
  1. Teaching Digital Forensics w/Virtuals By Amelia Phillips

  2. Teaching Digital Forensics – Incorporating Virtualization

  3. Agenda • Overview of VMs • Finding a VM • Proper Procedure • Imaging a VM • Analysis of a VM • Restoring an image to a VM

  4. Overview of VMs • “Oh, use a virtual!” • What does this really mean? • Why is it so popular?

  5. Use of Virtual Machines • VMs allow you to run multiple operating systems on the same physical box • On a high-capacity server • High RAM • Quad-core or higher • 20 or more guest OSes can run on the same box

  6. Use of Virtual Machines(2) • Cut down on equipment cost • Ease of maintenance • Easy to backup, clone and restore • Easy to delete • Easy to create • Have legacy systems and modern systems on same network

  7. Use of VMs in Class • Easy to teach legacy systems • Relatively easy to assemble networks • Cut down on the number of physical machines

  8. Most Popular VM Software • VMware • Server • Workstation • Player • VirtualBox • Virtual PC • Many others listed on Wikipedia

  9. Criminal or Covert Use of VMs • Attack networks • Insider access to sensitive files • Erase evidence • Hard to track

  10. Proper Procedure • Forensically sound approach • Document everything • New technology produces new challenges • Live acquisitions • VMs

  11. Proper Procedure (2) • VMs are located on other physical boxes • Your search begins with someone’s • Office computer • Personal laptop • Mobile device • USB or other portable drive

  12. Proper Procedure (3) • Seize the evidence • Perform a forensic image of the physical drive • Begin the analysis

  13. Find the VM • Check the MRU (most recently used) lists • Examine the Registry • HKEY_CLASSES_ROOT: see whether the .vmdk extension (or similar) has a file association • Check the My Virtual Machines folder • Look for .lnk files that point to a VM

  14. Find the VM (2) • Examine the network logs • Look for a VMware network adapter • ipconfig or ifconfig • See what has been connected to the machine, such as a USB drive

  15. Find the VM (3) • The VM may have been deleted • Be sure to examine the host drive to see if the file(s) can be retrieved • Export any relevant files
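
The host-side search in slides 13 to 15, as an added example that is not part of the presentation: a Python triage script that walks a read-only mount of the host's forensic image and lists VMware configuration, disk, NVRAM, memory and snapshot files, shortcuts whose target names a VM file, and the host names recorded in vmware.log. The extension list, the assumed `Hostname=` log line shape, the mount path and the sample tree built by `demo()` are assumptions or constructed data, not from the slides. It does not parse registry hives or MRU lists; those still need a hive parser.

```python
"""Triage a mounted host drive image for VMware artifacts.

Added example, not from the slide deck. `root` is assumed to be a
read-only mount of the forensic image of the suspect's host drive;
the sample tree built by demo() is constructed for illustration."""
import os
import re
import tempfile
from pathlib import Path

# VMware file types worth collecting (well-known extensions, not from the slides).
VM_EXTENSIONS = {
    ".vmx": "VM configuration",
    ".vmdk": "virtual disk descriptor or extent",
    ".nvram": "VM BIOS/NVRAM state",
    ".vmem": "guest memory (suspend or snapshot)",
    ".vmsn": "snapshot state",
    ".vmsd": "snapshot metadata",
    ".vmss": "suspended-VM state",
}
# Shortcuts store their target path as ANSI and as UTF-16LE; check both encodings.
LNK_MARKERS = [m.encode("ascii") for m in (".vmx", ".vmdk")]
LNK_MARKERS += [m.encode("utf-16-le") for m in (".vmx", ".vmdk")]
# Assumed vmware.log line shape: "...| vmx| I120: Hostname=LAB-PC1"
HOSTNAME = re.compile(rb"Hostname=(\S+)")


def lnk_points_to_vm(path: Path) -> bool:
    """Crude but encoding-aware test: does the .lnk body name a VM file?"""
    data = path.read_bytes().lower()
    return any(marker in data for marker in LNK_MARKERS)


def hosts_in_log(path: Path) -> list:
    """Host names recorded in a vmware.log, i.e. machines the VM was run on."""
    found = HOSTNAME.findall(path.read_bytes())
    return sorted({h.decode("latin-1") for h in found})


def scan_host(root: Path) -> list:
    """Walk the mounted image and return a sorted list of (path, kind) hits."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            ext = p.suffix.lower()
            rel = p.relative_to(root).as_posix()
            if ext in VM_EXTENSIONS:
                hits.append((rel, VM_EXTENSIONS[ext]))
            elif name.lower() == "vmware.log":
                hits.append((rel, "VMware log; run on " + ", ".join(hosts_in_log(p))))
            elif ext == ".lnk" and lnk_points_to_vm(p):
                hits.append((rel, "shortcut to a VM"))
    return sorted(hits)


def demo() -> list:
    """Constructed sample host tree: a VM folder, a desktop shortcut to the
    VM, and an unrelated shortcut that must not be reported."""
    root = Path(tempfile.mkdtemp())
    vm = root / "Documents" / "My Virtual Machines" / "Win7"
    vm.mkdir(parents=True)
    (vm / "Win7.vmx").write_text('displayName = "Win7"\n')
    (vm / "Win7.vmdk").write_text("# Disk DescriptorFile\n")
    (vm / "Win7.nvram").write_bytes(b"\x00" * 8)
    (vm / "vmware.log").write_bytes(
        b"2010-03-01T09:00:00.000-08:00| vmx| I120: Hostname=LAB-PC1\n"
        b"2010-03-02T10:00:00.000-08:00| vmx| I120: Hostname=LAPTOP-7\n"
        b"2010-03-03T11:00:00.000-08:00| vmx| I120: Hostname=LAB-PC1\n")
    desk = root / "Desktop"
    desk.mkdir()
    # Shortcut bodies are constructed stand-ins, not real ShellLink structures.
    (desk / "Win7.lnk").write_bytes(b"L\x00\x00\x00" + "C:\\VMs\\Win7.vmx".encode("utf-16-le"))
    (desk / "calc.lnk").write_bytes(b"L\x00\x00\x00" + "C:\\Windows\\calc.exe".encode("utf-16-le"))
    return scan_host(root)


if __name__ == "__main__":
    for rel, kind in demo():
        print(f"{kind:45s} {rel}")
```

Run it against the mount point instead of the constructed tree by calling `scan_host(Path("/mnt/evidence"))`; the substring check on .lnk files is deliberately crude, so confirm any shortcut hit with a proper ShellLink parser before relying on its target path.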

  16. Examining the VM • Note there may be shared files or folders on the host machine • Examine the log files (vmware.log) • Open the Cengage2010VM folder • Note how many host machines this VM was opened on and their names

  17. VMware files • *.vmdk – the virtual hard drive for the VM (may be split into several extent files; a snapshot delta also needs its base disk) • *.nvram – the BIOS/NVRAM state • *.vmx – the configuration file • *.vmem and *.vmsn – guest memory and snapshot state, if present • vmware.log – the log file
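
Slide 17's file list, as an added example not from the presentation: a Python inventory that parses a .vmx for its disk references, reads each .vmdk descriptor (plain text for split and snapshot disks, or embedded after the `KDMV` header for a monolithic sparse disk), follows `parentFileNameHint` back to the base disk, and reports any extent or NVRAM file that is absent. The 64 KiB descriptor search window, the default NVRAM name rule and the sample VM folder built by `demo()` are assumptions or constructed data.

```python
"""Inventory a VMware VM from its .vmx and .vmdk descriptors.

Added example, not from the slide deck. Follows snapshot deltas back to
the base disk and lists every extent file the image must include; the
sample VM folder built by demo() is constructed."""
import re
import tempfile
from pathlib import Path

DISK_KEY = re.compile(r"^(?:scsi|ide|sata|nvme)\d+:\d+\.fileName$", re.I)
EXTENT = re.compile(r'^(RW|RDONLY|NOACCESS)\s+(\d+)\s+(\w+)\s+"([^"]+)"')
KEYVAL = re.compile(r'^\s*([^#=\s]+)\s*=\s*"?(.*?)"?\s*$')


def parse_kv(text: str) -> dict:
    """Parse the `key = "value"` lines used by .vmx files and descriptors."""
    cfg = {}
    for line in text.splitlines():
        m = KEYVAL.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def read_descriptor(vmdk: Path) -> str:
    """Split and delta disks are plain text; a monolithic sparse disk starts
    with 'KDMV' and embeds the descriptor (assumed within the first 64 KiB)."""
    head = vmdk.read_bytes()[:65536]
    if head.startswith(b"KDMV"):
        start = head.find(b"# Disk DescriptorFile")
        if start < 0:
            raise ValueError(f"{vmdk}: no embedded descriptor found")
        head = head[start:].split(b"\x00", 1)[0]
    return head.decode("latin-1")


def disk_chain(vmdk: Path, seen=None) -> dict:
    """Collect the extents of one disk, then recurse into its parent so a
    snapshot delta is never imaged without the base it depends on."""
    seen = set() if seen is None else seen
    if vmdk in seen:
        raise ValueError(f"cycle in snapshot chain at {vmdk}")
    seen.add(vmdk)
    out = {"present": [], "missing": []}
    if not vmdk.exists():
        out["missing"].append(str(vmdk))
        return out
    out["present"].append(str(vmdk))
    text = read_descriptor(vmdk)
    for line in text.splitlines():
        m = EXTENT.match(line)
        if not m:
            continue
        extent = vmdk.parent / m.group(4)
        if extent == vmdk:  # monolithic: the extent is this same file
            continue
        out["present" if extent.exists() else "missing"].append(str(extent))
    parent = parse_kv(text).get("parentFileNameHint")
    if parent:
        sub = disk_chain(vmdk.parent / parent, seen)
        out["present"] += sub["present"]
        out["missing"] += sub["missing"]
    return out


def inventory(vmx: Path) -> dict:
    """Everything needed to reproduce the VM: config, NVRAM and all disk files."""
    cfg = parse_kv(vmx.read_text(errors="replace"))
    report = {"displayName": cfg.get("displayName"), "guestOS": cfg.get("guestOS"),
              "disks": {}, "missing": []}
    for key, val in cfg.items():  # ISO images on CD-ROM slots are skipped
        if DISK_KEY.match(key) and val.lower().endswith(".vmdk"):
            chain = disk_chain(vmx.parent / val)
            report["disks"][key] = chain["present"]
            report["missing"] += chain["missing"]
    nvram = vmx.parent / cfg.get("nvram", vmx.stem + ".nvram")  # assumed default name
    if not nvram.exists():
        report["missing"].append(str(nvram))
    return report


def demo() -> dict:
    """Constructed VM folder: a delta on top of a split base disk with one
    extent deliberately absent, plus a monolithic second disk."""
    d = Path(tempfile.mkdtemp())
    (d / "Win7.vmx").write_text(
        'displayName = "Win7 Lab"\nguestOS = "windows7"\nnvram = "Win7.nvram"\n'
        'scsi0:0.fileName = "Win7-000001.vmdk"\nscsi0:1.fileName = "Data.vmdk"\n'
        'ide1:0.deviceType = "cdrom-image"\nide1:0.fileName = "tools.iso"\n')
    (d / "Win7.nvram").write_bytes(b"\x00" * 16)
    (d / "Win7-000001.vmdk").write_text(
        '# Disk DescriptorFile\nversion=1\nCID=1a2b3c4d\nparentCID=0a0b0c0d\n'
        'createType="twoGbMaxExtentSparse"\nparentFileNameHint="Win7.vmdk"\n'
        'RW 4192256 SPARSE "Win7-000001-s001.vmdk"\n')
    (d / "Win7.vmdk").write_text(
        '# Disk DescriptorFile\nversion=1\nCID=0a0b0c0d\nparentCID=ffffffff\n'
        'createType="twoGbMaxExtentSparse"\nRW 4192256 SPARSE "Win7-s001.vmdk"\n'
        'RW 4192256 SPARSE "Win7-s002.vmdk"\nRW 2048 SPARSE "Win7-s003.vmdk"\n')
    for name in ("Win7-000001-s001.vmdk", "Win7-s001.vmdk", "Win7-s002.vmdk"):
        (d / name).write_bytes(b"KDMV" + b"\x00" * 60)  # Win7-s003.vmdk left out
    embedded = ('# Disk DescriptorFile\nversion=1\nCID=ffffffff\nparentCID=ffffffff\n'
                'createType="monolithicSparse"\nRW 2048 SPARSE "Data.vmdk"\n')
    (d / "Data.vmdk").write_bytes(b"KDMV" + b"\x00" * 508 + embedded.encode() + b"\x00" * 64)
    return inventory(d / "Win7.vmx")
```

An absent extent or base disk is exactly the quirk that makes a VM image refuse to mount later, so run the inventory on the exported folder before imaging it, and treat a non-empty `missing` list as a reason to go back to the host image and carve for the file.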

  18. Preview VM

  19. Note Files of interest

  20. Imaging a VM • The easiest tool is FTK Imager • Very similar to imaging a standard physical drive • Launch FTK Imager • Click File, Create Disk Image, and choose Image File as the source type

  21. Select the vmdk file

  22. Click Add, then select Raw (dd) as the image type

  23. Fill in the evidence item information in the next dialog box. Select the destination folder and enter a filename. Enter 0 for Image Fragment Size so the image is written as a single file rather than split into segments.

  24. Verify the results • FTK Imager hashes the source and the finished image (MD5 and SHA1) and reports whether they match; record both values in your notes

  25. Analyzing the VM • Load the forensic image into the software of your choice • For ease of demonstration, launch the Forensic Toolkit (FTK) • Click through any messages about KFF (Known File Filter) or a missing dongle

  26. Using FTK • Start a new case • Use all the defaults, plus data carving, and fill in your information • At Add Evidence, select the image file just created

  27. Analyzing the VM • Click Next and Finish • Once the drive has been processed, proceed as normal with your analysis • Be sure to look at the registry

  28. Using the VM as your forensic tool

  29. Examining Malware, etc. • Many times software found on a drive is not readily available for download • Malware may be present that you want to test • You, as the investigator, want to run it and observe it • Forensic procedure must dictate what you do next

  30. Launch a VM • Use the forensic image of the vmdk (or equivalent), never the original file • Some forensic tools, such as EnCase, require mounting the drive • Others, such as ProDiscover, will prepare the files for you

  31. Using ProDiscover

  32. Creating VM files

  33. Procedure • Be sure to record the hash values of all files created • Be sure to document everything that you do • This is new territory – not proven by case law
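
The hash record that slides 20 to 24 (verifying the FTK Imager result) and slide 33 (recording the hash values of all files created) both call for, as an added example that is not part of the presentation: a Python manifest tool that hashes every exported file in chunks, stores size, MD5 and SHA-256 in a JSON manifest kept outside the folder it describes, and later reports which files are unchanged, altered, missing or new. File names and contents in `demo()` are constructed.

```python
"""Record and re-verify hashes for every file an examination produces.

Added example, not from the slide deck. MD5 is kept so the record can be
compared with older tool reports; SHA-256 is the value to rely on. The
sample case folder built by demo() is constructed."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 1 << 20) -> dict:
    """Hash in 1 MiB chunks so multi-GB images are never read whole."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha256.update(block)
    return {"size": path.stat().st_size, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def build_manifest(root: Path) -> dict:
    """Relative POSIX path -> hash record, for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def save_manifest(root: Path, out: Path) -> dict:
    """Write the manifest as JSON; keep it outside the tree it describes."""
    manifest = build_manifest(root)
    out.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_manifest(root: Path, manifest_path: Path) -> dict:
    """Classify every file as ok / changed / missing / new against the manifest."""
    recorded = json.loads(manifest_path.read_text())
    current = build_manifest(root)
    result = {"ok": [], "changed": [], "missing": [], "new": []}
    for rel, rec in sorted(recorded.items()):
        if rel not in current:
            result["missing"].append(rel)
        elif current[rel]["sha256"] != rec["sha256"] or current[rel]["size"] != rec["size"]:
            result["changed"].append(rel)
        else:
            result["ok"].append(rel)
    result["new"] = sorted(set(current) - set(recorded))
    return result


def demo() -> dict:
    """Constructed case folder: record hashes after export, then simulate a
    tampered image, a lost log and an undocumented new file."""
    case = Path(tempfile.mkdtemp())
    out = case / "exported"
    out.mkdir()
    (out / "Win7.vmdk.dd").write_bytes(bytes(range(256)) * 4096)  # 1 MiB stand-in raw image
    (out / "Win7.vmx").write_text('displayName = "Win7"\n')
    (out / "vmware.log").write_text("constructed log line\n")
    manifest = save_manifest(out, case / "manifest.json")
    clean = verify_manifest(out, case / "manifest.json")
    with (out / "Win7.vmdk.dd").open("ab") as fh:
        fh.write(b"\x00")                                   # image altered by one byte
    (out / "vmware.log").unlink()                            # file lost
    (out / "notes.txt").write_text("added after hashing\n")  # undocumented addition
    tampered = verify_manifest(out, case / "manifest.json")
    return {"manifest": manifest, "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `save_manifest` immediately after FTK Imager (or any other tool) finishes writing, and again on anything you create while preparing the VM for launch; the manifest, not a screenshot of a hash dialog, is what lets you show in a report that the files analyzed are the ones that were acquired.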

  34. Advantages of using a VM • A “clean box” every time • Discard the changes made to the drive • Can load a verified image every time

  35. Conclusion • Virtual machines do offer some challenges • Knowledge of how to mount them for examination in a VM application is needed • Quirks when doing the actual drive image

  36. References • Shavers, Brett. Virtual Forensics. White paper, 2009. • Nelson, Bill; Phillips, Amelia; Steuart, Chris. Guide to Computer Forensics and Investigations. Course Technology, 2010.