Teaching Digital Forensics w/Virtuals By Amelia Phillips.


1 Teaching Digital Forensics w/Virtuals By Amelia Phillips

2 Teaching Digital Forensics – Incorporating Virtualization

3 Agenda
 Overview of VMs
 Finding a VM
 Proper Procedure
 Imaging a VM
 Analysis of a VM
 Restoring an image to a VM

4 Overview of VMs
 “Oh, use a virtual!”
 What does this really mean?
 Why is it so popular?

5 Use of Virtual Machines
 VMs allow you to run multiple operating systems on the same physical box
 With high-capacity servers
   High RAM
   Quad-core or higher
   20 or more OSes can run on the same box

6 Use of Virtual Machines (2)
 Cut down on equipment cost
 Ease of maintenance
 Easy to back up, clone and restore
 Easy to delete
 Easy to create
 Have legacy systems and modern systems on the same network

7 Use of VMs in Class
 Easy to teach legacy systems
 Relatively easy to assemble networks
 Cut down on the number of physical machines

8 Most Popular VM Software
 VMware
   Server
   Workstation
   Player
 VirtualBox
 Virtual PC
 Many others listed on Wikipedia

9 Criminal or Covert Use of VMs
 Attack networks
 Insider access to sensitive files
 Erase evidence
 Hard to track

10 Proper Procedure
 Forensically sound approach
 Document everything
 New technology produces new challenges
   Live acquisitions
   VMs

11 Proper Procedure (2)
 VMs are located on other physical boxes
 Your search begins with someone’s
   Office computer
   Personal laptop
   Mobile device
   USB or other portable drive

12 Proper Procedure (3)
 Seize the evidence
 Perform a forensic image of the physical drive
 Begin the analysis

13 Find the VM
 Check the MRU (most recently used) lists
 Examine the Registry
   HKEY_CLASSES_ROOT: see if the .vmdk extension (or similar) has a file association
 Check the My Virtual Machines folder
 Look for .lnk files that point to a VM

14 Find the VM (2)
 Examine the network logs
 Look for a VMware network adapter
   ipconfig or ifconfig
 See what has been connected to the machine, such as a USB device

15 Find the VM (3)
 The VM may have been deleted
 Be sure to examine the host drive to see if the file(s) can be retrieved
 Export any relevant files
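The host-triage steps on slides 13 to 15 can be partly scripted once the seized drive has been imaged and its file system exported. The following is an added example, not material from the presentation: it walks an exported copy of the host file system for VM disk and configuration files, flags .lnk shortcuts whose bytes reference a VM file, and scans captured `ipconfig /all` text for VMware virtual adapters. The mini file system and the ipconfig excerpt are constructed here for the demo; the folder name Cengage2010VM is borrowed from slide 16 as the sample VM's name. The registry check (HKEY_CLASSES_ROOT) and carving of deleted VM files are left to the forensic suite.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import List

# Disk, config and memory file extensions written by the VM products on slide 8.
VM_EXTENSIONS = {".vmdk", ".vmx", ".nvram", ".vmem", ".vdi", ".vbox", ".vhd", ".vmc"}

# Adapter description line that `ipconfig /all` prints on a host with VMware
# installed; the capture group is the VMnet name.
VMWARE_ADAPTER_RE = re.compile(r"VMware Virtual Ethernet Adapter for (VMnet\d+)", re.I)


def find_vm_files(root: str) -> List[str]:
    """Walk an exported copy of the host file system and return VM artifact paths."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if Path(name).suffix.lower() in VM_EXTENSIONS:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def lnk_targets_vm(lnk_path: str) -> bool:
    """Return True if a Windows shortcut's bytes reference a VM config or disk.

    Shell links store the target path as ANSI and/or UTF-16LE strings, so both
    encodings are searched; this is a triage check, not a full LNK parser.
    """
    data = Path(lnk_path).read_bytes().lower()
    for ext in (".vmx", ".vmdk", ".vbox", ".vmc"):
        if ext.encode("ascii") in data or ext.encode("utf-16-le") in data:
            return True
    return False


def find_vm_shortcuts(root: str) -> List[str]:
    """Return .lnk files under root that point at a VM (slide 13, last bullet)."""
    shortcuts = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(".lnk") and lnk_targets_vm(path):
                shortcuts.append(path)
    return sorted(shortcuts)


def vmware_adapters(ipconfig_output: str) -> List[str]:
    """Return VMnet adapter names found in captured `ipconfig /all` text (slide 14)."""
    return sorted({m.group(1) for m in VMWARE_ADAPTER_RE.finditer(ipconfig_output)})


# Constructed excerpt of `ipconfig /all` output; not captured from a real host.
SAMPLE_IPCONFIG = """
Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   IPv4 Address. . . . . . . . . . . : 10.0.0.15

Ethernet adapter VMware Network Adapter VMnet1:

   Description . . . . . . . . . . . : VMware Virtual Ethernet Adapter for VMnet1
   IPv4 Address. . . . . . . . . . . : 192.168.100.1

Ethernet adapter VMware Network Adapter VMnet8:

   Description . . . . . . . . . . . : VMware Virtual Ethernet Adapter for VMnet8
   IPv4 Address. . . . . . . . . . . : 192.168.200.1
"""


def build_sample_host() -> str:
    """Create a constructed mini host file system in a temp dir for the demo."""
    root = tempfile.mkdtemp(prefix="host_")
    vm_dir = Path(root, "Users", "alice", "Documents", "My Virtual Machines", "Cengage2010VM")
    vm_dir.mkdir(parents=True)
    (vm_dir / "Cengage2010VM.vmx").write_text('displayName = "Cengage2010VM"\n')
    (vm_dir / "Cengage2010VM.vmdk").write_bytes(b"KDMV" + b"\x00" * 60)
    (vm_dir / "Cengage2010VM.nvram").write_bytes(b"\x00" * 16)
    desktop = Path(root, "Users", "alice", "Desktop")
    desktop.mkdir(parents=True)
    # Stand-ins for shortcuts: real .lnk files carry the target path in UTF-16LE.
    target = "C:\\Users\\alice\\Documents\\My Virtual Machines\\Cengage2010VM\\Cengage2010VM.vmx"
    (desktop / "Cengage2010VM.lnk").write_bytes(b"L\x00\x00\x00" + target.encode("utf-16-le"))
    (desktop / "Report.lnk").write_bytes(b"L\x00\x00\x00" + "C:\\Users\\alice\\report.docx".encode("utf-16-le"))
    return root


if __name__ == "__main__":
    host = build_sample_host()
    print("VM files:", find_vm_files(host))
    print("Shortcuts to VMs:", find_vm_shortcuts(host))
    print("VMware adapters:", vmware_adapters(SAMPLE_IPCONFIG))
```

Run it against the exported host file system (the path passed to `find_vm_files` and `find_vm_shortcuts`) rather than the original evidence; every hit is a lead to document and export, not a conclusion, since a shortcut or adapter only shows that a VM product was used on the host at some point.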

16 Examining the VM
 Note there may be shared files or folders on the host machine
 Examine the log files
 Open the Cengage2010VM folder
 Note how many machines this VM was opened on and their names


19 VMware files
 *.vmdk – the actual hard drive for the VM
 *.nvram – the BIOS info
 *.vmx – the configuration file
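The .vmx file ties the other two together: it names the NVRAM file and every attached disk, and it also records shared folders of the kind slide 16 warns about. This added example (not from the presentation) parses the `key = "value"` format of a .vmx, lists the disk files while skipping CD-ROM images, lists shared-folder host paths, and builds the set of files that should be collected for imaging. The sample .vmx is constructed for the demo; the VM name Cengage2010VM is reused from slide 16, and the key names (`scsi0:0.fileName`, `nvram`, `sharedFolder0.hostPath`) are the ones VMware Workstation writes.

```python
import re
from pathlib import Path
from typing import Dict, List

# Constructed sample .vmx; the real format is one `key = "value"` pair per line.
SAMPLE_VMX = '''\
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "7"
displayName = "Cengage2010VM"
guestOS = "winxppro"
nvram = "Cengage2010VM.nvram"
scsi0.present = "TRUE"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "Cengage2010VM.vmdk"
scsi0:1.present = "FALSE"
scsi0:1.fileName = "OldData.vmdk"
ide1:0.present = "TRUE"
ide1:0.deviceType = "cdrom-image"
ide1:0.fileName = "C:\\ISO\\tools.iso"
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
sharedFolder0.present = "TRUE"
sharedFolder0.hostPath = "C:\\Users\\alice\\Shared"
'''

VMX_LINE = re.compile(r'^\s*([^#=\s]+)\s*=\s*"(.*)"\s*$')
DEVICE_FILE = re.compile(r'^((?:scsi|ide|sata|nvme)\d+:\d+)\.fileName$')


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse key = "value" lines into a dict; comments and blank lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def vm_disk_files(cfg: Dict[str, str]) -> List[str]:
    """fileName values of virtual disks. CD-ROM images are skipped because they
    are not the VM's hard drive; detached disks (present = FALSE) are kept,
    since the file may still exist on the host and hold evidence."""
    disks = []
    for key, value in cfg.items():
        m = DEVICE_FILE.match(key)
        if not m:
            continue
        dev = m.group(1)
        if cfg.get(dev + ".deviceType", "").lower().startswith("cdrom"):
            continue
        disks.append(value)
    return sorted(disks)


def vm_shared_folders(cfg: Dict[str, str]) -> List[str]:
    """Host paths of enabled shared folders (host-side locations to examine too)."""
    folders = []
    for key, value in cfg.items():
        if re.match(r"^sharedFolder\d+\.hostPath$", key):
            present = cfg.get(key.replace(".hostPath", ".present"), "FALSE")
            if present.upper() == "TRUE":
                folders.append(value)
    return sorted(folders)


def files_to_image(cfg: Dict[str, str], vmx_path: str) -> List[str]:
    """Every file that makes up the VM: the .vmx itself, the NVRAM and each disk,
    resolved relative to the .vmx directory (absolute Windows paths are kept)."""
    base = Path(vmx_path).parent
    names = [Path(vmx_path).name]
    if "nvram" in cfg:
        names.append(cfg["nvram"])
    names.extend(vm_disk_files(cfg))
    return [n if re.match(r"^[A-Za-z]:\\", n) else str(base / n) for n in names]


if __name__ == "__main__":
    cfg = parse_vmx(SAMPLE_VMX)
    print("Disks:", vm_disk_files(cfg))
    print("Shared folders:", vm_shared_folders(cfg))
    print("Collect:", files_to_image(cfg, "/evidence/Cengage2010VM/Cengage2010VM.vmx"))
```

The list returned by `files_to_image` is what goes into the imaging step; anything it names that is missing from the seized folder is a candidate for the deleted-file recovery on slide 15.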

20 Preview VM

21 Note Files of interest

22 Imaging a VM
 The easiest tool is FTK Imager
 Very similar to imaging a standard physical drive
 Launch FTK Imager
 Click File > Create Disk Image


24 Select the .vmdk file

25 Click Add, then select Raw (dd)

26 Fill in the prior dialog box with your information. Select the destination folder and indicate a filename. Be sure to enter 0 for the image fragment size, so the image is written as a single unfragmented file.


28 Verify Results

29 Analyzing the VM
 Load the forensic image into the software of your choice
 For ease of demonstration, launch the Forensic Toolkit (FTK)
 Click through any messages regarding KFF and dongle not found

30 Using FTK
 Start a new case
 Use all the defaults, plus data carving, and fill in your information
 At the Add Evidence step, select the image file just created


33 Analyzing the VM
 Click Next and Finish
 Once the drive has been processed, proceed as normal with your analysis
 Be sure to look at the registry

34 USING THE VM AS YOUR FORENSIC TOOL

35 Examining Malware, etc.
 Many times software on a drive is not readily available for download
 Malware may be present that you want to test
 You, as the investigator, want to test it
 Forensic procedure must dictate what you do next

36 Launch a VM
 Use the forensic image of the .vmdk (or equivalent), not the original file
 Some forensic tools, such as EnCase, require mounting the drive
 Other tools, such as ProDiscover, will prepare the files for you

37 Using ProDiscover

38 Creating VM files

39 Procedure
 Be sure to record the hash values of all files created
 Be sure to document everything that you do
 This is new territory – not proven by case law
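Slides 22 to 28 image the .vmdk to a single Raw (dd) file and then verify the result, and slide 39 asks for the hash of every file created to be recorded. The following added example, which is not code from the presentation and does not use FTK Imager, does both steps in one pass: it copies the source file block by block into one unfragmented raw image, hashes the stream as it is read, re-reads the finished image from disk to confirm the hashes match (the same idea as FTK Imager's Verify Results), and appends a timestamped line per created file to a hash log. The source "disk" in `demo()` is random bytes constructed for the run, not a real VM disk; the .vmdk and .dd filenames reuse the Cengage2010VM name from slide 16.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, Iterable, Tuple

CHUNK = 1024 * 1024  # 1 MiB reads keep memory flat for multi-GB disk files
ALGORITHMS = ("md5", "sha1")  # the pair FTK Imager reports; add "sha256" if policy requires


def hash_file(path: str, algorithms: Iterable[str] = ALGORITHMS) -> Dict[str, str]:
    """Hex digests of a file, computed with every algorithm in one read."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def image_raw(source: str, dest: str, algorithms: Iterable[str] = ALGORITHMS
              ) -> Tuple[Dict[str, str], Dict[str, str], bool]:
    """Write source to dest as one raw (dd-style) image, hashing the bytes as
    they are read, then re-read dest from disk and compare.  Returns
    (source_hashes, image_hashes, verified)."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
            dst.write(chunk)
    source_hashes = {a: h.hexdigest() for a, h in hashers.items()}
    image_hashes = hash_file(dest, algorithms)  # independent re-read, not the in-flight digest
    return source_hashes, image_hashes, source_hashes == image_hashes


def record_hashes(paths: Iterable[str], log_path: str) -> str:
    """Append one tab-separated line per created file to the hash log (slide 39):
    UTC timestamp, path, size in bytes, and each digest."""
    stamp = datetime.now(timezone.utc).isoformat()
    with open(log_path, "a", encoding="utf-8") as log:
        for p in paths:
            digests = hash_file(p)
            fields = [stamp, str(p), str(os.path.getsize(p))]
            fields += [f"{a}={d}" for a, d in digests.items()]
            log.write("\t".join(fields) + "\n")
    return str(log_path)


def demo():
    """Image a constructed stand-in for a .vmdk and log the result."""
    work = Path(tempfile.mkdtemp(prefix="vmimg_"))
    source = work / "Cengage2010VM.vmdk"
    # Constructed content: a VMDK magic prefix followed by random bytes.
    source.write_bytes(b"KDMV" + os.urandom(3 * CHUNK + 17))
    image = work / "Cengage2010VM.dd"
    src_hashes, img_hashes, verified = image_raw(str(source), str(image))
    log = record_hashes([str(image)], str(work / "hashes.log"))
    return verified, src_hashes, img_hashes, log


if __name__ == "__main__":
    verified, src_hashes, img_hashes, log = demo()
    print("verified:", verified)
    print("source :", src_hashes)
    print("image  :", img_hashes)
    print("log    :", log)
```

A `verified` value of False means the image on disk does not match what was read and must not be used; re-image and note the failure in the case documentation. The log line is written only for the files this run created, so the original evidence file's hash, taken at seizure, stays in its own record.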

40 Advantages of using a VM
 “Clean box” every time
 Erase changes made to the drive
 Can load a verified image every time

41 Conclusion
 Virtual machines do offer some challenges
 Knowledge of how to mount them for examination in a VM application is needed
 Quirks when doing the actual drive image

42 References
 Shavers, Brett. Virtual Forensics. White paper, 2009.
 Nelson, Bill; Phillips, Amelia; Steuart, Chris. Guide to Computer Forensics and Investigations. Course Technology, 2010.

