The CDQR Docker Image

@AlanOrlikoski edited this page Jan 16, 2019 · 3 revisions

Location

https://hub.docker.com/r/aorlikoski/cdqr

Requirements

Installation of Docker

Usage

Process a Folder of Artifacts; TimeSketch formatted output

All connection settings for the TimeSketch server (remote or local) must be supplied through the timesketch.conf file mounted into the container; the command line only names the TimeSketch timeline.

# Mount the artifact folder, the TimeSketch config and an output directory,
# then send the results to TimeSketch as the "Archive_test" timeline.
docker run \
  -v <path to data>:/data/ \
  -v <path to timesketch.conf>:/etc/timesketch.conf \
  -v <path to output directory>:/data/output/ \
  aorlikoski/cdqr /data/ /data/output/ \
  --es_ts Archive_test

Process a Zip file of Artifacts; Output to Local ElasticSearch DB (not TimeSketch)

A .zip file of forensic artifacts (such as one collected by CyLR) is passed with the -z flag; the index name follows --es_kb.

# Mount the zip and an output directory, then index the results into the
# local Elasticsearch instance under the "LR_test" index.
docker run \
  -v <path to data>/LR.zip:/data/LR.zip \
  -v <path to output directory>:/data/output/ \
  aorlikoski/cdqr -z /data/LR.zip /data/output/ \
  --es_kb LR_test

Process Disk Image; Output to Remote ElasticSearch DB

Any unencrypted disk image, such as a .dd or .vmdk file, or a mounted folder can be processed this way; --es_kb_server points CDQR at the remote Elasticsearch host.

# Mount the image and an output directory, then index the results into the
# "collected_image" index on a remote Elasticsearch server.
docker run \
  -v <path to data>/collected_image.dd:/data/collected_image.dd \
  -v <path to output directory>:/data/output/ \
  aorlikoski/cdqr /data/collected_image.dd /data/output/ \
  --es_kb collected_image --es_kb_server <remote server>
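The three invocations above differ only in how the input is mounted, whether -z is needed, and which of --es_ts / --es_kb (plus --es_kb_server) selects the destination. The wrapper below is an added example, not part of the CDQR project or this wiki page: it assembles the docker run line for any of the three cases from a few arguments and refuses to start the container when the input path, output directory, or timesketch.conf is missing. The function name cdqr_run, the DRY_RUN variable, and the server name es.example.internal used in the usage comment are assumptions of this example; the image name and the flags are the ones shown on this page.

```shell
#!/bin/sh
# Added example (not CDQR's own code): build and run the aorlikoski/cdqr
# docker command for a folder, a zip, or a disk image, checking inputs first.

CDQR_IMAGE="aorlikoski/cdqr"

# cdqr_run <kind> <source> <outdir> <target> <index> [server] [timesketch.conf]
#   kind:   folder | zip | image
#   target: ts (TimeSketch, settings come from the mounted timesketch.conf)
#           kb (Elasticsearch/Kibana; optional remote server)
# With DRY_RUN=1 the command is printed instead of executed.
cdqr_run() {
    kind="$1"; src="$2"; outdir="$3"; target="$4"; index="$5"; server="$6"; tsconf="$7"

    # Never hand docker a bind mount that does not exist on the host.
    [ -e "$src" ]    || { echo "source not found: $src" >&2; return 1; }
    [ -d "$outdir" ] || { echo "output dir not found: $outdir" >&2; return 1; }
    [ -n "$index" ]  || { echo "an index/timeline name is required" >&2; return 1; }

    # A folder is mounted as /data/ itself; a file keeps its basename under /data/.
    case "$kind" in
        folder)    inner="/data/" ;;
        zip|image) inner="/data/$(basename "$src")" ;;
        *) echo "unknown kind: $kind (folder|zip|image)" >&2; return 1 ;;
    esac

    # Build the argument list in the positional parameters so paths with
    # spaces survive intact when the command is executed.
    set -- docker run -v "$src:$inner" -v "$outdir:/data/output/"

    case "$target" in
        ts)
            # TimeSketch connection details are only read from this file.
            [ -f "$tsconf" ] || { echo "timesketch.conf not found: $tsconf" >&2; return 1; }
            set -- "$@" -v "$tsconf:/etc/timesketch.conf"
            ;;
        kb) ;;
        *) echo "unknown target: $target (ts|kb)" >&2; return 1 ;;
    esac

    set -- "$@" "$CDQR_IMAGE"
    [ "$kind" = zip ] && set -- "$@" -z          # zip input needs the -z flag
    set -- "$@" "$inner" /data/output/

    if [ "$target" = ts ]; then
        set -- "$@" --es_ts "$index"
    else
        set -- "$@" --es_kb "$index"
        [ -n "$server" ] && set -- "$@" --es_kb_server "$server"
    fi

    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Usage when run as a script, e.g. (es.example.internal is a placeholder):
#   DRY_RUN=1 sh cdqr_run.sh image ./collected_image.dd ./out kb collected_image es.example.internal
[ $# -gt 0 ] && cdqr_run "$@"
```

Running with DRY_RUN=1 first is a cheap way to confirm the mounts and flags before a multi-hour parse; because the arguments are kept as separate words rather than pasted into a string, the printed line may need quoting if you copy it back into a shell, but the executed form is always correct.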