Beagle is an incident response and digital forensics tool which transforms data sources and logs into graphs. Supported data sources include FireEye HX Triages, Windows EVTX files, SysMon logs, and Raw Windows memory images. The resulting Graphs can be sent to graph databases such as Neo4J or DGraph, or they can be kept locally as Python NetworkX objects.
Beagle can be used directly as a python library, or through a provided web interface.
Graphs are centered around the activity of individual processes, and are meant primarily to help analysts investigate activity on hosts, not between them.
Beagle’s docker image comes with a web interface that wraps around the process of both transforming data into graphs, as well as using them to investigate data.
The upload form wraps around the graph creation process, and automatically uses
NetworkX as the backend. Depending on the parameters required by the data source, the form will either prompt for a file upload, or text input. For example:
- VT API Sandbox Report asks for the hash to graph.
- FireEye HX requires the HX triage.
Any graph created is stored locally in the folder defined under the
dir key from the
storage section in the configuration. This can be modified by setting the
BEAGLE__STORAGE__DIR enviroment variable.
Optionally, a comment can be added to any graph to better help describe it.
Each data source will automatically extract metadata from the provided parameter. The metadata and comment are visible later on when viewing the existing graphs of the datasource.
Browsing Existing Graphs
Clicking on a datasource on the sidebar renders a table of all parsed graphs for that datasource.
Viewing a graph in Beagle provides a web interface that allows analysts to quickly pivot around an incident.
The interface is split into two main parts, the left part which contains various perspectives of the graph (Graph, Tree, Table, etc), and the right part which allows you to filter nodes and edges by type, search for nodes, and expand a nodes properties. It also allows you to undo and redo operations you perform on the graph.
Any element in the graph that has a divider above it is collapsible:
Inspecting Nodes and Edges
Nodes in the graph display the first 15 characters of their a specific field. For example, for a process node, this will be the process name.
Edges simply show the edge type.
A single click on a node or edge will focus that node and display its information in the “Node Info” panel on the right sidebar.
Focusing on a Node
Focusing on an Edge
A double click on a node will pull in any neighbouring nodes. A neighbouring node is any node connected to the clicked on node by an edge. If there are no neighbors to be pulled in, no change will be seen in the graph.
- This is regardless of direction. That means that a parent process or a child process could be pulled in when double clicking on a node.
- Beagle will only pull in 25 nodes at a time.
A long single click on a node will hide it from the graph, as well as any edges that depend on it.
Rekall as extras install (#19) * Makes rekall an optional install * Adds travis tests against windows, linux, osx * Opens up package to 3.7+ * Bumps version to 1.0.2
Copyright (c) 2019 Omer Yampel