VMware ESXi host OS for forensic analysis

(@jbolm)
New Member
Joined: 14 years ago
Posts: 1
Topic starter

Hey everyone! A colleague recently referred me here, and I'm hoping to get some help understanding some best practices for analysis server setup.

My question is pretty simple - is it a 'good idea' to run forensic analysis in a virtualized environment?

I'm looking into getting a nice, powerful server and throwing ESXi on it. From there, I would create multiple virtual servers (likely Windows 2k8 64-bit) running EnCase for external (USB or eSATA attached) drive analysis.

My main concern here is the shared resources - running multiple parallel forensic analysis projects on the same physical hardware (CPU, RAM, etc.). There have been several proof-of-concept hacks that show quite clearly that you can access unassigned resources across VMs. Granted, the box would have to be compromised in the first place, but it still feels like a risk to me.

Are any of you running analysis in a similar environment? What is your take on the shared resources? Do you think this could hold up in court given the (very small) risk of cross-contamination? Are there any standards (PCI or otherwise) that state this is approved/not approved? I did quite a bit of research, and came up empty-handed.


(@piratefrog)
Eminent Member
Joined: 15 years ago
Posts: 20

USB pass-through in VMs has always been a bit spotty in my opinion - which can be problematic for a generic server/desktop deployment, but would certainly cause some problems for forensic purposes/hardware dongles/write blockers.

I use an ESXi system for general lab purposes (mostly to demonstrate/prove a use case, and to learn and test new tools in) - it's easy to run an analysis PC, and a dozen different variants of various operating systems and file systems for testing purposes.

For forensic analysis, however, I would be concerned with disk allocation - there is some potential for unallocated space on the physical disk issued to a VM to contain files from previous VMs (now I need to fire up the lab server and check).

I'd say it's fine for IR/Malware analysis, but I would be hesitant to recommend it elsewhere.

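A defender-side check for the disk-allocation concern raised in the second post, added here as example code (not from either poster): before a newly provisioned virtual disk is attached to an analysis VM, scan it for any non-zero data, so leftover content from a previous VM cannot be mistaken for, or mixed into, case data. It assumes a raw (flat) image or block device read in 1 MiB chunks; the sample image with a planted leftover fragment is constructed for the demonstration.

```python
"""Verify that a virtual disk handed to an analysis VM is really zero-filled.

Example code, not part of the forum thread. Works on a raw image or a
block device path; VMDK descriptor files are not parsed (assumption).
"""
import os
import tempfile

CHUNK = 1 << 20  # scan granularity: 1 MiB


def find_nonzero_regions(path, chunk=CHUNK):
    """Return [(offset, length), ...] of chunk-aligned ranges holding any
    non-zero byte. Adjacent dirty chunks are merged into one region."""
    regions = []
    with open(path, "rb") as f:
        offset = 0
        while True:
            buf = f.read(chunk)
            if not buf:
                break
            # bytes.count(0) runs in C, so this stays fast on large disks
            if buf.count(0) != len(buf):
                if regions and regions[-1][0] + regions[-1][1] == offset:
                    start, length = regions[-1]
                    regions[-1] = (start, length + len(buf))
                else:
                    regions.append((offset, len(buf)))
            offset += len(buf)
    return regions


def residue_report(path, chunk=CHUNK):
    """Summarise how much of the disk carries residue; 'clean' means the
    disk can be attached without risk of inheriting a previous VM's data."""
    size = os.path.getsize(path)
    regions = find_nonzero_regions(path, chunk)
    dirty = sum(length for _, length in regions)
    return {"size": size, "dirty_bytes": dirty, "regions": regions,
            "clean": not regions}


def make_sample_image(size=8 * CHUNK, dirty_at=(3 * CHUNK + 100,)):
    """Constructed sample: a sparse image with a small leftover fragment at
    each offset in dirty_at, simulating data from a previous VM surviving
    in 'unallocated' space. Returns the temp file path."""
    fd, path = tempfile.mkstemp(suffix=".raw")
    with os.fdopen(fd, "wb") as f:
        f.truncate(size)
        for off in dirty_at:
            f.seek(off)
            f.write(b"OLD-CASE-DATA")  # planted residue, constructed
    return path
```

Run `residue_report` against the flat disk file before attaching it; anything other than `clean: True` means the disk should be zeroed or re-created first.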