5th Annual Workshop on the Teaching Computer Forensics

Virtualising Computer Forensics

Dr. Jianming Cai (j.cai@londonmet.ac.uk)

Mr. Ayoola Afonja (AYA0230@londonmet.ac.uk)

Faculty of Computing

London Metropolitan University

Topics

• Problems with Teaching Computer Forensics

• Introduction to Virtualisation Technology

• Moving towards the Virtual Environment

• A Case Study

• Summary

Problems with Teaching Computer Forensics

• Digital evidence comes from different hardware and software platforms

• University labs are normally equipped with PCs running MS Windows O.S.

• Specialised Computer Forensic Labs are needed

• What kind of labs can we afford?

Introduction to Virtualisation Technology

• Virtualisation – the current trend reshaping the software technology industry

• Multiple Virtual Machines (VMs) run concurrently on one physical machine.

• Made practical by powerful processors and very large storage

• VMware – the leading vendor; its software is deployed by 100% of Fortune companies

The VM Layer Structure

Moving towards the Virtual Environment

• Desktop VMware is installed on each lab PC

• Virtual Windows XP and virtual Linux are then installed on top of this VMware layer

• Students have admin access to each virtual machine.

• Windows-based and Linux-based Computer Forensics toolkits run concurrently.


The Virtual Windows XP Running EnCase


The Virtual Linux Running Autopsy

A Case Study

• A network incident investigation

• Evidence collected from Linux O.S.

• Not intended to show Network Forensics techniques

• Rather to demonstrate the viability of Forensic Analysis based on VMs


Snort HTTP Packet Inspection Results


Nmap Attack Identification


Inspecting Grouped Snort Log
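The "Nmap Attack Identification" and "Inspecting Grouped Snort Log" slides are screenshots, so the grouping step itself is not shown. The script below is an added example, not from the workshop or the authors, of the kind of summary a student could run inside the Linux VM before opening individual packets: it parses Snort's fast-format alert lines and groups them by signature and by source host, listing the targets each source touched (a host hitting many ports is the pattern that flags a scanner). The log lines, rule sids and messages are constructed for illustration and are not from the case study.

```python
"""Group Snort fast-format alerts by signature and by source host.

Added example (not from the original slides). The alert lines below are
constructed for illustration; the sids are in the local-rule range and
the messages are invented.
"""
import re
from collections import Counter, defaultdict

# One line of Snort's "alert_fast" output looks like:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] message [**] [Classification: ..]
#   [Priority: n] {PROTO} src[:port] -> dst[:port]
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[^\s:]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample log: two web alerts, two probe alerts, one ICMP alert
# and one stray non-alert line that the parser must skip.
SAMPLE_LOG = """\
11/10-14:23:01.104512  [**] [1:1000001:1] LAB-WEB suspicious URI [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.56.20:44321 -> 192.168.56.10:80
11/10-14:23:01.206770  [**] [1:1000001:1] LAB-WEB suspicious URI [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.56.20:44322 -> 192.168.56.10:80
11/10-14:23:02.001203  [**] [1:1000002:1] LAB-SCAN port probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.56.20:50000 -> 192.168.56.10:22
11/10-14:23:02.001880  [**] [1:1000002:1] LAB-SCAN port probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.56.20:50001 -> 192.168.56.10:443
11/10-14:25:17.330001  [**] [1:1000003:1] LAB-ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.56.30 -> 192.168.56.10
this line is not an alert and must be skipped
"""


def parse_alert(line):
    """Return the fields of one fast-format alert line, or None when the
    line is not an alert (blank lines, packet dumps, stray text)."""
    m = FAST_ALERT_RE.match(line.strip())
    if m is None:
        return None
    fields = m.groupdict()
    fields["priority"] = int(fields.pop("prio"))
    return fields


def group_alerts(log_text):
    """Summarise a block of fast-format alert text.

    Returns a dict with:
      parsed / skipped   - line counts, so unparsed lines are visible
      by_signature       - Counter keyed by (sid, msg)
      by_source          - Counter keyed by source IP
      targets_by_source  - {src: set of "dst[:port]" strings touched}
      highest_priority   - lowest Priority number seen (1 is most severe)
    """
    by_signature = Counter()
    by_source = Counter()
    targets = defaultdict(set)
    parsed = skipped = 0
    highest = None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        a = parse_alert(line)
        if a is None:
            skipped += 1
            continue
        parsed += 1
        by_signature[(a["sid"], a["msg"])] += 1
        by_source[a["src"]] += 1
        target = a["dst"] if a["dport"] is None else f'{a["dst"]}:{a["dport"]}'
        targets[a["src"]].add(target)
        if highest is None or a["priority"] < highest:
            highest = a["priority"]
    return {
        "parsed": parsed,
        "skipped": skipped,
        "by_signature": by_signature,
        "by_source": by_source,
        "targets_by_source": dict(targets),
        "highest_priority": highest,
    }


def report(summary):
    """Render the summary as text lines, most frequent first."""
    lines = [f'{summary["parsed"]} alerts parsed, {summary["skipped"]} lines skipped']
    lines.append("By signature:")
    for (sid, msg), n in summary["by_signature"].most_common():
        lines.append(f"  {n:4d}  sid {sid}  {msg}")
    lines.append("By source host:")
    for src, n in summary["by_source"].most_common():
        tgts = ", ".join(sorted(summary["targets_by_source"][src]))
        lines.append(f"  {n:4d}  {src} -> {tgts}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(group_alerts(SAMPLE_LOG))))
```

Run it against a real `alert` file by reading the file into `group_alerts`; the `skipped` count is worth checking first, because a non-zero value usually means the output plugin was not `alert_fast` and the regular expression does not fit the lines.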

Summary

• Teaching Computer Forensics is not only demanding but also expensive.

• The Virtual Environment is a low-cost and efficient solution.

• Its full benefit is being realised as Virtualisation Technology advances.

• Are we prepared for the Virtualisation era?
