10 Replies. Latest reply: Aug 9, 2009 12:59 PM by continuum

    VMware as a tool for forensic investigations ....

    continuum Guru User Moderators vExpert

      Anybody using Live View ?

      If yes, you may be interested in this discussion we are just having at sanbarrow.com.


      Interested ? - suggestions ? - then join the discussion


      Ulli


      ___________________________________

       

      description of vmx-parameters: http://sanbarrow.com/vmx.html

      VMware-liveCD: http://sanbarrow.com/moa.html

        • 1. Re: VMware as a tool for forensic investigations ....
          Texiwill Guru User Moderators vExpert

          Hello,


          Not sure you can use the VDDK for forensics, as you are injecting drivers into the media you are supposed to be examining. This is not a forensically sound approach to the problem. Instead you should use a helper VMDK, which can then mount the other VMDK... Or use something like FTK, which understands VMDKs and mounts them without modification.


          Workstation VMDKs are very well known and understood within the forensics communities, it is the VMFS that is not so well known....



          Best regards,

          Edward L. Haletky

          VMware Communities User Moderator

          ====

          Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

          Blue Gears and SearchVMware Pro Blogs: http://www.astroarch.com/wiki/index.php/Blog_Roll

          Top Virtualization Security Links: http://www.astroarch.com/wiki/index.php/Top_Virtualization_Security_Links

          • 2. Re: VMware as a tool for forensic investigations ....
            continuum Guru User Moderators vExpert

            > Not sure you can use the VDDK for forensics, as you are injecting drivers into the media you are supposed to be examining.

            I first create the snapshot, then I mount the snapshot, and so I never write to the media I want to examine.


            Also, this is not about examining VMDKs; this is about examining physical disks without changing them.


            With FTK you first create a diskimage and then examine it in a second step.

            The procedure described here skips the image-creation so that you can directly start examination.

            Something which usually is a no-go in forensics; now you can do it.


            • 3. Re: VMware as a tool for forensic investigations ....
              Texiwill Guru User Moderators vExpert

              Hello,


              That depends on how the 'snapshot' works. If it is a VM snapshot, then when you examine the VMDK you are still examining through the snapshot, so the data you are looking at is not really 'image' data and is still 'changed' data. Since it is still changed data, the forensics is suspect. Hence the need to capture the image first.


              However, for a quick analysis to determine if 'real' forensics is required it may be sufficient. That depends on whether the physical disk or VMDK can only be accessed in a read-only mode, which I am not sure happens yet.


              Each forensics lab has its own procedures for capture and analysis. The capture is one of the more important aspects of forensics and, unfortunately, skipping steps is not allowed, nor is using what appears to be a shortcut.....



              Best regards,

              Edward L. Haletky


              • 4. Re: VMware as a tool for forensic investigations ....
                continuum Guru User Moderators vExpert

                > That depends on whether the physical disk or VMDK can only be accessed in a read-only mode, which I am not sure happens yet.

                MOA build with automount switched off does NOT mount any local disks.

                A snapshot by definition sets the basedisk into a read-only state.

                So no matter whether you mount the snapshot and read it with MOA or run the snapshot in a VM, in no case will the basedisk be used other than read-only.


                • 5. Re: VMware as a tool for forensic investigations ....
                  Texiwill Guru User Moderators vExpert

                  Hello,


                  However, while you did not change the base disk and it is R/O, the read-through from within VMware is not read-only and the driver injection does change blocks, so it is good enough for a quick analysis to determine if you need to use pure forensics further or not.


                  However, note that the process of doing a P2V has also not been determined to be forensically sound either, as it also injects drivers, can resize partitions/volumes/filesystems and do other things to make sure the P2V boots......



                  Best regards,

                  Edward L. Haletky


                  • 6. Re: VMware as a tool for forensic investigations ....
                    continuum Guru User Moderators vExpert

                    > the read-through from within VMware is not read-only ...

                    That's the first time I hear that; care to explain a little bit? Sounds like I have to review everything I learned about how snapshots work.

                    A snapshot MUST set the basedisk into a read-only state, otherwise every snapshot chain would be corrupted at first usage.

                    > However, note that the process of doing a P2V has also not been determined to be forensically sound either, as it also injects drivers, can resize partitions/volumes/filesystems and do other things to make sure the P2V boots......

                    Edward, would you also say that the procedure used by Live View is questionable?

                    I do pretty much the same thing; I just add the feature to directly work on the target. Live View MUST create an image first; that's the only difference.

                    Why would I want to change partitions or filesystems? That's absolutely not necessary.


                    At this point in time I am not interested in checking whether this procedure produces evidence that can be used in court.

                    New procedures never can be used in court at once.


                    Maybe I picked the wrong topic title ...


                    Well, so far you had these options for disk access in LiveCDs:

                    - hardware write blockers

                    - software write blockers

                    - direct access

                    - no access because nothing is mounted

                    - no access because drivers for the disk controllers are missing

                    Let me add: read/write into a snapshot of the harddisk


                    So far we had these options to P2V a physical system:

                    - standard, like Converter, P2V-assistant, Ghost + manual patch

                    - patch the original, which obviously makes the system unusable


                    Let me add: ad hoc P2V with a snapshotted system so that the original is not changed


                    So if you have ideas on how to use this stuff, fine, let's talk.

                    • 7. Re: VMware as a tool for forensic investigations ....
                      Texiwill Guru User Moderators vExpert

                      Hello,


                      Perhaps you should state this is more for Data Recovery than for Forensics. Forensics is all about the Law and should be done as if you were going to Court. Digital Forensics is all about finding out who did what, when and how, using well-defined procedures that will stand up in a court of law.


                      A new procedure such as you describe still changes 'data' when you do reads, so that would not work for the acquisition component of digital forensics, but it would work as a method to determine if you need to do that acquisition.....

                      > the read-through from within VMware is not read-only ...

                      > That's the first time I hear that; care to explain a little bit? Sounds like I have to review everything I learned about how snapshots work.
                      > A snapshot MUST set the basedisk into a read-only state, otherwise every snapshot chain would be corrupted at first usage.

                      I will start with this one first.....

                      Snapshot Delta File is all the changed blocks from the main VMDK/RDM. Granted the main VMDK/RDM is unchanged, but the process of using a snapshot is:


                      Read a file: first go to the delta file and get any changes to the blocks of that file, then back-fill all unchanged blocks from the VMDK.


                      Because the 'delta' is still read/write and you have made changes to the blocks within the delta, any read 'through' the delta is not forensically sound. However, you are correct that the base VMDK/RDM will not change.


                      This method, if you only inject drivers into the delta and everything else is read-only, could be used for a quick analysis to determine IF you really need to do full data acquisition. However, the delta file in the case of a workstation, etc. must not change the underlying filesystem on which the VMDK resides, so it would need to reside either on a ramdisk or on some form of external storage. Remember, a forensic study may be looking at the entire disk upon which a VMDK resides, or all disks within a physical box, and if you are only 'viewing' one in this mode as an RDM then you cannot write to any of them within the workstation/server, just to the external device you have used for MOA or a RAMDISK... However, if you are using MOA on a live running system (which would be of interest) then a ramdisk should not be used either, and the device should really have its own memory so that you can also capture any memory image currently in use.....


                      Best regards,

                      Edward L. Haletky

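The copy-on-write behaviour Edward describes above (writes land only in the newest redo log, reads resolve newest delta first and back-fill from the base, the base stays untouched) is modelled in the following Python sketch. This is an added example and not code from the thread, from MOA, or from VMware; it is a toy block-level model with a 512-byte block size and a constructed 8-block sample disk, not VMware's real VMDK/REDO on-disk format. It shows both halves of the argument: the base disk's hash is unchanged after the "driver injection", yet a read through the snapshot chain returns the injected block.

```python
"""Toy model of a snapshot chain: immutable base disk plus redo-log deltas.

Constructed example (not VMware's real VMDK format): illustrates that writes
never reach the base, but any read *through* a delta reflects the delta.
"""
import hashlib

BLOCK_SIZE = 512  # bytes per block; real VMDK grains are larger


class BaseDisk:
    """Immutable parent disk (the physical disk or flat VMDK)."""

    def __init__(self, data: bytes):
        if len(data) % BLOCK_SIZE:
            raise ValueError("disk size must be a whole number of blocks")
        self._data = bytes(data)  # private copy; this class has no writer

    @property
    def blocks(self) -> int:
        return len(self._data) // BLOCK_SIZE

    def read_block(self, n: int) -> bytes:
        start = n * BLOCK_SIZE
        return self._data[start:start + BLOCK_SIZE]

    def digest(self) -> str:
        return hashlib.sha256(self._data).hexdigest()


class DeltaDisk:
    """Redo log: stores only changed blocks; misses fall through to the parent."""

    def __init__(self, parent):
        self.parent = parent       # BaseDisk or another DeltaDisk
        self.changed = {}          # block number -> BLOCK_SIZE bytes

    @property
    def blocks(self) -> int:
        return self.parent.blocks

    def write_block(self, n: int, payload: bytes) -> None:
        if len(payload) != BLOCK_SIZE:
            raise ValueError("payload must be exactly one block")
        if not 0 <= n < self.blocks:
            raise IndexError(n)
        self.changed[n] = bytes(payload)  # the parent is never touched

    def read_block(self, n: int) -> bytes:
        # Newest delta first; on a miss walk down the chain to the base.
        if n in self.changed:
            return self.changed[n]
        return self.parent.read_block(n)

    def digest(self) -> str:
        """Hash of the disk as a VM (or a mount of the snapshot) would see it."""
        h = hashlib.sha256()
        for n in range(self.blocks):
            h.update(self.read_block(n))
        return h.hexdigest()

    def changed_blocks(self) -> set:
        """Union of every delta's changed blocks down to the base."""
        seen, node = set(), self
        while isinstance(node, DeltaDisk):
            seen |= set(node.changed)
            node = node.parent
        return seen


def demo() -> dict:
    # Constructed sample disk: 8 blocks, block n filled with byte value n.
    base = BaseDisk(b"".join(bytes([n]) * BLOCK_SIZE for n in range(8)))
    before = base.digest()

    snap1 = DeltaDisk(base)                  # "create the snapshot"
    driver = b"D" * BLOCK_SIZE               # stand-in for injected driver bytes
    snap1.write_block(3, driver)             # P2V-style write lands in the delta

    snap2 = DeltaDisk(snap1)                 # snapshot of a snapshot
    snap2.write_block(5, b"L" * BLOCK_SIZE)  # e.g. a log the booted guest wrote

    return {
        "base_before": before,
        "base_after": base.digest(),               # identical: base untouched
        "view_digest": snap2.digest(),             # differs: read-through is changed data
        "block3_via_snapshot": snap2.read_block(3),
        "block3_on_base": base.read_block(3),
        "changed": snap2.changed_blocks(),
    }


if __name__ == "__main__":
    r = demo()
    print("base unchanged:", r["base_before"] == r["base_after"])
    print("view differs from base:", r["view_digest"] != r["base_before"])
    print("blocks changed through the chain:", sorted(r["changed"]))
```

`demo()` is the whole argument in one place: comparing `base_before` with `base_after` is the check a practitioner would run against the real base (hash the physical device before and after the session), while the mismatch between `view_digest` and `base_before` is exactly why a read through the snapshot cannot stand in for an acquired image.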

                      • 8. Re: VMware as a tool for forensic investigations ....
                        continuum Guru User Moderators vExpert

                        > However, if you are using MOA on a live running system (which would be of interest) then a ramdisk should not be used either ...


                        Obviously that will never happen ....


                        • 9. Re: VMware as a tool for forensic investigations ....
                          bshavers Lurker


                          Here is a write-up that might give some additional information on VMware use in forensics:


                          http://www.forensicfocus.com/downloads/virtual-machines-forensics-analysis.pdf


                          Brett


                          • 10. Re: VMware as a tool for forensic investigations ....
                            continuum Guru User Moderators vExpert

                            Looks interesting, but then I stopped reading here ...

                            > .VMEM - A backup of the virtual machine's paging file which only exists if the VM is running or has crashed

                             

                            > .VMSN - These are VMware snapshot files, named by the name of a snapshot. A VMSN file stores the state of the virtual machine when the snapshot was created.