Restoring Suspect Physical and Compressed Images with VMware

Brett Shavers
Computer Technology Investigators Network
Topics

• VMware brief
• Capabilities of VMware
• VMware installation
• Guest operating systems
• VMware networking
• Restoration of forensic images into VMware

What is VMware?

• VMware is application software that provides a virtual computer on which you can install another operating system
• The virtual computer, or virtual machine (VM), runs as if it were a real operating system on a real computer with real devices
• The VM has its own CPU, memory, hard disks, and other I/O devices

Virtual Hardware

• CPU = host CPU
• Chipset = Intel 440BX-based motherboard with NS338 SIO chip and 82093AA IOAPIC
• BIOS = PhoenixBIOS 4.0 Release 6 with VESA BIOS
• RAM = host's RAM
• IDE devices = up to 4; virtual HD up to 950 GB; can also use real disks (2 TB limit)
• SCSI devices = up to 7
• NIC = AMD PCnet-PCI II compatible

VMware Workstation Terminology

• Host operating system is the one that runs VMware Workstation
• Guest operating system is the virtual OS
• The host OS can be either NT-based Windows or Linux (Red Hat, Mandrake, SuSE)
• The guest OS can be DOS, every flavor of Windows, Linux, BSD or any other OS that runs on an x86 platform

Forensic Uses of VMware

• VMware Workstation allows you to restore a suspect's hard drive into a VM
• You can work with the suspect's OS and its installed applications, some of which may be involved in the alleged crime
• You can network two VMs, one a suspect client and the other a suspect server
• You can also mount a suspect's restored hard drive as a physical or "raw" disk
• You can easily drag and drop files from the VM to your host computer (this needs VMware Tools installed in the guest, and it is a channel from the suspect system to your host, so use it deliberately)

Some VM Tips

• VMware can boot ISO images
• Snapshots can be taken (up to 100 per VM)
• Videos can be taken using VMware Tools
• You can drag and drop between the host and the virtual OS easily

Installing VMware Workstation

• Meet the minimum requirements for the host:

  Component                Minimum                        Recommended
  CPU                      400 MHz                        500 MHz+
  Memory                   128 MB                         256 MB+
  Display                  VGA                            SVGA+
  Hard disk (install)      100 MB free                    100 MB
  Hard disk (for guests)   Whatever the guest requires    Whatever the guest recommends
                           + apps                         + apps
  Host OS                  Windows 2003, Windows XP Home and Pro (SP1), Windows 2000 (SP3), Windows NT (SP6A)

Installing VMware Workstation (continued)

• Optional components include:
  • Floppy disk
  • Ethernet adapter for the host
  • CD-ROM
  • USB port
  • Other hard disks

Installing a Guest OS

• Have the installation media available, typically a CD
• Start VMware Workstation and select File, New Virtual Machine
• A wizard begins …
Installing a Guest OS (seven screenshot slides of the New Virtual Machine wizard; images not reproduced)
Installing a Guest OS (continued)

• Once the guest has been configured, you need to start the OS, but before you do …
• Make sure the installation media for the guest is in the CD-ROM drive or floppy drive of the host
• As soon as the machine starts, click in the window and press F2 to get into the guest CMOS (BIOS) setup program. The splash screen passes quickly; if you keep missing it, VMware also honors bios.forceSetupOnce = "TRUE" in the VM's .vmx file, which enters setup on the next boot
• Once there, configure the system to boot from the CD-ROM or floppy

Screenshot steps:
• Guest CMOS setup
• Set boot order
• Save CMOS settings
• Boot guest from OS CD
• Install guest OS

Summary

• VMware Workstation allows you to install a guest OS in a virtual machine
• The guest OS can interact with the host and use the host's CPU, RAM, CD-ROM, keyboard, mouse, floppy disk and network card
• The host can be practically any NT-based Windows host or Linux host, and the guest can be any Windows OS, Linux, Novell, FreeBSD and more
• VMware Workstation provides significant forensic-related capabilities
Restore of Network and Client Systems

ILook will be demonstrated, but EnCase, FTK, WinHex, etc. can be used as long as the tool can restore whatever image format you have. You can also use physical hard drives directly. EnCase has directions on restoration into VMware on their website. Booting a restore tool from a boot disk (or ISO) inside the VM is half the work of doing the restore with FTK or EnCase.

Restore Using ILook

• Scenario: a Windows 2003 domain controller and an XP Pro client
• Before restoring, set up the VMware host-only network with the VMware DHCP service disabled: the restored domain controller runs its own DHCP server, and two DHCP servers on the same virtual segment will hand out conflicting leases to the clients you restore later
• Restore the domain controller first

Create New Virtual Machine (screenshot)

Create the Domain Controller

You have to know the OS of the image to be restored. Select the matching guest OS type, because VMware uses it to pick the virtual hardware defaults (for example the disk controller) for that OS. Windows XP as the type may be able to handle the other Windows OSes: the VM will still boot to the actual OS on the image, but there may be subtle differences in what is emulated. Stay with the actual OS.

Name and Allocate Resources

Name it what you like. If you will be doing multiple restorations of the same image, you can use dates, LFN, OS, etc. Put the VM in a new folder you can manage; for network restorations, keep the whole LAN in one folder or you will lose track. You may have to adjust memory later: the more machines, the more memory needed. Make sure the folder can hold everything you need (if all images total 100 GB, you need at least that much free to restore, because the images expand to their original size).

Define Network Type

Only use host-only networking, to contain whatever the restored system might do to the "real" network you are connected to. For forensic restorations, make sure you don't choose a connection that goes outside (bridged and NAT both go outside). The other two options, host-only and no network connection, are safe. For network restorations, choose host-only networking: it lets the clients in the virtual world talk to each other. If you select bridged or NAT and the images carry a virus, you have just exposed your network to it. Note that host-only still connects the guest to the host's own virtual adapter (VMnet1), so the host itself is reachable from the restored system; keep that in mind when the suspect system is hostile.
Defining the Bus

You will go through this process twice for each drive you are restoring: once to identify the source and once for the destination.

Select the Source Disk

Choose the disk that contains the image files. It is possible to keep all images on one disk to be used for restorations.

VMware Establishes New Machine

VMware treats this as though it is a SCSI system even though it is really an IDE drive; don't worry about this. It is a SCSI disk because VMware defaults to SCSI for domain controller (Windows Server) guest types. SCSI and IDE are just interfaces; the data will be the same, so there is no difference. 0:0 is the first SCSI disk on the first SCSI controller.
Add the Destination (screenshot)

Define Drive Type and Allocate Space

Normally choose IDE. Make it the same size as the original hard drive, not the size of the image. Give a GB of wiggle room. Then name the target drive.

Confirm Both Disks Created (screenshot)

Restore the Image Using the ILook ISO File

Put an ISO of ILook on your desktop and point the VM's CD-ROM at it. (Side note: you can make an ISO of a boot floppy and point to that as well, so you always boot from your known clean boot media.)
Screenshot steps:
• Point to the CD and start the virtual ILook machine
• Verify available disks
• Select the device to restore from
• Continue to select the image file
• Restore target process
• Restore in process and complete
• Finish and quit
• Stop this machine
• Now remove the source (image) drive from the VM and reset the CD back to the actual physical machine device
• Reset the CD
• Start the restored machine (as it starts you will get some service errors)
• Start up and login
• Go through login
Check the Virtual IP Settings for the Virtual Network Connections

You need to know what the original settings were to reconfigure this. Because of the restore, the restored image reverts to the Windows default (DHCP), because a different NIC is being used (albeit a virtual one). It is good to check the original settings before imaging, if possible.

This appears as LAN 2 (as if there was a LAN 1 at some time). LAN 1 was the original machine's connection; when restored, LAN 2 was created for the new virtual NIC. Look at the Ethernet adapter and that will be different as well. Don't worry about it; it has to be that way.

You can get the original IP settings from the registry: the per-adapter TCP/IP settings live under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{adapter GUID} (IPAddress, SubnetMask, DefaultGateway, NameServer, EnableDHCP), and the original adapter's key is still present on the restored system.

Input this info. Select "No" at the prompt.

Check the Original DHCP Settings

Verify the scope makes sense and is active before you restore any client systems.
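The registry lookup described above, as an added example that is not part of the original slides: a Python script that reads a regedit export of the Tcpip interfaces key taken on the restored system (reg export HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces tcpip.reg, run inside the guest), finds the adapter that held a static configuration, and prints the netsh lines that re-apply it to the new "Local Area Connection 2". The .reg text below is constructed for the demo; its GUIDs and addresses are made up. REG_MULTI_SZ values such as IPAddress are exported by regedit as hex(7) UTF-16LE bytes with backslash line continuations, which the parser handles.

```python
r"""Recover a restored system's original static IP settings from a regedit
export of the Tcpip interfaces key and emit the netsh commands that re-apply
them to the new virtual adapter.

Added example, not from the original slides.  Input: the output of
  reg export HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces tcpip.reg
run inside the restored guest (regedit writes the file as UTF-16 text).
The sample below is constructed; GUIDs and addresses are made up.
"""
import re

TCPIP_INTERFACES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"

# Constructed sample: the original adapter ({1111...}) had a static address,
# the adapter Windows created for the virtual NIC ({2222...}) is on DHCP.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-2222-3333-4444-555555555555}]
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):31,00,39,00,32,00,2e,00,31,00,36,00,38,00,2e,00,31,00,2e,00,\
  31,00,30,00,00,00,00,00
"SubnetMask"=hex(7):32,00,35,00,35,00,2e,00,32,00,35,00,35,00,2e,00,32,00,35,00,\
  35,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):31,00,39,00,32,00,2e,00,31,00,36,00,38,00,2e,00,31,00,2e,00,\
  31,00,00,00,00,00
"NameServer"="192.168.1.10,192.168.1.11"
"Domain"="corp.example"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{22222222-3333-4444-5555-666666666666}]
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"NameServer"=""
"""


def load_reg(path):
    """Read a regedit export from disk (regedit writes UTF-16 with a BOM)."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


def decode_value(raw):
    """Decode one exported value: REG_SZ, REG_DWORD or REG_MULTI_SZ (hex(7))."""
    if raw.startswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith("hex(7):"):
        data = bytes(int(b, 16) for b in raw[len("hex(7):"):].split(",") if b)
        # UTF-16LE strings separated by NUL, list terminated by a second NUL
        return [s for s in data.decode("utf-16-le").split("\0") if s]
    return raw


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for a regedit export."""
    text = re.sub(r"\\\r?\n\s*", "", text)   # join backslash-continued lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif line.startswith('"') and current is not None:
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = decode_value(raw)
    return keys


def static_interfaces(keys):
    """Adapters whose stored config was static: EnableDHCP=0 plus a real address."""
    found = {}
    prefix = TCPIP_INTERFACES.lower() + "\\"
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        guid = path.rsplit("\\", 1)[1]
        addrs = [a for a in values.get("IPAddress", []) if a != "0.0.0.0"]
        if values.get("EnableDHCP", 1) == 0 and addrs:
            found[guid] = {
                "ip": addrs[0],
                "mask": (values.get("SubnetMask") or [""])[0],
                "gateway": (values.get("DefaultGateway") or [""])[0],
                "dns": [d for d in re.split(r"[ ,]+", values.get("NameServer", "")) if d],
            }
    return found


def netsh_commands(settings, connection="Local Area Connection 2"):
    """netsh lines (XP/2003 syntax) to re-apply a static config to the new adapter."""
    addr = f'netsh interface ip set address name="{connection}" static {settings["ip"]} {settings["mask"]}'
    if settings["gateway"]:
        addr += f' {settings["gateway"]} 1'   # trailing 1 is the gateway metric
    cmds = [addr]
    for i, dns in enumerate(settings["dns"]):
        verb, src = ("set dns", " static") if i == 0 else ("add dns", "")
        cmds.append(f'netsh interface ip {verb} name="{connection}"{src} {dns}')
    return cmds


if __name__ == "__main__":
    for guid, cfg in static_interfaces(parse_reg_export(SAMPLE_REG)).items():
        print(f"# original adapter {guid}")
        print("\n".join(netsh_commands(cfg)))
```

Run it against your own export with load_reg("tcpip.reg"), then paste the printed lines into a command prompt inside the restored guest. The connection name defaults to "Local Area Connection 2" because that is what the slides show Windows creating for the virtual NIC; check Network Connections on the restored system and pass the actual name if it differs.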
Suspend the Controller Machine

Because the domain must be running to join a client to it, just suspend this VM while you build the client. Suspending writes the VM's memory to disk and frees the host RAM it was using; once you resume the controller alongside the client, every running VM holds its memory again, and three machines with 2 GB of RAM is about the max.

Create a New Client Virtual Machine

• Duplicate the previous process used during the controller restore
• When you get to the drive type, select IDE rather than SCSI (IDE is the default since this is a client machine)

Screenshot steps:
• Resume the domain controller and start the XP Pro client
• Login and add to domain

EnCase/FTK/etc. Images

• You can use EnCase, FTK, Linux, WinHex or any other program that can restore images to a physical drive in VMware.

Forensic Issues

• Yes, the data is changed (but only in the virtual world, not the original images)
• No, you can't see unallocated space when fishing through the virtual world (it's not a forensic exam anyway)
• Yes, hashes will match on specific files on both the images and the virtual world (for files the running OS has not touched; a booted Windows rewrites event logs, registry hives and prefetch files immediately)
• This process can be used to test viruses, Trojans, worms and other actions on a suspect system (maybe to disprove a suspect's allegation of a virus, etc.)
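As an added example (not code from the slides or from VMware), the following Python script applies two of the rules on this deck to a Workstation .vmx file: host-only networking from the Define Network Type slide, and "the data is changed" from this slide. It flags any virtual NIC that is not host-only and any hard disk that is not in independent-nonpersistent mode (VMware's disk mode that discards guest writes at power-off, so the restored vmdk stays as ILook left it), and it can rewrite the file accordingly. The vmx keys are VMware's own; the sample configuration is constructed, and the assumed defaults when a key is absent (bridged for connectionType, persistent for disk mode) are Workstation's.

```python
"""Audit and harden a VMware Workstation .vmx for a forensic restoration lab.

Added example, not from the original slides and not a VMware tool.  It checks
two rules the slides state: every virtual NIC must be host-only so a restored
suspect system (and any malware on it) cannot reach the real network, and a
restored hard disk should be independent-nonpersistent when the guest is
booted for analysis, so the running OS cannot change the vmdk you restored
into.  The keys used (ethernetN.connectionType, ideX:Y.mode,
ideX:Y.deviceType, ...) are standard Workstation keys; the sample file is
constructed for the demo.  Assumed defaults when a key is absent:
connectionType = bridged and disk mode = persistent, as in Workstation.
"""
import re

# Constructed sample: a domain-controller restore whose NIC was left bridged
# and whose restored SCSI disk is still persistent (both are findings below).
SAMPLE_VMX = """\
config.version = "8"
virtualHW.version = "4"
displayName = "DC-restore-2004-06-01"
guestOS = "winnetstandard"
memsize = "512"
scsi0.present = "TRUE"
scsi0.virtualDev = "lsilogic"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "DC-restored.vmdk"
ide0:0.present = "TRUE"
ide0:0.fileName = "evidence-images.vmdk"
ide0:0.mode = "independent-nonpersistent"
ide1:0.present = "TRUE"
ide1:0.deviceType = "cdrom-image"
ide1:0.fileName = "ilook.iso"
ethernet0.present = "TRUE"
ethernet0.connectionType = "bridged"
ethernet0.virtualDev = "vlance"
"""

NIC_RE = re.compile(r"^(ethernet\d+)\.present$")
DISK_RE = re.compile(r"^((?:ide|scsi)\d+:\d+)\.present$")
SAFE_DISK_MODE = "independent-nonpersistent"


def parse_vmx(text):
    """Return {key: value} with keys lower-cased (vmx keys are case-insensitive)."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip().lower()] = value.strip().strip('"')
    return cfg


def _present(cfg, key):
    return cfg.get(key, "FALSE").upper() == "TRUE"


def nics(cfg):
    """Virtual NICs that are present in the config."""
    return [m.group(1) for k in cfg if (m := NIC_RE.match(k)) and _present(cfg, k)]


def hard_disks(cfg):
    """Present IDE/SCSI devices that are hard disks (CD-ROM devices excluded)."""
    disks = []
    for k in cfg:
        m = DISK_RE.match(k)
        if m and _present(cfg, k):
            dev = m.group(1)
            if not cfg.get(f"{dev}.devicetype", "disk").lower().startswith("cdrom"):
                disks.append(dev)
    return disks


def audit_vmx(text):
    """Return a list of findings; an empty list means the VM is safe to boot."""
    cfg = parse_vmx(text)
    findings = []
    for nic in nics(cfg):
        ctype = cfg.get(f"{nic}.connectiontype", "bridged").lower()
        if ctype != "hostonly":
            findings.append(f"{nic}: connectionType={ctype} reaches outside the VM; use hostonly")
    for dev in hard_disks(cfg):
        mode = cfg.get(f"{dev}.mode", "persistent").lower()
        if mode != SAFE_DISK_MODE:
            findings.append(f"{dev} ({cfg.get(dev + '.filename', '?')}): mode={mode}; "
                            f"guest writes will change the vmdk")
    return findings


def harden_vmx(text):
    """Return the vmx text with every NIC host-only and every hard disk
    independent-nonpersistent, appending the lines that were missing."""
    cfg = parse_vmx(text)
    out = []
    for line in text.splitlines():
        name = line.partition("=")[0].strip()
        key = name.lower()
        if re.match(r"^ethernet\d+\.connectiontype$", key):
            out.append(f'{name} = "hostonly"')
        elif re.match(r"^(?:ide|scsi)\d+:\d+\.mode$", key):
            out.append(f'{name} = "{SAFE_DISK_MODE}"')
        else:
            out.append(line)
    for nic in nics(cfg):
        if f"{nic}.connectiontype" not in cfg:
            out.append(f'{nic}.connectionType = "hostonly"')
    for dev in hard_disks(cfg):
        if f"{dev}.mode" not in cfg:
            out.append(f'{dev}.mode = "{SAFE_DISK_MODE}"')
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("\n".join(audit_vmx(SAMPLE_VMX)) or "no findings")
```

Run audit_vmx on the .vmx before powering the restored system on, and harden_vmx only after the ILook restore has finished: the destination disk has to stay persistent while ILook writes into it. With independent-nonpersistent disks every power-off discards what the guest changed, so the restored vmdk is the same pristine copy on every boot; gather what you need (screenshots, exported registry keys, drag-and-drop copies) before powering off, or suspend instead. Host-only still reaches the host over VMnet1 and VMware's own DHCP service unless that service is disabled, as the restore procedure above requires.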
5% Off Purchase

• If you want 5% off an online purchase, you can use my referral code: VMRC-BRESHA248