DFIRVault

DFIR ELK Setup Guide

The following is a step-by-step guide on setting up a DFIR ELK instance on Windows.

Step 1: Prerequisites

Before installation, ensure:

  • Windows 10/11 or Windows Server 2016+ (64-bit)

  • Java JDK 17 (optional: Elasticsearch 8.x and Logstash 8.x ship with a bundled JDK and use it by default; install your own only if you need to run them on a JDK you manage)

  • At least 8GB RAM (16GB+ recommended)

  • Administrator privileges

  • PowerShell 5.1+


Step 2: Install Java JDK 17 (optional)

Elasticsearch 8.x and Logstash 8.x each ship with a bundled JDK and use it unless told otherwise, so this step is only needed if you want them on a JDK you patch and manage yourself. If you do:

  1. Download JDK 17 from Oracle or Adoptium.

  2. Run the installer and follow prompts.

  3. Point Elasticsearch and Logstash at it. Elasticsearch 8 reads ES_JAVA_HOME and Logstash 8 reads LS_JAVA_HOME; a plain JAVA_HOME is no longer honoured by Elasticsearch 8, so setting only that has no effect:

    • Open System Properties > Environment Variables.

    • Add the variables:

      ES_JAVA_HOME = C:\Program Files\Java\jdk-17.x.x (your JDK path)
      LS_JAVA_HOME = C:\Program Files\Java\jdk-17.x.x (same path)
    • Optionally add %ES_JAVA_HOME%\bin to the Path variable so java.exe is available on the command line.


Step 3: Download & Configure Elasticsearch

  1. Download Elasticsearch (v8.x) from Elastic.co.

  2. Extract the ZIP to C:\ELK\elasticsearch.

  3. Configure Elasticsearch:

    • Open C:\ELK\elasticsearch\config\elasticsearch.yml in a text editor.

    • Modify:

      yaml
      cluster.name: dfir-cluster
      node.name: dfir-node
      network.host: 127.0.0.1  # Loopback only: Logstash, Kibana and Winlogbeat in this guide all run on this host. 0.0.0.0 exposes the node on every interface
      http.port: 9200
      discovery.type: single-node  # For single-node setup
      xpack.security.enabled: false  # Disable security for an isolated lab only (enable in prod)
    • Note: set xpack.security.enabled before the first start. Elasticsearch 8 otherwise auto-configures TLS and an elastic password on first boot, and the plain http:// URLs used in the following steps stop working. With security off, anyone who can reach port 9200 can read, change or delete indexed evidence, so do not bind to 0.0.0.0 in that state.
  4. Run Elasticsearch:

    • Open PowerShell as Admin and execute:

      powershell
      cd C:\ELK\elasticsearch\bin
      .\elasticsearch.bat
    • Verify it’s running:
      Open http://localhost:9200 in a browser (should return JSON).
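A PowerShell check for this step, added here and not part of the original guide: it confirms the node answers, reports cluster health, and shows which address port 9200 is actually bound to. It assumes the elasticsearch.yml above (HTTP on localhost:9200, security disabled); Get-NetTCPConnection comes from the NetTCPIP module that ships with Windows 8.1 / Server 2012 R2 and later.

```powershell
# Added check, not from the original guide. Assumes http://localhost:9200 with xpack.security.enabled: false.
$es = "http://localhost:9200"

# 1. Root endpoint. With security enabled this call returns 401 without credentials,
#    so an anonymous 200 here is itself confirmation that security is off.
$info = Invoke-RestMethod -Uri $es
"Elasticsearch {0} on cluster '{1}' (node {2})" -f $info.version.number, $info.cluster_name, $info.name

# 2. Cluster health. 'yellow' is expected on a single node: replica shards have nowhere to go.
$health = Invoke-RestMethod -Uri "$es/_cluster/health"
"Cluster status: {0}, {1} node(s)" -f $health.status, $health.number_of_nodes

# 3. Exposure check: which address is 9200 listening on? 0.0.0.0 or :: means every interface,
#    and with security disabled anyone who can reach the port can read, alter or delete the evidence.
$listen = Get-NetTCPConnection -LocalPort 9200 -State Listen -ErrorAction SilentlyContinue
foreach ($l in $listen) { "Listening on {0}:{1}" -f $l.LocalAddress, $l.LocalPort }
if (@($listen.LocalAddress) -contains "0.0.0.0" -or @($listen.LocalAddress) -contains "::") {
    Write-Warning "Port 9200 is bound to all interfaces with security disabled. Set network.host: 127.0.0.1, or enable xpack.security before indexing case data."
}
```

Run it in a second elevated PowerShell window while elasticsearch.bat is running in the first; the warning in step 3 is the one to act on before any case data goes into the cluster.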


Step 4: Install & Configure Logstash

  1. Download Logstash from Elastic.co.

  2. Extract to C:\ELK\logstash.

  3. Create a DFIR Pipeline Config:

    • Open C:\ELK\logstash\config\logstash-sample.conf and replace its contents with:

      conf
      input {
        beats {
          port => 5044   # Winlogbeat / NXLog (Step 6) ship Windows Event Logs, including Sysmon, to this port
        }
        file {
          path => "C:/DFIR_Logs/*.log"   # Plain-text logs. Use forward slashes: the file input does not accept backslash paths on Windows
          start_position => "beginning"
          tags => ["dfir_file"]
        }
      }
      filter {
        if "dfir_file" in [tags] {   # Beats events arrive already structured; only grok the text files
          grok {  # Parse logs (customize for your log format)
            match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:loglevel} %{GREEDYDATA:message}" }
            overwrite => ["message"]   # Without this, message becomes an array [original, parsed]
          }
          date {  # Use the log's own timestamp for @timestamp instead of ingestion time
            match => ["timestamp", "ISO8601"]
          }
        }
      }
      output {
        elasticsearch {
          hosts => ["http://localhost:9200"]
          index => "dfir-logs-%{+YYYY.MM.dd}"
        }
      }
  4. Run Logstash:

    powershell
    cd C:\ELK\logstash\bin
    .\logstash.bat -f C:\ELK\logstash\config\logstash-sample.conf
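To test the pipeline before pointing real evidence at it, here is an added PowerShell walk-through (not part of the original guide). It validates the config, writes one constructed log line in the shape the grok pattern expects into C:\DFIR_Logs, and polls Elasticsearch until that document appears. It assumes the paths from Steps 3 and 4, Elasticsearch up with security disabled, and Logstash already running the pipeline in another window; the log line and the pipeline-test.log file name are constructed test data.

```powershell
# Added example, not from the original guide. Assumes the paths from Steps 3-4, Elasticsearch on
# http://localhost:9200 with security disabled, and Logstash already running the pipeline in another window.
$logstashBin = "C:\ELK\logstash\bin"
$pipeline    = "C:\ELK\logstash\config\logstash-sample.conf"
$logDir      = "C:\DFIR_Logs"
$es          = "http://localhost:9200"

# 1. Validate the pipeline (syntax and plugin options) without starting it. Non-zero exit = bad config.
& "$logstashBin\logstash.bat" -f $pipeline --config.test_and_exit
if ($LASTEXITCODE -ne 0) { throw "Pipeline config failed validation; fix logstash-sample.conf before continuing" }

# 2. Write one constructed line in the TIMESTAMP LOGLEVEL MESSAGE shape the grok pattern expects.
#    (Constructed test data, not a real event; the marker makes it easy to find again.)
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
$marker = "dfir-pipeline-test-" + [guid]::NewGuid().ToString("N").Substring(0, 8)
$line   = "2024-01-15T10:23:45.000Z WARN $marker svchost.exe spawned powershell.exe"
Add-Content -Path "$logDir\pipeline-test.log" -Value $line

# 3. Poll for the document. The file input tails the directory, so it can take a few seconds.
$hit   = $null
$query = @{ query = @{ match_phrase = @{ message = $marker } } } | ConvertTo-Json -Depth 4
for ($i = 0; $i -lt 12 -and -not $hit; $i++) {
    Start-Sleep -Seconds 5
    try {
        $r = Invoke-RestMethod -Method Post -Uri "$es/dfir-logs-*/_search" -ContentType "application/json" -Body $query
        if ($r.hits.total.value -gt 0) { $hit = $r.hits.hits[0]._source }
    } catch { }   # Logstash may not have created today's index yet
}

if ($hit) {
    "Indexed OK: loglevel={0} message='{1}'" -f $hit.loglevel, $hit.message
    if ($hit.tags -contains "_grokparsefailure") { Write-Warning "grok did not match: loglevel/timestamp were not extracted" }
} else {
    Write-Warning "Nothing indexed after 60s. Check the Logstash console: a backslash path in the file input or a typo in the grok pattern are the usual causes."
}
```

A _grokparsefailure tag on the returned document means the event was stored but the fields you want to search on were never extracted; fix the pattern and re-run rather than discovering it later in Kibana.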

Step 5: Install & Configure Kibana

  1. Download Kibana from Elastic.co.

  2. Extract to C:\ELK\kibana.

  3. Configure Kibana:

    • Open C:\ELK\kibana\config\kibana.yml and modify:

      yaml
      server.port: 5601
      server.host: "0.0.0.0"  # Reachable from other machines. With security disabled, anyone who can reach 5601 gets full Elasticsearch access through Dev Tools; use "localhost" unless remote analysts need it
      elasticsearch.hosts: ["http://localhost:9200"]
  4. Run Kibana:

    powershell
    cd C:\ELK\kibana\bin
    .\kibana.bat
  5. Access Kibana:

    • Open http://localhost:5601 in a browser.

    • Go to Stack Management > Data Views > Create data view. Use dfir-logs-* as the index pattern and @timestamp as the time field (Kibana 8 calls index patterns "data views"). Discover then shows the ingested events.
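The same data view can be created from PowerShell through Kibana's API; this is an added example, not part of the original guide. It assumes Kibana on http://localhost:5601 with the kibana.yml above (no authentication, so no credentials are sent), Kibana 8's /api/status and /api/data_views endpoints, and that something has already been indexed into dfir-logs-*. The name "DFIR logs" is an arbitrary label chosen here.

```powershell
# Added example, not from the original guide. Assumes Kibana 8 on http://localhost:5601 with no authentication.
$kibana = "http://localhost:5601"
$hdr    = @{ "kbn-xsrf" = "true" }   # Kibana requires this header on every API write; the value is arbitrary

# 1. Wait until Kibana reports itself available (it keeps retrying Elasticsearch while starting up).
$ready = $false
for ($i = 0; $i -lt 24 -and -not $ready; $i++) {
    try {
        $s = Invoke-RestMethod -Uri "$kibana/api/status"
        $ready = ($s.status.overall.level -eq "available")
    } catch { }
    if (-not $ready) { Start-Sleep -Seconds 5 }
}
if (-not $ready) { throw "Kibana did not become available; check the kibana.bat console" }

# 2. Create the data view (Kibana 8's name for an index pattern). Re-running returns 400: it already exists.
$body = @{ data_view = @{ title = "dfir-logs-*"; name = "DFIR logs"; timeFieldName = "@timestamp" } } | ConvertTo-Json -Depth 4
try {
    $dv = Invoke-RestMethod -Method Post -Uri "$kibana/api/data_views/data_view" -Headers $hdr -ContentType "application/json" -Body $body
    "Created data view '{0}' (id {1})" -f $dv.data_view.title, $dv.data_view.id
} catch {
    Write-Warning "Data view not created: $($_.Exception.Message)"
}

# 3. List the data views Kibana now knows about.
$all = Invoke-RestMethod -Uri "$kibana/api/data_views" -Headers $hdr
$all.data_view | ForEach-Object { "{0,-30} {1}" -f $_.title, $_.id }
```

Scripting this step is what makes a rebuilt DFIR box reproducible; the same call with a different title registers any further index you add later (for example a second index for a second case).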


Step 6: Ingest DFIR Data (Example: Sysmon Logs)

  1. Install Sysmon (if not already):

    powershell
    # Run from an elevated prompt in the folder where Sysmon was unpacked. Add -c <config.xml> to load a rule set instead of the defaults
    .\sysmon.exe -i -accepteula -h md5,sha256 -l -n
  2. Forward Sysmon logs to Logstash:

    • Use Winlogbeat or NXLog to send Windows Event Logs to Logstash.

    • Example Winlogbeat config (winlogbeat.yml):

      yaml
      winlogbeat.event_logs:
        - name: Microsoft-Windows-Sysmon/Operational
      output.logstash:
        hosts: ["localhost:5044"]   # Requires a beats { port => 5044 } input in the Logstash pipeline; the file input alone will not receive these events
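An end-to-end check for this step, added here and not part of the original guide: it confirms Sysmon is writing events, that Logstash is listening for Beats, validates and installs Winlogbeat as a service, then counts the Sysmon events per event ID that actually reached Elasticsearch. It assumes Winlogbeat was unzipped to C:\ELK\winlogbeat with the winlogbeat.yml above, a Logstash beats input on port 5044 writing to dfir-logs-*, and Winlogbeat's default (non-module) field names for Sysmon events, winlog.provider_name and winlog.event_id; the install path is a choice made for this example.

```powershell
# Added check, not from the original guide. Assumes C:\ELK\winlogbeat holds the Winlogbeat zip contents and
# winlogbeat.yml, a Logstash beats input on 5044 feeding dfir-logs-*, and Winlogbeat's default field names.
$wlb = "C:\ELK\winlogbeat"
$es  = "http://localhost:9200"

# 1. Is Sysmon writing events at all? (Reading this channel needs an elevated prompt.)
$recent = Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -MaxEvents 5
$recent | Select-Object TimeCreated, Id, @{ n = "Summary"; e = { ($_.Message -split "`n")[0] } } | Format-Table -AutoSize

# 2. Is Logstash accepting Beats connections? Winlogbeat would otherwise retry silently forever.
if (-not (Test-NetConnection -ComputerName localhost -Port 5044 -InformationLevel Quiet)) {
    throw "Nothing is listening on 5044. Add 'beats { port => 5044 }' to the Logstash input block and restart it."
}

# 3. Validate the Winlogbeat config, test the output connection, then install and start the service.
Push-Location $wlb
& ".\winlogbeat.exe" test config -c ".\winlogbeat.yml" -e
if ($LASTEXITCODE -ne 0) { Pop-Location; throw "winlogbeat.yml failed validation" }
& ".\winlogbeat.exe" test output -c ".\winlogbeat.yml" -e     # Opens a real connection to localhost:5044
PowerShell.exe -ExecutionPolicy Bypass -File ".\install-service-winlogbeat.ps1"   # Script ships in the Winlogbeat zip
Start-Service winlogbeat
Pop-Location

# 4. Count Sysmon events per event ID that reached Elasticsearch. 'match' works whether the
#    field was dynamically mapped as text or as a number, so this does not depend on the index mapping.
Start-Sleep -Seconds 30
$names = @{ 1 = "process create"; 3 = "network connect"; 11 = "file create" }
foreach ($id in 1, 3, 11) {
    $body = @{ query = @{ bool = @{ filter = @(
        @{ match_phrase = @{ "winlog.provider_name" = "Microsoft-Windows-Sysmon" } }
        @{ match        = @{ "winlog.event_id" = "$id" } }
    ) } } } | ConvertTo-Json -Depth 8
    $r = Invoke-RestMethod -Method Post -Uri "$es/dfir-logs-*/_count" -ContentType "application/json" -Body $body
    "Sysmon event ID {0,2} ({1}): {2} documents" -f $id, $names[$id], $r.count
}
```

Zero counts across the board with Sysmon events visible in step 1 usually means the events are arriving but landing somewhere else (for example an index the output block does not name), so check the Logstash console before touching Winlogbeat.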

Step 7: Visualize DFIR Data in Kibana

  1. Create dashboards: in Kibana go to Analytics > Dashboard > Create dashboard and add visualizations built on the dfir-logs-* data view.

  2. Example visualizations:

    • Timeline of suspicious processes (Sysmon event ID 1, process creation, bucketed over time)

    • Network connections heatmap (Sysmon event ID 3: source process against destination address and port)

    • Malware detection alerts
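Before building the network connections view in Kibana, it helps to run the aggregation behind it directly and look at the data. This added PowerShell example is not part of the original guide. It assumes Sysmon events reached dfir-logs-* via Winlogbeat (Step 6) with Winlogbeat's default field names (winlog.event_id, winlog.event_data.Image, winlog.event_data.DestinationIp, winlog.event_data.DestinationPort) and Elasticsearch's default dynamic mapping, which gives every string field a .keyword sub-field that terms aggregations can use.

```powershell
# Added example, not from the original guide. Assumes Winlogbeat's default Sysmon field names under
# winlog.event_data and default dynamic mapping (string fields get a .keyword sub-field).
$es = "http://localhost:9200"

# Sysmon EID 3 (network connection) in the last 24 hours, grouped process -> destination IP -> port.
$body = @{
    size  = 0
    query = @{ bool = @{ filter = @(
        @{ match = @{ "winlog.event_id" = "3" } }
        @{ range = @{ "@timestamp" = @{ gte = "now-24h" } } }
    ) } }
    aggs = @{
        by_process = @{
            terms = @{ field = "winlog.event_data.Image.keyword"; size = 20 }
            aggs  = @{
                by_dest = @{
                    terms = @{ field = "winlog.event_data.DestinationIp.keyword"; size = 10 }
                    aggs  = @{ ports = @{ terms = @{ field = "winlog.event_data.DestinationPort.keyword"; size = 5 } } }
                }
            }
        }
    }
} | ConvertTo-Json -Depth 12

$r = Invoke-RestMethod -Method Post -Uri "$es/dfir-logs-*/_search" -ContentType "application/json" -Body $body

# Flatten the nested buckets into rows. Sorting ascending puts the rarest process/destination pairs
# first: on a compromised host the interesting connection is usually the one that happened once.
$rows = foreach ($p in $r.aggregations.by_process.buckets) {
    foreach ($d in $p.by_dest.buckets) {
        [pscustomobject]@{
            Process     = $p.key
            Destination = $d.key
            Ports       = ($d.ports.buckets.key -join ",")
            Connections = $d.doc_count
        }
    }
}
$rows | Sort-Object Connections | Format-Table -AutoSize
```

The same three fields (Image, DestinationIp, DestinationPort) are what you put on the axes of the Kibana heatmap; if the .keyword sub-fields are missing, the index was created with a custom template and the aggregation needs the keyword field that template defines instead.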