One late evening, when my eyes were so difficult to keep open, I decided to set up a Windows lab on my M1 Mac. Long story short, I couldn’t make Autopsy work as expected and that’s why I had to waste my time on this task…
First, I had to sign up for the Microsoft Insider Program here. It was free and I signed up. Then I installed Parallels from here using the “Try technical preview” option that was available at that point in time. Also, at that point in time a free activation key 🔑 was available for Parallels (thank you 🙏 so much, guys, for this) here. During the installation process I was a little bewildered by the question about the intended use of this software: gaming or ordinary use (text editing, web browsing etc.). I chose “Gaming” since I presume Autopsy and similar software consume much power. However, I’m not sure if this option changes the performance or it’s rather some survey. Anyway. After all that, everything worked like a charm. But I still had not tried installing Autopsy… So, let’s…
Downloading Autopsy from here. Waiting… 🕰 … Done 👍.
Launching 🚀 and keeping my fingers crossed 🤞 …
It’s alive! It’s alive…🧟 Kidding. It works. I’m happy, it was an awesome evening, time not wasted too much thanks to Windows and Parallels. Some sleep deserved 😆. Good night! 🛌 😴 🌙
21:21 Free time, and time to check my Autopsy setup on the Windows VM. Ta-da-da-dam… 🥁. I have only chosen the ‘Data integrity’ module, but the time it is taking to load makes me a little 😬 nervous.
21:35 I had to copy the data source from the external drive and restart Autopsy in order to make it run.
21:36 I’ll try to run it against a data source on the external HDD, because keeping these huge files on the Mac is not a very good idea. Had to press Enter multiple times to make it work.
21:42 12% loaded already.
21:00 I’ve been building a lab on AWS (read here about how I got started with AWS and here for my GCFA prep plan). Here are the questions that I’ve been asking myself and answering. The idea was to make a small lab with two different DC servers and several user machines. Since AWS doesn’t have Windows machines in the free tier other than servers, my user machines are actually servers themselves, but used as user machines.
❓ Can I upload images in ova or vmdk formats to AWS to run some custom instance?
👌 Answer: Yes, you can upload your own images in ova, vmdk and vhd formats, but not all of them. Most of them gave me kernel version errors ("StatusMessage": "ClientError: Unsupported kernel version 4.18.0-15-generic"). The only one I managed to upload and import was Ubuntu Desktop 16.04. It failed with the Hacking: The Art of Exploitation CD and the official SIFT-Workstation.ova. Besides, I got charged for keeping a snapshot of this machine.
❓ How to install and configure AD?
👌 Answer: Read here.
❓ How to convert
❓ How to connect a machine to the server?
👌 Answer: Create a user on the DC and change the settings as described here: https://www.edureka.co/community/51996/how-to-connect-an-ec2-linux-instance-another-linux-instance and here: https://www.youtube.com/watch?v=z6NbfYT7oaw.
Since Amazon was charging too much for my almost non-existent activity, I decided to set up the same lab locally on an Intel-based MacBook Pro. But how to connect two PCs? For that I rewatched the video above.
On the DC install Active Directory and add users. Set the network settings as follows:
- IP address: 192.168.1.82
- Mask: 255.255.255.0
- Default Gateway 192.168.1.1
- DNS: 127.0.0.1 (since the DNS Server is configured on the same machine)
On another VM which is playing the role of a user:
- IP address: 192.168.1.84
- Mask: 255.255.255.0
- Default Gateway 192.168.1.82 (the IP of the Domain Controller configured above)
- DNS: 192.168.1.82 (the IP of the Domain Controller configured above)
On restart, the user PC now has two sign-in options. You might need to press “Back” to see them. Using the registered credentials, log into the domain.
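The two static configurations above, as an added PowerShell example (not from the original post): it assumes the adapter alias is Ethernet (check with Get-NetAdapter) and uses the hypothetical domain name lab.local, since the post does not name the domain.

```powershell
# Added example; the domain name lab.local and the user 'labuser' are assumptions.
$nic = 'Ethernet'

# ---- On the Domain Controller (192.168.1.82) ----
New-NetIPAddress -InterfaceAlias $nic -IPAddress 192.168.1.82 `
    -PrefixLength 24 -DefaultGateway 192.168.1.1
# DNS points to itself because the DNS role is installed together with AD DS
Set-DnsClientServerAddress -InterfaceAlias $nic -ServerAddresses 127.0.0.1

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
# Promotes this server to the first DC of a new forest and reboots it
Install-ADDSForest -DomainName 'lab.local' -InstallDns `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') -Force

# After the reboot: add the lab user that the client will sign in with
New-ADUser -Name 'labuser' -SamAccountName 'labuser' -Enabled $true `
    -AccountPassword (Read-Host -AsSecureString 'labuser password')

# ---- On the user VM (192.168.1.84) ----
# Gateway and DNS both point at the DC, as in the configuration above
New-NetIPAddress -InterfaceAlias $nic -IPAddress 192.168.1.84 `
    -PrefixLength 24 -DefaultGateway 192.168.1.82
Set-DnsClientServerAddress -InterfaceAlias $nic -ServerAddresses 192.168.1.82

# Sanity checks before joining: the DC must answer the domain's SRV lookup
# and accept LDAP connections, otherwise Add-Computer fails with a DNS error
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.lab.local' -Type SRV
Test-NetConnection -ComputerName 192.168.1.82 -Port 389

# Join the domain and reboot; the second sign-in option appears afterwards
Add-Computer -DomainName 'lab.local' `
    -Credential (Get-Credential -UserName 'lab\Administrator' -Message 'Domain admin') -Restart
```

After the reboot, `nltest /dsgetdc:lab.local` on the client confirms which DC it located.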
I’ve recently run into a great online course (Specialization) by IBM on Coursera. In one of the modules about Incident Response they provided a link to a SANS paper in which a very thorough example of a security incident investigation is provided from the point of view of both the Blue and Red Teams.
I decided to build myself a lab to replicate this attack, to be able to analyse it myself and utilise it in future for exercises (exploiting and then observing the footprints).
My network architecture was a little different though. In the original example there were three subnets. The first subnet was the attackers’ one and had two machines running: one for the payload delivery and another serving as a Metasploit listener. The second subnet was the DMZ, consisting of a mail server and a DNS server. The last subnet was an intranet of desktop PCs running Win7 SP1. Between all three a firewall resided.
In my network I had only one attacking PC (my main laptop), using the WiFi interface of a Mikrotik router. The Mikrotik router itself had two VLANs configured + 1 WiFi interface with a different address range. All three can reach each other. The second subnet consisted only of a mail server (hMailServer) running on a Windows 10 host (Dell Inspiron), since DNS was running on the Mikrotik. The firewall was also configured on the Mikrotik only and turned off for all the other machines. The
For the Mikrotik I followed the instructions outlined in this video (How to run multiple networks from a Mikrotik), with a little change: I did not delete any default bridges or interfaces. When I did, I could not connect to the router any more.
Several VMs running on the same Intel MacBook Pro 13, using a Bridged Adapter, Name: Ethernet (en0).
hMailServer for the mail server in a separate VLAN, following these instructions.