Building a Home Lab to Learn Digital Forensics
If you read our previous article, Starting a Career in Digital Forensics, you should have a good idea about resources to help you build foundational knowledge in various areas of digital forensics. This article is going to focus more on the experience needed to land a first job in digital forensics — and how to build a home lab to practice the techniques currently used in the field.
Gaining hands-on experience will aid you in speaking intelligently on topics during an interview, as well as help you understand why certain data is critical during digital forensics investigations. So, let's get started on the set up of a home lab environment.
Setting Up a Home Lab Environment
There are various ways to set up a home lab, however, we're going to go over the most reasonable and cost-effective way to accomplish it. You can use tools that are all open source, meaning you really don't have to invest any money in the software and virtual machines needed for the lab. The only investment that may be necessary is to have a computer with at least 12GB of RAM and an up to date i5 processor, if you don't already.
To begin, you will need a hypervisor to host your VM's such as Oracle VM VirtualBox or VMWare Workstation Player. If you don't mind dropping a little cash, you can go for VMWare Workstation Pro. Keep in mind, you cannot take snapshots of your VMs if you use VMWare Workstation Player (which is free). VirtualBox is also free but will allow you to take snapshots. This is what I use and have not had any issues using it, so VirtualBox is my recommendation for a free hypervisor. Below are the links where each of them can be found:
The next step to building a lab environment is acquiring the virtual machines needed to conduct your work. We recommend that you get a Windows 10 machine. These machines are developer versions for Edge, so they do have a limited life span. However, they are great for practicing the acquisition of Windows images and pulling volatile data from a Windows system. These can be found here:
You will also need a Linux VM that you can conduct forensic tasks from. We recommend SIFT Workstation because it comes pre-loaded with various tools that are very useful. This can be found here:
You can either load up the pre-built .ova that SANS provides or you can install it on top of an existing Ubuntu desktop. Instructions for both methods are provided in the link above.
In addition to the already mentioned machines, we also encourage you to download and install a Skadi Server. This will greatly aid in the collection and analysis of volatile data on a system because it provides a collection executable (CyLR.exe), as well as a Kabana instance to analyze the data.
As far as the actual virtual machines go, the Windows 10 and Linux VM are pretty much all you will need to get started. However, you should set the VMs up so that they can communicate with each other. That way you can acquire the information needed from each VM without having to use your host as a middleman. Instructions on setting them up in VirtualBox can be found here.
What Do You Gain From a Lab Environment?
The answer to this question is quite simple: you practice digital forensic techniques and gain the ability to speak intelligently about them through practical application.
We're going to go over some of the simpler techniques that can be practiced in a lab environment, along with where you can acquire files to analyze — and what tools you can use.
To start off, you will want to learn the tools needed to conduct various digital forensic techniques. As stated previously, there are many tools already installed on the SIFT Workstation. However, there are also some Windows tools that can be used to extract information useful during an investigation.
What Techniques You Can Learn in a Lab?
As with any digital forensic investigation, you always need to know what data you are looking for prior to starting your analysis. This is determined by the client or principle and is usually general in nature such as "I need to know if this person executed this program, opened this file, changed this configuration, etc.".
Then from that point, it will be up to you to determine the places to look in order to provide them with the data that they need. As a forensics analyst, it is never your job to make a final decision, it is your job to present unbiased factual data. So, we're going to provide a few Windows artifacts, what information they can provide, and situations in which they can be of great value.
You can use the lab to change certain variables (such as installing an application, adding/removing/modifying a file, executing an application, etc.) and see how these artifacts change to provide you with accurate information.
What are Useful Windows Artifacts?
Windows artifacts are a key element to a digital forensics investigation that involves, well, a Windows system(s). Below are the most useful Windows artifacts to practice with in your lab environment along with a brief description:
- Registry. Contains information that Windows continually references during operation such as profiles, software and hardware configurations, and property sheets.
- MFT (Master File Table). A database in which information about every file and directory on an NT File System (NTFS) volume is stored.
- Shimcache. Used by the operating system to identify application compatibility issues.
- Amcache.hve. A registry file that stores the information of executed applications.
- Prefetch. Stores specific data about the applications you run in order to help them start faster.
- Shell Bags. Helps track views, sizes and positions of a folder window when viewed through Windows Explorer. This includes network folders and removable devices.
- Shortcut (LNK) files. A file extension for a shortcut file used by Microsoft Windows to point to an executable file.
- Browser cache. Temporary storage area on your computer or laptop for the files downloaded by your web browser to display sites.
- Account usage (security logs and logon types). Records events as defined by the audit policies set on each object and how a user logged on or off of a device.
There is a lot more information that goes along with each of these artifacts, so we strongly encourage you to research these further and develop a strong understanding of them. All of these artifacts will be included within a full disk image of a host (i.e. using a tool such as FTK Imager, dd, or EnCase) to collect an image of the entire drive.
Analyzing the above artifacts and being able to intelligently speak to each one will provide an employer assurance that you know what to look for when conducting forensic analysis — and that you have put for the effort to learn on your own. Many employers understand that you may not have had the option to conduct investigations on a professional level.
It can be frustrating trying to get your foot in the door of digital forensics. But with a little perseverance and practice, you can build the right skill set and give yourself a fighting chance to land that first job.