Everything Felt Wrong
Everything felt wrong: who books a plane trip on the same day? The next two hours were a mad rush, preparing for the chaos ahead. This wasn't the usual day-to-day; in fact, it's quite rare to head onsite for an engagement. I was heading onsite to assist with recovery from a ransomware attack that had brought a business to a standstill. The entire organisation's network had been encrypted, virtual disks included. The task was to rebuild the entire environment. As all this raced through my mind, a nagging doubt lingered: I had never built a server for an organisation before.
I worked tirelessly, rebuilding the environment. It was an intense, exhausting process, but all this reminded me of something incredibly important: the value of home labs. As I neared the end of building the environment, I realized just how crucial all those hours I spent tinkering and building out my different home labs were. The many hours had given me not only the skills but also the confidence to handle this high-stakes situation effectively. Never underestimate the value of home labs.
Freedom to Experiment
Home labs are discussed a lot across the industry! They appear in YouTube videos, blogs and even interview questions. A home lab is an environment where you can safely practise and grow your skills without the worry of damaging a production corporate environment. In most cases, the consequence of a major mistake is simply rebuilding the system, which would be a nightmare in a real-world scenario.
A home lab offers the freedom to experiment and make mistakes without real-world consequences.
In the earlier days of my career, home labs came across as something complex and expensive. I was watching videos and hearing about other labs that involved full servers and networking setups. I've learnt that a home lab doesn't need to be this; it can be practical and straightforward without a significant financial investment. Of course, dreaming about an advanced setup is always fun. This is a reminder that it does not need to be fancy to be effective. The goal is to solve a specific problem and learn along the way.
A home lab does not need to be fancy to be effective.
The main thing to stress here is that there is no one right way to run a home lab. It is all about what works for you. This is what is currently working for me, and it has taken me a while to get here. Your setup will always be changing, so there is no rush to get it right straight away. Start with what you need now, learn, and build upon it.
Objectives
My home lab aims to simulate a typical corporate environment with the main components you'd find in such a setting, plus a few forensic-focused systems. At a high level, this is what I currently want my home lab to achieve:
- Be able to run on a single computer.
- Support isolation and network segmentation.
- Quick to rebuild: restoring or rebuilding a single system should not take hours.
- Tooling and case files centrally stored.
Software and Tools
I've opted to use VirtualBox, which has provided me with everything I need. While it doesn't have all the features of other solutions, it offers a straightforward setup. I've enjoyed the shared folders feature, through which I've mounted a drive containing most of my forensic tools and a folder for case data. This comes in handy when using snapshots: because the shared folders live on the host, reverting a VM to a previous state when something goes wrong does not lose work or tools. The flip side is that a shared folder is a host-guest channel, so it is best left off any VM in which untrusted code is executed, such as the malware analysis machine.
Virtual Machines
Here's a breakdown of the machines in my current setup. Not all the machines are powered on at the same time; each serves a purpose and is powered on as needed.

| Virtual Machine | Operating System | Notes |
|---|---|---|
| Firewall | pfSense | Segments the lab and applies restrictions to network traffic. This is achieved through several interfaces, one per group of virtual machines. For example, there is an interface for workstations and one for servers, each with the relevant rules applied. |
| Domain Controller | Windows Server 2022 | Manages domain services including Active Directory, DHCP, and DNS. Incredibly useful when playing around with domain services and simulating various scenarios against a Domain Controller. |
| Windows Workstation 1 | Windows 10 | A generic user workstation for testing scripts and tools. This is useful for simulating various actions that may be performed by a Threat Actor on a workstation. |
| Windows Workstation 2 | Windows 11 | A second user workstation for testing scripts and tools. Similar to the above, useful for simulating actions typically performed by a Threat Actor, but on Windows 11 or across two workstations. |
| Linux Workstation | Ubuntu | A generic Linux workstation for testing scripts and tools. |
| Kali Linux | Kali Linux | A Linux distribution used for penetration testing. This machine comes in handy when simulating a Threat Actor or simply testing out red team tools. |
| Forensic Workstation | Windows 11 | The main machine I work from, dedicated to forensic analysis and investigations. |
| Flare VM | Flare VM / Windows 11 | A Windows-based virtual machine for malware analysis built by Mandiant. This machine has no network adapter attached and can be used for basic malware analysis. |
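The table describes the inventory but not how to reproduce it, and the "quick to rebuild" objective is easiest to meet when the whole lab is scripted. The script below is an added example, not code from the original post: it recreates the inventory above with VBoxManage, using VirtualBox internal networks for the segments pfSense routes between, a NIC-less Flare VM, and the tools/cases shared folders attached only to the forensic workstation. Everything not in the table is an assumption made for the example: the VM names, the internal network names (`lab-servers`, `lab-workstations`, `lab-attack`), the OS type identifiers, the memory, CPU and disk sizes, and the host paths under `$LAB_ROOT`.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): scripts the VM inventory above
# with VBoxManage so a wiped lab can be re-created in minutes.
# Assumptions: VM names, internal-network names, OS type identifiers, sizes and
# the host paths below are placeholders chosen for this example.
set -eu

: "${DRY_RUN:=0}"                       # DRY_RUN=1 prints commands instead of running them
: "${LAB_ROOT:=${HOME:-/tmp}/lab}"      # assumed host directory for disks, tools and cases
TOOLS_DIR="$LAB_ROOT/tools"             # forensic tools, mounted read-only in guests
CASES_DIR="$LAB_ROOT/cases"             # case data, mounted read-write
VM_DIR="$LAB_ROOT/vms"                  # where the .vdi files are created

# Run or print a VBoxManage command depending on DRY_RUN.
vbm() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'VBoxManage %s\n' "$*"
  else
    VBoxManage "$@"
  fi
}

# create_vm NAME OSTYPE MEM_MB CPUS DISK_MB NIC...
# Each NIC spec is "nat", "none" or "intnet:<network>" and is applied to
# --nic1, --nic2, ... in order. An internal network (intnet) carries no traffic
# to the host or the outside world unless a VM on it (here, pfSense) routes it.
create_vm() {
  name="$1"; ostype="$2"; mem="$3"; cpus="$4"; disk="$5"; shift 5
  vbm createvm --name "$name" --ostype "$ostype" --register
  vbm modifyvm "$name" --memory "$mem" --cpus "$cpus"
  vbm createmedium disk --filename "$VM_DIR/$name.vdi" --size "$disk"
  vbm storagectl "$name" --name SATA --add sata --controller IntelAhci
  vbm storageattach "$name" --storagectl SATA --port 0 --device 0 --type hdd --medium "$VM_DIR/$name.vdi"
  i=1
  for spec in "$@"; do
    case "$spec" in
      none)     vbm modifyvm "$name" "--nic$i" none ;;
      nat)      vbm modifyvm "$name" "--nic$i" nat ;;
      intnet:*) vbm modifyvm "$name" "--nic$i" intnet "--intnet$i" "${spec#intnet:}" ;;
      *)        echo "unknown NIC spec: $spec" >&2; return 1 ;;
    esac
    i=$((i + 1))
  done
}

# Attach the shared tools (read-only) and cases (read-write) folders.
# Both live on the host, so a snapshot revert never touches them.
# Never call this for a VM that executes untrusted samples: a shared folder is a
# host-guest channel, which is why the Flare VM below gets neither NIC nor shares.
add_shares() {
  name="$1"
  vbm sharedfolder add "$name" --name tools --hostpath "$TOOLS_DIR" --readonly --automount
  vbm sharedfolder add "$name" --name cases --hostpath "$CASES_DIR" --automount
}

# Take the known-good snapshot; run once the OS and baseline config are installed.
baseline() {
  vbm snapshot "$1" take clean-baseline --description "fresh install, before any testing"
}

# The lab: pfSense fronts three internal segments (WAN via NAT on nic1);
# everything else sits behind it, except the two deliberately offline machines.
build_lab() {
  create_vm firewall             FreeBSD_64     1024 1 8192   nat intnet:lab-servers intnet:lab-workstations intnet:lab-attack
  create_vm dc01                 Windows2022_64 4096 2 61440  intnet:lab-servers
  create_vm ws01-win10           Windows10_64   4096 2 61440  intnet:lab-workstations
  create_vm ws02-win11           Windows11_64   4096 2 61440  intnet:lab-workstations
  create_vm ws03-ubuntu          Ubuntu_64      2048 2 30720  intnet:lab-workstations
  create_vm kali                 Debian_64      4096 2 61440  intnet:lab-attack
  create_vm forensic-workstation Windows11_64   8192 4 122880 none   # offline: evidence and tools arrive via the shares
  create_vm flare-vm             Windows11_64   4096 2 81920  none   # offline and no shares: samples run here
  add_shares forensic-workstation
}

if [ "${1:-}" = "build" ]; then
  build_lab
fi
```

Run `DRY_RUN=1 ./lab.sh build` to review the commands first, then `./lab.sh build` to create the machines; after installing each OS from its ISO, `baseline <vm>` takes the snapshot to revert to when an experiment goes wrong. Putting the forensic workstation on no network is this example's choice rather than the post's: it keeps the analysis box unreachable from the attack segment, with the case share as the only way evidence gets in.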
Use Case Example
A recent example of the home lab's value was writing the recent blog post on prefetch files. I used Windows Workstation 2 to run 7-Zip and Rclone, simulating data staging and exfiltration. After that, I copied the prefetch file over to the forensic workstation and parsed it with Eric Zimmerman's PECmd. This setup gave me a clean system on which to simulate an end-user device and collect the relevant artifacts.
Conclusion
A home lab doesn’t need to be perfect. Focus on your objectives, start small, and gradually build a setup that works for you. The overarching goal is to learn and enjoy the process. Embrace the journey!
Recommended Resources
- Highly recommend checking out Blue Cape Security's build-your-lab posts, which guide you through creating a basic, medium and advanced lab.
- 13Cubed: What’s on My DFIR Box?