Overview
CIRTKit is not just a collection of tools, but also a framework to aid in the ongoing unification of Incident Response and Forensics investigation processes.
Investigations
Investigations are the core of CIRTKit. Incident responders and forensic analysts generate large amounts of data during investigations. Normally this data is stored in ticketing systems, governance and risk systems, or some other variation of persistent data storage.
CIRTKit aims to bring core DFIR (Digital Forensics and Incident Response) tools into one console, centralizing the investigation process. There are many tools available that incident responders use to collect, parse, and interpret data. If we can bring all of these tools together to one console that can store information and malware artifacts centrally, we may be able to better combat the adversaries.
Inspiration
The inspiration behind CIRTKit came from the Metasploit Framework. Metasploit was revolutionary to the offensive security industry, allowing users to not only centrally manage penetration tests, but also use and develop new tools/exploits to further their cause. The key question that spurred the initiation of CIRTKit was this: "Why are attackers more equipped than defenders?"
With Metasploit, attackers are always equipped, constantly sharing new exploits and tools with the framework to enable others to take advantage of known vulnerabilities. The time has come for network defenders to centralize our toolsets and share new detection and response capabilities easily with the community.
Database Setup
lib/core/database.py
CIRTKit requires a database to store malware artifacts and investigation data. Currently, CIRTKit is equipped to use SQLite and Postgres SQL databases. If you need to have multiple analysts collaborate on investigations, then you need to setup CIRTKit to use Postgres, otherwise if you want to store information locally, you can use SQLite.
DB_USER = '<username>'
DB_PASSWD = '<password>'
Install Dependencies
You can install decencies with pip (Python packaging system) using the provided requirements.txt file "pip install -r requirements.txt"
Execute
Download CIRTKit
CIRTKit is not just a collection of tools, but also a framework to aid in the ongoing unification of Incident Response and Forensics investigation processes.
Investigations
Investigations are the core of CIRTKit. Incident responders and forensic analysts generate large amounts of data during investigations. Normally this data is stored in ticketing systems, governance and risk systems, or some other variation of persistent data storage.
CIRTKit aims to bring core DFIR (Digital Forensics and Incident Response) tools into one console, centralizing the investigation process. There are many tools available that incident responders use to collect, parse, and interpret data. If we can bring all of these tools together to one console that can store information and malware artifacts centrally, we may be able to better combat the adversaries.
Inspiration
The inspiration behind CIRTKit came from the Metasploit Framework. Metasploit was revolutionary to the offensive security industry, allowing users to not only centrally manage penetration tests, but also use and develop new tools/exploits to further their cause. The key question that spurred the initiation of CIRTKit was this: "Why are attackers more equipped than defenders?"
With Metasploit, attackers are always equipped, constantly sharing new exploits and tools with the framework to enable others to take advantage of known vulnerabilities. The time has come for network defenders to centralize our toolsets and share new detection and response capabilities easily with the community.
Database Setup
lib/core/database.py
CIRTKit requires a database to store malware artifacts and investigation data. Currently, CIRTKit is equipped to use SQLite and Postgres SQL databases. If you need to have multiple analysts collaborate on investigations, then you need to setup CIRTKit to use Postgres, otherwise if you want to store information locally, you can use SQLite.
- SQLite
- Postgres
DB_USER = '<username>'
DB_PASSWD = '<password>'
Install Dependencies
You can install decencies with pip (Python packaging system) using the provided requirements.txt file "pip install -r requirements.txt"
Execute
Download CIRTKit