Teaching Digital Forensics w/Virtuals
By Amelia Phillips

Agenda
• Overview of VMs
• Finding a VM
• Proper Procedure
• Imaging a VM
• Analysis of a VM
• Restoring an image to a VM
Overview of VMs
• “Oh, use a virtual!”
• What does this really mean?
• Why is it so popular?

Use of Virtual Machines
• VMs allow you to run multiple operating systems on the same physical box
• With high-capacity servers
  • High RAM
  • Quad-core or higher
  • 20 or more OSes can run on the same box

Use of Virtual Machines (2)
• Cut down on equipment costs
• Ease of maintenance
• Easy to back up, clone and restore
• Easy to delete
• Easy to create
• Have legacy systems and modern systems on the same network

Use of VMs in Class
• Easy to teach legacy systems
• Relatively easy to assemble networks
• Cut down on the number of physical machines

Most Popular VM Software
• VMware
  • Server
  • Workstation
  • Player
• VirtualBox
• Virtual PC
• Many others listed on Wikipedia

Criminal or Covert Use of VMs
• Attack networks
• Insider access to sensitive files
• Erase evidence
• Hard to track
Proper Procedure
• Forensically sound approach
• Document everything
• New technology produces new challenges
  • Live acquisitions
  • VMs

Proper Procedure (2)
• VMs are located on other physical boxes
• Your search begins with someone’s
  • Office computer
  • Personal laptop
  • Mobile device
  • USB or other portable drive

Proper Procedure (3)
• Seize the evidence
• Perform a forensic image of the physical drive
• Begin the analysis

Find the VM
• Check the MRU (most recently used) lists
• Examine the Registry
  • HKEY_CLASSES_ROOT: see if the .vmdk extension (or similar) has a file association
• Check the My Virtual Machines folder
• Look for .lnk files that point to a VM

Find the VM (2)
• Examine the network logs
• Look for a VMware network adapter
  • ipconfig or ifconfig
• See what has been connected to the machine, such as a USB device

Find the VM (3)
• The VM may have been deleted
• Be sure to examine the host drive to see if the file(s) can be retrieved
• Export any relevant files

Examining the VM
• Note there may be shared files or folders on the host machine
• Examine the log files
• Open the Cengage2010VM folder
• Note how many machines this VM was opened on and their names

VMware files
• *.vmdk – the actual hard drive for the VM
• *.nvram – the BIOS info
• *.vmx – the configuration file
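The artifact hunt on the “Find the VM” and “VMware files” slides can be scripted once the host drive image is mounted read-only. The Python below is an added example, not part of the slide deck and not taken from any forensic tool: it walks an evidence tree for .vmx, .vmdk, .nvram and .lnk files, reads each .vmx for the disks it references, reads each .vmdk descriptor for its extent files, and reports anything referenced but absent, which is the cue to go back to the host drive for deleted copies. The directory layout and file names built by build_sample_evidence() are constructed for the demo; the .vmx `key = "value"` syntax and the descriptor extent lines (`RW <sectors> <type> "<file>"`) are VMware's formats. .lnk files are only listed, since resolving their targets needs a shell-link parser.

```python
"""Locate VMware artifacts in a mounted evidence tree and check that every
disk file the VM configuration references is present. Added example."""
import os
import re
import tempfile

VM_EXTENSIONS = (".vmx", ".vmdk", ".nvram", ".lnk")

# .vmx lines look like:   scsi0:0.fileName = "case-vm.vmdk"
_VMX_LINE = re.compile(r'^\s*([\w.:-]+)\s*=\s*"(.*)"\s*$')
# .vmdk descriptor extent lines look like:   RW 4192256 SPARSE "case-vm-s001.vmdk"
_EXTENT_LINE = re.compile(r'^(?:RW|RDONLY|NOACCESS)\s+\d+\s+\w+\s+"([^"]+)"', re.M)


def parse_vmx(text):
    """Return a .vmx configuration as a dict with lower-cased keys."""
    cfg = {}
    for line in text.splitlines():
        m = _VMX_LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def vmx_disk_files(cfg):
    """Disk files referenced by a parsed .vmx (any *.fileName ending in .vmdk)."""
    return [v for k, v in cfg.items()
            if k.endswith(".filename") and v.lower().endswith(".vmdk")]


def vmdk_extents(path):
    """Extent file names from a .vmdk descriptor. Split disks keep it as plain
    text; monolithic sparse disks embed it in the first sectors, so only the
    first 64 KiB are scanned. A descriptor-less flat extent yields no names."""
    with open(path, "rb") as fh:
        head = fh.read(65536).decode("latin-1")
    return _EXTENT_LINE.findall(head)


def find_vm_artifacts(root):
    """Walk the evidence tree and bucket candidate files by extension."""
    found = {ext: [] for ext in VM_EXTENSIONS}
    for dirpath, _, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in found:
                found[ext].append(os.path.join(dirpath, name))
    return found


def inventory_vm(vmx_path):
    """Resolve every disk, and every extent of each disk, that a .vmx names."""
    base = os.path.dirname(vmx_path)
    with open(vmx_path, encoding="latin-1") as fh:
        cfg = parse_vmx(fh.read())
    report = {"vmx": vmx_path, "display_name": cfg.get("displayname", "?"),
              "disks": [], "missing": []}
    for disk in vmx_disk_files(cfg):
        disk_path = os.path.join(base, disk)
        entry = {"name": disk, "present": os.path.isfile(disk_path), "extents": []}
        if not entry["present"]:
            report["missing"].append(disk)
        else:
            for ext in vmdk_extents(disk_path):
                ok = os.path.isfile(os.path.join(base, ext))
                entry["extents"].append({"name": ext, "present": ok})
                if not ok:
                    report["missing"].append(ext)
        report["disks"].append(entry)
    return report


def survey(root):
    """Artifact listing plus one inventory per .vmx found under root."""
    artifacts = find_vm_artifacts(root)
    return {"artifacts": artifacts,
            "vms": [inventory_vm(p) for p in sorted(artifacts[".vmx"])]}


def build_sample_evidence(root):
    """Constructed evidence tree: one VM whose second disk extent was deleted."""
    vmdir = os.path.join(root, "My Virtual Machines", "case-vm")
    os.makedirs(vmdir)
    os.makedirs(os.path.join(root, "Desktop"))
    with open(os.path.join(vmdir, "case-vm.vmx"), "w") as fh:
        fh.write('.encoding = "UTF-8"\ndisplayName = "case-vm"\n'
                 'scsi0:0.present = "TRUE"\nscsi0:0.fileName = "case-vm.vmdk"\n')
    with open(os.path.join(vmdir, "case-vm.vmdk"), "w") as fh:
        fh.write('# Disk DescriptorFile\nversion=1\ncreateType="twoGbMaxExtentSparse"\n'
                 'RW 4192256 SPARSE "case-vm-s001.vmdk"\n'
                 'RW 4192256 SPARSE "case-vm-s002.vmdk"\n')
    for name in ("case-vm-s001.vmdk", "case-vm.nvram"):   # s002 has been deleted
        open(os.path.join(vmdir, name), "wb").close()
    open(os.path.join(root, "Desktop", "case-vm.lnk"), "wb").close()


def run_demo():
    """Build the constructed tree in a temporary directory and survey it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_evidence(tmp)
        return survey(tmp)
```

Point survey() at the mount point of the host image to get the same report for real evidence; a non-empty `missing` list for a VM means the examiner should look for the named file on the host drive before concluding the VM's disk is unrecoverable.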
Imaging a VM
• The easiest tool is FTK Imager
• Very similar to imaging a standard physical drive
• Launch FTK Imager
• Click File, Create Disk Image
• Click Add, then select Raw (dd)
• Fill in the prior dialog box with your information
• Select the destination folder and indicate a filename
• Be sure to put in 0 for no fragmentation
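As an added example (not the deck's code and unrelated to FTK Imager's implementation), the Python below does the same job for a single VM disk file outside a GUI: it copies the file into a raw (dd) image as one unfragmented output file, computes MD5 and SHA-256 during the copy, saves an acquisition record, and re-hashes the image to verify it. The source file produced by make_sample_source() is constructed data standing in for a .vmdk, and the JSON record layout is this example's own choice.

```python
"""Raw (dd-style) acquisition of one VM disk file with on-the-fly hashing and
post-write verification. Added example; see the lead-in for assumptions."""
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1 << 20  # read and write in 1 MiB pieces


def hash_file(path):
    """MD5 and SHA-256 of a file, read in CHUNK-sized pieces."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def acquire_raw(src_path, image_path):
    """Copy src_path byte-for-byte into one unfragmented image file and return
    an acquisition record with the hashes computed during the copy."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    with open(src_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
            dst.write(block)
            size += len(block)
    return {"source": os.path.abspath(src_path),
            "image": os.path.abspath(image_path),
            "bytes": size,
            "md5": md5.hexdigest(),
            "sha256": sha256.hexdigest(),
            "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())}


def verify_image(record):
    """Re-hash the written image; True only if size and both digests match."""
    if os.path.getsize(record["image"]) != record["bytes"]:
        return False
    md5, sha256 = hash_file(record["image"])
    return md5 == record["md5"] and sha256 == record["sha256"]


def write_record(record, path):
    """Persist the acquisition record beside the image (JSON, this example's layout)."""
    with open(path, "w") as fh:
        json.dump(record, fh, indent=2)


def make_sample_source(path, size=CHUNK + 12345):
    """Constructed stand-in for a .vmdk: random bytes, deliberately not a whole
    number of chunks so the final partial read is exercised."""
    with open(path, "wb") as fh:
        fh.write(os.urandom(size))


def run_demo():
    """Acquire a constructed source, verify the image, then flip one byte in
    the image and show that verification fails."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "case-vm.vmdk")
        img = os.path.join(tmp, "case-vm.vmdk.dd")
        make_sample_source(src)
        rec = acquire_raw(src, img)
        write_record(rec, img + ".json")
        outcome = {"bytes": rec["bytes"],
                   "source_hash_matches": hash_file(src) == (rec["md5"], rec["sha256"]),
                   "image_verifies": verify_image(rec)}
        with open(img, "r+b") as fh:          # simulate a single-bit change
            fh.seek(100)
            byte = fh.read(1)[0]
            fh.seek(100)
            fh.write(bytes([byte ^ 0x01]))
        outcome["tampered_image_verifies"] = verify_image(rec)
        return outcome


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The source is opened read-only and the image is written once in sequence, so the output is a single contiguous file, which is the same effect as choosing 0 for fragmentation in FTK Imager. Hashing during the copy and again after it closes the window in which a write error or a later modification could go unnoticed.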
Analyzing the VM
• Load the forensic image into the software of your choice
• For ease of demonstration, launch the Forensic Toolkit (FTK)
• Click through any messages regarding KFF and dongle not found

Using FTK
• Start a new case
• Use all the defaults, plus data carving, and fill in your information
• At the Add Evidence step, select the file we just created

Analyzing the VM
• Click Next and Finish
• Once the drive has been processed, proceed as normal with your analysis
• Be sure to look at the Registry

Examining Malware, etc.
• Many times software on a drive is not readily available for download
• Malware may be present that you want to test
• You, as the investigator, want to test it
• Forensic procedure must dictate what you do next

Launch a VM
• Use the forensic image of the vmdk (or equivalent), not the original file
• Some forensic tools, such as EnCase, require mounting the drive
• Other tools, such as ProDiscover, will prepare the files for you

Procedure
• Be sure to record the hash values of all files created
• Be sure to document everything that you do
• This is new territory – not proven by case law
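One way to follow the “record the hash values” and “document everything” points in practice, as an added example that is not from the slides: hash every file in the case directory into a manifest, re-verify the directory later to catch changed, missing or new files, and keep an append-only, timestamped action log. The case directory, file names and examiner id used in run_demo() are constructed; the JSON manifest and JSON Lines log layout are this example's own convention, not a standard.

```python
"""Hash manifest and append-only action log for a case directory. Added
example; see the lead-in for assumptions."""
import hashlib
import json
import os
import tempfile
import time

BOOKKEEPING = ("manifest.json", "actions.jsonl")  # the example's own files


def sha256_file(path):
    """SHA-256 of a file, read in 1 MiB pieces."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(case_dir, skip=BOOKKEEPING):
    """Map each file (path relative to case_dir) to its size and SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(case_dir):
        for name in sorted(files):
            if name in skip:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, case_dir).replace(os.sep, "/")
            manifest[rel] = {"bytes": os.path.getsize(full),
                             "sha256": sha256_file(full)}
    return manifest


def verify_manifest(case_dir, manifest):
    """Compare the directory's current state with a saved manifest."""
    now = build_manifest(case_dir)
    result = {"ok": [], "changed": [], "missing": [], "new": []}
    for rel, rec in manifest.items():
        if rel not in now:
            result["missing"].append(rel)
        elif now[rel]["sha256"] != rec["sha256"]:
            result["changed"].append(rel)
        else:
            result["ok"].append(rel)
    result["new"] = sorted(set(now) - set(manifest))
    return result


def log_action(log_path, examiner, action, detail):
    """Append one timestamped JSON line; an append-only log is easier to
    defend than a document that was edited after the fact."""
    entry = {"utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
             "examiner": examiner, "action": action, "detail": detail}
    with open(log_path, "a") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def run_demo():
    """Constructed case: hash two files, then add, edit and delete files and
    re-verify. Returns the verification result plus the log line count."""
    with tempfile.TemporaryDirectory() as case:
        log = os.path.join(case, "actions.jsonl")
        os.makedirs(os.path.join(case, "images"))
        with open(os.path.join(case, "images", "case-vm.vmdk.dd"), "wb") as fh:
            fh.write(b"\x00" * 4096)              # constructed placeholder image
        with open(os.path.join(case, "notes.txt"), "w") as fh:
            fh.write("VM located under My Virtual Machines\n")
        manifest = build_manifest(case)
        with open(os.path.join(case, "manifest.json"), "w") as fh:
            json.dump(manifest, fh, indent=2, sort_keys=True)
        log_action(log, "examiner-1", "manifest", f"{len(manifest)} files hashed")
        # Later: a report is added, the notes are edited, and the image is removed.
        with open(os.path.join(case, "report.txt"), "w") as fh:
            fh.write("findings\n")
        with open(os.path.join(case, "notes.txt"), "a") as fh:
            fh.write("edited later\n")
        os.remove(os.path.join(case, "images", "case-vm.vmdk.dd"))
        result = verify_manifest(case, manifest)
        log_action(log, "examiner-1", "verify", result)
        with open(log) as fh:
            result["log_entries"] = sum(1 for _ in fh)
        return result


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run build_manifest() as soon as a set of files exists (the exported VM files, the dd image, carved files) and again before each report; the manifest itself should be hashed and kept on write-once media or in a separate location, since a manifest that can be silently regenerated proves nothing.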
Advantages of Using a VM
• “Clean box” every time
• Erase changes made to the drive
• Can load a verified image every time

Conclusion
• Virtual machines do offer some challenges
• Knowledge of how to mount them for examination in a VM application is needed
• Quirks when doing the actual drive image

References
• Shavers, Brett. Virtual Forensics. White paper, 2009.
• Nelson, Bill; Phillips, Amelia; Steuart, Chris. Guide to Computer Forensics and Investigations. Course Technology, 2010.