Educause Security Discussion mailing list archives

Re: Input on setting up a digital forensics lab


From: Alex Keller <axkeller () STANFORD EDU>
Date: Thu, 11 May 2017 18:32:47 +0000

Hi Robert,

If your forensics focus includes malware analysis and reversing, check out the open-source Cuckoo Sandbox:
https://cuckoosandbox.org

Cuckoo is fairly easy to set up, but bear in mind that in order to get more sophisticated malware to unpack and run, you 
will need to give the sandboxed VMs a network connection to the public Internet (which should NOT have access to your 
internal VLANs)…that may take some networking expertise and experimentation.

For static analysis IDA (https://www.hex-rays.com/products/ida) is arguably the best, but it is expensive and I’ve 
heard from trusted sources that Binary Ninja (https://binary.ninja) is an emerging alternative for a fraction of the 
cost.

Good luck!

Cheers,
Alex

Alex Keller
Stanford | Engineering
Information Technology
axkeller () stanford edu
(650)736-6421
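One way to build the isolation Alex describes (Internet egress for the analysis VMs, no path to internal VLANs) on the Cuckoo host, as an added nftables example that is not part of this thread; the interface names and the 10.99.0.0/24 analysis subnet are assumptions.

```nftables
# Added example (not from the thread): host-side nftables ruleset for a Cuckoo
# analysis bridge. Interface names and the analysis subnet are assumptions.
define sandbox_if  = "br-sandbox"   # bridge the analysis VMs attach to (assumed)
define sandbox_net = 10.99.0.0/24   # analysis VM subnet (constructed)
define wan_if      = "eth0"         # uplink towards the public Internet (assumed)
define internal    = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }  # campus/RFC1918 space

table inet cuckoo {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # return traffic for flows the VMs themselves started
        ct state established,related accept

        # VMs may reach the Internet, but never the internal/RFC1918 ranges;
        # the drop must come before the accept so ordering does the work
        iifname $sandbox_if ip daddr $internal drop
        iifname $sandbox_if oifname $wan_if accept

        # nothing on the wider network may initiate connections into the VMs
        oifname $sandbox_if ct state new drop
    }
}

table ip cuckoo_nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        # hide the analysis subnet behind the host's uplink address
        ip saddr $sandbox_net oifname $wan_if masquerade
    }
}
```

Load it with nft -f and verify from a guest that a campus address is unreachable while a public one still answers; the host's own result server traffic is on the input path and is not affected by these forward rules.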

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Roshan Harneker
Sent: Thursday, May 11, 2017 6:15 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Input on setting up a digital forensics lab

Hi Robert,

You could try setting up a lab that makes use of open source forensic tools if you’re unable to find a partnership with 
a large corporate. There are some really good open source alternatives to the well-known proprietary products (FTK / 
EnCase etc.). Some examples include:

· Sleuth Kit Autopsy - https://www.sleuthkit.org/autopsy/ - (runs on OS X, Windows and Linux)

· Paladin - https://sumuri.com/software/paladin/ - Linux-based

· SANS SIFT - https://digital-forensics.sans.org/community/downloads - Linux-based

· Kali Linux Forensics Mode - http://docs.kali.org/general-use/kali-linux-forensics-mode

· FTK Imager (http://www.accessdata.com/support/product-downloads) – only allows imaging and data preview etc., 
so do not confuse it with the full FTK suite

· Oxygen Forensics (for mobile forensics) - https://www.oxygen-forensic.com/en/. This one is paid-for but 
allows for educational discounts

Using open source software means your cost overheads would be reduced as long as you had staff or tutors who are 
proficient in the products you choose and can assist other students with queries and/or basic training.

Regards,
Roshan


Roshan Harneker
Senior Manager: Educational Technology Services
Information & Communication Technology Services (ICTS)
University of Cape Town
Phone: 021 650 3658
Email: roshan.harneker () uct ac za
Map: http://www.icts.uct.ac.za/directions-to-icts



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Robert Shoniwa
Sent: 11 May 2017 04:30 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Input on setting up a digital forensics lab

Good day all,

I'm with a university in Zimbabwe that is offering a degree programme related to Cybersecurity and we're looking to set 
up a digital forensics lab (the first in our country) to supplement forensics related courses in the curriculum. As a 
relatively young institute, I think we could benefit from the institutes with experience regarding this. My question 
is, are there any possible suggestions as to ways (e.g. potential partnerships with international commercial companies 
like Cellebrite) that can help reduce the total cost of setting such a lab up at a public university?

Kind regards,

Robert Shoniwa
Head of Information Security and Assurance
Harare Institute of Technology