2022-07-06, 11:25–11:45 (Europe/Paris), Amphitheater
This talk will present two new open-source incident response tools and a new rust library dedicated to Incident Response.
bin2json a tool to extract metadata from multiple file formats to json and TapIR a collaborative server for incident response accessible through a REST API, a web ui, and python command line tools.
This talk is about two new incident response tool : TapIr and bin2json and the Tap rust library there are based on.
Those two tools are based on the TAP (Trustable Artifact Parser) rust library, that come with different plugins to parse specific artefacts (NTFS, MTF, regitry, evtx, prefetch, ...),
and include a search engine that let you create complex query.
-
bin2json can take different kinds of input like : disk image, partition, or collection of artifacts and automatically generate a json file containing metadata extracted from those inputs.
It can also generate the json file as a timeline. The generated file can then be analyzed via tools like jq or sent to elastic search or splunk for further analysis. -
TapIR is a service that can ingest the same kind of file as bin2json, then let you access extracted data and metadata through a rest API.
You can install it and make it accessible on a local network, a remote host or on the cloud, thus leveraging remote collaborative analysis.
TapIR come with web UI and a python client as command lines tools that lets you automate your IR task via scripting.
- The two aforementioned tools take advantage of the TAP library, written in RUST that make parsing secure and fast by leveraging heavy multithreading
During the presentation we will go through the architecture of the TAP library, when and how to use TapIR and bin2json, and finally we will make a demonstration of the different tools.
See also: 🎥 video
Solal Jacob is an incident responder but also a contributor and developer of open source tools. He is the creator of DFF (Digital Forensics Framework), and other tools related to forensics and memory analysis.