Beagle事件響應(yīng)和數(shù)字取證工具

Beagle是一個(gè)事件響應(yīng)和數(shù)字取證工具，它將數(shù)據(jù)源和日志轉(zhuǎn)換為圖形。支持的數(shù)據(jù)源包括FireEye HX分類、Windows EVTX文件、Sysmon日志和原始Windows內(nèi)存映像。生成的圖形可以發(fā)送到圖形數(shù)據(jù)庫(kù)（如NEO4J或DGraph），也可以作為python networkx對(duì)象保存在本地。

Beagle 可作為一個(gè) Python 開發(fā)包直接使用，或者通過(guò)其 Web 接口使用。

也可以作為函數(shù)調(diào)用：

>>> from beagle.datasources import SysmonEVTX

>>> graph = SysmonEVTX("malicious.evtx").to_graph()
>>> graph
<networkx.classes.multidigraph.MultiDiGraph at 0x12700ee10>

>>> from beagle.backends import NetworkX
>>> from beagle.datasources import SysmonEVTX
>>> from beagle.transformers import SysmonTransformer

>>> datasource = SysmonEVTX("malicious.evtx")

# Transformers take a datasource, and transform each event
# into a tuple of one or more nodes.
>>> transformer = SysmonTransformer(datasource=datasource)
>>> nodes = transformer.run()

# Transformers output an array of nodes.
[
    (<SysMonProc> process_guid="{0ad3e319-0c16-59c8-0000-0010d47d0000}"),
    (<File> host="DESKTOP-2C3IQHO" full_path="C:\Windows\System32\services.exe"),
    ...
]

# Backends take the nodes, and transform them into graphs
>>> backend = NetworkX(nodes=nodes)
>>> G = backend.graph()
<networkx.classes.multidigraph.MultiDiGraph at 0x126b887f0>