Published by Matthew Kennedy. Modified over 10 years ago.

5th Annual Workshop on the Teaching Computer Forensics
Virtualising Computer Forensics
Dr. Jianming Cai (j.cai@londonmet.ac.uk)
Mr. Ayoola Afonja (AYA0230@londonmet.ac.uk)
Faculty of Computing, London Metropolitan University

Topics
- Problems with Teaching Computer Forensics
- Introduction to Virtualisation Technology
- Moving towards the Virtual Environment
- A Case Study
- Summary

Problems with Teaching Computer Forensics
- Digital evidence comes from different hardware/software platforms
- University labs are normally equipped with PCs and MS Windows O.S.
- Specialised Computer Forensic Labs are needed
- What kind of labs can we afford?

Introduction to Virtualisation Technology
- Virtualisation: the current trend reshaping the software technology industry
- Multiple Virtual Machines (VMs) run concurrently on a physical machine.
- Supported by powerful processors and very large storage
- VMware: the leading software; 100% of Fortune companies have deployed its software

The VM Layer Structure

Moving towards the Virtual Environment
- The desktop VMware installed on each PC
- Both virtual Windows XP and virtual Linux then installed on top of this VMware layer
- Students have admin access to each virtual machine.
- Both Windows-based and Linux-based Computer Forensics toolkits are running concurrently.

The Virtual Windows XP Running EnCase

The Virtual Linux Running Autopsy

A Case Study
- A network incident investigation
- Evidence collected from Linux O.S.
- Not intended to show Network Forensics techniques
- Rather to demonstrate the viability of Forensic Analysis based on VMs

Snort HTTP Packet Inspection Results

Nmap Attack Identification

Inspecting Grouped Snort Log

Summary
- Teaching Computer Forensics is not only demanding but also expensive.
- The Virtual Environment is one of the low-cost and efficient solutions.
- Its full benefit is being exploited as the Virtualisation Technology advances.
- Are we prepared for the Virtualisation era?