
Hayabusa & Suzaku Cheatsheet

Overview

Hayabusa and Suzaku are open-source tools developed by NTT DATA to speed up digital forensics and incident response (DFIR) workflows. They were showcased at the Black Hat USA 2025 Arsenal.

  • Hayabusa: A fast event log analysis tool.
  • Suzaku: A tool for creating and analyzing timelines from various forensic artifacts.

Hayabusa: Fast Event Log Analysis

Hayabusa is designed to quickly analyze large volumes of Windows event logs to identify suspicious activity.

Key Features:

  • High-Speed Analysis: Written in Rust for maximum performance.
  • Sigma Rule Support: Uses Sigma rules to detect threats.
  • Multi-threaded: Takes advantage of modern multi-core processors.
  • Cross-Platform: Runs on Windows, Linux, and macOS.
  • Flexible Output: Supports various output formats, including CSV, JSON, and timeline.

Installation:

# Download the latest release from the Hayabusa GitHub repository
wget https://github.com/nttdata-security/hayabusa/releases/latest/download/hayabusa-linux-x64.zip
unzip hayabusa-linux-x64.zip

Usage:

# Analyze a single event log file
./hayabusa -f /path/to/security.evtx

# Analyze a directory of event logs
./hayabusa -d /path/to/logs/

# Use a custom set of Sigma rules
./hayabusa -d /path/to/logs/ -r /path/to/rules/

Suzaku: Timeline Analysis

Suzaku is a tool for creating and analyzing timelines from various forensic artifacts, including event logs, file system data, and memory dumps.

Key Features:

  • Artifact Aggregation: Combines data from multiple sources into a single timeline.
  • Timeline Visualization: Provides tools for visualizing and filtering the timeline.
  • Extensible: Can be extended to support new artifact types.
  • Collaboration: Designed to support collaborative investigations.

Installation:

# (Note: Specific installation instructions will be available in the official repository)

# Example installation (replace with actual commands)
git clone https://github.com/nttdata-security/suzaku.git
cd suzaku
pip install -r requirements.txt

Usage:

# Example usage (replace with actual commands)

# Create a new timeline from a directory of artifacts
python suzaku.py create --artifacts /path/to/artifacts/ --output my_timeline.db

# Analyze an existing timeline
python suzaku.py analyze --timeline my_timeline.db

Common DFIR Workflow

  1. Collect Artifacts: Gather event logs, file system data, and other artifacts from the compromised system.
  2. Analyze Event Logs: Use Hayabusa to quickly analyze the event logs and identify suspicious activity.
  3. Create Timeline: Use Suzaku to create a comprehensive timeline of events from all collected artifacts.
  4. Analyze Timeline: Use Suzaku's analysis tools to investigate the timeline and reconstruct the attack.
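
The Hayabusa usage above ends with a detections file; the next thing an analyst wants is a quick severity-ranked view of it before building the timeline (step 2 of the workflow). The following is an added example, not code from this page or from the Hayabusa project: it reads JSON-lines detections and triages them. The field names (Timestamp, Computer, Level, RuleTitle) and the level values are assumed to match Hayabusa's JSON output, and the sample lines are constructed.

```python
import json
from collections import Counter

# Severity order assumed for Hayabusa's Level field (lowest to highest).
LEVEL_RANK = {"info": 0, "low": 1, "med": 2, "high": 3, "crit": 4}

# Constructed sample of JSON-lines detections (not real Hayabusa output).
SAMPLE_JSONL = """\
{"Timestamp": "2025-08-06 10:02:11.000 +00:00", "Computer": "WS01", "Channel": "Sec", "EventID": 4624, "Level": "info", "RuleTitle": "Logon (Network)"}
{"Timestamp": "2025-08-06 10:05:47.000 +00:00", "Computer": "WS01", "Channel": "Sec", "EventID": 4720, "Level": "high", "RuleTitle": "User Account Created"}
{"Timestamp": "2025-08-06 10:01:03.000 +00:00", "Computer": "DC01", "Channel": "Sec", "EventID": 1102, "Level": "crit", "RuleTitle": "Security Log Cleared"}
{"Timestamp": "2025-08-06 10:07:30.000 +00:00", "Computer": "WS01", "Channel": "Sec", "EventID": 4688, "Level": "med", "RuleTitle": "Suspicious Process Creation"}
this line is not json and should be skipped
"""

def parse_detections(text):
    """Parse JSON-lines output; blank or malformed lines are skipped, not fatal."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rows.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return rows

def triage(rows, min_level="med"):
    """Keep detections at or above min_level, sorted by severity (desc) then time."""
    floor = LEVEL_RANK[min_level]
    kept = [r for r in rows if LEVEL_RANK.get(r.get("Level", "info"), 0) >= floor]
    kept.sort(key=lambda r: (-LEVEL_RANK.get(r["Level"], 0), r["Timestamp"]))
    return kept

def summarize(rows):
    """Counts per level and per computer for a first look at the detections."""
    return {
        "by_level": dict(Counter(r.get("Level", "info") for r in rows)),
        "by_computer": dict(Counter(r.get("Computer", "?") for r in rows)),
    }

if __name__ == "__main__":
    rows = parse_detections(SAMPLE_JSONL)
    print(summarize(rows))
    for r in triage(rows):
        print(r["Level"], r["Timestamp"], r["Computer"], r["RuleTitle"])
```

To run it on real output, replace SAMPLE_JSONL with the contents of the Hayabusa JSON-lines results file.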

Additional Resources