Teaching Digital Forensics w/Virtuals By Amelia Phillips.
Teaching Digital Forensics – Incorporating Virtualization
Agenda
- Overview of VMs
- Finding a VM
- Proper Procedure
- Imaging a VM
- Analysis of a VM
- Restoring an image to a VM
Overview of VMs
- “Oh, use a virtual!”
- What does this really mean?
- Why is it so popular?
Use of Virtual Machines
- VMs allow you to run multiple operating systems on the same physical box
- With high-capacity servers
  - High RAM
  - Quad-core or higher
  - 20 or more OSes can run on the same box
Use of Virtual Machines (2)
- Cut down on equipment cost
- Ease of maintenance
- Easy to back up, clone and restore
- Easy to delete
- Easy to create
- Have legacy systems and modern systems on the same network
Use of VMs in Class
- Easy to teach legacy systems
- Relatively easy to assemble networks
- Cut down on the number of physical machines
Most Popular VM Software
- VMware
  - Server
  - Workstation
  - Player
- VirtualBox
- Virtual PC
- Many others listed on Wikipedia
Criminal or Covert Use of VMs
- Attack networks
- Insider access to sensitive files
- Erase evidence
- Hard to track
Proper Procedure
- Forensically sound approach
- Document everything
- New technology produces new challenges
  - Live acquisitions
  - VMs
Proper Procedure (2)
- VMs are located on other physical boxes
- Your search begins with someone’s
  - Office computer
  - Personal laptop
  - Mobile device
  - USB or other portable drive
Proper Procedure (3)
- Seize the evidence
- Perform a forensic image of the physical drive
- Begin the analysis
Find the VM
- Check the MRU
- Examine the Registry
  - HKEY_CLASSES_ROOT: see if the vmdk extension (or similar) has an association
- Check the My Virtual Machines folder
- Look for .lnk files that point to a VM
Find the VM (2)
- Examine the network logs
- Look for a VMware network adapter
  - ipconfig or ifconfig
- See what has been connected to the machine, such as a USB device
Find the VM (3)
- The VM may have been deleted
- Be sure to examine the host drive to see if the file(s) can be retrieved
- Export any relevant files
Examining the VM
- Note there may be shared files or folders on the host machine
- Examine the log files
- Open the Cengage2010VM folder
- Note how many machines this VM was opened on and their names
VMware files
- *.vmdk – the actual hard drive for the VM
- *.nvram – the BIOS info
- *.vmx – the configuration file
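The host-side search described in the Find the VM and Examining the VM slides, as an added example that is not from the presentation: it walks a read-only export of the host's file system for VMware file types, for .lnk shortcuts whose stored target names a .vmdk or .vmx, and reads each .vmx for its disk files and sharedFolder host paths. The sample tree and the fake shortcut are constructed; the registry and MRU checks are not covered here.

```python
# Added example, not from the slides: locate VMware artifacts in a read-only export of a host file system.
import os, re, tempfile

VM_EXTENSIONS = {".vmdk", ".vmx", ".nvram", ".vmem", ".vmsn", ".vdi", ".vbox", ".vhd"}
# A .lnk stores its target path as ANSI (LinkInfo) and/or UTF-16LE (StringData); check both encodings.
LNK_PATTERNS = [e.encode(enc) for e in (".vmdk", ".vmx") for enc in ("ascii", "utf-16-le")]
# .vmx keys naming the VM, its guest OS, its disk files and any host folders shared into the guest.
VMX_KEY = re.compile(r'^(displayName|guestOS|\S+\.fileName|sharedFolder\d+\.hostPath)\s*=\s*"(.*)"$')

def parse_vmx(path):
    """Return (key, value) pairs of interest from a VMware .vmx configuration file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        matches = (VMX_KEY.match(line.strip()) for line in fh)
        return [(m.group(1), m.group(2)) for m in matches if m]

def lnk_points_to_vm(path):
    """Heuristic: does the raw shortcut content mention a VMware disk or config file?"""
    with open(path, "rb") as fh:
        data = fh.read()
    return any(p in data for p in LNK_PATTERNS)

def find_vm_artifacts(root):
    """Walk root; return sorted (kind, relative_path, detail) tuples for VM-related files."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext == ".vmx":
                found.append(("vmx", rel, parse_vmx(full)))
            elif ext in VM_EXTENSIONS:
                found.append(("vmfile", rel, None))
            elif ext == ".lnk" and lnk_points_to_vm(full):
                found.append(("lnk", rel, None))
    return sorted(found, key=lambda f: f[1])

def build_sample_tree():
    """Construct a tiny fake host export (sample data, not a real case) and return its root."""
    root = tempfile.mkdtemp()
    vm = os.path.join(root, "Users", "suspect", "My Virtual Machines", "Cengage2010VM")
    desk = os.path.join(root, "Users", "suspect", "Desktop")
    os.makedirs(vm); os.makedirs(desk)
    with open(os.path.join(vm, "Cengage2010VM.vmx"), "w") as fh:
        fh.write('displayName = "Cengage2010VM"\nguestOS = "winxppro"\nscsi0:0.fileName = "Cengage2010VM.vmdk"\n'
                 'sharedFolder0.hostPath = "C:\\Users\\suspect\\drop"\n')
    open(os.path.join(vm, "Cengage2010VM.vmdk"), "wb").close()  # empty stand-in for the disk
    with open(os.path.join(desk, "My VM.lnk"), "wb") as fh:     # fake shortcut with a UTF-16LE target
        fh.write(b"L\x00\x00\x00" + "C:\\VMs\\Cengage2010VM.vmx".encode("utf-16-le"))
    return root
```

Run it against the mounted or exported host volume instead of `build_sample_tree()` to list every VM file, shortcut and shared host folder the examiner should export and hash.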
Preview VM
Note files of interest
Imaging a VM
- The easiest tool is FTK Imager
- Very similar to imaging a standard physical drive
- Launch FTK Imager
- Click File, Create Disk Image
- Select the vmdk file
- Click Add
- Select Raw (dd)
- Fill in the prior dialog box with your information
- Select the destination folder and indicate a filename; be sure to put in 0 for no fragmentation
- Verify results
Analyzing the VM
- Load the forensic image into the software of your choice
- For ease of demonstration, launch the Forensic Toolkit
- Click through any messages regarding KFF and dongle not found
Using FTK
- Start a new case
- Use all the defaults, plus data carving, and fill in your information
- At Add Evidence, select the file we just created
Analyzing the VM
- Click Next and Finish
- Once the drive has been processed, proceed as normal with your analysis
- Be sure to look at the registry
Using the VM as Your Forensic Tool
Examining Malware, etc.
- Many times software on a drive is not readily available for download
- Malware may be present that you want to test
- You, as the investigator, want to test it
- Forensic procedure must dictate what you do next
Launch a VM
- Use the forensic image of the vmdk (or equivalent), not the original file
- Some forensic tools, such as EnCase, require mounting the drive
- Other tools, such as ProDiscover, will prepare the files for you
Using ProDiscover
Creating VM files
Procedure
- Be sure to record the hash values of all files created
- Be sure to document everything that you do
- This is new territory – not proven by case law
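The imaging steps above (Raw (dd) output, no fragmentation, verify results) together with the Procedure slide's rule to record the hash values of every file created, carried out in code as an added example that is not from the presentation and does not use FTK Imager. It assumes the .vmdk is imaged as a flat file; the JSON-lines log and its field names are this example's own choice.

```python
# Added example, not from the slides: raw (dd-style) copy of a VM disk file, hash verification, acquisition log.
import hashlib, json, os, tempfile, time

CHUNK = 1024 * 1024  # 1 MiB blocks, so multi-GB .vmdk files are never read into memory at once

def hash_file(path):
    """Return MD5 and SHA-1 hex digests of a file, computed in a single pass."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def raw_copy(src, dst):
    """Byte-for-byte copy into one unfragmented file (the slides' Raw (dd), fragment size 0 choice).
    Mode "xb" refuses to overwrite, so an already verified image is never clobbered."""
    with open(src, "rb") as fin, open(dst, "xb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            fout.write(block)
    return os.path.getsize(dst)

def acquire(src, dst, log_path, examiner):
    """Image src to dst, hash both sides, append a JSON-lines record and return it.
    record["verified"] is False when any digest differs between source and image."""
    src_hashes = hash_file(src)
    size = raw_copy(src, dst)
    dst_hashes = hash_file(dst)
    record = {
        "examiner": examiner,
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "source": os.path.abspath(src),
        "image": os.path.abspath(dst),
        "bytes": size,
        "source_hashes": src_hashes,
        "image_hashes": dst_hashes,
        "verified": src_hashes == dst_hashes,
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    return record

def demo():
    """Image a constructed stand-in .vmdk (random bytes, not a real disk) inside a temp dir."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "Cengage2010VM.vmdk")
    with open(src, "wb") as fh:
        fh.write(os.urandom(3 * CHUNK + 123))  # not a CHUNK multiple: exercises the final short read
    return acquire(src, os.path.join(work, "Cengage2010VM.dd"), os.path.join(work, "acquisition.jsonl"), "A. Examiner")
```

A VMDK split into 2 GB extents or carrying snapshots is several files (a descriptor plus extents), so image and hash each of them, and rerun `hash_file` on the image before every later load into the VM application to confirm it still matches the log.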
Advantages of using a VM
- “Clean box” every time
- Erase changes made to the drive
- Can load a verified image every time
Conclusion
- Virtual machines do offer some challenges
- Knowledge of how to mount them for examination in a VM application is needed
- Quirks when doing the actual drive image