Forensics Workstation/Lab (pt 3. Hypervisor Installation)

Part 1: Overview
Part 2: pfSense

For the hypervisor, I am using the following configuration:

  • Arch Linux (with default kernel)
  • i3wm - improved tiling wm - Arch Wiki
    • rofi - generic popup menu
    • i3status - notifications
    • i3bar - status bar
  • Oracle VirtualBox - type 2 hypervisor
  • aura (optional) - 3rd party package manager

I have been using Arch Linux for years and due to its small size, I am using it as the base operating system for the hypervisor. Also, I am installing the bare minimum software and customization for it because I do not need much to run in the base system (that's what the VM's are doing).

Oracle VirtualBox is the best choice for an open source virtual machine manager. It is a type-2 hypervisor--meaning it runs within an operating system instead of directly on the machine (think VMWare eSXI or ZEN). The problem with type-1 hypervisors is the management of the VMs. You really need a second computer to setup, configure, and manage the VMs where as type-2, you can manage them directly on the system they are running.

The i3wm desktop is interesting piece of software. I usually stuck to XFCE4 (though, I have been using gnome a bit as well lately) and i3wm is completely different. i3wm takes little resources to run and provides a text based configuration files for whatever configuration you need. Also, it can be ran completely through shortcuts. One word of caution, dragging windows around does not work, you have to use the shortcut keys to arrange and management your application windows.

Aura has been my go-to package manager for a while now. Although, not required, I usually have it installed anyway. It provides more ways to manage packages from official repos and Arch Linux User Repo (AUR).

Installation

Installing Arch Linux is not hard but will take a while to get everything up and running. I am not going to go through a whole base installation for Arch Linux here. There are two good resources for installing Arch Linux:

  1. Installation Guide
  2. General Recommendations (post install)

Encryption

I plan to do encryption on the computer at some point. I just need to find something usable for Arch. I do not think LUKS will work in this scenario.

Partitioning

Here is the partition that I used. It's using LVM (no encryption -- yet). Most of the space is given to the /data partition and I attempted to minimize the space for each mount location.

Arch Linux Disk Partitioning

For the partition format types, see this screenshot:

Arch Linux Disk Partition Formatting

This how I choose to setup the partition based on how xfs and reiserfs work; of course, the default ext4 would work if you wanted to simplify the partitioning.

Software

For software packages, remember KISS. I installed the following packages:

  • Package Groups
    • base
    • i3
  • Official Packages
    • rofi
    • networkmanager
    • network-manager-applet
    • iwd (replaces wpa_supplicant for NetworkManager)
    • firefox
    • nano
    • refind-efi
    • reflector
    • termite
    • virtualbox
    • virtualbox-ext-oracle
    • virtualbox-guest-iso
    • virtual-box-host-modules-arch
  • AUR Packages (optional)
    • aura-bin
      • This provides access to AUR packages as well as extra features not in Pacman. Read more on the Github Project page here.
    • reflector-timer
      • This creates a timer and service files to run reflector once per week automatically with a simple configuration file.
      • before you build this package, you will need the following packages installed:
    • binutils
    • fakeroot
    • rofi-dmenu
      • Provides automatically symlinking rofi to /usr/bin/dmenu.

For the package groups and official packages, those can be installed when doing pacstrap during the install stage of the Installation Guide.

For the AUR packages, you need to first install the aura-bin package. To install this package perform the following setups:

  • From a terminal run the command: git clone https://aur.archlinux.org/aura-bin.git
  • Change directory into the 'aura-bin' folder.
  • Run the command: makepkg -irs --clean
  • This will package up the application and install it in one setup.
  • You may remove the folder after installation.

Installation of AUR packages uses the '-A' flag instead of the normal pacman '-S' flag for official packages. You can read about aura options from Aura Readme on github.

Services

Enable and start the following services:

  • iwd.service
  • NetworkManager.service
  • reflector.timer

Networking

I am use the newer iwd service instead of wpa_supplicant. To enable NetworkManager to work with iwd, you need to create the file /etc/NetworkManager/conf.d/wifi_backend.conf with the following configuration:

[device]
wifi.backend=iwd

Note: "device" must be replaced with the name of your device, where in my case it is "wlp1s0". If you do not replace "device", NetworkManager will appear to not see your wifi card and give the status of "device not ready" when looking at the NM Applet.

Virtualbox

After you install the virtualbox packages, ensure the computer is restarted at least once or load the virtualbox modules manually (see Virtualbox Documentation).

File Storage

To better organize the files on the system, all of the VM files are located within the '/data' folder/partition. I have the following layout.

/data
|-- ISOs
|-- VMs
    |
    |-- Arch Linux
    |
    |-- Kali Linux (Live CD)
    |
    |-- Sift Workstation
    |
    |-- paladin (Live CD)
    |
    |-- pfSense
|-- share
    |
    |-- forensics
    |
    |-- personal
    |
    |-- pfsense

The folders are self explanatory. For the /data/share, these are used to seperate each different type of VM. This can be loaded either Read Only or Read/Write while providing a method to pass information between different VMs.

Update (2019/7/5): Fixed the reflector.timer service name. I incorrectly stated it was 'reflector-timer.timer'

Jesse Spangenberger

Jesse Spangenberger