Building a DFIR Analysis Fort

September 24, 2020 Guidance, Tips for Muggles
23,446 views
Reading Time: 6 minutes

Building a DFIR Fort Kickass

A not so original approach to a modern analyst workstation. What is a Fort Kickass?

Courtesy of https://vignette.wikia.nocookie.net/archer/images/8/8e/Fort_kickass.JPG/

Approach to Learning

These instructions will not be step by step by step. Posts like that never age well due to the pace at which the material changes. Instead, this post is a guide for you to learn how to do this on your own (it’s still practically step by step). You will need to watch some YouTube videos linked below and follow some vendor instructions. You got this.

Learning Objectives

  • Understand how to deploy and use Virtual Machines
  • Learn how to save and load Snapshots
  • Move files from the Host to the Guest
    • Host: Your bare metal machine
    • Guest: The Operating System running in a Virtual Machine
  • Understand what SANS SIFT and REMnux do for the analyst
  • Understand the need for a Windows Analyst VM

Virtual Machines

Use virtual machines. You will be touching malware during lab exercises on this site as well during actual Incident Response. Don’t be the person who infected your network with malware you were examining. Virtual machines are simulated machines inside your machine. You need a simulator, known as a hypervisor, to run these ‘machines’. Two of the easiest and most popular are Virtualbox and VMware Workstation. Both VMware Player and Virtualbox are FREE! VMware Workstation Pro is the best of the bunch and keys can be purchased cheaply from second hand sellers. VMware is orders of magnitude better than Virtualbox.

Snapshots

Snapshots are ‘saved states’ of Virtual Machines. It is always a good idea to take a snapshot when you get a new machine up and running. It is an even better idea to take them periodically; especially just before doing something with malware.

  • Do not do DFIR on your host machine
  • Take Snapshots often

The Build

  • Create a free account at sans.org.
  • Grab a copy of the SANS SIFT VM.
  • Import the VM into your Hypervisor (VMware or Virtualbox)
  • Run a SIFT Update
  • Add REMnux
  • Run a REMnux Update

NOTE: A good practice is to ensure these machines are living in a private network. The Network selected for these VM’s should be something like ‘NAT’ or ‘Host Only’. It is highly recommended you DO NOT bridge these machines to your home or production network. This is to help ensure that any malware you might trigger doesn’t escape into a network you want to keep safe!

The Idea

SANS is the global leader on Digital Forensics and Incident Response training. They have top tier talent doing the instructing and many of the faculty there give back to the community through tool development and projects like SIFT. SIFT is a turn-key DFIR Analyst workstation maintained by dedicated folks in the industry. It comes preloaded with just about every tool an analyst could want. REMnux is a malware reverse engineering workstation maintained by Lenny Zeltser and his team. It has just about every tool a Malware Analyst could want. The objective here will be to combine these two systems into one kick ass analyst station.

Installing VMware or Virtualbox

Simply install it. To get started with Virtualbox or VMware player simply download them and install one or the other. Again, VMware Player or Workstation Pro is recommended.

Creating a SIFT + REMnux Workstation

Download SANS SIFT OVA (thats a virtual machine appliance) and import it into VMware or Virtualbox.

Video Walkthroughs from Others

Broken SIFT as of September 2020

At the time of this writing the VM found on the SANS Website is currently without the SIFT Binary. After speaking with the Dev’s on Github it seems this was an oversight. Simply download the binary and ‘install’ it by placing it in the /usr/local/bin directory. This will place it in the path of all users and thus can be called from anywhere in the OS. This, by the way, is how you make any Ubuntu 18 box a SIFT box. Run the following commands to get this done (This won’t age well so more than likely its a guide, and they’ll fix the VM soon anyhow):

Bottom line, you need SIFT 1.9.2 or better. Make sure to check their github for the latest.

From inside the SIFT VM

sudo curl -Lo /usr/local/bin/sift https://github.com/sans-dfir/sift-cli/releases/download/v1.9.2/sift-cli-linux
sudo chmod +x /usr/local/bin/sift
sudo sift upgrade

If it is still having issues – it is likely because the salt packages are being held, or apt needs to finish some upgrades. First try the apt upgrade, then unhold the packages and try the above commands again.

sudo apt-mark unhold salt*
sudo apt update && sudo apt upgrade -y

Once you have the SANS SIFT VM running, logon and update it. To update it simply run:

$ sudo sift update
$ sudo sift upgrade

Once that is complete it is time to add the REMnux workstation to this one. Follow the directions provided by the REMnux team.

Then update the REMnux Build:

$ sudo remnux update
$ sudo remnux upgrade

If it finishes with some errors after a long update you likely got everything installed that you will need. To test try running capa, floss, and vol3.

$ capa
$ floss
$ vol3

If those programs run and dump out into a help menu or error saying they need a file to examine you likely got what you needed.

The Windows VM

A rookie mistake would be to believe there is no need for Windows in the elite world of DFIR and Linux. There are a lot of amazing tools built for DFIR that only run in Windows. In fact there is a great distribution maintained by FireEye for just this purpose. Due to Window licensing the user must build the distribution out. Windows trial licenses work well for training similar what is found on this site and elsewhere. Microsoft allows for a 90 day trial of Windows 10 Enterprise. Simply download the ISO and install in a Virtual Machine. If you prefer Windows 10 Pro use a Linux OS to get an ISO from Microsoft easily here. From here you have two options: run the FLARE VM Script from FireEye, or manually install your tools. In any case ensure that you add Eric Zimmermans tools to the build.

Steps to Follow

  1. Obtain Windows 10 ISO
  2. Create Windows 10 VM
  3. Snapshot the VM
  4. Run the Flare Script (Optional)
    1. Get the script and instructions from their GitHub
  5. Install Eric Zimmerman’s Tools inside the Windows VM:
    1. Download his POSH Script from Zimmerman’s Github
    2. Unzip the file
    3. Go to the directory where the ps1 file from the Zip is installed
    4. Open a PowerShell terminal there
    5. Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
    6. Accept the risk
    7. Run it with ./Get-ZimmermanTools.ps1
    8. Accept the warning with All
    9. Set-ExecutionPolicy -ExecutionPolicy Default

VM Isolation

Both VMware and Virtualbox have settings for Isolating the VM from the Host. There are 3 main ways of sharing data between the Guests and the Hosts.

  1. Drag and Drop
  2. Cut and Paste
  3. Shared Folders

There are options for Bi-Directional or One way. The safest option is to disable all 3. The acceptable option is to have cut and paste, and drag and drop enabled. The slightly safer mod to that option is make it one way from the host to the guest. The most dangerous option is having all 3 on. You could also have all 3 off and simply use a USB between the Guest and the Host. There is always some risk. Ensure your host has adequate AntiVirus. For Windows, Defender is great. Honestly – it’s awesome. Its not 2014 anymore – it’s great. Regardless of your choice here you will need some way to get artifacts such as images into the VM for analysis.

A Note On Malware Transfers

Imagine your VM’s as a space craft and you have airlocks to transfer hazardous beings through. The captain would likely demand these beings be housed in a containment vessel (a cage) of some kind. Do yourself a solid, and transfer hazardous files in a password protected ZIPs. Most folks simply give it a password of: infected. This prevents host AV, Enterprise E-Mail AV etc. from zapping the file at best, and harming forensic evidence, or at worst infecting your host and resident network.

Courtesy Pixel empire

Final Overview

  1. Pick a hypervisor and install it.
  2. Obtain a SIFT OVA and Windows ISO
  3. Build a SIFT-REMnux Super Box in a private Virtual Network (Host Only or NAT)
  4. Build a Windows Analyst Machine with Zimmermans tools at a minimum in a private Virtual Network (Host Only or NAT)
  5. Determine how to share large files with the VM’s

 

3 Replies to “Building a DFIR Analysis Fort”

  1. democrite says:

    The link to Eriz Zimerman tool refers to Flare VM.
    Here’s the proper URL for zimmerman’ s tool : https://ericzimmerman.github.io/

  2. mike says:

    Thanks James for the very nice writeup! I was having trouble installing remnux.. This might help people running in to the same problem.

    ——————————–
    >> Running: ssh
    Update returned exit code not zero
    Error: Update returned exit code not zero
    at ChildProcess. (/snapshot/remnux-cli/remnux-cli.js:562:23)
    at ChildProcess.emit (events.js:315:20)
    at maybeClose (internal/child_process.js:1021:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:286:5)
    ——————————–

    SOLUTION (https://github.com/REMnux/remnux-cli/issues/14):
    sudo python3 -m pip install r2pipe
    sudo remnux install –mode=addon

  3. James says:

    Great write-up and easy instructions to follow along. Thanks!

Leave a Reply

Additional Resources

Archives