Lecture Notes on Virtual Machine Forensics and Network Analysis

Virtual Machine Forensics Overview

  • Virtual machines (VMs) are increasingly utilized for personal and business purposes.
  • Importance of understanding how to analyze VMs for forensic investigations.
  • Hypervisor software is used to manage and run VMs.
    • Two main types of hypervisors:
      • Type 1 Hypervisor:
        • Runs directly on physical hardware without a separate OS.
        • Examples include VMware vSphere, Microsoft Hyper-V 2016, XenProject XenServer.
      • Type 2 Hypervisor:
        • Requires a host operating system to run.
        • Common examples include VMware Workstation, Parallels Desktop, and VirtualBox.

Setting Up Type 2 Hypervisors

  • Pre-installation: Enable virtualization in BIOS.
  • Popular Type 2 Hypervisors:
    • Parallels Desktop: Designed for Mac users running Windows applications.
    • KVM (Kernel-based Virtual Machine): Suitable for Linux.
    • Microsoft Hyper-V: Integrated into Windows 10.
    • VMware: Allows creation of encrypted VMs and supports multiple CPUs and storage capacities.
    • VirtualBox: Compatible with various operating systems including Windows, Linux, Mac.
  • Templates for VMs are available within type 2 hypervisors to simplify setup.

Investigation Procedures with Type 2 Hypervisors

  • Initial Steps:
    1. Create a forensic image of the host computer.
    2. Acquire network logs and link IP addresses to gather website access records.
  • Identifying VMs on Host:
    • Search in User folders and the Registry for clues.
    • Check for virtual network adapters and any attached USB drives.
    • Nested VMs may also exist.
  • Investigation Procedure:
    1. Image the host machine.
    2. Locate virtualization software and VMs.
    3. Export files related to the VMs.
    4. Record hash values of all files.
    5. Open the VM using forensics software to create or mount a forensic image.
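Steps 2 through 4 of the procedure above (locate the VM files, export them, record hash values) can be scripted so the manifest is produced the same way on every case. The block below is an added example written for these notes, not code from any forensic product; the extension list is an assumption drawn from common hypervisor file types, and the directory tree in `demo()` is constructed in a temporary folder to stand in for an exported user folder.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# File extensions commonly used by Type 2 hypervisors for VM disks, configs and
# snapshots (assumption: illustrative, not exhaustive).
VM_EXTENSIONS = {
    ".vmdk", ".vmx", ".vmsn", ".vmem", ".nvram",   # VMware Workstation
    ".vdi", ".vbox", ".sav",                        # VirtualBox
    ".vhd", ".vhdx", ".avhdx",                      # Hyper-V
    ".pvm", ".hdd",                                 # Parallels
    ".qcow2", ".img",                               # KVM / QEMU
}


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large disk images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def locate_vm_files(root):
    """Walk an exported host image (or a mounted copy) and return VM-related files."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() in VM_EXTENSIONS:
                found.append(p)
    return sorted(found)


def build_manifest(root):
    """Record relative path, size and SHA-256 for every VM-related file under root."""
    root = Path(root)
    return [
        {
            "path": p.relative_to(root).as_posix(),
            "size": p.stat().st_size,
            "sha256": sha256_file(p),
        }
        for p in locate_vm_files(root)
    ]


def verify_manifest(root, manifest):
    """Re-hash each file; return the paths whose hash no longer matches the manifest."""
    root = Path(root)
    mismatches = []
    for entry in manifest:
        p = root / entry["path"]
        if not p.exists() or sha256_file(p) != entry["sha256"]:
            mismatches.append(entry["path"])
    return mismatches


def demo():
    """Constructed sample tree standing in for an exported user folder."""
    tmp = Path(tempfile.mkdtemp())
    vm_dir = tmp / "Users" / "alice" / "Virtual Machines" / "win10"
    vm_dir.mkdir(parents=True)
    (vm_dir / "win10.vmx").write_text('displayName = "win10"\n')
    (vm_dir / "win10.vmdk").write_bytes(b"\x00" * 4096)
    (tmp / "Users" / "alice" / "notes.txt").write_text("not a VM file\n")

    manifest = build_manifest(tmp)
    clean = verify_manifest(tmp, manifest)          # expected: no mismatches
    # Simulate the disk image being altered after the manifest was recorded
    (vm_dir / "win10.vmdk").write_bytes(b"\x00" * 4095 + b"\x01")
    changed = verify_manifest(tmp, manifest)        # expected: the .vmdk only
    return manifest, clean, changed


if __name__ == "__main__":
    for entry in demo()[0]:
        print(entry["sha256"], entry["size"], entry["path"])
```

Run the manifest against the exported copy, not the original evidence, and keep the manifest with the case notes; re-running `verify_manifest` later shows whether anything exported was touched between acquisition and analysis.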

Working with Type 1 Hypervisors

  • Type 1 hypervisors impact forensic investigations significantly since they operate directly on hardware.
  • Pros include improved performance, but investigations require closer collaboration with network administrators.
  • Commonly used Type 1 hypervisors include VMware vSphere and Microsoft Hyper-V 2016.

Live Acquisitions in Forensics

  • Importance: Live acquisitions are crucial during active network attacks to retrieve volatile information existing in RAM.
    • Follow the Order of Volatility (OOV) when collecting evidence.
  • Steps for Live Acquisition:
    1. Use a bootable forensic USB drive.
    2. Maintain a log of actions taken to establish a chain of custody.
    3. Copy physical memory (RAM) carefully.
    4. Compute and record a forensic digital hash of recovered files to ensure integrity.
  • Tools for Capturing RAM:
    • Mandiant Memoryze, Belkasoft RamCapturer, Kali Linux, with both GUI and command-line options available.
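Step 2 of the live-acquisition procedure (keep a log of actions to establish chain of custody) is easier to defend later if the log itself is tamper-evident. The block below is an added illustration for these notes, not a feature of Memoryze, RAM Capturer or Kali: a hypothetical `CustodyLog` helper in which every entry stores the SHA-256 of the previous entry, so editing or removing an earlier action breaks every later link. The examiner name, case id, timestamps and artifact hash in `demo()` are constructed values.

```python
import hashlib
import json
from datetime import datetime, timezone


class CustodyLog:
    """Append-only action log; entry i commits to entry i-1 via prev_hash."""

    GENESIS = "0" * 64  # prev_hash of the first entry

    def __init__(self, examiner, case_id):
        self.examiner = examiner
        self.case_id = case_id
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Canonical JSON so the hash does not depend on key order or whitespace
        data = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(data).hexdigest()

    def record(self, action, artifact=None, artifact_sha256=None, when=None):
        """Log one examiner action and return the entry hash."""
        when = when or datetime.now(timezone.utc).isoformat()
        entry = {
            "seq": len(self.entries),
            "time": when,
            "examiner": self.examiner,
            "case": self.case_id,
            "action": action,
            "artifact": artifact,
            "artifact_sha256": artifact_sha256,
            "prev_hash": self.entries[-1]["hash"] if self.entries else self.GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, first bad index)."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev_hash"] != prev or self._digest(body) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        return True, None


def demo():
    """Constructed walk-through: collect in order of volatility, then detect an edit."""
    log = CustodyLog(examiner="Examiner 1", case_id="CASE-0001")
    ram_hash = hashlib.sha256(b"constructed RAM image bytes").hexdigest()
    log.record("Booted forensic USB drive on host", when="2024-01-01T10:00:00+00:00")
    log.record("Captured physical memory", artifact="host.mem",
               artifact_sha256=ram_hash, when="2024-01-01T10:05:00+00:00")
    log.record("Captured network connection table", artifact="netstat.txt",
               when="2024-01-01T10:07:00+00:00")
    before = log.verify()
    # Someone later rewrites the recorded action text of entry 1
    log.entries[1]["action"] = "Captured nothing"
    after = log.verify()
    return before, after


if __name__ == "__main__":
    print(demo())
```

The chain only proves that entries were not altered after the fact relative to the last hash the examiner wrote down; copy that final hash into the paper case notes (or sign it) so the end of the chain is anchored outside the log file.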

Network Forensics Overview

  • Definition: Involves analyzing network traffic and raw data to investigate attacks or unusual events on the network.
  • Establishing Procedures: Network forensic specialists must develop standardized acquisition processes post-attack to ensure all compromised systems are identified.
  • Tools for Network Forensics: Include Tcpdump, Wireshark, and various log analyzers to monitor network traffic and identify anomalies.

Developing Procedures for Network Forensics

  • Standard Procedures:
    • Utilize a consistent installation image.
    • Confirm that vulnerability fixes applied after incidents were successful.
    • Recover volatile data efficiently and analyze original vs forensic images.
  • Importance of Network Logs: Records of incoming and outgoing traffic are essential for forensic analysis during investigations.

Tools for Network Monitoring and Analysis

  • Packet Analyzers: Tools that monitor traffic at OSI layers 2 and 3, capturing in pcap format.
    • Examples include Tcpdump and Wireshark, used for identifying traffic patterns and anomalies.
  • Honeynet Project: A security initiative aiming to enhance awareness and countermeasures against network attacks by providing insight into tactics used by intruders.
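The packet-analyzer bullet above says Tcpdump and Wireshark capture at layers 2 and 3 in pcap format and are used to spot traffic patterns and anomalies. The block below is an added example written for these notes, not code from either tool: it builds a small pcap file in memory from constructed Ethernet/IPv4/TCP frames, parses the global header and per-record headers, decodes the layer 2/3/4 fields, and flags any source whose bare SYN packets reach an unusually large number of distinct destination ports. The IP addresses, MACs and the `sweep_threshold` value are constructed for the demo.

```python
import struct
from collections import Counter, defaultdict

PCAP_MAGIC = 0xA1B2C3D4      # classic microsecond-resolution pcap magic number
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_SYN, TCP_ACK = 0x02, 0x10


def build_pcap(frames):
    """Serialize raw Ethernet frames into a pcap byte string (global header + records)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def tcp_frame(src_ip, dst_ip, sport, dport, flags):
    """Build an Ethernet/IPv4/TCP frame with constructed MACs (checksums left zero)."""
    eth = (b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
           + struct.pack("!H", ETHERTYPE_IPV4))
    ip_src = bytes(int(o) for o in src_ip.split("."))
    ip_dst = bytes(int(o) for o in dst_ip.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     IPPROTO_TCP, 0, ip_src, ip_dst)
    return eth + ip + tcp


def parse_pcap(data):
    """Yield one dict of layer 2/3/4 fields per record; non-IPv4 frames are skipped."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x" % magic)
    linktype = struct.unpack_from("<HHiIII", data, 4)[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled here")
    off = 24                                   # size of the global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34:                    # too short for Ethernet + IPv4 header
            continue
        ethertype, = struct.unpack_from("!H", frame, 12)
        if ethertype != ETHERTYPE_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4           # IPv4 header length in bytes
        pkt = {
            "ts": ts_sec + ts_usec / 1e6,
            "src": ".".join(str(b) for b in frame[26:30]),
            "dst": ".".join(str(b) for b in frame[30:34]),
            "proto": frame[23],
        }
        if pkt["proto"] == IPPROTO_TCP and len(frame) >= 14 + ihl + 14:
            sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
            pkt.update(sport=sport, dport=dport, flags=frame[14 + ihl + 13])
        yield pkt


def summarize(packets, sweep_threshold=5):
    """Count packets per source; flag sources whose bare SYNs hit many distinct ports."""
    per_src = Counter()
    syn_targets = defaultdict(set)
    for p in packets:
        per_src[p["src"]] += 1
        flags = p.get("flags")
        if flags is not None and flags & TCP_SYN and not flags & TCP_ACK:
            syn_targets[p["src"]].add((p["dst"], p["dport"]))
    suspects = sorted(s for s, t in syn_targets.items() if len(t) >= sweep_threshold)
    return per_src, suspects


def demo():
    """Constructed capture: one normal handshake plus a source probing seven ports."""
    frames = [
        tcp_frame("10.0.0.5", "10.0.0.9", 40000, 443, TCP_SYN),
        tcp_frame("10.0.0.9", "10.0.0.5", 443, 40000, TCP_SYN | TCP_ACK),
        tcp_frame("10.0.0.5", "10.0.0.9", 40000, 443, TCP_ACK),
    ]
    frames += [tcp_frame("192.168.1.66", "10.0.0.9", 51000 + i, port, TCP_SYN)
               for i, port in enumerate([21, 22, 23, 25, 80, 135, 445])]
    return summarize(parse_pcap(build_pcap(frames)))


if __name__ == "__main__":
    print(demo())
```

`parse_pcap` handles only the classic little-endian pcap layout with an Ethernet link type; real captures may be big-endian, nanosecond-resolution, or pcapng, which Wireshark and tcpdump handle but this reader deliberately rejects rather than misreading. The SYN-sweep heuristic is one simple pattern an analyst looks for; the per-source counts are the raw material for the traffic-pattern review the notes describe.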