Until now, FastIR has been used as a standalone enterprise forensics solution. Many users asked for an agent-based solution. Now it is a reality: we have given FastIR Collector a client-server capability. Enjoy!
Last week, at RMLL 2016 in Paris, Sekoia released a new version of FastIR Collector with a long-awaited feature: a client-server architecture. As a reminder, FastIR Collector is an open source forensic collector developed by Sekoia and available on GitHub: https://github.com/SekoiaLab/Fastir_Collector. We have always released FastIR for free to allow Do It Yourself forensic investigations at enterprise scale. FastIR Collector is a standalone application without dependencies that works by simply double-clicking on it. Without changing this philosophy, we developed a centralized server and an agent around the collector. The purpose of this feature is to provide a flexible and efficient way to centralize the configuration of forensic collections. This article describes the design and the principles of the agent.
FastIR Agent is composed of 2 elements:
– A Windows service;
– A configuration utility.
The service periodically (every 60 minutes by default) sends a request to the FastIR server in order to:
– Get the last version of the FastIR Collector binary;
– Check if a collection order has been scheduled and download the related profile;
– Execute the collection.
FastIR Agent is convenient: the service can be managed like any common Windows service.
FastIR Agent logs are written to the Windows event log, so they can be analysed easily and centralized like any other event logs.
The configuration is stored in the registry of the service (HKLM\SYSTEM\CurrentControlSet\Services\FastIR
To configure the agent, we also provide a configuration tool.
For obvious security reasons, the communication between the agent and the server is encrypted with SSL and uses SSL pinning to prevent man-in-the-middle attacks. Additionally, before executing FastIR Collector, the agent verifies the signature of the binary to avoid running an illegitimate application.
The source code of the FastIR Agent is available on GitHub: https://github.com/SekoiaLab/FastIR_Agent.
The server is developed in Python: it is a web server powered by Flask. Data are accessed through the SQLAlchemy library, which lets administrators use different types of databases (PostgreSQL, MySQL, SQLite and so on).
The configuration is stored in the server.ini file:
[web]
host=0.0.0.0
port=5000

[api]
# /!\ CHANGE ME /!\
key=CHANGEME

[binaries]
x86=fastir.exe
x64=fastir64.exe

[db]
uri=sqlite:///fastir.db
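Two checks an administrator would want around the points above, the shipped server.ini and the agent's SSL pinning, as an added example that is not code from the FastIR project: the audit refuses the default api key (and a wide-open listen address) and the client side rejects any server certificate whose SHA-256 fingerprint differs from the pin. It assumes that gen_ssl.sh produces a self-signed certificate (so the pin, not a CA chain, is the trust anchor) and that pinning is done on the certificate's SHA-256, which the article does not specify; the ini text is copied from the listing above.

```python
import configparser
import hashlib
import hmac
import socket
import ssl

# Constructed copy of the server.ini listed in the article (not a file taken from the project).
DEFAULT_SERVER_INI = """
[web]
host=0.0.0.0
port=5000
[api]
# /!\\ CHANGE ME /!\\
key=CHANGEME
[binaries]
x86=fastir.exe
x64=fastir64.exe
[db]
uri=sqlite:///fastir.db
"""

def audit_server_ini(text):
    """Return findings for a FastIR server.ini; an empty list means nothing was flagged."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    findings = []
    key = cfg.get("api", "key", fallback="")
    if key in ("", "CHANGEME") or len(key) < 16:
        findings.append("api.key is the shipped default or too short")
    if cfg.get("web", "host", fallback="") == "0.0.0.0":
        findings.append("web.host listens on every interface; restrict it to the management network")
    return findings

def cert_fingerprint(der_cert):
    """Hex SHA-256 of a DER-encoded certificate, the value an operator records as the pin."""
    return hashlib.sha256(der_cert).hexdigest()

def pin_matches(der_cert, pinned_sha256_hex):
    """Constant-time comparison of the presented certificate's fingerprint with the pin."""
    return hmac.compare_digest(cert_fingerprint(der_cert), pinned_sha256_hex.lower())

def open_pinned_connection(host, port, pinned_sha256_hex, timeout=10):
    """TLS connect and refuse to proceed unless the server certificate matches the pin.
    Assumed self-signed server certificate: the pin replaces, rather than supplements, CA validation."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = ctx.wrap_socket(socket.create_connection((host, port), timeout=timeout), server_hostname=host)
    if not pin_matches(conn.getpeercert(binary_form=True), pinned_sha256_hex):
        conn.close()  # drop the session before any API key or profile request is sent
        raise ssl.SSLError("server certificate does not match the pinned fingerprint")
    return conn
```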
The FastIR binaries must be placed in the binaries/ directory, and the forensic collection profile files in the config/ directory; the profiles are described in the FastIR Collector repository. To make things simpler, we also provide a few scripts to help administrators:
– gen_ssl.sh: generates the certificates needed for SSL support with Flask;
– fastirsrvctl.py: schedules collections, lists the scheduled collections, etc.
The source code of the FastIR Server is available on Github: https://github.com/SekoiaLab/FastIR_Server
For a long time, CERT Sekoia has used FastIR Collector for its forensic investigations, whether localized or large-scale. This open-source tool has been widely adopted by many information security communities. However, some of them considered that an agent-based capability was missing. Today we fill this gap and once again choose the open source approach in order to help organizations and the information security community.