Guide to Computer Forensics
and Investigations
Sixth Edition
Chapter 10
Virtual Machine Forensics, Live Acquisitions, and
Network Forensics
An Overview of Virtual Machine Forensics
• Virtual machines are common for both personal and business use
• Investigators need to know how to analyze them and use them to analyze other
suspect drives
• The software that runs virtual machines is called a “hypervisor”
• Two types of hypervisor:
• Type 1 - loads on physical hardware and doesn’t require a separate OS
- Type 1 hypervisors are typically loaded on servers or workstations with a lot of RAM
and storage
• Type 2 - rests on top of an existing OS
- Type 2 hypervisors are usually the ones you find loaded on a suspect machine
© 2019 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Type 2 Hypervisors (1 of 2)
• Before installing a type 2 hypervisor and attempting to create a VM, enable
virtualization in the BIOS
• Virtualization Technology (VT) - Intel’s CPU design for security and performance
enhancements that enable the BIOS to support virtualization
• Virtualization Machine Extensions (VMX) - instruction sets created for Intel
processors to handle virtualization
Type 2 Hypervisors (2 of 2)
• Most widely used type 2 hypervisors:
• Parallels Desktop - created for Macintosh users who also use Windows applications
• KVM (Kernel-based Virtual Machine) - for Linux OS
• Microsoft Hyper-V - new hypervisor built into Windows 10
• VMware Workstation and Player - can be installed on almost any device, including
tablets
- Can install Microsoft Hyper-V Server on it
- Can create encrypted VMs
- Can support up to 16 CPUs, 8 TB storage, and 20 VMs
• VirtualBox - supports all Windows and Linux OSs as well as Macintosh and Solaris
- Allows selecting types associated with other applications, such as VMware VMDK
type or the Parallels HDD type
• Type 2 hypervisors come with templates for different OSs
Conducting an Investigation with Type 2
Hypervisors (1 of 7)
• Begin by acquiring a forensic image of the host computer as well as network
logs
• By linking the VM’s IP address to log files, you may determine what Web sites the VM
accessed
• To detect whether a VM is on a host computer:
• Look in the Users or Documents folder (in Windows) or user directories (in Linux)
• Check the host’s Registry for clues that VMs have been installed or uninstalled
• Check for the existence of a virtual network adapter
Conducting an Investigation with Type 2
Hypervisors (2 of 7)
Conducting an Investigation with Type 2
Hypervisors (3 of 7)
• In addition to searching for network adapters, you need to determine whether
USB drives have been attached to the host
• They could have live VMs running on them
• A VM can also be nested inside other VMs on the host machine or a USB drive
• Some newer Windows systems log when USB drives are attached
• Search the Windows Registry or the system log files
Conducting an Investigation with Type 2
Hypervisors (4 of 7)
Conducting an Investigation with Type 2
Hypervisors (5 of 7)
• Follow a consistent procedure:
1. Image the host machine
2. Locate the virtualization software and VMs, using information learned about file
extensions and network adapters
3. Export from the host machine all files associated with VMs
4. Record the hash values of associated files
5. Open a VM as an image file in forensics software and create a forensic image or
mount the VM as a drive
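Steps 2 and 4 of this procedure, as an added example that is not from the textbook: walk a mounted host image, pick out VM artifacts by file extension, and record each one's size and SHA-256 hash. The extension table is an assumption (the chapter names only VMware VMDK and Parallels HDD; the rest are the usual VMware, VirtualBox and Hyper-V types), and build_sample_tree creates a constructed sample tree for offline use.

```python
import hashlib
import tempfile
from pathlib import Path

# Extension-to-artifact map. VMDK and HDD are named in the chapter; the others are the
# usual VMware/VirtualBox/Hyper-V file types (assumed list, extend it for your case).
VM_EXTENSIONS = {
    ".vmx": "VMware config", ".vmdk": "VMware disk", ".vmsn": "VMware snapshot",
    ".vmss": "VMware suspended state", ".vmem": "VMware memory", ".nvram": "VMware NVRAM",
    ".vbox": "VirtualBox config", ".vdi": "VirtualBox disk",
    ".vhd": "Hyper-V disk", ".vhdx": "Hyper-V disk", ".avhdx": "Hyper-V checkpoint",
    ".hdd": "Parallels disk", ".ova": "OVF appliance",
}

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so multi-GB disk images never have to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def inventory_vm_files(root):
    """Record path, type, size and hash of every VM artifact under root.
    Snapshot files are listed too: an image of the base disk alone would miss them."""
    records = []
    for path in Path(root).rglob("*"):
        kind = VM_EXTENSIONS.get(path.suffix.lower())
        if kind and path.is_file():  # macOS Parallels .hdd bundles are directories; skipped
            records.append({"path": str(path.relative_to(root)), "kind": kind,
                            "size": path.stat().st_size, "sha256": sha256_file(path)})
    return sorted(records, key=lambda r: r["path"])

def build_sample_tree():
    """Constructed sample host tree (not a real image): one VMware VM with a snapshot."""
    root = Path(tempfile.mkdtemp())
    vm = root / "Users" / "alice" / "Documents" / "Virtual Machines" / "lab"
    vm.mkdir(parents=True)
    (vm / "lab.vmx").write_bytes(b'.encoding = "UTF-8"\n')
    (vm / "lab.vmdk").write_bytes(b"abc")
    (vm / "lab-Snapshot1.vmsn").write_bytes(b"\x00" * 16)
    (vm / "notes.txt").write_bytes(b"not a VM artifact")
    return root

if __name__ == "__main__":
    for rec in inventory_vm_files(build_sample_tree()):
        print(f'{rec["sha256"][:16]}  {rec["kind"]:<18} {rec["size"]:>6}  {rec["path"]}')
```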
Conducting an Investigation with Type 2
Hypervisors (6 of 7)
• Live acquisitions of VMs are often necessary
• They include all snapshots, which record the state of a VM at a particular moment
(a snapshot records only changes in state, not a complete backup)
• When acquiring an image of a VM file, snapshots might not be included
• In this case, you have only the original VM
• Doing live acquisitions of VMs is important to make sure snapshots are
incorporated
Conducting an Investigation with Type 2
Hypervisors (7 of 7)
• Other VM Examination Methods
• FTK Imager, Magnet AXIOM and OSForensics can mount VMs as an external drive
- By mounting a VM as a drive, you can make it behave more like a physical computer
- Allows you to use the same standard examination procedures for a static hard drive
• Make a copy of a VM’s forensic image and open the copy while it’s running
- Start it as a live VM so that forensics software can be used to search for clues
Working with Type 1 Hypervisors (1 of 2)
• Having a good working relationship with network administrators and lead
technicians can be helpful
• Type 1 hypervisors are installed directly on hardware
• Can be installed on a VM for testing purposes
• Capability is limited only by the amount of available RAM, storage, and throughput
Working with Type 1 Hypervisors (2 of 2)
• Common type 1 hypervisors:
• VMware vSphere
• Microsoft Hyper-V 2016
• XenProject XenServer
• IBM PowerVM
• Parallels Desktop for Mac
Performing Live Acquisitions (1 of 2)
• Live acquisitions are especially useful when you’re dealing with active network
intrusions or attacks
• Live acquisitions done before taking a system offline are also becoming a
necessity
• Attacks might leave footprints only in running processes or RAM
• Live acquisitions don’t follow typical forensics procedures
• Order of volatility (OOV)
• How long a piece of information lasts on a system
Performing Live Acquisitions (2 of 2)
• Steps
• Create or download a bootable forensic CD or USB drive
• Make sure you keep a log of all your actions
• A network drive is ideal as a place to send the information you collect
• Copy the physical memory (RAM)
• The next step varies, depending on the incident you’re investigating
• Be sure to get a forensic digital hash value of all files you recover during the live
acquisition
Performing a Live Acquisition in Windows
• Several tools are available to capture the RAM.
• Mandiant Memoryze
• Belkasoft RamCapturer
• Kali Linux (updated version of BackTrack)
• GUI tools are easy to use
• But they often require a lot of system resources
• Might get false readings in Windows OSs
• Command-line tools give you more control
Network Forensics Overview
• Network forensics
• Process of collecting and analyzing raw network data and tracking network traffic
- To ascertain how an attack was carried out or how an event occurred on a network
• Intruders leave a trail behind
• Knowing your network’s typical traffic patterns is important in spotting variations in
network traffic
• Can also help you determine whether a network is truly under attack
The Need for Established Procedures
• Network forensics examiners must establish standard procedures for how to
acquire data after an attack or intrusion
• Essential to ensure that all compromised systems have been found
• Procedures must be based on an organization’s needs and complement
network infrastructure
• NIST created “Guide to Integrating Forensic Techniques into Incident Response”
to address these needs
Securing a Network (1 of 2)
• Layered network defense strategy
• Sets up layers of protection to hide the most valuable data at the innermost part of
the network
• Defense in depth (DiD)
• Similar approach developed by the NSA
• Modes of protection
- People
- Technology
- Operations
Securing a Network (2 of 2)
• Testing networks is as important as testing servers
• You need to be up to date on the latest methods intruders use to infiltrate
networks
• As well as methods internal employees use to sabotage networks
• Small companies of fewer than 10 employees often don’t consider security
precautions against internal threats necessary
• Can be more susceptible to problems caused by employees revealing proprietary
information
Developing Procedures for Network
Forensics (1 of 2)
• Network forensics can be a long, tedious process
• Standard procedure that is often used:
• Always use a standard installation image for systems on a network
• Fix any vulnerability after an attack
• Attempt to retrieve all volatile data
• Acquire all compromised drives
• Compare files on the forensic image to the original installation image
Developing Procedures for Network
Forensics (2 of 2)
• In digital forensics
• You can work from the image to find most of the deleted or hidden files and partitions
• In network forensics
• You have to restore drives to understand the attack
Reviewing Network Logs
• Network logs record incoming and outgoing traffic
• Network servers
• Routers
• Firewalls
• Tcpdump and Wireshark - tools for examining network traffic
• Can generate top 10 lists
• Can identify patterns
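The "top 10 lists" and pattern spotting mentioned above, as an added example that is not from the textbook: parse tcpdump-style lines, count top talkers, and flag a source whose bare SYNs fan out across many destination ports, a deviation from normal client traffic. SAMPLE_LOG is a constructed log, and parse_line, top_n and syn_fanout are names chosen for this example.

```python
import re
from collections import Counter, defaultdict

# Matches the "IP src.port > dst.port: Flags [..]" shape of tcpdump's TCP output lines.
LINE = re.compile(r"^(\S+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): "
                  r"Flags \[([^\]]*)\]")

# Constructed sample log: one normal handshake, one other client, and one host that
# sends a SYN to twelve different ports on the same server.
SAMPLE_LOG = [
    "10:00:01.000100 IP 10.0.0.5.51000 > 10.0.0.9.443: Flags [S], seq 0, win 64240, length 0",
    "10:00:01.000300 IP 10.0.0.9.443 > 10.0.0.5.51000: Flags [S.], seq 0, ack 1, win 65160, length 0",
    "10:00:01.000400 IP 10.0.0.5.51000 > 10.0.0.9.443: Flags [.], ack 1, win 502, length 0",
    "10:00:02.000000 IP 10.0.0.7.40000 > 10.0.0.9.22: Flags [S], seq 0, win 64240, length 0",
] + [f"10:00:03.{i:06d} IP 10.0.0.23.{40000 + i} > 10.0.0.9.{p}: Flags [S], seq 0, win 1024, length 0"
     for i, p in enumerate(range(20, 32))]

def parse_line(line):
    """Return a record for a TCP line, or None for lines in another format (UDP, ARP, ...)."""
    m = LINE.match(line)
    if not m:
        return None
    ts, src, sport, dst, dport, flags = m.groups()
    return {"ts": ts, "src": src, "sport": int(sport), "dst": dst, "dport": int(dport), "flags": flags}

def load(lines):
    return [r for r in map(parse_line, lines) if r]

def top_n(records, key, n=10):
    """Top-N list for any field, e.g. key="src" for talkers or key="dport" for services."""
    return Counter(r[key] for r in records).most_common(n)

def syn_fanout(records, threshold=10):
    """Sources that sent bare SYNs to at least `threshold` distinct (dst, port) pairs."""
    targets = defaultdict(set)
    for r in records:
        if r["flags"] == "S":
            targets[r["src"]].add((r["dst"], r["dport"]))
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}

if __name__ == "__main__":
    recs = load(SAMPLE_LOG)
    print("top sources:", top_n(recs, "src", 3))
    print("top dst ports:", top_n(recs, "dport", 3))
    print("SYN fan-out:", syn_fanout(recs))
```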
Using Network Tools
• Variety of tools
• Splunk
• Spiceworks
• Nagios
• Cacti
Using Packet Analyzers
• Packet analyzers
• Devices or software that monitor network traffic
• Most work at layer 2 or 3 of the OSI model
• Most tools follow the Pcap (packet capture) format
• Some packets can be identified by examining the flags in their TCP headers
• Tools
• Tcpdump
• Tethereal
• Tcpslice
• Tcpreplay
• Etherape
• Netdude
• Argus
• Wireshark
TCP Header
IP Header
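Identifying packets from the flags in their TCP headers, as an added example that is not from the textbook: a minimal decoder for the IP and TCP headers shown on the two preceding slides, plus a classifier that names the common flag combinations and singles out the unusual ones (no flags, or SYN combined with FIN or RST). build_ipv4_tcp is a constructed packet builder assumed here for offline use; it leaves checksums at zero.

```python
import struct

# TCP flag bits in the low byte of the data-offset/flags word (CWR and ECE sit just above).
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
             0x10: "ACK", 0x20: "URG", 0x40: "ECE", 0x80: "CWR"}

def parse_ipv4_tcp(frame):
    """Decode an IPv4 packet carrying TCP (no Ethernet header) into a dict."""
    if frame[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (frame[0] & 0x0F) * 4                      # header length incl. any IP options
    total_len, ident, frag, ttl, proto = struct.unpack("!HHHBB", frame[2:10])
    if proto != 6:
        raise ValueError(f"not TCP (IP protocol {proto})")
    src = ".".join(map(str, frame[12:16]))
    dst = ".".join(map(str, frame[16:20]))
    tcp = frame[ihl:]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4                 # TCP header length incl. options
    flags = [name for bit, name in TCP_FLAGS.items() if off_flags & bit]
    return {"src": src, "dst": dst, "ttl": ttl, "length": total_len, "sport": sport,
            "dport": dport, "seq": seq, "ack": ack, "flags": flags, "payload": tcp[data_off:]}

def classify(pkt):
    """Name the packet by its flag combination; odd combinations deserve a closer look."""
    f = set(pkt["flags"]) - {"ECE", "CWR"}
    if f == {"SYN"}:
        return "connection request"
    if f == {"SYN", "ACK"}:
        return "handshake reply"
    if "SYN" in f or not f:                          # SYN+FIN, SYN+RST, NULL packet
        return "unusual flag combination"
    if "RST" in f:
        return "reset"
    if "FIN" in f:
        return "teardown"
    return "data" if pkt["payload"] else "ack only"

def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b"", seq=0, ack=0, ttl=64):
    """Constructed packet for testing: 20-byte IP header, 20-byte TCP header, zero checksums."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, ttl, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp

if __name__ == "__main__":
    pkt = parse_ipv4_tcp(build_ipv4_tcp("10.0.0.5", "10.0.0.9", 40000, 22, 0x02))
    print(pkt["src"], "->", pkt["dst"], pkt["dport"], pkt["flags"], classify(pkt))
```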
Investigating Virtual Networks
• A virtual switch is a little different from a physical switch
• There’s no spanning tree between virtual switches
• Additional complications
• Hypervisors can assign MAC addresses to virtual devices
• Devices can have the same MAC address on different virtual networks
• Cloud service providers host networks for several to hundreds of companies
• Tools
• Wireshark
• Network Miner
Examining the Honeynet Project (1 of 2)
• The Honeynet Project was developed to make information widely available in
an attempt to thwart Internet and network attackers
• Provides information about attacks, methods and how to protect against them
• Objectives are awareness, information, and tools
• Distributed denial-of-service (DDoS) attacks
• A major threat that may go through other organizations’ networks, not just yours
• Hundreds or even thousands of machines (zombies) can be used
Examining the Honeynet Project (2 of 2)
• Zero-day attacks
• Another major threat
• Attackers look for holes in networks and OSs and exploit these weaknesses before
patches are available
• Honeypot
• Normal-looking computer that lures attackers to it
• Honeywalls
• Monitor what’s happening to honeypots on your network and record what attackers
are doing