magneto

Incident response and forensic tool

Thank you for your interest. Please contact author for other essential files required to run this tool.

Features:

Parse and process triage output files, saving them in pgsql
Process memory captures using volatility
Parse and process volatility output files, saving them in pgsql
Perform baseline, long tail analysis and correlation using above data, stored in pgsql

Step by Step Guide to power up MAGNETO on Windows

Download Magneto Files
Install Python 2.7 (32 bit). Remember to check the box to configure Python Path in Windows System Environment Variables, or do it yourself.
Install all necessary python modules using pip.

C:\Python27\Scripts\pip.exe install argparse bs4 chardet fuzzywuzzy netaddr numpy openpyxl pandas psycopg2 requests scandir sqlalchemy stem win_inet_pton xlrd xlwings

Install PostgreSQL

Database admin account: postgres
Password: (set your own password)

Launch pgadmin and connect to local PostgreSQL server on 127.0.0.1. Create database "magneto"
Make sure that workstation has Powershell v4.0 and above installed, follow this table.
Install Strawberry Perl.
Install Perl modules by typing command prompt:

cpan
install Parse::Win32Registry Regexp::Common Regexp::Common::time

Configure the system environment variable PERL5LIB in command prompt:

setx PERL5LIB c:\path\to\magneto\Tools\RegRipper

Download the NVD XML 2.0 Schema feeds from NIST and unzip them in nvd_cache
Download the NirLauncher Package and unzip in Tools/nirsoft_package

Triage Post-Processing

Suggested Steps

Launch Ubuntu VM and process Memory (.raw) file using PROCESS_memory.py file. Save the output into the Evidence folder within each Incident folder.
Process Event Logs using Windows Powershell (WINTEL.ps1) file by running this in a powershell console:

WINTEL_WindowsLogParser.ps1 -logPath c:\path\to\individual_triage\Evidence\Logs -project PROJECTNAME

Run submit.py

python submit.py -d c:\path\to\parent\ -p PROJECTNAME
OR
python submit.py -d c:\path\to\parent\individual_triage -p PROJECTNAME

Generate output (as required)

python OUTPUT_baselineCSV.py -p PROJECTNAME
python OUTPUT_baselineXLSM.py -p PROJECTNAME
python OUTPUT_baselineXLSX.py -p PROJECTNAME
and other OUTPUT_* python modules

Name		Name	Last commit message	Last commit date
Latest commit History 110 Commits
Tools		Tools
Triage		Triage
WINTEL		WINTEL
nvd_cache		nvd_cache
.gitignore		.gitignore
IO_browserOperations.py		IO_browserOperations.py
IO_databaseOperations.py		IO_databaseOperations.py
IO_fileProcessor.py		IO_fileProcessor.py
IO_updatePgsqlCveDatabase.py		IO_updatePgsqlCveDatabase.py
MAGNETO_Host_Analysis_Checklist_Results_template2.xlsx		MAGNETO_Host_Analysis_Checklist_Results_template2.xlsx
MAGNETO_Timeline_template.xlsx		MAGNETO_Timeline_template.xlsx
OUTPUT_appCveChecker.py		OUTPUT_appCveChecker.py
OUTPUT_appendix.py		OUTPUT_appendix.py
OUTPUT_arpspoof.py		OUTPUT_arpspoof.py
OUTPUT_autorunMerge.py		OUTPUT_autorunMerge.py
OUTPUT_baselineCSV.py		OUTPUT_baselineCSV.py
OUTPUT_baselineXLSM.py		OUTPUT_baselineXLSM.py
OUTPUT_baselineXLSX.py		OUTPUT_baselineXLSX.py
OUTPUT_cveChecker.py		OUTPUT_cveChecker.py
OUTPUT_ipReputationChecker.py		OUTPUT_ipReputationChecker.py
OUTPUT_ipv4BlacklistChecker.py		OUTPUT_ipv4BlacklistChecker.py
OUTPUT_log.py		OUTPUT_log.py
OUTPUT_maliciousDocChecker.py		OUTPUT_maliciousDocChecker.py
OUTPUT_processDifference.py		OUTPUT_processDifference.py
OUTPUT_processNetworkConn.py		OUTPUT_processNetworkConn.py
OUTPUT_summary.py		OUTPUT_summary.py
OUTPUT_timeline.py		OUTPUT_timeline.py
OUTPUT_vtChecker.py		OUTPUT_vtChecker.py
OUTPUT_vtCheckerCuckoo.py		OUTPUT_vtCheckerCuckoo.py
PARSER_parseMemoryEnvars.py		PARSER_parseMemoryEnvars.py
PARSER_parseMemoryNetscan.py		PARSER_parseMemoryNetscan.py
PARSER_parseMemoryPslist.py		PARSER_parseMemoryPslist.py
PARSER_parseMemoryPstree.py		PARSER_parseMemoryPstree.py
PARSER_parseMemoryPsxview.py		PARSER_parseMemoryPsxview.py
PARSER_parseTriageARPInfo.py		PARSER_parseTriageARPInfo.py
PARSER_parseTriageNetworkConnections.py		PARSER_parseTriageNetworkConnections.py
PARSER_parseTriageProcesses.py		PARSER_parseTriageProcesses.py
PARSER_parseTriageSystemInfo.py		PARSER_parseTriageSystemInfo.py
PARSER_parseTriageSystemVariables.py		PARSER_parseTriageSystemVariables.py
PARSER_parseWMIProcesses.py		PARSER_parseWMIProcesses.py
PROCESS_checkTriageOutput.py		PROCESS_checkTriageOutput.py
PROCESS_memory.py		PROCESS_memory.py
PROCESS_postTriage.py		PROCESS_postTriage.py
PROCESS_pythonVba.py		PROCESS_pythonVba.py
PROCESS_submitDatabase.py		PROCESS_submitDatabase.py
README.md		README.md
REFERENCE_targetedcleanup.sql		REFERENCE_targetedcleanup.sql
RESET_resetDb.py		RESET_resetDb.py
SETUP_tor.py		SETUP_tor.py
config.py		config.py
config_vtKeys.txt		config_vtKeys.txt
requirements.txt		requirements.txt
setup.ps1		setup.ps1
submit.py		submit.py

padfoot999/magneto

Folders and files

Latest commit

History

Repository files navigation

magneto

Incident response and forensic tool

Step by Step Guide to power up MAGNETO on Windows

Triage Post-Processing

Suggested Steps

About

Resources

Stars

Watchers

Forks

Languages