Analysis plugin: nsrlsvr
Notes on how to use the nsrlsvr analysis plugin.
Setting up nsrlsvr
The source of nsrlsvr can be found here
Follow the installation instructions.
To run nsrlsvr:
nsrlsvr -f /fullpath/NSRLFile.txt
To test whether nsrlsvr is working, you'll need nsrllookup.
To run nsrllookup against your instance of nsrlsvr:
echo $MD5 | nsrllookup -s localhost -p 9120 -k
This returns $MD5 if it is present in NSRLFile.txt and nothing if it is not.
First run log2timeline to calculate the hashes:
log2timeline.py --hashers md5 timeline.plaso image.raw
Make sure to enable hashers supported by nsrlsvr, which is md5 in this example.
Next run psort to tag events:
psort.py --analysis nsrlsvr --nsrlsvr-hash md5 --nsrlsvr-host localhost --nsrlsvr-port 9120 -o null timeline.plaso
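
The steps above can be combined into one pre-flight wrapper, so that a server that is down or has the wrong hash set loaded is not mistaken for "no known files" when psort tags nothing. This is an added example, not code from plaso or nsrlsvr; the function names `nsrl_ready` and `tag_known_files` and the `NSRL_HOST`/`NSRL_PORT` variables are hypothetical, and the MD5 passed in is assumed to be one you have confirmed is in your NSRLFile.txt.

```shell
#!/bin/sh
# Added example, not part of the plaso or nsrlsvr projects.
# Hypothetical names: nsrl_ready, tag_known_files, NSRL_HOST, NSRL_PORT.
NSRL_HOST="${NSRL_HOST:-localhost}"
NSRL_PORT="${NSRL_PORT:-9120}"

# Succeed only if nsrlsvr returns the given MD5, which the caller must know
# is in NSRLFile.txt. nsrllookup -k prints nothing for an unknown hash, so
# empty output alone is not proof that the server is answering.
nsrl_ready() {
    # Reject anything that is not 32 hex digits before sending it.
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{32}$' || return 1
    known=$(printf '%s\n' "$1" | tr 'a-f' 'A-F')
    reply=$(printf '%s\n' "$1" \
        | nsrllookup -s "$NSRL_HOST" -p "$NSRL_PORT" -k 2>/dev/null \
        | tr 'a-f' 'A-F' | tr -d '\r')
    # Compare case-insensitively; the reply must be exactly the one hash.
    [ "$reply" = "$known" ]
}

# Hash an image and tag events, but only after the lookup path is verified.
# Returns 2 when nsrlsvr did not confirm the known hash, 1 on a plaso error.
tag_known_files() {
    image=$1; storage=$2; known_md5=$3
    if ! nsrl_ready "$known_md5"; then
        echo "nsrlsvr $NSRL_HOST:$NSRL_PORT did not confirm $known_md5" >&2
        return 2
    fi
    # Same commands as on this page; md5 must match on both sides.
    log2timeline.py --hashers md5 "$storage" "$image" || return 1
    psort.py --analysis nsrlsvr --nsrlsvr-hash md5 \
        --nsrlsvr-host "$NSRL_HOST" --nsrlsvr-port "$NSRL_PORT" \
        -o null "$storage" || return 1
}
```

Source the file, then call `tag_known_files image.raw timeline.plaso` followed by the MD5 you know is in NSRLFile.txt.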