VMware Encryption

(@nathan_84)
Eminent Member
Joined: 16 years ago
Posts: 31
Topic starter  

Hi all,

I'm currently researching encryption in Virtual Machines and the challenges they pose to forensic investigations.

I've been playing around with VMware Workstation 7, which provides an encryption option. When selected, the virtual machine cannot be turned on without the correct password.

Has anyone been affected by this when conducting a forensic investigation? Just intrigued to find out people's experiences on the matter and how they proceeded to get around it.

Thanks

Nathan


   
binarybod
(@binarybod)
Reputable Member
Joined: 18 years ago
Posts: 272
 

'.vmem' files hold the key, literally, they hold the key!

Paul


   
(@nathan_84)
Eminent Member
Joined: 16 years ago
Posts: 31
Topic starter  

Thanks very much for the reply binarybod.

I imagine you would have to use a memory analyser application to view the contents of the .vmem file. Just out of curiosity, is there one you prefer?

Thanks again for your time and help binarybod


   
binarybod
(@binarybod)
Reputable Member
Joined: 18 years ago
Posts: 272
 

Actually I misread your question. I was assuming you were talking about encrypted containers WITHIN a guest machine rather than an encrypted virtual machine.

It's just that I had a case where a file was encrypted and the key was in the (virtual) memory for that guest machine.

As for keys to open an encrypted virtual machine I haven't a clue, sorry.

Paul


   
Fab4
(@fab4)
Estimable Member
Joined: 18 years ago
Posts: 173
 

> It's just that I had a case where a file was encrypted and the key was in the (virtual) memory for that guest machine.
> Paul

Hi Paul, presuming the key was an unknown random-length password, what technique did you employ to establish the key out of memory?

Thanks.


   
binarybod
(@binarybod)
Reputable Member
Joined: 18 years ago
Posts: 272
 

The key and the password are two different entities.

Have a look at this…

https://www.volatilesystems.com/volatility/omfw/Kornblum_OMFW_2008.pdf

Paul


   
(@nathan_84)
Eminent Member
Joined: 16 years ago
Posts: 31
Topic starter  

Cheers for that Paul.

Definitely an area I can look into for my research work.

Appreciate your help.

Nathan


   
(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
 

Should be a good field of research. Be very interested to see the results. VMware makes it very easy for the user to encrypt the workstation; it would be great to have methods and possible tools to decrypt.

The horror would be to beat that and then find full disk encryption with TrueCrypt on the VMDK!


   
Fab4
(@fab4)
Estimable Member
Joined: 18 years ago
Posts: 173
 

> The key and the password are two different entities.

Quite right. My bad lol

> Have a look at this…
>
> https://www.volatilesystems.com/volatility/omfw/Kornblum_OMFW_2008.pdf

Excellent. Thanks.


   
(@nathan_84)
Eminent Member
Joined: 16 years ago
Posts: 31
Topic starter  

Douglas, I'll definitely keep you posted. Thanks again for your help.

Sorry, I really would appreciate it if anyone else could share their experiences of any form of encryption they've encountered on a virtual machine.

Thanks

Nathan


   