Basic Computer Skills `When you say "I wrote a program that crashed Windows", people just stare at you blankly and say "Hey, I got those with the system, *for free*".' ~Linus Torvalds
Overview • Hypervisors and Virtual Machines • Basic Linux Commands • Ubuntu Package Manager • Interpreters (Scripting Languages) • Installing from source • SIFT
Hypervisors and Virtual Machines A hypervisor or virtual machine monitor (VMM) is computer software, firmware or hardware that creates and runs virtual machines. A computer on which a hypervisor runs one or more virtual machines is called a host machine, and each virtual machine is called a guest machine. Hypervisor Types - • Type 1 - (bare metal) run directly on the host's hardware (Hyper-V, ESXi, Xen, etc.) • Type 2 - (hosted) run on conventional operating systems (Virtualbox, Vmware Player, Parallels, etc.)
Hypervisors and Virtual Machines • Required for this class • Ubuntu 16.04 VM or SIFT workstation • We will go over the basics of using VirtualBox, a free type-2 hypervisor • We will also support VMware Workstation Pro but will not cover the details of how to use it in class • You are on your own if you use Hyper-V (limited support) or any other hypervisor • The guides for installing VirtualBox were created on a Windows 10 host machine
Virtualbox Installation • Download VirtualBox from https://www.virtualbox.org/wiki/Downloads for your particular OS, and compare the file against the SHA256 checksums published on that page before you run it • On Windows run the downloaded .exe file, follow the prompts and leave the default settings unless you know what you are doing • On Linux you will download a .deb package. We will cover package managers later, but you can install this package using the Ubuntu Software Center or by running ‘sudo dpkg -i [package]’ with the name of the downloaded file as the package name (if dpkg stops on missing dependencies, ‘sudo apt install -f’ pulls them in and finishes the install) • For details on installation and settings read http://download.virtualbox.org/virtualbox/5.2.4/UserManual.pdf
Virtualbox Creating a VM • Virtual disk formats • VDI - VirtualBox's own container format • VHD - Microsoft container format • VMDK - used by many different hypervisors including VMware • Pick a name, OS type, memory size and disk, then click Create
VirtualBox Settings • Usually the default settings are fine • If you install Ubuntu instead of the SIFT virtual appliance • You will want to go into Storage->Controller: IDE, select Empty, check Live CD/DVD and browse to the path of the Ubuntu Live CD ISO • Some settings you might want to change if your computer will allow it • Increase RAM (System->Motherboard->Base Memory) • Increase number of CPUs (System->Processor->Processor(s)) • Increase Video Memory (Display->Screen->Video Memory) • Nine times out of ten, when VirtualBox is freezing or running slow something needs to change in the display settings
VirtualBox Networks (Important) • Your VM will need an internet connection. It is up to you to decide if you want to have a connection on always or only when needed. For most everyone you should choose network settings that will allow you to always have an internet connection.
VirtualBox Networks (Important) • Network Adapters - maximum of 8, only 4 configurable from the GUI • AMD PCNet PCI II (Am79C970A) • AMD PCNet FAST III (Am79C973, the default) • Intel PRO/1000 MT Desktop (82540EM) (supports jumbo frames in bridged mode) • Intel PRO/1000 T Server (82543GC) (supports jumbo frames in bridged mode) • Intel PRO/1000 MT Server (82545EM) (supports jumbo frames in bridged mode) • Paravirtualized network adapter (virtio-net) • Modes (see page 96 of the user manual) • Not Attached • NAT • Bridged • Internal • Host-only
VirtualBox Network Modes (Important) Not attached - In this mode, VirtualBox reports to the guest that a network card is present, but that there is no connection, as if no Ethernet cable was plugged into the card. This way it is possible to “pull” the virtual Ethernet cable and disrupt the connection, which can be useful to inform a guest operating system that no network connection is available and enforce a reconfiguration. Network Address Translation (NAT) - If all you want is to browse the Web, download files and view e-mail inside the guest, then this default mode should be sufficient for you. The guest can reach the outside network, but nothing on your LAN can connect in to the guest unless you add a port-forwarding rule, which is what makes NAT a sensible default for a workstation VM. Please note that there are certain limitations when using Windows file sharing
VirtualBox Network Modes (Important) Bridged networking - This is for more advanced networking needs such as network simulations and running servers in a guest. When enabled, VirtualBox connects to one of your installed network cards and exchanges network packets directly, circumventing your host operating system’s network stack. Your IP address will be within the range configured by the local network your host adapter is connected to, and the guest is reachable from every other machine on that network exactly like a physical host, so do not bridge a VM that you are using to examine suspicious files. Please note that on Linux machines this mode may not function if you are using a wireless card. Internal networking - This can be used to create a different kind of software-based network which is visible to selected virtual machines, but not to applications running on the host or to the outside world.
VirtualBox Network Modes (Important) Host-only networking - This can be used to create a network containing the host and a set of virtual machines, without the need for the host’s physical network interface. Instead, a virtual network interface (similar to a loopback interface) is created on the host, providing connectivity among virtual machines and the host. Guests on a host-only network have no route to the internet, which is what you want for an isolated analysis lab; add a second NAT adapter if a guest also needs to download packages.
VirtualBox Shared Folders • Share a folder with the host machine • Soon we will talk about VirtualBox Guest Additions. Unfortunately, drag and drop of files into and out of VirtualBox is very buggy, so we recommend using a shared folder • Share a dedicated folder, not your whole home directory: everything in the shared folder is readable and, unless you tick Read-only, writable by whatever runs inside the guest • To use a shared folder • Install VirtualBox Guest Additions • Create a folder you wish to share on your host machine • Navigate to your VM’s Settings and then Shared Folders • Click the add-folder icon • Browse to the folder you wish to share • Boot or reboot your VM • Run mkdir ~/share and then sudo usermod -a -G vboxsf $USER; sudo mount -t vboxsf -o uid=$(id -u),gid=$(id -g) [vmshare] ~/share/ • [vmshare] is the name of the shared folder within your shared folder settings (see next slide) • The vboxsf group membership only takes effect after you log out and back in; the uid/gid mount options make the mounted folder owned by your user instead of root
VirtualBox Guest Additions • Software installed on your guest to provide additional functionality • Resizing display • Shared Folders • Drag and Drop • Copy paste • And more… • To install • Your VM must have an optical drive • While the guest is running go to Devices on the file menu then select Insert Guest Additions CD image (See image on right) • Your VM should auto recognize a CD was inserted and ask if you would like to install the software on the disk. Say yes and enter your sudo password
VirtualBox Finished Congratulations you now know enough to build your own VM! Instructions on installing a SIFT workstation will be discussed later in the slides.
Linux Basics • In this class you will learn how to use tools and write reports, but you will also understand how the tools work and how to build your own tools when necessary • Knowing Linux basics is essential in this field • More than likely, if something is routine and annoying there is a command or shortcut to make it easier. Take the time now to automate things and save yourself time later • DISCLAIMER: We will give you a basic introduction to some useful commands you will need to know to operate in a Linux environment. You will probably have to teach yourself additional tools and shortcuts to do well in this class.
Linux Basics • Terminal • There are many different kinds of terminals. By default on Ubuntu you are probably using gnome-terminal, the GUI program that runs the shell you are using • If you are using gnome-terminal here are some useful commands/suggestions • You can create tabs within the terminal using ctrl-shift-T, and select a tab using alt-num where num is the number of the tab you wish to switch to • Do yourself a favor and go into the terminal settings to change the colors and transparency of the terminal to something that won't hurt your eyes
Linux Basics • Shell • There are many different kinds of shells. This is the program interpreting your input and providing basic commands • By default you are probably using GNU Bash. This gives you things like tab completion and by default shows your username, computer name and current directory in the prompt
Linux Basics • Shell special chars • & • Run the preceding command as a background process • > • Output from the preceding command is written to the specified file, replacing its contents • >> • Output from the preceding command is appended to the specified file • < • The file on the right is used as input to the command preceding this char • << • Here-document: the lines that follow, up to a terminator word, are used as input to the preceding command • | • The pipe operator takes the output from the preceding command and uses it as input to the next command • && • The AND operator executes the following command only if the preceding command succeeded (exit status 0) • ; • Execute the preceding statement and then execute the next statement regardless of whether the first one succeeded
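The special characters from the list above, exercised in a script. This is an added example and not part of the original slides; it uses POSIX sh only, the log lines it pipes through grep are constructed, and every file it writes goes into a temporary directory that is removed on exit.

```shell
#!/bin/sh
# Added example (not from the original slides): the shell special characters
# from the table above. POSIX sh only; the input lines are constructed and all
# files are temporary.
set -u

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# > overwrites, >> appends, < feeds a file to a command's stdin.
# After the three writes the file holds 2 lines, not 3, because the second >
# replaced "first".
redirect_count() {
    echo first  >  "$tmp/out.txt"
    echo second >  "$tmp/out.txt"   # overwrite
    echo third  >> "$tmp/out.txt"   # append
    wc -l < "$tmp/out.txt" | tr -d ' '
}

# << is a here-document: the lines up to the terminator word become stdin.
heredoc_sum() {
    awk '{ s += $1 } END { print s }' <<EOF
10
20
12
EOF
}

# | connects stdout of the left command to stdin of the right one.
# Counts the denied entries in three constructed log lines.
pipe_denied_count() {
    printf 'ALLOW user=alice\nDENIED user=bob\nDENIED user=eve\n' | grep -c '^DENIED'
}

# && runs the right side only if the left side exited 0; ; runs it regardless.
# The body runs in a subshell with errexit off so the deliberate 'false'
# cannot abort a caller that uses set -e.
and_vs_semicolon() (
    set +e
    and_ran=no; semi_ran=no
    false && and_ran=yes    # skipped: left side failed
    false ;  semi_ran=yes   # runs anyway
    echo "and_ran=$and_ran semi_ran=$semi_ran"
)

# & starts the command in the background; $! is its PID and wait collects
# its exit status (3 here).
background_status() {
    (exit 3) &
    wait "$!" && rc=0 || rc=$?
    echo "$rc"
}
```

The `&&` versus `;` difference is the one that bites in install scripts: `cd /some/dir; rm -rf *` keeps going when the `cd` fails, `cd /some/dir && rm -rf *` does not.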
Linux Commands Refresher • Basic commands • cd Changes directories. “cd ..” goes up a level, “cd ~” goes to your home directory, “cd /” goes to the root of the file system • ls Lists directory contents. “ls -l” provides the long listing (permissions, owner, group, size, date) • pwd Prints the directory you are in • mkdir Makes a new directory • cp Copies a file. “cp -r” recursively copies a directory and all items inside • mv Renames or moves a file or directory • rm Deletes a file. “rm -r” deletes a directory and all items inside (required to delete non-empty directories); there is no undo • cat Dumps the contents of a file to the screen. Longer files can be viewed a page at a time with less or more • man Gets command usage information (sometimes you can/must use info instead)
Linux Basics • Aliases and Environment Variables • Within bash you can create aliases for certain commands • For example you may just want to type rdph instead of a very long command to remote into your home PC • Bash allows you to view and edit the environment variables that are set for your user • For example echo $PATH will show the directories that are searched when you attempt to run a command. These are also searched when you attempt to tab complete a command • Editing the PATH variable is something you may need to do in this class. Each entry is separated by a colon, e.g. export PATH="$HOME/tools/bin:$PATH". Never put an empty entry or ‘.’ in PATH: the shell would then run programs out of whatever directory you happen to be in • ~/.bashrc • Bash provides a default init file that will run every time bash is loaded (when you open a new terminal). This is usually where you will put your aliases and will have something that looks like the following:
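A small PATH audit and a safe way to prepend to it, as an added example that is not from the original slides. The directories and the PATH string it checks are constructed in a temporary directory; nothing here touches your real PATH unless you call path_audit "$PATH" yourself.

```shell
#!/bin/sh
# Added example (not from the original slides): audit PATH and extend it safely.
# Entries are separated by colons. An empty entry ("a::b", a leading or trailing
# ":") or "." means the current directory, so a file named "ls" planted in the
# directory you happen to be in would run instead of /bin/ls. The sample PATH
# and directories below are constructed in a temp dir.

# Print each entry of the PATH string $1 on its own line (empty entries print
# as empty lines).
split_path() {
    printf '%s\n' "$1" | tr ':' '\n'
}

# Report risky entries of the PATH string $1, one per line, as <entry>:<reason>.
# World-writable is read from the 'ls -ld' mode string: character 9 is the
# write bit for "everyone else". -L follows symlinks such as /bin -> /usr/bin.
path_audit() {
    split_path "$1" | while IFS= read -r dir; do
        if [ -z "$dir" ]; then
            echo '"":empty'
        elif [ "${dir#/}" = "$dir" ]; then
            echo "$dir:relative"
        elif [ ! -d "$dir" ]; then
            echo "$dir:missing"
        elif [ "$(ls -ldL "$dir" | cut -c9)" = w ]; then
            echo "$dir:world-writable"
        fi
    done
}

# Prepend directory $1 to the PATH string $2 and print the result. Refuses
# relative or nonexistent directories and does not add a duplicate.
path_prepend() {
    new=$1; cur=$2
    case "$new" in /*) ;; *) echo "$cur"; return 1 ;; esac
    [ -d "$new" ] || { echo "$cur"; return 1; }
    case ":$cur:" in
        *":$new:"*) echo "$cur" ;;
        *)          echo "$new:$cur" ;;
    esac
}

# Constructed sample: one safe directory, one world-writable directory, an
# empty entry, a relative entry and a directory that does not exist.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
mkdir -p "$tmp/safe" "$tmp/open"
chmod 755 "$tmp/safe"
chmod 777 "$tmp/open"
DEMO_PATH="$tmp/safe:$tmp/open::relative/bin:$tmp/nope"

# Typical use on your own account:  path_audit "$PATH"
# In ~/.bashrc:  PATH=$(path_prepend "$HOME/tools/bin" "$PATH"); export PATH
```

Prepending is the right direction when you want your own build of a tool to win over the distribution's copy; appending is the safer default for directories you do not fully control, because a system binary of the same name is then found first.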
Linux Basics • Linux uses a single large tree-structured file system where the root of the tree is at / • At the root directory there are several very important folders you will eventually become acquainted with, but for now you should know your default user directory is within the /home folder. An alias for your home folder is ‘~’ and the environment variable $HOME will also contain that directory • Every file and folder has a list of permissions and other metadata associated with it
Linux Basics • Users and Groups • Linux is a multiuser system. Every user belongs to at least one group • The command ‘id’ will show you which user you are and what groups you are in • Every file has one owner and one group associated with it • ‘ls -l’ shows the permissions, owner and group of each file
Linux Basics • Permissions • File • Read (r) • Write (w) • Execute (x) • Directory • Read - list contents of directory • Write - permission to create or delete files in the directory • Execute - allows the user to enter the directory and access any subdirectories
Linux Basics • Permissions • ls -l • Example: drwxr-xr-x • The first character gives the type of file: ‘d’ for directory, ‘-’ for a regular file, ‘l’ for a symbolic link • The next three characters are the permissions of the owner • The following three are the permissions of the group • The last three are the permissions for everyone else • An ‘s’ in the owner or group execute position means setuid or setgid (the program runs with the owner’s or group’s privileges, which is why setuid-root binaries get special attention in a review); a ‘t’ in the last position of a directory is the sticky bit (only a file’s owner can delete it, as in /tmp)
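Turning the mode string from ls -l into the octal value chmod takes, and checking what the directory read and execute bits actually gate. This is an added example, not from the original slides; the directory it experiments on is created in a temporary location, and the directory-bit check only holds for an unprivileged user because root bypasses permission checks.

```shell
#!/bin/sh
# Added example (not from the original slides): convert the 10-character mode
# string from 'ls -l' into the octal number chmod takes, and show what the
# directory read and execute bits control. The s/S/t/T letters in the execute
# positions (setuid, setgid, sticky) are included because a setuid-root binary
# is exactly what a permissions review is looking for.

# usage: mode_to_octal drwxr-xr-x -> 755 ; mode_to_octal -rwsr-xr-x -> 4755
mode_to_octal() {
    mode=$1; special=0; out=""
    for start in 2 5 8; do            # owner, group, everyone else
        triple=$(printf '%s' "$mode" | cut -c"$start-$((start + 2))")
        d=0
        case "$triple" in r??)      d=$((d + 4)) ;; esac
        case "$triple" in ?w?)      d=$((d + 2)) ;; esac
        case "$triple" in ??[xst])  d=$((d + 1)) ;; esac   # lowercase s/t = x bit set too
        case "$start$triple" in
            2??[sS]) special=$((special + 4)) ;;   # setuid
            5??[sS]) special=$((special + 2)) ;;   # setgid
            8??[tT]) special=$((special + 1)) ;;   # sticky
        esac
        out="$out$d"
    done
    if [ "$special" -eq 0 ]; then echo "$out"; else echo "$special$out"; fi
}

# Directory bits in practice: with r but not x you can list names but not open
# anything inside; with x but not r you can open a known name but not list.
# Prints "400:list=<yes|no>,open=<yes|no> 100:list=...". Root bypasses these
# checks, so the result only holds for an unprivileged user.
dir_bits_demo() (
    set +e
    d=$(mktemp -d)
    echo secret > "$d/note"
    report=""
    for m in 400 100; do
        chmod "$m" "$d"
        ls "$d" >/dev/null 2>&1 && l=yes || l=no
        cat "$d/note" >/dev/null 2>&1 && o=yes || o=no
        report="$report${report:+ }$m:list=$l,open=$o"
    done
    chmod 700 "$d"
    rm -rf "$d"
    echo "$report"
)
```

A quick way to put mode_to_octal to work on a whole system is to feed it the mode column of `ls -l` for the files that `find / -perm -4000` reports, which lists every setuid binary.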
Extracting Software • Extensions: tgz, tar.gz (gzipped tarballs) • tar xzf [filename] • Extensions: tbz, tbz2, tar.bz2, tar.bz (bzipped tarballs) • tar xjf [filename] • Modern tar detects the compression itself, so tar xf [filename] works for both • List the archive first with tar tf [filename]: a tarball from an untrusted source can contain member names that start with / or contain .., and you want to know where the files will land before you extract
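The listing check described above, as an added example that is not from the original slides. The tar listing with the two escape attempts is constructed; the clean archive used to exercise safe_extract is built in a temporary directory, and tool-1.0 is a made-up package name.

```shell
#!/bin/sh
# Added example (not from the original slides): inspect a tarball before
# extracting it. Member names that start with / or contain .. can land files
# outside the target directory on tar versions that do not strip them
# ("tar slip"). SAMPLE_LISTING is constructed; the archive is built in a temp dir.

# Read a 'tar tf' listing on stdin and print the members that would escape the
# extraction directory: absolute paths, or any path component equal to "..".
unsafe_members() {
    awk '
        /^\// { print; next }
        {
            n = split($0, parts, "/")
            for (i = 1; i <= n; i++) if (parts[i] == "..") { print; break }
        }
    '
}

# usage: safe_extract archive.tgz destdir  -> extracts only if the listing is clean
safe_extract() {
    archive=$1; dest=$2
    bad=$(tar tf "$archive" | unsafe_members)
    if [ -n "$bad" ]; then
        printf 'refusing to extract %s, unsafe members:\n%s\n' "$archive" "$bad" >&2
        return 1
    fi
    mkdir -p "$dest" && tar xf "$archive" -C "$dest"
}

# Constructed listing mixing clean members with two escape attempts.
SAMPLE_LISTING='tool-1.0/
tool-1.0/configure
tool-1.0/src/main.c
../../.bashrc
/etc/cron.d/job'

# Build a small, clean archive in a temp dir to exercise safe_extract.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
mkdir -p "$tmp/src/tool-1.0"
printf '#!/bin/sh\necho configure\n' > "$tmp/src/tool-1.0/configure"
tar czf "$tmp/tool-1.0.tgz" -C "$tmp/src" tool-1.0
```

Usage: `safe_extract downloaded.tgz ./build`. GNU tar strips a leading / and refuses .. components by default, so the check is belt-and-braces on Ubuntu, but it costs nothing and also tells you whether the archive has a single top-level directory or will spray files into the current directory.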
Build From Source • Before you can build from source you need to install the necessary dependencies. The documentation may or may not tell you which dependencies you need. When you get compilation errors or something similar you may have to figure out yourself which dependencies are missing • There are several packages you will definitely need during this course and for many build-from-source scenarios • Basic packages (everything except pip comes with the SIFT workstation) • sudo apt install build-essential libc6:i386 libncurses5:i386 libstdc++6:i386 git python-pip
Build From Source • Most of the tools we will build in class use GNU Autotools to prepare and execute a build • Generally you will have to run the following commands • ./configure • Usually ‘./configure --help’ will list configuration options; ‘./configure --prefix=$HOME/.local’ installs under your home directory instead of /usr/local, so the install step needs no sudo and hand-built files do not get mixed into the system directories • make • sudo make install
Ubuntu Package Manager • apt update/upgrade • update - download package information from all configured sources • upgrade - download and install newer versions of all currently installed packages from the configured sources • apt install (apt-get install) • apt remove/purge • remove - leaves configuration files behind • purge - completely removes the package and its configuration files • apt search (apt-cache search) • Search for packages using the given regex terms • apt list • --installed, --upgradeable, --all-versions • apt show • Show information about the given package (dependencies, install/download size, description, etc.)
Interpreters and Scripting Languages • Many tools are written in scripting languages such as Perl, Python, and Ruby. Since you will likely be using tools in all three of these languages you will at least need to know how to run a program written in these languages • You will need to know how to install packages for each of these languages • You do not necessarily need to understand all three languages but you should choose one to learn for scripting purposes in this class
Interpreters and Scripting Languages • Perl • This should be installed by default (run perl -v to see which version you have) • Naming convention suggests script files end with .pl but that is not necessary • Perl packages (modules) mostly come from the central repository known as CPAN (the Comprehensive Perl Archive Network) • Packages are installed through the CPAN shell, e.g. cpan Module::Name or perl -MCPAN -e 'install Module::Name' • To run a script: perl [script_file.pl]
Interpreters and Scripting Languages • Python • This should be installed by default (run python -V to see which version you have) • You will need a parallel installation of python3 and python 2.7 • sudo apt-get install python3-minimal • Python packages are installed using the OS’s package manager by default. For example: • sudo apt install python-setuptools python3-setuptools (this installs the setuptools packages for python 2.* and 3) • You may wish to use pip to install python packages • sudo apt install python-pip python3-pip • You can now use pip or pip3 on the command line to install a specific package or update a package for python 2.* or python 3 • Avoid sudo pip install into the system interpreter: it overwrites files that apt manages; prefer pip install --user or a virtualenv • Convention is to use the *.py extension for python scripts but it is not necessary • To run a script: python[3] [script_file.py]
Interpreters and Scripting Languages • Ruby • This is probably not installed by default (Run ruby -v to see which version you have) • To install: sudo apt install ruby rubygems • The package manager is rubygems you can run it with the ‘gem’ command • Default extension is *.rb but again is not necessary • To run a ruby script: ruby [script_file.rb]
Linux Basics • Working with images • losetup - Creates a loop device associated with a disk image • mmls (part of sleuthkit) - list partitions of a particular image file
Linux Basics • The previous mmls command told us the NTFS file system starts at sector 16065. Each sector is 512 bytes, so the partition starts at byte offset 16065 × 512 = 8225280, which is the value to give losetup -o or mount -o offset= • Always attach evidence read-only (losetup -r, mount -o ro) so the image is never modified by the mount
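The offset computation and the read-only losetup/mount step, as an added example that is not from the original slides. The mmls output is constructed to match the numbers above (one NTFS partition starting at sector 16065 on a 512-byte-sector image); disk.dd and /mnt/evidence are placeholder names, and the mount commands are printed rather than run because they need root and a real image.

```shell
#!/bin/sh
# Added example (not from the original slides): compute the byte offset of the
# NTFS partition from mmls output and build read-only losetup/mount commands.
# SAMPLE_MMLS is constructed; disk.dd and /mnt/evidence are placeholders.

# Constructed mmls output for an image with one NTFS partition at sector 16065.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000016064   0000016065   Unallocated
002:  000:000   0000016065   0020964824   0020948760   NTFS / exFAT (0x07)'

# Read mmls output on stdin and print "<start_sector> <sector_size> <byte_offset>"
# for the first NTFS partition. The sector size comes from the "Units are in"
# line rather than being assumed; Meta entries (the partition table itself)
# are skipped. Exits 1 if no NTFS partition is present.
ntfs_offset() {
    awk '
        /^Units are in [0-9]+-byte sectors/ {
            sub(/^Units are in /, ""); sub(/-byte.*/, ""); ss = $0 + 0
        }
        /NTFS/ && $2 != "Meta" && start == "" { start = $3 + 0 }
        END {
            if (start == "" || ss == 0) exit 1
            print start, ss, start * ss
        }
    '
}

# Print the commands to attach the image read-only.
#   losetup -r   makes the loop device itself read-only
#   mount -o ro,noexec,nodev,nosuid  keeps the evidence unmodified and stops
#                anything on it from being executed or acting as a device node
# usage: mount_commands disk.dd 8225280 /mnt/evidence
mount_commands() {
    img=$1; off=$2; mnt=$3
    echo "dev=\$(sudo losetup -r -f --show -o $off '$img')"
    echo "sudo mkdir -p '$mnt' && sudo mount -o ro,noexec,nodev,nosuid \"\$dev\" '$mnt'"
}

# End-to-end on the constructed output: parse, then print the commands.
demo() {
    off=$(printf '%s\n' "$SAMPLE_MMLS" | ntfs_offset | awk '{ print $3 }') || return 1
    mount_commands disk.dd "$off" /mnt/evidence
}
```

On a real image the first line becomes `mmls disk.dd | ntfs_offset`. When you are done, `sudo umount /mnt/evidence && sudo losetup -d "$dev"` releases the loop device.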
Linux Basics • FUSE - is a Linux kernel module that allows for “File Systems In User Space.” In addition to interpreting file systems, various FUSE modules will also interpret volumes or containers and allow for access to their contents. There are many FUSE modules implementing everything from cloud-based file systems to encrypted local file systems to Wikipedia as a file system. • sudo apt install zfs-fuse python-fuse fuse-zip sshfs • ZFS-Fuse—a driver for Sun’s ZFS file system • Python-Fuse—a python API for implementing FUSE file systems • Fuse-Zip—a FUSE module that presents ZIP archives as file systems • SSHFS—a FUSE module that transparently presents remote file systems as local
Linux Basics • MountEWF - is a program that presents an Expert Witness Format forensic image as a raw image. It does this by leveraging the FUSE system via Python. • sudo apt install libewf • Download https://sourceforge.net/projects/libewf/files/mount_ewf/mount_ewf-20090113/ • Save that file in a place you can remember, or alias python mount_ewf-20090113.py to mewf or something similar
Linux Basics • AFFuse - is a FUSE-based program that gives the examiner access to Advanced Forensic Format containers. From an examiner’s perspective, AFFuse operates in much the same manner as MountEWF: the forensic container is “mounted” to a directory provided by the examiner. This directory will have a file for each stream inside the AFF container, which can then be accessed as “raw” images via losetup. AFFuse is part of the AFF library, available at https://github.com/sshock/AFFLIBv3 . AFFuse requires the FUSE development library, and AFF itself requires the expat library for signature verification. • sudo apt install libfuse-dev libexpat1-dev git • git clone https://github.com/sshock/AFFLIBv3.git • Follow the instructions in README_linux.txt • Run libtoolize, aclocal, autoconf, autoheader, automake --add-missing • ./configure && make && sudo make install (the install step writes to /usr/local and needs root)
Linux Basics • XMount - offers similar functionality to MountEWF and AFFuse. XMount can also present the contents of the container as a VirtualBox or VMware format disk image, converting on the fly through FUSE, which allows an examiner to boot a virtual instance of an imaged system. XMount writes any changes to a cache file so the original image is never modified. • sudo apt install xmount
What is SIFT? The SIFT Workstation is a group of free open-source incident response and forensic tools designed to perform detailed digital forensic examinations in a variety of settings. It can match any current incident response and forensic tool suite. SIFT demonstrates that advanced incident response capabilities and deep dive digital forensic techniques to intrusions can be accomplished using cutting-edge open-source tools that are freely available and frequently updated.
Installing SIFT Workstation • Three options • Import virtual appliance *RECOMMENDED • https://digital-forensics.sans.org/community/downloads • Install on existing Ubuntu 16.04 VM • https://github.com/sans-dfir/sift-cli#installation • Don’t download SIFT • Download and install tools as we use them in class • Don’t complain when stuff doesn’t work for you in class if you choose this option
Installing SIFT Workstation • Import virtual appliance • https://digital-forensics.sans.org/community/downloads • Create an account with SANS • Log in, go to the link above and download the .ova (4.6GB) file • You will also need a hypervisor, VirtualBox or VMware. I highly recommend VMware Workstation Pro but it is not necessary • The OVA file was tested using VirtualBox and VMware Workstation Pro • Login = sansforensics, Password = forensics • These are the appliance's published default credentials, so run passwd and change the password before you give the VM a bridged network connection • Go ahead and run the following • sudo apt update • sudo apt upgrade
Recommended Changes • Enable bidirectional clipboard and “Drag and Drop” • If using VirtualBox, Drag and Drop does not work well, so you will want to go ahead and use a shared folder to move files • By default the VM does not have much video memory, so you may want to give it 40 MB or so, else switching to full screen mode might be a problem • By default the VM does not have an optical drive • Go into Settings->Storage->Controller: SATA and add an optical drive; leave it empty for now • Install Guest Additions