Building Your Forensic Analysis Workstation
Figure WF0.11 — Forensic analysis workstation layout. The VM platform provides isolation and snapshotting. Forensic tools are pre-installed and verified. Windows features that interfere with evidence analysis are disabled. Evidence handling follows a strict directory structure with read-only mounting and output separation.
VM platform setup
The forensic analysis VM runs on VMware Workstation Pro, which Broadcom made free for personal use in 2024. VirtualBox is an acceptable alternative if you prefer it; the VM configuration below is the same on either hypervisor. The host system can be Windows, macOS, or Linux.
Create a new VM with these specifications: 4 vCPU, 8GB RAM (16GB if your host has 32GB+), 120GB virtual disk (thin provisioned), network adapter set to NAT initially (for tool downloads) and then Host-Only or disconnected for analysis. Install Windows 11 Enterprise using the free evaluation ISO from Microsoft's Evaluation Center — the 90-day evaluation is sufficient for training, and you can rearm it or create a new VM when it expires.
During Windows installation: create a local account (not a Microsoft account) named "Analyst" with a known password. Skip all telemetry opt-ins. After installation completes and you reach the desktop, immediately take a snapshot named "Clean Install — Pre-Configuration." This snapshot is your rollback point if the configuration goes wrong.
Disabling interference sources
Windows generates continuous background activity that modifies the filesystem, creates registry entries, and generates Event Log entries. On a daily-use workstation, this is normal operation. On a forensic analysis VM, it is noise that can contaminate evidence and confuse analysis. Disable the following:
Windows Defender real-time protection. Defender will scan evidence files, including malware samples in KAPE collections and malicious executables in mounted forensic images. A detection can quarantine the evidence copy (the original is deleted and a quarantine copy written, which changes the MFT and USN Journal of the analysis VM's own volume and removes the file from your collection) and generates Defender Event Log entries that interleave with your own activity. Open Windows Security → Virus & threat protection → Manage settings → disable Real-time protection. On Windows 11, this setting re-enables itself after a period. For a persistent disable, first turn off Tamper Protection on the same settings page (while it is on, Defender ignores the policy), then set Group Policy: Computer Configuration → Administrative Templates → Windows Components → Microsoft Defender Antivirus → Turn off Microsoft Defender Antivirus → Enabled, and reboot.
Windows Update automatic downloads. Updates modify system files, create Prefetch entries, generate Event Log entries, and may reboot the VM mid-analysis. Open Settings → Windows Update → Pause updates for the maximum period (five weeks on Windows 11, so this is a stopgap, not a fix). For persistent control: Group Policy → Computer Configuration → Administrative Templates → Windows Components → Windows Update → Manage end user experience → Configure Automatic Updates → Disabled.
OneDrive and cloud sync. OneDrive syncs files in the user profile to Microsoft's cloud — if evidence files are placed in a synced folder, they are uploaded. Uninstall OneDrive or at minimum sign out and disable startup.
Windows Search indexing. The indexing service scans file contents and creates database entries — this activity modifies the MFT and generates USN Journal entries for the index database files. Open Services (services.msc) → Windows Search → Stop → set Startup type to Disabled.
SysMain (Superfetch/Prefetch service). The analysis VM does not need Prefetch optimization, and the service writes a Prefetch file for every tool you run, one more set of artifacts that looks exactly like evidence if a parser is ever pointed at the wrong volume. Open Services → SysMain → Stop → set Startup type to Disabled. Disabling it here affects only the analysis VM's own Prefetch; it has no effect on the Prefetch files inside your evidence.
Diagnostic data and telemetry. Settings → Privacy & Security → Diagnostics & feedback → set Diagnostic data to Required (minimum). Group Policy → Computer Configuration → Administrative Templates → Windows Components → Data Collection and Preview Builds → Allow Diagnostic Data → Disabled or Diagnostic data off.
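The settings above can be applied in one pass from an elevated PowerShell prompt on the analysis VM. The script below is an added example, not part of the course, and it assumes Windows 11 Enterprise (where the Group Policy items map to the registry policy values shown), that Tamper Protection has already been turned off in Windows Security, and that OneDrive's autostart entry has its default name; it leaves the OneDrive uninstall to you.

```powershell
# Added example (not from the course): apply the interference-source settings from the
# text and report what is in effect. Run elevated. Assumes Windows 11 Enterprise and that
# Tamper Protection is already off, otherwise Defender ignores the policy value.
#Requires -RunAsAdministrator

function Set-PolicyValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# Defender: immediate (session) disable, plus the policy behind
# "Turn off Microsoft Defender Antivirus" so it stays off after a reboot
Set-MpPreference -DisableRealtimeMonitoring $true
Set-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' 'DisableAntiSpyware' 1

# Windows Update: "Configure Automatic Updates" = Disabled
Set-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' 'NoAutoUpdate' 1

# Telemetry: "Allow Diagnostic Data" = Diagnostic data off (value 0, Enterprise only)
Set-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' 'AllowTelemetry' 0

# OneDrive: stop the sync client and remove its per-user autostart entry
Get-Process OneDrive -ErrorAction SilentlyContinue | Stop-Process -Force
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' `
    -Name 'OneDrive' -ErrorAction SilentlyContinue

# Windows Search (WSearch) and SysMain: stop now and keep them stopped across reboots
foreach ($svc in 'WSearch', 'SysMain') {
    Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
    Set-Service -Name $svc -StartupType Disabled
}

# Verification: RealTimeProtectionEnabled should be False and both services Stopped/Disabled.
# The Defender policy value is only honored after a reboot, so check again afterwards.
(Get-MpComputerStatus).RealTimeProtectionEnabled
Get-Service WSearch, SysMain | Select-Object Name, Status, StartType
```

Reboot after running it, repeat the two verification lines, and only then take the "Configured Workstation" snapshot; a snapshot taken with Defender still armed will re-contaminate every case restored from it.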
You are configuring your analysis VM and need to decide: should you install forensic tools on the host OS or inside a VM? The host OS gives better performance (direct hardware access, no virtualization overhead). The VM provides isolation (the analysis environment is separate from your personal/work environment).
Your options: (A) Install on the host for performance — forensic analysis of large MFT files and disk images benefits from direct disk I/O. (B) Use a dedicated VM for every case. The VM provides: isolation (evidence from one case cannot contaminate another), snapshotting (save the VM state before analysis, restore if something goes wrong), portability (move the VM to a different machine), and defensibility (you can testify that the analysis environment was clean — snapshot shows the VM state before evidence was loaded). The performance cost is minimal for most analysis tasks. Only full disk imaging and memory analysis of very large captures benefit significantly from host-level performance.
The correct approach is B for defensibility. Take a snapshot of the clean VM before loading evidence for each case. This provides a verifiable baseline that proves your analysis environment didn't contain artifacts from previous cases.
Try It — Configure Your Analysis VM
Follow this checklist to configure your forensic analysis VM. Check each item after completion:
VM creation:
- [ ] VMware Workstation Pro (or VirtualBox) installed on host
- [ ] New VM: 4 vCPU, 8GB RAM, 120GB thin-provisioned disk
- [ ] Windows 11 Enterprise evaluation installed
- [ ] Local account "Analyst" created (no Microsoft account)
- [ ] "Clean Install" snapshot taken

Interference disabled:
- [ ] Defender real-time protection off (via Group Policy for persistence)
- [ ] Windows Update paused or disabled
- [ ] OneDrive uninstalled or signed out
- [ ] Windows Search service stopped and disabled
- [ ] SysMain service stopped and disabled
- [ ] Diagnostic data set to minimum/disabled

Directory structure created:
- [ ] C:\Tools\ — all forensic tools
- [ ] C:\Tools\KAPE\ — KAPE with targets and modules
- [ ] C:\Tools\EZTools\ — full EZ Tools suite
- [ ] C:\Cases\ — per-case working directory
- [ ] Evidence mount point configured (D:\ or E:\)

Tools installed and verified:
- [ ] KAPE (latest from kape.sh) — run kape.exe --help to verify
- [ ] EZ Tools (download all from ericzimmerman.github.io) — run MFTECmd with --help
- [ ] Arsenal Image Mounter (arsenalrecon.com) — install and verify
- [ ] FTK Imager (exterro.com) — install and verify
- [ ] Registry Explorer — open and verify hive loading
- [ ] Timeline Explorer — open and verify CSV loading
- [ ] HxD (mh-nexus.de) — install
- [ ] Python 3.12 (python.org) — verify with python --version
"Configured Workstation" snapshot taken — this is your analysis-ready baseline.
Tool installation
All tools used in this course are free. Create a C:\Tools\ directory and install each tool suite in its own subdirectory.
KAPE: download from kape.sh (Kroll requires a free registration). Extract to C:\Tools\KAPE\. Run kape.exe --help to verify. KAPE includes both targets (what to collect) and modules (how to process). kape.exe --sync pulls the latest targets and modules from the KapeFiles repository; the bundled Get-KAPEUpdate.ps1 script updates KAPE itself.
Eric Zimmerman's Tools: download from ericzimmerman.github.io/#!index.md, either tool by tool or with the Get-ZimmermanTools.ps1 script that fetches the whole set. Extract to C:\Tools\EZTools\. The tools are .NET applications; install the .NET runtime version named on the download page or they will not start. The suite includes MFTECmd, PECmd, AmcacheParser, AppCompatCacheParser, JLECmd, LECmd, SBECmd, RECmd, EvtxECmd, SrumECmd, RBCmd, WxTCmd, bstrings, and more. Verify each tool runs with --help.
Arsenal Image Mounter — download from arsenalrecon.com. The free version mounts forensic images (E01, raw, VMDK) as read-only Windows drives. This is how you access evidence from forensic images without modifying the image.
FTK Imager — download from exterro.com (free registration required). Used for creating forensic images and extracting files from images. Install with default settings.
Registry Explorer and RECmd — included in the EZ Tools download. Registry Explorer provides GUI-based registry hive analysis with deleted key recovery and transaction log application. RECmd provides command-line batch processing.
Timeline Explorer — included in the EZ Tools download. A specialized CSV viewer designed for forensic timeline data — handles millions of rows, provides conditional formatting, column filtering, and bookmarking.
HxD — download from mh-nexus.de/en/hxd/. A free hex editor used for raw artifact examination throughout this course.
Python 3.12 — download from python.org. Install with "Add to PATH" checked. After installation, install forensic libraries: pip install python-registry yara-python pefile construct.
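Once the tools are in place, record what you installed. The script below is an added example, not part of the course or of any of these tools: it builds a manifest of every executable and DLL under C:\Tools with its file version and SHA-256, then smoke-tests the command-line tools by running each with --help. The list of tool names is an assumption, adjust it to what you actually installed; binaries are located by name because the EZ Tools extract into their own subfolders.

```powershell
# Added example (not from the course): manifest of tool binaries plus a start-up check,
# taken just before the "Configured Workstation" snapshot. Tool names below are assumed.

$toolRoot = 'C:\Tools'
$manifest = Join-Path $toolRoot 'tool-manifest.csv'

function New-ToolManifest {
    param([string]$Root, [string]$OutFile)
    $rows = Get-ChildItem -Path $Root -Recurse -File |
        Where-Object { $_.Extension -in '.exe', '.dll' } |
        ForEach-Object {
            [pscustomobject]@{
                Path    = $_.FullName.Substring($Root.Length).TrimStart('\')
                Version = $_.VersionInfo.FileVersion
                Bytes   = $_.Length
                SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        } | Sort-Object Path
    $rows | Export-Csv -LiteralPath $OutFile -NoTypeInformation
    return $rows.Count
}

function Test-ToolStarts {
    param([string]$Root, [string[]]$Names)
    foreach ($name in $Names) {
        $exe = Get-ChildItem -Path $Root -Recurse -File -Filter "$name.exe" | Select-Object -First 1
        if (-not $exe) {
            [pscustomobject]@{ Tool = $name; Found = $false; FirstLine = '' }
            continue
        }
        # --help should print usage; a missing .NET runtime shows up here as an error line instead
        $first = (& $exe.FullName --help 2>&1 | Select-Object -First 1) -as [string]
        [pscustomobject]@{ Tool = $name; Found = $true; FirstLine = $first }
    }
}

$count = New-ToolManifest -Root $toolRoot -OutFile $manifest
"Recorded $count binaries in $manifest"
Test-ToolStarts -Root $toolRoot -Names 'kape', 'MFTECmd', 'PECmd', 'AmcacheParser',
    'AppCompatCacheParser', 'EvtxECmd', 'RECmd', 'SrumECmd', 'JLECmd', 'LECmd' | Format-Table -AutoSize

# Later, after updating a tool, take a second manifest and diff the two to show what changed:
# Compare-Object (Import-Csv $manifest) (Import-Csv 'C:\Tools\tool-manifest-later.csv') -Property Path, SHA256
```

Keep the manifest with the snapshot it describes. When a report states which MFTECmd build parsed the evidence, the CSV row is the answer, and a second manifest taken on the case VM shows whether anything under C:\Tools changed between baseline and analysis.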
Evidence handling procedures
Evidence integrity depends on consistent handling procedures. The analysis VM uses this structure:
C:\Cases\{CaseID}\ — one directory per investigation. Under each case directory: evidence\ (original evidence files — KAPE collections, forensic images, copied artifacts), output\ (tool processing output — MFTECmd CSVs, parsed registry data, timeline files), notes\ (examination notes, screenshots, working documentation), and report\ (final deliverables).
When mounting a forensic image: always use Arsenal Image Mounter in read-only mode. Verify the image before mounting by comparing against the hash recorded at acquisition. For a raw (dd) image that is simply the hash of the file. For an E01 the acquisition hash covers the acquired data, not the .E01 container, so verify it with FTK Imager's Verify Drive/Image (which checks the hash stored inside the E01) rather than by hashing the file. After mounting, the image appears as a Windows drive letter: you can browse the filesystem and extract files, but you cannot modify the image contents.
When processing with KAPE or EZ Tools: point every output option (KAPE's --tdest and --mdest, the EZ Tools' --csv and --json) at the output\ directory within the case folder, never at the evidence directory. This separation keeps tool output, which is generated by the analysis process, apart from original evidence, which must remain unmodified.
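The three procedures above (case layout, hash verification before mounting, output separation) fit in one short PowerShell script. It is an added example, not part of the course: the case ID, file names, tool paths and the expected hash are made up for illustration, and you replace the hash with the value from your acquisition form. Test-EvidenceHash applies to raw images only; for an E01, use FTK Imager's Verify Drive/Image as described above.

```powershell
# Added example (not from the course): create a case workspace, verify a raw image against
# the acquisition hash, and run KAPE / MFTECmd with sources in evidence\ and output in output\.
# CASE-0001, ws01.dd, the triage folder and the expected hash are illustrative values.

function New-CaseWorkspace {
    param([Parameter(Mandatory)][string]$CaseId, [string]$Root = 'C:\Cases')
    $case = Join-Path $Root $CaseId
    foreach ($sub in 'evidence', 'output', 'notes', 'report') {
        New-Item -ItemType Directory -Path (Join-Path $case $sub) -Force | Out-Null
    }
    return $case
}

function Test-EvidenceHash {
    param(
        [Parameter(Mandatory)][string]$CaseDir,
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedHash,     # value on the acquisition form
        [ValidateSet('MD5', 'SHA1', 'SHA256')][string]$Algorithm = 'SHA1'
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "Evidence file not found: $Path" }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm $Algorithm).Hash
    $match  = $actual -ieq $ExpectedHash
    # Every comparison is appended to notes\, so the verification is part of the case record
    $entry = '{0} {1} {2} expected={3} actual={4} match={5}' -f `
        (Get-Date -Format o), $Algorithm, $Path, $ExpectedHash, $actual, $match
    Add-Content -LiteralPath (Join-Path $CaseDir 'notes\hash-verification.log') -Value $entry
    return $match
}

$case  = New-CaseWorkspace -CaseId 'CASE-0001'
$image = Join-Path $case 'evidence\ws01.dd'

if (Test-Path -LiteralPath $image) {
    # The mount is read-only in Arsenal Image Mounter; flagging the file read-only as well
    # stops a carelessly typed tool invocation from writing into it
    (Get-Item -LiteralPath $image).IsReadOnly = $true
    $expected = 'da39a3ee5e6b4b0d3255bfef95601890afd80709'   # illustrative SHA1 only
    if (-not (Test-EvidenceHash -CaseDir $case -Path $image -ExpectedHash $expected -Algorithm SHA1)) {
        throw "Hash mismatch for $image; do not mount or analyze until the discrepancy is resolved."
    }
}

# Output separation: sources point at evidence\, destinations at output\, never the reverse.
# Single quotes keep PowerShell from expanding $MFT as a variable.
$triage = Join-Path $case 'evidence\triage'
$out    = Join-Path $case 'output'
if (Test-Path -LiteralPath $triage) {
    & 'C:\Tools\KAPE\kape.exe' --msource $triage --mdest $out --module '!EZParser'
    & 'C:\Tools\EZTools\MFTECmd.exe' -f (Join-Path $triage 'C\$MFT') --csv $out
}
```

The script stops on a hash mismatch rather than warning and continuing; an image whose hash does not match the acquisition record is a chain-of-custody problem to resolve first, not something to analyze "for now".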
The myth: Forensic tools run on any Windows system. Install the tools on your daily workstation or a standard VM and start analyzing. The tools handle evidence integrity — that's what write-blocking and hash verification are for.
The reality: Write-blocking and hash verification protect the original evidence from modification. They do not protect the analysis environment from contaminating the analysis output. A daily-use workstation has thousands of Prefetch files, millions of MFT records, and years of registry history — if the examiner accidentally processes their own system's artifacts alongside the evidence, the analysis is contaminated. Windows Defender on an unconfigured VM will quarantine malware samples from evidence, generating its own MFT entries and Event Log records that interleave with analysis output. Windows Update running during analysis creates filesystem activity that could be confused with evidence processing. A purpose-built forensic VM with interference disabled, a clean directory structure, and case-level snapshots prevents these contamination vectors.
Troubleshooting
"The Windows 11 evaluation expires after 90 days." You have several options: rearm the evaluation with slmgr /rearm (it can be run only a limited number of times, each extending the evaluation by 90 days), create a new VM from a fresh evaluation ISO, or purchase a Windows 11 Pro license. For training purposes, the evaluation is sufficient: you can complete this course well within the evaluation period.
"I don't have enough disk space for a 120GB VM plus evidence files." The 120GB VM disk is thin-provisioned — it only uses actual space as data is written, starting around 25-30GB after OS installation and tools. Evidence files are the larger concern: a single KAPE triage collection is typically 2-10GB, and a full disk image is 100GB+. Store evidence files on an external drive connected to the host, accessible to the VM via a shared folder or USB passthrough. This keeps the VM disk lean while providing abundant evidence storage.
"Should I use a physical forensic workstation instead of a VM?" For production forensic work (real investigations), many practitioners use dedicated physical workstations for performance and to avoid virtualization-related complications. For training and learning, a VM is preferable: snapshots provide case isolation, the environment is disposable and reproducible, and you can run the VM alongside your notes and browser on the host. The artifact analysis techniques are identical regardless of whether you run the tools in a VM or on bare metal.
You've built the foundations of artifact-level forensic analysis.
WF0 gave you the taxonomy, NTFS architecture, and the five-step methodology. WF1 took you inside the MFT at the binary level — every attribute, every timestamp, every edge case. From here, every artifact category gets the same raw-first treatment.
- WF2–WF10: every major Windows artifact decoded at binary level — USN Journal, Prefetch, Amcache, Shimcache, ShellBags, LNK, Jump Lists, SRUM, Event Logs, and the Registry hives
- INC-NE-2026-0915 (WF13) — Insider data exfiltration capstone. Work the complete investigation from USB history to OneDrive exfiltration evidence
- INC-NE-2026-1022 (WF14) — Ransomware capstone. Three-host triage (FIN01 → IT03 → FS01) across the 72-hour attack chain
- The lab pack — 25+ realistic evidence files in 10 formats, simulated KAPE triage pre-populated, both capstones deployable to your own VM
- Anti-forensic detection methodology — defeat timestomping, log clearing, and Prefetch deletion with cross-artifact correlation