Chapter 10: Virtual Machine Forensics, Live Acquisitions, and Network Forensics

41 Terms

1

When intruders break into a network, they rarely leave a trail behind.
a. True
b. False

False

2

Network forensics is a fast, easy process.
a. True
b. False

False

3

Virtual machines are now common for both personal and business use.
a. True
b. False

True

4

Virtual machines (VMs) help offset hardware costs for companies.
a. True
b. False

True

5

Type 2 hypervisors cannot be used on laptops.
a. True
b. False

False

6

Type 1 hypervisors are usually the ones you find loaded on a suspect machine.
a. True
b. False

False

7

Before installing a type 2 hypervisor, you need to enable virtualization in the BIOS before you can create a VM.
a. True
b. False

True

8

In network forensics, you have to restore the drive to see how malware that attackers have installed on the system works.
a. True
b. False

True

9

A honeywall is a computer set up to look like any other machine on your network, but it lures the attacker to it.
a. True
b. False

False

10

Network logs record traffic in and out of a network.
a. True
b. False

True

11

Which type of forensics can help you determine whether a system is truly under attack or a user has inadvertently installed an untested patch or custom program?
a. Intrusion forensics
b. Network forensics
c. DDoS forensics
d. Traffic forensics

b. Network forensics

12

Which type of strategy hides the most valuable data at the innermost part of the network?
a. Layered network defense
b. Firewalls
c. Intrusion deflection
d. Operations mode

a. Layered network defense

13

What type of software runs virtual machines?
a. A hypervisor
b. A digital simulator
c. A virtual server
d. A systems mirror

a. A hypervisor

14

Which type of virtual machine software is typically, but not exclusively, loaded on servers or workstations with a lot of RAM and storage?
a. Type 1
b. Type 2
c. Type 3
d. Type 4

a. Type 1

15

Which product responded to the need for security and performance by producing different CPU designs?
a. Parallels Virtualization
b. Hyper-V
c. KVM
d. Virtualization Technology (VT)

d. Virtualization Technology (VT)

16

Which program can be used to examine network traffic?
a. Netdump
b. Slackdump
c. Coredump
d. Tcpdump

d. Tcpdump

17

Which tool lists all open network sockets, including those hidden by rootkits?
a. EnCase
b. Memoryze
c. R-Tools
d. Knoppix

b. Memoryze

18

What determines how long a piece of information lasts on a system?
a. Continuity level
b. Longevity
c. Order of volatility
d. Liveness

c. Order of volatility

19

Which network defense strategy, developed by the National Security Agency (NSA), has three modes of protection?
a. Anti-Rootkit
b. Layered Defense
c. Defense in Depth
d. PsShutdown

c. Defense in Depth

20

Which tool allows network traffic to be viewed graphically?
a. Ethereal
b. Etherape
c. Tcpdump
d. john

b. Etherape

21

Which network protocol analyzer can be programmed to examine TCP headers to find the SYN flag?
a. Memorizer
b. John
c. Memfetch
d. Tethereal

d. Tethereal

22

Which tool is useful for extracting information from large Libpcap files?
a. Tcpslice
b. John
c. Oinkmaster
d. Memfetch

a. Tcpslice

23

What are packet analyzers?
a. Devices or software placed on a network to monitor traffic
b. Devices or software used to generate lists of incoming IP addresses for each network port
c. Software placed on a network to identify open sockets hidden by rootkits
d. Devices placed on a network to entice attackers and then record their activities

a. Devices or software placed on a network to monitor traffic

24

On which OSI model layers do most packet analyzers operate?
a. Layers 1 or 2
b. Layers 2 or 3
c. Layers 3 or 4
d. Layers 4 or 5

b. Layers 2 or 3

25

Which format can be read by most packet analyzer tools?
a. SYN
b. DOPI
c. Pcap
d. AIATP

c. Pcap

26

In which type of attack does the attacker keep asking the server to establish a connection?
a. SYN flood
b. ACK flood
c. Brute-force attack
d. PCAP attack

a. SYN flood

27

Which tool was designed as an easy-to-use interface for inspecting and analyzing large tcpdump files?
a. Tcpread
b. Ethertext
c. Etherape
d. Netdude

d. Netdude

28

Which tool probes, collects, and analyzes session data?
a. Nmap
b. Argus
c. Pcap
d. TCPcap

b. Argus

29

Which project was developed to make information widely available in an attempt to thwart Internet and network hackers?
a. Honeynet
b. Honeypot
c. Honeywall
d. Honeyweb

a. Honeynet

30

What term is used for the machines used in a DDoS attack?
a. Dupes
b. Soldiers
c. Zombies
d. Pawns

c. Zombies

31

Match each item with a statement below
a. Type 1 hypervisor
b. Tethereal
c. Tripwire
d. Layered network defense strategy
e. Wireshark
f. Virtual Machine Extensions (VMX)
g. Type 2 hypervisor
h. Parallels Desktop
i. KVM
j. Kali Linux

1) Can be used in a real-time environment to open saved trace files from packet captures
2) Sets up layers of protection to hide the most valuable data at the innermost part of the network
3) An audit control program that detects anomalies in traffic and sends an alert automatically
4) Runs on "bare metal" and doesn't require a separate OS
5) Rests on top of an existing OS
6) Created for Macintosh users who also use Windows applications
7) Hypervisor for the Linux OS
8) A network protocol analyzer
9) Instruction sets necessary to use virtualization
10) The updated version of BackTrack

1) Can be used in a real-time environment to open saved trace files from packet captures - e
2) Sets up layers of protection to hide the most valuable data at the innermost part of the network - d
3) An audit control program that detects anomalies in traffic and sends an alert automatically - c
4) Runs on "bare metal" and doesn't require a separate OS - a
5) Rests on top of an existing OS - g
6) Created for Macintosh users who also use Windows applications - h
7) Hypervisor for the Linux OS - i
8) A network protocol analyzer - b
9) Instruction sets necessary to use virtualization - f
10) The updated version of BackTrack - j

32

Why is testing networks as important as testing servers?

Testing networks is as important as testing servers. You need to be up to date on the latest methods intruders use to infiltrate networks as well as methods internal employees use to sabotage networks. In the early and mid-1990s, approximately 70% of network attacks were caused by employees. Since then, this problem has been compounded by contract employees, who often have the same level of network privileges as full-time employees.
In addition, small companies of fewer than 10 employees often don't consider security precautions against internal threats necessary, so they can be more susceptible to problems caused by employees revealing proprietary information to competitors. However, increasing use of the Internet has caused a rise in external threats, so internal and external threats are currently about 50-50.

33

When are live acquisitions useful?

Live acquisitions are especially useful when you're dealing with active network intrusions or attacks or if you suspect employees are accessing network areas they shouldn't. Live acquisitions done before taking a system offline are also becoming a necessity because attacks might leave footprints only in running processes or RAM; for example, some malware disappears after a system is restarted. In addition, information in RAM is lost after you turn off a suspect system. However, after you do a live acquisition, information on the system has changed because your actions affect RAM and running processes, which also means the information can't be reproduced. Therefore, live acquisitions don't follow typical forensics procedures.

34

What is the general procedure for a live acquisition?

The following steps show the general procedure for a live acquisition, although investigators differ on exact steps:
1. Create or download a bootable forensic CD or USB drive, and test it before using it on a suspect drive. If the suspect system is on your network and you can access it remotely, add the necessary network forensics tools to your workstation. If not, insert the bootable forensics CD/USB in the suspect system.
2. Make sure you keep a log of all your actions; documenting your actions and reasons for those actions is critical.
3. A network drive is ideal as a place to send the information you collect. If you don't have one available, connect an external drive to the suspect system for collecting data. Be sure to note this step in your log.
4. Next, copy the physical memory (RAM). WindowsScope (www.windowsscope.com), Magnet AXIOM, OSForensics, FTK Imager, and similar tools can copy the RAM for you.
5. The next step varies, depending on the incident you're investigating. With an intrusion, for example, you might want to see whether a rootkit exists by using a tool such as Malwarebytes Anti-RootKit or PC Hunter. You can also access the system's firmware to see whether it has changed, create an image of the drive over the network, or shut down the system and make a static acquisition later.
6. Be sure to get a forensically sound digital hash value of all files you recover during the live acquisition to make sure they aren't altered later.

35

Detail some of the tools for performing a live acquisition in Windows

Several tools are available for capturing RAM. For example, Mandiant Memoryze (www.fireeye.com/services/freeware/memoryze.html) lists all open network sockets, including those hidden by rootkits. It also works on both 32-bit and 64-bit systems. Belkasoft RAM Capturer (https://belkasoft.com/ram-capturer) is available in 32-bit and 64-bit versions and can run from a USB drive. Another tool is Kali Linux, the updated version of BackTrack (covered in more detail in Chapter 7). It still has more than 300 tools, but outdated or obsolete ones have been eliminated. Kali Linux contains password crackers, network sniffers, and freeware forensics tools. For more details, go to www.kali.org/official-documentation/.

36

How should you proceed if your network forensic investigation involves other companies?

As with all investigations, keep preservation of evidence in mind. Your investigation might turn up other companies that have been compromised. In much the same way you wouldn't turn over proprietary company information to become public record, you shouldn't reveal information discovered about other companies. In these situations, the best course of action is to contact the companies and enlist their aid in tracking down network intruders. Depending on the situation, at some point you might have to report the incident to federal authorities.

37

How do cloud service providers complicate investigating virtual networks?

Say you're dealing with a cloud service provider (CSP) that hosts networks for several to hundreds of companies. As stated in the Journal of Cybersecurity article, network forensics investigations in the cloud are hampered by the very qualities that make the cloud appealing—elasticity and flexibility. If needed (and it's allowed in the service level agreement), a new server can come online to deal with load balancing. In addition, automatic failovers are in place, which may or may not be in the same physical location as the server. Add to that hundreds or even thousands of NICs with the same IP address and MAC address, and you can see that traditional physical network forensics can't handle these arrangements.

38

Briefly describe Intel's Virtualization Technology (VT).

Before installing a type 2 hypervisor, you need to enable virtualization in the BIOS before you can create a VM. Intel Virtualization Technology (VT) responded to the need for security and performance by producing different CPU designs. With one design, you must go into the BIOS to enable virtualization (which is a hardware function, not an OS function). The other CPU design doesn't support virtualization. To determine whether your CPU supports virtualization, first look in Control Panel to find out what type of CPU your device has, and then search for that particular CPU at http://ark.intel.com/Products/VirtualizationTechnology.

39

What are some of the steps for conducting a forensic analysis of virtual machines?

Following a consistent procedure when you're conducting a forensic analysis of VMs is crucial. Here's an overview:
1. Image the host machine.
2. Locate the virtualization software and VMs, using the information you've learned about file extensions and network adapters.
3. Export from the host machine all files associated with VMs, including log files, virtual adapters, and snapshots.
4. Record the hash values of these associated files. Typically, forensics software can perform this task as part of the export function.
5. Next, open the VM as an image file in forensics software and create a forensic image of it, or mount the VM as a drive and then either image it or do a live search.

40

Describe type 1 and type 2 hypervisors

There are two types of hypervisors: type 1 and type 2. A type 1 hypervisor runs on "bare metal," meaning it loads on physical hardware and doesn't require a separate OS, although many type 1 hypervisors incorporate Linux-based operating systems. Literally thousands of VMs can be hosted on a single type 1 hypervisor and many more on a cluster of these hosts. A type 2 hypervisor rests on top of an existing OS, such as Windows, Linux, or macOS.

41

What are the differences between a honeypot and a honeywall?

A honeypot is a computer set up to look like any other machine on your network; its purpose is to lure attackers to your network, but it contains no information of real value. You can take the honeypot offline to analyze it and not affect the running of your network. Honeywalls are computers set up to monitor what's happening to honeypots on your network and record what attackers are doing (see www.honeynet.org/papers/cdrom/). Honeypots and honeywalls are commonly used to attract intruders and see what they're attempting to do on a network.