In 2008 Flo Rida had a song "Low" featuring T-Pain with a line "Boots with da fur" which my family loved belting out whenever we heard it on the radio. This blog article has nothing to do with getting your club on. Rather, DFIR (Digital Forensics and Incident Response), pronounced Dee-FUR, just reminded me of it. DFIR has a significant place in cybersecurity competitions. Digital forensics makes up a large portion of many of the California and national competitions, so having the right tools for the job makes all the difference. Some bright students I've been mentoring have asked, "What OS do you recommend for DFIR?" My default response is typically Kali Linux, but I wanted to take a deeper look into SANS' SIFT Workstation.
If you found yourself accidentally, or intentionally, reading my earlier blog postings, you'll have noted that many of these high school and middle school competitions require competitors to use open source and freely available software. This was another reason why this was a great opportunity to revisit and try out SANS' SIFT Workstation. This Ubuntu-based distribution (Ubuntu itself derives from Debian Linux) was developed, and is maintained, by a formidable training group, SANS, and its very own Rob T Lee. It features automatic updates and a plethora of free and frequently updated tools for Digital Forensics and Incident Response. Learning to use these tools is a topic for other blog postings; this one discusses getting the most recent version of a great DFIR tool installed and working on this OS build. There are a lot of DFIR tools and operating systems available for use. A small sampling of them includes Linux
Get your SIFTv3 workstation image/installation and update/upgrade it

I'll assume you're familiar with obtaining a virtual image of SIFT and getting it installed. I'll use VirtualBox for my blog, as it's free and feature-rich. You can download a pre-configured SIFT workstation as a virtual machine in OVA format at https://digital-forensics.sans.org/community/downloads under the section "Download SIFT Workstation VM Appliance". After you get your workstation up and running (there are other tutorials for that), update it through its built-in updater, or open a shell/terminal window and type

sudo apt-get update && sudo apt-get upgrade

to bring the build up to date. After this, there are only a few other steps to install the Java version required to support TSK and Autopsy 4+.

Installing testdisk for photorec functionality

Note that I did not find this necessary for versions 4.6 or 4.7 of Autopsy; however, it can't hurt for you to test. Enter into a shell the command:

sudo apt-get install testdisk

Installing Java to support TSK/Autopsy 4+

After you've updated the operating system and verified that you have installed testdisk, check whether your Java version is 1.8 or higher by typing in the shell/terminal:

javac -version

Your output should show something like javac 1.8.0_171. Ensure it starts with at least version 1.8.0. If not, add Java's repository to your update sources by typing the command:

sudo add-apt-repository ppa:webupd8team/java

then update your local package lists with the command:

sudo apt-get update

and finally install the Java 8 installer with the command:

sudo apt-get install oracle-java8-installer

When installation completes (it may take one to five minutes or more), check your Java version again with the command javac -version and copy down the installation path that belongs to Java version 1.8, which the next command shows you.

Often you'll have more than one version of Java installed, so another command is required to check which version is the primary one and to show the file path where it is located. Check this with the command

sudo update-alternatives --config java

to show a list of Java installations on the system. Check that 1.8 is shown as the default/primary version with an * in its row, and copy down the path to Java 1.8, as you'll need to add that path to your environment variables. Type the command

sudo nano /etc/environment

to open the nano text editor, and add the JAVA_HOME line below (with your path) as a new line in the /etc/environment file. Note that you only need to include the path up to /java-8-oracle.

JAVA_HOME="/usr/lib/jvm/java-8-oracle"

Press CTRL+X to exit, and when asked, save the changes. Reload your environment variables with the command

source /etc/environment

then verify the variable shows the correct path by running the command echo $JAVA_HOME.

Note: these installation instructions come from the article https://medium.com/coderscorner/installing-oracle-java-8-in-ubuntu-16-10-845507b13343, which you can visit for more details.

Getting and installing the latest version of The Sleuth Kit and Autopsy

Visit https://github.com/sleuthkit/sleuthkit/releases and download the latest version of the .deb package, typically named something like sleuthkit-java_4.6.1-1_amd64.deb. Then install this Debian package of The Sleuth Kit by running the command

sudo apt install ./sleuthkit-java_4.6.1-1_amd64.deb

Now that we have the latest version of The Sleuth Kit, go download the latest version of Autopsy. It will typically be released as a zip file at https://github.com/sleuthkit/autopsy/releases and be named something like autopsy-4.7.0.zip.
Create a directory for Autopsy wherever you prefer

mkdir autopsy-4.7.0

and then unzip the file you downloaded there

unzip autopsy-4.7.0.zip

Finally, run the setup script in that directory

sudo sh unix_setup.sh

If everything is in order, you'll have a working version of Autopsy and The Sleuth Kit. You may run Autopsy by changing to the 'bin' directory in the Autopsy folder you created and then typing the command ./autopsy

Summary

With a recent working version of The Sleuth Kit and Autopsy on SIFTv3 you have many of the tools competitions require for DFIR tasks. There are many things you won't be able to do without additional work, for example extracting specific registry keys and values from forensic images. Fortunately Autopsy includes a modular framework which supports both Java and Python, and the community has created many of these tools for us; check them out at https://wiki.sleuthkit.org/index.php?title=Autopsy_3rd_Party_Modules

Today's digital forensic investigators benefit greatly from the ease with which tools, and the maintenance of them, are handled by an operating system such as SANS' SIFT Workstation. Combined with great open source tools like The Sleuth Kit and Autopsy, the hardest part is now learning how to investigate: for example, discovering where you need to look, what information you need to look for, and how to get it. I found one great resource shared by a student at Cal Poly's California Cyber Innovation Challenge website which discusses analyzing Windows 7-10 and Android operating systems. The papers there contain great tutorials and basic training. Visit the Cal Poly California Cyber Innovation Challenge site at https://cci.calpoly.edu/events/ccic and review their awesome site and the downloadable material at https://cci.calpoly.edu/events/ccic/2018-df-downloads

Happy hunting, and many thanks to Cal Poly, The Sleuth Kit and Autopsy developers, and SANS Digital Forensics!
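Pulling the steps above together, here is an added shell script (it is not from the original post and not part of SIFT, Sleuth Kit or Autopsy). It wraps the post's commands in one install function and adds the checks a practitioner wants before trusting them: it parses javac -version to confirm 1.8 or newer, picks the *-marked row out of update-alternatives output to build the JAVA_HOME line for /etc/environment, and compares the downloaded .deb against a SHA-256 you took from the release page before handing it to apt with root rights. The package file names, the helper function names and the SAMPLE_ALTERNATIVES text are this example's own constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the post or from the SIFT/Sleuth Kit/Autopsy projects.
# Package names below are placeholders; substitute the releases you actually downloaded.

# Constructed sample of what "sudo update-alternatives --config java" prints.
# The row marked with * is the current default, which is the path the post says to copy.
SAMPLE_ALTERNATIVES='There are 2 choices for the alternative java (providing /usr/bin/java).

  Selection    Path                                            Priority   Status
------------------------------------------------------------
* 0            /usr/lib/jvm/java-8-oracle/jre/bin/java          1081      auto mode
  1            /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java   1071      manual mode
  2            /usr/lib/jvm/java-8-oracle/jre/bin/java          1081      manual mode'

# Succeeds when a "javac -version" line reports 1.8 or newer. Java 8 and older
# print "javac 1.x.y"; Java 9+ print "javac 11.0.2" style, so any major > 1 passes.
java_is_recent_enough() {
    major=$(printf '%s' "$1" | sed -n 's/^javac \([0-9][0-9]*\).*/\1/p')
    minor=$(printf '%s' "$1" | sed -n 's/^javac [0-9][0-9]*\.\([0-9][0-9]*\).*/\1/p')
    if [ -z "$major" ]; then
        return 1                       # not a javac version line at all (e.g. "command not found")
    elif [ "$major" -gt 1 ]; then
        return 0
    else
        [ "${minor:-0}" -ge 8 ]
    fi
}

# Print the path from the *-marked row of update-alternatives output read on stdin.
selected_java_path() {
    awk '$1 == "*" { print $3; exit }'
}

# Strip the binary suffix: /usr/lib/jvm/java-8-oracle/jre/bin/java -> /usr/lib/jvm/java-8-oracle,
# which is the value the post puts in /etc/environment.
java_home_from_binary() {
    printf '%s\n' "$1" | sed -e 's|/jre/bin/java$||' -e 's|/bin/java$||'
}

# Build the JAVA_HOME="..." line for /etc/environment from update-alternatives output.
java_home_line() {
    bin=$(printf '%s\n' "$1" | selected_java_path)
    printf 'JAVA_HOME="%s"\n' "$(java_home_from_binary "$bin")"
}

# Compare a downloaded file against the SHA-256 obtained from the release page,
# so a corrupted or tampered package is never passed to "apt install".
verify_sha256() {
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# The install procedure from the post. Runs only when invoked as:
#   sh sift-dfir-setup.sh install sleuthkit-java_4.6.1-1_amd64.deb autopsy-4.7.0.zip [deb-sha256]
install_tsk_and_autopsy() {
    deb=$1; zip=$2; deb_sum=${3:-}
    sudo apt-get update && sudo apt-get upgrade -y
    sudo apt-get install -y testdisk
    # javac 8 prints its version on stderr, so merge both streams before checking.
    if ! java_is_recent_enough "$(javac -version 2>&1)"; then
        sudo add-apt-repository -y ppa:webupd8team/java
        sudo apt-get update
        sudo apt-get install -y oracle-java8-installer
    fi
    # readlink -f follows /usr/bin/java -> /etc/alternatives/java -> the real installation.
    home=$(java_home_from_binary "$(readlink -f "$(command -v java)")")
    grep -q '^JAVA_HOME=' /etc/environment || \
        printf 'JAVA_HOME="%s"\n' "$home" | sudo tee -a /etc/environment >/dev/null
    if [ -n "$deb_sum" ]; then
        verify_sha256 "$deb" "$deb_sum" || { echo "checksum mismatch for $deb" >&2; return 1; }
    fi
    sudo apt install "./$deb"
    dir=$(basename "$zip" .zip)
    mkdir -p "$dir" && unzip -q "$zip" -d "$dir"
    # The zip may or may not carry its own top-level folder, so locate the setup script.
    setup=$(find "$dir" -name unix_setup.sh | head -n 1)
    (cd "$(dirname "$setup")" && sudo sh unix_setup.sh)
    echo "Done. Start Autopsy with: $(dirname "$setup")/bin/autopsy"
}

case "${1:-}" in
    install) install_tsk_and_autopsy "$2" "$3" "${4:-}" ;;
esac
```

Run it with no arguments and it only defines the helpers, which is convenient for sourcing them into a shell to test the version and JAVA_HOME parsing against your own system's output before touching anything. The version check is deliberately tolerant of Java 9+ version strings, so the same script keeps working if the SIFT image already ships a newer JDK and the PPA step is skipped.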
Author: I am a Doctoral Scholar at Colorado Technical University and a graduate of the Cyber Security Operations and Leadership program from the University of San Diego. I work in cybersecurity, and have accumulated twenty years in the IT industry. There are few IT roles I have not performed, which gives me great insights into making sense of all the IT confusion.