OSDFIR Infrastructure simplifies the deployment and integration of Open Source Digital Forensics tools to Kubernetes clusters (local or cloud) using Helm.
Currently, OSDFIR Infrastructure supports the deployment and integration of the following tools:
- dfTimewolf for orchestrating forensic collection, processing and data export, helping pass data between tools using recipes (e.g. importing processed Plaso files from Turbinia into Timesketch)
- Timesketch for collaborative forensic timeline analysis, featuring analyzers to help identify patterns in data, support for Plaso, JSONL, or CSV file imports, and built-in integrations to tools such as:
  - Turbinia for automating processing of forensic evidence at scale, helping find prevalent badness, with built-in integrations to many tools such as:
    - Container Explorer for container-level processing
    - Docker Explorer for Docker container-level processing
    - Fraken for multi-threaded YARA scanning
    - Libcloudforensics for mounting evidence from cloud platforms
    - Plaso (and related projects such as dfVFS, libyal) for extracting data from a variety of sources into a correlated super timeline
- Yeti for DFIR and threat intelligence tracking, enabling responders to store and analyze CTI (observables, TTPs, campaigns, etc.) from internal and external systems; it also integrates with Timesketch
- GRR for incident response and remote live forensics.
These tools can also be used independently by following the documentation in each tool's repository, or by installing a tool-specific Helm chart, which includes any built-in integrations.
To get started, ensure you have Helm installed and are authenticated to your Kubernetes cluster.
IMPORTANT: For cloud deployments, Turbinia currently only supports attaching disks from GCP environments. Manual disk attachment or utilizing other evidence types is necessary for other cloud providers.
Once complete, add the repo containing the Helm charts as follows:

```bash
helm repo add osdfir-charts https://google.github.io/osdfir-infrastructure
```

If you had already added this repo earlier, run `helm repo update` to retrieve the latest versions of the packages. You can then run `helm search repo osdfir-charts` to see the available charts.

To install the OSDFIR Infrastructure chart using a release name of `my-release`:

```bash
helm install my-release osdfir-charts/osdfir-infrastructure
```
Note: The default configuration of the Helm chart installs it within your cluster for internal access. To enable external access, follow the instructions provided in the Helm chart's README.
To uninstall the chart:

```bash
helm uninstall my-release
```
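As an added example (not part of the OSDFIR Infrastructure project), the install steps above wrapped in a small POSIX shell script that checks the prerequisites first: it validates the release name, refuses to deploy unless the active kubectl context matches an expected one, adds the repo only if it is missing, and installs into a dedicated namespace rather than `default`. The `EXPECTED_CONTEXT` variable and the `osdfir` namespace are assumptions, not project conventions.

```shell
#!/bin/sh
# Added example: wrapper for the chart install steps (not the project's own script).
set -eu

REPO_NAME="osdfir-charts"
REPO_URL="https://google.github.io/osdfir-infrastructure"
CHART="$REPO_NAME/osdfir-infrastructure"

# Helm 3 release names: lowercase alphanumerics and '-', must start and end
# with an alphanumeric, and be at most 53 characters long.
release_name_ok() {
  name="$1"
  [ "${#name}" -le 53 ] || return 1
  printf '%s' "$name" | grep -Eq '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
}

# Guard against installing into the wrong cluster: EXPECTED_CONTEXT (assumed
# env var) must equal the active kubectl context.
context_ok() {
  current="$(kubectl config current-context 2>/dev/null)" || return 1
  [ "$current" = "${EXPECTED_CONTEXT:?set EXPECTED_CONTEXT to the target cluster context}" ]
}

# Add the chart repo only when it is not already configured, then refresh the index.
ensure_repo() {
  if ! helm repo list 2>/dev/null | grep -q "^$REPO_NAME[[:space:]]"; then
    helm repo add "$REPO_NAME" "$REPO_URL"
  fi
  helm repo update
}

install_release() {
  release="$1"; namespace="$2"
  release_name_ok "$release" || { echo "invalid release name: $release" >&2; return 1; }
  command -v helm >/dev/null && command -v kubectl >/dev/null \
    || { echo "helm and kubectl are required" >&2; return 1; }
  context_ok || { echo "refusing to install: unexpected or missing kubectl context" >&2; return 1; }
  ensure_repo
  # --wait blocks until the chart's pods report Ready, so a failed rollout surfaces here.
  helm install "$release" "$CHART" --namespace "$namespace" --create-namespace --wait
  kubectl get pods --namespace "$namespace"
}

# Usage: EXPECTED_CONTEXT=<context> sh install-osdfir.sh install my-release osdfir
if [ "${1:-}" = "install" ]; then
  install_release "${2:-my-release}" "${3:-osdfir}"
fi
```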
Please refer to the links below for more details on configuring OSDFIR Infrastructure, using individual tools, and accessing helpful guides.
- Getting Started with Minikube
- OSDFIR Infrastructure Helm Chart
- Timesketch Helm Chart
- Turbinia Helm Chart
- Troubleshooting Helm Charts
- Understanding Helm Charts
- Yeti Helm Chart
- GRR Helm Chart
This is not an official Google product (experimental or otherwise), it is just code that happens to be owned by Google.