(HEADACHE) Anyone deal with this before?

(@daman)
Topic starter

Before I jump knee-deep into this investigation that just landed on my desk, I was hoping someone has come across this before.

It appears that our suspect has used a combination of VMware and MS Virtual Server to try and hide their tracks.

We don't know yet, but we are thinking the process was
OS -> VM -> VR -> VM -> target

I need to brush up on these technologies and how they operate so I can trace it all out.

Has anyone dealt with a multi-layer environment like this?

 
Posted : 01/10/2005 1:20 am
keydet89
(@keydet89)

So, if I understand you correctly, this guy installed VMware, then installed a guest OS…within that guest OS, they installed Virtual PC, and then inside VPC, they installed VMware again?

Or are you saying that they fired up a VMWare session, and a VP session, and connected to the virtual "systems", in a stepping-stone fashion?

Either way, what are your concerns?

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

 
Posted : 01/10/2005 3:34 am
(@daman)
Topic starter

As you understood it the first time. OS inside of OS.

The concern is in actually proving that this is what occurred. Event correlation between the OSes is the challenge.

We are setting up a lab this week to play with the concept and see how and where the OSes reside and intersect.

The fact that it is Windows to Linux to Windows is a bit of a pain as well.

Our first stab will be looking at each OS on an individual basis and then manually mapping it all out.

Timezones and dates are also all over the place.

Do you see where my headache is coming from? :)

I was wondering if anyone in the community has any experience in this so we can streamline. We have a high caseload right now and this is going to bog it all down.

 
Posted : 03/10/2005 8:27 pm
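An added example, not part of daman's post or anything else in this thread, of the clock normalisation that "timezones and dates all over the place" forces on you in a nested setup: the host, the guest and the nested guest each log in their own zone and format, and each clock can be off by an amount you have to measure in the lab (for instance the guest's own boot record against the host's VM power-on record). The script converts Windows FILETIME values (NTFS $STANDARD_INFORMATION and registry LastWrite times) and classic BSD syslog stamps to UTC, subtracts a per-source skew, and sorts everything into one timeline. The host and guest names, zones, skew figure and log lines are all constructed for the demo, and the fixed UTC offsets stand in for the proper zone names (zoneinfo) you would use so that daylight-saving changes are handled.

```python
"""Added example (not from the thread): fold host, guest and nested-guest log
timestamps into one corrected UTC timeline.  All sample lines are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
FILETIME_EPOCH_DELTA = 116_444_736_000_000_000  # 100 ns ticks from 1601-01-01 to 1970-01-01
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
SYSLOG_RE = re.compile(r"^([A-Z][a-z]{2})\s+(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) (.*)$")


def filetime_to_utc(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01, always UTC) -> aware datetime."""
    return UNIX_EPOCH + timedelta(microseconds=(ft - FILETIME_EPOCH_DELTA) // 10)


def syslog_to_utc(line: str, year: int, tz: timezone) -> tuple:
    """BSD syslog stamps carry neither year nor zone; the examiner supplies both,
    taken from the system's own configuration (or from the lab if it was set wrong)."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    mon, day, hh, mm, ss, msg = m.groups()
    local = datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss), tzinfo=tz)
    return local.astimezone(timezone.utc), msg


@dataclass
class Source:
    """One clock in the stack.  skew = how far this clock runs AHEAD of true time,
    measured in the lab (e.g. guest boot record vs. the host's VM power-on record)."""
    name: str
    tz: timezone
    skew: timedelta = timedelta(0)


@dataclass
class Event:
    when: datetime      # corrected UTC
    source: str
    text: str


def normalise(src: Source, raw_utc: datetime, text: str) -> Event:
    """Remove the source clock's measured skew so every layer agrees on UTC."""
    return Event(raw_utc - src.skew, src.name, text)


def build_timeline(events: list) -> list:
    return sorted(events, key=lambda e: e.when)


# --- constructed sample data (hypothetical hosts, names and log lines) -----------
# VMware host in US Eastern daylight time (UTC-4); Linux guest whose clock was set
# to UTC+2; nested Windows guest whose clock runs 3 minutes fast.
HOST = Source("vmware-host", timezone(timedelta(hours=-4)))
GUEST = Source("linux-guest", timezone(timedelta(hours=2)))
NESTED = Source("win-nested", timezone.utc, skew=timedelta(minutes=3))

HOST_LINES = ["Oct  3 16:25:40 host vmware[4242]: powering on /vms/linux-guest/linux-guest.vmx"]
GUEST_LINES = ["Oct  3 22:27:11 linux sshd[1187]: Accepted password for root from 10.0.0.5"]
# FILETIME for 2005-10-03 20:30:16 UTC, i.e. the true 20:27:16 plus the 3-minute skew
NESTED_EVENTS = [(127_728_448_310_000_000 + 185 * 10_000_000,
                  r"MFT: C:\tools\wipe.exe $STANDARD_INFORMATION modified")]


def sample_timeline(year: int = 2005) -> list:
    evs = []
    for ln in HOST_LINES:
        evs.append(normalise(HOST, *syslog_to_utc(ln, year, HOST.tz)))
    for ln in GUEST_LINES:
        evs.append(normalise(GUEST, *syslog_to_utc(ln, year, GUEST.tz)))
    for ft, text in NESTED_EVENTS:
        evs.append(normalise(NESTED, filetime_to_utc(ft), text))
    return build_timeline(evs)


if __name__ == "__main__":
    for e in sample_timeline():
        print(e.when.isoformat(), e.source, e.text)
```

Run it and the three events come out in host, guest, nested order, 20:25:40 / 20:27:11 / 20:27:16 UTC, even though the raw stamps read 16:25, 22:27 and 20:30. Record the skew and zone you assumed for each layer next to the timeline; those assumptions are the first thing opposing counsel will ask about.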
keydet89
(@keydet89)

Do you see where my headache is coming from?

Not especially. Don't get me wrong…I do see this as a challenge, but as long as you follow a documented, meticulous methodology, I would see this more as a battle of wits and skill, not a headache.

However, I do see this possibly being a headache for you, given how you've presented this information from the beginning. Your original post presented an overview and asked if anyone had "delt[sic] with a muli-layer[sic] enviorment[sic] like this" and the picture was pretty vague at that point. In your most recent post, you're more specific…"The fact that it is Windows to Linux to Windows is a bit of a pain as well."

As you said, you've got a high case load right now, but if you want to do this one right, your boss is going to have to make the time for it. The fact that this is not only a Chinese box-VM session puzzle, with a VM session inside a VM session, etc., but that you've got mixed operating systems…well, I'm sure you know where to look in each platform, so it's simply a matter of being methodical and precise.

Will it take time? Yes. Do I envy you? Oh, most definitely! To have the opportunity to address a situation like this is truly rare, and you've got a great opportunity to do it right. Sure, the time zone information, as you say, is all over the place…which tells me that you've already looked at things…but that simply forces you to be more exact.

Remember, the bad guys have technical ability and ease/speed of communications over the good guys. The one thing the good guys have in our favor is being methodical, following exacting processes, and taking the time to be thorough. Do that, and base your decisions on demonstrable, verifiable facts, and you're golden!

Good luck, my friend! Please feel free to post any questions you may have along the way.

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com

 
Posted : 03/10/2005 11:02 pm
(@daman)
Topic starter

I know, it's just as if there are 4 boxes I need to look at, but the VOS does present extra challenges.

The info I know so far has not been gained from looking at the box but from the client's initial assessment by their security team. I don't know what I will have to play with, or how much has been trampled over.

In any case, as you pointed out, it will be a learning opportunity. I have never worked with a virtual OS before.

 
Posted : 04/10/2005 1:16 am
(@auger)

Working with a virtual OS isn't that hard. What may be hard is undoing any measures taken to cover tracks. It is very easy to create a master image with all your favorite hacking tools and then clone it for each session. Once the session ends, run your favorite disk wipe tool and all local evidence is gone.

The extra nesting is a bit excessive, but if your suspect used a disk wipe tool inside each virtual session, I wish you the best of luck.

 
Posted : 04/10/2005 5:01 am
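An added example (mine, not auger's, and not from anywhere in this thread) of where to look when a wipe tool has run inside the guest: the guest's disk is only a set of files on the layer below, and those files carry their own metadata that the wipe never touched. A VMware snapshot leaves a delta .vmdk whose plain-text descriptor names its parent disk, so you can walk the chain back to the base image; a Virtual PC / Virtual Server .vhd ends in a 512-byte footer that records the creator application, whether the disk is fixed, dynamic or differencing, a creation time stamp (seconds since 2000-01-01 UTC) and a checksum. The parser below reads both. The descriptor text and the footer bytes are constructed for the demo; the field layout follows the published VHD format specification, and the parent name of a differencing VHD, which lives in the dynamic disk header rather than the footer, is not parsed here.

```python
"""Added example (not from the thread): read the host-side metadata of VMware
(.vmdk descriptor) and Microsoft Virtual PC/Server (.vhd footer) disks to
recover snapshot chains and image creation times.  Sample data is constructed."""
import re
import struct
from datetime import datetime, timedelta, timezone

VMDK_EXTENT_RE = re.compile(r'^(RW|RDONLY|NOACCESS)\s+(\d+)\s+(\w+)\s+"([^"]+)"')
VHD_FOOTER = struct.Struct(">8sIIQI4sI4sQQIII16sB427s")  # 512-byte footer, big-endian
VHD_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)      # VHD time stamps count from here
VHD_DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}
VMDK_KEYS = {"CID": "cid", "parentCID": "parent_cid",
             "createType": "create_type", "parentFileNameHint": "parent"}


def parse_vmdk_descriptor(text: str) -> dict:
    """VMware text descriptor: disk identity (CID), link to the parent snapshot
    (parentCID / parentFileNameHint) and the extent files that hold the data."""
    info = {"cid": None, "parent_cid": None, "create_type": None, "parent": None, "extents": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = VMDK_EXTENT_RE.match(line)
        if m:
            access, sectors, kind, path = m.groups()
            info["extents"].append({"access": access, "sectors": int(sectors),
                                    "type": kind, "file": path})
        elif "=" in line:
            key, _, val = line.partition("=")
            key, val = key.strip(), val.strip().strip('"')
            if key in VMDK_KEYS:
                info[VMDK_KEYS[key]] = val
    return info


def vmdk_chain(descriptors: dict, start: str) -> list:
    """Follow parentFileNameHint links from a snapshot delta back to the base disk.
    A parent that is named but missing is listed last; cycles stop the walk."""
    chain, cur = [], start
    while cur is not None and cur not in chain:
        chain.append(cur)
        cur = parse_vmdk_descriptor(descriptors[cur])["parent"] if cur in descriptors else None
    return chain


def vhd_checksum(footer: bytes) -> int:
    """One's complement of the byte sum, taken with the checksum field (bytes 64-67) zeroed."""
    return (~sum(footer[:64] + b"\0\0\0\0" + footer[68:])) & 0xFFFFFFFF


def parse_vhd_footer(footer: bytes) -> dict:
    """Last 512 bytes of a .vhd: creator, disk type, creation time, and whether the
    stored checksum still matches (a tampered or truncated footer will not)."""
    if len(footer) != VHD_FOOTER.size:
        raise ValueError("VHD footer must be exactly 512 bytes")
    f = VHD_FOOTER.unpack(footer)
    if f[0] != b"conectix":
        raise ValueError("missing 'conectix' cookie: not a VHD footer")
    return {
        "creator_app": f[5].decode("ascii", "replace").strip(),  # 'vpc' Virtual PC, 'vs' Virtual Server
        "creator_os": f[7].decode("ascii", "replace").strip(),
        "disk_type": VHD_DISK_TYPES.get(f[11], f"unknown({f[11]})"),
        "original_size": f[8],
        "created_utc": VHD_EPOCH + timedelta(seconds=f[4]),
        "uuid": f[13].hex(),
        "saved_state": bool(f[14]),
        "checksum_ok": f[12] == vhd_checksum(footer),
    }


def make_vhd_footer(disk_type: int, created: datetime, creator: bytes = b"vpc ") -> bytes:
    """Constructed sample footer with a valid checksum (demo input, not a real image)."""
    fields = [b"conectix", 2, 0x00010000,
              0xFFFFFFFFFFFFFFFF if disk_type == 2 else 512,   # data offset: none for fixed disks
              int((created - VHD_EPOCH).total_seconds()), creator, 0x00050003, b"Wi2k",
              2 * 1024 ** 3, 2 * 1024 ** 3, 0, disk_type, 0, bytes(16), 0, bytes(427)]
    fields[12] = vhd_checksum(VHD_FOOTER.pack(*fields))
    return VHD_FOOTER.pack(*fields)


SAMPLE_DESCRIPTORS = {  # constructed: a snapshot delta and the base disk it points at
    "linux-guest-000001.vmdk": '''# Disk DescriptorFile
version=1
CID=8a1b2c3d
parentCID=fffffffe
createType="monolithicSparse"
parentFileNameHint="linux-guest.vmdk"
RW 4192256 SPARSE "linux-guest-000001.vmdk"
''',
    "linux-guest.vmdk": '''# Disk DescriptorFile
version=1
CID=fffffffe
parentCID=ffffffff
createType="twoGbMaxExtentSparse"
RW 4192256 SPARSE "linux-guest-s001.vmdk"
RW 2048 SPARSE "linux-guest-s002.vmdk"
ddb.adapterType = "ide"
''',
}
SAMPLE_VHD_FOOTER = make_vhd_footer(4, datetime(2005, 10, 3, 20, 27, 11, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(vmdk_chain(SAMPLE_DESCRIPTORS, "linux-guest-000001.vmdk"))
    print(parse_vhd_footer(SAMPLE_VHD_FOOTER))
```

The practical point: a delta file that still exists on the host holds the guest's blocks as they were before the wipe, and a base or parent image named in a descriptor but missing from the directory is itself a finding. Compare the VHD creation stamp and the host filesystem's own timestamps on these files with the guest-side events you have; they come from different clocks, so normalise them first.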
keydet89
(@keydet89)

I have never worked with the virtual OS before.

Well, there's very little difference (for the most part) between the real Windows/Linux, and one loaded into a virtual session. Everything plays the same way.

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com

 
Posted : 04/10/2005 7:18 am
(@daman)
Topic starter

Yeah, we now have a lab setup. I can now see what you two have told me, there is no visual difference. It's kinda cool actually.

 
Posted : 04/10/2005 6:33 pm
keydet89
(@keydet89)

there is no visual difference

Well, yeah, but it's more than that…file and Registry key writes still occur using the same APIs, etc. Everything's pretty much the same. One difference is, however, that some malware can detect the fact that it's running in a VM rather than on a standalone machine. Other than that, though, there really isn't much difference.

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com

 
Posted : 04/10/2005 7:32 pm
arashiryu
(@arashiryu)

Found a resource for Virtual Machine forensics.

http://www.thetrainingco.com/agenda/agenda.cgi?c=TF-2005

Toward the middle of the page on Nov 28th there is a reference / lab for Virtual machine Forensics

"Virtual Machine Forensics—Dealing with Irregular Data by Tomas Castrejon - Deloitte & Touche"

Didn't get a chance to Google "Tomas Castrejon", but it seems like he would be a good resource for the challenge you are encountering.

 
Posted : 05/10/2005 6:39 pm