DEV Community

Cover image for #DAY 1: DFIR Lab Setup
Samuel Adeduntan
Samuel Adeduntan

Posted on

#DAY 1: DFIR Lab Setup

#dfirlab #cybersecuritylab #digitalforensics #incidentresponse

How I prepared my toolkit and mindset for a week-long SOC and Digital Forensics challenge.

The Mindset - Prepare to Perform

  • There is a limit to the usefulness of theory. The real learning happens when you dig into packets, decode log entries, and follow leads through a disk image. I was overjoyed to take part in the week-long SOC and DFIR competition known as HackSecure Secure Track.
  • The Crucial Takeaway: Troubleshooting tool installations on the first day of a competition is the fastest way to lose momentum.
  • My objective for 'Pre-Day 0' is to remove any technical barriers in advance. My lab would be a specialized area where my ability, not my setup, would be the only variable.

Choosing Your SIEM - The SOC's Brain

What is a SIEM?
A contemporary SOC is built around a Security Information and Event Management (SIEM) system. It is the "central pane of glass" where logs from all systems—servers, networks, and endpoints—are combined, compared, and risks are examined.

Splunk Enterprise (Free Version) is what I would choose.
What makes Splunk? SPL, its robust query language, is a standard in the industry. Being proficient in this area is quite beneficial.

What's the Free Version for? It can process up to 500MB of data per day, which is more than sufficient for most challenging situations and a personal lab. Despite having this daily data cap, it is completely functional.

Downloading Splunk Enterprise

Step 1: Navigate to the Splunk Website

Go to the official Splunk website and find the "Download Splunk Enterprise page.

Step 2: Select the Correct Package
Since my host machine is Windows 10/11, I selected the Windows MSI installer.

screenshot1

Creat Account

I need to create an account to download the free version. Simply accept the license agreement and download.

screenshot2

Installing Splunk Enterprise

screenshot3

Run the Installer
Execute the downloaded MSI file. The installation wizard is straightforward.
Accept the license agreement.
Choose the installation directory. The default is usually fine (C:\Program Files\Splunk).

Complete Setup
The installer will set up all necessary services. Once finished, Splunk will be running as a service on your machine.

Accessing the Splunk Enterprise
First Access
Open your web browser and go to http://localhost:8000
The first-time login credentials are:
Username: admin
Password: xxxxxxxx

screenshot4

Recognizing the Data Collector, or Universal Forwarder
What is Universal Forwarder?
One function of the Universal Forwarder (UF), a lightweight, specialized Splunk version, is to dependably gather data from a source machine and forward it to your primary Splunk server (the Indexer).

why do I need it?
The server that generates logs is not where you would examine them in a real lab. They would go to your central SIEM. The agent you install on Windows, Linux, and macOS computers to import their data into Splunk is called the UF.

Is it necessary for a basic lab?
You may monitor files using Splunk's built-in inputs for a simple setup on a single machine. Nonetheless, setting up and designing a UF is advised for a more realistic lab and is an essential professional skill.

The Splunk Enterprise Dashboard

screenshot5

Setting Up and Configuring a Conceptual Universal Forwarder

  • Download the UF first: I downloaded the Splunk Universal Forwarder package for Windows from the same Splunk download page.
  • Install the UF: I launch the installation on the Windows server virtual machine that I wish to watch. I gave it instructions on where to pass the data during installation.

screenshot6

Setting up the Forwarder
First, install on a cloud instance, establish a credential. This is not the same as the setup credentials you use for both cloud and enterprise Splunk.

screenshot7

Server deployment with a universal forwarder

screenshot8

Setting up

screenshot9

Setting up the Windows credentials
UF Configuration (Critical Step)

  • The UF-installed computer's command line interface (CLI) is used for this.
    • A PowerShell or Administrator Command Prompt should open.
    • To access the bin directory of the UF, use cd "C:\Program Files\SplunkUniversalForwarder\bin" for example.

screenshot10

Find the path to the Splunk executable file.
A folder named "splunk universal forwarder" will be created for you after a forwarder has been installed.

screenshot11

Type "dir" into the prompt on the same directory.

screenshot11

Installing Splunk.exe in Powershell
type the following command on the powershell as an admin: splunk.ex app c:\user\samueladeduntan.COTI\Desktop\splunkclouduf.spl

screenshot12

Restart the forwarder
To restart the forwarder use this command:
.\splunk.exe restart

screenshot13

Check the status
To check the status of the forwarder use this command:
.\splunk.exe status

screenshot13

Verifying the Configuration and Next Actions
How to Check if it Worked:

  • On the main Splunk server (localhost:8000), log in.
  • Click on Search & Reporting.
  • Run a basic search: index=* | head 100
  • This searches all data indexes and returns the first 100 events. Which shows Data is flowing.

The lab is now ready for you!
You have a functional core for your SOC. Future planning ought to incorporate:

  • Including practice data as an example.
  • Creating dashboards and notifications.
  • Adding other forensic tools to your workflow, such as Autopsy, Wireshark, and Volatility.

Top comments (0)