Forensics Stack deployable with Terraform in AWS. Velociraptor, Timesketch, Plaso all in one.
The idea of this project is to create a forensics stack that can be deployed in AWS using Terraform. Depending on the use case, you can deploy all the components or just some of them. Working components:
- Timesketch
- Velociraptor
To be added:
- Plaso
- Custom parsing modules
- Test Windows agent
- Test Linux agent
- Bloodhound
- Maybe something more, propose :)
Prerequisites:
- Terraform installed
- AWS credentials configured
The common module provides shared resources and configurations used by other modules, such as:
- S3 configuration bucket
- RSA keys
- SSM instance profile
The timesketch module deploys Timesketch, a forensic timeline analysis tool. It is conditionally created based on the create_timesketch variable.
The velociraptor module deploys Velociraptor, a digital forensic and incident response tool. It is conditionally created based on the create_velociraptor variable.
Variables:
- create_timesketch: Boolean to determine whether to create the Timesketch module.
- create_velociraptor: Boolean to determine whether to create the Velociraptor module.
Outputs:
- velo_url: The URL for accessing the Velociraptor instance, if created.
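How the two create_* flags can gate each module and how velo_url can be exposed only when the Velociraptor module exists, as an added example of a root configuration (not the project's own code). The module source paths, the common module's config_bucket output and the velociraptor module's url output are assumptions.

```hcl
# Added example, not the project's own code. Assumed names: module source
# paths ./modules/<name>, a "config_bucket" output in the common module and
# a "url" output in the velociraptor module.

terraform {
  required_version = ">= 1.0"
}

variable "create_timesketch" {
  description = "Deploy the Timesketch module"
  type        = bool
  default     = false
}

variable "create_velociraptor" {
  description = "Deploy the Velociraptor module"
  type        = bool
  default     = false
}

# Shared resources (config bucket, RSA keys, SSM profile) are always created.
module "common" {
  source = "./modules/common" # assumed path
}

# count = 0 skips a module entirely when its flag is false, so a
# Timesketch-only or Velociraptor-only deployment is a one-line change
# in terraform.tfvars (e.g. create_timesketch = true).
module "timesketch" {
  source = "./modules/timesketch" # assumed path
  count  = var.create_timesketch ? 1 : 0

  config_bucket = module.common.config_bucket # assumed output name
}

module "velociraptor" {
  source = "./modules/velociraptor" # assumed path
  count  = var.create_velociraptor ? 1 : 0

  config_bucket = module.common.config_bucket # assumed output name
}

# one() returns null when the splat list is empty, so this output does not
# fail when the Velociraptor module was not created.
output "velo_url" {
  description = "URL of the Velociraptor instance, if created"
  value       = one(module.velociraptor[*].url) # assumed module output
}
```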
Usage:
- Clone this repository.
- Initialize Terraform:
  terraform init
- Review and customize the variables in your terraform.tfvars file.
- Apply the configuration:
  terraform apply
- Access the Velociraptor/Timesketch instance using the URL provided in the output.
- To destroy the resources, run:
  terraform destroy