In my time in infosec I've had the privilege to work on awesome teams, projects and operational roles and gained skills that have served me well in my career. Though I'm not even close to a virtuoso or expert, I'd like to give something back to the community in the form of write-ups for commonly available forensic practice materials. In general I find that there is far more training material available for offensive security (CTFs, "boot2root" VMs, etc.) than for DFIR. That said: Let's Go!
This is the first post in a series where we will walk through forensic practice materials. I will introduce process, tools, and try to show multiple ways to accomplish an objective. I know when I was getting started in this field I would use the practice images/memory dumps/pcaps/etc but not exercise an effective process (which can create bad habits), and as a result I didn't get the most out of the exercises.
Part 1: Create Free and Open Source VM Lab for Forensic Analysis
We will be using only free and/or open source tools in this series; the one non-free requirement will be a Windows license to be used in a VM (Win 10 Enterprise Trial here if needed).
This series will assume you have a Windows, Linux or Mac OSX laptop with at least 8GB of RAM, a processor from the last 5 years, and 100GB of free disk space. VMware Player, Fusion, or Workstation (depending on platform and licensing) needs to be installed. These exercises can also work just fine in VirtualBox, though additional configuration may be needed. I'll try to assume as little as possible about DFIR knowledge but I will assume basic OS and infosec knowledge.
VM 1: SIFT Workstation
SANS does an excellent job maintaining a Linux forensics environment free of charge; we would be downright ungrateful not to use this toolbox. Thanks SANS. This distribution is offered as a VMware image, or as a post-install script for Ubuntu 14.04. It's up to you which way you'd like to install SIFT.
Download link: https://digital-forensics.sans.org/community/downloads
Documentation: https://sift.readthedocs.org/en/latest/
YouTube Series: https://www.youtube.com/playlist?list=PL60DFAE759FCDF36A
How to mount images: https://digital-forensics.sans.org/blog/2011/11/28/digital-forensic-sifting-mounting-ewf-or-e01-evidence-image-files
This is a fairly complete DFIR toolset, in the same way that Kali Linux is a fairly complete offensive toolset. We will add another set of malware analysis tools from Lenny Zeltser's Remnux distribution with the following command:
wget --quiet -O - https://remnux.org/get-remnux.sh | sudo bash
(Didn't your mother tell you not to pipe HTTP output to a root shell? She didn't? Ok, should be fine then :-)
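The joke above hides the one check worth making before you pipe a remote script into a root shell: fetch it to disk first, read it, and pin its hash so later rebuilds of the lab run the same script you reviewed. The snippet below is an added example (my own, not from the post, the SIFT project or REMnux); the expected hash is a placeholder because the post publishes none, and `sudo bash` on the saved file is exactly what the one-liner does anyway.

```shell
#!/bin/sh
# Added example: download an install script, pin its SHA-256, and only then run it as root.
# EXPECTED_SHA256 is a PLACEHOLDER: record the digest you observed after reading the script
# once, and compare against it on every later lab rebuild.

REMNUX_URL="https://remnux.org/get-remnux.sh"
EXPECTED_SHA256="REPLACE_WITH_HASH_YOU_RECORDED_AFTER_REVIEW"   # placeholder, not a real digest

# sha256_of FILE -> hex digest on stdout (sha256sum on Linux, shasum on macOS)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_script FILE EXPECTED -> exit status 0 only when the file's digest matches EXPECTED
verify_script() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# fetch_and_run URL EXPECTED: download to a temp file, verify the digest, then run with sudo.
# A mismatch (changed script, tampered download) prints both digests and refuses to run.
fetch_and_run() {
    tmp=$(mktemp) || return 1
    wget --quiet -O "$tmp" "$1" || { rm -f "$tmp"; return 1; }
    if verify_script "$tmp" "$2"; then
        sudo bash "$tmp"
        rc=$?
    else
        echo "hash mismatch for $1: got $(sha256_of "$tmp"), expected $2; not running" >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Usage, once you have read the script and pinned its hash:
# fetch_and_run "$REMNUX_URL" "$EXPECTED_SHA256"
```

On the first run, download with `wget -O get-remnux.sh "$REMNUX_URL"`, read it, and paste the output of `sha256_of get-remnux.sh` into `EXPECTED_SHA256`; from then on the wrapper refuses to execute anything that differs from what you reviewed.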
Update the box:
sudo apt-get update && sudo apt-get upgrade
Take a "Fresh Install SIFT + Remnux" snapshot of this VM before proceeding.
VM 2: Windows Forensics
A mentor once told me "if you're hacking/forensicating Windows, use Windows. If you're hacking/forensicating Linux, use Linux." and while I often use a *nix environment for everything I can, I think there is an element of truth to his sentiment. While performing many forensics tasks in SIFT is excellent, there are certain tasks that are simply better suited to a Windows environment. My personal ideal environment is my MacBook Pro host with Linux and Windows VMs for analysis.
Install and update a vanilla Windows 7 or 10 virtual machine. Don't install antivirus or other security tools that may stomp on our evidence. Update the system using Windows Update and take a clean "Fresh Install" snapshot of this box.
Unlike SIFT, we are going to need to download and install quite a few tools on this system to make it useful for DFIR. This list is far from comprehensive; these are just the tools I can foresee us needing for the practice scenarios.
Forensics Tools:
Autopsy 4.0 - Forensics suite built on The Sleuth Kit (by Brian Carrier) with the addition of a nice GUI. Of the tools we'll be using in this series, this is the one most similar to the EnCase or FTK suites.
FTK Imager - This free tool from AccessData can be used to mount common image formats, create images, create filesystem timelines ("Directory Listing" feature), and even dump memory from a host.
RegRipper - Excellent Windows Registry analysis framework from Harlan Carvey. This tool dramatically simplifies our analysis of common registry artifacts.
Registry Explorer - Another Registry hive viewer, from Eric Zimmerman. This is essentially a replacement for regedit that allows easy access to common evidence and the all-important last write timestamps.
ShellBags Explorer - Another from Eric Z. At its simplest: ShellBags are an artifact that allows us to enumerate which folders a user viewed in Windows Explorer. View more here on the SANS blog.
MFT Parser - Redwolf Forensics free tool for processing, filtering and analyzing the master file table.
Bulk Extractor - Excellent simple tool that can scan any file(s) for significant artifacts and their frequency (image, pcap, memory dump, etc).
Volatility - Plugin based memory analysis framework. Many analysts are using the Rekall framework now, but I haven't switched. We will install both and I'll be exploring the strengths and weaknesses of both as we go.
Rekall Framework - Rekall was originally a fork of Volatility, and now likely has very little of the original code. The Google team has added many features, including remote live response for OSX when used in conjunction with GRR (very cool!).
Mandiant Redline - Mandiant's free incident response tool. It provides user-configurable collection scripts that can be run on a victim system; the output is then analyzed in the Redline console. Some memory analysis operations are more convenient in this GUI than in the CLI tools.
Sysinternals Suite - Mark Russinovich rocks. Sysinternals is a must have on any Windows box and is vital for live response.
PEstudio - Malware analysis isn't the focus of this series, however PEstudio is a simple-to-use, all-in-one PE triage tool that will come in handy.
Network Tools:
Wireshark - Core pcap capture and analysis tool.
NetworkMiner - Useful tool for extracting files from a pcap and finding the significance of different objects in a pcap. Generally a good second view after Wireshark.
General:
Notepad++ - Excellent general-purpose text editor. Replace with your choice if desired.
HxD - Hex editor. Replace with your choice if desired.
7zip - Swiss army knife compression tool.
Firefox + TamperData + Firebug + NoScript + uBlock Origin + Privacy Badger, OR the Chrome equivalent - Browser with security and analysis tools. Replace with your favored browser setup if desired.
Python - Sometimes it's best to just code our own tool.
Whew.. Now take an "All Tools Installed" snapshot of this VM!
Configuration Notes
- SIFT Workstation creates /cases and /mnt shares, which are exported via Samba by default with no authentication. Mount these shares in your Windows VM and your host OS to allow easy sharing of mounted images and case evidence between all systems.
- Configure both VMs with a "NAT" network interface. This ensures that your (extremely open) SIFT workstation isn't exposed to the network while retaining internet and local host networking.
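The two notes above go together: the shares are open, so they should only ever be mounted across the NAT-private network. The script below is an added example (mine, not SIFT's or the post's) for the Linux or Mac host side. It refuses to mount unless the SIFT address is in an RFC 1918 range, then uses guest access, which is what an unauthenticated Samba share implies; the `guest`/`smbfs` mount options, the share names and the sample address are assumptions, so check them against your own VM.

```shell
#!/bin/sh
# Added example: mount a SIFT share from a Linux or macOS host, but only when the SIFT VM
# sits on a private (NAT) address. Share names and mount options are assumptions.

# valid_ipv4 ADDR -> 0 if ADDR is four dotted decimal octets, each 0-255
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# is_rfc1918 ADDR -> 0 if ADDR is in 10/8, 172.16/12 or 192.168/16
is_rfc1918() {
    valid_ipv4 "$1" || return 1
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# mount_sift_share SIFT_IP SHARE MOUNTPOINT
# Refuses non-private addresses because the share has no authentication at all.
mount_sift_share() {
    ip=$1; share=$2; mnt=$3
    if ! is_rfc1918 "$ip"; then
        echo "refusing: $ip is not a private (NAT) address and the SIFT shares are unauthenticated" >&2
        return 1
    fi
    mkdir -p "$mnt" || return 1
    case "$(uname -s)" in
        Darwin) mount -t smbfs "//guest@$ip/$share" "$mnt" ;;                      # assumed guest syntax
        Linux)  sudo mount -t cifs "//$ip/$share" "$mnt" -o guest,uid="$(id -u)" ;; # mount.cifs guest option
        *)      echo "unsupported host OS: $(uname -s)" >&2; return 1 ;;
    esac
}

# Usage from the host (constructed sample address; read yours from 'ip addr' inside SIFT):
# mount_sift_share 192.168.56.10 cases "$HOME/sift-cases"
# On the Windows VM the equivalent is:  net use Z: \\192.168.56.10\cases
```

The address check is the defender's side of the "NAT only" note: if SIFT ever ends up bridged onto a real LAN, the guest mount simply fails instead of quietly working while the evidence share is reachable by everyone on that network.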
Next Post
In my next post we will be deep diving the classic NIST "Hacking Case", a cold case (around 10 years old!) criminal investigation with a Windows XP image. We'll be able to take that case further than the authors probably even knew was possible with modern tools! Stay tuned.