Monday, December 19, 2022

A Little Homelab and Life Update

I'm going to start writing more on my blog. No! Really! You do believe me, right? Ok, can't blame you if you don't. I come back to this from time to time and think this time I'm really going to dive into it, only to get sidetracked in some other direction. I promise I have a good excuse this time.

Since I last posted, I have gone back to school on a part-time basis while continuing to work full-time. I decided it was high time to finally get that Associate's Degree I started on decades ago. My days have consisted of going to work in the morning and going home in the evening to do homework. I just completed the Fall semester which included a Technical Mathematics class and a Speech class. I enjoyed both classes quite a bit, but I must say I'm glad for some down time of an evening for a while. We're on Winter break now and I'll only have one class left to take in the Spring semester which will allow me to finally graduate in May.

I haven't completely ignored my home-lab efforts during this time, however. I've re-done most of what I talked about in my last post, lo those many months ago. Now there is no domain controller, though it may return someday when I have more time to really learn it. It was an interesting exercise and not hard to get setup initially, but I found I really needed focus on other things first.

I finally added a home-built pfSense firewall/router as the gateway for my network. It is connected to my ISP fiber modem and everything else goes from there. I've been learning about VLANs and have set up a couple in pfSense and my old MikroTik RB260GS switch.

I've been learning about Cisco as well and am fortunate to have a couple of old Cisco switches a friend gave me. I can hook them up when I need to, though they're both a little too noisy and power hungry to use all the time on my little home network. Those fans really get going at times, so I only power them up if I plan to spend some time in Cisco training.

I still have my Proxmox virtual machine server running and I've been trying out several different things using VMs on it. Most recently I set up a NextCloud server, a Guacamole server and a Cloudflare Argo tunnel so I can reach NextCloud and Guacamole from anywhere. Finally, the VM I was using as a file server was getting a little unstable for some reason, so I created a new one to replace it and then removed the old one after migrating all the stored files off it.

I'm off for a couple weeks now since the college is closed for break, so I'm sure I'll work on some more of this stuff soon. I'll try to do a more timely job of posting about it, but I make no promises I can't keep.

Monday, May 30, 2022

Setting up My Learning Environment

First, welcome to my renamed blog. I couldn't think of a good name for the blog years ago when I first started so I just settled for the most boring name I could think of, "Digital Forensics Blog". Granted, that was the main focus but it was just boring. A while back, I tweeted that I was looking for a better name. Phill Moore suggested Pryor Knowledge which I liked, but I decided to change it to No Pryor Knowledge. As I said in my last post, the focus will be a little wider here now but I'll still talk about forensics sometimes while other topics will also be featured as well. So, on with the post.

Not sure if this is a good thing or a bad thing, but I have many different interests when it comes to tech. My first love was just learning anything I could about repairing computers. Later I fell deeply for digital forensics and was fortunate to have the opportunity to learn from people like Mark McKinnon, Luby Novitovic, Harlan Carvey, Rob Lee, Jimmie Weg, Ali Hadi and so many others. Forensics held my full attention for a good while and is still a great interest. I still do forensic CTFs from time to time and always enjoy learning from them.

Later, I got really interested in security and blue team ops. I've watched countless security related videos and worked through online training environments like TryHackMe and Rangeforce. These things too are still of great interest to me.

I eventually worked my way around full circle to my enjoyment of just doing builds and repairs, with the addition of servers and networking. I recently got a job that allows me to work in those areas every day and I'm loving it.

While I'm not in charge of the servers or network, I am frequently involved in work related to those things. I wanted to learn more about networking, servers, Active Directory and Group Policy. I've watched videos, but I learn a lot more from watching the videos, reading books or blog posts and then doing hands-on work. This led me to set up a new learning environment at home.

I set up a Proxmox Virtual Environment (PVE) server on an old computer and connected it to my home network. I then set up a Proxmox Backup Server (PBS) on a separate computer. I wanted a separate device maintaining all the backups I knew I'd be making of my virtual machines.

Once that was all in place, it was time to set up my own local domain. I certainly didn't "need" a domain for my home network but it's nice having it as a learning environment that I can restore from backup anytime I mess it up.

I decided to build a domain controller with the Zentyal Linux distribution. Zentyal lets you set up a controller compatible with Microsoft Windows Active Directory, which means you can administer your Active Directory environment with the usual Windows tools from a Windows machine instead of having to work in Linux. I thought this was my best option because Zentyal is free to use (there are paid subscription plans as well) and I could still administer it with the tools available from Microsoft.

I decided my domain controller would exist as a virtual machine instead of running yet another computer. I downloaded the Zentyal ISO to Proxmox storage and then created the new machine. I gave it 6 gigabytes of RAM and a 250 gigabyte virtual hard disk. That was more than enough disk space, but I'd really like to have a little more RAM available for it. Still, it works pretty well for my home network. It would need a lot more RAM if it were a production network for a business. I'll go over the setup of my domain in greater detail in a future post.

In addition to the domain controller, I also set up another virtual machine on PVE to use as a file server. This VM is an Ubuntu Linux Server and I use it for simple file storage as well as using it for a DNS server for my network with Pi-Hole. I have a second install of Pi-Hole running on a Raspberry Pi and duplicate my settings between the two. I have both of them set up as DNS forwarders in my domain controller and they take care of that mission plus blocking ads too.

I still have very much to learn. I've just barely scratched the surface of working with AD and Group Policy. It's fun learning new stuff and getting a better understanding of what our admins are doing at work. My future plans include adding a pfSense or OPNsense router/firewall to my network to learn more about networking and VLANs.

I'll end this here for now. I have a lot of ideas for future posts and will hopefully be back with another one soon.

Saturday, May 14, 2022

Ch Ch Ch Changes

I came back to this blog a little over a year ago or so thinking I'd really get back into writing. I was missing talking, thinking, doing and writing about forensics. I still do miss all those things but it seemed like I just couldn't find the time to really do anything about it. My job consumed so much of my time and energy that there just wasn't much left for anything else. My last post here was nearly a year ago.

Since then, life has taken a very positive turn. I enjoyed the work I was doing in the home improvement store electrical department but it wasn't really where my heart was. I knew I still wanted to be working in some type of tech-related job but I didn't see much chance for that. That changed back in February when I fell into a job I absolutely love. My daughter texted me about an IT technician job at our local community college she'd seen posted. I taught an introductory computer forensics course there a few years back and knew it was a great place to work.

My first thought upon receiving the text from my daughter was "I've got to apply for this now!" The second thought came from my ever present self doubt saying "they'll never want to hire me" and I proceeded to forget about the job for a while. A few days, maybe a week later I decided to go ahead and take a chance and apply. Much to my surprise and delight I was called for an interview. A few hours later I got a call offering me the job and I immediately accepted.

I had no experience working with IT on this level before, so it's been a fun learning experience so far. While I ran my own part-time IT business for many years, my clientele was largely home based with just one or two computers or other devices. In this new job I'm enjoying learning about working with computers and other devices on a large network. To help me learn about things like Active Directory and Group Policy I decided to set up a domain on my home network. I've got that up and running now and will be doing a new post about that "soon".

My plan at this time is to start blogging more but broaden the subject range. While I will still write about digital forensic topics from time to time, I'm also going to write about other tech stuff that I'm learning and doing.

So I'm wondering if my blog needs a different name. It currently has the most boring name I could think of and it would be nice to change it. Someone suggested I change it to "Pryor Knowledge" a while back (EDIT: It was Phill Moore who suggested Pryor Knowledge...thanks Phill!)

I considered that but came to the conclusion that "No Pryor Knowledge" might be more appropriate. If you've got a good name for the blog, make a comment below and let me know!

Sunday, June 6, 2021

Training! Cyber5W, CyberDefenders and more

Hello all, thanks for looking in.

As I continue trying to figure out what I want to be if/when I grow up, I'm finding so many awesome learning resources, including websites that offer basic introductions to DFIR and other infosec topics along with sites that have challenges to work through. I mentioned in an earlier post that I was considering a move toward learning to be a SOC analyst and that is still a possibility, though not my final goal. I hope one day to qualify for a digital forensic role with some company and I'm trying to learn all I can to make that happen. While I've been working on blue team training and exercises, I keep seeing amazing DFIR training opportunities and find I'm spending a lot more time on them than anything else at the moment.

I've recently started working on challenges at CyberDefenders. They have a variety of challenges for disk and memory forensics, malware, network traffic analysis and more. I completed a memory forensics challenge there a couple days ago called DumpMe. I had forgotten how much fun it was to work with Volatility. I learned a lot doing the challenge.

As has usually been the case for me, my training budget is mostly non-existent so I'm always on the lookout for low cost/no cost learning opportunities. I saw mention of a new training site while viewing my Twitter feed a couple weeks ago and I'm excited to see this site develop.

The Cyber5W Academy has multiple low cost and no cost training courses available. The 5W part of the name alludes to "who, what, where, when and why". The site is run by Professor Ali Hadi, Ph.D., who also teaches forensics and security courses at Champlain College. Cyber5W offers digital forensic consulting and on-site training as well.

The courses are broken down into three categories: Intro to Forensics, Windows Forensics and Linux Forensics. Quite a few courses are already available and many more are under development. All courses at the time of this post are either free or $50. The courses are online PDF based and include instruction, hands on exercises and the occasional quiz. Each course provides a certificate of completion as well.

I've been working my way through the Intro courses as I try to find my way to a DFIR role somewhere. They are helping me remember so much of what I've forgotten over the 5 years since I last did any forensic work. They are also introducing new ideas and helping me get up to speed on what is the current norm for forensic investigations. I especially liked the digital forensic reporting course, as reporting has always been something I enjoy. I intend to work my way through the available courses in all three categories.

I contacted Ali Hadi to thank him for this great learning opportunity and asked if he would tell me about his motivation for creating the Cyber5W Academy. He kindly replied and allowed me to share his thoughts here on the blog.

"The Nobel Prize for an educator is seeing his students being successful. There is literally nothing better than that and those success stories are prizes I love to collect. Now, currently teaching at Champlain College allows me to engage with how many students per year? A hundred, two hundred, triple that number? It's good, I'm grateful, but still not much! But what if I am able to teach and engage with thousands around the world? That's a great motivation! This is not the first educational organization that I have established, there are others, and they all share the same core goal: 'helping others'."

Ali has created courses on other sites as well, including Hacking Techniques and Intrusion Detection, Digital Forensics Professional and Malware Analysis. He also has Offensive Software Exploitation and other great material on his YouTube channel.

"I've received so much positive feedback, thank you and appreciation messages, network connection requests, etc., which I'm very happy about, that I was able to help those students advance in their careers, but also grateful for the opportunity. I thought now is the time in my career to start my own path and focus on something that I really love, which is teaching Digital Forensics."

He views Cyber5W as a way for him to help others, notably including those with little money to spend on quality training.

"I do not want money to be a barrier for those who want to learn; I want to help as much as I can. Another important aspect is the world is now so dependent on technology, and this means more abuse/crime/incidents/etc. are going to happen. Unfortunately, that's true, so we need more investigators/fighters, we need more people to make this world a better place for our beloved ones. Therefore, I hope C5W will be able to encourage new people to start their DFIR journey, raise more awareness of DFIR, increase the DFIR community members, and also be a resource they can all depend on!"

I'm looking very forward to seeing what all Ali has in store for Cyber5W. I'm having fun learning from his courses and can't wait to see what's next.

One other course I just purchased yesterday and plan to start working on soon is Cyber Security Incident Response: Wannacry Ransomware. The course is on Udemy and was authored by Balazs Lendvay.

The course is designed to teach the following (list taken from the Udemy course page):

  1. Investigate and understand the behavior of the Wannacry ransomware in a lab environment using your own computer if you will.
  2. Triage and identify indicators of compromise.
  3. Live analysis of the infected lab machine for Windows artifacts.
  4. Static analysis of the identified executable and artifacts.
  5. Sandbox analysis of the malicious activity, including network activity, processes, services, autoruns.
  6. Create a summary report of the incident and identify remediation recommendations.

I've always liked learning about malware analysis, so it should be a lot of fun working through this course.

By the way, have you noticed how I keep mentioning the word "fun"? That's because learning is fun and it's my hope that more people will come to realize that. I'm very grateful to the people behind all these low cost and no cost courses for making this kind of fun available.

And with that, I will end this post. Hope to be back soon with some more cool stuff.

Saturday, April 3, 2021

Running Remnux on a Proxmox Server

One of the techy things I really enjoy is working with virtual machines. I decided to set up a VM server a while back. There are several to pick from, but just for the sake of learning something new I set up a Proxmox Virtual Environment. While the computer I installed it on is ancient (AMD Phenom X4 965 with 8GB RAM), it still seems to run pretty well. I've been running two different Ubuntu server VMs on it since then. One is a Minecraft server for the grandkids and friends (and maybe me too) while the other is a simple file server. I also have one Windows virtual machine on there, but rarely use it.

Today, I started the Performing Malware Analysis on Malicious Documents course by Tyler Hudak on Pluralsight. The course makes use of the great Remnux Linux virtual machine by Lenny Zeltser. For those unfamiliar (if any such person exists), Remnux is a distro dedicated to malware analysis and comes with tons of malware analysis tools. Instead of adding Remnux to my nearly full laptop hard drive (too many other VM's taking up space), I decided to run it from my Proxmox server instead.

Remnux is available for download as a .ova file. The ova file is simply an archive (a tar file) containing other files. The files within the ova can be extracted with tar or 7zip (I used the 7z command line version). The only file within that we care about for this situation is the .vmdk virtual hard drive file. I went on to the next step while waiting for the vmdk to be extracted. I should note that what I describe below should apply to most any ova file. I just happened to be using Remnux.

Importing a virtual machine from an ova file to Proxmox isn't exactly a straightforward thing to do, but if you don't mind spending a bit of time getting it ready it will work just fine. I'll talk about one issue I encountered later in this post.

The first step over on the Proxmox server is creating a new virtual machine. I won't go through the entire process of doing this, as there are plenty of other guides out there explaining it. However, during the creation process you are asked to create a new hard drive. Go ahead and do it, although we'll delete it later. I created the machine with a virtual dual-core processor, 4GB of RAM, a 10GB hard drive and accepted the default settings for everything else.

Upon creating the VM, it was assigned an ID of 103. This meant that the temporary hard drive I mentioned above was created at /var/lib/vz/images/103 on the server. That temporary hard drive was created only so that this directory would exist. This is where the Remnux vmdk we extracted earlier needs to be placed for the next step.

To get it there, I uploaded the vmdk from my laptop to the Proxmox server using the scp (Secure Copy) command. The syntax for the upload looks like this: scp <file-to-upload> <user@ipaddress:/path-to-folder>. In my case, it looked like scp remnux-v7-focal-disk1.vmdk root@192.168.x.x:/var/lib/vz/images/103. With that done, it's time to switch over to the Proxmox server view page located at <server-IP-address> port 8006 and start working in a shell (see pic).

Remember, you're logged in here as root so be careful if you're not really up on working at the Linux command line.

Upon logging in to the Proxmox page and going to the shell, we need to navigate to the directory mentioned above where our hard drive was uploaded to. Once there, we can just delete that temporary hard drive we created with a simple rm <filename>. In this case, it was rm vm-103-disk-0.qcow2. That leaves us with only the vmdk file still in the directory. Now, we have to convert it for use with Proxmox.

Still working from the command line, we need to type the following command: qm importdisk 103 remnux-v7-focal-disk1.vmdk local -format qcow2. The 103 in all of that of course is our machine ID. The command will convert our disk file from a vmdk to a qcow2. Qcow2 is a file format for QEMU virtual machines. Upon completion of the conversion, we are left with the original vmdk file and the newly created vm-103-disk-0.qcow2. We can now safely delete the vmdk as we won't be needing it anymore.

Now we go to the hardware settings for our new VM. We'll need to add our new hard drive to the machine. You'll see it listed as an unused hard drive. Double click it and check your settings. Once satisfied, you can click Add and it will be attached to your VM. In my case, I set the drive as a SCSI device and clicked Add. My hardware settings are pictured below.

Next I clicked options (see pic) and double clicked the boot order setting. I clicked the check box to enable the hard drive and then dragged it to the top of the boot order.

We're done! Well, almost. After getting the boot order set, I switched to console view and clicked Start to boot the VM. In the console I was greeted with...a black screen. That's it. A little troubleshooting led me to change the display settings in the VM hardware from default to VMWare compatible and finally I got to the Remnux desktop.

Finally, once on the Remnux desktop, we need to enable networking so we can update. At the Bash prompt in the terminal, we type sudo ifconfig ens18 up. Actually, type sudo ifconfig -a to make sure yours shows up at ens18 as well and adjust accordingly. It didn't pick up an IP address at first in my case, so I typed sudo dhclient ens18 and the IP was set. After that, it was just a matter of running sudo apt update and sudo apt upgrade to get things updated.
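The whole procedure above, from inspecting the ova to the import command, as an added shell example that is not part of the original post. As the post notes, the steps apply to most any ova, so the script is written for a generic ova rather than only the Remnux one. Assumed values: VM ID 103, the "local" storage and the /var/lib/vz/images/<id> directory from the post; the Proxmox host address and the expected checksum are placeholders. Nothing is copied to the Proxmox host: the script only prints the scp and qm importdisk commands it would run, so the names and paths can be checked before you run them on the server as root. The checksum check is an addition to the post's steps; compare the download against the checksum the image publisher provides before importing a third-party appliance.

```shell
#!/bin/sh
# Added example (not from the blog post). Inspects an OVA, pulls out the
# .vmdk, and prints the upload and import commands the post describes.
# Hypothetical values: VM ID 103, storage "local", host 192.168.0.10,
# and a placeholder checksum. Commands that touch the Proxmox host are
# only printed, never executed, by this script.
set -eu

# An OVA is a plain tar archive, so tar -tf lists its members without
# extracting anything. Prints the .vmdk member name(s), one per line.
find_vmdk_in_ova() {
    tar -tf "$1" | grep -i '\.vmdk$' || true
}

# Extract only the named .vmdk member into a directory; prints its path.
extract_vmdk() {
    # $1 = ova file, $2 = member name, $3 = destination directory
    tar -xf "$1" -C "$3" "$2"
    printf '%s/%s\n' "$3" "$2"
}

# Compare the OVA's SHA-256 with the digest published for it. Returns 0 on
# a match and 1 otherwise, so a corrupted or substituted download stops
# the import before anything lands on the hypervisor.
verify_ova_sha256() {
    # $1 = file, $2 = expected hex digest
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$1" | cut -d' ' -f1)
    else
        actual=$(shasam_fallback "$1")
    fi
    [ "$actual" = "$2" ]
}
# Used only on systems without sha256sum (e.g. macOS); same output format.
shasam_fallback() { shasum -a 256 "$1" | cut -d' ' -f1; }

# The scp command that uploads the disk into the VM's image directory.
build_scp_cmd() {
    # $1 = vmdk path, $2 = Proxmox host, $3 = VM ID
    printf 'scp %s root@%s:/var/lib/vz/images/%s/\n' "$1" "$2" "$3"
}

# The qm importdisk command from the post (long-option form of --format).
build_import_cmd() {
    # $1 = VM ID, $2 = vmdk file name, $3 = storage name
    printf 'qm importdisk %s %s %s --format qcow2\n' "$1" "$2" "$3"
}

# --- constructed demo: a fake OVA so the script runs offline ---
work=$(mktemp -d)
printf 'not a real disk image\n' > "$work/demo-disk1.vmdk"
printf '<Envelope/>\n' > "$work/demo.ovf"
tar -cf "$work/demo.ova" -C "$work" demo.ovf demo-disk1.vmdk

# PLACEHOLDER: replace with the digest the image publisher lists.
expected='0000000000000000000000000000000000000000000000000000000000000000'
if verify_ova_sha256 "$work/demo.ova" "$expected"; then
    echo "checksum OK"
else
    echo "checksum MISMATCH: do not import this file (expected for the demo)"
fi

member=$(find_vmdk_in_ova "$work/demo.ova" | head -n 1)
vmdk=$(extract_vmdk "$work/demo.ova" "$member" "$work")
echo "disk to upload: $vmdk"
echo "commands to run (from the laptop, then from the Proxmox shell):"
build_scp_cmd "$vmdk" 192.168.0.10 103
build_import_cmd 103 "$member" local
rm -rf "$work"
```

Real runs keep the same flow: list the ova, confirm exactly one .vmdk came out, check the digest, then copy the printed scp line to the laptop and the qm importdisk line to the Proxmox shell, where the temporary qcow2 is removed first as the post describes.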

If you have any questions or if I got something wrong or left something out, please comment below and I'll take care of it. Have a great day!


Friday, March 19, 2021

Feeling kinda blue (team)

Hello all! It took me much longer than I had planned to post again, but life has a way of keeping one busy. Between extra crazy hours at work, spending two weeks in bed "enjoying" the Covid-19 experience and otherwise just being busy as heck, I'm finally back to write a little.

In my last post, I said that I felt like it was unlikely I'd work in a digital forensics or any other security role ever again. I just didn't feel like I had a real chance to do anything in the field again. However, thanks to a lot of encouragement from a good friend, I'm studying and hoping to land a job as an entry-level SOC analyst. The work seems very interesting to me and I believe it's something I would love.

Just like my earlier days getting into digital forensics, the ol' budget is pretty much nothing, so I'm actively searching out free and low cost training opportunities. The best source I've found for information on free and low cost training is the DFIR Diva site. Along with her training information pages, Elan has so much more on the site that helps security noobs and veterans as well. I nominated her site for the DFIR Resource of the Year Forensic 4:cast Award and I hope you will too. There are so many great resources out there, but I think this one deserves recognition for its fantastic wealth of information for those new or returning to the field.

One fantastic training I attended last month was the SOC Core Skills course taught by John Strand. This is a 16 hour (4 hours per day, 4 days) class that teaches entry level folks the basics they need to work in a SOC. It includes both lecture and labs. From the course info page, here's what the class teaches:

  1. Core networking skills
  2. Live Windows Forensics
  3. Live Linux Forensics
  4. Memory Forensics
  5. Active Directory Analysis
  6. Network Threat Hunting
  7. Basics of Vulnerability Management
  8. The Incident Response Process

The class is "pay what you can", so there is no reason for anyone to say they can't afford it. I was very impressed with the quality of the training. A Windows virtual machine is used in the course and it has all the lab materials. The lab materials are frequently updated.

Another opportunity I'm taking advantage of is the community version of Rangeforce. This free version of the site includes 20 course modules covering such things as Splunk, Docker, regular expressions, Kubernetes and so much more. This is an incredible resource and I'm learning a lot from it. The modules are taught in virtual machines so you can do hands on learning. I absolutely love this site and encourage you to give it a look.

I'm also training on the TryHackMe site. Like Rangeforce, there is free and paid training available and it too uses virtual machines in the browser to perform the labs. I'm having a lot of fun with this site too. I'm enrolled in the free Cyber Defense path which includes modules like Intro to Networking, Network Services, Active Directory Basics and more.

I've spent a little time on LetsDefend.IO. This site simulates working in a SOC environment and does it pretty well. I've worked through the free exercises and plan to subscribe soon so that I can do more.

Finally, a great video resource I've found is the YouTube channel of Gerald Auger called Simply Cyber. He does a lot of great videos on getting into Cyber Security.

So that's all I've got for now. My progress through all of this is pretty slow, given my work schedule. When I have free time, I spend a lot of it working through this excellent training and look forward to finding more. Hope you all are well and thanks for reading!

Saturday, October 10, 2020

Where the heck have I been?

In the unlikely chance that someone will read this, I thought I'd just say hello and talk about what I've been doing since my last post nearly two years ago. Since then, I've disappeared from and then reappeared on social media and gotten a new job.

I'm currently in a job completely unrelated to anything I've ever done before. I'm working for a national home improvement store chain in the electrical department. I've learned so much about home electrical wiring and everything that goes with it and I'm really enjoying it. The hours are pretty crazy, but the work is usually enjoyable. After almost 4 years of retirement, I needed to get off my butt and do something productive again.

With all that said, I've recently started re-engaging with the DFIR world. This is because I missed learning cool new things and then experimenting with them on my own. From the first time I ever learned about digital forensics, I've been fascinated by it and all the different things that fall under the DFIR umbrella.

More importantly, I've missed the people. I made a lot of good friends over the years and I've lost touch with them for the most part, which I truly hate. So I've started trying to get back in touch with old friends and hope they're interested in being back in touch with me.

While I don't know if it's likely I'll ever work in any DFIR related job again, I still want to stay engaged with it. I love it and it's good for the brain to keep learning. That's why I've signed up for some free training courses and am working through them at the moment.

The courses I'm currently taking are both from Basis Technology. One is an introductory course called Intro to DFIR: The Divide and Conquer Process. The other Basis Tech course I'm taking is Autopsy Basics and Hands On. Both courses are online. I'm learning new investigative concepts, as well as being reminded of things I used to know and had forgotten about. I'm grateful to Basis for making these courses available.

My current plan, such as it is, is to continue these courses just to get my mind active on the subject(s) of DFIR. I've already started realizing just how much I've forgotten and how much has changed over the last few years. I'm excited to be thinking about these topics again. 

I reopened this blog in hopes it will prompt me to continue learning and writing about what I've learned. I always enjoyed writing and have missed doing it on a regular basis.

Be well and I'll be back with another post soon.