Teaching Digital Forensics w/Virtuals

By Amelia Phillips

Teaching Digital Forensics – Incorporating Virtualization

AgendaOverview of VMsFinding a VMProper ProcedureImaging a VMAnalysis of a VMRestoring an image to a VM

Overview of VMs

“Oh, use a virtual!”What does this really mean?Why is it so popular?

Use of Virtual Machines

VMs allow you to run multiple operating systems on the same physical box

With high capacity servers High RAMQuad-core or higher20 or more OS can run on the same box

Use of Virtual Machines(2)

Cut down on equipment costEase of maintenanceEasy to backup, clone and restoreEasy to deleteEasy to createHave legacy systems and modern

systems on same network

Use of VMs in Class

Easy to teach legacy systemsRelatively easy to assemble

networksCut down on the number of physical

machines

Most Popular VM Software

VMWareServerWorkstationPlayer

Virtual BoxVirtual PCMany others listed on wikipedia

Criminal or Covert Use of VMs

Attack networksInsider access to sensitive filesErase evidenceHard to track

Proper Procedure

Forensically sound approachDocument everythingNew technology produces new

challengesLive acquisitionsVMs

Proper Procedure (2)

VMs are located on other physical boxes

Your search begins with someone’sOffice computerPersonal laptopMobile deviceUSB or other portable drive

Proper Procedure (3)

Seize the evidencePerform a forensic image of the

physical driveBegin the analysis

Find the VM

Check the MRUExamine the Registry

HKEY_CLASSES_ROOT see if the vmdk extension (or similar) has an association

Check the My Virtual Machines folderLook for .lnk files that point to a VM

Find the VM (2)

Examine the Network logsLook for a VMWare network adaptor

ipconfig or ifconfig

See what has been connected to the machine such as a USB

Find the VM (3)

The VM may have been deletedBe sure to examine the host drive to

see if the file(s) can be retrievedExport any relevant files

Examining the VM

Note there may be shared files or folders on the host machine

Examine the Log filesOpen the Cengage2010VM folderNote how many machines this VM

was opened on and their names

VMWare files

*.vmdk – the actual hard drive for the VM

*.nvram – the BIOS info *.vmx – the configuration file

Preview VM

Note Files of interest

Imaging a VM

The easiest tool is FTK ImagerVery similar to imaging a standard

physical driveLaunch FTK ImagerClick, File, Create Disk Image

Select the vmdk file

Click Add

Select Raw(dd)

Fill in the prior dialog box with your information.

Select the destination folder and indicate a filename. Be sure to put in 0 for no fragmentation

Verify Results

Analyzing the VM

Load the forensic image into the software of your choice

For ease of demonstration, launch the Forensic Toolkit

Click through any messages regarding KFF and dongle not found

Using FTK

Start a new caseUse all the defaults, plus data

carving and fill in your informationAt the add evidence, select the file

we just created

Analyzing the VM

Click Next and FinishOnce the drive has been processed,

proceed as normal with your analysis

Be sure to look at the registry

USING THE VM AS YOUR FORENSIC TOOL

Examining Malware, etcMany times software on a drive is not

readily available for downloadMalware may be present that you

want to testYou, as the investigator, want to test

itForensic procedure must dictate what

you do next

Launch a VM

Use the forensic image of the vmdk (or equivalent), not the original file

Some forensic tools such as EnCase require mounting the drive

Other tools, such as ProDiscover, will prepare the files for you

Using ProDiscover

Creating VM files

Procedure

Be sure to record the hash values of all files created

Be sure to document everything that you do

This is new territory – not proven by case law

Advantages of using VM

“clean box” every timeErase changes made to driveCan load a verified image every time

Conclusion

Virtual machines do offer some challenges

Knowledge of how to mount them for examination in a VM application is needed

Quirks when doing the actual drive image

References

Virtual Forensics, by Shavers, Brett, 2009, white paper

Guide to Computer Forensics and Investigations, by Nelson, Bill; Phillips, Amelia; and Steuart, Chris, 2010, Course Technology