December 8, 2014

Setting Up My Forensic Lab

I have finally bowed to the pressure of my good friend Kev and now have a server! I must point out that it is his old server and through his immense generosity now my new server! Thanks Kev 🙂

The server is an old IBM X3455:

  • 4 CPUs x 2.593 GHz
  • Dual Core AMD Opteron Processor 2218
  • Running ESXi 5.1.0
  • 12 GB of RAM

It only has a 500 GB drive to hold the OS and the datastore, which is more than enough for my initial testing needs. The VM infrastructure makes it easy to deploy VMs that I can use to generate a variety of forensic scenarios and artefacts that I can use to develop my DFIR skills.

Eventually I will also be using it to develop python applications, Honeypots, Malware RE, IDS and many more interesting research projects which I am sure will be the subject of future blog posts.

I have set the server up in my garage, which presented me with my first problem: connectivity to my home network. Thankfully technology, as always, has the answer: Ethernet over Power adapters. Luckily I live in a new build home, so I had faith that the power lines would be clean and allow me this option. Again I relied on the generosity of a friend, who has lent me a pair of TP-Link TL-PA211KIT AV200 Nano 200Mbps Powerline Adapters.


I will initially be using these adaptors but plan to upgrade to a pair of 500Mbps adaptors in the new year. The main benefit of using these adaptors is that my very patient wife will appreciate the noisy server being located elsewhere, and as we all know, ‘A happy wife is a happy life’ 🙂

Administering the server is initially done remotely via the vSphere client; from there I can use VMware Workstation to run and deploy virtual machines. The web interface doesn’t seem to be available on the free ESXi license.

The server is equipped with 2 x NICs and I set up the following network:

VM Network Topology

I have opted to start with a simple network configuration.

  • A main management network that will hold my development / research machines.
  • An isolated network on which I can deploy malware and other nasty things without affecting my home network.
  • And eventually, with the introduction of a second router/firewall, I hope to add a live ‘controlled’ malware network that will allow for external C2 traffic.
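The first two networks in that list map onto two standard vSwitches on the ESXi host: one with a physical uplink to the home LAN, and one that is deliberately never given an uplink, so guests on it can only talk to each other. The script below is an added example (it is not from the original post): it builds that layout with esxcli and includes a check that reads the output of `esxcli network vswitch standard list` and confirms the isolated switch really has no uplink. The switch, port-group and vmnic names (vSwitch1, "Isolated", "Research", vmnic0) are assumptions, and the sample list output is constructed for the demo.

```shell
#!/bin/sh
# Added example, not the post's own configuration. Builds a management
# vSwitch with a physical uplink and an isolated vSwitch with no uplink,
# then verifies the isolation from 'esxcli network vswitch standard list'.
# Names (vSwitch1, Research, Isolated, vmnic0) are assumptions.
# Set ESXCLI=echo to print the commands instead of running them (dry run).
ESXCLI="${ESXCLI:-esxcli}"

build_lab_networks() {
    mgmt_nic="${1:-vmnic0}"     # assumed physical NIC towards the home LAN
    iso_switch="${2:-vSwitch1}" # assumed name of the isolated switch

    # Management / research network: reachable from the home LAN via a physical NIC.
    $ESXCLI network vswitch standard uplink add --uplink-name="$mgmt_nic" --vswitch-name=vSwitch0
    $ESXCLI network vswitch standard portgroup add --portgroup-name=Research --vswitch-name=vSwitch0

    # Isolated network: a vSwitch that never gets an uplink, so malware VMs on it
    # cannot reach the home network or the internet.
    $ESXCLI network vswitch standard add --vswitch-name="$iso_switch"
    $ESXCLI network vswitch standard portgroup add --portgroup-name=Isolated --vswitch-name="$iso_switch"
    # Allow promiscuous mode so a sniffer/IDS VM on the isolated switch sees all traffic.
    $ESXCLI network vswitch standard policy security set --vswitch-name="$iso_switch" --allow-promiscuous=true
}

# Reads 'esxcli network vswitch standard list' output on stdin and prints the
# uplinks of the named switch. Empty output means the switch is isolated.
switch_uplinks() {
    awk -v sw="$1" '
        /^[^ ]/ { cur = $0 }                 # unindented line = switch name
        cur == sw && /^ *Uplinks:/ {
            sub(/^ *Uplinks: */, ""); print; exit
        }'
}

# Returns 0 when the named switch has no uplink, 1 otherwise.
assert_isolated() {
    uplinks=$(switch_uplinks "$1")
    [ -z "$uplinks" ]
}

# Constructed sample of the list output (layout as on ESXi 5.x, trimmed).
SAMPLE_LIST='vSwitch0
   Name: vSwitch0
   Class: etherswitch
   Num Ports: 128
   Used Ports: 4
   Uplinks: vmnic0
   Portgroups: Research, Management Network

vSwitch1
   Name: vSwitch1
   Class: etherswitch
   Num Ports: 128
   Used Ports: 2
   Uplinks: 
   Portgroups: Isolated'

# Usage: sh lab-net.sh demo   (dry run against the constructed sample)
if [ "${1:-}" = "demo" ]; then
    ESXCLI=echo
    build_lab_networks
    printf '%s\n' "$SAMPLE_LIST" | assert_isolated vSwitch1 && echo "vSwitch1 is isolated"
    printf '%s\n' "$SAMPLE_LIST" | assert_isolated vSwitch0 || echo "vSwitch0 has an uplink (expected)"
fi
```

On the real host the check would be run as `esxcli network vswitch standard list | assert_isolated vSwitch1` after every change to the networking, and it is worth re-running it after restoring a VM snapshot or editing a port group in the vSphere client, since a single accidental uplink on the isolated switch connects the malware network straight to the home LAN.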

Currently I have setup 4 VMs on the server:

  • Kali Linux installation
  • Python_Dev, a clean Ubuntu 14.04 server
  • Windows 7 32 bit
  • SIFT 3 on an Ubuntu desktop installation

I am currently still tweaking my setup and have taken snapshots of each VM when completed before I start messing with things and breaking them.

As a test I used EnCase on my analysis workstation and created a Windows servlet which I placed on the Windows 7 VM. Initially I ran into connection problems because EnCase reported ‘Could not connect to any network device’. My first thought was this may be due to the firewall on the VM, so I turned that off but was still presented with the error. It then occurred to me that I had not used the servlet in quite some time and there had been updates to EnCase in that time, so I decided to create a new encryption key pair within EnCase and a new servlet. This of course worked immediately 🙂 The moral of the story for me is that I will start afresh each time!

For me this is a good initial server setup and a nice network for me to develop and learn on before I expand its resources. I am always open to advice and suggestions as there are some very skilled and knowledgeable people out there in DFIRland, who have the same collaboration ethos as me and I hope to learn from them.

I want to again give my personal thanks to Kev who has been a massive help on my DFIR journey and really helped me to the point where I find myself now.