
Introduction

Howdy, all. In part one of this series on building an IR homelab, we created a Windows Forensics Workstation to use for analysis, and a basic fileshare to store evidence.

Now it's time to leverage one of the more powerful features of Autopsy: the Central Repository.

Question — If you found malware or attacker staging scripts during an investigation, how would you know if you had already seen it before? What if a former colleague had worked the case?

And — If you wanted to record a known bad file for your future self, how would you do it? …


Introduction

Howdy all. First of all, a huge shoutout to the team at Basis Technology for offering a $500 Autopsy training course for free! Link here. The course is a great dive into the features of Autopsy, and gives some “under the hood” explanations about how the program approaches carving, ingestion, plugins, prioritization, and much more.

However, the course could really use a practical guide on how to configure a Forensic lab environment to learn Autopsy, Incident Response, and Forensics. I consider this small series a continuation of the Autopsy class, and a use case for a homelab.

The roadmap network of this series. Subject to change.

Goals for this Series

Over this series, this is the network we will be building. We will be exploring some of Autopsy’s extended functionality and integrations. …


Topics Covered

Proxmox — Framework, Setup

pfSense — Interface Management/Assignment, DHCP, OpenVPN

Security Onion — Proxmox Bridge Traffic Mirroring, Fullscreen on Proxmox

Quick Note upfront

This is not a super detailed step-by-step guide. This is more of an explanation of my Proxmox/homelab setup. Wherever I gloss over the details of an install or process, I have (hopefully) added a link to a more detailed guide in the references.

Proxmox Framework

Howdy all. Too often I see (and have used) guides that focus a lot on installing and configuring a basic Proxmox setup, with no guidance on how to organize it all. Having used Proxmox for nearly 3 years now, as a homelabber and for an organization of 20–30 active users, I can say it can become a mess really quickly: which bridges are for what network, what VMs do what (no, “TestVM” does not tell me what it's for), or which VMs are in which network. Some Proxmox admins lean heavily on standardizing VMIDs, embedding the purpose, network, lifespan, and ownership right in the number. This works great until you have multiple people, or you just can't be bothered and you want an Ubuntu container to watch Star Wars via telnet (`telnet towel.blinkenlights.nl`). So, …

About

Liam Smith

Windows and IR are pretty cool.
