ADIA

ADIA - The Appliance for Digital Investigation and Analysis

CentOS 7 Version

This README describes the virtual machine image for ADIA, the Appliance for Digital Investigation and Analysis. These virtual machines are based on CentOS 7.

This version of ADIA supports both VMware and Virtual Box. It supports the x86_64 (64-bit) host computer system architecture.

You should routinely update ADIA to keep it current with packages released by Red Hat and packages released by CERT.

Installation - VMware

ADIA has been tested and works on VMware Workstation 14 under Windows 10 Education. We expect that it will work in other configurations but they remain untested. When the virtual machine was packaged for distribution, it was converted to work with VMware Workstation 5 and later.

To install ADIA under VMware, do the following:

  1. Download the VMware-based OVA
  2. Optionally check the PGP/GPG Signature.
  3. Start VMware.
  4. Select File->Import....
  5. Navigate to the downloaded OVA and select it.
  6. Import the virtual machine.
  7. If you get an Import Failed error message, select Retry to continue.
  8. Select the Continue button to continue.
  9. When the import finishes, select the Finish button to continue.
  10. Optionally update the hardware version of the newly created virtual machine.
  11. Start the virtual machine.
  12. The virtual machine will boot and automatically login as examiner (with password forensics).
  13. This version of ADIA uses the MATE Desktop Environment.

Installing ADIA under VMware requires about 8 GB of disk space.

Installation - Virtual Box

ADIA has been tested and works on Virtual Box 5.2.2 under Windows 10 Education. We expect that it will work in other configurations but they remain untested. Note that you will need to also have the Virtual Box Extension Pack installed to run ADIA.

To install ADIA under Virtual Box, do the following:

  1. Download the Virtual Box-based OVA
  2. Optionally check the PGP/GPG Signature
  3. Start Virtual Box.
  4. Select File->Import Appliance....
  5. Navigate to the downloaded OVA and select it.
  6. Select Continue.
  7. Select Import.
  8. To share folders with the host, you may need to specify a different shared folder. As distributed, ADIA assumes that files are shared with the host at the path C:\Forensics. If this does not match your system and you wish to use shared folders, you will need to adjust this. Select Machine->Settings...->Shared Folders to make this change.
  9. When the virtual machine has been imported, double click on it to boot it.
  10. The virtual machine will boot and automatically login as examiner (with password forensics).
  11. This version of ADIA uses the MATE Desktop Environment.
  12. You will have to re-install the Virtual Box Guest Additions in the guest whenever you update the kernel.
  13. To enable cut and paste between the host and the guest, follow these directions.

Installing ADIA under Virtual Box requires about 8 GB of disk space.
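Step 2 of both installation procedures above is the integrity check on the downloaded image. The following is an added example, not part of the original README or the CERT distribution, showing how that check is done with a detached PGP/GPG signature. The file names ADIA.ova and ADIA.ova.asc are assumed (the README does not name them), and the signing key is assumed to already be in the keyring of the account doing the check, imported from the publisher through a channel you trust.

```sh
#!/bin/sh
# Added example: verify a detached GPG signature over a downloaded OVA
# before importing it into VMware or Virtual Box.
# Assumed file names: ADIA.ova (image) and ADIA.ova.asc (detached signature).

# verify_ova_signature OVA SIGNATURE
#   returns 0  - gpg reported a good signature
#   returns 1  - gpg ran but the signature is bad or cannot be verified
#   returns 2  - one of the two files is missing
#   returns 3  - gpg is not installed
verify_ova_signature() {
    ova="$1"
    sig="$2"
    if [ ! -f "$ova" ] || [ ! -f "$sig" ]; then
        echo "missing file: need both $ova and $sig" >&2
        return 2
    fi
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg is not installed; cannot verify $ova" >&2
        return 3
    fi
    # --batch keeps gpg non-interactive; for a detached signature the
    # signature file is named first and the signed data second.
    if gpg --batch --verify "$sig" "$ova"; then
        echo "good signature on $ova"
        return 0
    fi
    echo "BAD or unverifiable signature on $ova; do not import it" >&2
    return 1
}

# Run directly as: sh verify_ova.sh ADIA.ova ADIA.ova.asc
if [ "$#" -eq 2 ]; then
    verify_ova_signature "$1" "$2"
fi
```

A good signature only tells you the file was signed by whoever holds the key you imported, so the key itself must be obtained and checked separately (for example by comparing its fingerprint with one published by CERT); an unverifiable signature is treated the same as a bad one here, since either way the image has not been shown to be the one CERT released.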

Network Assumptions - DHCP

ADIA assumes that it is connected to a network that provides configuration information through DHCP. Whether that connection is NATed or bridged is a configuration choice, but as long as DHCP service is provided, the appliance will use it to configure its network connection. You can reconfigure ADIA to use a static address through the Network Manager icon on the desktop. See http://projects.gnome.org/NetworkManager/ for more information.

Network Assumptions - Proxy Server

This appliance also assumes that it is directly connected to the Internet without a proxy server. If that does not match the configuration of your network, then you must configure a proxy server as needed.

For example, if you use a browser, you will need to configure your network's proxy server into that browser. If you wish to load or update the packages installed on this appliance, you will need to configure your network's proxy server in /etc/yum.conf. Other applications will also need to be configured to use your network's proxy server so consult your organization's documentation to determine how to do this.

Sharing Files with the Host Computer System

ADIA is configured to use file systems shared to it by the host. There is an icon on the examiner login desktop named "Shared Folders" which, when double-clicked, starts a file browser that initially lists all of the directories shared to it.

To share folders from the host to this appliance, consult the documentation for your version of VMware or Virtual Box.

By default, ADIA assumes that there is a share named Forensics (typically the folder C:\Forensics) that is shared from the host. Further, if you intend to use the Autopsy tool, create a directory named morgue in this shared folder.

Default Login Session

As distributed, this appliance automatically logs into the examiner account when it is booted. However, should the screen lock or in some other way prompt for the examiner password, it is the string forensics. The password for the root account is also forensics.

The MATE desktop environment is used for the examiner login. The use of other desktop environments is untested and may produce unexpected results.

Routine Maintenance

It is recommended that you routinely update packages using:

sudo yum update

Note that if you update the kernel under Virtual Box, you will also need to re-install the Guest Additions and then reboot. See this web page for the procedure to do that: http://www.virtualbox.org/manual/ch04.html.

From time to time, the packages used to build the examiner login account are updated, primarily when new tool documents are distributed. To update the examiner login with these new files, do the following:

sudo manage-examiner-login -S -v

This will update the examiner login and retain any conflicts as described in the manage-examiner-login man page.

Miscellaneous Comments

  1. The packages for all installed applications reside on a repository located at CERT at http://www.cert.org/forensics/repository.

  2. Automatically mounting file systems such as those on an external USB device is enabled, but file systems are mounted read-only by default. If you need read-write access to an external file system, you will need to remount it using the mount command in a terminal window.
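The read-only default is what keeps an attached evidence device from being altered, so it is worth confirming a mount's state before and after any remount. The following is an added example, not part of the original README, that reads the mount options from a /proc/mounts style file (a constructed sample here, so it runs without any device attached) and shows the remount commands the README refers to; the mount point /run/media/examiner/EVIDENCE is an assumed example of where CentOS 7 automounts removable media for the examiner account.

```sh
#!/bin/sh
# Added example: check whether a mount is read-only, and remount it.
# /proc/mounts lines are: device mountpoint fstype options dump pass.
# Mount points containing spaces appear there escaped as \040.

# make_sample_mounts FILE: write a constructed /proc/mounts excerpt
make_sample_mounts() {
    cat > "$1" <<'EOF'
/dev/sda1 / xfs rw,relatime,attr2,inode64,noquota 0 0
/dev/sdb1 /run/media/examiner/EVIDENCE vfat ro,nosuid,nodev,relatime,uid=1000,gid=1000,errors=remount-ro 0 0
EOF
}

# mount_options MOUNTS_FILE MOUNTPOINT: print the option string for MOUNTPOINT
# (pass /proc/mounts as MOUNTS_FILE on the live system)
mount_options() {
    awk -v mp="$2" '$2 == mp { print $4 }' "$1"
}

# is_readonly MOUNTS_FILE MOUNTPOINT
#   returns 0 if mounted with the ro flag, 1 if rw, 2 if not mounted at all
is_readonly() {
    opts=$(mount_options "$1" "$2")
    if [ -z "$opts" ]; then
        echo "$2 is not mounted" >&2
        return 2
    fi
    # surround with commas so "ro" is matched only as a whole option,
    # not inside values such as errors=remount-ro
    case ",$opts," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# remount_rw MOUNTPOINT: the remount the README describes; this removes the
# write protection, so only do it on media you intend to change.
remount_rw() {
    sudo mount -o remount,rw "$1"
}

# remount_ro MOUNTPOINT: put the write protection back when finished
remount_ro() {
    sudo mount -o remount,ro "$1"
}

# Typical live use (assumed mount point):
#   is_readonly /proc/mounts /run/media/examiner/EVIDENCE && echo "still read-only"
#   remount_rw /run/media/examiner/EVIDENCE
#   ... write ...
#   remount_ro /run/media/examiner/EVIDENCE
```

The remount functions take the mount point, not the device, because that is what mount(8) needs for a remount; run the is_readonly check against /proc/mounts again after remount_ro to confirm the flag actually went back on.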

Updates and New Versions of this Appliance

For updates and new versions of this appliance, visit http://www.cert.org/forensics/repository/#ADIA.

Questions and Bug Reports

Send mail to forensics-linux-repository@cert.org with any questions and bug reports that you may have. We will answer questions as we are able.

ADIA CentOS 7

December, 2017