Join Us!

Forensics virtualiz...
 
Notifications
Clear all

Forensics virtualization  

  RSS
Ibernato
(@ibernato)
Junior Member

Hi,
I'm new to the world of forensics. At university I'm taking a course and I'm passionate about this subject.
We have seen the techniques for analyzing the contents of RAM, hard disk and so on.
Now I'd like to do a project on forensic cloud, in particular on virtualization.
Do you have any guide or do you know any tools to analyze the virtualized environment (Vbox for example)

Quote
Posted : 18/04/2019 2:56 pm
Omnius
(@omnius)
Junior Member

You can quite easily create a VM in VirtualBox with a hard drive image. Found Linux/Windows OS easier to VM than Mac OSX. But they can still be a bit tricky.

Here's a quick little guide for VirtualBox

1. Mount image of the HDD in FTK for example as Block Device/Writable (note the physical disk number).

2. Load up VirtualBox

3. Open Command Prompt, enter "cd C\Program Files\Oracle\VirtualBox" and execute, following that enter

"vboxmanage internalcommands createrawvmdk -filename "C\CHOOSE YOUR PATH\NAME.vmdk" -rawdisk \\.\PhysicalDrive#"

Replace the # with the drive number you noted earlier.

You should now have a VMDK created in your location of choosing. If you have an error about it being unable to create the file, run everything again as Admin.

You can now create a new VM within VirtualBox and selecting the VMDK you created as an existing drive.

Be aware that by default a shared internet connection is created, make sure that this is disabled in settings.

As for your project, maybe take a look at Microsoft OneDrive, it can create some interesting files such as reparse points etc

ReplyQuote
Posted : 18/04/2019 3:16 pm
Ibernato
(@ibernato)
Junior Member

HI,
let's see if I understood correctly.
I now have a virtual machine on which I have installed Windows 10.
Now, to do forensic analysis of the virtual machine, with FTK manager I have to create a copy of the Windows 10 image of the virtual machine.
Quite right?

ReplyQuote
Posted : 18/04/2019 4:56 pm
jaclaz
(@jaclaz)
Community Legend

Now I'd like to do a project on forensic cloud, in particular on virtualization.
Do you have any guide or do you know any tools to analyze the virtualized environment (Vbox for example)

Excuse me, but I don't get it.

VirtualBox in itself is (only) a (local) virtual machine, i.e. a software reproducing (in an as accurate way as possible) a "real" (local) machine, it is analyzed exactly (or in a very, very similar way ) as a "real" (local) machine.

Cloud is an entirely different topic/methodology/etc., and has a number of sub-topics, a virtual machine on the cloud is only one of them, see as a quick reference
https://www.techopedia.com/7/29674/networking/what-is-the-difference-between-cloud-computing-and-virtualization

Starting from Virtualbox 6.0 you can export the VM to Oracle Cloud, and there are Cloud services offering VirtualBox in the cloud, *like*
http//hostedvirtualbox.com/

jaclaz

ReplyQuote
Posted : 18/04/2019 5:12 pm
Rich2005
(@rich2005)
Active Member

I'm not entirely sure about the question, but if you have access to the files that make up the virtualized environment, ie primarily the disk image of the virtualized environment (ie a vmdk for VMWare) then most modern forensic tools, should be able to parse it for you, to examine as you would any other disk. I think they probably will too for virtualbox VDIs too (although less sure about that off the top of my head).

ReplyQuote
Posted : 18/04/2019 5:17 pm
Share: