Forensic Blogs

An aggregator for digital forensics blogs

October 24, 2017 by LCDI

VMWare Analysis Update 1

Introduction

The VMWare Analysis team is researching the differences between a Windows 7 physical machine and a Windows 7 virtual machine (VM), as well as the differences between a Windows 10 physical machine and its VM. The end goal for this project is a four-way ("quad") comparison between both operating system versions and their respective VMs.

VMWare/Physical Machines Used

Three VMs have been set up for this project: a Windows 7 VM, a Windows 10 VM, and a SANS SIFT VM running Ubuntu. SANS SIFT is a free VM built by SANS DFIR (Digital Forensics and Incident Response) that ships with a variety of digital forensics tools, such as Volatility and Bulk Extractor; it is being used for the memory forensics analysis of the four machines. The VMWare Analysis team will be extracting, analyzing, and comparing Windows artifacts, including Prefetch files, LNK files, Jump Lists, and Windows memory.

Progress

Thus far, the team has completed data generation and analysis of the Windows 7 physical machine and the Windows 7 VM. Both machines used the same data generation process to keep the results consistent. The comparisons focus on a few specific things: network information within the registry hives, the changes VMware Tools makes to the virtual machine, and general information on the artifacts themselves, including where the system stores them and what they reveal about the system.

VMWare

The team had trouble generating Prefetch data for Notepad, Notepad++, and Adobe Reader. After a few minutes of troubleshooting, the team discovered that the Prefetch folder only holds up to 168 “.pf” files at one time. The folder had reached capacity and could not fit files for those applications.

Conclusion

So far, the only identified difference between the VM and the physical machine is in the Prefetch files. The Windows 7 physical machine had 140 Prefetch files, while the VM only had 114. The VM image also contained a Prefetch file for VMware Tools (VMTOOLSD.EXE-CD82EC13.pf), which the physical machine did not.

VMWare

In the upcoming weeks, the VMware Analysis team plans to start on the Windows 10 physical machine and VM. Once data generation and analysis are complete, we’ll compare the differences between the virtual machine and the physical machine, and then compare Windows 10 with Windows 7.

Like the Leahy Center for Digital Investigation (LCDI) on Facebook and follow us on Twitter to get notified of more project updates.

The post VMWare Analysis Update 1 appeared first on The Leahy Center for Digital Investigation.

Read the original at: The Leahy Center for Digital Investigation

Filed Under: Digital Forensics, Uncategorized
Tagged With: artifacts, Blog Post, Projects, Student Work, Update, Virtual Machine, VMware, windows, Windows 10, Windows 7

March 30, 2011 by ramslack

E01’s and SIFT – A forbidden love affair…

(ok not really, but that stuck with me for a title)

So I’ve finally gotten around to starting up a blog again. I decided (with some pushing from my friend Dave Kovar, who makes a very nice Python script called analyzeMFT; you should check it out) to do my first post on using E01 images in the SANS SIFT Workstation VM.

This came about primarily because most of the documentation for SIFT talks about using DD images, which is fine; I don’t mind DD images at all. However, my current “place of employment” requires that I use E01 images in my casework, so I had to do some digging in order to create timelines using SIFT. I prefer creating timelines using the SuperTimeline method because it’s what I’m used to, and for me it’s easier to read.

I’d like to start off by thanking Stephen Venter for writing a blog post on mount_ewf.py which helped get me started.

So here’s my setup: I have all the evidence for my case on a TrueCrypt’d eSATA desktop drive, attached to my forensic workstation with an eSATA dock. All the evidence images are in a folder called Evidence, and any data I’m going to export out of SIFT I’ll put in my Export folder.

So I start up VMware Workstation and fire up SIFT. Once I log in and get to the desktop, the first thing I’m going to do is go to VM->Settings (Ctrl-D)->Options and then Shared Folders. I always set this to “Enabled until next power off or Suspend” just so I force myself to “enable” the connection to my eSATA disk, and if I move on to another case/project I can start fresh again. Next I’ll add my Evidence and Export directories as separate folders. For the Evidence folder I’ll check the read-only attribute, because there’s really no reason for me to write to that folder.

Once that’s done I can confirm the folders are there by clicking on the VMware-Shared-Drive icon. One note: the VMware-Shared-Drive shortcut is a soft link to the /mnt/hgfs directory.

For the purposes of this post, we’ll call the image I’m mounting “foobar_image.E01”.

Ok, first we’re going to start off with the mount_ewf.py script to mount the image on the system. We’re dealing with a split image, so the command we’ll use is:

mount_ewf.py /mnt/hgfs/evidence/foobar_image.E* /mnt/ewf

There are already some mount points set up in SIFT, and since we’re only working with one image there’s no need to create additional subdirectories under /mnt.

Next we need to look at the image partition layout to determine where the volume on the disk starts.

fdisk -lu /mnt/ewf/foobar_image

and you’ll get an output that looks something like:

Device Boot                  Start         End      Blocks   Id  System
/mnt/ewf/foobar_imagep1  *          63    68281919    34140928+   7  HPFS/NTFS
Partition 1 has different physical/logical endings:
     phys=(1023, 239, 63) logical=(4515, 239, 63)
/mnt/ewf/foobar_imagep2       68281920    78140159     4929120   12  Compaq diagnostics
Partition 2 has different physical/logical beginnings (non-Linux?):
     phys=(1023, 0, 1) logical=(4516, 0, 1)
Partition 2 has different physical/logical endings:
     phys=(1023, 239, 63) logical=(5167, 239, 63)

Ok, so based on this output we have two partitions in this image. One is a diagnostic partition; the other is an HPFS/NTFS file system. So foobar_imagep1 is the one we are interested in. What we now need to calculate is the offset in bytes to where that partition starts. To find that we take the “Start” value of foobar_imagep1 (63) and multiply it by 512 (for 512 bytes per sector), which gives 32256. Keep in mind that newer drives are starting to use a larger bytes-per-sector value (3TB and some 2TB drives that I’ve seen), so check the sector size fdisk reports before multiplying.

Ok, so next is to mount the image to a loopback device so we can then mount the partition and work with it:

losetup -o 32256 -r /dev/loop0 /mnt/ewf/foobar_image

The -o switch is the byte offset into the image, and the -r switch sets the loop device up read-only.

Once this part is done, we can go ahead and mount the partition. Keep in mind that we want to mount it so we can see the “hidden” system files associated with the file system ($MFT, etc.), which is what the show_sys_files option does.

mount /dev/loop0 /mnt/windows_mount -o loop,ro,show_sys_files

Now do an “ls -l” on /mnt/windows_mount and you should see the volume’s file system (and the hidden system files as well).

At this point, I would start creating my timeline.  I use the steps Rob Lee outlined in his SUPER Timeline Analysis and Creation post.

Finally, once we’re done using this image, what is the proper way to unmount it all? It’s actually a three-step process, in the reverse order of how it was set up.

First we unmount the volume from the /mnt/windows_mount point.

umount /mnt/windows_mount

Next, we remove the link between the loopback device and the image.

losetup -d /dev/loop0

Finally we unmount the E01 image.

umount /mnt/ewf

And we’re done.
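The mount and unmount sequence above, wrapped as an added example (this is my script, not part of the original post). It assumes the post's paths (/mnt/ewf, /mnt/windows_mount, /dev/loop0), that mount_ewf.py names the raw image after the E01 basename as shown above, and that the mounting functions are run as root; the function and variable names are this example's own, and the fdisk sample is constructed from the output shown above.

```shell
#!/bin/sh
# Added example, not from the original post: wraps the mount_ewf.py ->
# fdisk -> losetup -> mount sequence and its reverse. The paths follow
# the post (/mnt/ewf, /mnt/windows_mount, /dev/loop0); the function and
# variable names are this example's own. Mounting needs root.
set -eu

EWF_MOUNT=/mnt/ewf
WIN_MOUNT=/mnt/windows_mount
LOOP=/dev/loop0

# Byte offset of a partition, read from "fdisk -lu" output on stdin:
# the "Start" sector of the named device times the sector size
# (512 by default; pass another value for drives with larger sectors).
# Exits non-zero if the device is not listed.
partition_offset() {
    awk -v d="$1" -v s="${2:-512}" '
        $1 == d { start = ($2 == "*") ? $3 : $2; print start * s; found = 1; exit }
        END { if (!found) exit 1 }'
}

# Constructed sample, trimmed from the fdisk output shown in the post.
SAMPLE_FDISK='Device Boot   Start    End   Blocks   Id  System
/mnt/ewf/foobar_imagep1  *          63   68281919   34140928+   7  HPFS/NTFS
/mnt/ewf/foobar_imagep2       68281920   78140159    4929120   12  Compaq diagnostics'

# Mount a (possibly split) E01 and expose one partition read-only with
# the NTFS metafiles ($MFT etc.) visible. Assumes mount_ewf.py names the
# raw image after the E01 basename, as in the post.
mount_e01() {
    image="$1"; part="${2:-1}"; sector="${3:-512}"
    base=${image##*/}; base=${base%.*}
    mount_ewf.py "${image%.*}".E* "$EWF_MOUNT"
    raw="$EWF_MOUNT/$base"
    offset=$(fdisk -lu "$raw" | partition_offset "${raw}p${part}" "$sector")
    losetup -o "$offset" -r "$LOOP" "$raw"
    mount -o ro,show_sys_files "$LOOP" "$WIN_MOUNT"
    echo "$raw partition $part mounted at $WIN_MOUNT (offset $offset bytes)"
}

# Tear down in reverse order: volume, loop device, then the EWF mount.
umount_e01() {
    umount "$WIN_MOUNT"
    losetup -d "$LOOP"
    umount "$EWF_MOUNT"
}
```

Source the file and call mount_e01 /mnt/hgfs/evidence/foobar_image.E01 (optionally with a partition number and sector size), then umount_e01 when finished.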

Please note you may have to do some tweaking with some of these steps. Most of the time the steps have worked for me, but there will be instances where the offset for the volume is different (for example). Remember that the “man” pages are available for most of the commands used here if you need to fine-tune any part of this process. You can also mount multiple images at the same time; you just need to change/increment the /dev/loop values (/dev/loop1, /dev/loop2, etc.) and add additional directories to mount the images to.

If any of you have suggestions on how to improve this process I’d love to hear about it.

Again I’d like to thank the following for making this blog post possible:

Stephen Venter

Rob Lee

Read the original at: RAM Slack - Random Thoughts from a Computer Forensic Examiner

Filed Under: Uncategorized
Tagged With: Digital forensics, VMware
