Chapter 10: Virtual Machine Forensics, Live Acquisitions, and Network Forensics

Hypervisor

The software that runs virtual machines.

Type 1 Hypervisor

Runs on “bare metal,” meaning it loads on physical hardware and doesn’t require a separate OS.

Virtual Machine Extensions (VMX)

Instruction sets called _____ are necessary to use virtualization; without these instruction sets, virtualization software doesn’t work.

Parallels Desktop

Was created for MAcintosh users who also use Windows applications. It runs both legacy and current Windows OSs as well as Linux.

Kernel-based Virtual Machine (KVM)

This open-source hypervisor enables you to choose between an Intel and an AMD CPU and to run Linux or Windows VMs. It’s now included as part of most Linux kernels.

Microsoft Hyper-V

Microsoft began its venture into virtualization with Virtual PC, which allowed you to create VMs that could run non-Windows OSs. Its new hypervisor is built into Windows 10, and unlike most programs, it isn’t downloaded.

Oracle VirtualBox:

It supports all Windows and Linux OSs as well as Macintosh and Solaris. This shareware can be downloaded and installed on both Windows and Linux host systems.

.vmx

Stores configuration files

.log

Contains logs of information such as when a VM was powered off, virtual appliances added, and so on

.nvram

Keeps track of the state of a VM’s BIOS

.vmdk

Stores the virtual hard drive’s contents

.vmem

Stores VM paging files, which serve as RAM

.vmsd

Contains information about snapshots

.ova or .ovf

File used to create a virtual machine; OVF stands for “Open Virtualization Format”

.vdi

Disk image file

.r0

Default libraries

.vbox

Saved settings of virtual hard drives

.xml-prev

Backups of XML settings

Order of Votality (OOV)

It determines how long a piece of information lasts on a system.

Network Forensics

The process of collecting and analyzing raw network data and tracking network traffic systematically to ascertain how an attack was carried out or how an event occurred on a network.

Layered Network Defense Strategy

Sets up layers of protection to hide the most valuable data at the innermost part of the network. It also ensures that the deeper into the network an attacker gets, the more difficult access becomes and the more safeguards are in place.

Honeynet Project

Developed to make information widely available in an attempt to thwart Internet ad network attackers.

Zombies

Machines used in DDoS attacks.

Zero Day Attacks

Attackers look for holes in networks and OSs and exploit these weaknesses before patches are available.

Honeypot

A computer set up to look like any other machine on your network; its purpose is to lure attackers to your network, but it contains no information of real value.

Honeywalls

Are computers set up to monitor what’s happening to honeypots on your network and record what attackers are doing.