
virtual servers

3 Posts
3 Users
0 Likes
444 Views
(@error_ntfs)
Posts: 1
New Member
Topic starter
 

Hello, has anyone taken a forensic image of a virtual server?

If it is off, taking the virtual hard drive and hashing it? Or, if on, dd?

Are there any procedural guides? Tried Google but could not find anything.

Not a forensic guy but a sysadmin, just possibly responding to an incident at work.

Let me know your thoughts.

 
Posted : 12/03/2013 7:23 pm
Bulldawg
(@bulldawg)
Posts: 190
Estimable Member
 

I suggest you bring in someone who is familiar with forensics. That will help protect you and your company from future liability.

That said, here's how.

Shut down the VM. It is possible to take the image with a running VM, but it can result in a corrupted image. Go on to the host computer and take an image of the VHD, VMDK, or similar file along with all the support files needed to run the VM.

Use FTK Imager or EnCase Forensic Imager to perform the acquisition–both are free. I suggest you use the EnCase (E01 or L01) file format. This will keep a CRC value for every block and hash the entire file to confirm the integrity of the file.

If the memory of the running VM is important (for instance if there are passwords in memory or malware you wish to analyze) you will need to install EnCase Forensic Imager on the VM and enable physical memory. The important point with this is that installing and running a program on the VM will necessarily modify the memory and the hard drive. If you go this route, document exactly what you do and at what time you did it.

 
Posted : 12/03/2013 8:40 pm
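The powered-off acquisition Bulldawg describes (copy the VMDK/VHD and its support files from the host, hash everything, record each step with a time), as an added POSIX shell example that is not code from the thread; the directory layout, file names and log format are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): copy a powered-off VM's disk and
# support files from the host with dd, hash each file before and after the
# copy, and keep a timestamped acquisition log. Paths are assumptions.
set -eu

stamp() { date -u +%Y-%m-%dT%H:%M:%SZ; }
sha() { sha256sum "$1" 2>/dev/null | cut -d' ' -f1; }

# acquire_vm SRC_DIR DEST_DIR: assumes the VM is already shut down, so the
# VMDK/VHD is not changing underneath us. File names assumed space-free.
acquire_vm() {
    src=$1; dest=$2
    mkdir -p "$dest"
    log=$dest/acquisition.log
    printf '%s start src=%s dest=%s user=%s host=%s\n' \
        "$(stamp)" "$src" "$dest" "$(id -un)" "$(uname -n)" >> "$log"
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        before=$(sha "$f")
        # Plain dd copy, no conv=sync: a short read shows up as a hash
        # mismatch instead of being silently zero-padded.
        dd if="$f" of="$dest/$name" bs=1048576 2>/dev/null
        after=$(sha "$dest/$name")
        if [ "$before" != "$after" ]; then
            printf '%s MISMATCH %s\n' "$(stamp)" "$name" >> "$log"
            return 1
        fi
        printf '%s file=%s bytes=%s sha256=%s\n' \
            "$(stamp)" "$name" "$(wc -c < "$f")" "$after" >> "$log"
    done
    printf '%s complete\n' "$(stamp)" >> "$log"
}

# verify_acquisition DEST_DIR: re-hash every file recorded in the log
# (the same kind of check an E01 verify does); returns 1 if anything changed.
verify_acquisition() {
    dest=$1; rc=0
    while read -r ts file bytes hash; do
        [ -n "$file" ] || continue
        name=${file#file=}; want=${hash#sha256=}
        got=$(sha "$dest/$name")
        [ "$got" = "$want" ] || { echo "CHANGED: $name"; rc=1; }
    done <<EOF
$(grep ' file=' "$dest/acquisition.log")
EOF
    return $rc
}
```

Run `acquire_vm /path/to/vm /path/to/evidence` once on the host after the VM is shut down, then `verify_acquisition /path/to/evidence` whenever the copy's integrity needs to be re-checked.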
Hwallbanger
(@hwallbanger)
Posts: 32
Eminent Member
 

Bulldawg is generally correct in his "here's how". I am not an expert, but recently I listened to an expert regarding accomplishing Forensics in the Cloud. Let me reassure you that I do not gain anything from providing this referral except to help all who are trying to do their job.

You need to listen to Mr. Paul Henry's podcast from this past Feb. 27th on "Incident Response and Forensics in the Cloud" at the SANS site:

SANS Webcasts

Mr. Paul Henry is one of the world's foremost global information security and computer forensic experts with more than 20 years' experience managing security initiatives for Global 2000 enterprises and government organizations worldwide.

He is a VMware Expert and he is frequently cited by major and trade print publications as an expert in computer forensics, technical security topics, and general security trends, and serves as an expert commentator for network broadcast outlets, such as FOX, NBC, CNN, and CNBC.

Be aware that when I listened to this talk, there was a technical issue around slide 47. He did cover enough information to help you to understand pretty much the whole issue with Cloud and virtual forensics.

I had asked Mr. Henry,

Could you suggest or direct me to resources that could be used to automate forensic process(es) within the virtual environment?

If you are interested in his six point reply, please indicate your interest within this thread and I will post it later. FYI, I will be leaving for some training next Tuesday, the 9th, for ten (10) days. I will check this thread on the weekend.

The podcast is about an hour long, so happy listening.

Regards, hwallbanger

 
Posted : 05/04/2013 2:33 am