Announcing Evanole Virtual Machine

New Resource Alert: Evanole Virtual Machine

Over the years, we’ve given forensic training to thousands of students spanning all levels of expertise, from beginners just getting their start in forensics, to seasoned professionals looking to sharpen their skillset. Through the course of all this, a key insight stood out to us: The difficulty of installing and setting up open-source software is creating a barrier to entry in our field and is preventing people from making full use of the rapidly growing variety of tools available today. 

We first tried to address this by releasing videos and how-to resource guides for installing common open-source software. In the classroom, however, we realized that every student's environment is unique and needs its own troubleshooting, so guides alone are not a long-term solution that people can bring back to their lab.

To address these concerns, and to make getting started with our classes easier than ever before, we created Evanole Virtual Machine (VM). Evanole VM is a modified version of Tsurugi Linux, which is a popular DFIR-focused Linux distribution that has countless tools already installed and set up. We add to this in three main ways:

  1. Certain Windows-only apps and forensic tools are installed and run under WINE, a compatibility layer that allows desktop and CLI apps alike to run inside a Linux environment. Evanole VM incorporates these Windows-only applications so they work alongside the native Linux tools.

  2. Evanole VM configures shared folders to provide an accessible location to operate on evidence. This allows you to easily run tools from the VM and tools on your host machine at the same time, on the same data. No need to worry about making giant copies and transferring them over to your virtual machine. One of the shared folders is write-protected as well, ensuring that you can use non-forensic tools in the VM without worrying about accidentally making changes to your data.

  3. All the tools used in Hexordia courses are organized per-folder. This means that you can simply open the VM, open the folder corresponding to the class you are taking, and double click any of the tools to launch them. CLI tools open a terminal window and display their help menu to assist you in writing out the command. Some tools don't normally have a help menu; in these cases we have added custom help text. Outside of class, this also keeps the tools organized, e.g. Mac analysis tools in a separate folder from mobile analysis tools.

To get started, download the Virtual Machine and check out our free course on using the VM.

In this course, we go through the entire process, from installing VirtualBox, to configuring the VM, to actually using it. We hope this VM will prove useful to you in training and in your investigations. If you have any questions, or ideas for adding other Free and Open Source Software (FOSS) forensic tools, be sure to reach out to us at evanolevm@hexordia.com.
