Live VM server forensic acquisition

(@thecableguy)
Active Member
Joined: 11 years ago
Posts: 12
Topic starter

Hi everyone,

I've read quite a few topics on this site as well as on others but didn't actually get a clear answer.

Scenario Company ABCD calls because their webserver got compromised. They run the webserver in the cloud as a VM (managed by vSphere). The system is currently running.

I am confused about the process of the forensic acquisition. I read that by suspending the machine, its memory is dumped into a file and all the VM files can then be considered forensically sound.

Is that true?

Also, do you disconnect the network before doing so? Do you do anything on the server before the acquisition?

Thanks in advance,

Any help appreciated.
(@c-r-s)
Estimable Member
Joined: 14 years ago
Posts: 170

My experience with vSphere is superficial, but I think only a snapshot will create dedicated RAM dumps (VMSN and VMEM files), not a suspend operation.

I'd avoid doing anything on the machine in general. The network connection should definitely not be interrupted (unless absolutely necessary for network security).
(@thecableguy)
Active Member
Joined: 11 years ago
Posts: 12
Topic starter

Thanks for your reply.

Regarding the network, you cannot know if the attacker is exfiltrating data at the very moment you discover it. Based on this, wouldn't it make more sense to take a snapshot of the memory asap and then drop the connection? This way you will have the memory dump to investigate the active connections at the moment of acquisition and also minimize damage by blocking further access to the server.

(@c-r-s)
Estimable Member
Joined: 14 years ago
Posts: 170

Thanks for your reply.

Regarding the network, you cannot know if the attacker is exfiltrating data at the very moment you discover it. Based on this, wouldn't it make more sense to take a snapshot of the memory asap and then drop the connection?

Yes, that's what I meant to say. Exfiltration is not a network security concern in this sense (only a danger for other machines). The active connections are usually known from network monitoring, but RAM can help, of course. What I had in mind is that non-persistent malware will often blot out its traces if you cut the connection.
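The order the two posters settle on (memory-inclusive snapshot while the guest is still running and connected, then isolation, then preservation of the .vmsn/.vmem artefacts) as an added PowerCLI example, not code from this thread. The vCenter host name, VM name and output folder are placeholders; it assumes VMware PowerCLI on an analyst workstation, never run from inside the compromised guest.

```powershell
# Added example (not from the thread). Placeholders: vCenter host, VM name, output path.
Import-Module VMware.PowerCLI -ErrorAction Stop
$vc = Connect-VIServer -Server 'vcenter.example.internal'   # placeholder, prompts for credentials
$vm = Get-VM -Name 'web01'                                   # placeholder VM name
$stamp = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')

# 1. Memory-inclusive snapshot first, while the guest still runs and is still on the network.
#    -Memory makes vSphere write the .vmsn/.vmem pair next to the VM files in the datastore.
#    No quiescing: we do not want guest-side tools touching the compromised OS.
$snap = New-Snapshot -VM $vm -Name "IR-$stamp" -Description 'Incident acquisition' -Memory -Quiesce:$false

# 2. Only now isolate the guest: disconnect its vNICs at the hypervisor, without powering it off,
#    so the in-memory state captured above is what the investigation sees.
Get-NetworkAdapter -VM $vm |
    Set-NetworkAdapter -Connected:$false -StartConnected:$false -Confirm:$false | Out-Null

# 3. Copy the snapshot artefacts out of the datastore and record SHA-256 hashes for the record.
$vmxPath = $vm.ExtensionData.Config.Files.VmPathName         # e.g. "[ds1] web01/web01.vmx"
$dsName  = ($vmxPath -split '[\[\] ]')[1]                     # datastore name between the brackets
$folder  = Split-Path ($vmxPath -replace '^\[.*?\] ', '') -Parent
$ds = Get-Datastore -Name $dsName
New-PSDrive -Name ds -PSProvider VimDatastore -Root '\' -Location $ds | Out-Null

$out = Join-Path $env:USERPROFILE "acq-$stamp"                # placeholder output folder
New-Item -ItemType Directory -Path $out | Out-Null
Get-ChildItem "ds:\$folder" |
    Where-Object { $_.Name -match '\.(vmsn|vmem)$' } |
    ForEach-Object { Copy-DatastoreItem -Item $_ -Destination $out }

Get-ChildItem $out |
    Get-FileHash -Algorithm SHA256 |
    Export-Csv -Path (Join-Path $out 'hashes.csv') -NoTypeInformation

Remove-PSDrive -Name ds
Disconnect-VIServer -Server $vc -Confirm:$false
```

The snapshot itself stays on the datastore; the copies and hashes.csv are what go into the case file.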
(@mdcr)
Reputable Member
Joined: 15 years ago
Posts: 376

A side note on provisioning and how it changes procedures

While a full VMDK can be mounted and explored, I'm not sure that one that uses provisioning can be explored with forensic tools; the only way to do that then is to fire it up on a separate host, then mount the drive(s) over the network and explore through that.

https://pubs.vmware.com/vsphere-4-esx-vcenter/topic/com.vmware.vsphere.server_configclassic.doc_41/esx_server_config/managing_storage/c_vstorage_thin_provisioning.html

Some malware will still beacon out if it is designed to do that, so you can capture and identify that over the network.