Build Your Forensic Workstation​

Workstation Setup Instructions

1) Install a Hypervisor

For an overview of virtualization options as well as useful information regarding VirtualBox see Virtualization Primer.

1.1 Download and install a hypervisor: VirtualBox (recommended)

Note: At the time of writing, VirtualBox and others only support WSL1, which is important to consider, but OK for our purposes.

2) Install Windows Guest VM

You can find various and free Windows trial versions in the Microsoft Evaluation Center!

We recommend downloading a Windows Server 2019 VHD version, as it provides the best performance and the setup process for WSL1 is easier than with others. It’s also the quickest way to download a ready-to-go VHD, which skips the need to install the operating system from an ISO.

2.1) Download the Guest VM

a) Windows 2019 Server ISO or VHD from the Evaluation Center (VHD direct link).

b) Alternatively, you can download other versions. However, carefully read the instructions in the WSL setup section below!

• This post on the Microsoft Tech Community page contains direct links to all available ISOs for Windows 10/11 and Windows server 2019/2022

Important to note that the Windows client comes with a 90-day and Windows server with a 180-day evaluation period. There are ways to extend the period for some systems by re-arming them. 

2.2) Install a new Windows VM 

For detailed instructions see the setup guides for VirtualBox and a Windows 10 VM or a Windows 2019 Server.

1. VM requirements:
   • 100 GB disk – dynamically allocated! That way the disk is kept small and grows larger when needed. However, it can’t go beyond the initial size. So make sure to choose the right size based on the expected amount of data to be analyzed. 
   • 4+ GB RAM
   • 2 or more CPUs
   • NAT Networking Mode
   • Additionally, install VirtualBox Guest Additions and enable features such as Drag & Drop, bi-directional clipboard, and folder sharing with the host in the VMs settings.
2. Install Windows from the ISO.
3. When finished, shut down the system and create a snapshot.

3) Enable Windows Subsystem for Linux (WSL) and Install Ubuntu

As mentioned above, VirtualBox does not support WSL2. It is important to read the respective instructions carefully to set up a Ubuntu subsytem using WSL1 on your Windows VM.

a) Microsoft Installation Guide for Windows Server

• Open PowerShell as Administrator and run the following command:

Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux

• Download the Ubuntu 20.04 Distribution here
• When downloaded, rename the package from .appxbundle to .zip and extract the archive
• Install the x64.appx package contained within the archive using the following PowerShell command (as administrator!):

Add-AppxPackage .\Ubuntu_2004.4.2.0_x64.appx

• Reboot the system
• Finish the installation by opening “Ubuntu” in your Start Menu and setting up a user account when asked for it.

b) Other Windows Versions

• Windows 10/11 from ISO
  • Use the manual steps in for older versions guide to set up WSL1 on your Windows system. Do NOT upgrade to WSL2 and skip steps 2 to 5!
  • Install Ubuntu from the Microsoft store
• Windows 11 Developer VM
  • This version comes with WSL2 and Ubuntu out of the box. You need to downgrade to WSL1.

c) WSL Troubleshooting

• Do not use the new Microsoft command “wsl –install”, since this is going to install WSL2, which won’t work with VirtualBox.
• To check if you have WSL2 installed type “wsl –version” in PowerShell. It will show several options for using WSL with version 2 if you have it. Otherwise, for version 1 you will only see a limited help menu.
• If you installed WSL2, you need to downgrade to WSL1 before you can install any Linux environment: “wsl –set-default-version 1”

4) Configure the Windows Environment

1. Set the time zone to UTC – important!
   • This is a general best practice for conducting forensic analysis and ensures a standard time zone is being used across all tools. It also helps to correlate events that possibly happened across different time zones or where the origin is not clear. 
2. Configure Windows Explorer to show hidden files. This enables viewing file types that a relevant in forensic analysis such as NTFS metadata, etc.
   • Open File Explorer -> View -> check “Hidden items” and “File name extensions”.
3. Create a “C:\Cases” and a “C:\Tools” folder for evidence data and tools respectively.
   • Having your folders in the root of your file system saves you from typing long paths on the command line when using them. You may also want to add a shortcut to your Desktop. 
4. Configure Microsoft Defender to avoid interference with evidence or tools.
   • Open Virus & threat protection settings.
   • Disable Defender’s “Real-time protection” when needed for a temporary period of time. If you want to permanently turn off real-time protection you need to disable it via GPO as described in the next section.
   • Disable “Cloud-delivered protection” and “Automatic sample submission”, which only needs to be done once.
   • Exclude your working directories e.g. “C:\Cases” and “C:\Tools” from Defender’s virus and threat protection scanning. That way Defender won’t detect and remove important files during an investigation. Go to “Exclusions” -> “Add an exclusion” -> “Folder”. 

5) Download and Install Forensic Tools

The required tools depend on the objective. Traditionally, in forensics, you’ll need tools to acquire, extract and analyze memory, disk, and file-based artifacts. Below outlines the installation steps for the most commonly used tools.

a) Linux-based tools

Below are installation instructions for common Linux-based forensic tools. Open your Ubuntu Linux subsystem and install the following tools as needed.

Note: In a fresh environment you may need to update the package index files with their sources first by running: “sudo apt-get update”

• pip3 – Python packet manager
  • • Run: “sudo apt install python3-pip“
    • Verify that pip3 is working by executing “pip3” 
• Volatility3
  • • Use pip3 to install: “pip3 install volatility3“
    • Install the optional capstone library “pip3 install capstone“
    • Verify that Volatility3 is working by executing “vol“.
      (You may have to reload/restart the Bash shell)
• Log2Timeline (plaso tools)
  • • Add the plaso GIFT repository: “sudo add-apt-repository ppa:gift/stable”
    • Install plaso: “sudo apt-get install plaso-tools“
    • Verify that log2timline is working by typing “log2timeline.py -h“
• oletools
  • • • Use pip3 to install the Python-based oletools: “pip3 install oletools“
      • If you type “ole” and hit tab for autocomplete, you should now see several options such as oleid, olefile, olevba, etc. 

b) Windows-based tools

• Download and install the Windows-based tools as listed in the table below.