Recoverability of data from virtual machine - advice needed

Computer forensics training and education issues. If you are looking for topic suggestions for your project, thesis or dissertation please post here rather than the general discussion forum.
Go to page Previous  1, 2, 3 
  

Re: Recoverability of data from virtual machine - advice nee

Post Posted: Mon Mar 06, 2017 12:48 pm

Thanks Jaclaz!

I recommended a full physical image be made of the workstation to my client.  

UnallocatedClusters
Senior Member
 
 
  

Re: Recoverability of data from virtual machine - advice nee

Post Posted: Mon Mar 13, 2017 9:51 pm

- StudentofLife

At one point my host OS got corrupted. I then reinstalled the OS on my host, created a VM in VMware Workstation, installed an OS onto this, sent 3 emails within the VM, imaged the host, extracted the VM, imaged the VMDK in FTK Imager + Toolkit and I'm able to find traces of the email I sent in the VM which was active before the corruption occurred - how? What could be deemed an 'unfit disk creation procedure/tool' in these scenarios?


During disk creation, the space allocated to the (fixed size) virtual disk file is usually zeroed. VPS and cloud providers had some huge problems otherwise. I don't use VMware Workstation on a regular basis, but doesn't it do the same (even as a desktop, not infrastructure product)? Some third party tools surely create fixed size VM disks without zeroing, which I described as unfit.  

C.R.S.
Senior Member
 
 
  

Re: Recoverability of data from virtual machine - advice nee

Post Posted: Tue Mar 14, 2017 1:06 pm

Thank you so much for all of your help!
I really appreciate it and I realise that I have a lot to learn...1 step at a time
Thank you again!  

StudentofLife
Member
 
 
  

Re: Recoverability of data from virtual machine - advice nee

Post Posted: Tue Mar 14, 2017 1:09 pm

During disk creation, the space allocated to the (fixed size) virtual disk file is usually zeroed. VPS and cloud providers had some huge problems otherwise. I don't use VMware Workstation on a regular basis, but doesn't it do the same (even as a desktop, not infrastructure product)? Some third party tools surely create fixed size VM disks without zeroing, which I described as unfit.



Apparently not - but thank you for bringing this to my attention. It's definitely something that I'll look into.  

StudentofLife
Member
 
 
  

Re: Recoverability of data from virtual machine - advice nee

Post Posted: Sun Apr 02, 2017 2:32 pm

Hello all,

I know the topic was dead but I have good reason to revive it.
As recommended, I wiped the hard drive with DBAN using the Mersenne Twister with 3 passes,
I installed the Windows 10 Home OS, installed VMware Workstation, created VM1, conducted activities within it such as sending emails and saving pictures and then imaged the host.
When analysing it in FTK Toolkit I found hits for only VM1. Fine.

I then wiped the drive again using the Mersenne Twister with 3 passes, I installed the Windows 10 Home OS, installed VMware Workstation, created VM2, conducted activities within it such as sending emails and saving pictures and then imaged the host.
I could find emails sent in VM1.

My theory was that this happened because I used the same Outlook account to send the emails in both VM1 and VM2, and as Windows downloads emails to the device then it was just FTK Toolkit picking up these downloaded emails. But if that was the case then I'd be able to recover data from VMs created before the DBAN wipe, and I couldn't.

I found this page: sourceforge.net/p/dban...quests/19/
And the user states that wiped data can be recovered from the Mersenne Twister low-level "substraction" (not sure what this is to be honest).

A little guidance would be appreciated  

StudentofLife
Member
 
 
  

Re: Recoverability of data from virtual machine - advice nee

Post Posted: Mon Apr 03, 2017 2:07 am

- StudentofLife

As recommended, I wiped the hard drive with DBAN using the Mersenne Twister with 3 passes ...

As recommended by WHOM, WHERE?


NO ( that is NO as in NO, NIL, ZERO, ZILCH) data can be recovered after a SINGLE overwrite pass (let alone three).

Sure if you use a program, any program, that re-downloads data after the wipe, you will find the re-downloaded data (but that WON'T be the previous data, that will be a NEW copy of the SAME data).

Whatever is the Mersenne Twister, and whatever you read anywhere, once data is overwritten (if it is overwritten) it STAYS overwritten.

JFYI DBAN is a nice tool developed and used mainly by people that are needlessly paranoid about their data and security, some on the border of conspirationism.

All the fuss and discussions about the possibility to recover overwritten data (SINGLE pass of 00's, you don't need any fancy algorithm, you don't need more than one SINGLE pass of simple 0's or 1's if you prefer) are about highly technical (and largely mythical) hardware methods involving Magnetic Force Microscopes, self-standing platter mounts with special arms and heads, mega-para-super-nuclear-devices, etc.

NO (that is NO as in NO, NIL, ZERO, ZILCH) software can recover overwritten data, and in your case you didn't even ATTEMPT the recovery.

Follow me please.
1) Simply wipe your disk (one SINGLE pass of 00's).
2) Verify that all sectors are 00's,
3) Do whatever you need to do on that disk, install the OS, the vm, etc..
4) Simply wipe your disk again (one SINGLE pass of 00's).
5) Verify that all sectors are 00's.
6) NOW check what FTK can find. (it will find NOTHING)
7) Do whatever you need to do on that disk, install the OS, the vm, etc. again.
8) Check what FTK can find again. IF it finds anything, that will have been created/downloaded/etc. DURING or AFTER step #7

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
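Both C.R.S.'s point (a fixed-size virtual disk file should read back as all zeros the moment it is created) and steps 2 and 5 of jaclaz's procedure above come down to the same check: confirm that every sector of a file or device image is 0x00 before building anything on top of it. The Python below is an added example, not code from the thread or from any of the tools it mentions; it streams the file in 1 MiB chunks so a multi-gigabyte raw image or a fixed-size virtual disk file stays cheap on memory, and reports the first sector that holds data. The sample images it checks are constructed inline.

```python
"""Added example: verify that every sector of a raw image or fixed-size
virtual disk file is 0x00 (the 'verify all sectors are 00's' step)."""
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, Optional

SECTOR = 512
CHUNK = 1024 * 1024  # 1 MiB reads keep memory flat on multi-GB images


@dataclass
class ZeroReport:
    total_sectors: int
    nonzero_sectors: int
    first_nonzero_sector: Optional[int]  # None when every sector is 0x00

    @property
    def is_clean(self) -> bool:
        return self.nonzero_sectors == 0


def verify_zeroed(path: str, sector_size: int = SECTOR, chunk_size: int = CHUNK) -> ZeroReport:
    """Stream the file and count sectors that contain anything other than 0x00."""
    if chunk_size % sector_size:
        raise ValueError("chunk_size must be a whole number of sectors")
    zero_chunk = bytes(chunk_size)
    size = os.path.getsize(path)
    total = (size + sector_size - 1) // sector_size
    nonzero, first = 0, None
    with open(path, "rb") as fh:
        offset = 0
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            # Fast path: an all-zero chunk equals a zero buffer of the same length.
            if chunk != zero_chunk[:len(chunk)]:
                # Slow path: find which sectors inside this chunk hold data.
                for s in range(0, len(chunk), sector_size):
                    if chunk[s:s + sector_size].strip(b"\x00"):
                        nonzero += 1
                        if first is None:
                            first = (offset + s) // sector_size
            offset += len(chunk)
    return ZeroReport(total, nonzero, first)


def build_sample_image(path: str, total_sectors: int, dirty: Dict[int, bytes]) -> None:
    """Constructed test data: a zero-filled image with data planted in chosen sectors."""
    img = bytearray(total_sectors * SECTOR)
    for sector, payload in dirty.items():
        start = sector * SECTOR
        img[start:start + len(payload)] = payload
    with open(path, "wb") as fh:
        fh.write(img)


def demo_zero_check() -> Dict[str, ZeroReport]:
    """Check one clean and one 'dirty' constructed 64-sector image; return both reports."""
    reports = {}
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "clean.dd")
        dirty = os.path.join(tmp, "dirty.dd")
        build_sample_image(clean, 64, {})
        # Sector 37 holds a single 0x01 byte after two zeros: still counts as data.
        build_sample_image(dirty, 64, {10: b"Today is Saturday", 37: b"\x00\x00\x01"})
        reports["clean"] = verify_zeroed(clean)
        reports["dirty"] = verify_zeroed(dirty)
    return reports


if __name__ == "__main__":
    for name, r in demo_zero_check().items():
        state = "clean" if r.is_clean else (
            f"{r.nonzero_sectors} non-zero sectors, first at sector {r.first_nonzero_sector}")
        print(f"{name}: {r.total_sectors} sectors, {state}")
```

Against a real target, point `verify_zeroed` at the `.dd`/`.raw` image or at the block device itself (reading a device node needs elevated privileges). A non-clean result after a wipe says the wipe did not cover that sector, which is the situation to rule out before blaming the wiping algorithm; a non-clean result on a freshly created fixed-size virtual disk file is exactly the "unfit creation tool" case C.R.S. describes.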
 
 
  

Re: Recoverability of data from virtual machine - advice nee

Post Posted: Tue Apr 04, 2017 1:48 pm

I misinterpreted the results.
I was still able to retrieve email data from an FTK keyword search but not any data which was saved on the hard drive.

There is something about the download method used by Microsoft that allows me to see the last 2-5 emails sent on the Windows Outlook app, with a matching keyword to the one I searched e.g.

On the 20th of December 2016 I created 3 VMs and emailed from within each one:
" Today is Monday, no longer the holidays, Today is Tuesday, no longer the holidays, Today is Wednesday, no longer the holidays"

After a DBAN wipe I created a VM and emailed
" Today is Saturday, no longer the holidays"

After another DBAN wipe I created a VM and emailed
"Today is Sunday, no longer the holidays"

When the last VM created after the DBAN wipe was put into FTK Toolkit with the keyword search 'no longer the holidays' I was able to see the email sent post wipe (Saturday/Sunday) but not pre-wipe

This is just my observation.

StudentofLife
Member
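The keyword search StudentofLife describes above, as an added example that is not part of the thread or of FTK: a forensic keyword search over a raw image has to try the ASCII form of the term and its UTF-16LE form, because Windows applications (mail clients included) commonly store text as UTF-16LE, and it has to carry an overlap between read chunks so a hit straddling a chunk boundary is not missed. Each hit is reported with its byte offset and sector number, which is what lets you tell a post-wipe artifact from a pre-wipe one. The image searched here is constructed inline; the email wording is taken from the post.

```python
"""Added example: ASCII + UTF-16LE keyword search over a raw image, reporting
the absolute offset and sector of every hit (the FTK-style search in the post)."""
import io
from typing import BinaryIO, Dict, List, Tuple

SECTOR = 512
CHUNK = 1024 * 1024


def keyword_patterns(keyword: str) -> Dict[str, bytes]:
    """Byte forms a keyword search should try: plain ASCII and UTF-16LE (no BOM)."""
    return {
        "ascii": keyword.encode("ascii"),
        "utf-16le": keyword.encode("utf-16-le"),
    }


def search_stream(fh: BinaryIO, keyword: str, sector_size: int = SECTOR,
                  chunk_size: int = CHUNK) -> List[Tuple[str, int, int]]:
    """Return sorted (encoding, byte_offset, sector) triples for every hit."""
    patterns = keyword_patterns(keyword)
    # Keep the last (longest needle - 1) bytes of each chunk so a match that
    # crosses a chunk boundary is still seen in full on the next pass.
    overlap = max(len(p) for p in patterns.values()) - 1
    hits = set()
    base = 0       # absolute offset of buf[0]
    buf = b""
    while True:
        data = fh.read(chunk_size)
        if not data:
            break
        buf += data
        for enc, needle in patterns.items():
            start = 0
            while True:
                i = buf.find(needle, start)
                if i < 0:
                    break
                abs_off = base + i
                hits.add((enc, abs_off, abs_off // sector_size))
                start = i + 1
        keep = min(overlap, len(buf))
        base += len(buf) - keep
        buf = buf[len(buf) - keep:]
    return sorted(hits)


def build_sample_image() -> bytes:
    """Constructed 128-sector image with the post's email text planted in it."""
    img = bytearray(128 * SECTOR)

    def put(offset: int, blob: bytes) -> None:
        img[offset:offset + len(blob)] = blob

    put(5 * SECTOR, b"Today is Saturday, no longer the holidays")          # ASCII
    put(6 * 1024 - 10, b"no longer the holidays")                          # straddles a 1 KiB chunk boundary
    put(40 * SECTOR, "Today is Sunday, no longer the holidays".encode("utf-16-le"))  # UTF-16LE
    put(77 * SECTOR, b"Meeting moved to Monday")                           # unrelated text, must not hit
    return bytes(img)


def demo_keyword_search() -> List[Tuple[str, int, int]]:
    """Search the constructed image with a deliberately small chunk size to
    exercise the overlap logic; returns the hit list."""
    return search_stream(io.BytesIO(build_sample_image()), "no longer the holidays",
                         chunk_size=1024)


if __name__ == "__main__":
    for enc, off, sec in demo_keyword_search():
        print(f"{enc:9s} offset={off:<8d} sector={sec}")
```

On a real image, open the `.dd` file instead of the `BytesIO` and leave `chunk_size` at its default. The sector numbers are the useful part: a hit in a region that the previous zero-verification showed as 0x00 after the wipe can only have been written after that wipe, which is the distinction jaclaz's steps 5 to 8 are designed to make visible.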
 
 

Page 3 of 3