Tuesday, April 1, 09:00-10:45, continuing 11:15-13:00
Learning Objectives:
Learn how to automatically generate holistic data sets with the hypervisor-based agentless data synthesis framework ForTrace++
Experience Level:
Beginner
Description:
During this workshop, you will be introduced to the open-source data synthesis framework ForTrace++, originally presented at DFRWS EU 2024. It is used to synthesize holistic, forensically relevant data sets in a semi-automated fashion on Windows and Linux VMs. These data sets can be used, for example, for training students or for evaluating digital forensic tools. Instead of generating the data sets manually, the user writes scenarios, or uses community-defined scenarios, that are configurable via YAML files. The aim is to support further applications that can be combined to create more complex scenarios. In the long term, this will enable users to define scenarios by reusing existing ‘blocks’ and only writing configuration files.
After discussing the general concepts of ForTrace++, we will explore simple scenarios involving the software VeraCrypt, which demonstrate the Python interface, the configuration files, and the component for semi-random interaction offered by the framework. The latter adds background noise to the generated data set to increase its realism. Finally, we examine the generated data sets for the traces they contain. Further features of the framework will be discussed live, and everyone is invited to create their own scenarios.
Preparation Details:
General preparations:
- Install ForTrace++ as described in the project’s README.
- If possible, avoid using the framework inside a VM (nested virtualization may cause instability). If necessary, use a QEMU/KVM machine with CPU host-passthrough enabled.
- All required packages are listed in the README and can be uninstalled afterwards.
- The framework is installed in a virtual environment, so it doesn’t affect your main Python setup.
- Set up a Windows 10 VM as described in the Example 1 README.
- To enhance performance and stability, follow the libvirt tuning guide.
- The most impactful sections are: Hypervisor Features, Timers, and CPU. Disk-type settings are optional.
The different scenarios require different setup steps. You can choose a subset of the scenarios you are interested in. All scenarios build upon the installed Windows 10 VM to ease the process.
Scenario I
- Uses Jupyter Notebooks – ensure you have a program to execute them.
- To analyze the created images/RAM dumps, follow the instructions in the Scenario I Notebook.
Scenario II
- In addition to Scenario I, install and configure Wireshark to capture network traffic (or disable this step if not needed).
- More info can be found in the Scenario II Notebook.
Scenario III (Service-VMs)
- Install Docker and Docker Compose.
- Follow the setup guide for service VM networks in the Service VMs documentation.
Scenario IV (Integration of AI tools into ForTrace++)
- Install OmniParser v2 as described in the example’s README.