{"id":22913749,"url":"https://github.com/0cm/banditlab","last_synced_at":"2025-05-12T13:26:42.861Z","repository":{"id":246793389,"uuid":"822272763","full_name":"0CM/BanditLab","owner":"0CM","description":"Forensic Linux VM for Apple Silicon, ARM64 and x86-64 compatible platforms","archived":false,"fork":false,"pushed_at":"2025-04-21T09:32:52.000Z","size":102,"stargazers_count":8,"open_issues_count":0,"forks_count":2,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-21T10:33:24.915Z","etag":null,"topics":["aarm64","apple-silicon","dfir","digital-forensic-tool","digital-forensics","eztools","incident-response","linux","linux-distribution","macos","multipass","security","ubuntu","x86-64"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0CM.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2024-06-30T19:14:36.000Z","updated_at":"2025-04-21T09:32:55.000Z","dependencies_parsed_at":"2024-07-15T06:47:25.165Z","dependency_job_id":"4e1f8aec-0b6b-44d4-9955-27b75fa02672","html_url":"https://github.com/0CM/BanditLab","commit_stats":null,"previous_names":["0cm/binarybanditsforensicvm","0cm/binarybanditsforensiclab","0cm/banditlab"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0CM%2FBanditLab","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0CM%2FBanditLab/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0CM%2FBanditLab
/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0CM%2FBanditLab/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0CM","download_url":"https://codeload.github.com/0CM/BanditLab/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253746873,"owners_count":21957649,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aarm64","apple-silicon","dfir","digital-forensic-tool","digital-forensics","eztools","incident-response","linux","linux-distribution","macos","multipass","security","ubuntu","x86-64"],"created_at":"2024-12-14T05:11:28.270Z","updated_at":"2025-05-12T13:26:42.854Z","avatar_url":"https://github.com/0CM.png","language":"Shell","readme":"BanditLab - Ubuntu-based Linux VM for Digital Forensics\n----------------\nIt was supposed to be a lightweight Linux distribution for digital forensics\nand incident response, but it kind of spiraled out of control.\n\nPrimarily focused on Apple Silicon and ARM64-based systems.\nThe x86_64 architecture is now supported as well!\n\nPrerequisites:\n---------------\n**Multipass**\n\nUbuntu Multipass is a tool developed by Canonical that allows users to create, manage\nand configure lightweight virtual machines (VMs) on their local system,\nspecifically designed for Ubuntu environments.\n\nInstallation:\n\n* via Homebrew -\u003e `brew install multipass`\n* via the standalone installer -\u003e \u003chttps://multipass.run/install\u003e\n\nLab Deployment:\n----------------\nThe following command will create a VM named 
BanditLab with 2 CPU cores, 4GB of RAM and a 20GB disk.\n\n- You can adjust the VM name and hardware specifications according to your preferences.\n\nCloud-init for macOS (Apple Silicon) or other ARM64 hosts:\n```\nmultipass launch -n BanditLab -c2 -m 4GB -d 20G --cloud-init https://github.com/0CM/BanditLab/raw/main/BanditLab-aarch64.yaml\n```\n\nCloud-init for the x86_64 architecture:\n```\nmultipass launch -n BanditLab -c2 -m 4GB -d 20G --cloud-init https://github.com/0CM/BanditLab/raw/main/BanditLab-x86-64.yaml\n```\n\nLog into the VM:\n```\nmultipass shell BanditLab\n```\n\nStop the VM:\n```\nmultipass stop BanditLab\n```\n\nDelete the VM:\n```\nmultipass delete BanditLab\nmultipass purge\n```\n\nShare a folder between the VM and the host system:\n```\nmultipass mount path/to/local/folder BanditLab:/home/ubuntu/DATA\n```\n\nFull Disk Access for Multipass is required in order to see the files in a mounted macOS folder:\n\n```\nSystem Preferences \u003e Security \u0026 Privacy \u003e Full Disk Access\n```\n\nAlternatively, you can copy files to and from the VM with the transfer command.\n\nCopy a file FROM the VM to the host machine:\n```\nmultipass transfer BanditLab:/home/ubuntu/evidence/MFT.csv ./\n```\n\nCopy a file TO the VM from the host machine:\n```\nmultipass transfer ./image.E01 BanditLab:/home/ubuntu/evidence\n```\n\nLab Help:\n----------------\nRun the `alias` command to get a list of shortcuts for running the custom tools.\n\n```\nalias\n```\n\nForensics Tools:\n----------------\n\n* **EZTools** - [Eric Zimmerman's tools](https://ericzimmerman.github.io/#!index.md)\n  * **JLECmd** version 1.5.0.0 - Jump List parser\n  * **EvtxECmd** version 1.5.0.0 - Event log (evtx) parser\n  * **LECmd** version 1.5.0.0 - LNK file parser\n  * **MFTECmd** version 1.2.2.1 - $MFT, $Boot, $J, $SDS, $I30 parser\n  * **RBCmd** version 1.5.0.0 - Recycle Bin artifact (INFO2/$I) parser\n  * **RECmd** version 2.0.0.0 - Command line Registry tool\n  * **rla** version 2.0.0.0 - Replay transaction 
logs and update Registry hives\n  * **RecentFileCacheParser** version 1.5.0.0\n  * **WxTCmd** version 1.0.0.0\n  * **bstrings** version 1.5.2.0\n\n* **SIDR** - [GitHub Repository](https://github.com/strozfriedberg/sidr)\n  * SIDR (Search Index DB Reporter) is a Rust-based tool designed to parse Windows\n    search artifacts from Windows 10 (and prior) and Windows 11 systems.\n\n* **MemProcFS** - [GitHub Repository](https://github.com/ufrisk/MemProcFS)\n  * MemProcFS is an easy and convenient way of viewing\n    physical memory as files in a virtual file system.\n\n* **Timeliner** - [GitHub Repository](https://github.com/airbus-cert/timeliner)\n  * Timeliner uses a regular expression engine to parse events\n    and applies BPF-style logic to filter them by time.\n\nSIGMA, YARA, IOC and other scanners:\n--------------------------\n* **Chainsaw** - [GitHub Repository](https://github.com/WithSecureLabs/chainsaw)\n  - Chainsaw offers a generic and fast method of searching through event logs\n    for keywords and of identifying threats using built-in support for Sigma\n    detection rules and custom Chainsaw detection rules.\n\n* **Hayabusa** - [GitHub Repository](https://github.com/Yamato-Security/hayabusa)\n  - Hayabusa is a Windows event log fast forensics timeline generator\n    and threat hunting tool created by Yamato Security.\n\n* **VT-CLI** - [GitHub Repository](https://github.com/VirusTotal)\n  - VirusTotal Command Line Interface\n\n* **Nikto** - [GitHub Repository](https://github.com/sullo/nikto)\n  - Nikto web server scanner\n\n* **Nuclei** - [GitHub Repository](https://github.com/projectdiscovery/nuclei)\n  - Fast and customisable vulnerability scanner based on a simple YAML-based DSL.\n\n* **ioc-scanner** - [GitHub Repository](https://github.com/cisagov/ioc-scanner)\n  - Cybersecurity and Infrastructure Security Agency IoC scanner\n\n* **yara** - [Home Page](https://virustotal.github.io/yara/)\n  - 
Pattern matching Swiss knife for malware researchers\n\nSensitive Data / Secrets Scanners:\n--------------------------\n* **Nosey Parker** - [GitHub Repository](https://github.com/praetorian-inc/noseyparker)\n  - Nosey Parker is a command-line program that finds secrets\n    and sensitive information in textual data.\n\n* **TruffleHog** - [GitHub Repository](https://github.com/trufflesecurity/trufflehog)\n  - TruffleHog is an open-source secret scanning engine that detects\n    and helps resolve exposed secrets across your entire tech stack.\n\nText Manipulation Tools:\n--------------------------\n\n* **jq** - [Home Page](https://jqlang.github.io/jq/)\n  - Slice, filter, map and transform JSON structured data\n\n* **pup** - [GitHub Repository](https://github.com/ericchiang/pup)\n  - Command line tool for processing HTML\n\n* **ugrep** - [GitHub Repository](https://github.com/Genivia/ugrep)\n  - Faster grep with an interactive query UI\n\nPython Libs and Tools:\n--------------------------\nPython tools live in the `pyapps` virtualenv: activate it with `pyapps` or `source pyapps/bin/activate`.\n\n* **peepdf** - [GitHub Repository](https://github.com/jesparza/peepdf)\n  - tool to explore PDF files; it can parse different versions of a file, object streams and encrypted files.\n* **pdfid** - [GitHub Repository](https://github.com/DidierStevens)\n  - Didier Stevens's tool to scan a PDF file\n* **dfir\\_ntfs** - [GitHub Repository](https://github.com/msuhanov/dfir_ntfs)\n  - an NTFS/FAT parser for digital forensics \u0026 incident response\n* **oletools** - [GitHub Repository](https://github.com/decalage2/oletools)\n  - oletools is a package of Python tools to analyze Microsoft OLE2 files\n* **hindsight** - [GitHub Repository](https://github.com/obsidianforensics/hindsight)\n  - web artefacts and browsing history from Chromium-based web browsers\n* **browserexport** - [GitHub 
Repository](https://github.com/seanbreckenridge/browserexport)\n  - web artefacts and browsing history from Chromium-based web browsers, Firefox, Safari and more.\n* **windowsprefetch** - [GitHub Repository](https://github.com/PoorBillionaire/Windows-Prefetch-Parser)\n  - Parser for Windows XP to Windows 10 Prefetch files\n* **xlsxgrep** - [GitHub Repository](https://github.com/zazuum/xlsxgrep)\n  - tool to search text in XLSX, XLS, CSV, TSV and ODS files.\n* **DomainTools** - [GitHub Repository](https://github.com/DomainTools/python_api)\n  - The DomainTools Python API wrapper provides an interface to work with\n    cybersecurity and related data tools provided by Iris Investigate.\n* **Prefetcher** - [GitHub Repository](https://github.com/ajread4/prefetcher)\n  - Windows Prefetch parser\n* **parse_smsdb** - [GitHub Repository](https://github.com/h4x0r/parse_sms.db)\n  - Extracts iMessage, RCS and SMS/MMS chat history from an iOS sms.db database file.\n* **OneDrive Parser** - [GitHub Repository](https://github.com/ydkhatri/OneDrive/)\n  - A parser for OneDrive .odl files.\n\nOptional Tools:\n-------------------\n* **azure-cli** - [GitHub Repository](https://github.com/Azure/azure-cli) - Azure Command-Line Interface\n  - run `installazurecli` to install the package\n\n* **gcloud-cli** - [Home Page](https://cloud.google.com/cli?hl=en) - Google Cloud Command Line Interface\n  - run `installgcloudcli` to install the package\n\n* **PowerShell 7.4** - [Home Page](https://learn.microsoft.com/en-us/powershell/scripting/overview?view=powershell-7.4) - Microsoft PowerShell\n  - run `installpwsh` to install the package\n\nLinux Packages:\n-------------------\n* **aeskeyfind**\n  - tool for locating AES keys in a captured memory image\n* **afflib-tools**\n  - Advanced Forensics Format Library (utilities)\n* **binwalk**\n  - tool library for analyzing binary blobs and executable code\n* **cewl**\n  - custom word list generator\n* 
**dc3dd**\n  - patched version of GNU dd with forensic features\n* **dislocker**\n  - read/write encrypted BitLocker volumes\n* **dnsrecon**\n  - DNS enumeration script\n* **ewf-tools**\n  - collection of tools for reading and writing EWF (E01) files\n* **exifprobe**\n  - read metadata from digital pictures\n* **extundelete**\n  - utility to recover deleted files from an ext3/ext4 partition\n* **fcrackzip**\n  - password cracker for zip archives\n* **forensic-artifacts**\n  - knowledge base of forensic artifacts (data files)\n* **forensics-colorize**\n  - show differences between files using color graphics\n* **getxattr**\n  - getxattr() retrieves the value of the extended attribute identified\n    by name and associated with the given path in the file system.\n* **hashdeep**\n  - recursively compute hashsums or piecewise hashings\n* **pff-tools**\n  - utilities for MS Outlook PAB, PST and OST files\n* **mc**\n  - Midnight Commander file manager\n* **recoverdm**\n  - recover files on disks with damaged sectors\n* **scrounge-ntfs**\n  - data recovery program for NTFS filesystems\n* **sleuthkit**\n  - tools for forensic analysis on volume and filesystem data\n* **ssdeep**\n  - recursive piecewise hashing tool\n* **ext3grep**\n  - tool to help recover deleted files on ext3 filesystems\n* **libimage-exiftool-perl**\n  - ExifTool - program to read and write meta information in multimedia files\n* **binvis**\n  - project to visualize binary-file structures in unique ways\n* **testdisk**\n  - partition scanner and disk recovery tool, and PhotoRec file recovery tool\n* **mblaze**\n  - UNIX utilities to deal with Maildir\n* **mboxgrep**\n  - grep through mailboxes\n* **pev**\n  - text-based tool to analyze PE files\n* **tshark**\n  - network traffic analyzer - console version\n* **unar**\n  - unarchiver for a variety of file formats\n* **libvshadow-utils**\n  - libvshadow is a library to access the Volume Shadow 
Snapshot (VSS) format.\n* **dotnet-runtime-6.0**\n  - .NET runtime 6.0 for Linux\n* **python3.12-venv**\n  - Python virtual environments\n* **python3-pip**\n  - package installer for Python\n* **tesseract-ocr**\n  - Tesseract 4 adds a new neural net (LSTM) based OCR engine\n* **readpe**\n  - readpe is a toolkit designed to analyze Microsoft Windows PE (Portable Executable)\n    binary files. Its tools can parse and compare PE32/PE32+ executable files (EXE,\n    DLL, OCX, etc.) and analyze them in search of suspicious characteristics\n* **parallel**\n  - GNU parallel is a shell tool for executing jobs in parallel using one or more computers.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0cm%2Fbanditlab","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0cm%2Fbanditlab","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0cm%2Fbanditlab/lists"}