Digital Forensic home lab-how-to!
I'm a growing fanatic of Digital Forensics. However, almost every "push-to-analyze" tool on the commercial market has a price tag out of range for any hobbyist like me. When I decided that Digital Forensics was a hobby for now, and absolutely my future, I began to construct my very own virtualized lab. I found that a VM network provided multiple benefits for an amateur like myself.
Pro tip: Are you a college student? Many schools offer FREE downloads of often costly OSs such as Windows 10 free via school contracts. If you have this, starting with a clean install of all the OS is a great start to building a successful lab!
Framework (suggested):
Pick a Digital Forensic suite or many!
For me, having a primary suite to operate in was my goal. I chose:
*too many tools to list! However, as a student of the field, these have been able to afford me the ability to study, investigate, and complete many investigations...never paying a fee.
Many of the tools listed above might be native to Autopsy, or your suite of choice. Additionally, Autopsy allows for user-built plugins that add many of these forms of features. I also suggest adding any NSRL database to your Autopsy download (if you have space). This can quickly provide lead directions for investigation efficiency.
I certainly did not get all the tools or even the obvious ones, so I hope this gets you started, Please comment below if you have any thoughts on this subject!
I'm a growing fanatic of Digital Forensics. However, almost every "push-to-analyze" tool on the commercial market has a price tag out of range for any hobbyist like me. When I decided that Digital Forensics was a hobby for now, and absolutely my future, I began to construct my very own virtualized lab. I found that a VM network provided multiple benefits for an amateur like myself.
- A space to collect. I download and continue to download a plethora of freeware/open-source tools that I might never use.
- Safety to download, install, and use without compromise on my local machine.
- Choice of more than one environment use. I have a working SANS SIFT machine and a custom Windows environment I switch back and forth to.
- A place to practice. Sometimes, testing tools like Mimikatz will wreak havoc on a local firewall. I would never suggest modifying a local machine's firewall simply to allow a single tool to function. The cascading effects might minimize your security stance over time.
- Portable. A virtualized machine can be hosted in the cloud or even moved to a new host machine, keeping your home machine safe from all your forensics fun!
Build your VM lab! (this environment will focus on a Windows framework suggestion)
I won't go deep into deploying a virtual environment. Multiple resources exist on how to utilize Virtualbox as a VM environment. So simply obtain your .iso of choice and follow the instructions, setting your custom settings for each .iso.
Pro tip: Are you a college student? Many schools offer FREE downloads of often costly OSs such as Windows 10 free via school contracts. If you have this, starting with a clean install of all the OS is a great start to building a successful lab!
Framework (suggested):
- Pick a primary analysis suite, or adopt a distributed tool technique (multiple tools for evaluation of each aspect of your investigation).
- Build folders to hold forensic programs. With the plethora of tools at your desposal and the multitude of software names, matching programs to a goal are key. i.e "OSTviewer" might go into an "e-mail processing" folder. Many programs do not "install" onto the local machine, therefore relying on your start menu might not be a best practice.
- Ensure your VM internet connection is "bridged" to your local network. You want this environment function as if it was your primary machine. If you cannot download, install, or communicate with your home network, refer back to your VM install guide and look under "bridge network connection".
- Create an initial configuration snapshot PRIOR to installing forensics software. Build you VM, update the OS, get it ready for use...then snapshot! As a best practice, snapshot your machine to an initial configuration. Knowing you can safely revert will improve your confidence in exploring the many tools available to you, even if you chose less...forensically tested...options.
So now I will just simply list tools for your consideration. I won't bother you with my opinion or example use of these tools, as they are all very well documented. Using the framework above, using the tools listed below should allow you start any case completely FREE!
For me, having a primary suite to operate in was my goal. I chose:
- Sleuthkit/Autopsy suite.
- NirLauncher. (A distributed, yet collected suite...an INSTITUTION!)
Image Capture:
Browser Analysis:
Registry Analysis:
File Analysis:
Network (PCAP) Analysis:
- Wireshark
- Network Miner
- Grass Marlin
Memory Analysis:
Many of the tools listed above might be native to Autopsy, or your suite of choice. Additionally, Autopsy allows for user-built plugins that add many of these forms of features. I also suggest adding any NSRL database to your Autopsy download (if you have space). This can quickly provide lead directions for investigation efficiency.
I certainly did not get all the tools or even the obvious ones, so I hope this gets you started, Please comment below if you have any thoughts on this subject!
Comments
Post a Comment