
6
star
38

saitama-server

Server-side implementation for the Saitama implant, useful for detection engineering purposes
Python
6
star
39

flow.record

Recordization library
Python
6
star
40

django-auth-policy

Django Authentication Policy
Python
6
star
41

psixbot

PsiXBot Indicators of Compromise
5
star
42

reasm

Extract parts of the malware and re-compile it on linux for decrypting stuff using same malware algorithms.
Python
5
star
43

aws-lambda-kinesis-windowseventlog

AWS lambda to transform the json from AWS kinesis agent to useful json documents for elasticsearch
Python
5
star
44

dissect.cim

A Dissect module implementing a parser for the Windows Common Information Model (CIM) database, used in the Windows operating system.
Python
5
star
45

dissect.hypervisor

A Dissect module implementing parsers for various hypervisor disk, backup and configuration files.
Python
4
star
46

Decrypt-OrchestratorSecretVariables

PowerShell
4
star
47

dissect.sql

A Dissect module implementing a parsers for the SQLite database file format, commonly used by applications to store configuration data.
Python
4
star
48

blister-research

Scripts, YARA and IOCs from our research on the Blister malware 🩹
Python
3
star
49

dissect.clfs

A Dissect module implementing a parser for the CLFS (Common Log File System) file system of Windows.
Python
3
star
50

dissect.volume

A Dissect module implementing a parser for different disk volume and partition systems, for example LVM2, GPT and MBR.
Python
3
star
51

dissect.ole

A Dissect module implementing a parser for the Object Linking & Embedding (OLE) format, commonly used by document editors on Windows operating systems.
Python
3
star
52

dissect.vmfs

Dissect module implementing a parser for the VMFS file system, used by VMware virtualization software.
Python
3
star
53

dissect.regf

A Dissect module implementing a parser for Windows registry file format, used to store application and OS configuration on Windows operating systems.
Python
3
star
54

Invoke-BadPwdCountSprayer

2
star
55

dissect.fat

A Dissect module implementing parsers for the FAT and exFAT file systems, commonly used on flash memory based storage devices and UEFI partitions.
Python
2
star
56

dissect.shellitem

A Dissect module implementing a parser for the Shellitem structures, commonly used by Microsoft Windows.
Python
2
star
57

dissect.util

A Dissect module implementing various utility functions for the other Dissect modules.
Python
2
star
58

dissect.ffs

A Dissect module implementing a parser for the FFS file system, commonly used by BSD operating systems.
Python
2
star
59

dissect.xfs

A Dissect module implementing a parser for the XFS file system, commonly used by RedHat Linux distributions.
Python
2
star
60

dissect-workflow-templates

Workflow templates for the dissect projects
2
star
61

dissect_legacy

Namespace and collection package for all dissect projects
Python
2
star
62

dissect.extfs

A Dissect module implementing a parser for the ExtFS file system, the native filesystem for Linux operating systems.
Python
1
star
63

dissect.btrfs

A Dissect module implementing a parser for the btrfs file system.
Python
1
star
64

dissect.etl

A Dissect module implementing a parser for Event Trace Log (ETL) files, used by the Windows operating system to log kernel events.
Python
1
star