
BlackhatEU : Virtual Forensics

By Christiaan Beek

From isfullofcrap Flickr photo stream. Creative Commons License

What are the challenges when you have to do forensics on a virtual environment?
•    What are the tools available?
•    Are the tools forensically sound?
•    Where is the data?
•    Who owns the data?
•    What forensic techniques do we use?
•    How to acquire data from the cloud?

Citrix is a nightmare for forensics investigators. There is no personal hard disk to investigate, only a personal profile which does not have very much data in it.
Information sources for Citrix are:
•    Last login logfile
•    User profile (NTUser.dat;registry;temp files)
•    Citrix Access Gateway logs
•    Radius log

VMware needs a different approach and different tools for static or live forensics. If you are making a disk image of a VMware server, you had better bring some big disks.

VMs are used by criminals to perform illegal transactions, after which the VM is destroyed to cover their tracks.

In his slides Christiaan had a list of useful files for VMWare forensics:

Useful software is:
•    FTK Imager
•    Liveview
•    Encase
•    MMLS & DD
•    Mounting and carving tools like Foremost and Photorec

There is also a VMware snapshot comparison tool made by Zairon.

In Windows 7 virtualization is part of the OS: VHD, XP Mode and Virtual PC. On the positive side, you can mount a VHD read-only to do investigations. However, being able to boot from a VHD gives entirely different opportunities for abuse. System backups are also made in VHD format.

Unlike VMDK files, VHD files can be investigated with FTK.

Even though XP Mode creates a virtual machine, this machine shares all media between the host and the guest OS.

If Windows 7 creates a VHD file for XP mode, it does not format it, but just leaves the old data that was there when it was created.

XP Mode also has an undo mode that is not enabled by default. The VUD files it creates are like VMware snapshots. VUD files cannot be read by tools like FTK, but VUD and VHD headers are very similar: if you rename a VUD file to a VHD file you can investigate it normally.
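The rename trick works because the tools key on the file extension while the format itself is identifiable from the VHD footer. As an added example (not from the talk or this post), the Python below decodes the 512-byte footer from the end of any file, checks the "conectix" cookie and the footer checksum, and reports the disk type, so an examiner can triage a .vud or an unlabeled blob before renaming anything. It assumes the Microsoft VHD footer layout; the differencing-disk sample standing in for an undo file is a constructed assumption, not a real Virtual PC file.

```python
import struct

# VHD footer layout from the Microsoft VHD specification (big-endian, 512 bytes).
FOOTER = struct.Struct(">8sIIQI4sI4sQQHBBII16sB427s")
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}


def vhd_checksum(footer: bytes) -> int:
    """One's complement of the byte sum, with the checksum field (offset 64) left out."""
    return (~sum(footer[:64] + footer[68:])) & 0xFFFFFFFF


def parse_footer(footer: bytes) -> dict:
    """Decode the trailing 512-byte footer found in VHD-format files."""
    if len(footer) != FOOTER.size:
        raise ValueError("footer must be exactly 512 bytes")
    f = FOOTER.unpack(footer)
    return {
        "cookie_ok": f[0] == b"conectix",
        "disk_type": DISK_TYPES.get(f[13], "unknown(%d)" % f[13]),
        "data_offset": f[3],  # 0xFFFFFFFFFFFFFFFF for fixed disks, else dynamic header offset
        "current_size": f[9],
        "creator_app": f[5].decode("ascii", "replace").strip("\0 "),
        "checksum_ok": f[14] == vhd_checksum(footer),
    }


def inspect_image(data: bytes) -> dict:
    """Identify a VHD-format image by its footer, whatever the file extension says."""
    return parse_footer(data[-FOOTER.size:])


def build_footer(disk_type: int, size: int, creator: bytes = b"vpc ") -> bytes:
    """Constructed test footer (assumption: not produced by Virtual PC); checksum filled in last."""
    data_offset = 0xFFFFFFFFFFFFFFFF if disk_type == 2 else 512
    raw = FOOTER.pack(b"conectix", 2, 0x00010000, data_offset, 0, creator,
                      0x00050000, b"Wi2k", size, size, 1, 1, 1, disk_type,
                      0, b"\0" * 16, 0, b"\0" * 427)
    return raw[:64] + struct.pack(">I", vhd_checksum(raw)) + raw[68:]


if __name__ == "__main__":
    # Constructed stand-ins: a fixed VHD, and a differencing disk (assumed shape of an undo file).
    fixed = b"\0" * 1024 + build_footer(2, 1024)
    undo = build_footer(4, 1024) + b"\0" * 4096 + build_footer(4, 1024)
    for name, blob in (("disk.vhd", fixed), ("disk.vud", undo)):
        print(name, inspect_image(blob))
```

A footer whose cookie matches but whose checksum fails is worth noting in the case file: it means the image was altered or truncated after creation, which matters for the forensic soundness question raised at the start of the talk.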