For some time, my primary analysis machine was a Fedora OS with the CERT repo installed. I went with the CERT Repo after leveraging the SANS SIFT work station primarily due to the fact that the tools in the CERT Repo are on a more frequent update cycle. By the time I read about and decide I want to play around with a new tool, it always seems to be part of the CERT Repo already. However, with the introduction of Windows Subsystem for Linux, I find myself more frequently conducting investigations with Windows as my Primary OS.

Fedora CERT Repo Figure 1: Fedora CERT Repo Installing On Windows Subsystem

First and foremost, why Fedora in the first place? This is largely due to trial and error when I was first swapping between operating systems on my analysis machine. In almost everything outside of a forensic investigation, I am leveraging a Ubuntu or CentOS host. However, when it comes to tooling related to digital forensic investigations, a Fedora host appears to have more success with executing these tools error-free. In short, I seem to find myself troubleshooting less with a Fedora Host to get tools to run when compared to other hosts.

This is entirely subjective and not backed by any sort of data — just my personal experience. At the end of the day, it all comes down to personal preference.

With this in mind, why bother with Windows at all then during an investigation? A few reasons, but in short, it all comes down to your personal work flow. For me, taking notes on a windows host is much easier - primarily due to the fact that at the end of the day, I am in a Word Document generating some sort of final forensic report. Note taking related to DFIR deserves its own novel, but in short, taking notes as I go along, in a format that allows me to copy and paste the vast majority of data directly into a final report is a massive time saver. There are other reasons for a windows host as well, such as tools like X-Ways, or the easier interaction with encrypted forensic images through tools like Arsenal Image Mounter.

All of this to say, blending forensic tools leveraged through the CERT Repo directly into Windows without the use of a virtual machine seemed like a natural choice.

Install Process

The install process is extremely simple and makes for a fairly boring blog post. However, for one reason or another, the idea to leverage Subsystem for Linux did not click with me until a recent work project.

First, you must be running an up to date Windows 10 host. Launch PowerShell as Administrator and enable Subsystem for Linux by entering the following:

Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux

You will be asked to reboot after the above command. Do so and continue with the remaining steps.

After Reboot

As of writing, the CERT Repo currently supports up to Fedora 30. The Fedora Remix for WSL project provides us a way to bring Fedora 30 to our windows host. I am currently running version 1.30.1 Final. As far as I can tell, the second set of numbers in the version corresponds to the Fedora version. So in my case, I am downloading Fedora 30.

To do this, navigate to https://github.com/WhitewaterFoundry/Fedora-Remix-for-WSL/releases where I downloaded the Latest version that corresponds to a supported version of the CERT Repo. 1.30.1 Final fit the bill in my case. Simply download DistroLauncher-Appx_1.30.1.0_*.appx (in my case, I downloaded the x64 version).

Shortly after launching the .appx file and clicking Install, you will be greeted with a window which will prompt you to enter a new set of credentials. These credentials do not need to match your host machine and are only used for interacting with your Fedora OS. After the install process is completed, you will be greeted with a Installation successful! message, which will then throw you immediately into your shell.

Fedora WSL Install Completed Figure 2: Fedora WSL Install Complete

At this point, we can begin immediately installing the CERT repo. For Fedora 30, we need to install the corresponding rpm and to enter a privileged session. You can find the list of supported rpm repositories and their supported versions at https://forensics.cert.org/#repository. In my example, I am using Fedora 30

> sudo su
> rpm -ivh https://forensics.cert.org/cert-forensics-tools-release-30.rpm

On a success, you will see output similar to what is seen in Figure 3

Fedora RPM Installed Figure 3: RPM Install Successful

At this point, you can selectively search for tools you commonly leverage by running dnf search <tool> for example:

> dnf search volatility

Last metadata expiration check: 0:01:52 ago on Sat 15 Jun 2019 04:30:47 PM DST.
========================================== Name & Summary Matched: volatility ==========================================
Volatility-community-plugins.noarch : Volatility-community-plugins
Volatility-community-plugins.noarch : Volatility-community-plugins
=============================================== Name Matched: volatility ===============================================
Volatility.x86_64 : Tools for the extraction of digital artifacts from volatile memory (RAM) images
Volatility.x86_64 : Tools for the extraction of digital artifacts from volatile memory (RAM) images
python2-volatility.noarch : Volatile memory extraction utility framework

And install by running dnf install <tool>. The example above would be dnf install volatility

However, what I do personally is install all the tools available in the repository all at once. This will take some time, however I normally do not have access to a strong internet connection while on a remote site conducting an investigation - this, or the network available to download from is infected, so connecting to it would be ill-advised.

To do this, all that is required is running the following:

> dnf install CERT-Forensics-Tools