Course and peripherals

My overall view is that everyone should be able to get started with forensics and incident handling without it costing the entire budget. At the very least, one must be able to build a Proof of Concept (POC). Below is my suggestion for what to use.

Below are the needs and requirements for getting started properly with Security Incident Response, malware analysis and forensics. You can easily get to know the software on small, decommissioned computers and work your way up from there if you need to scale up or expand. A lot of software has flexible licensing options, so it may be very wise to first assess what your needs are before you

If you need to work in this field professionally, it is recommended that you have access to some capable hardware, not just a decommissioned PC. Some licensed software may also be needed.

Hardware requirements

In order to be able to participate in the course, my recommendation is that work on the topic is done on a stand-alone machine. We work with malware that can infect the system, even if you take precautions.

The computer you use must be able to run virtualization software, which places demands on the hardware you bring with you. However, most computers can run virtualization software.

Minimum PC requirements

i5 processor or equivalent
16 GB RAM
250 GB or larger hard drive, and an SSD (we are going to use forensics software, which requires a fast drive)
Some USB sticks

If you can find a computer with the above specifications or better, things will run better and more "painlessly".

In the teaching we aim to run 2 virtual systems in addition to the installed operating system. If you cannot do this, some minor functionality will be lost. An example of what it looks like is shown on the board. There will also be instructions for setting this up, so that the student can continue working on, for example, a desktop computer elsewhere.

Peripheral accessories

You must have a USB stick of at least 16 GB, and preferably a few. It is best if you have USB 3.0, as older versions can present challenges from time to time.

These are for data collection, and we need a bootable USB stick with CAINE Linux or Paladin Linux (requires registration and possibly a donation).

The software we will use on the course will be open source and available for free.

Some of my examples will use VMware, as a few things are a little easier to do there, for example the network setup.

Before the course day, you can easily prepare by downloading some software.

Forensics Software:

Images for virtual machines

Windows 7 and 10 (free / 90 day trial license for VMware and Virtualbox) = https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/

Remnux Linux (free) = https://remnux.org/

Log analysis

Splunk (free and requires registration) = https://www.splunk.com/

Netmon freemium (free and requires registration) = https://logrhythm.com/products/logrhythm-netmon-freemium/

Backup image software (not a requirement, nice to have)

If something should go wrong, it is a good idea to have ongoing backups of your data. It will make re-establishing the system easier.

There are more options. I use TeraByte's Image for Windows, which costs a bit but is well worth it. Link = https://www.terabyteunlimited.com/image-for-windows.htm

Registrations

It is a good idea to have an alternative email address to register software with, so that you do not use your work email.

We will use software that requires registration, such as Splunk, FTK Imager, VMware and Paladin.

Network

At the school, a separate wireless network is set up which the students can use when malware is run.

The network equipment I bring with me is one of the two options below (it is absolutely not a requirement, as I set up the equipment for the purpose):

https://www.gl-inet.com/products/gl-ar150/

https://www.gl-inet.com/products/gl-ar750s/ (For information, both routers can be purchased at amazon.co.uk if you so desire.)

Both routers can connect to an existing network and from there encapsulate the network we are working on. We connect to a VPN outside the school network. In this way we minimize the risk of infecting our own network.

Should the above give rise to questions, you are welcome to contact the e-mail address below.

You can download a PDF with the requirements here.

SIR equipment requirements ("SIR krav til udstyr", PDF, 134.93 KB)