Skip to content

Latest commit

 

History

History
102 lines (80 loc) · 3.29 KB

README.md

File metadata and controls

102 lines (80 loc) · 3.29 KB

Had issues with APT updates breaking and I don't feel like messing with APT problems. Therefore I am attempting to move to a Docker based forensics VM. See the docker directory for more information.
The below may still work but I don't feel like troubleshooting the APT conflicts.

Ultimate-Forensics-VM

Evolving directions on building the best Open Source Forensics VM

VM minimum config recommendations:

  • 2 procs
  • 4GB RAM
  • 30GB disk space
  • 2 NICs
    • One shared or direct connect
    • One host only
      • Use this NIC for the SO monitor interface
      • Replay your PCAPs on this interface

Install Ubuntu 14.04 LTS and run:
sudo apt-get update
sudo apt-get upgrade
sudo apt-get update
sudo apt-get dist-upgrade
sudo reboot

Install SIFT Workstation:
wget --quiet -O - https://raw.github.com/sans-dfir/sift-bootstrap/master/bootstrap.sh | sudo bash -s -- -i
sudo apt-get update
sudo apt-get upgrade
sudo reboot

Install Remnux Tools:
wget --quiet -O - https://remnux.org/get-remnux.sh | sudo bash
sudo apt-get update
sudo apt-get upgrade
sudo reboot

(above three steps sourced from: https://digital-forensics.sans.org/blog/2015/06/13/how-to-install-sift-workstation-and-remnux-on-the-same-forensics-system)

Install JSDetox Docker:
- Awesome JavaScript forensic tool: http://www.relentless-coding.com/projects/jsdetox/
sudo apt-get install docker
sudo apt-get update
sudo apt-get upgrade
Run JSDetox:
docker run
sudo docker run --rm -p 3000:3000 remnux/jsdetox
To stop JSDetox --> use "sudo docker ps -l" to obtain the container ID, then use the "sudo docker stop container-id" and wait about a minute.
Source: https://hub.docker.com/r/remnux/jsdetox/

Install SecurityOnion:
echo "debconf debconf/frontend select noninteractive" | sudo debconf-set-selections
sudo apt-get -y install software-properties-common
sudo add-apt-repository -y ppa:securityonion/stable
sudo apt-get update
sudo apt-get -y install securityonion-all syslog-ng-core
Now setup SecurityOnion as a standalone server.
- You can now run PCAPs against the monitor interface and have Bro and Suricata run against them.
- Install all of your custom Bro scripts
- View the results of the PCAP replay in Sguil and ELSA.
Source: https://github.com/Security-Onion-Solutions/security-onion/wiki/InstallingOnUbuntu

Install Libemu:
sudo apt-get install python-libemu

Install YARA rules: https://github.com/Yara-Rules/rules
mkdir yara
cd yara
git clone https://github.com/Yara-Rules/rules.git
Update to latest YARA version and enable various support:
Download latest version of Yara
tar -xzf yara-3.X.0.tar.gz
cd yara-3.4.0/
./bootstrap.sh
sudo apt-get install libjansson-dev
./configure --with-crypto --enable-cuckoo --enable-magic
make
sudo make install
cd yara-python/
python setup.py build
sudo python setup.py install
yara -v
**more work to do here, not sure if this is the best way forward

Update SIFT and Remnux:
update-sift
update-remnux

If you have any APT keys that need added run the below command.
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys KEY

Reset ELSA DB
(good to do before starting a new investigation)
securityonion-elsa-reset