Recoverability of data from virtual machine - advice needed
Post Posted: Tue Feb 21, 2017 7:55 am

Hello all,

I'm a university student writing my dissertation on virtual machines; specifically what can be recovered from a VM (using VMware Workstation 12.5)

My dissertation will be in 3 parts:

1 - Incorrectly and correctly turning off a VM and analysing the data which can be retrieved from both using FTK Toolkit 6.0 (inspired by a paper conducted by Richard Bares - Hiding in a Virtual World Using Unconventionally Installed Operating Systems)

2 -

3 - Creating a framework for investigators who encounter VM's at an investigation

I have left number 2 blank as this is where I'm stuck.
I know that I would like to conduct certain activities in the VM (such as downloading pictures, using the internet, sending money, changing date/time on files etc) but I'm not sure what to do with this information.

My supervisor suggested using predictive coding to extract data from the VM.
I'm thinking about creating a script to either detect the presence of a VM on a Windows machine or to extract data from a VM.

I'd just like some thoughts/inputs about these 3 ideas and anything else I could possibly do to improve this.

Thank you in advance  

StudentofLife
Member

Re: Recoverability of data from virtual machine - advice nee

Post Posted: Tue Feb 21, 2017 2:51 pm

I am not entirely following you.

A virtual machine doesn't exist (it is virtual ;) ) but is composed of:
1) a virtual hardware (that doesn't as well exist) which is the program that makes the machine virtually exist, the VmWare Workstation
2) some settings for it (usually in the form of a "real" settings file, like a .ini or a .xml, etc.)
3) one or more virtual disk(s) and other virtual devices, such as a virtual floppy drive or a virtual CD drive (that also do not really exist if not within the realms of the VM) where the OS is installed or however runs, but that do exist in the form of backing file(s), typically a .ima for floppy, .iso for CD/DVD, .vmdk for disk (in VmWare).

The sheer moment the VM is off, all you have remaining is these "backing files", which can however be mounted (or accessed) by using a number of dedicated existing tools or drivers, as they are (or can be converted to) RAW images of the corresponding virtual device.

Once you can access these files, they are RAW images exactly like the ones you can take out of "real" devices, and the way they can be analyzed/information retrieved is not in any way different from the way you would analyze an image of a "real" disk (or floppy, or CD) coming from a "real" machine/PC (which is BTW the only thing you can get once the machine/PC is off).

Can you expand on what you believe would be different from analyzing a "real" machine disk?

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member

Re: Recoverability of data from virtual machine - advice needed

Post Posted: Tue Feb 21, 2017 3:21 pm

Dissertation ... what kind of dissertation?

- StudentofLife
I have left number 2 blank as this is where I'm stuck.
I know that I would like to conduct certain activities in the VM (such as downloading pictures, using the internet, sending money, changing date/time on files etc) but I'm not sure what to do with this information.


Well, is that of any interest? It seems it would be the same kind of traces found on non-virtual machines -- and it's not obvious that the added layer of virtuality provides anything interesting, at least not at first look.

I mean, I'd just mount the virtual disk, and then treat it as a normal disk. If anything prevents me from doing so, it would be interesting. Or if there's anything that I wouldn't 'see' ...

The virtual disk itself might be interesting: especially if it's an 'expand at need' disk, where blocks aren't 'present' until they're written to, and then remain. (Or do they remain? Perhaps the VM is TRIMming?) What does go on on the virtual disk level?

Perhaps the virtual disk does something interesting with blocks: they could in theory be moved around and remapped, and I wouldn't notice ... but that requires either analyzing the file format of a virtual disk, as well as analyzing the run-time handling of blocks.

- StudentofLife
My supervisor suggested using predictive coding to extract data from the VM.
I'm thinking about creating a script to either detect the presence of a VM on a Windows machine or to extract data from a VM.

Predictive coding I associate with ediscovery: a method for discovering important documents. But it seems that it is just as well done by mounting the virtual disk using normal tools, and then do it as if it was a physical disk. The VM layer is just a mild inconvenience, if even it is that.  

athulin
Senior Member

Re: Recoverability of data from virtual machine - advice nee

Post Posted: Wed Feb 22, 2017 2:43 pm

Hello jaclaz,

First of all, thank you for taking the time out to respond.

My motivation for writing this paper came from a few articles which said that crimes committed using VM's are on the increase. Suspects think that they can simply delete the VM's files and all trace of their activities are deleted with it. I wanted to see how true this is.

- jaclaz
Can you expand on what you believe would be different from analyzing a "real" machine disk?


The difference is that a VM’s disk doesn’t really exist whereas a real machine’s…does. Whereas a physical drive requires a connection to another physical drive, a VM’s disk is a bunch of files. So if these are deleted, are all traces of activities conducted in the VM deleted along with it? What exactly can/cannot be recovered?

When you delete a file on a physical disk, Windows removes the pointer and marks the sectors containing the file’s data as available, this can then be overwritten as you continue to use the machine. My experiments involved me creating a VM, installing an OS, conducting activities within it, imaging it, deleting the VM from disk, then creating a new VM with the above steps. So in theory, the data from the previous VM’s should’ve been overwritten – just like it is from a Windows hard disk. However, during my analysis of each VM I have been able to find information in a VM, linked to its predecessor(s).

Therefore, it would seem that the data from VM’s are even more recoverable than from a physical hard drive (I’m not yet in a position to say this with complete conviction).

I hope this answers your question. I understand that a VM is a virtual computer and therefore it won’t be very different from an actual, physical PC. But there are people who believe that the contents of a VM are unrecoverable – I hope to dispel the myth.

P.S. Based upon this advice I will no longer be creating a framework for approaching a VM at a crime scene. Thank you.  

StudentofLife
Member

Re: Recoverability of data from virtual machine - advice needed

Post Posted: Wed Feb 22, 2017 2:45 pm

Hello athulin,

First of all, thank you for taking the time out to respond.

It is a dissertation for my third year undergraduate degree of Computer Forensics.

- athulin
I mean, I'd just mount the virtual disk, and then treat it as a normal disk. If anything prevents me from doing so, it would be interesting.


I’ve had a few issues doing this. I’ve copied the VM files from my testing drive and proceeded to open the VM on a different drive, using the same version of VMWare Workstation. All is well for 6 – 8 minutes then the VM shuts down with an error message telling me that 1 of the VMDK’s is missing, even though I’ve copied the whole folder and double checked that the contents are the same.

- athulin
Or if there's anything that I wouldn't 'see' ...


I’ve not tried to see whether there is any difference between the data that you get when you mount the virtual disk and image it live and when you process the dead VMDK through FTK Toolkit. But it is an idea and I thank you.

- athulin
The virtual disk itself might be interesting: especially if it's an 'expand at need' disk, where blocks aren't 'present' until they're written to, and then remain. (Or do they remain? Perhaps the VM is TRIMming?) What does go on on the virtual disk level?


Can I assume that this is what you mean by TRIM?
searchsolidstatestorag...ition/TRIM

Finally, do you think that a script to either extract data from a VM/detect a VM would be helpful at all?

Thank you.  

StudentofLife
Member

Re: Recoverability of data from virtual machine - advice needed

Post Posted: Thu Feb 23, 2017 11:38 am

- StudentofLife
It is a dissertation for my third year undergraduate degree of Computer Forensics.


Thanks -- that helps put it into perspective.

- StudentofLife
I’ve had a few issues doing this. I’ve copied the VM files from my testing drive and proceeded to open the VM on a different drive, using the same version of VMWare Workstation. All is well for 6 – 8 minutes then the VM shuts down with an error message telling me that 1 of the VMDK’s is missing, even though I’ve copied the whole folder and double checked that the contents are the same.


Did you figure out what the problem was? In the cases I've seen this, it has always involved confusion in the mind of the FA: confusing the folder with the virtual machine. To lessen the risk of that kind of confusion, help would be useful, admittedly. But then, it could just be something that parses the main VM file to say: 'these files constitute the VM'.

- StudentofLife
Can I assume that this is what you mean by TRIM?

Yes. A VM might benefit from an operating system issuing TRIM commands, and use those to deallocate blocks. That's one of those things that seem to be technically possible, but I have no idea if it actually happens or not. But if it happens, it is important to know.

- StudentofLife
Finally, do you think that a script to either extract data from a VM/detect a VM would be helpful at all?


In the right context. By which I mean something on the line of:

1. What files constitute parts of VMs? (All VMs, current as well as obsolete, workstation VMs as well as server VMs. Could be just the top 10 VMs, based on good statistics, but preferably as many as possible.)

2. What tools already exist to find those files? (In forensic toolkits, as well as stand-alone products. Or closely-related products, such as the file(1) command and its database. In normal file systems as well as in sectors from deleted files.)

3. How well do those tools do? Do they reach 100%? Or are there significant omissions in coverage?

If the last question has 'yes' for an answer, then I would think additional tool/tools are called for.

First, to identify all files belonging to one VM.

To extract those files is a slightly different question: In a normal file system, just getting the files identified is often enough help -- extracting the files can be done by any suitable method, as long as the output from the 'identifier' can be reused. To extract them by other means ... probably needs careful thinking over.  

athulin
Senior Member

Re: Recoverability of data from virtual machine - advice nee

Post Posted: Thu Feb 23, 2017 3:30 pm

- StudentofLife

My motivation for writing this paper came from a few articles which said that crimes committed using VM's are on the increase. Suspects think that they can simply delete the VM's files and all trace of their activities are deleted with it. I wanted to see how true this is.


Sorry, if I'm wrong, but it seems to me that you're not fully aware of the known limitations of VM storage isolation.

Basic "hacking manuals" advise perpetrators to use an encrypted VM. This is because the virtual disk abstraction layer itself doesn't hide anything. From the perspective of examining a host file system, virtual disks on this file system impose two main issues: relativity of file system specification and block addressing.

Therefore, a file carving process will regularly penetrate most (monolithic, unencrypted) virtual disk structures residing on the volume which it is applied to. This is maybe a point to focus on, since you're obviously at risk to mix up the findings, if you miss the existence of (deleted) VM storage in a carving scenario.

You see, my recommendation basically is to leave aside the examination of an intact VM image, because it is not structurally different from a physical volume. It becomes interesting when you try to, are forced to or simply unwittingly analyse the VM storage contents together with the host file system.

The reason you give for examining a VM image (if I get it correctly) is that you'd like to find remains of other/previous VMs in that image, and you already did. Strange things happen, and I don't want to deny that this may be the case in some situations. Indeed, it would be very interesting if you encountered one. But generally speaking, this is impossible under the provision of a "proper" VM storage setup and not injecting data into the VM storage with host permissions. It probably indicates the use of an unfit disk creation procedure/tool and, due to the massive security implications, can't be expected to be the default behaviour of a vendor supported configuration or tool.

C.R.S.
Senior Member
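Two points in the thread lend themselves to a small worked example: athulin's "something that parses the main VM file to say: 'these files constitute the VM'", and C.R.S.'s remark that a virtual disk on a host file system only adds relativity of block addressing. The Python below is an added illustration, not code from any poster or from VMware: it lists the backing files named in a .vmx and the extents named in a .vmdk descriptor, and translates a guest sector number into a host file and byte offset across flat extents. The .vmx and descriptor text are constructed, and the descriptor's trailing offset field is assumed to be in 512-byte sectors.

```python
"""List the files that make up one VMware VM and map a guest sector to a host
file offset.  All inputs below are constructed, not taken from a real VM."""
import re
from collections import namedtuple
SECTOR = 512
Extent = namedtuple("Extent", "access sectors kind path offset")
# Constructed .vmx fragment; every *.fileName key names a backing file.
VMX = '''displayName = "testvm"
scsi0:0.fileName = "testvm.vmdk"
ide1:0.fileName = "install.iso"
floppy0.fileName = "boot.ima"
'''
# Constructed two-extent flat descriptor (twoGbMaxExtentFlat layout).
VMDK = '''# Disk DescriptorFile
version=1
createType="twoGbMaxExtentFlat"
# Extent description
RW 4192256 FLAT "testvm-f001.vmdk" 0
RW 2048 FLAT "testvm-f002.vmdk" 0
'''

def vmx_backing_files(text):
    """Values of every *.fileName key in a .vmx (disks, ISOs, floppies)."""
    return re.findall(r'^\s*[\w:]+\.fileName\s*=\s*"([^"]+)"', text, re.M)

def vmdk_extents(text):
    """Parse extent lines: ACCESS SECTORS TYPE "file" [offset]."""
    pat = re.compile(r'^(RW|RDONLY|NOACCESS)\s+(\d+)\s+(\w+)\s+"([^"]+)"'
                     r'(?:\s+(\d+))?', re.M)
    return [Extent(a, int(n), k, p, int(o or 0)) for a, n, k, p, o in pat.findall(text)]

def vm_files(vmx_text, descriptors):
    """Every file constituting the VM: backing files named in the .vmx plus
    the extents named by each descriptor (dict of descriptor path -> text)."""
    files = set(vmx_backing_files(vmx_text))
    for path, text in descriptors.items():
        files.add(path)
        files.update(e.path for e in vmdk_extents(text))
    return sorted(files)

def guest_sector_to_host(text, lba):
    """Map a guest LBA to (extent file, byte offset) for FLAT extents.  The
    descriptor's offset field is taken to be in sectors (an assumption)."""
    base = 0
    for e in vmdk_extents(text):
        if base <= lba < base + e.sectors:
            if e.kind != "FLAT":
                raise ValueError(f"{e.kind} extents need format-specific parsing")
            return e.path, (e.offset + lba - base) * SECTOR
        base += e.sectors
    raise ValueError("LBA beyond the virtual disk")
```

Sparse (growable) extents are deliberately rejected rather than mapped, since their grain tables would need the format-specific parsing athulin alludes to.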