Overview

Documentation

Scope Forensics

Scope is an open source cloud forensic tool for conducting rapid incident response in AWS, GCP and Azure environments.

Getting Started with Scope

Installation

Using Docker

Download Scope onto your machine: https://github.com/scope-forensics/scope.git

The easiest way to get Scope up and running is by using Docker. Follow these steps:

1. Install Docker and Docker Compose on your machine.
2. Run the following command to initialize the environment:

   make init

   This command will set up a database, web worker, Celery worker, and Redis broker, and it will run your migrations.
3. Once the setup is complete, you can access your local installation of Scope at http://localhost:8000.

Create a Case

New Case

Each investigation in Scope revolves around a "Case": every investigation is its own case, and all information in an investigation is linked back to that case. To create a new case, select the Create New Case button in the top right corner of the screen and fill in the case details. A case can be linked to one or multiple cloud accounts from AWS. Support for Google Cloud Platform (GCP) and Microsoft Azure (Azure) is planned for the future.

AWS

AWS Documentation

Welcome to the Scope AWS documentation section. This section will guide you through connecting AWS to Scope and getting the necessary data to start analyzing your AWS environment:

- Connect AWS
- Generate Credentials
- Connect to Scope

Connect to AWS

To connect to AWS, a user needs to be created for Scope with a minimal set of permissions that allow read-only access to the compromised AWS account. To create the Scope user, head to the IAM service and create a new user.
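As an added example (not the Scope project's own code or policy), the following script assembles a read-only IAM policy document for the Scope collector user and refuses any action that could change state, so a typo or an over-broad wildcard is caught before the policy is pasted into the IAM console. The action list is an illustrative assumption; take the exact actions Scope requires from its own documentation.

```python
"""Build and sanity-check a least-privilege policy for the Scope collector user.

Added example, not part of the Scope project. The action list below is an
illustrative assumption; the exact actions Scope needs come from its docs.
"""
import json
import re

# Illustrative read-only actions (assumption): log lookup plus resource inventory.
SCOPE_READONLY_ACTIONS = [
    "cloudtrail:LookupEvents",
    "cloudtrail:DescribeTrails",
    "cloudtrail:GetTrailStatus",
    "s3:ListBucket",
    "s3:GetObject",
    "s3:GetBucketLocation",
    "ec2:DescribeInstances",
    "iam:ListUsers",
    "iam:GetUser",
]

# Action verbs that never change state in the AWS APIs.
READ_VERBS = re.compile(r"^[a-z0-9]+:(Get|List|Describe|Lookup)[A-Za-z]*$")


def is_read_only(action: str) -> bool:
    """True only for a fully qualified read-style action; wildcards are rejected."""
    return "*" not in action and READ_VERBS.match(action) is not None


def build_policy(actions=SCOPE_READONLY_ACTIONS) -> dict:
    """Return an IAM policy document, refusing any non-read-only action."""
    bad = [a for a in actions if not is_read_only(a)]
    if bad:
        raise ValueError(f"non read-only actions in collector policy: {bad}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": sorted(actions), "Resource": "*"}
        ],
    }


if __name__ == "__main__":
    # Paste the output into the inline-policy editor when creating the IAM user.
    print(json.dumps(build_policy(), indent=2))
```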

Analysis

Commence Analysis

Once the relevant logs and resources have been collected, you can commence analysis.

Generate Tags

Scope comes with pre-generated tags that you can use to classify artifacts. You can also create your own tags. To generate the initial tags, run:

python manage.py init_tags