Using Windows Subsystem for Linux on forensic workstations

 

Windows Subsystem for Linux allows Bash scripts to be run on a Windows system. In the same shell, you can now run Linux and Windows programs, which means the best of both worlds and this can be tremendously useful in processing disk images and running forensic investigations.

 

However, many of the forensic workstations we work on are offline systems and need to remain so, to avoid contamination or to prevent malware under investigation communicating with external servers. We've set up WSL on many offline systems and thought it might be worth sharing how we've set this up, in case other investigators find it useful. These instructions include creating and setting up a local Ubuntu mirror so that 'apt-get' commands will still work on the offline system for package installation. Without this, packages will need to be manually downloaded on an online system, copied over and installed and this will not include any required dependencies.

 

Installing WSL offline

 

1. Developer mode must be enabled on Windows before WSL can be installed:

Settings → Update & Security → For developers → Developer mode

 

2. Installing WSL:

Control Panel → Programs & Features → Turn Windows features on or off → Windows Subsystem for Linux

 

3. Reboot the system

 

4. Download LxRunOffline from https://github.com/DDoSolitary/LxRunOffline

 

5. Download an Ubuntu image for WSL from the LxRunOffline Github page or use an Ubuntu Server Cloud distro (must be a tar.gz file)

 

6. Install the Ubuntu distro using using the Windows Command Prompt:

LxRunOffline install -n <name> -f <tar.gz> -d <install path>
NOTE: install path MUST be on same drive that LxRunOffline is run from

 

7. Once installed, WSL can be run via 'bash.exe' in the System32 folder

 

Creating and setting up a local Ubuntu mirror offline

 

1. Create the mirror on an ONLINE system using the following commands:

    * sudo apt-get install apt-mirror
    * nano /etc/apt/mirror.list

      Change the default output location (set base_path) to where you want to write the mirror
      (if using a VM, you will need to have vmware tools installed to write to a shared folder)
    * sudo su - apt-mirror -c apt-mirror

 

2. Copy the mirror folder to your OFFLINE system

 

3. Set up the mirror on the OFFLINE system, to use this by default for software installation using the commands:

    * nano /etc/apt/sources.list

      Comment-out ALL default options & add a new line:
      deb file:/<path to archive.ubuntu.com/ubuntu dir> <dist eg. xenial> <repos eg main restricted universe multiverse>
    * sudo apt-get update
 

4. Reboot the OFFLINE system

 

Print Print | Sitemap
© Khyrenz 2016