Threat Intelligence / OSINT / NETSEC / NATSEC

RonanVM - Your ready-made OSINT machine + a handful of notes about VMs

TL;DR - If you need a pre-configured virtual machine for your OSINT investigations, look here, where you will find a ready-made system image in OVA format that you can import into VirtualBox and have a clean system ready. There you will also find a list of tools and additional information about the project.

And now the longer version ...

There are two main steps in creating a VM for OSINT purposes:

  1. Selection and installation of the tools we need,
  2. Configuring the system so that we can work on it comfortably while at the same time preserving privacy, as I mentioned in the previous post about OPSEC.

At the same time, it is a highly individual activity that must take into account what exactly we want to do, how we like to keep notes, and so on. However, if we are just starting our adventure with OSINT, we may not yet know what we will need or how to adjust the system. Therefore, to make life easier for everyone who would like to take up OSINT research, I have prepared RonanVM - a system image that you can simply import into the free VirtualBox and have a clean system ready for action. Then you can take a snapshot of it, clone the machine to keep an intact copy in reserve, and if for some reason all of these options fail, simply start over with a fresh import. This way, you can experiment as much as you want without worrying that in the event of a failure you will have to start completely from scratch.

Moving on to the RonanVM functionality itself, it is an Ubuntu 20 system in which I have made some slight modifications to increase privacy and ease of use, and installed software for data collection and analysis. The list of tools and modifications can be found on a dedicated page on counterintelligence.pl, here. So at this point I would like to present some general remarks about virtual machines in OSINT.

The first choice we have to make when creating a virtual machine is the virtualization solution. The two most popular packages are Oracle VirtualBox and VMware Player / Workstation. The main difference between them is the price - VirtualBox is completely free. VMware Player is also available for free, but in this version we do not have access to the snapshot functionality, which from my perspective actually disqualifies it as a free solution: the ability to quickly return to the machine's initial state, and in the case of malware analysis machines, to the state it was in before the sample was run, is essential. However, I must also honestly admit that I myself use VMware in the paid version. In my opinion, VMware Workstation Pro works faster and more stably than VirtualBox, and additionally supports nested virtualization in the created systems - so we can use WSL or Docker images inside a virtualized Windows. These are not critical advantages, though, and the free VirtualBox is an equally sufficient platform. After all, the key feature is the ability to clone and export machines. It is a good habit to clone the system after the initial configuration (as a "clean" system) and then create a new clone for each analysis we are going to run. In this way, the collected materials will be clearly segregated between the machines and we will avoid mistakes such as importing a table from a completely unrelated case into Maltego.

When creating a virtual machine, we must also decide what "hardware" it will have. Hardware in quotation marks, of course, because in fact these will be resources of our physical computer allocated to the needs of the virtual machine. How many resources we can allocate will depend mainly on how powerful our equipment is. A reasonable minimum is to allocate two processor cores to the machine, 4 GB of RAM and 20 GB of disk. Another issue we will have to settle is the way the guest system connects to the Internet. Among the many options that virtualization solutions offer, three seem worth considering:

  1. NAT (Network Address Translation) - the machine will not have its own address on the outside network, but will share the host's address: an internal private network is created, the machine gets an address from the DHCP service of the virtualization solution, and NAT directs traffic accordingly. It is the simplest, usually the least problematic, and the default solution. In addition, it gives us a kind of fallback for link anonymization. If we use a VPN on the host in this configuration, the virtual machine will automatically be included in it. So we can in principle have two VPNs running, and if for some reason the one in the virtual machine fails, the traffic will still go through the host's VPN.
  2. Bridged adapter - in this configuration, the machine uses the physical network adapter that we share with it, so it has its own IP address on the local network and behaves like a separate computer connected "next to" ours.
  3. Internal network - we can also route traffic through another device, e.g. another virtual machine. However, this solution is mainly useful in more specific scenarios - e.g. when we need to capture traffic for analysis during malware analysis.
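Taken together, the steps above (a clean base, a fresh clone per case, the minimum "hardware", NAT networking) can be scripted against VirtualBox's VBoxManage so that every investigation starts from the same snapshot. The script below is an added example and not part of RonanVM or the original post; the base machine name "RonanVM", the OVA path and the snapshot name "clean" are assumptions, and with DRY_RUN=1 it only prints the commands it would run.

```shell
#!/bin/sh
# Added example: per-case VirtualBox workflow with VBoxManage.
# Assumed names: the base VM is "RonanVM", imported from RonanVM.ova,
# and the pristine state is saved as the snapshot "clean".
# With DRY_RUN=1 the commands are printed instead of executed.

BASE_VM="${BASE_VM:-RonanVM}"
OVA="${OVA:-RonanVM.ova}"
CLEAN_SNAP="clean"

vbm() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'VBoxManage %s\n' "$*"
    else
        VBoxManage "$@"
    fi
}

# 1. Import the OVA once, under the base name.
import_base() {
    vbm import "$OVA" --vsys 0 --vmname "$BASE_VM"
}

# 2. The minimum "hardware" from the text plus NAT networking, so the guest
#    rides on the host's link (and the host's VPN, if one is running).
configure_base() {
    vbm modifyvm "$BASE_VM" --cpus 2 --memory 4096 --nic1 nat
}

# 3. Freeze the configured base as the "clean" snapshot.
snapshot_clean() {
    vbm snapshot "$BASE_VM" take "$CLEAN_SNAP" --description "pristine base, no case data"
}

# 4. One full (not linked) clone per investigation, taken from the clean
#    snapshot, so material from different cases never shares a disk.
new_case() {
    vbm clonevm "$BASE_VM" --snapshot "$CLEAN_SNAP" --mode machine \
        --name "case-$1" --register
}

# Usage: ./ronanvm.sh setup     (import, configure, snapshot)
#        ./ronanvm.sh case foo  (creates the VM "case-foo")
case "${1:-}" in
    setup) import_base && configure_base && snapshot_clean ;;
    case)  new_case "$2" ;;
esac
```

A full clone (--mode machine without --options link) costs disk space but keeps each case independent of the base image; if you later modify the base, take a new snapshot and clone from that rather than editing the running case machines.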

As far as a free operating system is concerned, Linux is by far the most popular choice due to the multitude of distributions and the complete openness of the system. However, if someone is determined to use a virtual Windows, it is worth noting that such a system can be downloaded legally and free of charge: Microsoft provides system images for testing Edge and IE 11 compatibility. These images work for 90 days, but Microsoft itself suggests taking a snapshot of the machine and, if necessary, restoring it to its initial state. Windows is an interesting option because thanks to WSL we can have the functionality of both systems in one virtual device. Apart from this slightly more complex option, Linux is perfectly adequate for OSINT work. The choice of distribution depends mainly on whether we require any specific functions and how much we want to configure the system ourselves. I admit that, personally, I am not a big fan of configuring every system element myself, so I use Ubuntu. Ubuntu is very easy to use, has solid support for its development and security patches, and efficiently combines the convenience of a "Windows-like" interface with the power of a Linux terminal. An advantage of the distribution is also its very large user base, which means that if there is a problem, we are probably not the first to encounter it and we will find help on the forums.

From my perspective, the primary work environment of an OSINT analyst is the web browser. It is through the browser that we get access to all the interesting sources, from social networks, through all kinds of databases, to specialized websites providing, for example, satellite imagery. Therefore, the browser must provide functionality that facilitates data retrieval and at the same time take care of privacy. In my opinion, the right balance between security, privacy and functionality is Mozilla Firefox. When it comes to functionality, it goes without saying - the number of extensions available for the browser is really impressive and covers almost everything we could need. As for security, I am aware of the controversy surrounding layoffs in the security team as well as a recent report showing an advantage for Chromium (which probably does not take all the newest mitigations into account); however, I believe that FF provides a sufficient level of security - especially in combination with add-ons such as uBlock, which blocks unwanted elements. And finally, privacy - Firefox is not tied to Google the way Chrome is, telemetry can easily be turned off, and using the configuration editor (about:config) you can also easily turn off, for example, WebRTC - so it looks very positive compared to the others.
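The WebRTC and telemetry switches mentioned above can be baked into the VM's Firefox profile instead of being flipped by hand in about:config, which also makes the setting survive a stray change. The script below is an added example and not part of RonanVM or the original post; it writes a user.js with the relevant preferences into a profile directory you pass in (the profile path is yours to supply, for instance the one listed in ~/.mozilla/firefox/profiles.ini), and a second function checks an existing profile for the WebRTC setting.

```shell
#!/bin/sh
# Added example: pin Firefox privacy preferences via user.js.
# user.js is read on every start and overrides prefs.js, so the settings
# survive accidental changes made in about:config.

# Write the preference file into the given profile directory.
write_userjs() {
    profile="$1"
    cat > "$profile/user.js" <<'EOF'
// WebRTC can reveal the real local/public IP to a site even when traffic
// goes through a VPN; turning it off removes that leak.
user_pref("media.peerconnection.enabled", false);

// Telemetry and health reporting.
user_pref("toolkit.telemetry.unified", false);
user_pref("toolkit.telemetry.enabled", false);
user_pref("toolkit.telemetry.archive.enabled", false);
user_pref("datareporting.healthreport.uploadEnabled", false);
user_pref("datareporting.policy.dataSubmissionEnabled", false);

// Opt out of Shield studies and the Normandy remote pref-rollout channel.
user_pref("app.shield.optoutstudies.enabled", false);
user_pref("app.normandy.enabled", false);
EOF
}

# Return 0 if WebRTC is disabled in the profile's user.js, 1 otherwise.
# A quick pre-flight check before starting an investigation.
webrtc_disabled() {
    grep -q '^user_pref("media.peerconnection.enabled", false);' "$1/user.js" 2>/dev/null
}

# Usage: ./firefox-prefs.sh ~/.mozilla/firefox/xxxxxxxx.default-release
if [ -n "${1:-}" ]; then
    write_userjs "$1" && webrtc_disabled "$1" && echo "WebRTC disabled in $1"
fi
```

Run it against the profile while Firefox is closed; on the next start, about:config will show the preferences as locked-in user values. A browser-side WebRTC leak test from the VM (while the VPN is up) is the practical way to confirm that nothing outside the tunnel is exposed.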

As for additional tools, we can divide them into three groups:

  1. Tools for obtaining data, such as Spiderfoot or Instalooter.
  2. Data analysis tools such as Excel / Calc, Sherloq or Bless.
  3. Frameworks that combine both functions. The best example here is Maltego, which both gives access to data-gathering transforms and enables graph-based analysis.

What exactly we will need depends largely on what information we will collect and process. When dealing with the analysis of images, we will mainly be interested in browser extensions for image search engines that make it easier to fetch photos from the Internet, and in tools that allow us to analyze them - show metadata or help detect manipulation. When collecting information about network infrastructure, we may be interested in quickly finding elements connected by a common hosting provider and obtaining detailed information about the services on a given server. At this point, I will briefly present the tools that I use most often.

Maltego - by far my favorite and most used tool. Additionally, for home use, free of charge! More precisely, Maltego comes in four varieties:

  1. CaseFile for more "offline" investigations, allowing only manual mapping of entities and viewing of graphs.
  2. Maltego Community - free version for non-commercial use, limited to 12 results for each transform and 10,000 entities on the graph.
  3. Maltego Pro - the standard paid edition, in which we can get 64,000 results for each transform and have up to 1,000,000 entities on the graph.
  4. Maltego Enterprise - the edition for business customers.

So what exactly is Maltego? It is a tool that combines two functions - the "transform" interface, i.e. searching for information based on the entered data (e.g. ASN by domain), and the graphical presentation of results on graphs along with tools for their analysis (such as sorting elements according to the number of outgoing connections to other objects). The great advantage of Maltego is its intuitive interface and the ability to collect multiple data sources under one roof. We can connect our access to services such as PassiveTotal or Censys and reach all our resources from one place. This greatly speeds up and facilitates the analysis.

Spiderfoot - an open source framework for gathering data on network traces and elements such as domain names, usernames or IP addresses. Spiderfoot started as a fully open source tool; its creators now also offer a cloud version, but I have not had the opportunity to use it. In any case, Spiderfoot allows quite comprehensive data acquisition - especially for domains, we get a very nice picture including elements such as registration data, outgoing links, usernames or other domains on the same host.

Google Earth Pro - the desktop version of the popular Google tool for virtually exploring the world. Compared to the browser version, it has many tools useful in OSINT investigations, such as the ability to measure distance and area, record the viewed route, or import KML files, which allows you to map, for example, the route of an aircraft.

Google Earth Pro view with imported aircraft route and distance measure.

Excel - and finally perhaps the most versatile tool in the history of office software. Excel is one of the analyst's best friends, enabling sorting, grouping, comparison and visualization of data sets. I can assure you that your arsenal of analytical skills will grow a lot after mastering, for example, pivot tables or conditional formatting. To give a simple example, if we observe someone's activity on Twitter, after collecting the tweet data we can easily determine the hours of the user's highest activity. Best of all, Excel, and in fact the entire Office 365 package, is available free of charge if we use the online version in a web browser.
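To make the tweet-timing example concrete: given an export with one tweet per row and an ISO-8601 created_at column, the hour histogram that a pivot table would produce can also be computed on the VM itself with awk, which is handy when the export is too large to paste into a spreadsheet. The script below is an added example and not from the post; the six-row CSV is constructed for illustration, and the optional UTC offset is there because API timestamps are in UTC while the question is about the subject's local hours.

```shell
#!/bin/sh
# Added example: hours of highest activity from a tweet export.
# Constructed sample: id,created_at,text with created_at in UTC (ISO-8601).
# The text column is last, so commas inside it do not shift field 2.
tweets_csv() {
    cat <<'EOF'
id,created_at,text
1,2021-03-01T07:12:00Z,"morning, coffee"
2,2021-03-01T07:45:00Z,"commute"
3,2021-03-01T21:03:00Z,"evening"
4,2021-03-02T07:30:00Z,"again"
5,2021-03-02T21:50:00Z,"late"
6,2021-03-03T07:05:00Z,"early"
EOF
}

# Count tweets per hour of day, shifted by an optional UTC offset in hours
# (e.g. 1 for CET, -5 for US Eastern), and print "HH count" with the
# busiest hour first.
activity_by_hour() {
    awk -F, -v off="${1:-0}" '
        NR > 1 {
            h = (substr($2, 12, 2) + off + 24) % 24   # chars 12-13 hold the hour
            c[h]++
        }
        END { for (h in c) printf "%02d %d\n", h, c[h] }
    ' | sort -k2,2nr -k1,1
}

# Convenience wrapper: only the busiest hour, e.g. "07".
busiest_hour() {
    activity_by_hour "${1:-0}" | head -n 1 | cut -d' ' -f1
}

# Usage: tweets_csv | activity_by_hour 1
#        tweets_csv | busiest_hour
```

A caveat that matters for attribution: an activity peak only says something about the subject's time zone if the sample is large and spans several weeks; a few days of data can be skewed by a single busy evening.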

I hope this collection of tips will help you prepare a comfortable and safe working environment for OSINT research. And of course, I strongly encourage you to try RonanVM - I hope you will find everything you might need there, and if in your opinion something is missing, let me know. The project will surely develop further, so any comments are welcome!
