What's on My DFIR Box?

  • Published: 19 Oct 2024

Comments • 28

  • @alexismerritt4137
    @alexismerritt4137 2 years ago +15

    Within our community, we're often met with smoke screens or 'it depends' answers on how to get started. A quick walkthrough of your base tooling is exceptional, and I hope this video receives multitudes of views from aspiring, junior, mid, and even senior-level DFIR folks. - Thank you for sharing with all of us!

  • @satyammishra3816
    @satyammishra3816 2 years ago +6

    Please make a video on X-ways using various X-tensions for analysis

  • @Lokiwho
    @Lokiwho 2 years ago +2

    I love PowerToys, particularly for the FancyZones

  • @CookieBrainSlug
    @CookieBrainSlug 2 years ago +4

    Great video! Definitely a treasure trove of awesome tools!
    Got any tools for analyzing files found in macOS and iOS such as SQLite databases and Plist files? I like DB Browser for SQLite.

    • @13Cubed
      @13Cubed 2 years ago +1

      Good question -- the short answer is no. I've used quite a few SQLite database viewers but I always ended up finding something I didn't like about all of them. As for Plists, honestly just Xcode in the past. I have 20+ years of macOS experience and know the OS really well, but from a forensics standpoint I would be a novice at best (Windows/Linux is my jam, so I'm probably not the best to ask about macOS). Maybe others will chime in in the comments here with some recommendations!

  • @BufferTheHutt
    @BufferTheHutt 5 months ago

    Really helpful. Thanks for the video.

  • @andrevm9410
    @andrevm9410 2 years ago +1

    Great video!

  • @papafredoo5554
    @papafredoo5554 2 years ago +1

    Great info

  • @cozawone
    @cozawone 2 years ago +3

    Any hex editor that you use or recommend? Free or paid.

    • @13Cubed
      @13Cubed 2 years ago +2

      Yes! 010 Editor -- it's actually featured in this episode: ruclips.net/video/l4IphrAjzeY/видео.html

    • @unbekanntunknown3106
      @unbekanntunknown3106 2 years ago +3

      HxD is a good & free hex editor.

  • @avihayl7911
    @avihayl7911 2 years ago

    Thanks for the thorough explanation!
    So do you have personal information on this PC, such as logged-in sessions to your email, Microsoft account, etc.? Are you using this PC for personal use as well?
    Additionally, where and how do you analyze/run malware (statically and dynamically)?
    Finally, do you know how I can RDP to a malware forensics box without jeopardizing my own personal laptop?
    Thanks!

    • @13Cubed
      @13Cubed 2 years ago +2

      Yes, this is my personal rig as well. To be clear, I just use this for 13Cubed, not for "real" DFIR work. For that, I have work-issued computers on a separate network that are completely isolated from this. This setup is just for video production, testing, learning, occasional gaming, etc. For any malware analysis, I have VMware Workstation Pro and use isolated VMs, or VMs within my ESXi environment.

    • @avihayl7911
      @avihayl7911 2 years ago

      @13Cubed So the only safe solution is to buy a mini PC, for example, and work on it locally with little to no access to the Internet? No way you can think of which includes viewing the mini PC on a personal laptop in a safe way, using VNC for example?

    • @13Cubed
      @13Cubed 2 years ago +1

      @avihayl7911 You should be able to fairly safely perform analysis in a virtual machine as long as that virtual machine is effectively isolated with no connectivity.

  • @Turb0Yoda
    @Turb0Yoda 2 years ago

    Have you tried running the 980 Pros in RAID 0? I've been really happy with that with my R9 5950X system.

    • @13Cubed
      @13Cubed 2 years ago

      I have not -- but I'm sure that is blazing fast! The 990 Pros also just got announced.

  • @jh1823
    @jh1823 2 years ago

    Why such a beefy GPU for a forensics box? The only thing I can think of is password cracking (a single 3090 is not ideal for this outside of some basic NTLMv1 hashing). Do you game on this device? Would you dual boot two instances of Windows 11?
    Genuinely curious, I have always gone the prebuilt HP Z workstation route for the higher-core Xeon boxes and then midrange GPUs (2060/3060) for some CUDA stuff that tools like Magnet Axiom can use for image recognition or other light GPU-beneficial workloads.

    • @jh1823
      @jh1823 2 years ago

      The big thing the gaming PCs have going for them (especially something like an i9 12900KS) is single-threaded performance. Back in the old days, a lot of these forensic tools were single-threaded (imageinfo in Volatility 2), and boosting to 5+ GHz is going to make a HUGE difference.

    • @13Cubed
      @13Cubed 2 years ago +1

      This is the workstation I use for video editing and 13Cubed production as well, hence the beefy GPU. Actually, this entire system is being replaced today with a Threadripper 5975WX with 256GB of RAM to facilitate running numerous VMs plus the video editing/motion graphics-related stuff. As for gaming -- don't have a lot of time, but definitely some MSFS 2020 when I can.

  • @centralcybersecurity
    @centralcybersecurity 1 year ago

    How about a MacBook Pro with the M1 chip, using Windows alongside as a dual boot? Would that be good enough for a DFIR box, or is a separate Windows laptop necessary?

    • @13Cubed
      @13Cubed 1 year ago

      Won't work -- you can't virtualize x86/x64 Windows with Apple Silicon -- just Windows on ARM. While the move to that architecture was clearly the right one for Apple, it effectively killed the use of Macs for many InfoSec people. With Intel-based Macs, you could virtualize macOS, Windows, and Linux on one platform. Now, the choice for me is a Windows box with WSL 2. I can run Windows and Linux software on the same platform, and it's fast and efficient. Additionally, I can choose the hardware I want, and build a solution that meets my needs.

  • @cheesee6443
    @cheesee6443 2 years ago +1

    Quick question! Why not Magnet Axiom? :O

    • @13Cubed
      @13Cubed 2 years ago +1

      It's a great product, but for the price, X-Ways Forensics is a better fit for my needs, and allows me to get a little more "in the weeds", whereas Axiom is more of a "point-and-click" forensics tool.

  • @PrinterJamOnToast
    @PrinterJamOnToast 2 years ago +1

    Interesting, so you don't run your tools in a VM?

    • @13Cubed
      @13Cubed 2 years ago +1

      Aside from WSL2, which is basically a VM of sorts, most of the tools are run directly on this box. I use VMs for sources and targets to generate artifacts and bring the data back to this box for analysis. For example, the upcoming episode on Impacket utilizes a Windows 10 and Server 2019 VM to represent the source (attacker) and target (victim).

  • @TankCatIntoMordor
    @TankCatIntoMordor 2 years ago +2

    *slaps computer case* you won't be able to afford this