OSINT VM - August Hackathon

August 1, 2023

For the last three years the Trace Labs team has been hacking away on the OSINT VM. It continues to improve and hopefully shows newcomers the benefits of using a virtual environment to conduct an investigation. The team wanted to take a few minutes here to explain the "how" and "why" behind our current design and development and to ask the community at large to help us keep making it better.

VM Hackathon

For the entire month of August, we're reaching out to the community as a whole to help us make the VM better.

Do I need to be able to code to work on the VM?

Nope. Not only do we need help with the code that generates the VM, we also need help with documentation and build testing. Most importantly, we need feedback, suggestions and ideas. Without input from the community we're just making a VM that's good for us (the devs) but not the community at large.

Where are we doing this?

The GitHub repo will be the best place to track the work:

https://github.com/tracelabs/tlosint-vm

This is a relatively new repo compared to the old one. Further down this post we'll get into the decisions behind the change. This repo is where we can log issues and suggestions around the VM. We can also accept PRs or even add people directly to the development team if interested. Conversation is still welcome in the #osint-vm channel of Discord, but everything will be tracked in GitHub.

Cool story, how do I start?

Go to the repo and start creating issues. Please use the appropriate label to describe the issue you are logging.

https://github.com/tracelabs/tlosint-vm/issues

If you'd like to get started actually hacking away at the code, you can reach out to either @humanDecoded or @5nacks in the Discord.

Why Even Make an OSINT VM?

Virtual machines are awesome. Anyone who works with malware or needs to do something else in isolation already knows this. We wanted a way to set up new people in an isolated environment that came pre-loaded with OSINT resources: not only a "safe" environment to work in, isolated from their host OS, but also one that came stocked with useful tools and resources that could aid their investigation. The intent was for this VM to be a constantly evolving thing fueled by community feedback. Ideally, those who initially started with our VM would "outgrow" it in a sense and go on to customize their own work environment suited to the type of investigations they were a part of.

What Even IS the OSINT VM?

The VM itself is a stripped-down variant of Kali. Imagine Kali Linux without the usual loadout of pentest tools. Leveraging Kali repos, PyPI, bash scripting and GitHub, we then add in OSINT tools and other resources, so the end result not only contains tools but also has web browsers preloaded with OSINT-focused bookmarks. We've taken great efforts to make all of this happen "in code". This way, anyone can run our build scripts on their own and not just trust the OVA or ISO we are putting out there.

To expand on this:

It would be much easier for us if we just did everything inside of our own version of VirtualBox or VMware, got it where we wanted it and then exported that appliance for the community to install. We wanted a solution that didn't require the community to "just trust us" and something they could build out on their own if they wanted to.

Where Do We See the OSINT VM Going? 

That all depends on what the community wants. Personally (humanDecoded) I'd like us to migrate away from tools and lean more into bookmarks in the web browser and useful documentation within the VM. I say this because tools can become outdated quickly and I feel it's important to understand the underlying technique where possible. I'd like the VM to be a great starting point for people new to the field. But as mentioned above, this isn't just my VM, it's all of yours. The only way we can give you the product you want is if you tell us what you want.

What's With the New Repo?

The new repo (https://github.com/tracelabs/tlosint-vm) represents a shift in the way we want to build the VM. Previously our build pipeline would look like:

  • create a branch from dev
  • make changes
  • rebuild ISO on local machine
  • install to hypervisor
  • test changes
  • merge changes into dev branch
  • merge dev branch into main
  • clone main
  • build ISO
  • install to VirtualBox
  • tweak anything necessary like username and password
  • export as OVA and post to website

That's insane!

The new repo and build scripts allow much more of this to happen in code. The end result of the build process is now an image you can import into either VirtualBox or VMware. Changes still have to be made in the code, and they still have to be tested in the hypervisor, but the release process is now much easier. Additionally, the releases are built and hosted on GitHub. This will allow us to push releases out more frequently and not rely on update scripts within the VM itself.

We hope this post was informative. I'm looking forward to the Hackathon. See you all in the repo...
