Autopsy Plugin - Pihole lookup
This plugin is similar to the other plugin, URLcheck. The difference is that this one uses your Pi-hole as a reference. (BE AWARE: STILL UNDER DEVELOPMENT AND TEST!)
The thought behind this plugin is to identify sites that should be investigated, or that give probable cause to dig a little deeper.
Plugin - version 1.0
SHA256 - b4755f277846a27f2cfa7160a3213d99226d1ce47c61b307bf456f8f0eba8d61
Pre-requisites
You need a Pi-hole on your network. This is pretty easy to set up.
curl -sSL https://install.pi-hole.net | bash
This command will install Pi-hole on your Ubuntu 24.04 LTS and you are up and running in a short time.
For more information on installation methods, please refer to the Pi-hole web page.
Blocklists
There are many blocklists you can incorporate into your Pi-hole:
- https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
- https://adaway.org/hosts.txt
- https://someonewhocares.org/hosts/
- https://big.oisd.nl/
- https://nsfw.oisd.nl/
- https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20AntiMalware%20List/AntiMalwareHosts.txt
- https://easylist.to/easylist/easylist.txt
- https://blocklist.sefinek.net/generated/v1/0.0.0.0/fakenews/marktron/hosts.fork.txt
- https://urlhaus.abuse.ch/downloads/hostfile/
- https://phishing.army/download/phishing_army_blocklist_extended.txt
- https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt
- https://v.firebog.net/hosts/Easyprivacy.txt
- https://v.firebog.net/hosts/Prigent-Ads.txt
- https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.2o7Net/hosts
- https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt
- https://blocklist.sefinek.net/generated/v1/0.0.0.0/hate-and-junk/developerdan/extended.fork.txt
- https://blocklist.sefinek.net/generated/v1/0.0.0.0/drugs/blocklistproject/drugs.fork.txt
- https://blocklist.sefinek.net/generated/v1/0.0.0.0/abuse/blocklistproject/hosts.fork.txt
- https://blocklist.sefinek.net/generated/v1/0.0.0.0/abuse/urlhaus.abuse.ch/hostfile.fork.txt
- https://blocklist.sefinek.net/generated/v1/0.0.0.0/scam/durablenapkin/scamblocklist.fork.txt
- https://blocklist.sefinek.net/generated/v1/0.0.0.0/dating-services/developerdan/extended.fork.txt
- https://raw.githubusercontent.com/hagezi/dns-blocklists/main/domains/pro.txt
- https://raw.githubusercontent.com/hagezi/dns-blocklists/main/hosts/pro.txt
BE AWARE: These blocklists are auto-generated by people on the internet. Use them as such. Personally I use them as a reference for my investigation and also as a flag for investigation, to validate whether there is any malicious activity to look out for.
The way it works
Start Autopsy and load your image file.
Run ingest modules, starting with the ingest module "recent history". Let that run; it will read through the browser history and produce an output.
Next, run the Pi-hole plugin and watch for the output.
How to validate?
Make a simple test domain and put it in your Pi-hole blocklist under "Domains". You can, for example, call it evildomain.local and set it to deny.
Create a virtual machine with, for example, Ubuntu Desktop, browse around the net and also visit evildomain.local.
Clone the VM to another folder and start Autopsy. Make a new case and, instead of an image, choose a VM. This will mount your image.
Do the above steps to see if you catch the domain.
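To see offline what the lookup in "The way it works" and the validation steps amount to, here is an added example (not the plugin's own code, and it does not contact Pi-hole): it parses a constructed hosts-format blocklist, as used by the lists above, and checks constructed browser-history URLs against it. The parent-domain walk is an extra triage heuristic assumed here, not a statement about how Pi-hole matches gravity entries.

```python
from urllib.parse import urlparse

# Constructed sample blocklist in hosts format (the format of the lists above).
SAMPLE_BLOCKLIST = """\
127.0.0.1 localhost
0.0.0.0 tracker.example
0.0.0.0 evildomain.local   # the test entry from the validation steps
0.0.0.0 ads.example.net
"""

# Constructed sample of URLs as the "recent history" ingest module would surface them.
SAMPLE_HISTORY = [
    "https://www.ubuntu.com/download",
    "http://evildomain.local/",
    "https://Tracker.Example:8443/pixel.gif",
    "https://cdn.ads.example.net/x.js",
    "not a url",
]

LOCAL_NOISE = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback", "0.0.0.0"}

def parse_hosts_blocklist(text):
    """Return the set of blocked domains from hosts-format text, ignoring comments and loopback names."""
    blocked = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()          # strip comment, tokenize
        if not fields:
            continue
        for name in (fields[1:] if len(fields) > 1 else fields):   # 'address domain [alias ...]'
            name = name.lower().rstrip(".")
            if name not in LOCAL_NOISE:
                blocked.add(name)
    return blocked

def check_history(history_urls, blocked, include_parents=True):
    """Map each flagged history URL to the blocklist entry it matched. Exact hostname match is the
    gravity-style check; the parent-domain walk is an extra triage heuristic assumed here, not Pi-hole's rule."""
    hits = {}
    for url in history_urls:
        host = urlparse(url).hostname                   # None for non-URLs; already lower-cased
        if not host:
            continue
        labels = host.split(".")
        candidates = [host] + ([".".join(labels[i:]) for i in range(1, len(labels) - 1)]
                               if include_parents else [])
        for cand in candidates:
            if cand in blocked:
                hits[url] = cand
                break
    return hits
```

Running check_history(SAMPLE_HISTORY, parse_hosts_blocklist(SAMPLE_BLOCKLIST)) flags the evildomain.local visit, the tracker pixel and (only via the parent walk) the ads CDN script, while the Ubuntu page and the non-URL entry are ignored.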
Have fun!
LEGAL DISCLAIMER: This software is provided "as is" for educational and investigative purposes only. This Autopsy plugin connects to an external or local Pi-hole server to verify domains and IP addresses. By using this plugin, you acknowledge that it generates network traffic which could potentially be monitored. It is the investigator's responsibility to ensure this tool is used in a manner that preserves the integrity of the investigation and complies with all applicable laws and procedures.
Use the software at your own risk!