Recoverability of data from virtual machine - advice needed

21 Posts
5 Users
0 Reactions
4,406 Views
(@studentoflife)
Active Member
Joined: 8 years ago
Posts: 15
Topic starter  

Hello jaclaz,

Thank you for taking the time to respond.

If you do the same in a VM, then delete the virtual disk, the small text file is still there and can be found (in the "free space" of the physical disk), but of course before looking for it you would probably first be looking for the virtual disk backing file, and if you find and can mount the volume you are exactly in the same situation as on the real PC (you know where to look for the file, i.e. know the extents that represent the "free space" in the filesystem on the virtual disk).

1 query to this beautiful explanation

At one point my host OS got corrupted. I then reinstalled the OS on my host, created a VM in VMware Workstation, installed an OS onto this, sent 3 emails within the VM, imaged the host, extracted the VM, imaged the VMDK in FTK Imager + Toolkit and I'm able to find traces of the email I sent in the VM which was active before the corruption occurred - how? Wouldn't a reinstall properly wipe everything? SN I didn't click the option to keep all files + data


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

1 query to this beautiful explanation

At one point my host OS got corrupted. I then reinstalled the OS on my host, created a VM in VMware Workstation, installed an OS onto this, sent 3 emails within the VM, imaged the host, extracted the VM, imaged the VMDK in FTK Imager + Toolkit and I'm able to find traces of the email I sent in the VM which was active before the corruption occurred - how? Wouldn't a reinstall properly wipe everything? SN I didn't click the option to keep all files + data

Well, unless you wiped the disk (or formatted the volume(s) involved on an OS Vista or later WITHOUT the /q switch) everything that is not overwritten will remain.
Even if you created a new backing file (virtual disk) for the newly installed VM, there is nothing preventing it - by chance (but not as improbable as it may seem) - from partially occupying the same extents on disk as the previous one.

You have to understand how data such as an e-mail is just a sequence of bytes written to a given address on disk.
You normally (that is what filesystems are for) access that piece of data through indexing/addressing structures, but the fact that these indexing/addressing structures are removed/deleted/corrupted doesn't in any way change the actual data.
Unless something else is overwritten at that particular address the previous data remains there (on hard disks, SSD's may behave differently).

As a side note what most people use in VM's (and that should NEVER be used, unless in certain given setups when there is a reason for using them ) are "growable" or "dynamic" virtual disks, i.e. files that are not of a fixed size but that can expand automatically in case of need, and in such cases there is an added risk of having a fragmented backing file on the host filesystem (which consequently increases the probability of having traces of the contents of the virtual disk scattered anywhere on the "real" disk).

To give you an example (intentionally extreme), let's say that you are using a "real" machine with - for the sake of the example - 2 Gb of RAM and a 40 Gb hard disk (old, I know) on which you freshly install (on a 00ed or "wiped" disk) as "host" OS Windows 7 32 bit using the "standard" install.
Likely, you will have
100 or 200 Mb occupied by the "boot" volume (what the good MS guys call "system")
39.8 Gb occupied by the "system" volume (what the good MS guys call "boot")
Of this latter, Windows 7 and a few programs, including the VM software, will occupy roughly 18 Gb, let's say to round up numbers 17.8
You have remaining 22 Gb of disk space, from which you have to subtract, let's say, 2 Gb for the pagefile.sys, and 1.5 Gb for hiberfil.sys.
You have remaining roughly 18.5 Gb.
Now you create a 15 Gb virtual disk and install to it - still say - a XP 32 bit.
From this VM you send a number of emails (or do any activity).
Then your Windows 7 gets corrupted and you re-do the same thing from start.

What is the probability that the newly created XP virtual disk (partially) overlaps the same sectors on the real disk as the previously created virtual disk?

I would say pretty high, while I would expect the chances to be pretty low that the newly sent three e-mails (or something else) overwrite the same sectors where the ones sent in the previous VM install were stored, and thus you can find traces of the "previous" e-mails by carving an image of this virtual disk.

jaclaz


UnallocatedClusters
(@unallocatedclusters)
Honorable Member
Joined: 13 years ago
Posts: 576
 

A quick question to everyone

BACKGROUND I have a case in which a 3rd party IT consultant created a VMDK virtual machine backup of the computer I am asked to investigate. The IT consultant has zero background in forensics but was trying to "preserve" the computer in case the subject later deleted evidence.

I need to recover usage of 3rd party email accounts and web browsing.

I did not work with the IT consultant to create the VMDK virtual machine so I have no clue how the IT consultant setup the backup process.

QUESTION

Can a VMDK virtual machine be created (and later examined forensically) which includes the equivalent of a full physical forensic image including unallocated space and file slack space?

If yes, then I could point Internet Evidence Finder at the VMDK files and get to work carving the PageFile, HyberFile, etc.

If no, then I need to make a physical forensic image and then use IEF.

Thanks!


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

QUESTION

Can a VMDK virtual machine be created (and later examined forensically) which includes the equivalent of a full physical forensic image including unallocated space and file slack space?

Yes/No.
Meaning that
1) a VMDK is not a virtual machine, it is an image (virtual disk) format (of which there are several types).
2) In theory it can be made BUT anyway it won't be a "proper" image (if it has been booted even once) as the OS (or the operator to have it booting) will have changed quite a lot of things to "adapt itself" to the virtual hardware. One among the various VMDK formats is actually a RAW image with an external "descriptor file", very similar to the "old" .pln format, but - depending on the tools actually used to create it - it is rarely "first choice", as normally "growable" images that include only the actually allocated sectors are used for backup.
3) Creating such a "forensic sound" VMDK would normally (since Vista I believe) imply doing that from a (BTW forensic sound) "external OS", such as a forensic Linux distro or a WinFE, which I doubt the third party IT consultant will have used.
4) Without knowing EXACTLY the steps/method/procedure used by the IT consultant (that with 99% probability will NOT be correct from a forensic point of view and will NOT include unallocated space) you simply CANNOT trust the image or its contents; it is of course "better than nothing", but you really should proceed to make a new image through the correct forensic procedures.
The good news is that a lot of artifacts (like - say - internet browsing history and similar) will likely be findable in the VMDK image alright, but you can forget about unallocated space and similar.

You will probably need anyway to make another "proper" image, and analyze both.

jaclaz
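An added example (not code from jaclaz or anyone else in this thread) for point 1) and the "Yes/No" above: the VMDK descriptor says which extent types the consultant's tool produced, so reading it is the first check before deciding whether an image can even hold unallocated space. The two descriptors below are constructed samples modelled on the VMDK descriptor grammar, not from the actual case, and the file names in them are made up.

```python
import re

# Constructed sample descriptors (VMDK descriptor grammar; not from the thread or any real case).
SAMPLE_FLAT = """# Disk DescriptorFile
version=1
createType="monolithicFlat"
RW 83886080 FLAT "ws-flat.vmdk" 0
"""
SAMPLE_SPARSE = """# Disk DescriptorFile
version=1
createType="twoGbMaxExtentSparse"
RW 4192256 SPARSE "ws-s001.vmdk"
RW 4192256 SPARSE "ws-s002.vmdk"
RW 2048 SPARSE "ws-s003.vmdk"
"""

EXTENT_RE = re.compile(r'^(RW|RDONLY|NOACCESS)\s+(\d+)\s+(\w+)\s+"([^"]*)"(?:\s+(\d+))?')
CREATE_RE = re.compile(r'^createType\s*=\s*"([^"]+)"')
# Extent types that back every virtual sector 1:1 (raw image plus external descriptor);
# any other type stores only the grains the creating tool chose to write.
FLAT_TYPES = {"FLAT", "VMFS"}


def parse_descriptor(text):
    """Return (createType, list of extent dicts) from descriptor text."""
    create_type, extents = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CREATE_RE.match(line)
        if m:
            create_type = m.group(1)
            continue
        m = EXTENT_RE.match(line)
        if m:
            extents.append({"access": m.group(1), "sectors": int(m.group(2)),
                            "type": m.group(3).upper(), "file": m.group(4),
                            "offset": int(m.group(5) or 0)})
    return create_type, extents


def assess(text):
    """Report whether the descriptor describes a sector-complete (flat) image."""
    create_type, extents = parse_descriptor(text)
    sparse = [e for e in extents if e["type"] not in FLAT_TYPES]
    total = sum(e["sectors"] for e in extents)
    return {"createType": create_type, "total_sectors": total,
            "total_bytes": total * 512, "sparse_extents": len(sparse),
            "sector_complete": bool(extents) and not sparse}
```

A flat result only means the container can carry every sector; whether the consultant's tool actually copied the whole device (rather than allocated blocks only) still has to be established from the procedure used.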


UnallocatedClusters
(@unallocatedclusters)
Honorable Member
Joined: 13 years ago
Posts: 576
 

Thanks Jaclaz!

I recommended a full physical image be made of the workstation to my client.


(@c-r-s)
Estimable Member
Joined: 14 years ago
Posts: 170
 

At one point my host OS got corrupted. I then reinstalled the OS on my host, created a VM in VMware Workstation, installed an OS onto this, sent 3 emails within the VM, imaged the host, extracted the VM, imaged the VMDK in FTK Imager + Toolkit and I'm able to find traces of the email I sent in the VM which was active before the corruption occurred - how? What could be deemed an 'unfit disk creation procedure/tool' in these scenarios?

During disk creation, the space allocated to the (fixed size) virtual disk file is usually zeroed. VPS and cloud providers had some huge problems otherwise. I don't use VMware Workstation on a regular basis, but doesn't it do the same (even as a desktop, not infrastructure product)? Some third party tools surely create fixed size VM disks without zeroing, which I described as unfit.


(@studentoflife)
Active Member
Joined: 8 years ago
Posts: 15
Topic starter  

Thank you so much for all of your help!
I really appreciate it and I realise that I have a lot to learn…1 step at a time
Thank you again!


(@studentoflife)
Active Member
Joined: 8 years ago
Posts: 15
Topic starter  

During disk creation, the space allocated to the (fixed size) virtual disk file is usually zeroed. VPS and cloud providers had some huge problems otherwise. I don't use VMware Workstation on a regular basis, but doesn't it do the same (even as a desktop, not infrastructure product)? Some third party tools surely create fixed size VM disks without zeroing, which I described as unfit.

Apparently not - but thank you for bringing this to my attention. It's definitely something that I'll look into.


(@studentoflife)
Active Member
Joined: 8 years ago
Posts: 15
Topic starter  

Hello all,

I know the topic was dead but I have good reason to revive it.
As recommended, I wiped the hard drive with DBAN using the Mersenne Twister with 3 passes,
I installed the Windows 10 Home OS, installed VMware Workstation, created VM1, conducted activities within it such as sending emails and saving pictures and then imaged the host.
When analysing it in FTK Toolkit I found hits for only VM1. Fine.

I then wiped the drive again using the Mersenne Twister with 3 passes, I installed the Windows 10 Home OS, installed VMware Workstation, created VM2, conducted activities within it such as sending emails and saving pictures and then imaged the host.
I could find emails sent in VM1.

My theory was that this happened because I used the same Outlook account to send the emails in both VM1 and VM2, and as Windows downloads emails to the device then it was just FTK Toolkit picking up these downloaded emails. But if that was the case then I'd be able to recover data from VM's created before the DBAN wipe, and I couldn't.

I found this page https://sourceforge.net/p/dban/feature-requests/19/
And the user states that wiped data can be recovered from the Mersenne Twister low-level "substraction" (not sure what this is to be honest)

A little guidance would be appreciated


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

As recommended, I wiped the hard drive with DBAN using the Mersenne Twister with 3 passes …

As recommended by WHOM, WHERE?

NO ( that is NO as in NO, NIL, ZERO, ZILCH) data can be recovered after a SINGLE overwrite pass (let alone three).

Sure if you use a program, any program, that re-downloads data after the wipe, you will find the re-downloaded data (but that WON'T be the previous data, that will be a NEW copy of the SAME data).

Whatever is the Mersenne Twister, and whatever you read anywhere, once data is overwritten (if it is overwritten) it STAYS overwritten.

JFYI DBan is a nice tool developed and used mainly by people that are needlessly paranoid about their data and security, some on the border of conspirationism. 😯

All the fuss and discussions about the possibility to recover overwritten data (SINGLE pass of 00's, you don't need any fancy algorithm, you don't need more than one SINGLE pass of simple 0's or 1's if you prefer ;) ) are about highly technical (and largely mythical) hardware methods involving Magnetic Force Microscopes, self standing platter mounts with special arms and heads, mega-para-super-nuclear-devices, etc.

NO (that is NO as in NO, NIL, ZERO, ZILCH) software can recover overwritten data, and in your case you didn't even ATTEMPT the recovery.

Follow me please :)
1) Simply wipe your disk (one SINGLE pass of 00's).
2) Verify that all sectors are 00's,
3) Do whatever you need to do on that disk, install the OS, the vm, etc..
4) Simply wipe your disk again (one SINGLE pass of 00's).
5) Verify that all sectors are 00's.
6) NOW check what FTK can find. (it will find NOTHING)
7) Do whatever you need to do on that disk, install the OS, the vm, etc. again.
8) Check what FTK can find again. IF it finds anything, that will have been created/downloaded/etc. DURING or AFTER step #7

jaclaz
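An added example (not part of jaclaz's or c-r-s's posts) for steps 2) and 5) above, and for c-r-s's point that a fixed-size virtual disk should come out zeroed on creation: a scanner that walks a raw disk or image and reports every sector that is not all 00s. The sample image is constructed inside the script; the path to a real device or image is yours to supply and is an assumption here.

```python
import os
import tempfile

SECTOR = 512


def find_nonzero_sectors(path, chunk_size=1 << 20, max_report=8):
    """Scan a raw disk or image and report sectors that are not all 0x00.

    `path` is the device or image to check (e.g. a raw dd image; the real
    path is an assumption you supply). Returns the sector count, how many
    sectors hold non-zero bytes, the LBAs of the first few, and a `clean`
    flag that is True only when every sector is zero, i.e. the wipe (or the
    freshly created fixed-size virtual disk) really left nothing behind.
    """
    assert chunk_size % SECTOR == 0, "chunks must stay sector aligned"
    nonzero, first, offset = 0, [], 0
    with open(path, "rb") as f:
        while True:
            buf = f.read(chunk_size)
            if not buf:
                break
            # Cheap whole-chunk test first; walk sectors only when needed.
            if buf.count(0) != len(buf):
                for i in range(0, len(buf), SECTOR):
                    sec = buf[i:i + SECTOR]
                    if sec.count(0) != len(sec):
                        nonzero += 1
                        if len(first) < max_report:
                            first.append((offset + i) // SECTOR)
            offset += len(buf)
    return {"sectors": (offset + SECTOR - 1) // SECTOR, "nonzero": nonzero,
            "first_nonzero_lbas": first, "clean": nonzero == 0}


def make_sample_image(total_sectors, dirty_lbas):
    """Constructed sample: a zero-filled image with residue planted in a
    few sectors, standing in for a disk that was not fully overwritten."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.truncate(total_sectors * SECTOR)     # zero-filled (sparse) file
        for lba in dirty_lbas:
            f.seek(lba * SECTOR + 7)
            f.write(b"From: residue@example.invalid")   # constructed residue
    return path


if __name__ == "__main__":
    img = make_sample_image(4096, [0, 1000, 4095])
    print(find_nonzero_sectors(img, chunk_size=4096))
    os.remove(img)
```

Run it against the device (or a dd image of it) after step 1) and again after step 4); anything FTK carves later can then be matched against a scan that reported `clean: True`.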


Page 2 / 3