If your forensics lab employs Kali Linux as its primary security based Linux distro, this document describes how to build, augment, patch and export an OVA image for use in the lab where you have no internet access.
Software needed to complete this task include:
1) The latest Kali Linux release. As of this writing, its 2020.1b.
https://cdimage.kali.org/kali-2020.1b/kali-linux-2020.1b-installer-amd64.iso
2) VirtualBox 6.1.6 and Extensions (or the most recent version).
https://download.virtualbox.org/virtualbox/6.1.6/VirtualBox-6.1.6-137129-Win.exe
https://download.virtualbox.org/virtualbox/6.1.6/Oracle_VM_VirtualBox_Extension_Pack-6.1.6.vbox-extpack
3) PuTTY terminal emulator for Windows.
https://the.earth.li/~sgtatham/putty/latest/w64/putty-64bit-0.73-installer.msi
5) A Windows 10 PC or laptop with at least 8 Gigs of memory. 16 is better but 8 will do. You also need at least 200 Gigs of available hard drive space for the image and the exported OVA.
6) Once built, you will export the VM as an OVA and import it to the lab after it has been through your QA process.
IMPORTANT: A Special Note Regarding Word, PDF and Text Character Formatting
1) In some cases, Word and PDF character formatting gets mangled when you copy/paste into a Linux terminal. Before you press enter on a pasted command, make sure it looks the same.
2) If it looks the same and doesn’t run, its typically a broken “-“ as in the –v, or any other switch. The double dash “ – -“ can be merged as a single “–“ when the document is converted. Also, even if the “-“ looks normal and the command doesn’t run or has errors, simply paste the command into the terminal, then using the left-arrow key, roll back and place the cursor behind the “-“ dash, press the backspace key to remove and then enter a new single dash or double dash as needed. This will create them in the native terminal character font. I know, it can be a hassle.
3) Since some of these commands are quite long, you might consider pasting them into Notepad first, and then copy from Notepad into the Linux terminal.
STEP 1 – Obtain the Software and Install on your PC or Laptop
1) Download the software mentioned above.
2) Install PuTTY and VirtualBox first and then install the Extension pack. Defaults are fine unless you have reasons to choose otherwise.
STEP 2 – Build the VM
1) Building the VM must be done offsite if you have restrictions due to access limitations and/or security requirements that prevent you from installing software, accessing the repos, or your destination system is air-gapped.
2) Create a folder on your c:\ drive named vboxshare.
3) Launch VirtualBox Manager and select Machine > New.
a. Name it kali01 or whatever you like).
b. Choose your machine folder location.
c. Type: Linux.
d. Version: Debian x64.
e. Memory size: minimum 4096 MB but 8192 is preferred if you have it.
f. Select Create the virtual disk now and click create.
g. Change the File size to 80.00 GB.
h. Hard disk file type: VDI.
i. Storage on physical disk: select Fixed size and click Create to create the VM.
j. Right-click the new VM profile and select settings.
k. Under System > Processors you can change this to 2 if you have the horsepower on your PC or laptop. If not, 1 should be fine. Both memory and CPU can be changed after being imported on the FAS.
l. Select Display, change Video memory to 128 MB and make sure graphics controller is VMSVGA.
m. Select Storage, under Controller IDE, select the Empty disc icon. On the right, under Attributes, across from Optical Driver select the Disc icon and then Choose/Create a virtual optical disk. If not listed, click +Add and browse out to the Kali ISO you downloaded, select it and click Choose > OK.
n. Select Network. Change Attached to: Bridged Adapter, expand Advanced and change Promiscuous mode to Allow All.
o. Select Shared Folders and click the green + folder icon in the upper right.
i. Folder path: C:\vboxshare.
ii. Folder name: vboxshare and select Auto-mount.
iii. Mount point: /vboxshare (note the forward slash, not backslash).
iv. Click OK > OK. Right-click the VM and select Start. If prompted, select the Kali ISO.
4) On the Kali Installation process:
a. Select Graphical installation, English as the language, United States as location, American English for Keyboard.
b. If you have DHCP your network should autoconfig. If not, click Continue on the Network screen, select Configure Network Manually, enter an IP, netmask, gateway, name servers or DNS.
c. Enter the hostname, leave the domain name blank, create the user account (such as kaliadm), add a password, set the clock to Eastern.
d. For partition, select Guided – use entire disk, select the vbox harddisk, select all files in one partition and click Continue on Finish partitioning and write changes to disk, select Yes to write changes to disk.
e. Enter the proxy information if you need one, otherwise leave it blank,
f. On the Software selection page, make sure Desktop, Xfce, Collection of Tools, top 10, default and large are selected. The system will begin to install the packages.
g. Select Yes on Grub boot loader, select the vbox hardisk as the boot loader device, click Continue on Installation complete to reboot the VM.
5) Enable SSH. It’s off by default.
> sudo systemctl start ssh
> sudo systemctl enable ssh
a. Test your access using PuTTY to login as the kaliadm user. Check the new OS release.
> cat /etc/os-release
> lsb_release -a
6) Install the official “everything” metapackage set (even though it really isn’t all of them) and few utilities. Login as the kaliadm user.
> sudo apt update
> sudo apt install kali-linux-everything
> sudo reboot
> sudo apt upgrade (if noting installs, skip the next reboot)
> sudo reboot
7) Login as kaliadm and install the VirtualBox Guest Additions. First, make sure the prerequisites are installed (they should be by now).
> sudo apt install dkms linux-headers-$(uname -r) build-essential
a. On the VM frame across the top select Devices > Insert Guest Additions CD Image.
> sudo mount /dev/cdrom /mnt
> cd /mnt
> sudo ./VBoxLinuxAdditions.run
> sudo reboot
8) List installed apps. Grep for stuff if you need to.
> sudo apt-cache search ” | sort -d | awk ‘{print $1}’
> sudo apt-cache search ” | sort -d | awk ‘{print $1}’ | grep <app name>
9) List installed apps with some detail. Grep for stuff if you need to.
> sudo apt-cache policy $(apt-cache search ” | sort -d | awk ‘{print $1}’)
> sudo apt-cache policy $(apt-cache search ” | sort -d | awk ‘{print $1}’) | grep <app name>
10) Create the /cases folder. This is where case data is localized.
> sudo mkdir -pv /cases
STEP 3 – Install Additional Tools
1) Use PuTTY on your PC to SSH as the kaliadm user into the VM or login to the GUI.
2) Install ClamAV AntiVirus and verify. From this point forward, it’s your choice to either via SSH or right-click the Desktop and open a terminal.
> sudo apt install clamav clamav-freshclam clamav-base clamav-docs clamav-daemon clamtk
> sudo mkdir -pv /clamav_quarantine
> sudo clamscan –v –r –log=/home/kaliadm/clav.log –copy=/clamav_quarantine /etc/*
> sudo cat /var/log/clamav/freshclam.log
> sudo cat /home/kaliadm/clav.log
3) Install additional tools and utilities for the lab.
a. Python Steganography Tools.
> sudo /usr/bin/pip3 install Stegano
> sudo pip3 install stegoveritas_binwalk
> sudo pip3 install stegoveritas
b. Install stego-lsb.
> sudo git clone https://github.com/ragibson/Steganography
> cd Steganography
> sudo python3 setup.py install
> sudo stegolsb test
c. Install OpenStego
> sudo wget -v -S https://github.com/syvaidya/openstego/releases/download/openstego-0.7.3/openstego_0.7.3-1_amd64.deb
> sudo apt install ./openstego_0.7.3-1_amd64.deb
d. Python Rekall Forensic Framework:
> sudo pip3 install rekall
e. Windows Event Carving:
> sudo pip3 install evtxtract
f. Steganography Tools:
> sudo apt install stegosuite
> sudo apt install exiftool
> sudo apt install pngcheck
> sudo apt install stepic
g. Network tools:
> sudo apt install iftop
> sudo apt install iptraf-ng
> sudo apt install etherape
h. Office and File Transfer Tools:
> sudo apt install filezilla
> sudo apt install libreoffice
> sudo apt install thunderbird
> sudo apt install tree
> sudo apt install putty
> sudo apt install glogg
> sudo apt install xpdf
> sudo apt install evince
> sudo apt install qpdfview
> sudo apt install xtail
i. Multimedia, Audio, Video, Images/Graphics:
> sudo apt install vlc
> sudo apt install xpaint
> sudo apt install mplayer
> sudo apt install smplayer
> sudo apt install audacious
> sudo apt install audacity
> sudo apt install calibre
> sudo apt install libdvd-pkg
Note: if you get an error at the end of this install
run sudo dpkg-reconfigure libdvd-pkg and select yes.
> sudo apt install rhythmbox
> sudo apt install lsdvd
> sudo apt install libavcodec-extra
> sudo apt install cdparanoia
> sudo apt install brasero
> sudo apt install ripperx
> sudo apt install xcfa
> sudo apt install cdda2wav
> sudo apt install pacpl
> sudo apt install abcde
> sudo apt install vobcopy
> sudo apt install dvdbackup
> sudo apt install sound-juicer
> sudo apt install grip
> sudo apt-get install libspeex*
> sudo apt-get install libopus*
> sudo apt-get install libaacs*
> sudo apt-get install libbluray*
j. Google Chrome and cli browsers:
> sudo wget -v https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
> sudo apt install ./google-chrome-stable_current_amd64.deb
> sudo apt install w3m
> sudo apt install lynx
> sudo apt install links2
> sudo apt install elinks
k. Additional Shells:
> sudo apt install golang
> sudo apt install csh
> sudo apt install ksh
> sudo apt install fish
> sudo apt install tcsh
> sudo apt install scanssh
STEP 4 – Export the VM as an OVA and Import Onsite
1) Once the new Kali VM is functioning and updated with the latest versions, it must be exported as an OVA and moved to the Lab. This step should be done as new versions are released to keep the Lab images updated.
2) In VirtualBox Manager, select the Kali VM. Click File > Export Appliance and fill out the following details under Virtual System Settings.
a. Name: should already list kali01.
b. Product: Kali Linux 2020.1b OVA
c. Product-URL: NA
d. Vendor: Kali, but built by <your name here>.
e. Version: 1.0, 06 May 2020 (rev the version for each OVA export, and use today’s date)
f. Description (click edit): Kali Linux 2020.1b, Everything Metapackage group, additional tools and Utils, VirtualBox 6.1.6 additions.
g. License: leave blank.
h. Under appliance settings, change format to Open Virtualization Format 2.0.
i. File: choose the location where you want to write the file.
j. Click Export.
k. When done, burn the OVA file to a Blu-ray disc or removable media.
3) Move the OVA Blu-ray to the internal host with VirtualBox installed.
a. Launch VirtualBox Manager and select File > Import Appliance.
b. Source: select Local File System.
c. File: on the right, click the folder with green arrow icon, browse to and select the kali01.ova file and click Open > Next.
d. Machine Base Folder: accept the default location or change this path to fit your installation.
e. Click Import to import the VM. When done, edit Settings as needed (more CPU, Memory, etc).
f. Boot the VM, login and set the IP address for the internal network and change the hostname if needed.
g. Manually reboot to seat the network changes or shutdown.
STEP 5 – What a Monthly (or as needed) Update Task Looks Like
1) Check to see if there is a new release for VirtualBox. If so, upgrade and make sure the Lab is upgraded as well.
https://www.virtualbox.org/wiki/Downloads
2) Update the Kali image.
a. Boot the public facing VM. Login to the VM as kaliadm.
b. Get the latest ClamAV updates for the VM and test a quick scan of /etc.
> sudo systemctl stop clamav-daemon
> sudo systemctl stop clamav-freshclam
> sudo freshclam
> sudo systemctl start clamav-daemon
> sudo systemctl start clamav-freshclam
> sudo clamscan –log=/home/kaliadm/clav.log –copy=/clamav_quarantine /etc/*
c. Update Google Chrome and the Python tools.
> sudo wget -v https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
> sudo apt install ./google-chrome-stable_current_amd64.deb
> sudo /usr/bin/pip3 install Stegano
> sudo pip3 install stegoveritas_binwalk
> sudo pip3 install stegoveritas
> sudo git clone https://github.com/ragibson/Steganography
> cd Steganography
> sudo python3 setup.py install
> sudo stegolsb test
> sudo pip3 install rekall
> sudo pip3 install evtxtract
d. Update the OS and tools.
> sudo apt update
> sudo apt upgrade (if noting installs, skip the next reboot)
> sudo reboot
> sudo apt list –upgradable –a (if nothing else to patch, proceed)
e. Export and Import the VM as described in STEP 4.
