
VMware machines

(@rampage)
Posts: 354
Reputable Member
Topic starter
 

Hello again

I don't know if this topic was discussed before; I couldn't find documentation and such, but maybe you already have experience in the field with such a situation, so I hope you can help me out by suggesting a good workflow.

It's a sort of forensic game, so nothing business related, but it's a pretty fun challenge I was asked to solve at my CF course; let's say, a homework assignment.

The scenario is the following:
I have to deal with a Windows 2003 domain controller which is supposed to be compromised, running on a VMware ESX infrastructure.

I have to determine if the machine has really been compromised and, if so, understand how the machine was compromised, what has been stolen, etc.

Here is how I was thinking to proceed:
I had the idea to hibernate (pause) the virtual machine and acquire it in a running state, then make several copies of it and hash each of them.

Then, due to the order of volatility, I thought that having a hibernated VM in a running state would be a really good starting point, since I could analyze the memory of the virtual machine without even booting it up: VMware, when hibernating a machine, creates a file that contains the "running state information" of the VM (RAM included).

So, the question is: is anyone aware of the format in which VMware stores such running state information? And is there any tool around, like Volatility or such, capable of analyzing/converting/extracting the RAM data to a flat raw file compatible with Volatility/Memoryze/X-Ways?

Any help is really appreciated. Also comment on how you would proceed and what, in your opinion, the best practice is in a similar scenario.
Post your experience; I think this would be a good topic to discuss.

Thanks in advance

 
Posted : 26/02/2010 2:42 am
jhup
(@jhup)
Posts: 1442
Noble Member
 

Look at Kurt Seifried's work on Honeypots.

 
Posted : 26/02/2010 3:59 am
(@rampage)
Posts: 354
Reputable Member
Topic starter
 

I'll let you know for sure. Thanks very much for the support.

That file should be stored with the other VM files, right?

 
Posted : 26/02/2010 4:24 am
(@addshamsterarmy)
Posts: 6
Active Member
 

My thesis was on this kind of thing.

VMware software and the host OS share a common boundary; the host can store some information on VMware as an app.

You will need to image the virtual machine in a live state, as in its storage folder on the host, as you get the vmdk, virtual RAM, log files and config files, disk geometry etc., and it is possible to get info on the computer that actually created the virtual machine. Then capture the host OS. I would often do the whole drive that VMware is running from, but it depends on the circumstances.

Once imaged, extract the vmdk and mount it with a write blocker, then image the drive and proceed like any other imaged drive.

You will also want to know that VMware has a back door allowing access without the guest's knowledge.

 
Posted : 28/04/2010 12:32 pm
(@piratefrog)
Posts: 20
Eminent Member
 

ESX stores the machine's running state in a .vmss file, which contains the RAM info as well as some device/BIOS info (judging from the strings; when I looked, I was unable to find a proper write-up of the format).

There's a utility called "vmss2core.exe", included with VMware Player 7 (free trial download), that can convert/extract the memory portion of the .vmss file into a core dump file that can be processed by Volatility or other memory forensics tools.

 
Posted : 28/04/2010 7:58 pm
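An added example (mine, not code from any poster in this thread) of the acquisition bookkeeping the first post describes: it inventories the files in a suspended VM's folder, records each one's role and SHA-256, flags whether a memory source (.vmss) is present, and verifies that a working copy is byte-identical before any analysis touches it. The .vmss/.vmdk/.vmx/.log roles follow the thread; .vmem and .nvram are extensions I assume, and all paths are placeholders.

```python
import hashlib
from pathlib import Path

# Assumed artifact roles (my own table, not from the thread); extensions not
# listed are still hashed but reported as "other" so nothing is silently skipped.
ROLES = {
    ".vmdk": "virtual disk",
    ".vmss": "suspended state (guest RAM + device state)",
    ".vmem": "guest memory file",
    ".vmx": "VM configuration",
    ".nvram": "virtual BIOS/NVRAM",
    ".log": "VMware log",
}

def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so multi-GB .vmdk/.vmss files never sit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(vm_dir):
    """Return {relative_path: (role, sha256)} for every regular file under vm_dir."""
    root = Path(vm_dir)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            role = ROLES.get(p.suffix.lower(), "other")
            manifest[str(p.relative_to(root))] = (role, sha256_file(p))
    return manifest

def verify_copy(manifest, copy_dir):
    """Check a working copy against the manifest; both lists empty means a faithful copy."""
    root = Path(copy_dir)
    result = {"missing": [], "modified": []}
    for rel, (_, digest) in manifest.items():
        p = root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_file(p) != digest:
            result["modified"].append(rel)
    return result

def has_memory_source(manifest):
    """True if a .vmss or .vmem file is present, i.e. RAM can be analysed without booting the guest."""
    return any(role.startswith(("suspended", "guest memory")) for role, _ in manifest.values())
```

Run build_manifest against the original folder once, store the manifest alongside your notes, and run verify_copy against every duplicate you hand to an analysis tool.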