nightHawkResponse: Incident Response Forensic Framework


nightHawk Response

A custom-built application for asynchronous forensic data presentation on an Elasticsearch backend.
It is designed to ingest Mandiant Redline "collections" files and gives flexibility in searching, stacking and tagging the results.

The application was born out of the inability to manage multiple investigations (or hundreds of endpoints) in a single pane of glass.

To ingest Redline audits we created nightHawkResponse, a fully fledged Go application designed to accompany this framework. The source code to the application is available in this repo; a binary has been compiled and is running inside the ISO, ready to ingest from first boot.

Features

  1. Single view endpoint forensics (multiple audit types).
  2. Global search.
  3. Timelining.
  4. Stacking.
  5. Tagging.
  6. Interactive process tree view.
  7. Multiple file upload & Named investigations.

Installation 

  • Version 1.0.4 should work on any Ubuntu x64 OS (we have tested it on Ubuntu 16.04 LTS)
  • Update Ubuntu to the latest patch level
  • Download release/nhr-1.0.4.tar.gz
  • Unarchive nhr-1.0.4.tar.gz
  • Change directory to nhr-1.0.4
  • Make nhr-setup.sh executable (chmod +x nhr-setup.sh)
  • Install dependencies and the nightHawk Response packages (sudo ./nhr-setup.sh install)
    Note: Internet access is required during installation.
  • The initial installation may fail to create the Elasticsearch index. If that happens, re-run the installer (sudo ./nhr-setup.sh install)
  • Verify that all the components are running:
    - sudo systemctl status elasticsearch
    - sudo systemctl status kibana
    - sudo systemctl status rabbitmq-server
    - sudo systemctl status nginx
    - sudo systemctl status nighthawk-api
    - sudo systemctl status nighthawk-worker
  • Access the web interface by browsing to https://<ip address of the host>
  • The default username and password are admin/admin. Change them on first login, before the host is reachable from anything other than your own workstation: every analyst with network access to port 443 otherwise gets full access to every investigation you ingest.
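The install and verification steps above, scripted as a single POSIX shell file. This is an added example, not the project's own nhr-setup.sh or any script shipped in the release. It assumes the release tarball is already in the working directory (the README names the file but gives no download URL), that a non-zero exit status from nhr-setup.sh is how a failed index creation surfaces (so the script re-runs the installer once, as the README asks), and the NHR_VERSION and SYSTEMCTL variables are this example's own knobs, not anything the project defines.

```shell
#!/bin/sh
# Added example: scripted form of the nhr-1.0.4 install/verify steps.
# Not the project's installer. Assumptions are marked below.
set -eu

NHR_VERSION="${NHR_VERSION:-1.0.4}"   # assumption: example-only override of the release version
SYSTEMCTL="${SYSTEMCTL:-systemctl}"   # assumption: overridable so the check runs without systemd

# The six units the README tells you to verify, in the order it lists them.
nhr_units() {
    echo "elasticsearch kibana rabbitmq-server nginx nighthawk-api nighthawk-worker"
}

# Unpack the release and run the installer. The README says the first run may
# fail to create the Elasticsearch index and asks you to re-run it, so we retry
# once when the installer exits non-zero (assumption: that is how the failure shows up).
nhr_install() {
    tar xzf "nhr-${NHR_VERSION}.tar.gz"
    cd "nhr-${NHR_VERSION}"
    chmod +x nhr-setup.sh
    if ! sudo ./nhr-setup.sh install; then
        echo "nhr-setup.sh failed once (index creation?); re-running as the README suggests" >&2
        sudo ./nhr-setup.sh install
    fi
}

# Ask systemd about each unit with `systemctl is-active`. Lists the units that
# are not active on stderr and returns 1 if any is down, 0 if all six are up.
nhr_check_services() {
    down=""
    for unit in $(nhr_units); do
        state=$("$SYSTEMCTL" is-active "$unit" 2>/dev/null || true)
        if [ "$state" != "active" ]; then
            down="$down $unit"
        fi
    done
    if [ -n "$down" ]; then
        echo "not active:$down" >&2
        return 1
    fi
    echo "all nightHawk components active"
    return 0
}

# URL to browse to once the services are up; defaults to the host's first IP.
nhr_url() {
    ip="${1:-$(hostname -I 2>/dev/null | awk '{print $1}')}"
    echo "https://${ip}"
}

case "${1:-}" in
    install) nhr_install && nhr_check_services \
             && echo "Browse to $(nhr_url) and log in as admin/admin, then change that password." ;;
    verify)  nhr_check_services ;;
    *)       echo "usage: $0 install|verify" >&2 ;;
esac
```

Run `sh nhr-install.sh install` from the directory holding the tarball to do the whole procedure, or `sh nhr-install.sh verify` on its own to re-check the six services after a reboot; the verify path exits non-zero and names the missing units, so it can be dropped into a cron job or a monitoring check.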

Use

Demo

Source: https://github.com/biggiesmallsAG/