This week I talk about threat intelligence tool Hostintel by Keith Jones.

Show Notes

In a previous episode I talked about JustMetadata, a host intelligence tool that streamlines gathering open source intelligence on domain names and ip addresses. A comparable tool for host based intelligence gathering is Hostintel by Keith Jones (

Hostintel may be installed on a Linux forensic system, such as the SANS SIFT workstation which is freely available. Once installed input your API keys in your config file and you are off the command line. Just point the tool at your text file containing your notable domain names and IP addresses and HostIntel will gather any open source information, such as if the addresses are associated with unwanted traffic, and display the results in a CSV file.

This is great tool for Incident Response triage where you may be looking to generate leads for follow-up from log files or traffic captures. For disk forensics this tool pairs well with malware triage efforts. Pulling ip addresses or domain names from a browser activity, a memory capture or unallocated space and then running the results through Hostintel may identify a malicious site that was navigated to by a user. Further analysis into such a lead may show it as the initial point of exploration where the system was compromised. This methodology may be used as a “next level” malware triage for a dead box case to answer questions about unknown malicious sites a user may have gone to.

See Keith Jone’s Youtube introduction of Hostintel:

SDF Training Class of the Week

Learn More

OS X Timestamps

Learn how to interpret OS X dates and times.
Learn More