Recipe list

dfTimewolf uses recipes, which are a way to configure Collectors, Processors, and Exporters (called Modules).

grr_artifact_hosts

Use this recipe to collect a predefined set of artifacts from a specific list of hosts. If you want to collect the BrowserHistory and LinuxLogFiles from tomchop.greendale.xyz and admin.greendale.xyz, use this command:

$ dftimewolf grr_artifact_hosts tomchop.greendale.xyz,admin.greendale.xyz --artifact_list=BrowserHistory,LinuxLogFiles

If artifact_list is not provided, the list defaults to:

  • Linux
    • AllUsersShellHistory
    • BrowserHistory
    • LinuxLogFiles
    • AllLinuxScheduleFiles
    • LinuxScheduleFiles
    • ZeitgeistDatabase
    • AllShellConfigs
  • Mac OS
    • MacOSRecentItems
    • MacOSBashHistory
    • MacOSLaunchAgentsPlistFiles
    • MacOSAuditLogFiles
    • MacOSSystemLogFiles
    • MacOSAppleSystemLogFiles
    • MacOSMiscLogs
    • MacOSSystemInstallationTime
    • MacOSQuarantineEvents
    • MacOSLaunchDaemonsPlistFiles
    • MacOSInstallationHistory
    • MacOSUserApplicationLogs
    • MacOSInstallationLogFile
  • Windows
    • WindowsAppCompatCache
    • WindowsEventLogs
    • WindowsPrefetchFiles
    • WindowsScheduledTasks
    • WindowsSearchDatabase
    • WindowsSuperFetchFiles
    • WindowsSystemRegistryFiles
    • WindowsUserRegistryFiles
    • WindowsXMLEventLogTerminalServices

grr_flow_download

Use this recipe to download the results of a given GRR flow.

If because of test_reason you want to fetch flow F:920AFD8 from tomchop.greendale.xyz and dump results into /tmp/tomflow/, use the following command:

$ dftimewolf grr_flow_download tomchop.greendale.xyz F:920AFD8 test_reason /tmp/tomflow

grr_hunt_artifacts

Launches a hunt for specific artifacts. The hunt is launched with a client limit set to 100 hosts.

If because of test_reason you want to launch a fleet-wide artifact hunt on BrowserHistory artifacts, use the following command:

$ dftimewolf grr_hunt_artifacts BrowserHistory test_reason

NOTE: Since hunts take time to complete, dfTimewolf will launch the hunt and return a Hunt ID that you can then feed to grr_huntresults_plaso_timesketch.

grr_hunt_file

Launches a hunt for specific files. The hunt is launched with a client limit set to 100 hosts. This is standard procedure for creating new hunts anyways.

If because of test_reason you want to launch a fleet-wide file hunt on /tmp/billgates.pl files, use the following command:

$ dftimewolf grr_hunt_file /tmp/billgates.pl test_reason

Note

Since hunts take time to complete, dfTimewolf will launch the hunt and return a Hunt ID that you can then feed to grr_huntresults_plaso_timesketch.

grr_huntresults_plaso_timesketch

Use this recipe to collect results from a GRR Hunt, process them with a local instance of plaso, and send them to our Timesketch server.

If you want to fetch results for H:7481F262 because of test_reason, use the following command:

$ dftimewolf grr_huntresults_plaso_timesketch H:7481F262 test_reason

local_plaso

Use this recipe to process a local file using plaso and send the results to our Timesketch server.

If because of test_reason you want to process all files in /mnt/winroot with plaso and send results to Timesketch, use the following command:

$ dftimewolf local_plaso /mnt/winroot test_reason

timesketch_upload

Use this recipe to upload a .plaso or .csv file to Timesketch:

$ dftimewolf timesketch_upload ~/cases/sem12345/sdb1.plaso