Labs for analysis
Preparing Labs
Something that can be a really good idea is to have labs ready to use when you need to analyze or examine something in depth. There are many different labs out there, each with its own purpose, and they may be worth spending some time on.
Below is my take on some of them, as we also get to look at them in class. I have aimed for us to be able to use older hardware rather than the latest.
It is my experience that the reality is often that one gets hold of something that has been retired instead of investing in the "latest and greatest", which costs a fortune. :)
Forensic Lab
A forensic lab requires its own machine, as analyzing and processing data for a digital investigation is a heavy task. The requirements are disk read and write speed, RAM and processor power.
Digital forensic tools build an index/database of the artifacts on a system, which requires a lot of available RAM, 16 GB or more. With less than that, you will find that the analysis slows down.
The processor is also put under pressure when it has to analyze and traverse a lot of data. You will find that when forensic programs start analyzing, they use 80 to 100 percent of the processor. More cores are an advantage here and increase the speed considerably, provided the tool parallelizes its work (most modern suites do).
The last thing you must have is disk speed. This is probably the most important point for faster processing of data. A pile of data often needs to be read and then analyzed, so the faster the disk, the faster the analysis. That does not mean you will avoid spending many hours waiting: forensic tools apply many filters and search criteria, which by their nature take time.
If you have, say, an older SATA 7200 RPM hard drive versus a new NVMe PCIe SSD of the same capacity, the newer drive is up to roughly 20 times faster in sequential throughput, and far more in random access, which indexing relies on. In practice this can save many hours of analysis work.
I have not tested what the difference is, but I assume it is more than double the speed of analysis.
Example of Hardware for the task
- RAM: 128 GB
- Hard disks: 1 x 1 TB NVMe PCIe for the OS, 2 x 2 TB for image analysis and storage of the index, and 1 x 8 TB or larger hard disk for large images or temporary storage of data
- Processor: Intel Core i9 Extreme or AMD Ryzen Threadripper
- Graphics: Nvidia GeForce RTX 3080 or AMD Radeon RX 6900 XT. Note that CUDA is Nvidia-only; if your tools (password recovery, hashing) depend on CUDA, choose the Nvidia card, as AMD cards are driven through OpenCL instead.
[Sumuri Talino workstations](https://sumuri.com/hardware/forensic-workstations/) are some of the ones on the market that specialize in building such machines. They focus on cooling and stability. Their position is that if the above is in place, the machine lasts 2-3 times longer than a cheaper workstation.
Can less do it?
Yes, easily. If you have an older computer standing around, it can be used. If you have, for example:
- 16 GB RAM
- an Intel Core i7 processor (an older generation is fine)
- a SATA SSD with enough storage for the task, and a graphics card if possible
then you will be able to carry out an investigation. It just takes a little longer than with the machine above. How much to invest is up to you. Personally, I would start with the latter example the first year or two. Then you can build knowledge around how to use your forensic hardware for research.
Autopsy - See the Autopsy page
Labs in general
Just a few thoughts on the environment for virtualization.
I have kept in mind that you have some older hardware that has been brought back to life for the purpose.
If you need to set up a PC for the purpose, new or old, my recommendation would be to start with VMware or VirtualBox installed on a Linux machine, Ubuntu or Linux Mint (they are two sides of the same coin). Linux does not need as many base resources to run, so you have more power available for the virtual machines.
Linux
- Kali https://www.kali.org/
- Ubuntu https://ubuntu.com/
A couple of virtual machines for the purpose
Security Onion
Is a cool project that is worth having a look at.
Security Onion is a complete setup of SIEM, network monitoring (Zeek, formerly Bro), analysis, packet capture, incident response management and much more. It is an ISO you download and can install in a virtual machine or directly on hardware.
Link to main page for Security Onion
Malware lab
Being able to analyze a piece of unknown malware can make a big difference: finding out how it spreads, what new files and processes it creates, and what it contacts on the Internet, to name a few. It can give the company a head start on how to block further spread.
You can see the specifications under hardware for the task. The same applies here. It is important that you have enough RAM, as you may have to run multiple machines at the same time; processor and disk speed also matter. Virtual Linux machines are often a little easier to run, as they do not require as much. Keep the analysis machines on an isolated (host-only) network with shared folders and clipboard sharing disabled, and take a clean snapshot before each detonation so you can roll back.
- Remnux https://remnux.org/
- Flare VM https://github.com/mandiant/flare-vm
Log lab
- SOF-ELK https://github.com/philhagen/sof-elk/blob/main/VM_README.md
- Splunk https://www.splunk.com/
Extending Hard Disk Space on Virtualbox and Vmware
Sometimes disk space needs to be expanded in the virtual lab. It is relatively easy if you know where to look. Here is a sketch of how to expand the existing space. This may be necessary on, for example, FlareVM, as the Windows VM you download from Microsoft does not have much space allocated. Power the VM off first in both hypervisors, and note that VMware refuses to expand a disk that has snapshots, so delete or merge them beforehand.
Virtualbox
File -> Virtual Media Manager -> select the disk belonging to your VM and adjust how much space you need on the slider.
Click Apply and Close.
VmWare
Click Settings -> Hard Disk -> Expand, select the new size and click OK.
Start your FlareVM, type Computer Management in the Start menu and open Disk Management.
In Disk Management, right-click the C: volume and select Extend Volume. A small wizard follows where you click Next, select how much of the unallocated space to add, and click Finish. Extend Volume is only offered when the unallocated space lies directly after the volume; if a small recovery partition sits in between, it has to be removed or moved first.
This way you can expand your C: drive with more space, which comes in handy if you have larger data to load. Note: after installing FlareVM there is not much free space left on the system, so it is recommended that you perform this operation.
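The same guest-side step as a script, which is handy when the lab VM is rebuilt often. This is an added example, not code from the original page or from the FlareVM project; it assumes the OS volume is C: and runs in an elevated PowerShell inside the guest (Storage module, Windows 8 / Server 2012 or later). It first checks that unallocated space actually follows C:, which is the case the Disk Management wizard silently refuses when a recovery partition is in the way. On the host, the enlargement itself can be scripted too: `VBoxManage modifymedium disk <file>.vdi --resize <MB>` for dynamically allocated VDI/VHD images, or `vmware-vdiskmanager -x <size> <file>.vmdk` for VMware.

```powershell
# Added example (not from the original page): extend C: into the unallocated
# space that appears after the virtual disk has been enlarged in VirtualBox
# or VMware. Run inside the guest in an elevated PowerShell.
#Requires -RunAsAdministrator

function Expand-SystemDrive {
    param([char]$DriveLetter = 'C')   # assumption: the OS volume is C:

    $partition = Get-Partition -DriveLetter $DriveLetter
    $limits    = Get-PartitionSupportedSize -DriveLetter $DriveLetter

    # SizeMax only exceeds the current size when unallocated space sits
    # directly after the partition. A recovery partition in between, or a
    # virtual disk that was never enlarged, leaves SizeMax equal to Size.
    $growBy = $limits.SizeMax - $partition.Size
    if ($growBy -lt 1MB) {
        Write-Warning "No unallocated space directly after ${DriveLetter}: (hypervisor resize missing, or another partition is in the way)."
        Get-Partition -DiskNumber $partition.DiskNumber |
            Format-Table PartitionNumber, DriveLetter, Type, Size, Offset -AutoSize
        return $null
    }

    Write-Host ("Extending {0}: from {1:N1} GB to {2:N1} GB" -f $DriveLetter,
                ($partition.Size / 1GB), ($limits.SizeMax / 1GB))
    Resize-Partition -DriveLetter $DriveLetter -Size $limits.SizeMax

    # Return the volume so the caller can verify the new size.
    Get-Volume -DriveLetter $DriveLetter
}

Expand-SystemDrive -DriveLetter 'C' |
    Format-Table DriveLetter, FileSystemLabel, Size, SizeRemaining -AutoSize
```

If the warning fires, the partition table listing shows what sits after C:; a recovery partition must be dealt with in Disk Management (or with diskpart) before the resize can succeed.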
Extra space on an additional disk drive
Another easy approach is to add a disk. If you have set up a lab for analyzing logs or network traffic, it is nice to have an extra hard drive on your virtual machine. It is easy to do in both VirtualBox and VMware.
VMware: click Edit virtual machine settings, select Hard Disk, click Add and follow the wizard. This creates an additional disk file for your machine with the size you want (and have room for).
VirtualBox: select Settings -> Storage and add a disk to the controller (the plus icon).
Start your virtual machine, open Disk Management, initialize the new disk and create a simple volume on it with a drive letter. Windows will then show it as a second disk.
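The Disk Management part of this procedure, as an added example that is not from the original page or from any of the projects mentioned. It runs in an elevated PowerShell inside the Windows guest after the disk has been attached in VirtualBox or VMware; the drive letter E: and the label LabData are assumptions. The script only proceeds when exactly one uninitialised disk is present, because initialising the wrong disk wipes it.

```powershell
# Added example (not from the original page): bring a freshly attached
# virtual disk online, partition it as GPT and format it as NTFS.
#Requires -RunAsAdministrator

function Initialize-LabDataDisk {
    param(
        [char]$DriveLetter = 'E',        # assumed free letter for the new volume
        [string]$Label     = 'LabData'   # assumed volume label
    )

    # A new VMDK/VDI shows up as a RAW (unpartitioned) disk, often offline.
    $raw = @(Get-Disk | Where-Object { $_.PartitionStyle -eq 'RAW' })
    if ($raw.Count -eq 0) {
        Write-Warning 'No uninitialised disk found. Was it added in the hypervisor and the VM restarted?'
        return $null
    }
    if ($raw.Count -gt 1) {
        # Refuse to guess: initialising the wrong disk destroys its contents.
        Write-Warning 'More than one uninitialised disk present; initialise by disk number instead.'
        $raw | Format-Table Number, FriendlyName, Size, IsOffline -AutoSize
        return $null
    }
    $disk = $raw[0]

    if ($disk.IsOffline)  { Set-Disk -Number $disk.Number -IsOffline $false }
    if ($disk.IsReadOnly) { Set-Disk -Number $disk.Number -IsReadOnly $false }

    # GPT rather than MBR: no 2 TB limit, which matters for image and log stores.
    Initialize-Disk -Number $disk.Number -PartitionStyle GPT
    $partition = New-Partition -DiskNumber $disk.Number -UseMaximumSize -DriveLetter $DriveLetter
    Format-Volume -Partition $partition -FileSystem NTFS -NewFileSystemLabel $Label -Confirm:$false
}

Initialize-LabDataDisk -DriveLetter 'E' -Label 'LabData' |
    Format-Table DriveLetter, FileSystemLabel, FileSystem, Size -AutoSize
```

For a Linux guest the equivalent is to partition the new block device (for example /dev/sdb), create a filesystem on it and add it to /etc/fstab; the same "exactly one new disk" check is worth keeping there too.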