I’m Cuckoo For Autopsy

markmckinnon
Apr 3, 2017
Renzik meets Cuckoo

For my 21st Autopsy Python plugin I decided to see if I could get Autopsy to talk to Cuckoo. I am happy to report that Autopsy can now submit files to Cuckoo. At this point that is all this plugin will do. Fear not, I have more planned, except I will need some feedback to help guide me to make this plugin great.

The GUI setup in order to run the plugin looks like this:

GUI Settings for Cuckoo Autopsy Python plugin

As you can see, the first three settings set up the URL for the API call. Once you fill these in, you can use “Check Server Status” to make sure that you can communicate with your Cuckoo server. You should get one of the following messages.

Cuckoo Server Status Messages

If you cannot seem to connect then let me know and we can try and debug the issue. If you can connect then you are all set to use the module.

The first thing that you will need to do is find all the files that you would like to submit to Cuckoo. You will need to tag all these files with a custom tag of your making/choosing. Once you have tagged all the files, you can use the module. This seemed to be the easiest and best solution for handling multiple files and submitting them without having the user type every file into a dialog box.

All the custom tags will show up in the GUI settings screen for the module. You can pick one or multiple tags to process. You will next need to check the “Submit a File” checkbox. You can then start the module to process. Once the module finishes processing, you can see the task IDs that Cuckoo generated by looking at the Ingest Messages. Each submitted file will generate a message in the Ingest Messages. One thing to note: if you have too many files to submit, you may get the following message returned: “Rate limit exceeded for this API”. I have not investigated what changes need to be made in order to make it so you do not get this error. If someone has the answer then please submit it in the comments.

Ingest Messages
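One client-side way to cope with the rate-limit message mentioned above is to pace submissions and retry with backoff. This is an added example, not code from the plugin or from Cuckoo; the `submit` callable, the `FakeServer` stand-in and its response bodies are constructed assumptions, and only the error string comes from the post.

```python
import time

RATE_LIMIT_MSG = "Rate limit exceeded for this API"  # message quoted in the post


def submit_with_backoff(paths, submit, max_retries=4, base_delay=1.0, sleep=time.sleep):
    """Call submit(path) -> response text for each path, retrying on rate limit.
    `submit` is a hypothetical transport callable (e.g. a wrapper around the HTTP POST).
    Returns (results, failed): path -> response text, and paths that never got through."""
    results, failed = {}, []
    for path in paths:
        delay = base_delay
        for attempt in range(max_retries + 1):
            body = submit(path)
            if RATE_LIMIT_MSG not in body:
                results[path] = body      # accepted (or some other, non-rate-limit reply)
                break
            if attempt == max_retries:
                failed.append(path)       # still throttled: report it, do not drop it silently
                break
            sleep(delay)                  # wait before retrying the same file
            delay *= 2                    # exponential backoff
    return results, failed


class FakeServer:
    """Constructed stand-in for a rate-limited server: accepts `burst` submissions,
    then rejects until the caller has waited `window` seconds in total."""
    def __init__(self, burst=2, window=3.0):
        self.burst, self.window = burst, window
        self.used, self.waited, self.next_id = 0, 0.0, 1

    def sleep(self, seconds):             # simulated clock, so the demo runs instantly
        self.waited += seconds
        if self.waited >= self.window:
            self.used, self.waited = 0, 0.0

    def submit(self, path):
        if self.used >= self.burst:
            return '{"error": true, "error_value": "%s"}' % RATE_LIMIT_MSG
        self.used += 1
        task_id, self.next_id = self.next_id, self.next_id + 1
        return '{"task_id": %d}' % task_id  # constructed response shape


def demo():
    server = FakeServer()
    files = ["a.exe", "b.dll", "c.doc", "d.pdf", "e.js"]  # constructed file names
    return submit_with_backoff(files, server.submit, sleep=server.sleep)
```

Files that are still throttled after the last retry come back in `failed`, so they can be reported in the Ingest Messages rather than lost.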

When a file is submitted, it will only be submitted with default values. This is where I would like your input. What options, if any, should I offer to be added to a submitted file? Any of the options can be added to the GUI Settings and passed in, just let me know your thoughts. The same can be said/asked for the URL submission, which I will be working on soon to get added.

The next big question is should any data be imported back into Autopsy from Cuckoo? If so what data should be brought over from Cuckoo? Should it be brought over by default or should there be options for the user to pick?

You can find the module here. Check it out and let me know what can be added to make it better. Comments welcomed and encouraged.

Enjoy!
