Restoring Suspect Physical and Compressed Images with VMWare
Brett Shavers
Computer Technology Investigators Network
Topics:
• VMWare Brief
• Capabilities of VMWare
• VMWare Installation
• Guest Operating Systems
• VMWare Networking
• Restoration of forensic images into VMWare
What is VMware?
• VMWare is application software that provides a virtual computer on which you can install another operating system
• The virtual computer or virtual machine (VM) runs as if it were a real operating system on a real computer with real devices
• The VM has its own CPU, memory, hard disks, and other I/O devices
Virtual Hardware
• CPU = Host CPU
• Chipset = Intel 440BX-based motherboard with NS338 SIO chip and 82093AA IOAPIC
• BIOS = PhoenixBIOS 4.0 Release 6 with VESA BIOS
• RAM = Host’s RAM
• IDE Devices = Up to 4; Virtual HD up to 950 GB; can also use real disks (2TB limit)
• SCSI Devices = Up to 7
• NIC = AMD PCnet-PCI II compatible
VMware Workstation Terminology
• Host operating system is the one that runs VMware Workstation
• Guest operating system is the virtual OS
• The host OS can be either NT-based Windows or Linux (RedHat, Mandrake, SuSE)
• The guest OS can be DOS, every flavor of Windows, Linux, BSD or other OS that runs on an X86 platform
Forensic Uses of VMware
• VM Workstation allows you to restore a suspect’s hard drive into a VM
• You can work with the suspect’s OS and its installed applications, some of which may be involved in the alleged crime
• You can network two VMs, one a suspect client and the other a suspect server
• You can also mount a suspect’s restored hard drive as a physical or “raw” disk
• You can easily drag and drop files from the VM to your host computer
Some VM Tips
• VMWare can boot iso images
• Snapshots can be taken (up to 100 per VM World)
• Videos can be taken using VMWare tools
• You can drag and drop between the host and the virtual OS easily.
Installing VMware Workstation
• Meet the minimum requirements for the host:

Component               Minimum                          Recommended
CPU                     400 MHz                          500 MHz +
Memory                  128 MB                           256 MB +
Display                 VGA                              SVGA +
Hard Disk (install)     100 MB free                      100 MB
Hard Disk (for guests)  Whatever guest requires + apps   Whatever guest recommends + apps
Host OS                 Windows 2003, Windows XP Home and Pro (SP1), Windows 2000 (SP3), Windows NT (SP6A)
Continued …
Installing VMware Workstation
• Optional components include:
• Floppy Disk
• Ethernet adapter for the host
• CD-ROM
• USB port
• Other hard disks
Installing a Guest OS
• Have the installation media available, typically a CD
• Start VM Workstation and select File, New Virtual Machine
• A wizard begins …
Installing a Guest OS
• Once the Guest has been configured, you need to start the OS, but before you do …
• Make sure the installation media for the guest is in the CD-ROM drive or floppy drive of the host
• As soon as the machine starts, you need to click in the window and press F2 to get into the guest CMOS setup program
• Once there, you’ll need to configure the system to boot from the CD-ROM or floppy
Guest CMOS Setup
Set Boot Order
Save CMOS settings
Boot Guest from OS CD
Install Guest OS
Summary
• VMware Workstation allows you to install a guest OS in a virtual machine
• The guest OS can interact with the host and utilize the host’s cpu, ram, cd-rom, keyboard, mouse, floppy disk, and network card
• The host can be practically any NT-based host or Linux host and the guest can be any Windows OS, Linux, Novell, FreeBSD and more
• VMware Workstation provides significant forensic-related capabilities
Restore of network and client systems
ILook will be demonstrated, but Encase, FTK, Winhex, etc. can be used as long as the tool can restore whatever image format you have. You can also use physical hard drives directly.
Encase has directions on restoration into VMWare on their website. Using a boot disk of any sort is half the work of using FTK or Encase for restores.
Restore Using I-Look
• Scenario with a WIN2003 domain controller and an XP Pro client
• Before restoring, establish a VM Ware occurrence with VM Ware DHCP service disabled
• Restore the Domain Controller first
Create New Virtual Machine
Create the Domain Controller
You have to know the OS of the image to be restored. Use the same version, because VMware emulates hardware for each OS. BUT, XP may be able to handle all the other Windows OSes. It’ll still boot to the actual OS, but there may be subtle differences in emulation. Stay with the actual OS.
Name and Allocate Resources
Name it what you like. If you will be doing multiple restorations of the same image, then you can use dates, LFN, OS, etc. Set the location to a new folder that you can manage. For network restorations, keep the LAN all in one folder, otherwise you will lose track. You may have to adjust memory later. The more machines, the more memory needed. Make sure your folder can hold everything you need (if all images total 100GB, you need at least that much to restore, as the images expand to original size).
Define Network Type
Use only host-only networking, to contain the threat that the restored network system could pose by interacting with the ‘real’ networking environment that you are connected to.
For forensic restorations, make sure you don’t choose a connection that goes outside! (Bridged and NAT will go outside.) The other two are safe. For network restorations, choose HOST ONLY NETWORKING. This allows clients in the virtual world to talk to each other. If you select either of the first two, and the images have a virus, you just exposed your network to that virus.
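One way to double-check the network choice after the wizard finishes, as an added example that is not part of the original slides: the script reads each VM's .vmx configuration file and flags any attached virtual NIC that is bridged or NAT. It assumes the Workstation version in use writes the `ethernetN.present` and `ethernetN.connectionType` keys; the sample .vmx fragments are constructed.

```python
import re
from pathlib import Path

# Connection types that reach outside the host (per the slide: Bridged and NAT).
OUTSIDE = {"bridged", "nat"}
LINE = re.compile(r'^\s*(ethernet\d+)\.(\w+)\s*=\s*"(.*)"\s*$', re.I)

def audit_vmx(text):
    """Return {adapter: verdict} for every attached virtual NIC in a .vmx file."""
    nics = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            nic, key, value = m.group(1).lower(), m.group(2).lower(), m.group(3)
            nics.setdefault(nic, {})[key] = value
    report = {}
    for nic, cfg in sorted(nics.items()):
        if cfg.get("present", "FALSE").upper() != "TRUE":
            continue  # adapter is defined but not attached to the guest
        # Assumption: a missing connectionType is treated as bridged (fail closed).
        ctype = cfg.get("connectiontype", "bridged").lower()
        if ctype == "hostonly":
            report[nic] = "ok: host-only"
        elif ctype in OUTSIDE:
            report[nic] = f"UNSAFE: {ctype} reaches the outside network"
        else:
            report[nic] = f"REVIEW: {ctype} (check which vmnet it maps to)"
    return report

def audit_folder(folder):
    """Audit every .vmx under the folder that holds the restored LAN."""
    return {str(p): audit_vmx(p.read_text(errors="replace"))
            for p in sorted(Path(folder).rglob("*.vmx"))}

# Constructed sample .vmx fragments (not from the original slides).
SAMPLE_DC = '''displayName = "DC-restore"
ethernet0.present = "TRUE"
ethernet0.connectionType = "hostonly"
'''
SAMPLE_CLIENT = '''displayName = "XP-client-restore"
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
ethernet1.present = "FALSE"
ethernet1.connectionType = "bridged"
'''

if __name__ == "__main__":
    for name, vmx in (("DC", SAMPLE_DC), ("client", SAMPLE_CLIENT)):
        print(name, audit_vmx(vmx))
```

Run `audit_folder()` on the single folder that holds the restored LAN before powering on any of the restored machines.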
Defining the Bus
You will go through this process twice for each drive you are restoring, to ID the source and destination.
Select the Source Disk
Choose the disk that contains the image files. It is possible to have all images on one disk to be used for restorations.
VM Ware Establishes New Machine
VM Ware treats this as though it is a SCSI system even though it is really an IDE drive; don’t worry about this. It is a SCSI disk because VMware likes SCSI disks for domain controller OSes. SCSI and IDE are just interfaces; the data will be the same, so there is no difference.
0:0 is the first SCSI disk on the first SCSI controller.
Add the Destination
Define Drive Type and Allocate Space
Normally choose IDE. Make it the same size as the original hard drive, not the size of the image. Give it a GB of wiggle room. Then name the target drive.
Confirm Both Disks Created
Restore the Image Using ISO I-Look File
Put an ISO of ILook on your desktop, and point to that. (Side note: you can make an ISO of a boot floppy and point to that as well, always booting to your clean boot disk, as an example.)
Point to the CD and Start the Virtual I-Look Machine
Verify Available Disks
Selecting the device to restore from
Continuing to select image file
Restore Target Process
Restore in Process and Complete
Finish and Quit
Stop this machine
Now remove the drive and reset the CD back to the actual physical machine device
Reset the CD
Start the restored machine
While the machine is starting, you will get some service errors.
Start Up and Login
Go through login
Check the Virtual IP settings for the virtual network connections
You need to know what the original settings were to reconfigure this. Because of the restore, the restored image will revert back to the Windows default, because a different NIC is being used (albeit virtual). It is good to check before imaging if possible.
This appears to be LAN2 (as if there was a 1 at some time). LAN 1 was the original machine; when restored, LAN2 was created. Look at the Ethernet Adaptor and that will be different as well. Don’t worry about it; it has to be that way.
You can get settings here in the registry on IP settings
Input this info
Select ‘NO’
Check the original DHCP settings
Verify scope makes sense and is active before you restore any client systems
Suspend the Controller Machine
Because the domain must be working to install a client, just suspend this VM OS. Suspending a machine doesn’t free up RAM; it uses it just the same. 3 machines at 2 GB is about the max for RAM.
Create a new client virtual machine
• Duplicating the previous process used during the controller restore
• When you get to the drive type select IDE rather than SCSI (this IDE is the default setting since this is a client machine)
Resume the Domain Controller and start the XP Pro Client
Login and Add to Domain
Encase/FTK/etc… Images
• You can use Encase, FTK, Linux, Winhex or any other program that can restore images to a physical drive in VMWare.
Forensic Issues
• Yes, the data is changed (but only the virtual world, not the original images)
• No, you can’t see unallocated space when fishing through the virtual world (it’s not a forensic exam anyway)
• Yes, hashes will match on specific files on both the images and virtual world.
• This process can be used to test viruses, Trojans, worms, and other actions on a suspect system (maybe disprove suspect’s allegations of virus, etc…)
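The hash point above can be checked directly. The following is an added example, not part of the original slides: it hashes files exported from the forensic image and the same files copied out of the booted VM, then reports which match and which the running guest changed. The folder layout, file names and the choice of SHA-256 are assumptions, and the sample trees are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            h = hashlib.sha256()
            with p.open("rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            out[p.relative_to(root).as_posix()] = h.hexdigest()
    return out

def compare(image_root, vm_root):
    """Classify files as matching, changed, or present on one side only."""
    a, b = manifest(image_root), manifest(vm_root)
    common = a.keys() & b.keys()
    return {
        "match": sorted(k for k in common if a[k] == b[k]),
        "changed": sorted(k for k in common if a[k] != b[k]),
        "image_only": sorted(a.keys() - b.keys()),
        "vm_only": sorted(b.keys() - a.keys()),
    }

def demo():
    """Constructed sample trees standing in for the image and the booted VM."""
    with tempfile.TemporaryDirectory() as tmp:
        img, vm = Path(tmp, "image"), Path(tmp, "vm")
        for root in (img, vm):
            (root / "Documents").mkdir(parents=True)
            (root / "Documents" / "letter.doc").write_bytes(b"user file, untouched")
        (img / "boot.log").write_bytes(b"last boot on original hardware")
        (vm / "boot.log").write_bytes(b"booted inside the virtual machine")
        (vm / "pagefile.tmp").write_bytes(b"created by the running guest")
        return compare(img, vm)

if __name__ == "__main__":
    print(demo())
```

Files listed under "changed" or "vm_only" are the expected side effect of booting the restored system; the original image files are untouched.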
5% off purchase
• If you want 5% off an online purchase, you can use my referral code:
• VMRC-BRESHA248