Seeker — A Simple Digital Forensics Toolkit

Background

Seeker is my undergraduate project for my information technology degree at Middlesex University Dubai.

Seeker is an open-source project; the files can be found on my GitHub repository.

Seeker is still under constant development as of writing this article. Expect errors, changes and inconsistencies.

The following is a high-level description of Seeker, what it does and how it does it.

The Toolkit

Seeker is a digital forensics toolkit composed of two parts: a data extraction script and a web interface.

Data Extraction Script

A simple CLI script written in C that collects various information from Debian-based Linux machines and stores the collected data in a central directory.

Some of the data that is extracted includes:

  • Operating system information: OS versions, timezones, hostnames and users.
  • Device information: Disk names, partitions, sizes and mount points.
  • System logs: /var/log/auth.log, /var/log/dpkg.log, /var/log/syslog, and user logs.
  • IOC-related information: File hashes and file contents.

Beyond the basic information it collects, the core features of this toolkit are its ability to use third-party APIs from security vendors to detect IOCs, to present system logs in a searchable, timeline-view format (think Splunk), and to apply YARA rules to the collected file contents.

Web Interface

Written in Python, the web interface currently runs locally on a machine; this may be changed so that it can be hosted online in future development.

The web interface is built on Streamlit, which is an open-source Python library that allows for data exploration and visualization.

Utilizing the collected file names and their hashes, Seeker uses VirusTotal’s API to get possible IOCs based on security vendors’ analyses. This offloads the manual labor of searching for malicious file names, file hashes and other common filesystem IOCs. Furthermore, this assures that IOC signatures are not static, and are constantly updated by community and security vendors’ reports on VirusTotal.

A common drawback of some other open-source DFIR tools is the use of static IOC signatures, which can often become outdated.

IOC Analysis Page — File Hashes

In addition, Seeker collects file content which can then be searched in the web interface with YARA rules. Again, this automates the application of YARA rules, and only displays matching files. Seeker presents users with options to manually write YARA rules in the web interface, or utilize a pre-compiled list of YARA signatures.

IOC Analysis Page — Running Precompiled YARA Rules

To form a timeline of system events, Seeker charts the logs in the web interface and allows for searching, filtering and export of the data to CSV files.

Log events are displayed along with their date and timestamps, as well as a full breakdown of the event and its source.

Timeline-view Page
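As an added example (not Seeker's own code), this shows how the /var/log/auth.log, /var/log/syslog and /var/log/dpkg.log lines the script collects can be normalized into one chronologically sorted timeline, filtered by keyword and exported as CSV. The sample log lines are constructed, and the year passed to the parser is an assumption, because classic syslog timestamps carry no year.

```python
import csv
import io
import re
from datetime import datetime

# Traditional syslog format used by /var/log/auth.log and /var/log/syslog; the
# timestamp carries no year, so the caller supplies the year of the collection.
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) {1,2}(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<proc>[^:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
# /var/log/dpkg.log lines carry a full ISO date.
DPKG_RE = re.compile(r"^(?P<date>\d{4}-\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d) (?P<msg>.*)$")

def parse_line(line, source, year):
    """Return (timestamp, source, process, message), or None for unparsable lines."""
    m = SYSLOG_RE.match(line)
    if m:
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        return (ts, source, m["proc"], m["msg"])
    m = DPKG_RE.match(line)
    if m:
        return (datetime.fromisoformat(f"{m['date']} {m['time']}"), source, "dpkg", m["msg"])
    return None

def build_timeline(logs, year, keyword=None):
    """Merge {source: text} logs into one chronologically sorted event list,
    optionally keeping only events whose message contains keyword."""
    events = []
    for source, text in logs.items():
        for line in text.splitlines():
            ev = parse_line(line, source, year)
            if ev and (keyword is None or keyword.lower() in ev[3].lower()):
                events.append(ev)
    return sorted(events)

def to_csv(events):
    """Render the timeline as CSV text for export from the web interface."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["timestamp", "source", "process", "message"])
    for ts, source, proc, msg in events:
        w.writerow([ts.isoformat(sep=" "), source, proc, msg])
    return buf.getvalue()

# Constructed sample lines (not captured from a real system).
SAMPLE_LOGS = {
    "auth.log": "Mar  3 09:15:02 lab sshd[1201]: Failed password for invalid user admin from 10.0.0.5 port 51234 ssh2\n"
                "Mar  3 09:16:00 lab sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt install nmap\n",
    "dpkg.log": "2023-03-03 09:16:20 status installed nmap:amd64 7.80+dfsg1-2build1\n",
}
```

Filtering on a keyword such as "nmap" links the sudo command in auth.log to the matching package installation in dpkg.log, which is the kind of cross-source correlation a timeline view is meant to surface.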

Summary

Requirements for digital forensics cycles can vary from one organization to another, and DFIR professionals must constantly adapt to the ever-evolving TTPs of threat actors. Seeker is a contribution to the open-source and DFIR community that is backed by academic research; however, Seeker is by no means a complete toolkit that encompasses all aspects of DFIR investigations.

The following infographic summarizes the steps Seeker takes from setting up investigation files to data collection.

Seeker data collection script flow

Contributing

If you would like to contribute to or fork the project, you are welcome to do so.

Further Development

Continuous development is expected to continue up until April 2023, after which Seeker’s source code will remain open-source and free to use, with no current roadmap for future updates.

Seeker requires no maintenance, and will be kept as a side project that is open to the public to contribute, fork and update.
