Windows Forensics
Setting up your forensic workstation
Build your forensic workstation tutorial and downloads
The environment was built on a 12-core Classic Mac Pro, as it had sufficient storage to host all the VMs.
I used the Blue Cape Security - Build your forensic workstation tutorial as it was very comprehensive:
BlueCapeSecurity - Build-your-forensic-workstation
Other Download Links:
Windows 2019 Server ISO or VHD from the Evaluation Center
Windows 2019 Server EN-US VHD direct download
VirtualBox and Windows 2019 VM installation
Update VirtualBox v7 License Terms Error:
Many have encountered issues while installing Windows using VirtualBox version 7, specifically an error stating: “Windows Cannot Find the Microsoft Software License Terms”.
Windows VirtualBox Error
Troubleshooting Steps:
- Ensure that during VM creation in VirtualBox, you check the option "Skip Unattended Installation". This will disable the Product key field in the subsequent step.
- For additional solutions, refer to:
HowToGeek - Fixing Windows License Terms Error
WSL and Ubuntu Installation on Windows 2019 Server
Important: Only proceed with this tutorial if you are setting up a forensic workstation on Windows 2019/2022 server.
Microsoft Documentation - WSL Installation on Windows Server
Microsoft Documentation - WSL Linux Distributions
Start by installing Windows 2019 Server. Using a VHD is recommended to expedite the installation process, as the .iso installation is time-consuming.
Once the server installation is complete, shut it down and adjust the virtual hard disk size as follows:
Navigate to: File > Tools > Virtual Media Manager.
Ensure the hard disk size is set to 100GB.
Install the VirtualBox 7.0.14 Oracle VM VirtualBox Extension Pack.
Additionally, install the Guest Additions to optimize VM performance.
Enable the Windows Subsystem for Linux (WSL) feature by executing the following command in PowerShell:
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux
Configure the Windows Environment
- Restart the workstation.
- Install .NET Framework 4.5, a prerequisite for Chocolatey.
- Restart after installation.
- Install Windows Terminal. If you encounter issues with the Microsoft Store, use Chocolatey for installation. Always review the script before execution:
Set-ExecutionPolicy Bypass -Scope Process -Force;
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072;
iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
- Install Windows Terminal via Chocolatey:
choco install microsoft-windows-terminal
Forensic Workstation Configuration Best Practices
- Set your time zone to UTC.
  - This standardizes your forensic analysis across tools and time zones, ensuring accurate event correlation.
- Configure Windows Explorer to show hidden files.
  - Navigate to File Explorer -> View -> check “Hidden items” and “File name extensions”.
- Create directories for case data and forensic tools:
  - C:\Cases for evidence and C:\Tools for utilities.
  - Placing these directories at the root minimizes path length when using command-line tools.
- Modify Microsoft Defender settings:
  - Temporarily disable “Real-time protection” and, if necessary, permanently disable it via Group Policy.
  - Exclude “C:\Cases” and “C:\Tools” from virus and threat protection scans to prevent interference with your forensic work.
Finally, take a snapshot of the VM to preserve this configuration.
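The four best-practice settings above, applied in one elevated PowerShell script and verified before the snapshot. This is an added example, not code from the Blue Cape Security tutorial or this page; it assumes the C:\Cases, C:\Tools and C:\Tools\Installers paths used in the text.

```powershell
# Added example (not from the original tutorial). Run in an elevated PowerShell
# on the forensic VM. Paths are the ones the tutorial uses; adjust if yours differ.
$ErrorActionPreference = 'Stop'

# 1. Time zone: UTC, so timestamps line up across tools and evidence sources.
Set-TimeZone -Id 'UTC'

# 2. Explorer: show hidden items and file name extensions (per-user setting).
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $adv -Name 'Hidden'      -Value 1   # 1 = show hidden files
Set-ItemProperty -Path $adv -Name 'HideFileExt' -Value 0   # 0 = show extensions
# Explorer only re-reads these values on restart; it relaunches itself on Windows.
Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue

# 3. Case and tool directories at the drive root (short paths for CLI tools).
$dirs = 'C:\Cases', 'C:\Tools', 'C:\Tools\Installers'
foreach ($d in $dirs) {
    if (-not (Test-Path -LiteralPath $d)) {
        New-Item -Path $d -ItemType Directory | Out-Null
    }
}

# 4. Microsoft Defender: exclude the evidence and tool folders from scanning and
#    turn off real-time protection, as the tutorial recommends for this analysis VM.
Add-MpPreference -ExclusionPath $dirs
Set-MpPreference -DisableRealtimeMonitoring $true

# 5. Verify every setting before taking the VM snapshot.
$mp  = Get-MpPreference
$exp = Get-ItemProperty -Path $adv
[pscustomobject]@{
    TimeZone         = (Get-TimeZone).Id
    ShowHidden       = ($exp.Hidden -eq 1)
    ShowExtensions   = ($exp.HideFileExt -eq 0)
    ExcludedPaths    = ($mp.ExclusionPath -join ', ')
    RealtimeDisabled = $mp.DisableRealtimeMonitoring
} | Format-List
```

If the Defender cmdlets report that the setting is managed by your administrator, the Group Policy route mentioned above is the one that applies.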
Update: December 2022
Make sure to download the Ubuntu 20.04 package directly! There are more recent versions and many have reported issues with them.
WSL and Ubuntu installation on Windows 10 (alternative)
Important: Follow this section only if your forensic workstation is on Windows 10/11.
VirtualBox and Windows 2022 Server
Windows Server 2022 180-day evaluation edition direct download
Download the Windows Server 2022 Evaluation Edition .iso from Microsoft:
- Complete the form and select "Download now".
- Choose your language and the appropriate format (VHD or ISO). For this setup, I recommend using the ISO format.
Hardware Configuration for VirtualBox:
Allocate 24GB RAM and a 100GB disk with a NAT network connection.
- Ensure the VirtualBox Guest Additions are installed to enhance performance and add extra features.
- Mount the .iso file.
- Grant permission and restart after the installation has completed.
- Install pending updates.
- Install the Windows Subsystem for Linux (WSL). Execute the following command in PowerShell (Run as Administrator):
wsl --install
- Wait for Ubuntu to be downloaded and installed:
Installing Windows Terminal and Configuring Linux Subsystem
Prerequisite Installation
To facilitate seamless navigation between the various terminal windows (e.g., Ubuntu, Kali Linux, PowerShell), follow these steps. Ensure you're in the Downloads directory before executing the PowerShell commands.
Install the Microsoft.UI.Xaml prerequisite package with:
Add-AppxPackage .\Microsoft.UI.Xaml.2.8.x64.appx
Installing Windows Terminal
Windows Terminal Preview
Install the package with:
Add-AppxPackage .\Microsoft.WindowsTerminal_1.19.10821.0_8wekyb3d8bbwe.msixbundle
After installation, verify the status of the package. Ensure the Status is “OK”:
Get-AppxPackage *WindowsTerminal* -AllUsers
Installing Kali Linux Subsystem
- Obtain the URL of the Appx package from the Kali Linux Microsoft Store.
- Open RG-Adguard in a new tab.
- Paste the Microsoft Store URL into RG-Adguard, and download the .appxbundle file.
To install the package, run the following command in a PowerShell window with Administrator privileges:
Add-AppxPackage .\KaliLinux.54290C8133FEE_1.2024.1.0_neutral_~_ey8k8hqnwqnmg.AppxBundle
Configuring Directories
Create the following directories to organize your work environment:
New-Item -Path "C:\" -Name "Cases" -ItemType "Directory"
New-Item -Path "C:\" -Name "Tools" -ItemType "Directory"
Optional: Consider creating an additional Installers folder within the Tools directory to store all installation files post-setup.
Additional Setup
Enable the viewing of hidden files and file extensions to streamline file management.
Finally, proceed with the installation of the recommended Windows tools as needed.
Install the recommended Windows Tools:
| Application | OS | Purpose | Notes |
|---|---|---|---|
| VirtualBox (https://www.virtualbox.org/) | Any | Essentials | Free hypervisor for all platforms. |
| Windows Server 2019 evaluation (https://techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows/m-p/3361125) | Any | Essentials | Windows Server 2019 Essentials is arguably the most efficient Windows operating system that can be used for forensics. |
| Kali Linux for WSL (https://docs.microsoft.com/en-us/windows/wsl/install-manual#downloading-distributions) | Windows | Essentials | Kali Linux subsystem that can be installed on Windows Server. |
| Notepad++ (https://notepad-plus-plus.org/) | Windows | Essentials | Go-to text editor that supports syntax formatting for various types of text and code. |
| Firefox (https://www.mozilla.org/en-US/firefox/new/) | Windows | Essentials | Besides regular browsing, Firefox's (or Chrome's) built-in developer tools can be used for debugging websites and HTTP requests. |
| Excel or OpenOffice (https://www.microsoft.com/en-us/microsoft-365/get-started-with-office-2019) | Windows | Essentials | Ideal tool for handling large CSV data sets or building timelines. |
| Visual Studio Code (https://code.visualstudio.com/download) | Windows | Essentials | Very advanced text editor with lots of plugins to support various text files. Very useful for reading or writing code. |
| 7-Zip (https://www.7-zip.org/download.html) | Windows | Essentials | Swiss army knife for compressing and decompressing files. |
| FTK Imager (https://accessdata.com/product-download/ftk-imager-version-4-5, now also at https://www.exterro.com/digital-forensics-software/ftk-imager) | Windows | Image Mounting & Data Acquisition | The most common tool for taking memory and disk images as well as loading and mounting images. Free to download, but requires registration. |
| KAPE (https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape) | Windows | Data Acquisition | KAPE is a very flexible and effective tool for collecting triage data off disk images. It also allows for directly parsing the data. |
| Arsenal Image Mounter (https://arsenalrecon.com/downloads/) | Windows | Image Mounting | The most reliable tool when it comes to mounting disk images. Available for free. |
| DumpIt (https://github.com/thimbleweed/All-In-USB/tree/master/utilities/DumpIt) | Windows | Memory Acquisition | A simple tool to create memory dumps of Windows systems. Note that it can only handle 4GB RAM. |
| Eric Zimmerman's tools (https://ericzimmerman.github.io/) | Windows | Windows Analysis | EZ's tools are famous for Windows system analysis and widely used in the forensics community. The suite includes Timeline Explorer for analyzing the produced results. It is recommended to use the "Get-ZimmermanTools" PowerShell script to install the suite: `powershell -ExecutionPolicy bypass .\Get-ZimmermanTools.ps1` |
| RegRipper (https://github.com/keydet89/RegRipper3.0) | Windows | Windows Analysis | RegRipper is another well-known tool and provides both a GUI-based and a command line-based tool for parsing all kinds of Registry hives. |
| Event Log Explorer (https://eventlogxp.com/) | Windows | Windows Analysis | While Windows has an Event Viewer, Event Log Explorer provides a much more advanced user interface for parsing and analyzing Windows event logs through a GUI. It requires registration, but is free for non-commercial use. |
| Sysinternals (https://docs.microsoft.com/en-us/sysinternals/) | Windows | Windows Analysis | Often overlooked, the Windows Sysinternals suite provides a number of tools, such as Autoruns and Process Explorer, that can also be very helpful for forensic analysis. |
| Wireshark (https://www.wireshark.org/) | Windows | Network Analysis | Wireshark is widely known and used for capturing as well as analyzing network traffic. |
| CyberChef (https://github.com/gchq/CyberChef/releases) | Windows | Malware Analysis | A browser-based swiss-army knife for encoding, decoding and manipulating any kind of payload. |
| pestudio (https://www.winitor.com/) | Windows | Malware Analysis | A clean and free tool for static analysis of any Windows executable, which includes a wealth of features. |
| ExifTool (https://exiftool.org/) | Windows | Malware Analysis | A simple tool to retrieve metadata from a wide variety of files. |
| Plaso / log2timeline (https://plaso.readthedocs.io/en/latest/sources/user/Ubuntu-Packaged-Release.html) | Linux | Windows & Linux Analysis | log2timeline is famous for creating timelines by parsing and processing all kinds of events (kitchen-sink approach) and supports various operating systems. It includes a large number of parsers for different artifacts that can also be used to create targeted timelines. For some artifacts it may be an alternative to the EZ tools, though the output format of the two often differs slightly. |
| Volatility 3 (https://github.com/volatilityfoundation/volatility3) | Linux | Memory Analysis | Volatility is the de facto standard tool for performing memory analysis. Use Volatility version 3, for compatibility with newer operating systems. |
| oletools (https://github.com/decalage2/oletools) | Linux | Malware Analysis | oletools is a package of Python tools to analyze Microsoft OLE2 files, such as Microsoft Office documents, mainly for malware analysis. |
Snapshot
Shut down and take a snapshot. The previous steps took a lot of time and we don't want to go through them again.
Note: updated Plaso install instructions follow.
Install Plaso on Windows
Plaso is not distributed as a Windows executable; it is installed as a Python package. Install Python 3 first so that the package can then be installed with pip:
Install Python:
- Download and install Python 3.x from the official Python website.
- Make sure to check the “Add Python to PATH” option during installation.
Open Command Prompt (CMD):
- Press Win + R, type “cmd”, and press Enter.
Install plaso using pip:
- In the Command Prompt, type the following command and press Enter:
`pip install plaso`
Verify the installation:
- To verify that plaso is installed, type the following command:
plasoinfo --version
- If you see the version number, plaso is successfully installed.
Note: If you encounter any issues during installation, make sure you have administrative privileges and that Python is added to your system PATH.