1
  • Using VMware in Digital Forensic Investigations

S/A Daniel Dickerman, IRS Criminal Investigation,
Electronic Crimes Program
daniel.dickerman_at_ci.irs.gov
2
You will learn
  • What is VMware, and what can it do for you?
  • How to create a new guest operating system
  • How to restore an image of a seized computer
    into a new VMware world
  • Understanding common boot problems with restored
    images and repair steps

3
What is VMware?
  • VMware is application software that allows you to
    create and operate virtual computers which run
    on top of your actual physical computer and
    operating system.
  • The virtual computer (or virtual machine, VM)
    runs as if it were a real operating system on a
    real computer with real devices.
  • Each VM has its own BIOS settings, virtual CPU,
    memory, hard disks, and other I/O devices.

4
(No Transcript)
5
What can you do with VMware?
  • Restore images of seized hard drives and boot
    the seized system as if you were sitting at the
    subject's actual computer, which:
  • Allows you to run his/her software apps,
    especially proprietary software you don't have
    and can't get.
  • Allows you to see the subject's desktop,
    shortcuts, favorites, etc., as they saw their
    machine. (This may be great for jury appeal:
    showing desktop shortcuts to KP or hacker sites,
    incriminating wallpaper, etc.)
  • Allows you to network multiple seized virtual
    machines and run network apps between the
    restored servers and workstations.

6
What can you do with VMware?
  • Use as a safe testing environment for running
    unknown apps, working with virus infected files,
    or as a software development testing environment.
  • Run those Linux/Unix applications in a Linux VM
    on top of your Windows machine... and more.

7
What can you do with VMware?
  • Record online content/sessions as an .avi
    video.
  • Reduce the workload of a Computer Forensic
    Examiner by providing a restored, running version
    of a seized computer to the case agent, allowing
    them to do some of the analysis.
  • Run your own install of Vista Ultimate/Enterprise
    to interact with BitLocker-encrypted drives.
  • ...and just about anything you can think of!

8
But why VMware instead of a physical machine???
  • Restoring the image of a 6GB HD usually doesn't
    take up your whole 120GB HD.
  • The restoration of a 20GB HD image may only take
    up 2-3GB of drive space on your 120GB drive, if
    most of the seized drive was/is empty. (The virtual
    disk file grows and shrinks as needed.)
  • You can restore multiple images of different
    computers and have them all running on one
    physical analysis computer (provided enough RAM
    and HD space) at a time and all be networked with
    each other.
  • If something gets messed up and/or infected, just
    delete the world and start over (or use
    snapshots).

9
VMware Architecture
10
Virtual Hardware
  • CPU: same processor as that on the host computer
  • Chipset: Intel 440BX-based motherboard with
    NS338 SIO chip and 82093AA IOAPIC
  • BIOS: Phoenix BIOS 4.0 Release 6 with VESA BIOS
  • RAM: up to 8GB, depending on host memory
  • Graphics: VGA and SVGA support
  • IDE devices: up to 4; virtual HD up to 950 GB;
    can also use real raw disks
  • SCSI devices: up to 60 devices; virtual HD up to
    950GB
  • NIC: AMD PCnet-PCI II compatible
  • USB: USB 2.0 UHCI controller, up to 6 devices
  • Floppy, CD, serial, parallel, audio
  • VMware Workstation Version 6.0

11
VMware Workstation Terminology
  • Host operating system: the one that is
    installed on your physical machine and runs
    VMware Workstation.
  • Guest operating system: the virtual OS that
    gets installed on top of the host OS.
  • The host OS can be either NT-based Windows or
    Linux (RedHat, Mandrake, SuSE).
  • The guest OS can be DOS, every flavor of Windows,
    Linux, BSD or any other OS that runs on an x86
    platform.

12
VMware Workstation Networking
  • Three networking options:
  • Bridged networking (uses the host NIC; the VM gets
    its own IP address from the host's DHCP server)
  • NAT networking (uses the host NIC and shares its
    IP address with the host)
  • Host-only networking (VMware acts as a DHCP
    server and provides IP addresses to VMs. VMs can
    only communicate with each other and the host.)
  • For restorations of seized HD images, you should
    always select host-only networking.

13
VMware Workstation Networking
  • Issues relating to restored images and
    networking:
  • If restoring a server that was/is a DHCP server,
    it will conflict with the VMware DHCP server, so
    the VMware DHCP service should be turned off.
  • If the IP addresses of the restored computers you
    are trying to network do not matter (remember
    mapped drives, etc.), then just use the VMware
    DHCP service.
  • TCP/IP only; you can't use IPX/SPX for Novell worlds.
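As an added example (not from the presentation), a small Python check that parses a VMware .vmx file and reports every virtual NIC that is not in host-only mode, so a restored seized image cannot reach the real LAN by mistake. The SAMPLE_VMX text is constructed; ethernetN.present and ethernetN.connectionType are standard .vmx keys, and an adapter with no connectionType is assumed to fall back to bridged.

```python
import re
from typing import Dict, List

# Constructed sample .vmx text (not from the presentation): a restored seized
# workstation with one adapter left bridged by mistake and one host-only.
SAMPLE_VMX = '''.encoding = "windows-1252"
config.version = "8"
virtualHW.version = "6"
displayName = "Seized-WS01-restored"
ethernet0.present = "TRUE"
ethernet0.connectionType = "bridged"
ethernet1.present = "TRUE"
ethernet1.connectionType = "hostonly"
ethernet2.present = "FALSE"
ethernet2.connectionType = "nat"
'''

# One .vmx line: key = "value" (keys may contain '.' and ':', e.g. ide0:0.present).
_VMX_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text: str) -> Dict[str, str]:
    """Parse key = "value" lines into a dict; keys are lower-cased because
    VMware treats .vmx keys case-insensitively."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        m = _VMX_LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def adapter_modes(cfg: Dict[str, str]) -> Dict[str, str]:
    """Map each adapter marked present to its connection type.
    Assumption: an adapter with no connectionType falls back to bridged."""
    modes: Dict[str, str] = {}
    for key, val in cfg.items():
        m = re.fullmatch(r'(ethernet\d+)\.present', key)
        if m and val.upper() == "TRUE":
            name = m.group(1)
            modes[name] = cfg.get(f"{name}.connectiontype", "bridged").lower()
    return modes

def unsafe_adapters(cfg: Dict[str, str]) -> List[str]:
    """Adapters that would let the restored guest reach the real LAN:
    anything other than host-only (bridged or NAT)."""
    return sorted(a for a, m in adapter_modes(cfg).items() if m != "hostonly")

if __name__ == "__main__":
    cfg = parse_vmx(SAMPLE_VMX)
    print("NOT host-only:", unsafe_adapters(cfg) or "none")
```

Run it against the .vmx of each restored VM before the first boot; an empty result means every present adapter is host-only.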

14
Installing VMware Workstation
  • Meet the minimum requirements for the host
    (continued on the next slide)
15
Installing VMware Workstation
  • Optional components include:
  • Floppy Disk
  • Ethernet adapter
  • CD-ROM
  • USB port
  • Other hard disks
  • Serial or parallel ports

16
Installing a Guest OS
  • Start VMware Workstation and select File > New
    Virtual Machine.
  • A wizard begins; just select the custom
    configuration option and follow through the
    wizard, adding the desired options.

17
Installing a Guest OS
  • Once the guest has been configured, you need to
    start the OS, but before you do:
  • Make sure the installation media for the guest OS
    is in the CD-ROM drive or floppy drive of the
    host (VMware can use .iso and .flp files in
    place of actual physical CDs and floppies).
  • As soon as the machine starts, you need to click
    in the window and press F2 to get into the guest
    CMOS setup program.
  • Once there, you'll want to configure the BIOS of
    this virtual world to boot from the CD-ROM or
    floppy before the hard drive.

18
Guest CMOS setup
19
Guest CMOS Setup
20
Set Boot Order
21
Save CMOS settings
22
Remember: every virtual machine has its own
BIOS, so any changes you make to your VM BIOS
only affect that specific virtual world. You can
also hit the ESC key at startup to select a
specific boot device, each and every time you
boot the virtual machine.
23
Installing a Guest OS (cont.)
  • At this point your VM should boot to your install
    CD or Floppy.
  • The rest of the process is no different than
    installing an OS on a physical machine.

24
Restoring images into VMware
  • Create a VM that matches the hardware of the real
    seized machine as closely as possible.
  • Try to identify the OS you are restoring prior to
    creation of the VM (e.g. look at the boot.ini of
    the seized image via ILook/FTK/EnCase, or another
    method).
  • Make the virtual HD at least 0.1 GB larger than
    the original HD.
  • Configure the VM with a second, raw HD, which will
    be the attached physical HD containing your image
    file(s).
  • Boot the new VM with the boot media for performing
    the restore:
  • For Safeback, boot with the VM control boot
    floppy.
  • For ILook IXImager, boot with the IXImager CD.
  • For EnCase, either create a Windows VM with EnCase
    installed in the VM, or use the SMART boot CD.

25
Restoring images into VMware
26
Restoring images into VMware(cont.)
  • Restore the image from the attached raw drive to
    your new blank virtual HD in the same manner you
    would do the restore on a physical machine.
  • Once completed, shut down the VM, remove the boot
    CD or floppy, and remove the second raw HD from
    the VM configuration, leaving only the HD
    containing the freshly restored image. Then take
    a snapshot of the freshly restored drive prior to
    the first boot attempt.
  • Attempt to boot the OS.
  • You may need to correct common boot problems by a
    repair installation or other method (covered
    next).
  • The newly restored system will need to run through
    the Add New Hardware Wizard as it reconfigures
    itself for the new virtual hardware.

27
Restoring images into VMware(cont.)
  • Install VMware Tools.
  • You may need to break logon passwords using your
    normal tools/methods.
  • Take an additional snapshot of the bootable VM so
    you can always revert to the bootable state,
    just in case a user makes unwanted changes to
    files on the restored system.
  • Run applications and/or network with other
    restored workstations and servers as you wish.

28
Repairing common boot problems
  • If it starts to boot but fails (blue screen),
    perform a repair installation using the install
    CD for the guest OS (which should be slipstreamed
    with the latest service pack).
  • If the original seized computer was a Compaq or
    another computer installed with hardware-specific
    proprietary software (e.g. ATI video software),
    boot to safe mode and uninstall the
    hardware-specific apps.
  • If you can't boot to safe mode, use ERD Commander
    to disable the drivers, services and/or startup
    apps causing the crash/blue screen.
  • On some systems, the boot info is not recognized,
    which requires the creation of an empty shell of a
    duplicate bootable OS (that you create with the
    OS install CD), then the deletion of everything
    out of that install (hence the name "empty
    shell"). Then simply copy all files from the
    non-bootable restored system into the empty
    shell you just created.
  • Recommend using ERD Commander from Winternals to
    do the file deletion and copy processes.
  • Recommend restoring Linux systems as an IDE
    drive, even if they were SCSI originally. This
    will require slight modification of /etc/fstab
    and the GRUB or LILO config files.
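An added example (not from the presentation) of the /etc/fstab and boot-loader edit the last bullet describes: a Python helper that rewrites /dev/sdXN device paths to their IDE /dev/hdXN equivalents while leaving comments and LABEL=/UUID= entries alone, and lists the changes so they can be recorded in the examiner's notes. The sample fstab and lilo.conf are constructed; by default the drive letter is kept (sda becomes hda), which assumes the virtual IDE disks were attached in the same order as the original SCSI disks, and letter_map overrides that where they were not.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed samples (not from the presentation): /etc/fstab and lilo.conf
# from a Linux server that originally lived on SCSI disks.
SAMPLE_FSTAB = """\
# /etc/fstab: static file system information.
LABEL=/boot     /boot       ext3     defaults        1 2
/dev/sda2       /           ext3     defaults        1 1
/dev/sda3       swap        swap     defaults        0 0
/dev/sdb1       /data       ext3     defaults        1 2
/dev/cdrom      /mnt/cdrom  iso9660  noauto,ro       0 0
"""
SAMPLE_LILO = """\
boot=/dev/sda
image=/boot/vmlinuz
    label=linux
    root=/dev/sda2
"""

# A SCSI device path: /dev/sd<letter><optional partition number>.
_SCSI_DEV = re.compile(r'/dev/sd([a-z])(\d*)\b')

def _ide_name(m, letter_map: Dict[str, str]) -> str:
    # Default keeps the drive letter (sda -> hda); letter_map overrides it when
    # the virtual IDE disk sits on another channel (e.g. {'b': 'c'}: sdb -> hdc).
    return f"/dev/hd{letter_map.get(m.group(1), m.group(1))}{m.group(2)}"

def scsi_to_ide(text: str, letter_map: Optional[Dict[str, str]] = None) -> str:
    """Rewrite every /dev/sdXN path to its IDE equivalent in fstab, lilo.conf
    or a GRUB kernel line. Comment lines and LABEL=/UUID= entries are untouched."""
    letter_map = letter_map or {}
    return ''.join(
        line if line.lstrip().startswith('#')
        else _SCSI_DEV.sub(lambda m: _ide_name(m, letter_map), line)
        for line in text.splitlines(keepends=True))

def device_changes(text: str, letter_map: Optional[Dict[str, str]] = None) -> List[Tuple[str, str]]:
    """Unique (old, new) device pairs, for recording the edit in the examiner's notes."""
    letter_map = letter_map or {}
    pairs: List[Tuple[str, str]] = []
    for line in text.splitlines():
        if line.lstrip().startswith('#'):
            continue
        for m in _SCSI_DEV.finditer(line):
            pair = (m.group(0), _ide_name(m, letter_map))
            if pair not in pairs:
                pairs.append(pair)
    return pairs
```

Run it on the restored guest's /etc/fstab, lilo.conf or GRUB menu file from the host (or from a rescue boot) and review device_changes() before writing the result back; GRUB's own (hd0,0) device notation is BIOS-based and needs no change.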

29
Questions???