Odd question  

MrNereus
(@mrnereus)
New Member

I'm writing a twenty-page paper on virtual forensics and the absence of the virtual hard disk file; what data to look for to continue an investigation if the user destroyed the virtual image, or used a bootable environment. I'm having difficulties finding information around forensic analysis of bootable environments. I'm only finding information around bootable forensic environments.
Would you happen to know of any resources that could help me?

Posted : 13/03/2016 8:25 pm
jaclaz
(@jaclaz)
Community Legend

> I'm writing a twenty-page paper on virtual forensics and the absence of the virtual hard disk file; what data to look for to continue an investigation if the user destroyed the virtual image, or used a bootable environment. I'm having difficulties finding information around forensic analysis of bootable environments. I'm only finding information around bootable forensic environments.
> Would you happen to know of any resources that could help me?

The usual steps are
1) find the bootable environment
2) use forensic tools on it
3) profit

Now, the difficult part is #1, seriously, if the suspect used a LiveCD or other "RAM only" environment or a USB stick that wasn't found/seized (and he/she did it "properly") you won't really find *anything* on the internal hard disk/mass storage device.
And - even if you actually find this "bootable environment" - it may be tough to prove that it has been actually used and when.

After all, a forensic bootable environment is something that is designed to NOT leave traces on the internal hard disk/mass storage device but - due to its characteristics - can well be used as an anti-forensics environment, as an example a WinFE is a "normal" PE with a few specific Registry settings that can be used to carry on "normal" computer activities on a daily basis, but in a "volatile" mode.

jaclaz

Posted : 14/03/2016 12:30 am
keydet89
(@keydet89)
Community Legend

I'm having a bit of trouble following what you're attempting to do…

> I'm writing a twenty-page paper on virtual forensics and the absence of the virtual hard disk file; what data to look for to continue an investigation if the user destroyed the virtual image, or used a bootable environment.

Okay, here's where I'm having difficulty…what, exactly, are you trying to determine? The use of a virtual image (.vmdk, .vhd), or of a bootable environment (presumably something akin to a bootable CD)? Or are you simply using the terminology to refer to the same thing…a .vmdk or .vhd?

> I'm having difficulties finding information around forensic analysis of bootable environments.

This may be because it's already been covered in detail.

Let's look at an example…say, you're looking specifically at a Windows environment, and you want to know if a user booted their Windows system, logged in, and launched a .vhd. At that point, the .vhd is likely itself a Windows environment, so there's no difference in analyzing this environment; it's just a Windows system in a different "container".

The same thing is true if what you're looking at is a .vmdk file (launched via VMWare or Virtual Box).

If the virtual environment that was booted is destroyed, it's no different from "destroying" the hard drive of a bare metal "environment".

Posted : 14/03/2016 7:19 pm