Creating A Lubuntu Virtual Machine For Computer Forensics Teaching

[ This is a reposting of my teaching blog post previously hosted on http://users.ox.ac.uk/~coml0454.
NOTE: I no longer teach at University of Oxford and this is a description of how I used to teach the course.]

Summary

This post describes how to create a Lubuntu-based virtual machine (VM) to be used when teaching computer forensic analysis and investigation. The post discusses the background to the use of the VM, how the VM is created in VMware Fusion, and how Sleuthkit and other Linux-based utilities are installed. The post finishes with some suggestions on how the VM issued in class can be configured for the classroom teaching computers. This post assumes the reader is familiar with Linux and a virtualization application such as VMware. [While the applications and utilities used are appropriate for a computer forensics investigation, the use of a VM is most probably not an appropriate approach for setting up a production system to undertake computer forensic analysis and investigation because of the overhead the VM adds.]

Background

The FOR module on the Software and Systems Security programme includes a number of classroom exercises associated with the extraction and analysis of computer system artifacts. The assignments may also involve the extraction and analysis of computer system artifacts. To encourage understanding of the extraction and analysis process, the exercises use Linux and Sleuthkit utilities which are run from the command line. To allow the transfer of understanding and skills from the classroom exercises to the assignment, the students use a Linux-based VM for the classroom exercises and receive a copy of that VM for use when undertaking the assignment.

Linux and Sleuthkit have been chosen as there are no licensing issues associated with their distribution. Ubuntu distributions have been used for previous VMs used during the FOR module. The VM needs to be kept reasonably up to date while at the same time keeping the size of the virtual machine reasonably small as well. Using the latest main Ubuntu distributions has resulted in the size of the virtual machine increasing. As a consequence I have chosen the Lubuntu 15.04 distribution to build the “Investigator” virtual machine. Lubuntu is a light(er) weight Ubuntu distribution.

VM Creation

In this instance, the Investigator VM is created in VMware Fusion 7 using Lubuntu 15.04. The lubuntu-15.04-desktop-amd64.iso can be downloaded from Ubuntu here.

The VM is created using the standard VMware Fusion method, with the type of operating system set to Ubuntu 64-bit. The VM is configured with the following settings:

  • VM name = Investigator
  • Memory = 1GB
  • Hard Disk = 20GB in 2GB blocks
  • Network adapter host = NAT
  • Compatibility = VMware Fusion 5 / VMware Workstation 9 (Hardware Version 9)

In order to enable the compatibility with VMware Fusion 5 I had to remove the camera and the SATA devices in the VM’s settings, and configure the CD to use an IDE device.
[Screenshots: VM Operating System Selection; VM Guest Settings]

Once the VM is ready to go, start the VM. (I ignore the VMware Fusion request to upgrade as I want the VM to be able to run on earlier versions of the VMware applications.) The Lubuntu installer will ask you to select a language. Next, select “Install Lubuntu” from the menu.
[Screenshots: Lubuntu Installer Language Selection; Lubuntu Installer Menu]

The installer will then ask you to choose a language for the guest operating system installation. Next you select the preparation settings.
[Screenshots: Lubuntu Installation Language Selection; Lubuntu Installation Preparation Selections]

Next set the type of installation, followed by confirming the disk partition arrangements.
[Screenshots: Lubuntu Installation Type Selections; Lubuntu Installation Partitioning Confirmation]

Next set the timezone, followed by setting the keyboard layout. (Note: if you cannot see the Continue button, you can grab the menu bar to move the pane until the Continue button is visible.)
[Screenshots: Lubuntu Installation Timezone Setting; Lubuntu Installation Keyboard Setting]

Then set the user account details.
[Screenshot: Lubuntu Installation User Account Settings]

At this point the Lubuntu installation is configured with the following parameters:

  • TZ = Washington, DC
  • Keyboard = US
  • Hostname = investigator
  • Username = Forensic Investigator (forensic)
  • Password = oucl2015
  • Login = automatic

The installation will continue and download the necessary files. Once the Lubuntu installation is complete, restart the VM.
[Screenshots: Lubuntu Installation File Download; Lubuntu Installation Restart]

On reboot, Software Updater will start running. Select it and open the Settings tab. At this point I disable automatic updates. I also ignore the request to update as I do it using the command line later.
[Screenshots: Software Sources; Software Updater]

Now open LXTerminal (Terminal) and add it to the Desktop.
[Screenshot: LXTerminal on the Desktop]

To add LXTerminal to the Panel, right click on the Panel to open the Panel Preferences. Then select the Panel Applets tab.
[Screenshots: LXTerminal Panel 1; LXTerminal Panel 2]

Select the Application Launch Bar and click the Preferences button. Then select LXTerminal in the System Tools list in the Installed Applications pane and click Add to include it in the list of Launchers.
[Screenshots: LXTerminal Panel 3; LXTerminal Panel 4]

Install Updates

Open LXTerminal and, using the command line, install the latest Lubuntu distribution updates before we build the tools.

sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade
sudo apt-get clean
sudo reboot

Edit .bashrc

I like to have a colour prompt in the terminal so I edit .bashrc and enable the colour prompt.

nano .bashrc  

Remove the # so this line now reads as:

force_color_prompt=yes

Edit the colours and prompt layout as you please. This is my preferred prompt: green user and host name, blue working directory, and the prompt on a new line so you have the maximum space to type a command before the line wraps around:

PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\n\[\033[00m\]\$ '

Once .bashrc is edited, the changes can be applied immediately by issuing the following command in the terminal:

source .bashrc  

Install Build Essential Tools & Headers

sudo apt-get install git  
sudo apt-get install build-essential  
sudo apt-get install linux-headers-$(uname -r)  
sudo apt-get autoremove  

Install VMware Tools

At present VMware Tools does not build correctly on a number of the Linux distributions. The consequence here is that host folders cannot be shared with the guest VM. Fortunately Rasa and his collaborators have developed a solution that can be found at https://github.com/rasa/vmware-tools-patches.

cd /tmp  
git clone https://github.com/rasa/vmware-tools-patches.git  
cd vmware-tools-patches/  
./download-tools.sh 7.1.2  
./untar-and-patch.sh  
./compile.sh  
sudo reboot  

The 7.1.2 in the command ./download-tools.sh 7.1.2 corresponds to the version number of VMware Fusion that I am using.

Once this has compiled you will be able to share host folders with the guest VM.

Install Sleuthkit and its Dependencies

cd ~  
sudo apt-get install sleuthkit autopsy  

Install Additional Applications

In addition to using Sleuthkit the exercises involve the analysis of network and Internet artifacts, which requires the installation of additional applications in the VM.

sudo apt-get install gparted wireshark net-tools tcpstat geeqie tcptrace tcpflow imagemagick etherape  
sudo apt-get install feh firefox sqlite sqlite3  
sudo apt-get install foremost whois  
sudo apt-get install libimage-exiftool-perl  
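
Before cloning the finished Investigator VM for students, it is worth confirming that every command-line tool the exercises depend on is actually on PATH. The following check is an added example and not part of the original post; the tool list is my assumption of the binaries provided by the packages installed above (Sleuthkit, tcpflow, tcptrace, tcpstat, foremost, exiftool, sqlite3, whois, ImageMagick's identify), and check_tools is a name chosen here.

```shell
#!/bin/sh
# Post-build check for the Investigator VM: report any classroom tool that is
# missing from PATH so the VM is not issued to students half-built.

# Binaries assumed to be provided by the packages installed above.
# Sleuthkit ships the mmls/fls/icat/istat/blkls/img_stat family.
VM_TOOLS="mmls fls icat istat blkls img_stat tcpflow tcptrace tcpstat \
foremost exiftool sqlite3 whois identify"

# check_tools NAME...
# Prints "MISSING: name" for each tool not found on PATH (one per line) and
# returns the number of missing tools, so 0 means the toolchain is complete.
check_tools() {
    missing=0
    for tool in "$@"; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            printf 'MISSING: %s\n' "$tool"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Run the check against the full classroom list when executed directly.
if check_tools $VM_TOOLS; then
    echo "Investigator VM toolchain complete"
else
    echo "Install the missing packages before cloning the VM"
fi
```

Run the script inside the VM after the apt-get steps; a missing Sleuthkit binary usually means the sleuthkit package failed to install rather than a PATH problem.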

Add SQLite Manager To Firefox

SQLite Manager is a useful extension to Firefox for looking at SQLite databases, such as those used to store the browser history on later versions of Firefox. To install SQLite Manager, launch Firefox and add SQLite Manager via Firefox’s Add-ons Manager. (You may have to make the Menu Bar visible.) SQLite Manager will appear in the Tools Menu after restarting Firefox.

  • Firefox > Tools > Add-ons Manager
  • Search for SQLite Manager and install it
  • Restart Firefox

[Screenshots: Firefox Tools Menu; Add SQLite Manager; SQLite Manager In Tools Menu]

Add Firefox to the Panel.

And To Clean Up

sudo apt-get autoremove  
sudo apt-get clean  

Clean .bash_history

rm .bash_history && touch .bash_history  
sudo reboot  

To Configure The VM For Your Use

Set The Keyboard Type

Select Preferences > Keyboard Input Methods to launch the IBus Preferences application and select the Input Method tab to set the keyboard type.
[Screenshots: Preferences Menu; Set Keyboard Type]

Set Display Size

The default VM has a display size of 800 x 600 pixels. Launch the Monitor Settings application in the Preferences menu to set the display size.
[Screenshot: Set Display Size]

Set The Timezone

Launch the Date and Time application in the System Tools menu to set the timezone. Remember to Unlock the panel in order to make the changes.
[Screenshots: System Tools Menu; Set Time and Date]

Set The Directory Sharing Between The Guest and The Host

When the VM is opened in VMware Fusion, open the Settings panel and select the Sharing tab. Click the + button and select the host folder you want to share with the VM. The folder will appear in the VM guest filesystem under the path /mnt/hgfs/{name}, e.g. /mnt/hgfs/Workspace, for the example shown. You can rename the guest folder in the VM by clicking on the name in the Shared Folders panel.
[Screenshot: Share Host Folder]