Build Your Forensic Workstation
This tutorial describes how to set up a fully functional forensic workstation for conducting DFIR investigations.
Are you looking to learn how to perform a digital forensic investigation from start to finish? Check out our Practical Windows Forensics Course and become an expert!
In this tutorial, you will learn how to build your own forensic workstation that consists of a combination of the best and most common tools that the experts are using during professional, real-world investigations.
The stack builds upon a Windows VM with Ubuntu Linux installed through the Windows Subsystem for Linux (WSL) feature. The proposed tools are either open-source, free, or free for non-commercial use, and all of them are well recognized in the industry.
Agenda:
- Workstation Setup Instructions
- 1) Install a Hypervisor
- 2) Install Windows Guest VM
- 3) Enable WSL and Install Ubuntu
- 4) Configure the Windows Environment
- 5) Download and Install Forensic Tools
- Tools Listing
- Next Steps
- Alternative Options
Why a Forensic Workstation
The DFIR world consists of a tremendous number of open-source projects and tools. As a forensic analyst, you will often be challenged with investigating all kinds of image types, operating systems and file types during an investigation. Having a dedicated forensic workstation with the appropriate tools ready to go at short notice is critical!
In this guide we’ll be using VirtualBox (a Type-2 hypervisor) and a Windows Server 2019 Essentials VM with WSL1 and Ubuntu installed. It is important to follow the instructions closely to avoid compatibility issues between VirtualBox and WSL.
There are pros and cons with this approach. Virtualization allows us to quickly have a clean and pre-configured forensic system available. This comes with some performance limitations when compared with physical systems or type-1 hypervisors. Therefore, this guide is mostly intended to be used for training purposes in your own home lab environment.
Workstation Setup Instructions
1) Install a Hypervisor
For an overview of virtualization options as well as useful information regarding VirtualBox see Virtualization Primer.
1.1 Download and install a hypervisor: VirtualBox (recommended)
Note: At the time of writing, VirtualBox and others only support WSL1, which is important to consider, but OK for our purposes.
2) Install Windows Guest VM
You can find various and free Windows trial versions in the Microsoft Evaluation Center!
We recommend downloading a Windows Server 2019 VHD version, as it provides the best performance and the setup process for WSL1 is easier than with others. It’s also the quickest way to download a ready-to-go VHD, which skips the need to install the operating system from an ISO.
2.1) Download the Guest VM
a) Windows 2019 Server ISO or VHD from the Evaluation Center (VHD direct link).
b) Alternatively, you can download other versions. However, carefully read the instructions in the WSL setup section below!
- This post on the Microsoft Tech Community page contains direct links to all available ISOs for Windows 10/11 and Windows server 2019/2022
Note that the Windows client comes with a 90-day and Windows Server with a 180-day evaluation period. There are ways to extend the period for some systems by re-arming them.
2.2) Install a new Windows VM
For detailed instructions see the setup guides for VirtualBox and a Windows 10 VM or a Windows 2019 Server.
- VM requirements:
- 100 GB disk – dynamically allocated! That way the virtual disk file stays small and only grows when needed. However, it can’t grow beyond the size chosen at creation, so make sure to choose the right size based on the expected amount of data to be analyzed.
- 4+ GB RAM
- 2 or more CPUs
- NAT Networking Mode
- Additionally, install VirtualBox Guest Additions and enable features such as Drag & Drop, bi-directional clipboard, and folder sharing with the host in the VMs settings.
- Install Windows from the ISO.
- When finished, shut down the system and create a snapshot.
3) Enable Windows Subsystem for Linux (WSL) and Install Ubuntu
As mentioned above, VirtualBox does not support WSL2. It is important to read the respective instructions carefully to set up an Ubuntu subsystem using WSL1 on your Windows VM.
a) Microsoft Installation Guide for Windows Server
- Open PowerShell as Administrator and run the following command:
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux
- Download the Ubuntu 20.04 Distribution here
- When downloaded, rename the package from .appxbundle to .zip and extract the archive
- Install the x64.appx package contained within the archive using the following PowerShell command (as administrator!):
Add-AppxPackage .\Ubuntu_2004.4.2.0_x64.appx
- Reboot the system
- Finish the installation by opening “Ubuntu” in your Start Menu and setting up a user account when asked for it.
b) Other Windows Versions
- Windows 10/11 from ISO
- Use the manual steps in the “for older versions” guide to set up WSL1 on your Windows system. Do NOT upgrade to WSL2, and skip steps 2 to 5 of that guide!
- Install Ubuntu from the Microsoft store
- Windows 11 Developer VM
- This version comes with WSL2 and Ubuntu out of the box. You need to downgrade to WSL1.
c) WSL Troubleshooting
- Do not use the newer Microsoft command “wsl --install”, since this is going to install WSL2, which won’t work with VirtualBox.
- To check whether you have WSL2 installed, type “wsl --version” in PowerShell. It will show several options for using WSL with version 2 if you have it. Otherwise, for version 1 you will only see a limited help menu.
- If you installed WSL2, you need to downgrade to WSL1 before you can install any Linux environment: “wsl --set-default-version 1”
4) Configure the Windows Environment
- Set the time zone to UTC – important!
- This is a general best practice for conducting forensic analysis and ensures a standard time zone is being used across all tools. It also helps to correlate events that possibly happened across different time zones or where the origin is not clear.
- Configure Windows Explorer to show hidden files and file name extensions. This enables viewing files that are relevant in forensic analysis, such as NTFS metadata files.
- Open File Explorer -> View -> check “Hidden items” and “File name extensions”.
- Create a “C:\Cases” and a “C:\Tools” folder for evidence data and tools respectively.
- Having your folders in the root of your file system saves you from typing long paths on the command line when using them. You may also want to add a shortcut to your Desktop.
- Configure Microsoft Defender to avoid interference with evidence or tools.
- Open Virus & threat protection settings.
- Disable Defender’s “Real-time protection” when needed for a temporary period of time. If you want to permanently turn off real-time protection you need to disable it via GPO as described in the next section.
- Disable “Cloud-delivered protection” and “Automatic sample submission”, which only needs to be done once.
- Exclude your working directories e.g. “C:\Cases” and “C:\Tools” from Defender’s virus and threat protection scanning. That way Defender won’t detect and remove important files during an investigation. Go to “Exclusions” -> “Add an exclusion” -> “Folder”.
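The Windows configuration from step 4, together with the WSL1 default from the troubleshooting notes in step 3, scripted as an added example (not code from the original post). It assumes an elevated PowerShell on Windows 10 / Server 2019 or later and that Defender’s tamper protection is off; otherwise the Defender settings are silently ignored.

```powershell
# Added example: apply the workstation settings from step 4 and the WSL1 default from step 3c.
# Assumes an elevated PowerShell session and Defender tamper protection turned off.
#Requires -RunAsAdministrator

$CaseDir = 'C:\Cases'
$ToolDir = 'C:\Tools'

# 3c) Register any new distribution as WSL1, which VirtualBox supports.
wsl --set-default-version 1

# 4.1) Time zone to UTC so every tool writes timestamps in one zone.
Set-TimeZone -Id 'UTC'

# 4.2) Show hidden items and file name extensions in File Explorer (per-user setting).
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $explorer -Name 'Hidden'      -Value 1 -Type DWord
Set-ItemProperty -Path $explorer -Name 'HideFileExt' -Value 0 -Type DWord

# 4.3) Evidence and tool folders in the root of C:.
foreach ($dir in $CaseDir, $ToolDir) {
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
}

# 4.4) Defender: no cloud lookups or sample uploads of evidence, and leave the
#      working directories alone. Real-time protection stays on here; turn it off
#      temporarily in the UI, or permanently via GPO, as described above.
Set-MpPreference -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Add-MpPreference -ExclusionPath $CaseDir, $ToolDir

# Verify the result; every property should read True.
# MAPSReporting 0 = Disabled, SubmitSamplesConsent 2 = NeverSend.
$mp = Get-MpPreference
[pscustomobject]@{
    TimeZoneIsUtc   = (Get-TimeZone).Id -eq 'UTC'
    HiddenShown     = (Get-ItemProperty $explorer).Hidden -eq 1
    ExtensionsShown = (Get-ItemProperty $explorer).HideFileExt -eq 0
    FoldersExist    = (Test-Path $CaseDir) -and (Test-Path $ToolDir)
    CloudDisabled   = $mp.MAPSReporting -eq 0
    NoSampleUpload  = $mp.SubmitSamplesConsent -eq 2
    DirsExcluded    = ($mp.ExclusionPath -contains $CaseDir) -and ($mp.ExclusionPath -contains $ToolDir)
} | Format-List
```

Sign out or restart Explorer for the hidden items and extension settings to become visible in File Explorer.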
5) Download and Install Forensic Tools
The required tools depend on the objective. Traditionally, in forensics, you’ll need tools to acquire, extract and analyze memory, disk, and file-based artifacts. Below outlines the installation steps for the most commonly used tools.
a) Linux-based tools
Below are installation instructions for common Linux-based forensic tools. Open your Ubuntu Linux subsystem and install the following tools as needed.
Note: In a fresh environment you may need to update the package index files with their sources first by running: “sudo apt-get update”
- pip3 – Python package manager
  - Run: “sudo apt install python3-pip”
  - Verify that pip3 is working by executing “pip3”
- Volatility3
  - Use pip3 to install: “pip3 install volatility3”
  - Install the optional capstone library: “pip3 install capstone”
  - Verify that Volatility3 is working by executing “vol” (you may have to reload/restart the Bash shell)
- Log2Timeline (plaso tools)
  - Add the plaso GIFT repository: “sudo add-apt-repository ppa:gift/stable”
  - Install plaso: “sudo apt-get install plaso-tools”
  - Verify that log2timeline is working by typing “log2timeline.py -h”
- oletools
  - Use pip3 to install the Python-based oletools: “pip3 install oletools”
  - If you type “ole” and hit tab for autocomplete, you should now see several options such as oleid, olefile, olevba, etc.
b) Windows-based tools
- Download and install the Windows-based tools listed in the table below.
Application | OS | Purpose | Notes |
---|---|---|---|
VirtualBox | Any | Essentials | Free hypervisor for all platforms. |
Windows Server 2019 Evaluation | Any | Essentials | Windows Server 2019 Essentials is arguably the most efficient Windows operating system that can be used for forensics. |
Kali Linux Subsystem for Windows Server | Windows | Essentials | Kali Linux Subsystem that can be installed on Windows Server. |
Notepad++ | Windows | Essentials | Go to text editor that supports syntax formatting for various types of text and code. |
Firefox | Windows | Essentials | Besides regular browsing, Firefox's (or Chrome's) built-in developer tools can be used for debugging websites and HTTP requests. |
Microsoft Excel | Windows | Essentials | Ideal tool for handling large CSV data sets or building timelines. |
Visual Studio Code | Windows | Essentials | Very advanced text editor, with lots of plugins to support various text files. Very useful for reading or writing code. |
7-Zip | Windows | Essentials | Swiss army knife for compressing and decompressing files. |
FTK Imager | Windows | Image Mounting & Data Acquisition | The most common tool for taking memory and disk images as well as loading and mounting images. The tool is free to download, but requires registration. |
KAPE - Kroll Artifact Parser and Extractor | Windows | Data Acquisition | KAPE is a very flexible and effective tool for collecting triage data off of disk images. It also allows for directly parsing the data. |
Arsenal Image Mounter | Windows | Image Mounting | The most reliable tool when it comes to mounting disk images. Available for free. |
DumpIt | Windows | Memory Acquisition | This is a simple tool to create a memory dump of a Windows system. Note that it can only handle 4 GB of RAM. |
Eric Zimmerman Tools | Windows | Windows Analysis | EZ's tools are famous for Windows system analysis and are widely used in the forensics community. The suite also includes TimelineExplorer for analyzing the produced results. It is recommended to use the "Get-ZimmermanTools" PowerShell script to install the suite: "powershell -ExecutionPolicy bypass .\Get-ZimmermanTools.ps1" |
RegRipper 3.0 | Windows | Windows Analysis | RegRipper is another well-known tool and provides a GUI-based as well as a command line-based tool for parsing all kinds of Registry hives. |
Event Log Explorer | Windows | Windows Analysis | While Windows has an Event Viewer, Event Log Explorer provides a much more advanced user interface for parsing and analyzing Windows event logs through a GUI. It requires registration, but is free for non-commercial use. |
Windows Sysinternals | Windows | Windows Analysis | Often overlooked, Windows Sysinternals suite provides a number of tools such as autoruns, process explorer, etc that can also be very helpful for forensic analysis. |
Wireshark | Windows | Network Analysis | Wireshark is widely known and used for capturing as well as analyzing network traffic. |
CyberChef | Windows | Malware Analysis | A browser based swiss-army knife for encoding, decoding and manipulating any kinds of payload. |
PEStudio | Windows | Malware Analysis | A clean and free tool for static analysis of any Windows executable, which includes a wealth of features. |
ExifTool | Windows | Malware Analysis | A simple tool to retrieve metadata from a wide variety of file types. |
Plaso Log2Timeline | Linux | Windows & Linux Analysis | Log2Timeline is famous for creating timelines by parsing and processing all kinds of events (kitchen sink approach) supporting various operating systems. It includes a large number of parsers for different artifacts that can also be used to create targeted timelines. For some artifacts, it may be an alternative for EZ tools, where the format of the outcome between the two is often slightly different. |
Volatility3 | Linux | Memory Analysis | Volatility is the defacto standard tool for performing memory analysis. It is important to use Volatility version 3, for compatibility reasons with newer operating systems. |
oletools | Linux | Malware Analysis | oletools is a package of Python tools to analyze Microsoft OLE2 files, such as Microsoft Office documents mainly for malware analysis |
Event Log Explorer | Windows | Windows Analysis | Event Log Explorer is one of the best tools for Windows Event Log analysis. |
Once the setup is complete take a snapshot! This is your known-good starting point when starting any new forensic investigation.
Finish!
Your final desktop setup may look similar to the screenshot below
Next Steps
With a functioning forensic workstation available, it is now time to use it.
If you already have a system that you would like to investigate, typical next steps are as follows:
- Create a memory and disk image of the system
- Export the images and import them to the forensic workstation
- Put the tools to use by starting with memory analysis and moving into analyzing the disk image.
- Create a timeline of events to understand the chronological order of what happened and when.
- Compile a list of IOCs (indicators of compromise) to understand and trace the malicious behavior.
Alternatively, if you don’t have a system to investigate yet, you need to create something that can be analyzed. The easiest way is to search for memory and disk samples on the internet; however, those are often outdated. You can easily create your own by starting with a single “victim” VM and executing malware or simulating malicious user behavior, or by using a compromised system that was part of a lab environment. To create and prepare those, continue below.
DFIR Series Road Map:
Forensic Workstations – Alternative Options
There are several popular tool kits out there, most prominently the SANS SIFT Workstation and REMnux. The SANS SIFT Workstation provides an incredible number of open-source tools designed for digital forensic examinations. In a similar fashion, REMnux also provides a wealth of tools, particularly for malware analysis. However, both tool kits run on Linux, and there are many useful forensic tools that support Windows only. Oftentimes the life of a forensic analyst consists of switching back and forth between Windows and Linux systems. There are also arguably more investigations and attacks on Windows systems, so using Windows as the forensic workstation’s operating system can be very beneficial for the forensic analyst.
Therefore, we prefer using a Windows operating system with a Linux subsystem to get the best of both worlds.
Last updated June 2, 2022
* The Microsoft Evaluation center is back online, but only for Windows 11 and Server 2022 trials. Links to VMs have been updated.