Shell
Need help with Ultimate-Forensics-VM?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.
theflakes

Description

Evolving directions on building the best Open Source Forensics VM

139 Stars 26 Forks 74 Commits 0 Opened issues

Services available

Need anything else?

Had issues with APT updates breaking and I don't feel like messing with APT problems. Therefore I am attempting to move to a Docker based forensics VM. See the docker directory for more information.
The below may still work but I don't feel like troubleshooting the APT conflicts.

Ultimate-Forensics-VM

Evolving directions on building the best Open Source Forensics VM

VM minimum config recommendations:
- 2 procs
- 4GB RAM
- 30GB disk space
- 2 NICs
- One shared or direct connect
- One host only
- Use this NIC for the SO monitor interface
- Replay your PCAPs on this interface

Install Ubuntu 14.04 LTS and run:
sudo apt-get update
sudo apt-get upgrade
sudo apt-get update
sudo apt-get dist-upgrade
sudo reboot

Install SIFT Workstation:
wget --quiet -O - https://raw.github.com/sans-dfir/sift-bootstrap/master/bootstrap.sh | sudo bash -s -- -i
sudo apt-get update
sudo apt-get upgrade
sudo reboot

Install Remnux Tools:
wget --quiet -O - https://remnux.org/get-remnux.sh | sudo bash
sudo apt-get update
sudo apt-get upgrade
sudo reboot

(above three steps sourced from: https://digital-forensics.sans.org/blog/2015/06/13/how-to-install-sift-workstation-and-remnux-on-the-same-forensics-system)

Install JSDetox Docker:
- Awesome JavaScript forensic tool: http://www.relentless-coding.com/projects/jsdetox/
sudo apt-get install docker
sudo apt-get update
sudo apt-get upgrade
Run JSDetox:
docker run
sudo docker run --rm -p 3000:3000 remnux/jsdetox
To stop JSDetox --> use "sudo docker ps -l" to obtain the container ID, then use the "sudo docker stop container-id" and wait about a minute.
Source: https://hub.docker.com/r/remnux/jsdetox/

Install SecurityOnion:
echo "debconf debconf/frontend select noninteractive" | sudo debconf-set-selections
sudo apt-get -y install software-properties-common
sudo add-apt-repository -y ppa:securityonion/stable
sudo apt-get update
sudo apt-get -y install securityonion-all syslog-ng-core
Now setup SecurityOnion as a standalone server.
- You can now run PCAPs against the monitor interface and have Bro and Suricata run against them.
- Install all of your custom Bro scripts
- View the results of the PCAP replay in Sguil and ELSA.
Source: https://github.com/Security-Onion-Solutions/security-onion/wiki/InstallingOnUbuntu

Install Libemu:
sudo apt-get install python-libemu

Install YARA rules: https://github.com/Yara-Rules/rules
mkdir yara
cd yara
git clone https://github.com/Yara-Rules/rules.git
Update to latest YARA version and enable various support:
Download latest version of Yara
tar -xzf yara-3.X.0.tar.gz
cd yara-3.4.0/
./bootstrap.sh
sudo apt-get install libjansson-dev
./configure --with-crypto --enable-cuckoo --enable-magic
make
sudo make install
cd yara-python/
python setup.py build
sudo python setup.py install
yara -v
**more work to do here, not sure if this is the best way forward

Update SIFT and Remnux:
update-sift
update-remnux

If you have any APT keys that need added run the below command.
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys KEY

Reset ELSA DB
(good to do before starting a new investigation)
securityonion-elsa-reset

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.