No longer having to maintain forensic artifact libraries for every security vendor has provided me time to tackle other repetitive investigation tasks with automation.
My next challenge is to eliminate the need for manual updates to the artifact library. As software patches are released, I want to collect the new artifacts and update the database.
AWS Systems Manager lets you automate operational tasks on Linux and Windows hosts through the installed SSM agent. I set up a maintenance window that applies all available patches to EC2 instances running CentOS, Ubuntu, and Windows. The Windows instance rebooted on its own when a patch required it, but I needed shell scripts to test whether the Linux boxes required a restart after patching.

On Ubuntu, apt drops a flag file when an updated package needs a reboot:

```bash
#!/bin/bash
# Ubuntu: /var/run/reboot-required is created by the package manager
# when an installed update needs a restart to take effect.
if [ -f /var/run/reboot-required ]; then
    init 6
fi
```

On CentOS, needs-restarting (from yum-utils) exits 1 when a reboot is required and 0 when it is not:

```bash
#!/usr/bin/bash
# CentOS: "needs-restarting -r" returns 1 if the running kernel or core
# libraries were updated and a reboot is required, 0 otherwise.
needs-restarting -r
if [ $? -eq 1 ]; then
    init 6
fi
```
For my primary use cases I am capturing the SHA256 values of directory names, full file paths, file contents, and filenames. I decided to keep MD5 available for legacy vendor support for now. The collected data is written to an S3 bucket, loaded from there into DynamoDB, and exposed through API Gateway.
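To make the shape of that collection concrete, here is an added example in Python that walks a directory tree and emits one record per file with the four SHA256 values plus an MD5 of the contents. It is not the matchmeta code linked below and not the collector used on the patched instances: the sample files, the "os" and "patch_level" fields, the choice to hash the path relative to the collection root with forward slashes, and the newline-delimited JSON output format are all my own assumptions for illustration.

```python
#!/usr/bin/env python3
"""Collect hash metadata for every file under a root (added example, not the
matchmeta project's collector). Record layout and field names are assumptions."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Constructed sample tree: fake contents standing in for real OS artifacts.
SAMPLE_FILES = {
    "Windows/System32/drivers/etc/hosts": b"127.0.0.1 localhost\n",
    "Windows/System32/kernel32.dll": b"MZ\x90\x00fake-kernel32",
    "etc/ssh/sshd_config": b"PermitRootLogin no\n",
}


def build_sample_tree(base: str) -> Path:
    """Write the constructed sample files under base and return the root."""
    root = Path(base)
    for rel, data in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


def hash_bytes(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of an in-memory value (used for names and paths)."""
    return hashlib.new(algorithm, data).hexdigest()


def hash_file_contents(path: Path, algorithm: str = "sha256", chunk: int = 1 << 20) -> str:
    """Stream a file through the hash so large binaries are not read into memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def artifact_record(path: Path, root: Path, os_name: str, patch_level: str) -> dict:
    """One metadata record for a file. The path is taken relative to the
    collection root, rooted at "/" with forward slashes, so the same file
    produces the same path hash regardless of where the image was mounted."""
    full_path = "/" + path.relative_to(root).as_posix()
    return {
        "os": os_name,                      # assumed field
        "patch_level": patch_level,         # assumed field
        "sha256_dirname": hash_bytes(os.path.dirname(full_path).encode()),
        "sha256_fullpath": hash_bytes(full_path.encode()),
        "sha256_filename": hash_bytes(os.path.basename(full_path).encode()),
        "sha256_contents": hash_file_contents(path),
        "md5_contents": hash_file_contents(path, "md5"),  # legacy vendor lookups
    }


def collect(root: Path, os_name: str, patch_level: str) -> list:
    """Walk root and return a record for every regular file (symlinks skipped
    so a link cannot be mistaken for the artifact it points at)."""
    records = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            records.append(artifact_record(path, root, os_name, patch_level))
    return records


def to_ndjson(records: list) -> str:
    """Newline-delimited JSON, one record per line, ready to drop in a bucket."""
    return "".join(json.dumps(r, sort_keys=True) + "\n" for r in records)


def demo() -> list:
    """Build the constructed tree in a temp directory and collect it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        return collect(root, "windows-2019", "2020-06")


if __name__ == "__main__":
    print(to_ndjson(demo()), end="")
```

Each line of the NDJSON output is a self-contained record, which is convenient for an S3-triggered loader that batch-writes into DynamoDB; the hashed path and filename fields are what let a lookup API match an unknown file by name or location without shipping the raw strings.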
If you would like to try using the data set, I have provided code samples here: https://4n6ir.com/matchmeta/