how to install VMware
Upcoming SlideShare
Loading in...5
×
 

how to install VMware

on

  • 8,177 views

it displays step-by-step procedure on how to install VMware.

it displays step-by-step procedure on how to install VMware.

Statistics

Views

Total Views
8,177
Views on SlideShare
8,146
Embed Views
31

Actions

Likes
3
Downloads
217
Comments
0

3 Embeds 31

http://www.slideshare.net 25
http://presentacion.org 4
http://static.slidesharecdn.com 2

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

how to install VMware how to install VMware Presentation Transcript

  • Restoring Suspect Physical and Compressed Images with VMWare Brett Shavers Computer Technology Investigators Network
  • Topics: • VMWare Brief • Capabilities of VMWare • VMWare Installation • Guest Operating Systems • VMWare Networking • Restoration of forensic images into VMWare
  • What is VMware? • VMWare is application software that provides a virtual computer on which you can install another operating system • The virtual computer or virtual machine (VM) runs as if it were a real operating system on a real computer with real devices • The VM has its own CPU, memory, hard disks, and other I/O devices
  • Virtual Hardware • CPU = Host CPU • Chipset = Intel 440BX-based motherboard with NS338 SIO chip and 82093AA IOAPIC • BIOS = PhoenixBIOS 4.0 Release 6 with VESA BIOS • RAM = Host’s RAM • IDE Devices = Up to 4; Virtual HD up to 950 GB; can also use real disks (2TB limit) • SCSI Devices = Up to 7 • NIC = AMD PCnet-PCI II compatible
  • VMware Workstation Terminology • Host operating system is the one that runs VMware Workstation • Guest operating system is the virtual OS • The host OS can be either NT-based Windows or Linux (RedHat, Mandrake, SuSE) • The guest OS can be DOS, every flavor of Windows, Linux, BSD or other OS that runs on an X86 platform
  • Forensic Uses of VMware • VM Workstation allows you to restore a suspect’s hard drive into a VM • You can work with the suspect’s OS and its installed applications, some of which may be involved in the alleged crime • You can network two VMs, one a suspect client and the other a suspect server • You can also mount a suspect’s restored hard drive as a physical or “raw” disk • You can easily drag and drop files from the VM to your host computer
  • Some VM Tips • VMWare can boot iso images • Snapshots can be taken (up to 100 per VM World) • Videos can be taken using VMWare tools • You can drag and drop between the host of virtual OS easily.
  • Installing VMware Workstation • Meet the minimum requirements for the host: Component Mimimum Recommended CPU 400 MHz 500 MHz + Memory 128 MB 256 MB + Display VGA SVGA + Hard Disk (install) 100 MB free 100 MB Hard Disk (for Whatever guest Whatever guest guests) requires + apps recommends + apps Host OS Windows 2003, Windows XP Home and Pro (SP1), Windows 2000 (SP3), Windows NT (SP6A) Continued …
  • Installing VMware Workstation • Optional components include: • Floppy Disk • Ethernet adapter for the host • CD-ROM • USB port • Other hard disks
  • Installing a Guest OS • Have the installation media available, typically a CD • Start VM Workstation and select File, New Virtual Machine • A wizard begins ….
  • Installing a Guest OS
  • Installing a Guest OS
  • Installing a Guest OS
  • Installing a Guest OS
  • Installing a Guest OS
  • Installing a Guest OS
  • Installing a Guest OS
  • Installing a Guest OS • Once the Guest has been configured, you need to start the OS, but before you do … • Make sure the installation media for the guest is in the CD-ROM drive or floppy drive of the host • As soon as the machine starts, you need to click in the window and press F2 to get into the guest CMOS setup program • Once there, you’ll need to configure the system to boot from the CD-ROM or floppy
  • Guest CMOS setup
  • Guest CMOS Setup
  • Set Boot Order
  • Save CMOS settings
  • Boot Guest from OS CD
  • Install Guest OS
  • Summary • VMware Workstation allows you to install a guest OS in a virtual machine • The guest OS can interact with the host and utilize the host’s cpu, ram, cd-rom, keyboard, mouse, floppy disk, and network card • The host can be practically any NT-based host or Linux host and the guest can be any Windows OS, Linux, Novell, FreeBSD and more • VMware Workstation provides significant forensic-related capabilities
  • Restore of network and client systems ILook will be demonstrated, but Encase, FTK, Winhex, etc… can be used as long as it can restore whatever image format you have. You can also use physical hard drives directly. Encase has directions on restoration into VMWare on their website. Using a boot disk of any sort is half the work of using FTK or Encase for restores.
  • Restore Using I-Look • Scenario with a WIN2003 domain controller and an XP Pro client • Before restoring, establish a VM Ware occurrence with VM Ware DHCP service disabled • Restore the Domain Controller first
  • Create New Virtual Machine
  • Create the Domain Controller You have to know the OS of the image to be restored. Use the same version because VMware emulates hardware for each OS. BUT, XP may be able to handle all the other Windows OS’s. It’ll still boot to the actual OS, but there may be subtle differences in emulations. Stay with the actual OS.
  • Name and Allocate Resources Name it what you like. If you will be doing multiple restorations of the same image, then you can use dates, LFN, OS, etc… Make the location to a new folder where you can manage. For network restorations, keep the LAN all in one folder otherwise you will lose track. You may have to adjust memory later. The more machines, the more memory needed. Make sure your folder can hold everything you need (if all images total 100GB, you need at least that much to restore as the images expand to original size)
  • Define Network Type Only use host only to containerize the threat that the potential network system could have with interacting with the ‘real’ networking environment that you are connecting to For forensic restorations, make sure you don’t choose a connection that goes outside! (Bridged and NAT will go outside). The other two are safe. For network restorations, choose HOST ONLY NETWORKING). This allows clients in the virtual world to talk to each other. If you select either of the first two, and the images have a virus, you just exposed your network to that virus.
  • Defining the Bus You will go through this process twice for each drive you are restoring to ID the source and destination
  • Select the Source Disk Choose the disk that contains the image files. It is possible to have all images on one disk to be used for restorations.
  • VM Ware Establishes New Machine VM Ware treats this as though it is a SCSI system even though it is really an IDE drive, don’t worry about this. It is a SCSI disk because VMware likes SCSI disks for Domain controller OS’s. SCSI and IDE are just interfaces, the data will be the same, so no difference. 0:O is first SCSI disk on the first SCSI controller.
  • Add the Destination
  • Define Drive Type and Allocate Space Normally choose IDE. Make it the same size as the original hard drive, not size of image. Give a gb for wiggle room. Then name the target drive.
  • Confirm Both Disks Created
  • Restore the Image Using ISO I-Look File Put an ISO on your desktop of ILook, and point to that. (side note, you can make an iso of a boot floppy and have it point to that as well, always booting to your clean boot as an example.
  • Point to the CD and Start the Virtual I-Look Machine
  • Verify Available Disks
  • Selecting the device to restore from
  • Continuing to select image file
  • Restore Target Process
  • Restore in Process and Complete
  • Finish and Quit
  • Stop this machine
  • Now remove the drive and reset the CD back to the actual physical machine device
  • Reset the CD
  • Start the restored machine Machine starting, you will get some services errors
  • Start Up and Login
  • Go through login
  • Check the Virtual IP settings for the virtual network connections You need to know what the original settings were to reconfigure this. Because of the restore, the restored image will revert back to Windows default because a different NIC is being used (albiet virtual). Good to check before imaging if possible.
  • This appears to be LAN2 (as if there was a 1 at sometime). LAN 1 was the original machine, when restored, LAN2 was created. Look at the Ethernet Adaptor and that will be different as well. Don’t worry about, has to be that way
  • You can get settings here in the registry on IP settings
  • Input this info Select ‘NO’
  • Check the original DHCP settings Verify scope makes sense and is active before you restore any client systems
  • Suspend the Controller Machine Because the domain must be working to install a client, just suspend this VM OS. Suspending a machine doesn’t free up RAM, it uses it just the same. 3 machines at 2gb is about the max for RAM.
  • Create a new client virtual machine • Duplicating the previous process used during the controller restore • When you get to the drive type select IDE rather than SCSI (this IDE is the default setting since this is a client machine)
  • Resume the Domain Controller and start the XP Pro Client
  • Login and Add to Domain
  • Encase/FTK/etc… Images • You can use Encase, FTK, Linux, Winhex or any other program that can restore images to a physical drive in VMWare.
  • Forensic Issues • Yes, the data is changed (but only the virtual world, not the original images) • No, you can’t see unallocated space when fishing through the virtual world (it’s not a forensic exam anyway) • Yes, hashes will match on specific files on both the images and virtual world. • This process can be used to test viruses, Trojans, worms, and other actions on a suspect system (maybe disprove suspect’s allegations of virus, etc…)
  • 5% off purchase • If you want 5% off an online purchase, you can use my referral code: • VMRC-BRESHA248