Using a virtual machine for an investigation

15 Posts
9 Users
0 Likes
1,412 Views
(@pdo08)
Posts: 2
New Member
Topic starter
 

I was wondering if there are any members on here that conduct investigations within a virtual machine? So not digital forensics on virtual machines, but using a virtual environment for conducting investigations. At the moment I use a standalone HP Z840 machine to conduct these investigations. We don't have a network available for this purpose.

I'm trying to find more information about working in local virtual environments (VMware Workstation 12 Pro, for example) and whether or not this is any good for digital forensics. My main concern is losing much of the physical system's performance when processing an image with EnCase, for example. But I'm also interested to hear the pros and cons of this virtual method.

I'm looking forward to hearing how others use their systems and whether or not you're using a virtual environment for your investigations.

Thanks!

 
Posted : 14/09/2015 5:25 pm
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

I have used them this way to get a "feel" for what the user has been doing. Logfiles and artifacts alone do not give you an "over the shoulder" view like booting up a live system in VMware does.

https://irhowto.wordpress.com/2010/07/05/booting-a-dd-image-with-vmware/

Obviously you make a working copy of the DD image first before messing with it in VMware, and you probably want to run a password recovery CD on the copied DD image to allow access.

 
Posted : 15/09/2015 12:09 am
(@bithead)
Posts: 1206
Noble Member
 

If you run a server chassis with say four Intel® Xeon® E7-8893 processors, ninety-six 16GB RDIMMs, six FusionIO cards, and some other tricked up components you would have a much more powerful platform for VMs than you would ever have in your typical workstation.

 
Posted : 15/09/2015 7:58 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

If you run a server chassis with say four Intel® Xeon® E7-8893 processors, ninety-six 16GB RDIMMs, six FusionIO cards, and some other tricked up components you would have a much more powerful platform for VMs than you would ever have in your typical workstation.

I may add unsurprisingly 😯 .

jaclaz

 
Posted : 15/09/2015 1:42 pm
(@pdo08)
Posts: 2
New Member
Topic starter
 

Thanks for the replies.

I understand that having a high-end server will provide a much more powerful platform. But I'll have to do it with a standalone workstation.

I think I have to rephrase my situation and question. My situation is as follows:
- I use a standalone HP Z840 workstation with Win7. On that machine I have installed programs like EnCase, FTK, IEF, etc.
- I currently conduct investigations on the workstation "itself". For example, making images of hard drives, adding these to EnCase or FTK, starting processing jobs in both programs and analyzing everything. Again, all on my local machine.

Now my idea was as follows:
- Instead of working on my local machine, doing everything mentioned before in a virtual environment, hosted on the physical HP Z840. This way I can use a 'clean' virtual machine for every investigation, installing EnCase and all that software on the virtual machine and doing all its processing jobs within that virtual machine.

- What is the best way to use a stand-alone system for digital investigations?
== example, working every case in a virtual machine?
== example, re-installing a system after every investigation to ensure its integrity?
- Can this method, of conducting investigations within a virtual machine, be an improvement or a better way to do investigations on a stand-alone machine?

I hope my question makes sense. Thanks.

I'm hoping to hear what others think about how to use a stand-alone system most efficiently and effectively for digital investigations where data integrity is important.

 
Posted : 16/09/2015 8:12 pm
(@bithead)
Posts: 1206
Noble Member
 

That is a completely different question.

You can easily create a baseline image of your drive with all patches, copy it off to a USB drive or network share, and write it back to disk from a Linux boot CD in about 15 minutes.

As far as the hardware, yes, I was being a bit facetious in my original response, but you can easily set up an ESX or Hyper-V environment, both at no cost, and run VMs with very little resources given up to the hypervisor. A few years ago that would have been a bit more daunting, but today it is quite simple.

 
Posted : 17/09/2015 6:02 am
(@creativestorm)
Posts: 2
New Member
 

Hi,

You could create a base VM with all software installed, then duplicate that VM when needed; just remember to keep records of the original hash so you can tell if any changes have happened.

Or what about a snapshot, which you can create in the VM once all software has been installed? Do the investigation until you are happy, then boot back to the snapshot. That way it's a clean install.

I am just a 3rd-year computer forensics student, but that's the way I would do it if I wanted a clean install each time.

 
Posted : 07/11/2015 4:40 am
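The "keep records of the original hash" step from the post above, worked through as an added example that is not code from the poster or from any of the tools named in this thread: hash every file of the base VM folder once, store the digests, and verify a copy before it is used for a new case. The folder contents, file names and the tampering step are constructed for the demo; real VMDKs are streamed in chunks the same way.

```python
"""Integrity manifest for a baseline forensic VM folder (added example, constructed data)."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so multi-GB disk images need not fit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(vm_dir: Path) -> dict[str, str]:
    """Map each file (relative to vm_dir) to its SHA-256 digest; taken once on the clean base VM."""
    return {
        str(p.relative_to(vm_dir)): sha256_file(p)
        for p in sorted(vm_dir.rglob("*"))
        if p.is_file()
    }


def verify_manifest(vm_dir: Path, manifest: dict[str, str]) -> list[str]:
    """Return names of files that were modified, removed or added since the manifest was recorded.
    An empty list means the copy still matches the recorded baseline."""
    current = build_manifest(vm_dir)
    return sorted(
        name for name in set(current) | set(manifest)
        if current.get(name) != manifest.get(name)
    )


def demo() -> tuple[list[str], list[str]]:
    """Constructed fake VM folder (tiny stand-ins, not real VMware files): one clean check, one after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        vm_dir = Path(tmp)
        (vm_dir / "base.vmx").write_text('displayName = "forensic-base"\n')
        (vm_dir / "base.vmdk").write_bytes(b"\x00" * 4096)
        # Persist the manifest as JSON (kept outside the VM folder in practice) and reload it.
        stored = json.loads(json.dumps(build_manifest(vm_dir)))
        clean = verify_manifest(vm_dir, stored)
        # Simulate an unrecorded change to the disk image, then re-verify.
        (vm_dir / "base.vmdk").write_bytes(b"\x00" * 4095 + b"\x01")
        tampered = verify_manifest(vm_dir, stored)
        return clean, tampered
```

Store the manifest somewhere the VM copy cannot write to; otherwise the manifest itself shows up as an "added" file on the next check.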
(@mark_adp)
Posts: 63
Trusted Member
 

You could also look at DeepFreeze, which freezes the state of your machines and resets it each time you restart. The advantage of this is not having to go through the often lengthy process of creating and restoring baseline builds each time but the downside is that if you save anything on the frozen disk and the machine reboots, it will be lost.

 
Posted : 08/11/2015 12:45 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

You could also look at DeepFreeze, which freezes the state of your machines and resets it each time you restart. The advantage of this is not having to go through the often lengthy process of creating and restoring baseline builds each time but the downside is that if you save anything on the frozen disk and the machine reboots, it will be lost.

JFYI, this seemingly unconnected topic is actually related:
http://www.forensicfocus.com/Forums/viewtopic/p=6579046/

jaclaz

 
Posted : 08/11/2015 6:59 pm
(@codyf)
Posts: 7
Active Member
 

Hey,

I designed and built the VM forensic environment for my previous employer; nearly all of the investigations were conducted within a virtual environment.

What I did was create a baseline image (using Windows Server 2008R2) that I fully patched and installed all the forensic tools into, then converted it to a template. Whenever a new investigation was started we spun up a new VM from the template. I updated the templates every month or so (or as necessary) and usually did a ground-up rebuild two or three times a year, so the versions were fairly recent. We had a DCE license for W2K8 so licensing wasn't a problem; this is an issue you'll have with using virtual machines. Make sure your OS licensing supports what you're doing.

Don't use VM snapshots to "revert" to a clean image. They weren't designed to be used that way and relying on them to do so can cause other problems. VMWare recommends not using them for more than a day or two in a production system. Ideally you don't want the snapshot to exceed the size of the base VMDK. A snapshot should be used in the same way you'd use System Restore on Windows to recover from a bad driver installation.

While we ran an ESX environment for forensics, I can offer a few suggestions even for local stuff:

- You can never have enough RAM. Depending on what software you're running you'll want anywhere from 8GB to 32GB allocated to the virtual machine. Most of ours had 12-16. The beauty with VMs is that you can change the RAM allocation, so if you're doing a lightweight case you can lower the RAM requirements.

- Make sure the VM is set to use cache/temp space on a solid state or other high-speed drive, just like you'd do on a hardware machine.

- Your speed is highly dependent on two factors: how fast your storage access is, and what forensic software you're running.

On the first point above, I highly recommend having only the operating system and software on the VMDK. Keep all other information on separate physical storage. This makes backing up, archiving, and future access much easier, among other reasons.

On the second point, based on my experience: FTK, forget it. Don't even try running that in a VM. It's far, FAR too heavy with too many moving pieces to get satisfactory performance in a VM. EnCase, overall, works OK, if a little slow. When I left we were in the process of using distributed processing modules for EnCase, so we were offloading the evidence processor and other tasks to a separate hardware server. That cut processing time down in the VM by more than 50%. IEF runs fairly well, but processing in it will chew up whatever VM resources are available. X-Ways by far ran the best out of all the "main" tools in a virtual environment. I never got C4ALL to run in a VM.

That's it off the top of my head. Any questions or if you want more details let me know.

 
Posted : 12/11/2015 7:19 pm