Turbinia : Automation and Scaling of Digital Forensics Tools

Turbinia is an open-source framework for deploying, managing, and running distributed forensic workloads.

It is intended to automate running of common forensic processing tools (i.e. Plaso, TSK, strings, etc) to help with processing evidence in the Cloud, scaling the processing of large amounts of evidence, and decreasing response time by parallelizing processing where possible.

How it works

Turbinia is composed of different components for the client, server and the workers.

These components can be run in the Cloud, on local machines, or as a hybrid of both. The Turbinia client makes requests to process evidence to the Turbinia server.

The Turbinia server creates logical jobs from these incoming user requests, which creates and schedules forensic processing tasks to be run by the workers.

The evidence to be processed will be split up by the jobs when possible, and many tasks can be created in order to process the evidence in parallel.

One or more workers run continuously to process tasks from the server. Any new evidence created or discovered by the tasks will be fed back into Turbinia for further processing.

Also Read – RPI-Hunter : Automate Discovering & Dropping Payloads on LAN Raspberry

Usage

The basic steps to get things running after the initial installation and configuration are:

Start Turbinia server component with turbiniactl server command Start one or more Turbinia workers with turbiniactl psqworker Send evidence to be processed from the turbinia client with turbiniactl ${evidencetype} Check status of running tasks with turbiniactl status

turbiniactl can be used to start the different components, and here is the basic usage:

$ turbiniactl –help
usage: turbiniactl [-h] [-q] [-v] [-d] [-a] [-f] [-o OUTPUT_DIR] [-L LOG_FILE]
[-r REQUEST_ID] [-R] [-S] [-C] [-V] [-D]
[-F FILTER_PATTERNS_FILE] [-j JOBS_WHITELIST]
[-J JOBS_BLACKLIST] [-p POLL_INTERVAL] [-t TASK] [-w]

optional arguments:
-h, –help show this help message and exit
-q, –quiet Show minimal output
-v, –verbose Show verbose output
-d, –debug Show debug output
-a, –all_fields Show all task status fields in output
-f, –force_evidence Force evidence processing request in potentially
unsafe conditions
-o OUTPUT_DIR, –output_dir OUTPUT_DIR
Directory path for output
-L LOG_FILE, –log_file LOG_FILE
Log file
-r REQUEST_ID, –request_id REQUEST_ID
Create new requests with this Request ID
-R, –run_local Run completely locally without any server or other
infrastructure. This can be used to run one-off Tasks
to process data locally.
-S, –server Run Turbinia Server indefinitely
-C, –use_celery Pass this flag when using Celery/Kombu for task
queuing and messaging (instead of Google PSQ/pubsub)
-V, –version Show the version
-D, –dump_json Dump JSON output of Turbinia Request instead of
sending it
-F FILTER_PATTERNS_FILE, –filter_patterns_file FILTER_PATTERNS_FILE
A file containing newline separated string patterns to
filter text based evidence files with (in extended
grep regex format). This filtered output will be in
addition to the complete output
-j JOBS_WHITELIST, –jobs_whitelist JOBS_WHITELIST
A whitelist for Jobs that we will allow to run (note
that it will not force them to run).
-J JOBS_BLACKLIST, –jobs_blacklist JOBS_BLACKLIST
A blacklist for Jobs we will not allow to run
-p POLL_INTERVAL, –poll_interval POLL_INTERVAL
Number of seconds to wait between polling for task
state info
-t TASK, –task TASK The name of a single Task to run locally (must be used with –run_local.
-w, –wait Wait to exit until all tasks for the given request
have completed
Commands:

rawdisk Process RawDisk as Evidence
googleclouddisk Process Google Cloud Persistent Disk as Evidence
googleclouddiskembedded
Process Google Cloud Persistent Disk with an embedded
raw disk image as Evidence
directory Process a directory as Evidence
listjobs List all available jobs
psqworker Run PSQ worker
celeryworker Run Celery worker
status Get Turbinia Task status
server Run Turbinia Server

The commands for processing the evidence types of rawdisk and directory specify information about evidence that Turbinia should process.

By default, when adding new evidence to be processed, turbiniactl will act as a client and send a request to the configured Turbinia server, otherwise if –server is specified, it will start up its own Turbinia server process.

Here’s the turbiniactl usage for adding a raw disk type of evidence to be processed by Turbinia:

$ ./turbiniactl rawdisk -h
usage: turbiniactl rawdisk [-h] -l LOCAL_PATH [-s SOURCE] [-n NAME]
optional arguments:
-h, –help show this help message and exit
-l LOCAL_PATH, –local_path LOCAL_PATH
Local path to the evidence
-s SOURCE, –source SOURCE
Description of the source of the evidence
-n NAME, –name NAME Descriptive name of the evidence

Notes

  • Turbinia currently assumes that Evidence is equally available to all worker nodes (e.g. through locally mapped storage, or through attachable persistent Google Cloud Disks, etc).
  • Not all evidence types are supported yet
  • Still only a small number of processing job types supported, but more are being developed.
R K

Recent Posts

Shadow-rs : Harnessing Rust’s Power For Kernel-Level Security Research

shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…

2 weeks ago

ExecutePeFromPngViaLNK – Advanced Execution Of Embedded PE Files via PNG And LNK

Extract and execute a PE embedded within a PNG file using an LNK file. The…

3 weeks ago

Red Team Certification – A Comprehensive Guide To Advancing In Cybersecurity Operations

Embark on the journey of becoming a certified Red Team professional with our definitive guide.…

3 weeks ago

CVE-2024-5836 / CVE-2024-6778 : Chromium Sandbox Escape via Extension Exploits

This repository contains proof of concept exploits for CVE-2024-5836 and CVE-2024-6778, which are vulnerabilities within…

3 weeks ago

Rust BOFs – Unlocking New Potentials In Cobalt Strike

This took me like 4 days (+2 days for an update), but I got it…

3 weeks ago

MaLDAPtive – Pioneering LDAP SearchFilter Parsing And Security Framework

MaLDAPtive is a framework for LDAP SearchFilter parsing, obfuscation, deobfuscation and detection. Its foundation is…

3 weeks ago