Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading Forensic Investigator
SHA256 checksum (forensic-investigator_118.tgz) 74e295e61e2a1ed8e7aa4be0a215df2b1a794496c92e9e8d5e2dff2b36a5a11b SHA256 checksum (forensic-investigator_117.tgz) fbe062b428d2447a51386256a340861462bd7fbbc47552e9ea7ebbab1b74c38d SHA256 checksum (forensic-investigator_114.tgz) 05e8823164924ba5de8bd3fb0f1b5ffcc02d873161ce6e5f7793d8e4f0e97c71 SHA256 checksum (forensic-investigator_113.tgz) def2bcbb039ba26c050773549cea68f2d7b6883fbba142f6a2306c66dff56b8f SHA256 checksum (forensic-investigator_112.tgz) 161f1ec44bcc31831e5003bd31bb05f52d74c7ccb6788535a6ec571e4e36e3e5 SHA256 checksum (forensic-investigator_109.tgz) 56326e3c9afab24970542c7d9e90f9f17abfcb6bf3375bc7e618b0ce343249f4 SHA256 checksum (forensic-investigator_108.tgz) d1b050a516ba694c2aff0ea41806750164145e565d54ab8b607a67e440df049c SHA256 checksum (forensic-investigator_107.tgz) 7713011fb0b6c4890e7ee1ee10ba32bf6a9287dc34758691d4e9d9b288ed4060 SHA256 checksum (forensic-investigator_105.tgz) d70e84189d1ee777a7bc70241856eb2656e8d1aa50bc6e98a3ccce7fbfd4c539 SHA256 checksum (forensic-investigator_104.tgz) 3f951a69551ed638ca03d82d97fc7fcdf7d264b8c741ef612cac0cb14b70187f SHA256 checksum (forensic-investigator_103.tgz) c6999ada2a4c35f98b60f69e5e760e47f5d57d3790c42f6137e3657ded4671fa SHA256 checksum (forensic-investigator_101.tgz) 3d893d10a3ef70d432c895d6c0764252b171bfa77e67ed5cb22a06447362435a
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

Forensic Investigator

Overview
Details
The TekDefense Forensic Investigator app is designed to be a Splunk toolkit for the first responder. Most tools do not need Internet access with the exception of a couple which use API calls. This Splunk app provides free tools for the forensic investigator which include, but are not limited to the following:
- VirusTotal Lookups
- Metascan Lookups
- Automater
- Base64 conversion
- XOR conversion
- HEX conversion
- and more... (check our documentation tab)

The Crew
- Tony Lee
- Ian Ahl
- Dennis Hanzlik
- Dan Dumond
- Dave Pany
- Matt Kemelhar
- Chris Lee
- Kyle Champlin

Automater Error:
- If you get the following error when running Automater: "External search command 'automater_wrapper"
- Make sure you have python installed and associated with .py files (especially Windows environments)
- Please run the following command: chmod +x /opt/splunk/etc/apps/ForensicInvestigator/bin/Automater.py
- This will be fixed in the next release. Thanks for your patience.

Note: To make the Investigator Chat work for regular users, they must have the admin_all_objects capability assigned. This can be accomplished by creating a role called chat_write and assign that role to the users. Finally assign the admin_all_objects capability to that newly created role.

Installation is very easy. Either download it within Splunk or from this Splunkbase page. Run setup (Help -> Configure App)

Currently the app contains no props or transforms (unless processing MIR output) so there is no risk of it modifying your data.

Stay tuned as we will be adding more tools as they are requested.

The current tools are:


URL/IP Domain Files En/Decoder Host
VT Lookup * WHOIS Lookup 1 * VT Lookup * Cyber Chef MAC OUI Lookup
Automater * WHOIS Lookup 2 * Automater * Base64 Converter Ping
Metascan IP * Metscan hash * Hex Converter Traceroute
URL Unshortener File Hasher XOR Converter SMB Share View
LinkExtractor * Hash Identifier NetBios Viewer
GeoIP Lookup ROT(n) Converter Port Scanner
DNS Resolver IP Converter Banner Grabber
URL Decoder
URL Parser

* Requires Internet access / API calls

The Toolbox menu contains:

  • ePO Connector <- Edit the bin\epoconnector.py to add ePO IP, port, username, and password
  • Investigator Chat Program
  • Bulk searching - wild
  • Bulk searching - specific field
  • Cheat sheets

The Help menu contains:

  • User Metrics
  • License Usage
  • Disk Usage
  • About
  • Send Feedback

Processing Redline and MIR files

  • Install Forensic Investigator app
  • default/eventtypes.bak -> default/eventtypes.conf
  • default/inputs.bak -> default/inputs.conf
  • default/indexes.bak -> default/indexes.conf
  • default/props.bak -> default/props.conf
  • Help -> Configure app, Make sure "MIR evidence dashboards" is checked
  • Restart Splunk

Setup Monitor directory

Install Samba

vim /etc/samba/smb.conf (add to the bottom of the file)

[monitor]
comment = Watch for incoming files
available = yes
writeable = yes
browseable = yes
public = yes
path = /monitor
guest ok = yes
read only = no
create mask = 0644
directory mask = 0755
force user = mirmonitor

Add the user

useradd mirmonitor
passwd mirmonitor
<enter password="">

smbpasswd –a mirmonitor
<enter password="">

Restart Samba

Service smbd restart
Service nmbd restart

Use the monitor directory

Drop Redline and MIR xml files in the following directory structure:

Structure:

/monitor/<host>/<xml-files>

Example:

/monitor/TEK1/w32processes.xml

Release Notes

Version 1.1.8
Dec. 25, 2016

Version 1.1.8
- Added option to hide the MIR menus via the setup screen
- Added proxy support to setup screen
- Made vtLookup proxy aware
- Made vtLookup accept and use non-default API key
- Added CyberChef (En/Decoder -> CyberChef) - Big thanks to GCHQ for the awesome tool!
- Added ePO Connector to control McAfee ePolicy Orchestrator
- Requires editing bin\epoconnector.py and adding ePO IP, port, username, and password

Version 1.1.7
Sept. 5, 2016

Version 1.1.7
- Added Traceroute (Host -> Traceroute)
- Added Unshortener (URL/IP -> URL Unshortener)
- Added IP Converter (En/Decoder -> IP Converter)
- Added Processing of FireEye/Mandiant MIR output (Check details tab for instructions)
- System
- Network
- Processes
- Services
- Ports
- Tasks
- Prefetch
- ShimCache
- DNS
- User account
- URL History
- Driver Modules
- Persistence
- File
- Eventlog

Version 1.1.4
May 8, 2016

New Features in v1.1.4
- Updated Investigator Chat 2.0!
- Added Ping tool (Host --> Ping)
- Added SMB Share Viewer (Host --> SMB Share Viewer)
- Added NetBIOS Viewer (Host --> NetBIOS Viewer)
- Added Port scanner (Host --> Port Scanner)
- Added Banner grabber (Host --> Banner grabber)
- Added Bulk searching of data using any field (Toolbox -> Bulk Search - Wild)
- Added Bulk searching of data using a specific field (Toolbox -> Bulk Search - Field)
- Added ASCII Table cheatsheet (Toolbox -> Cheat sheets -> ASCII Table)
- Added Ports and services cheatsheet (Toolbox -> Cheat sheets -> Ports and Services)
- Added subnetting cheatsheet (Toolbox -> Cheat sheets -> Subnetting)

Maintenance in v.1.1.4
- Renamed the xml files to increase simplicity

Version 1.1.3
April 14, 2016

Version 1.1.3
- Added a chat program for collaboration! It is a first stab, but give it a try (Help -> Chat Program)
- Added an additional whois lookup vendor - api.hackertarget.com - ex: http://api.hackertarget.com/whois/?q=splunk.com
- Added a link extractor to rip links out of a page (URL/IP -> Link Extractor)
- Added permalink information to VT lookup page
- Added disk usage monitor (Help -> Disk Monitor) (Uses REST API)
- Added license analysis page (Help -> License Usage) (*Need to have _internal logs on indexer and role based access)
- Fixed VT lookup script, incorrectly detecting MD5 hashes in URL - if (re.findall(r"(^[a-fA-F\d]{32})", sys.argv[1]))
- Fixed VT Lookup script, removed leading white spaces lstrip()
- Fixed bug in BulkWhois to provide state/province information

Version 1.1.2
April 12, 2016

Version 1.1.2
- First version of the app that is Splunk certified!
- Removed temporary csv file from package
- Edited python script to clean up temp files

Version 1.0.9
Feb. 17, 2016

v 1.0.9 - Conforming to app development/certification requirements
- app.conf now has a proper description
- Separated the file hasher stanzas from app.conf and placed them in filehasher.conf
- Created a README file in the install package
- removed local directory

Version 1.0.8
Nov. 23, 2015

- Removed hard-coded path from MAC OUI lookup (Thanks Darla!)
- Changed permissions on automater (Splunk upload bug?)
- Added Metascan IP (props to Josh)
- Added Metascan Hash (props to Josh)
- Added Automater Hash lookup
- Remove leading white spaces for metascan, hash-id, and other tools - they are now more human-proof

Version 1.0.7
Nov. 15, 2015

1.0.7
- raw_data properly parsed in whois tool
- Hasher now outputs hashes in caps
- Added File Hasher tool - based on file upload
- Temporarily removed Owner Search - it will be back

Version 1.0.5
Oct. 1, 2015

1.0.5
- Renamed category headings - parsed based on new tools and future plans
- Added whois lookup
- Added hashing tool - MD5, SHA1, SHA224, SHA256, SHA384, SHA512
- Added hash-identifier.py (Props to Zion3R at Blackploit)

Version 1.0.4
Sept. 25, 2015

1.0.4
- Updated MAC OUI Lookup to return multiple values based on partial match
- Added Automater!
- CSS updates
- Fixed word wrap for results with no white space
- Added drop shadow on dropdown menu
- Changed dropdown menu text color to teal

Version 1.0.3
Sept. 23, 2015

1.0.3
- ROT conversion is now case sensitive
- Added Hex panel to Base64
- Added GeoIP lookup for user selected IP
- Added MAC OUI lookup
- DNS lookup - local lookups

Version 1.0.1
Sept. 17, 2015

Version 1.0.1
- Introduce the apps and tools

338
Installs
3,799
Downloads
Share Subscribe LOGIN TO DOWNLOAD

Subscribe Share

AppInspect Tooling

Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 50GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
© 2005-2018 Splunk Inc. All rights reserved.
Splunk®, Splunk>®, Listen to Your Data®, The Engine for Machine Data®, Hunk®, Splunk Cloud™, Splunk Light™, SPL™ and Splunk MINT™ are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.