Forensic Analysis Toolset for VMware Environments
ForenWare is a forensic data collection toolset tailored for VMware environments, supporting both vCenter and ESXi. It streamlines memory and disk acquisition, forensic file collection, and threat detection for digital investigations.
- Dual Environment Support: Seamless operation in vCenter and ESXi contexts.
- Forensic Data Acquisition: Capture memory snapshots and disk images for in-depth forensic analysis.
- Threat Detection: Integrates with THOR and Yara-x to detect malware and indicators of compromise (IOCs).
Run the `dependencies.sh` script to set up the required tools and libraries:

```sh
./dependencies.sh
```
Edit `inventory.ini` to define your target VMware hosts. Example structure:

```ini
[vcenter]
vcenter_host ansible_host=your-vcenter-ip ansible_user=your-username ansible_password=your-password

[esxi]
esxi_host ansible_host=your-esxi-ip ansible_user=your-username ansible_password=your-password
```
Modify the appropriate variable file based on your target environment:
- `vars-esxi.yaml` for ESXi.
- `vars-vcenter.yaml` for vCenter.
After setting up the inventory and variables, execute the Ansible playbook with one of the following commands, depending on the target environment:

```sh
ansible-playbook -i inventory.ini site.yaml -e "target_environment=esxi"
ansible-playbook -i inventory.ini site.yaml -e "target_environment=vcenter"
```
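The inventory above stores `ansible_password` in plaintext next to the host entry, so a pre-flight audit before running `site.yaml` is worthwhile. The following is an added example, not part of ForenWare: it parses the INI inventory layout shown above, flags plaintext passwords on host lines, and checks that the `target_environment` value names an existing inventory group (it assumes, as a labelled assumption, that `site.yaml` selects hosts by that group; the sample inventory is constructed).

```python
"""Pre-flight audit of a ForenWare-style inventory.ini (added example, not project code).
Flags hosts whose ansible_password sits in plaintext and checks that target_environment
names an inventory group (assumed to be how site.yaml selects hosts)."""
from typing import Dict, List, Optional

# Constructed sample mirroring the README's inventory layout (not real hosts).
SAMPLE_INVENTORY = """\
[vcenter]
vcenter_host ansible_host=192.0.2.10 ansible_user=investigator ansible_password=Secret123
[esxi]
esxi_host ansible_host=192.0.2.20 ansible_user=root ansible_password=Secret456
"""

def parse_ini_inventory(text: str) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Return {group: {host: {var: value}}}; [x:vars] and [x:children] sections hold no hosts."""
    groups: Dict[str, Dict[str, Dict[str, str]]] = {}
    current: Optional[str] = "ungrouped"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            header = line[1:-1]
            current = None if ":" in header else header  # only plain groups list hosts
            if current is not None:
                groups.setdefault(current, {})
            continue
        if current is None:  # inside a :vars or :children block
            continue
        name, *pairs = line.split()
        hostvars = dict(p.partition("=")[::2] for p in pairs if "=" in p)
        groups.setdefault(current, {})[name] = hostvars
    return groups

def audit_inventory(text: str, target_environment: str) -> List[str]:
    """Findings to resolve before running ansible-playbook -e target_environment=<group>."""
    groups = parse_ini_inventory(text)
    findings: List[str] = []
    if target_environment not in groups:
        findings.append(f"no inventory group matches target_environment={target_environment}")
    for group, hosts in groups.items():
        for host, hv in hosts.items():
            if "ansible_host" not in hv:
                findings.append(f"{group}/{host}: missing ansible_host")
            if "ansible_password" in hv:
                findings.append(f"{group}/{host}: plaintext ansible_password in inventory.ini; "
                                "move it to an ansible-vault encrypted vars file")
    return findings
```

Run `audit_inventory(open("inventory.ini").read(), "esxi")` before the playbook; an empty list means the group exists and no host line carries a plaintext password.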
The toolset includes the following Ansible roles:
- Mem_Acquisition: Captures VM memory snapshots, crucial for analyzing volatile data.
- Disk_Acquisition: Creates VM disk snapshots for non-volatile data acquisition.
- Forensic_File_Collection: Collects specified forensic files from the environment.
- IOC_Sweep: Executes Yara-x or Thor scans for malware and IOC detection.
Contributions are welcome! To contribute:
- Fork the repository.
- Make your changes.
- Submit a pull request for review.
This project is distributed under the MIT License. See the `LICENSE` file for details.