
Teaching Digital Forensics w/Virtuals


Presentation Transcript


  1. Teaching Digital Forensics w/Virtuals By Amelia Phillips

  2. Teaching Digital Forensics – Incorporating Virtualization

  3. Agenda • Overview of VMs • Finding a VM • Proper Procedure • Imaging a VM • Analysis of a VM • Restoring an image to a VM

  4. Overview of VMs • “Oh, use a virtual!” • What does this really mean? • Why is it so popular?

  5. Use of Virtual Machines • VMs allow you to run multiple operating systems on the same physical box • On a high-capacity server (large RAM, quad-core or better) 20 or more guest OSes can run on the same box

  6. Use of Virtual Machines (2) • Cuts down on equipment cost • Ease of maintenance • Easy to back up, clone and restore • Easy to delete • Easy to create • Legacy systems and modern systems can sit on the same network

  7. Use of VMs in Class • Easy to teach legacy systems • Relatively easy to assemble networks • Cut down on the number of physical machines

  8. Most Popular VM Software • VMware (Server, Workstation, Player) • VirtualBox • Virtual PC • Many others listed on Wikipedia

  9. Criminal or Covert Use of VMs • Attack networks from a throwaway guest • Insider access to sensitive files • Erase evidence • Hard to track: the guest's whole activity lives in a handful of files on the host that can be moved or deleted

  10. Proper Procedure • Forensically sound approach • Document everything • New technology produces new challenges, such as live acquisitions and VMs

  11. Proper Procedure (2) • A VM is just a set of files on some physical box • Your search begins with someone's office computer, personal laptop, mobile device, USB or other portable drive

  12. Proper Procedure (3) • Seize the evidence • Perform a forensic image of the physical drive • Begin the analysis

  13. Find the VM • Check the MRU (most recently used) lists • Examine the Registry: under HKEY_CLASSES_ROOT see whether the .vmdk extension (or a similar one such as .vmx, .vbox or .vhd) has a file association, which shows a hypervisor was installed • Check the My Virtual Machines folder under the user's Documents • Look for .lnk shortcut files that point to a VM

  14. Find the VM (2) • Examine the network logs • Look for a VMware virtual network adapter (VMware Network Adapter VMnet1/VMnet8 in ipconfig output, vmnet interfaces in ifconfig output) • See what has been connected to the machine, such as USB drives

  15. Find the VM (3) • The VM may have been deleted • Be sure to examine the host drive (unallocated space, carving) to see if the file(s) can be recovered • Export any relevant files

  16. Examining the VM • Note there may be shared files or folders on the host machine (shared folders are declared in the .vmx configuration) • Examine the log files (vmware.log and its rotated copies vmware-0.log, vmware-1.log, ...) • Open the Cengage2010VM folder • Note how many host machines this VM was opened on and their names; each run logs the host it was started on

  17. VMware files • *.vmdk – the virtual hard disk for the VM (one flat file, or a sparse/split set of extents plus a text descriptor) • *.nvram – the guest's BIOS settings • *.vmx – the plain-text configuration file • Also watch for *.vmsd/*.vmsn (snapshots) and *.vmem (guest RAM written to disk)
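As an added example (not code from the slides or from VMware), the following Python script does the slide 13-17 work on a host drive that has been exported or mounted read-only: it walks the tree for VM-related files, parses each `.vmx` for the display name, disk files, NVRAM file and shared folders, and lists the host names recorded in the `vmware.log` files. The directory layout, the sample `.vmx` and the log lines are constructed for the demo; the `Hostname=` log entry is assumed to be the one VMware Workstation writes at the start of each log, so check it against your own logs. Registry and MRU checks are left to the tools on the slides.

```python
"""Added example: locate VMware artifacts on a mounted host drive and pull the
examiner-relevant facts from each .vmx and vmware.log.  Not from the slides;
sample data below is constructed, paths and names are hypothetical."""
import os
import re
import tempfile

# Extensions worth flagging.  VMware: .vmx config, .vmdk disk, .nvram BIOS,
# .vmsd/.vmsn snapshots, .vmem guest RAM; VirtualBox .vbox/.vdi; Virtual PC .vmc/.vhd.
VM_EXTENSIONS = {".vmx", ".vmdk", ".nvram", ".vmsd", ".vmsn", ".vmem",
                 ".vbox", ".vdi", ".vmc", ".vhd"}
VMX_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')   # key = "value"
HOSTNAME_LINE = re.compile(r"Hostname=(\S+)")               # assumed vmware.log entry

# Constructed .vmx (hypothetical paths) in the real key = "value" format.
SAMPLE_VMX = r'''.encoding = "windows-1252"
displayName = "Cengage2010VM"
guestOS = "winxppro"
nvram = "Cengage2010VM.nvram"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "Cengage2010VM.vmdk"
ide1:0.fileName = "auto detect"
ethernet0.connectionType = "nat"
sharedFolder0.present = "TRUE"
sharedFolder0.hostPath = "C:\Users\suspect\Documents\drop"
sharedFolder0.guestName = "drop"
'''
# Constructed log lines (two concatenated vmware*.log files).
SAMPLE_LOG = r'''2010-03-01T09:12:44.120-08:00| vmx| I120: Log for VMware Workstation pid=1234
2010-03-01T09:12:44.120-08:00| vmx| I120: Hostname=LAB-PC07
2010-03-02T14:03:10.004-08:00| vmx| I120: Log for VMware Workstation pid=5678
2010-03-02T14:03:10.004-08:00| vmx| I120: Hostname=SUSPECT-LAPTOP
'''


def parse_vmx(text):
    """Turn the key = "value" lines of a .vmx file into a dict."""
    return {m.group(1): m.group(2) for m in map(VMX_LINE.match, text.splitlines()) if m}


def summarize_vmx(cfg):
    """Extract what the examiner wants: name, guest OS, disk files, NVRAM, shared folders."""
    disks = [v for k, v in cfg.items()
             if k.endswith(".fileName") and v.lower().endswith(".vmdk")]
    shares = [{"guestName": cfg.get(k[:-len(".hostPath")] + ".guestName", ""), "hostPath": v}
              for k, v in cfg.items() if re.fullmatch(r"sharedFolder\d+\.hostPath", k)]
    return {"displayName": cfg.get("displayName", ""), "guestOS": cfg.get("guestOS", ""),
            "disks": disks, "nvram": cfg.get("nvram", ""), "sharedFolders": shares}


def hosts_from_log(text):
    """Distinct host names in vmware.log text, in order of first appearance."""
    seen = []
    for m in HOSTNAME_LINE.finditer(text):
        if m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def find_vm_artifacts(root):
    """Walk root and return every file with a VM extension or a vmware*.log name."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            low = f.lower()
            if os.path.splitext(low)[1] in VM_EXTENSIONS or (
                    low.startswith("vmware") and low.endswith(".log")):
                hits.append(os.path.join(dirpath, f))
    return sorted(hits)


def build_sample_tree():
    """Constructed host layout: a My Virtual Machines folder plus an unrelated file."""
    root = tempfile.mkdtemp()
    vmdir = os.path.join(root, "Documents", "My Virtual Machines", "Cengage2010VM")
    os.makedirs(vmdir)
    for name in ("Cengage2010VM.vmx", "Cengage2010VM.vmdk", "Cengage2010VM.nvram",
                 "vmware.log", "vmware-0.log"):
        with open(os.path.join(vmdir, name), "w") as f:
            f.write(SAMPLE_VMX if name.endswith(".vmx") else "")
    with open(os.path.join(root, "Documents", "notes.txt"), "w") as f:
        f.write("not a vm\n")
    return root


def run_demo():
    """Scan the constructed tree, parse the .vmx found, list hosts from SAMPLE_LOG."""
    hits = find_vm_artifacts(build_sample_tree())
    with open(next(h for h in hits if h.endswith(".vmx"))) as f:
        summary = summarize_vmx(parse_vmx(f.read()))
    return {"files": sorted(os.path.basename(h) for h in hits),
            "vmx": summary, "hosts": hosts_from_log(SAMPLE_LOG)}


if __name__ == "__main__":
    print(run_demo())
```

Run `find_vm_artifacts()` against the mount point of the imaged host drive, not the live system, and concatenate `vmware.log` with its rotated copies before calling `hosts_from_log()` so every run is counted.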

  18. Preview VM

  19. Note Files of interest

  20. Imaging a VM • The easiest tool is FTK Imager • Very similar to imaging a standard physical drive • Launch FTK Imager • Click File, Create Disk Image

  21. Choose Image File as the source type and select the .vmdk file

  22. Click Add, then select Raw (dd) as the destination image type

  23. Fill in the evidence item information (case number, evidence number, examiner, notes) in the dialog box. Select the destination folder and enter a filename. Be sure to enter 0 for the image fragment size so the image is written as a single unfragmented file

  24. Verify Results: check that the MD5 and SHA1 hashes FTK Imager computed for the image match those of the source, and keep the hash report with the case
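The slide 20-24 procedure done in code, as an added example that is not the slides' own material and not FTK Imager: a raw (dd-style) copy of the disk file written as one unfragmented output, with MD5 and SHA1 computed on the source while reading and recomputed on the image for the Verify step, and a companion text log carrying the evidence item information. The caveat is the one the slides' conclusion hints at: a byte-for-byte copy is a raw disk image only when the .vmdk is a flat, preallocated extent; sparse and descriptor-only .vmdk files are container formats that FTK Imager interprets, so the example refuses them and points at a converter. Paths, evidence numbers and the sample disks are constructed.

```python
"""Added example: raw-image a flat VM disk file with source/destination hashing,
the way the FTK Imager Raw (dd) walkthrough does.  Not from the slides; sample
disks are constructed and all paths and case details are hypothetical."""
import hashlib
import os
import tempfile

CHUNK = 4 * 1024 * 1024
SPARSE_MAGIC = b"KDMV"                       # first 4 bytes of a VMware sparse extent header
DESCRIPTOR_MAGIC = b"# Disk DescriptorFile"  # start of a text-only descriptor .vmdk


def detect_vmdk_kind(path):
    """Classify a .vmdk from its first sector: 'sparse', 'descriptor' or 'flat'."""
    with open(path, "rb") as f:
        head = f.read(512)
    if head.startswith(SPARSE_MAGIC):
        return "sparse"
    if head.lstrip().startswith(DESCRIPTOR_MAGIC):
        return "descriptor"
    return "flat"


def hash_file(path):
    """MD5 and SHA1 of a file, streamed; FTK Imager reports both."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def image_raw(src, dst, evidence_info):
    """Copy src to dst as a single file (fragment size 0), hashing the source as it
    is read, then re-hash dst to verify.  Writes dst + '.txt' with the evidence
    information and both hash sets.  Refuses container-format .vmdk files."""
    kind = detect_vmdk_kind(src)
    if kind != "flat":
        raise ValueError(f"{src}: {kind} VMDK is a container, not a disk image; "
                         "convert it first (e.g. qemu-img convert -f vmdk -O raw)")
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    # 'xb' fails if dst exists: never overwrite an image or evidence file.
    with open(src, "rb") as fin, open(dst, "xb") as fout:
        for chunk in iter(lambda: fin.read(CHUNK), b""):
            md5.update(chunk)
            sha1.update(chunk)
            fout.write(chunk)
            size += len(chunk)
    image_md5, image_sha1 = hash_file(dst)
    result = {"source": src, "image": dst, "bytes": size,
              "source_md5": md5.hexdigest(), "source_sha1": sha1.hexdigest(),
              "image_md5": image_md5, "image_sha1": image_sha1}
    result["verified"] = (result["source_md5"], result["source_sha1"]) == (image_md5, image_sha1)
    with open(dst + ".txt", "w") as log:      # companion report, like FTK Imager's .txt
        for k, v in {**evidence_info, **result}.items():
            log.write(f"{k}: {v}\n")
    return result


def make_sample_disks(dirpath):
    """Constructed data: a 1 MiB 'flat' disk with a boot-sector signature, and a file
    that only carries the sparse-extent magic.  Returns (flat, sparse, md5 of flat)."""
    body = bytearray(b"".join(i.to_bytes(4, "little") for i in range(256 * 1024)))
    body[510:512] = b"\x55\xaa"
    flat, sparse = (os.path.join(dirpath, n) for n in ("E1-flat.vmdk", "E1-s001.vmdk"))
    with open(flat, "wb") as f:
        f.write(body)
    with open(sparse, "wb") as f:
        f.write(SPARSE_MAGIC + b"\x00" * 508)
    return flat, sparse, hashlib.md5(body).hexdigest()


def run_demo():
    """Image the flat sample, then show the sparse sample being refused."""
    workdir = tempfile.mkdtemp()
    flat, sparse, expected_md5 = make_sample_disks(workdir)
    info = {"case_number": "2010-001", "evidence_number": "E1",
            "examiner": "examiner-01"}          # hypothetical
    result = image_raw(flat, os.path.join(workdir, "E1.dd"), info)
    try:
        image_raw(sparse, os.path.join(workdir, "E2.dd"), info)
        refused = False
    except ValueError:
        refused = True
    return result, expected_md5, detect_vmdk_kind(sparse), refused


if __name__ == "__main__":
    print(run_demo())
```

Mount the host image read-only before pointing `image_raw()` at the .vmdk, and file the `.txt` report alongside the hashes FTK Imager produced so the two sets can be compared during review.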

  25. Analyzing the VM • Load the forensic image into the software of your choice • For ease of demonstration, launch Forensic Toolkit (FTK) • Click through any messages about KFF (the Known File Filter hash library) or the license dongle not being found

  26. Using FTK • Start a new case • Use all the defaults, plus data carving, and fill in your information • At Add Evidence, select the image file just created

  27. Analyzing the VM • Click Next and Finish • Once the image has been processed, proceed as normal with your analysis • Be sure to examine the guest's registry hives

  28. Using the VM as your forensic tool

  29. Examining Malware, etc. • Many times software found on a drive is not readily available for download • Malware may be present that you want to run and observe • You, as the investigator, want to test it in a controlled environment • Forensic procedure must dictate what you do next

  30. Launch a VM • Use the forensic image of the vmdk (or equivalent), never the original file • Some forensic tools, such as EnCase, require mounting the drive first • Others, such as ProDiscover, will prepare the VM files for you

  31. Using ProDiscover

  32. Creating VM files

  33. Procedure • Be sure to record the hash values of all files created • Be sure to document everything that you do • This is new territory: not yet proven by case law

  34. Advantages of using a VM • A "clean box" every time • Changes made to the drive during a run can be discarded • A verified image can be loaded every time
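The slide 33 record-keeping and the slide 34 "clean box" check in code, as an added example that is not part of the slides and not any tool's own feature: after a tool has rebuilt a VM from the forensic image, every file it wrote is recorded with size, SHA-256 and timestamp in a JSON manifest, and the same directory is re-checked against that manifest before each launch so that a modified disk or a leftover file from a previous run is caught rather than silently carried into the next examination. Examiner and tool names, paths and the sample VM files are constructed.

```python
"""Added example: manifest of the VM files a tool created from the forensic
image, plus a pre-launch integrity check against it.  Not from the slides;
names and paths are hypothetical, sample files are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(vm_dir, examiner, tool, note=""):
    """Hash and size every file under vm_dir (the .vmx/.vmdk/.nvram set a tool wrote)."""
    files = {}
    for dirpath, _dirs, names in os.walk(vm_dir):
        for name in names:
            p = os.path.join(dirpath, name)
            st = os.stat(p)
            files[os.path.relpath(p, vm_dir).replace(os.sep, "/")] = {
                "size": st.st_size,
                "sha256": sha256_file(p),
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            }
    return {"recorded_utc": datetime.now(timezone.utc).isoformat(),
            "examiner": examiner, "tool": tool, "note": note, "files": files}


def save_manifest(manifest, path):
    """Store the manifest outside vm_dir so it never counts as a VM file."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def verify_manifest(vm_dir, manifest):
    """Compare vm_dir with the manifest; ok only if nothing changed, vanished or appeared."""
    current = build_manifest(vm_dir, manifest["examiner"], manifest["tool"])["files"]
    recorded = manifest["files"]
    changed = sorted(p for p in recorded
                     if p in current and current[p]["sha256"] != recorded[p]["sha256"])
    missing = sorted(p for p in recorded if p not in current)
    new = sorted(p for p in current if p not in recorded)
    return {"ok": not (changed or missing or new),
            "changed": changed, "missing": missing, "new": new}


def run_demo():
    """Constructed scenario: record a freshly prepared VM, verify it, then simulate a
    run that altered the disk and left a .vmem behind, and verify again."""
    vm_dir = tempfile.mkdtemp()
    samples = {"case.vmx": b'displayName = "case"\n',
               "case.vmdk": b"\x00" * 4096, "case.nvram": b"\x01" * 64}
    for name, content in samples.items():
        with open(os.path.join(vm_dir, name), "wb") as f:
            f.write(content)
    manifest = build_manifest(vm_dir, examiner="examiner-01",
                              tool="hypothetical-vm-builder", note="rebuilt from E1.dd")
    save_manifest(manifest, vm_dir + "-manifest.json")
    clean = verify_manifest(vm_dir, manifest)
    with open(os.path.join(vm_dir, "case.vmdk"), "r+b") as f:   # guest wrote to its disk
        f.write(b"\xff")
    with open(os.path.join(vm_dir, "case.vmem"), "wb") as f:    # leftover guest RAM file
        f.write(b"\x00" * 16)
    dirty = verify_manifest(vm_dir, manifest)
    return clean, dirty


if __name__ == "__main__":
    clean, dirty = run_demo()
    print("fresh:", clean)
    print("after run:", dirty)
```

Build the manifest immediately after the tool finishes writing the VM files and before the first launch; if `verify_manifest()` reports anything, restore from the verified image rather than launching, and keep each manifest with the case notes as the record slide 33 asks for.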

  35. Conclusion • Virtual machines do offer some challenges • Knowledge of how to mount them for examination in a VM application is needed • Expect quirks when making the actual drive image

  36. References • Shavers, Brett. Virtual Forensics. White paper, 2009. • Nelson, Bill; Phillips, Amelia; Steuart, Chris. Guide to Computer Forensics and Investigations. Course Technology, 2010.
