blackhat usa 2010 beek virtual forensics slides

Upload: voxtour

Post on 29-May-2018

  • 8/9/2019 BlackHat USA 2010 Beek Virtual Forensics Slides

    1/44

    Virtual Forensics 2.0

    Investigating virtual environments

    Christiaan Beek

    2/44

    3/44

    4/44

    5/44

    6/44

    7/44

    This session is NOT:

    A negative talk about virtualization

    Sponsored by any of the vendors of VM products

    About using VM as a forensic research platform

    9/44

    Ok ?

    10/44

    Traditional vs:

    11/44

    Virtual:

    12/44

    Challenges:

    What to expect?

    What tools to use?

    Where is the data? Who owns the data?

    Which Forensic techniques to use?

    How to acquire data from a Cloud? Jurisdiction?

    13/44

    What must be acquired?

    14/44

    Moooh, where is my data?

    15/44

    Statement MS Azure:

    We have four datacenters in the US, two in Europe and two in Asia. Even though you choose to store your data in Europe instead of Worldwide, your data will be stored at least three times. Two times on your main location and one time at a secondary data center.

    16/44

    Where is my evidence?

    17/44

    Disposable VMs Qubes OS

    Joanna Rutkowska

    E.g. opening a P(enetration)DF file

    18/44

    Portable VMs

    Mojopac

    Portable Virtualbox

    Qemu

    Mokafive

    19/44

    Jurisdiction

    A pedophile is using cloud resources to facilitate his crimes.

    The data is located over several jurisdictional precincts

    Do you know your limits?

    20/44

    We need to:

    Understand the technology

    Understand implementations of the products

    Which files are interesting for research

    Understand which tools to use

    How tools are acting in Virtual Environments

    Develop an approach

    21/44

    Decision vs Impact:

    22/44

    Next:

    Citrix

    VMware

    Windows 7

    Which files are interesting for research

    23/44

    Citrix: Many ways to implement/use:

    24/44

    Citrix:

    scenario:

    25/44

    Citrix:

    Last logon logfile

    %appdata%\icaclient (or citrix\icaclient)

    Configuration log (default not enabled)

    User profile (NTUser.dat;registry;temp files)

    Citrix Access Gateway logs

    Radius logs

    26/44

    Citrix tools:

    To retrieve data: normal tools like FTK Imager, EnCase.

    Volatile data extraction:

    VIX tools

    27/44

    VMware:

    VMWare workstation & ESX server are popular

    Static or live need different tools and approach

    Many used as testing platform

    Suspect deletes VM after activity or returns to previous snapshot

    28/44

    Example IRL

    29/44

    Example IRL

    Portable virtual private machine

    30/44

    Vmware files of interest:

    31/44

    Vmware tools:

    FTK imager

    Liveview

    Encase

    MMLS & DD (getting partitions)

    Raw2vmdk

    Mount & Carve with Foremost or Photorec

    32/44

    Vmware tools: Compare Snapshots

    Tool by Zairon

    33/44

    Vmware tools:

    Analyzing Vmem with Memparser by Chris Betz

    C:\Somedir>memparser EvilBert-Snapshot2.vmem

    Process List:
    Proc# PPID PID InProcList Name: Threads: 10
    0 0 0 Yes Idle
    1 5 8 Yes System
    2 9 120 Yes EvilBertNotepad.EXE
    3 110 134 Yes CSRSS.EXE
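    The two slides above (comparing snapshots, and reading a memparser process list from a .vmem) come together when an investigator has listings from two consecutive snapshots and wants to know what changed. The following is an added example, not memparser or the Zairon snapshot tool from the talk: it parses the column layout shown on the slide (Proc# PPID PID InProcList Name) and diffs two listings, and both listings embedded in it are constructed sample data, including the "sample-unlinked.exe" entry used to show the InProcList = No case.

```python
"""Diff two memparser-style process listings taken from consecutive .vmem
snapshots. Added example (not memparser or the Zairon snapshot tool from the
talk): it reads the column layout shown on the slide and both listings below
are constructed sample data."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    num: int            # Proc#
    ppid: int
    pid: int
    in_proc_list: bool  # InProcList: entry was also found in the kernel's linked process list
    name: str


# One process row, e.g. "2 9 120 Yes EvilBertNotepad.EXE"; the prompt and header lines do not match.
_ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(Yes|No)\s+(\S.*?)\s*$")


def parse_process_list(text):
    """Return the Proc rows found in a memparser listing, in output order."""
    procs = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            procs.append(Proc(int(m[1]), int(m[2]), int(m[3]), m[4] == "Yes", m[5]))
    return procs


def compare_snapshots(before, after):
    """Processes that appeared, disappeared, or are unlinked between two listings.

    Keys are (pid, name): PID reuse between snapshots would otherwise hide a
    process that ended and was replaced by a different image with the same PID.
    """
    b = {(p.pid, p.name) for p in parse_process_list(before)}
    a_procs = parse_process_list(after)
    a = {(p.pid, p.name) for p in a_procs}
    return {
        "started": sorted(a - b),
        "ended": sorted(b - a),
        # Found by scanning memory but not linked in the process list: worth a closer look,
        # since process-hiding rootkits present this way, although a process that is
        # exiting at snapshot time can look the same.
        "unlinked": sorted((p.pid, p.name) for p in a_procs if not p.in_proc_list),
    }


# Constructed sample listings in the memparser layout shown on the slide.
SNAPSHOT1 = r"""C:\Somedir>memparser EvilBert-Snapshot1.vmem
Process List:
Proc# PPID PID InProcList Name:
0 0 0 Yes Idle
1 5 8 Yes System
2 110 134 Yes CSRSS.EXE
3 134 160 Yes WINLOGON.EXE
"""

SNAPSHOT2 = r"""C:\Somedir>memparser EvilBert-Snapshot2.vmem
Process List:
Proc# PPID PID InProcList Name:
0 0 0 Yes Idle
1 5 8 Yes System
2 9 120 Yes EvilBertNotepad.EXE
3 110 134 Yes CSRSS.EXE
4 120 222 No sample-unlinked.exe
"""

if __name__ == "__main__":
    for key, rows in compare_snapshots(SNAPSHOT1, SNAPSHOT2).items():
        print(key, rows)
```

    Keying on (pid, name) rather than PID alone matters for snapshot comparison: a PID freed between two snapshots can be handed to a new process, and a PID-only diff would report nothing for that slot.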

    34/44

    Openvmfs drivers

    #>java -jar fvmfs.jar /mnt/mnt/e1/vmfs_part_esx.dd info

    VMFS label = Datavault1
    VMFS creation date = Mon Jun 21 14:13:25 GMT-05:00 2010
    VMFS capacity = 155.45 GB
    VMFS UUID = 2b4ac011-3228e765-7bcd-00125436b14a
    VMFS block size = 1.00 MB
    VMFS version = 3.33
    VMFS # of FD/PB/SB = 30720 / 61440 / 3968
    VMFS volume type =
    VMFS volume UUID = 2b4ac012-213736ba-3c5b-00125436b14a
    VMFS volume size = 155.45 GB
    VMFS volume ver = 4

    Example other option: filecopy path size position

    Restoration of: vmdk, vmsn, metadata, or log files

    35/44

    Windows 7:

    Virtualization technique included:

    VHD

    XP mode Virtual PC

    36/44

    Windows 7:

    VHD mount (read-only)

    Boot from VHD

    System backup is made in VHD format

    37/44

    Windows 7:

    Mount & investigate VHD with FTK:

    38/44

    Windows 7: XP mode:

    Used for old applications

    1. a VHD file is created

    2. Installation of Virtual PC

    3. Windows XP with SP 3

    4. Application published in Win7

    Note: automatic updates / everything shared

    39/44

    Windows 7 files of interest:

    Default location:

    C:\Users\\AppData\Local\Microsoft\Windows Virtual PC\Virtual Machines

    File Extension   Description
    VHD              Contains virtual operating system and data
    VMC              VM's configuration file: disks, memory, network, undo function
    VSV              Saved state file - information about last running programs
    VUD              Undo disk file - stored separate from VHD file

    40/44

    Windows 7 VUD:

    Undo disk: temporary file

    Is it enabled ?

    Investigate VMC file:

    C:\Users\Christiaan\AppData\Local\Microsoft\Windows Virtual PC\Virtuele machines\VirtualPCUndo_Windows XP Mode_0_0_18563103292010.vud

    .\VirtualPCUndo_Windows XP Mode_0_0_18563103292010.vud
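    The two slides above (the VHD/VMC/VSV/VUD table of files of interest, and checking the VMC to find out whether an undo disk is enabled) describe a small acquisition procedure. The following is an added example, not a tool from the talk or from Microsoft: it inventories a Windows Virtual PC machine folder with a SHA-256 per artifact, reads the VMC for the undo-disk flag, and reports referenced files that are no longer on disk. A real VMC is XML, but the element name it looks up for the flag (undo_drives/enabled) and the entire sample VMC text are assumed for this example and were not copied from a real Virtual PC file; for that reason disk references are collected by scanning every text node for a known extension rather than by fixed element paths. The sample folder it builds, the SAMPLE user name and the undo-disk id in the paths are constructed.

```python
"""Inventory a Windows Virtual PC machine folder and check its VMC for an undo disk.
Added example, not a tool from the talk. Assumptions: a VMC file is XML (it is),
but the element name looked up below (undo_drives/enabled) and the sample VMC
text are constructed for this example, not copied from a real Virtual PC file."""
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET

# Extension table from the slide (lower-cased for lookup).
ARTIFACT_TYPES = {
    ".vhd": "virtual disk: guest operating system and data",
    ".vmc": "VM configuration: disks, memory, network, undo function",
    ".vsv": "saved state: information about last running programs",
    ".vud": "undo disk: changes stored separate from the VHD",
}


def classify(name):
    """Artifact description for a file name, or None if it is not a Virtual PC artifact."""
    return ARTIFACT_TYPES.get(os.path.splitext(name)[1].lower())


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(folder):
    """Every Virtual PC artifact under folder with size and SHA-256, as an acquisition record."""
    rows = []
    for root, _dirs, files in os.walk(folder):
        for name in sorted(files):
            kind = classify(name)
            if kind:
                full = os.path.join(root, name)
                rows.append({"file": name, "type": kind, "size": os.path.getsize(full),
                             "sha256": sha256_of(full)})
    return rows


def parse_vmc(xml_text):
    """Undo-disk flag and every disk/undo/state file the VMC refers to."""
    root = ET.fromstring(xml_text)
    flag = root.find(".//undo_drives/enabled")          # assumed element name
    undo_enabled = flag is not None and (flag.text or "").strip().lower() == "true"
    referenced = {e.text.strip() for e in root.iter() if e.text and classify(e.text.strip())}
    return {"undo_enabled": undo_enabled, "referenced": sorted(referenced)}


def basename_any(path):
    """Basename of a Windows or POSIX path, whatever the analysis host is."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def missing_artifacts(folder, referenced):
    """Referenced files not present in the folder. An undo disk the VMC expects but
    which is gone (merged, discarded or deleted) is itself a finding."""
    present = {n.lower() for _r, _d, fs in os.walk(folder) for n in fs}
    return sorted({basename_any(p) for p in referenced if basename_any(p).lower() not in present})


def report(folder, vmc_name):
    with open(os.path.join(folder, vmc_name), encoding="utf-8") as f:
        vmc = parse_vmc(f.read())
    return {"inventory": inventory(folder), "undo_enabled": vmc["undo_enabled"],
            "referenced": vmc["referenced"], "missing": missing_artifacts(folder, vmc["referenced"])}


# Constructed sample VMC; SAMPLE stands in for the user name and the undo-disk id.
SAMPLE_VMC = r"""<preferences>
  <settings><undo_drives><enabled type="boolean">true</enabled></undo_drives></settings>
  <hardware><pci_bus><ide_adapter><ide_controller id="0"><location id="0">
    <pathname>
      <absolute type="string">C:\Users\SAMPLE\AppData\Local\Microsoft\Windows Virtual PC\Virtual Machines\Windows XP Mode.vhd</absolute>
      <relative type="string">.\Windows XP Mode.vhd</relative>
    </pathname>
    <undo_pathname>
      <absolute type="string">C:\Users\SAMPLE\AppData\Local\Microsoft\Windows Virtual PC\Virtual Machines\VirtualPCUndo_Windows XP Mode_0_0_SAMPLE.vud</absolute>
      <relative type="string">.\VirtualPCUndo_Windows XP Mode_0_0_SAMPLE.vud</relative>
    </undo_pathname>
  </location></ide_controller></ide_adapter></pci_bus></hardware>
</preferences>
"""


def build_sample_folder():
    """Throwaway machine folder with dummy VHD/VSV files and deliberately no VUD,
    so the report shows an enabled undo disk that is missing on disk."""
    folder = tempfile.mkdtemp(prefix="vpc-sample-")
    with open(os.path.join(folder, "Windows XP Mode.vmc"), "w", encoding="utf-8") as f:
        f.write(SAMPLE_VMC)
    with open(os.path.join(folder, "Windows XP Mode.vhd"), "wb") as f:
        f.write(b"conectix" + b"\x00" * 504)   # dummy content; "conectix" is the VHD footer cookie
    with open(os.path.join(folder, "Windows XP Mode.vsv"), "wb") as f:
        f.write(b"\x00" * 64)                   # dummy saved-state content
    return folder


if __name__ == "__main__":
    for key, value in report(build_sample_folder(), "Windows XP Mode.vmc").items():
        print(key, value)
```

    Hashing at inventory time, before any mount or carve, is what lets the later analysis be tied back to what was acquired; the "missing" list is the answer to the slide's question when the undo disk is enabled in the VMC but the .vud is no longer there.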

    41/44

    Summary:

    Virtualized environments can make forensic research a tough job

    Virtualization of hosts, applications and operating systems will scatter the evidence

    Understand the rapidly improving techniques, differences between the products and what files are interesting to acquire

    42/44

    For the future:

    We need more research on VM

    Community, please SHARE !

    Forensic proof tools for VM research

    Next topic for DFRWS / Blackhat?

    43/44

    Questions?

    44/44

    Thanks for staying !

    Name: Christiaan Beek
    Email: Christiaan dot Beek@ tenict dot nl / dot com
    Twitter: @ChristiaanBeek
    Blog: http://securitybananas.com