Building a lab on MacBook

09/06/2020

Environment: MacBook 1278, macOS Catalina 10.15.6 (19G2021)

Tools: VBox Version 6.1.12 r139181 (Qt5.6.3), pyenv 1.2.20, CDQR-20191226, plaso-20200430, autopsy-4.15.0

As any newbie would have done (or almost any), I’ve started with tutorials and information stream setups (courses to watch, books and articles to read, podcasts to listen to and even some tools to try). I’ve also created a list of preferable skills I’m planning to acquire, to what extent, and a list of topics to cover.

As for the forensic field, I’ve chosen the SDF series on Udemy as my primary source of fundamental information, and also this book and this podcast. For my forensic lab - a MacBook Pro 1278 with OSX Catalina (although at the beginning it was a Windows machine but ... that’s another story - read “How I Broke My Husband’s MacBook”).

I have also configured pyenv virtual environments for different versions of Python (these chaps messing around with each other cause too much pain...). For more detail on how it all works - https://github.com/pyenv/pyenv#how-it-works.


In the SDF series the first course that I watched was about Windows prefetch files. Therefore the tools for it were the first ones to try: Winprefetch, CDQR. How much pain I’ve gone through to install CDQR, when in the end it was very embarrassing to find out how simple it actually was... Immediately after first trying to launch cdqr.py I was drawn into the vortex of “pip install something”, “pyenv install 3.X.X”, "brew install something evenmorecrazy", then subsequent uninstalls and configures and makes, all to realize in the end that a simple "pip install -r requirements.txt" of the right version was sufficient.

To be fair to myself, I had almost installed it all manually, but I stumbled upon "pyfwsi", which I couldn't find with pip and which I then tried to build from source (and failed). But it turned out that now it's called libfwsi-python (apparently).
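The setup the two paragraphs above arrive at (one pyenv virtualenv per tool, then the pinned requirements installed into it) as an added example, not a script from the original post or from the CDQR project. It assumes pyenv plus the pyenv-virtualenv plugin are installed, that CDQR has been cloned into `$CDQR_DIR`, and that the interpreter version `3.7.7` and the venv name are placeholders to adjust; `DRY_RUN=1` prints the plan instead of executing it.

```shell
#!/bin/sh
# Added example: isolate CDQR/plaso's pinned Python dependencies in their own
# pyenv virtualenv so they never collide with other Python work on the host.
# Assumptions (not from the post): pyenv + pyenv-virtualenv are installed,
# CDQR is checked out in $CDQR_DIR, and 3.7.7 is a placeholder version.

CDQR_PY="${CDQR_PY:-3.7.7}"                      # assumed interpreter version
CDQR_VENV="${CDQR_VENV:-cdqr-$CDQR_PY}"          # one venv per tool + version
CDQR_DIR="${CDQR_DIR:-$HOME/forensics/tools/CDQR}"

# Execute a command, or only print it when DRY_RUN=1 so the plan can be reviewed.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Build the interpreter and virtualenv, then pin the venv to the CDQR checkout.
setup_cdqr_env() {
    run pyenv install -s "$CDQR_PY"                     # -s: skip if already built
    run pyenv virtualenv "$CDQR_PY" "$CDQR_VENV"
    # .python-version in the repo dir makes pyenv switch to the venv on cd
    run sh -c "cd '$CDQR_DIR' && pyenv local '$CDQR_VENV'"
    # The step the post found sufficient, run with the venv's pip, not the system one
    run sh -c "cd '$CDQR_DIR' && pyenv exec pip install -r requirements.txt"
}

# Sanity check: the venv's interpreter answers and cdqr.py loads its imports
# (assumes cdqr.py accepts -h, as an argparse script does).
verify_cdqr_env() {
    run sh -c "cd '$CDQR_DIR' && pyenv exec python --version && pyenv exec python cdqr.py -h >/dev/null"
}

# Entry point only when explicitly asked for, so sourcing the file is side-effect free.
if [ "${LAB_SETUP:-0}" = "1" ]; then
    setup_cdqr_env && verify_cdqr_env
fi
```

Run it with `LAB_SETUP=1 DRY_RUN=1 sh cdqr-env.sh` first to read the commands it would issue, then without `DRY_RUN` to apply them; the `pyenv local` step is what makes a plain `pip` inside the checkout hit the right interpreter afterwards.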

CDQR needs Plaso, which is a Python tool for creating timelines from a large amount of logs and other data (see https://plaso.readthedocs.io/en/latest/#:~:text=Plaso%20(Plaso%20Langar%20A%C3%B0%20Safna,supports%20creating%20more%20targeted%20timelines).

For installation on Mac OSX, see https://plaso.readthedocs.io/en/latest/sources/user/MacOS-Source-Release.html.

Free virtual machines with Windows (7, 8.1 and 10) and different versions of IE and MSEdge. Even though these machines have a trial period, you can take a snapshot of Windows and roll back when it expires (the developers advise that themselves, so it's not like pirating or cheating :) ) - https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/

https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/

Download and install VirtualBox, and create a shared folder for all the forensic VMs. There you can put the .exe files that are run on Windows, or drop samples, or create samples and share them with the host.

I found it very useful to create two shared folders: one for all VMs (Linux, Windows, Android) for samples and other temporary files, and another with all forensic tools (in case some of them do not work on OSX).
Also, I’ve created a bootable USB with Santoku Linux (using Rufus - How I Managed To Create Santoku USB) and another one with several other distros (Santoku, Kali and cain). I might not use all of them, but I want to try them and see which one is the best for me.
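The two shared folders described above, plus the snapshot-and-rollback routine for the trial images, as an added example that is not part of the original post. It drives VirtualBox's own `VBoxManage` CLI; the host paths, VM names and snapshot name are placeholders, and `DRY_RUN=1` prints the commands instead of running them. The tools folder is attached read-only on purpose: a sample detonated in one guest then cannot modify the tool set every other VM mounts.

```shell
#!/bin/sh
# Added example: give every forensic VM the same two shared folders and a
# clean baseline snapshot to roll back to. Assumes VBoxManage is on PATH;
# the directories and VM names below are placeholders, not from the post.

SAMPLES_DIR="${SAMPLES_DIR:-$HOME/forensics/samples}"   # scratch: samples, temp files
TOOLS_DIR="${TOOLS_DIR:-$HOME/forensics/tools}"         # tool binaries, shared read-only

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Attach both folders to one VM. --automount mounts them at guest boot; the
# tools folder is --readonly so a guest cannot tamper with the shared tool set.
add_lab_folders() {
    vm="$1"
    run VBoxManage sharedfolder add "$vm" --name samples \
        --hostpath "$SAMPLES_DIR" --automount
    run VBoxManage sharedfolder add "$vm" --name tools \
        --hostpath "$TOOLS_DIR" --automount --readonly
}

# Take the baseline snapshot right after first boot, before the trial clock matters.
take_baseline() {
    vm="$1"; name="${2:-baseline}"
    run VBoxManage snapshot "$vm" take "$name" \
        --description "clean install, trial not expired"
}

# Roll a VM back to its baseline (the vendor-advised way to keep using a trial image).
restore_baseline() {
    vm="$1"; name="${2:-baseline}"
    run VBoxManage controlvm "$vm" poweroff 2>/dev/null || true   # no-op if not running
    run VBoxManage snapshot "$vm" restore "$name"
}

# Apply a function to every registered VM whose name starts with a prefix,
# e.g. for_each_vm "IE11" add_lab_folders. Needs a live VirtualBox install.
for_each_vm() {
    prefix="$1"; shift
    VBoxManage list vms | sed 's/^"\(.*\)" {.*}$/\1/' | while read -r vm; do
        case "$vm" in "$prefix"*) "$@" "$vm" ;; esac
    done
}
```

Typical order for a freshly imported Microsoft image: `add_lab_folders "IE11 - Win10"`, boot it once so the Guest Additions mount the folders, shut down, then `take_baseline "IE11 - Win10"`; when the trial expires, `restore_baseline "IE11 - Win10"` puts it back.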

I would also like my favourite debugger and disassembler installed (IDA Pro and x64dbg). I sometimes used OllyDbg, but I personally find x64dbg nicer and more comfortable.

Russian Federation, somewhere in Moscow