Chapter 10: Virtual Machine Forensics, Live Acquisitions, and Network Forensics

10.1: An Overview of Virtual Machine Forensics

  • Hypervisor: The software that runs virtual machines.
  • Type 1 Hypervisor: Runs on “bare metal,” meaning it loads on physical hardware and doesn’t require a separate OS.
  • Type 2 Hypervisor: It rests on top of an existing OS.

Type 2 Hypervisors

  • Type 2 hypervisors can be used on a laptop, a desktop, or even a tablet to simulate an OS environment, such as running a Windows Server 2016 VM on a Linux host.

  • Before installing a type 2 hypervisor and creating a VM, you need to enable virtualization in the BIOS.

  • Intel Virtualization Technology (VT) has responded to the need for security and performance by producing different CPU designs.

  • Instruction sets called Virtual Machine Extensions (VMX) are necessary to use virtualization; without these instruction sets, virtualization software doesn’t work.

  • Intel has also developed Virtualization Technology for memory virtualization, I/O virtualization, graphics virtualization, and virtualization of network and security functions.

  • Parallels Desktop: Was created for Macintosh users who also use Windows applications. It runs both legacy and current Windows OSs as well as Linux.

  • Kernel-based Virtual Machine (KVM): This open-source hypervisor enables you to choose between an Intel and an AMD CPU and to run Linux or Windows VMs. It’s now included as part of most Linux kernels.

  • Microsoft Hyper-V: Microsoft began its venture into virtualization with Virtual PC, which allowed you to create VMs that could run non-Windows OSs.

    • Its new hypervisor is built into Windows 10, and unlike most programs, it isn’t downloaded.
  • VMware Workstation and Workstation Player:

    • It can be installed on almost any device, including tablets.
    • Microsoft Hyper-V Server can be installed on it.
    • It can create encrypted VMs.
    • It is capable of supporting up to 16 CPUs, 8 TB of storage, and 20 virtual networks.
  • Oracle VirtualBox: It supports all Windows and Linux OSs as well as Macintosh and Solaris. This shareware can be downloaded and installed on both Windows and Linux host systems.


Files associated with VMware

File extension   Description
.vmx             Stores configuration files
.log             Contains logs of information such as when a VM was powered off, virtual appliances added, and so on
.nvram           Keeps track of the state of a VM’s BIOS
.vmdk            Stores the virtual hard drive’s contents
.vmem            Stores VM paging files, which serve as RAM
.vmsd            Contains information about snapshots

Files associated with VirtualBox

File extension   Description
.ova / .ovf      File used to create a virtual machine; OVF stands for “Open Virtualization Format”
.vdi             Disk image file
.r0              Default libraries
.vbox            Saved settings of virtual hard drives
.vbox-extpack    Plug-ins
.vbox-prev       Backups of VMs
.xml-prev        Backups of XML settings
.log             Log files containing information such as a VM being powered on and off, whether it’s in hibernation mode, virtual appliances added, and so on


Conducting an Investigation with a Type 2 Hypervisor

  • You begin by acquiring a forensic image of the host computer as well as network logs.
  • By linking the VM’s IP address to log files, you might be able to determine what Web sites the VM accessed.
  • After acquiring a forensic image of the host, export associated VM files.
  • A VM shares the host’s physical devices, such as DVD/CD players and USB drives, and can access files from peripheral devices and shared folders.
  • Detecting whether virtual machines are on a host computer can be challenging for digital investigators.
    • On a Windows host, you usually look in the Users or Documents folder.
    • On a Linux host, the files might be in /usr/bin/software-center or another folder in the /usr directory.
  • Files associated with VMs, such as log files, should be extracted and examined to determine the crime or incident’s timeline and to find relevant information, which might include testing software or malware.
  • Following a consistent procedure when you’re conducting a forensic analysis of VMs is crucial. Here’s an overview:
    • Image the host machine.
    • Locate the virtualization software and VMs, using the information you’ve learned about file extensions and network adapters.
    • Export from the host machine all files associated with VMs, including log files, virtual adapters, and snapshots.
    • Record the hash values of these associated files.
    • Next, you can open the VM as an image file in forensics software and create a forensic image of it, mount the VM as a drive and then image it, or do a live search.
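The middle steps of that procedure (locate VM files by extension, export them, record their hash values) can be scripted. The following is an added example, not code from the textbook: it walks an exported host tree, picks out files whose extensions appear in the VMware and VirtualBox tables above, and writes a manifest with MD5, SHA-1 and SHA-256 for each. The directory tree produced by `make_sample_host()` and the file contents are constructed placeholders, not real VM files. Because `.log` is used by many programs, a `.log` file is only reported when it sits in the same directory as another VM artifact.

```python
"""Added example, not code from the textbook: inventory the VM-associated
files found on a host and record their hash values.  The extension list is
taken from the VMware and VirtualBox tables above; the tree written by
make_sample_host() is constructed sample data with placeholder contents."""
import hashlib
import json
import os
from pathlib import Path

# Extension -> description, from the chapter's two tables.  ".log" appears in
# both tables and is used by many other programs, so it is only reported when
# it sits beside another VM artifact.
VM_EXTENSIONS = {
    ".vmx": "VMware configuration", ".vmdk": "VMware virtual hard drive",
    ".vmem": "VMware paging file (RAM)", ".vmsd": "VMware snapshot information",
    ".nvram": "VMware BIOS state", ".ova": "OVF appliance", ".ovf": "OVF descriptor",
    ".vdi": "VirtualBox disk image", ".vbox": "VirtualBox settings",
    ".vbox-prev": "VirtualBox settings backup", ".xml-prev": "VirtualBox XML settings backup",
    ".vbox-extpack": "VirtualBox plug-in", ".r0": "VirtualBox default library",
    ".log": "hypervisor log",
}
ALGORITHMS = ("md5", "sha1", "sha256")

def hash_bytes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 hex digests of an in-memory buffer."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGORITHMS}

def hash_file(path: Path, chunk_size: int = 1 << 20) -> dict:
    """Same three digests for a file, read in chunks so large .vmdk files fit in memory."""
    digests = {a: hashlib.new(a) for a in ALGORITHMS}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {a: d.hexdigest() for a, d in digests.items()}

def find_vm_artifacts(root: Path) -> list:
    """Walk an exported host tree and return the VM-related files in it."""
    by_dir = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if Path(name).suffix.lower() in VM_EXTENSIONS:
                by_dir.setdefault(dirpath, []).append(Path(dirpath) / name)
    found = []
    for paths in by_dir.values():
        has_other = any(p.suffix.lower() != ".log" for p in paths)
        for p in paths:
            if p.suffix.lower() == ".log" and not has_other:
                continue  # a lone .log file belongs to some other program
            found.append(p)
    return sorted(found)

def build_manifest(root: Path) -> list:
    """Record path, type, size and hash values of every artifact (the 'record hashes' step)."""
    return [
        {"path": p.relative_to(root).as_posix(), "type": VM_EXTENSIONS[p.suffix.lower()],
         "size": p.stat().st_size, **hash_file(p)}
        for p in find_vm_artifacts(root)
    ]

# Constructed sample host tree; contents are placeholders, not real VM data.
SAMPLE_FILES = {
    "Users/alice/Documents/Virtual Machines/Win10/Win10.vmx": b'displayName = "Win10"\n',
    "Users/alice/Documents/Virtual Machines/Win10/Win10.vmdk": b"KDMV" + b"\0" * 64,
    "Users/alice/Documents/Virtual Machines/Win10/vmware.log": b"Win10 powered off\n",
    "Users/alice/VirtualBox VMs/kali/kali.vbox": b"<VirtualBox/>\n",
    "Users/alice/VirtualBox VMs/kali/kali.vdi": b"<<< Oracle VM VirtualBox Disk Image >>>\n",
    "Users/alice/Documents/setup.log": b"installer finished\n",  # lone log: not a VM artifact
}

def make_sample_host(root: Path) -> None:
    for rel, content in SAMPLE_FILES.items():
        dest = root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(content)

def demo() -> list:
    """Build the sample tree in a temporary directory and return its manifest."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_sample_host(root)
        manifest = build_manifest(root)
        (root / "vm-manifest.json").write_text(json.dumps(manifest, indent=2))
        return manifest

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run against a real export by calling `build_manifest(Path("/mnt/host-image"))` (path assumed) and saving the JSON beside the case notes; the manifest is what you compare against after the VM files have been opened or mounted in forensics software.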


Working with Type 1 Hypervisors

  • The following are some common type 1 hypervisors:
    • VMware vSphere in Standard, Enterprise Plus, and Operations Management Enterprise Plus editions.
    • Microsoft Hyper-V Server 2016
    • XenProject XenServer in a free edition
    • IBM PowerVM
    • Parallels Desktop for Mac

10.2: Performing Live Acquisitions

  • Order of Volatility (OOV): It determines how long a piece of information lasts on a system.

  • The following steps show the general procedure for a live acquisition, although investigators differ on exact steps:

    1. Create or download a bootable forensic CD or USB drive, and test it before using it on a suspect drive. If the suspect system is on your network and you can access it remotely, add the necessary network forensics tools to your workstation. If not, insert the bootable forensics CD/USB drive in the suspect system.
    2. Make sure you keep a log of all your actions; documenting your actions and reasons for these actions is critical.
    3. A network drive is ideal as a place to send the information you collect. If you don’t have one available, connect an external drive to the suspect system for collecting data. Be sure to note this step in your log.
    4. Next, copy the physical memory (RAM).
    5. The next step varies, depending on the incident you’re investigating. You can also access the system’s firmware to see whether it has changed, create an image of the drive over the network, or shut down the system and make a static acquisition later.
    6. Be sure to get a forensically sound digital hash value of all files you recover during the live acquisition to make sure they aren’t altered later.
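The following added example (not the textbook's code) shows how steps 2 through 6 fit together in a small live-acquisition runner: collectors are ordered by volatility, every artifact is hashed as it is written, and each action and its reason go into a timestamped log. The memory collector is a constructed stand-in where a real memory imaging tool would be called; the process collector reads `/proc` on Linux and writes a labelled placeholder elsewhere. In practice the output directory would be the network share or external drive from step 3.

```python
"""Added example, not the textbook's code: a live-acquisition runner that
collects in order of volatility, hashes each artifact and logs every action
with its reason.  The memory collector is a constructed stand-in."""
import hashlib
import json
import platform
import tempfile
import time
from pathlib import Path

def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def collect_memory() -> bytes:
    # Constructed stand-in for the RAM image of step 4; a real run calls a memory imager here.
    return b"PLACEHOLDER-RAM-IMAGE\n"

def collect_processes() -> bytes:
    """Running processes from /proc on Linux; a labelled placeholder on other platforms."""
    proc = Path("/proc")
    lines = []
    if proc.is_dir():
        for entry in proc.iterdir():
            if entry.name.isdigit():
                try:
                    lines.append(f"{entry.name} {(entry / 'comm').read_text().strip()}")
                except OSError:
                    continue  # process exited between listing and read
    else:
        lines.append("PLACEHOLDER: no /proc on this platform")
    return ("\n".join(lines) + "\n").encode()

def collect_system_identity() -> bytes:
    u = platform.uname()
    return f"{u.system} {u.node} {u.release} {u.machine}\n".encode()

# (volatility rank, artifact file name, reason written to the log, collector)
# Lower rank = more volatile = collected first.
COLLECTORS = [
    (1, "memory.raw", "RAM is lost at power-off, so it is imaged first", collect_memory),
    (2, "processes.txt", "the process list changes continuously", collect_processes),
    (3, "system.txt", "host identity is stable but needed to interpret the rest", collect_system_identity),
]

class Acquisition:
    def __init__(self, out_dir: Path):
        self.out_dir = Path(out_dir)
        self.out_dir.mkdir(parents=True, exist_ok=True)
        self.log_path = self.out_dir / "acquisition.log"
        self.records = []

    def log(self, action: str, reason: str, **fields) -> None:
        """Step 2: append one JSON line saying what was done, why, and any hash produced."""
        rec = {"time": time.strftime("%Y-%m-%dT%H:%M:%S%z"), "action": action, "reason": reason, **fields}
        self.records.append(rec)
        with self.log_path.open("a") as fh:
            fh.write(json.dumps(rec) + "\n")

    def run(self) -> list:
        self.log("start", "begin live acquisition", host=platform.node())
        for rank, name, reason, collector in sorted(COLLECTORS, key=lambda c: c[0]):
            data = collector()
            (self.out_dir / name).write_bytes(data)
            self.log("collect", reason, rank=rank, artifact=name,
                     size=len(data), sha256=sha256_bytes(data))
        self.log("finish", "all collectors completed")
        return self.records

    def verify(self) -> bool:
        """Step 6: re-hash every collected artifact and compare with the logged value."""
        for rec in self.records:
            if rec["action"] == "collect":
                if sha256_bytes((self.out_dir / rec["artifact"]).read_bytes()) != rec["sha256"]:
                    return False
        return True

def demo() -> tuple:
    """Run into a temp dir; return (records, verified, verified after tampering)."""
    with tempfile.TemporaryDirectory() as tmp:
        acq = Acquisition(Path(tmp) / "case-0001")
        records = acq.run()
        clean = acq.verify()
        (acq.out_dir / "memory.raw").write_bytes(b"altered later\n")  # simulate later alteration
        return records, clean, acq.verify()

if __name__ == "__main__":
    records, clean, after = demo()
    for r in records:
        print(json.dumps(r))
    print("verified:", clean, "after alteration:", after)
```

The log is append-only JSON lines so it can be read back with any tool, and `verify()` is what you run before handing the artifacts over: if any file's hash no longer matches what was logged at collection time, the artifact is no longer forensically sound.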

10.3: Network Forensics Overview

  • Network Forensics: The process of collecting and analyzing raw network data and tracking network traffic systematically to ascertain how an attack was carried out or how an event occurred on a network.

Securing a Network

  • Layered Network Defense Strategy: Sets up layers of protection to hide the most valuable data at the innermost part of the network. It also ensures that the deeper into the network an attacker gets, the more difficult access becomes and the more safeguards are in place.

Developing Procedures for Network Forensics

  • Always use a standard installation image for systems on a network. This image isn’t a bit-stream image but an image containing all the standard applications used. You should also have MD5 and SHA-1 hash values of all application and OS files.
  • When an intrusion incident happens, make sure the vulnerability has been fixed to prevent other attacks from taking advantage of the opening.
  • Attempt to retrieve all volatile data, such as RAM and running processes, by doing a live acquisition before turning the system off.
  • Acquire the compromised drive and make a forensic image of it.
  • Compare files on the forensic image with the original installation image.
  • Packet Analyzers: Devices placed on a network to monitor traffic.
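The comparison between the forensic image and the standard installation image is a straightforward hash diff, shown here as an added example (not the textbook's code). It builds a manifest of the baseline image, hashes the files on the forensic image, and reports what was modified, added or is missing; paths under caller-supplied prefixes such as user profiles, which are expected to differ, are skipped so they do not bury the changes that matter. The two trees written by `demo()` are constructed sample data with placeholder contents; in practice the baseline manifest is produced when the standard image is built and the forensic image is mounted read-only.

```python
"""Added example, not the textbook's code: diff a forensic image against the
hash manifest of the standard installation image.  Sample trees are constructed."""
import hashlib
import os
import tempfile
from pathlib import Path

# MD5 and SHA-1 are what the chapter says to keep for the standard image;
# SHA-256 is added because the older two are no longer collision-resistant.
ALGORITHMS = ("md5", "sha1", "sha256")

def hash_file(path: Path, chunk_size: int = 1 << 20) -> dict:
    digests = {a: hashlib.new(a) for a in ALGORITHMS}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {a: d.hexdigest() for a, d in digests.items()}

def build_manifest(root: Path) -> dict:
    """Relative POSIX path -> hashes, for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest

def compare_to_baseline(baseline: dict, image_root: Path, ignore_prefixes=()) -> dict:
    """Diff the image against the baseline.  Paths under ignore_prefixes (user
    profiles, temp directories) are expected to differ and are skipped."""
    current = build_manifest(image_root)

    def kept(path: str) -> bool:
        return not path.startswith(tuple(ignore_prefixes))

    base = {p: h for p, h in baseline.items() if kept(p)}
    cur = {p: h for p, h in current.items() if kept(p)}
    return {
        "modified": sorted(p for p in base if p in cur and cur[p]["sha256"] != base[p]["sha256"]),
        "added": sorted(set(cur) - set(base)),
        "missing": sorted(set(base) - set(cur)),
    }

# Constructed sample trees; contents are placeholder bytes, not real binaries.
BASELINE_FILES = {
    "Windows/System32/cmd.exe": b"MZ cmd v1",
    "Windows/System32/ntoskrnl.exe": b"MZ kernel",
    "Program Files/Agent/agent.exe": b"MZ agent",
}
IMAGE_FILES = {
    "Windows/System32/cmd.exe": b"MZ cmd v1 + patched bytes",  # modified on the image
    "Windows/System32/ntoskrnl.exe": b"MZ kernel",              # unchanged
    "Windows/System32/updater.exe": b"MZ unknown",               # not in the baseline
    "Users/bob/notes.txt": b"user data",                         # new, but under an ignored prefix
    # Program Files/Agent/agent.exe is absent from the image
}

def write_tree(root: Path, files: dict) -> None:
    for rel, content in files.items():
        dest = root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(content)

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        baseline_root, image_root = Path(tmp) / "baseline", Path(tmp) / "image"
        write_tree(baseline_root, BASELINE_FILES)
        write_tree(image_root, IMAGE_FILES)
        baseline = build_manifest(baseline_root)
        return compare_to_baseline(baseline, image_root, ignore_prefixes=("Users/",))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Files in the "modified" and "added" lists are the first candidates for closer examination; "missing" entries can indicate deleted logs or removed security tooling, so they are worth explaining too.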

Examining the Honeynet Project

  • Honeynet Project: Developed to make information widely available in an attempt to thwart Internet and network attackers.
  • Distributed denial-of-service (DDoS) attacks
    • A trace of a DDoS attack might go through other organizations’ networks, not just yours or your ISP’s.
    • Zombies: Machines used in DDoS attacks.
    • When the first DDoS attacks began, the main concerns were the high monetary impact and the amount of time it took to track down these attacks.
  • Zero Day Attacks: Attackers look for holes in networks and OSs and exploit these weaknesses before patches are available.
  • Honeypot: A computer set up to look like any other machine on your network; its purpose is to lure attackers to your network, but it contains no information of real value.
  • Honeywalls: Computers set up to monitor what’s happening to honeypots on your network and to record what attackers are doing.
