2018-01-23

Installing SIFT Workstation under Windows Subsystem for Linux

SIFT

In a recent post I alluded to the fact that I had successfully installed SIFT Workstation under Windows Subsystem for Linux (WSL). A number of people have zeroed in on that and had queries about this setup (and its limitations) so I thought I would follow up with a brief how-to.

For the uninitiated, the SIFT Workstation is a fantastic tool for forensic investigators and incident responders, put together and maintained by a team at SANS and specifically Rob Lee (@RobLee). It is a collection of open source tools for forensic analysis and is available bundled as a virtual machine. In a lot of cases the most appropriate way to use it is exactly like that, as a VM.

There are three common ways in which SIFT is used, under various circumstances I have had reason to employ all three:
  1. On a Type 1 hypervisor. I have an instance running within ESXi which I SSH into for analysis.
  2. Installed as the base OS on physical hardware. On more than one occasion I have installed Ubuntu and then the SIFT Workstation onto an old laptop to use for analysis.
  3. Via a Type 2 hypervisor such as VMWare Workstation or VirtualBox. I assume this is the most common method that people use SIFT, and indeed SANS provide a preinstalled OVA which can be downloaded here.

All of the above solutions have their merits, but with the advent of WSL we have a new option for running the various Linux utilities bundled within SIFT. While researching this post I stumbled across the fact that the SIFT Manual Installation instructions in fact reference the use of SIFT under WSL but I hope to provide a little bit of additional detail and highlight a couple of gotchas.

If you haven't already installed WSL and Bash you will need to start there, however if not you have installed these you can jump to Installing SIFT .

Installing WSL

The SIFT installation process detailed later requires internet access and as such I will focus on the online method of installing WSL, with that said an offline method is detailed in my previous post 'Windows Subsystem for Linux and Forensic Analysis'.

First ensure you are running Windows 10 Anniversary Update or later (build 1607+) on a 64-bit system, if not you will need to upgrade to this version to have WSL available.

The quickest and easiest way to enable WSL is to use PowerShell. Open PowerShell as Administrator and run the command:

Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux

Alternatively it can be enabled via the 'Windows Features' dialog. This can be accessed via Control Panel -> Programs -> Programs and Features -> Turn Windows features on or off. Locate the check box for Windows Subsystem for Linux, per the below screenshot, and select it:


Next we need to install the distribution of choice, which for SIFT will want to be Ubuntu. This is available for download via the Microsoft store. Once installed, select launch and you will be prompted to create a UNIX user account. Once the account is created you are good to go.

Installing SIFT

The first point to note is that SIFT cannot be installed from the root account. Depending on how you have configured WSL this may be the default and only user account on your install. If that is the case then you will need to create a new user account, as below:

Create new user account
Launch Bash, either via launching the 'Ubuntu' app or alternatively you can launch it from the Windows Command Line using the 'bash'.

Create a new user account with:

useradd -m sansforensics

Create a password for the account:

passwd sansforensics

When prompted, enter and re-enter a new password for the account.

Add the user account to the sudo group

sudo usermod -aG sudo sansforensics

Switch user to the new account:

su - sansforensics

The following set of commands can then be executed to download, verify and install the sift-cli-linux installer:

Using sift-cli-linux to isntall SIFT

wget https://github.com/sans-dfir/sift-cli/releases/download/v1.5.1/sift-cli-linux

wget https://github.com/sans-dfir/sift-cli/releases/download/v1.5.1/sift-cli-linux.sha256.asc

gpg --keyserver pgp.mit.edu --recv-keys 22598A94

gpg --verify sift-cli-linux.sha256.asc

sha256sum -c sift-cli-linux.sha256.asc

Verify that the output contains 'sift-cli-linux: OK', you will receive an error regarding improperly formatted lines which can be ignored.

sudo mv sift-cli-linux /usr/local/bin/sift

chmod 755 /usr/local/bin/sift

Finally the sift installer can be executed to install the SIFT packages only, with the following command:

sudo sift install --mode=packages-only

This process will take a short while to complete but at the end it should indicate that is has completed with no errors.

Limitations

Image Mounting
Image mounting can be problematic. Due to fuse driver issues, using ewfmount, mountwin or imageMounter.py will result in the following error: 
fuse: device not found, try 'modprobe fuse' first
Unable to create fuse channel.
An alternative solution is to mount the image in windows using a tool such as FTK imager, then to mount the corresponding volume using drvfs within WSL. In the below example FTK imager has been used to mount an E01 image both Physical and Logical:


The notable volume has been mounted as H, and this can be presented to WSL with the following commands:

sudo mkdir /mnt/h

sudo mount -t drvfs H: /mnt/h

I have not performed extensive testing to understand the full implications of the different mount methods however I have found that using the 'File System/ Read Only' option, per the below, can be more reliable albeit slower:


The above method will not be suitable to work with all tools or use cases. 

No GUI Support
The lack of an X Server prevents you from running graphical applications. This isn't a huge issue with SIFT as the overwhelming majority of the tools you will have installed SIFT for are command line. By default attempting to run an GUI application such as firefox will result in the following error:



But fortunately for us, installation of an X Server for Windows will allow you to run GUI applications from WSL. I have tested XMing and found it to be reasonably reliable. Once you download, install and run XMing within Windows configuring WSL to export the display to it is very easy, simply execute the following command:

export DISPLAY=:0

Now running Firefox will result in a new window being created within Windows. This functionality also has interesting implications as to evidence storage. Notably this allows for the installation of a browser where history and internet browsing artifacts will be within the WSL filesystem.

4 comments:

  1. Adam,

    Thanks for sharing this! Great stuff!

    ReplyDelete
    Replies
    1. Thanks Harlan, feedback is always much appreciated.

      Delete
  2. Hey Adam,

    I have a question about the following steps:

    Finally the sift installer can be executed to install the SIFT packages only, with the following command:

    sudo sift install --mode=packages-only

    This process will take a short while to complete but at the end it should indicate that is has completed with no errors.

    What should we do if there were errors when downloading the SIFT package only?

    This is the contents of the saltstack.log file:

    Traceback (most recent call last):
    File "/usr/bin/salt-call", line 11, in
    salt_call()
    File "/usr/lib/python2.7/dist-packages/salt/scripts.py", line 395, in salt_call
    import salt.cli.call
    File "/usr/lib/python2.7/dist-packages/salt/cli/call.py", line 8, in
    import salt.cli.caller
    File "/usr/lib/python2.7/dist-packages/salt/cli/caller.py", line 19, in
    import salt.minion
    File "/usr/lib/python2.7/dist-packages/salt/minion.py", line 81, in
    import salt.pillar
    File "/usr/lib/python2.7/dist-packages/salt/pillar/__init__.py", line 20, in
    import salt.fileclient
    File "/usr/lib/python2.7/dist-packages/salt/fileclient.py", line 31, in
    import salt.utils.http
    File "/usr/lib/python2.7/dist-packages/salt/utils/http.py", line 80, in
    import requests
    File "/usr/local/lib/python2.7/dist-packages/requests/__init__.py", line 84, in
    from urllib3.contrib import pyopenssl
    File "/usr/local/lib/python2.7/dist-packages/urllib3/contrib/pyopenssl.py", line 46, in
    import OpenSSL.SSL
    File "/usr/lib/python2.7/dist-packages/OpenSSL/__init__.py", line 8, in
    from OpenSSL import rand, crypto, SSL
    File "/usr/lib/python2.7/dist-packages/OpenSSL/SSL.py", line 118, in
    SSL_ST_INIT = _lib.SSL_ST_INIT
    AttributeError: 'module' object has no attribute 'SSL_ST_INIT'

    If I find a solution before your response I'll be sure to update the comments with the solution.

    Thank you!

    ReplyDelete
    Replies
    1. So solutions to post:

      AttributeError: 'module' object has no attribute 'SSL_ST_INIT'

      This can be fixed by running:
      sudo pip install pyOpenSSL==16.2.0

      After I resolved that issue I was getting about 40 failed modules.
      The original error was with pip and I did not save the error message.
      But apparently there are issues with the newest version of pip (18.1)
      After downgrading to pip 18.0 I only got one failure but now it's actually installed.

      to downgrade pip run:
      sudo python -m pip install pip==18.0 --upgrade --force-reinstall


      Delete