Category Archives: Guide

Meltdown and Spectre

I am sure by now you have heard/read/watched about these two security vulnerabilities: Meltdown and Spectre. However, if you have not, here is a good place to start: A Simple Explanation of the Differences Between Meltdown and Spectre

In a nutshell, almost all of the major technologies are affected: Apple, Microsoft, Intel, Amazon, ARM, Google, RedHat, VMware, SUSE and more.

What you need to do:

  • Identify the affected technologies in your environment and if you have not already received advisories from those vendors, contact them for updates and guidance.
    • Start with the anti-virus (AV) vendor. The reason you need to start with them is that due to the special nature of these vulnerabilities, your anti-virus (AV) technology needs to be updated before Microsoft patches can be applied. Microsoft is pushing updates to only those systems that are running a compatible version of anti-virus.
    • You can check the status of your AV using this Google Doc thanks to @GossiTheDog https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sharing&sle=true
  • Applying these patches will impact the performance of the CPU. The level of impact varies based on your system configuration and capacity, however, there have been reports of 15-30% performance impact. For this reason, it is important that you accommodate for the performance hit before pushing updates.
    • To limit the performance impact of unplanned patching, Microsoft has added a manual step. After the patch is installed, you need to manually enable a registry key. Without updating the registry key the system remains vulnerable; Reference.
  • Microsoft has released KB4056892 patch for Windows 10. Patches for Windows 7 and 10 are expected to be released on January 9th.
  • All of the commonly used browsers are also affected. However, patches for some of these are already available and are expected to be released for others soon: Firefox, Safari, Chrome.
    • In case of Chrome version 63 (released in Decmber 2017), there is the option to enable Site Isolation feature. This feature can be enabled by entering the following in Chrome: chrome://flags/#enable-site-per-process; Reference.

In summary, here are the steps:

  1. Contact technology vendors and review their advisories
  2. Plan in advance for any performance impact
  3. Apply patches in the development environment first and test!
    • it is important to deploy patches in accordance with your AV’s recommendation. There are public reports of the system crash (BSOD) due to incompatible AV.

As of this writing, following CVE identifications have been assigned: CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754. These can be used to track remediation efforts.

This is a developing story and it is advised that you closely monitor communications from your technology vendors.

Additional references:

Advertisements
Tagged , ,

Burp and Samurai-Web Testing Framework

The other day I came across a social media post that was about utilizing Burp Suite to identify vulnerabilities in web applications. I had heard of Burp before but never really had the chance to play around with it – until now.

Just like a lot of other security tools, Burp has a community version along with its commercial product. I decided to download the free edition from here in my home lab.  The installation process is straightforward and in no time you have Burp up and running. Here is how the initial interface looks like:

Burp

Right when I finished my installation of  Burp, I realized that I did not have a web application running in my lab that I could use to test Burp against. Bummer! Now I had to decide between setting up a web server myself or finding a commercial distribution that came pre-built with one. This was a no-brainer – and within minutes I found a few distributions that were designed for testing and learning web application security; such as SamuraiWTF, WebGoat and Kali Web Application Metapackages. I decided to go with SamuraiWTF.

SamuraiWTF gives you the option to run from a live disk or install it in a VM. I decided to install the VM. Here is a good guide to the installation process. I give my VM instance 4GB RAM and 3 cores; more than enough horsepower.

This distribution comes pre-installed with Mutillidae, which is a “free, open source, deliberately vulnerable web-application providing a target for web-security enthusiasts”. This was perfect for what I was looking for. Setting up the Mutillidae in pretty simple – all I had to do was change my network configurations to NAT and that was it. However, if you need more information on configuration here are some great video guides on Mutillidae; in fact, I used some of these myself while configuring Burp to work with Mutilliade.

After finishing all of the above prep work, I was ready to run Burp!

For those who are not familiar with Burp, it’s an interception proxy which sits between your browser and the web server and by doing so it is able to intercept requests/responses and provides you the ability to manipulate the content. To do so you have to configure Burp as your proxy. On your VM, this would be your localhost (Proxy Tab > Options):

Proxy

Likewise, you would have to configure your browser to that same proxy. Here is my proxy configuration on Firefox:

Firefox Proxy Configuration

Now as you navigate through your Mutilliadae webpage, all your requests should go through Burp. One thing you have to do is turn on the Intercept option in Burp. It’s under Proxy > Intercept.

What this allows you to do is see the request as its made but gives you the control to either forward it to the web server or simply drop the request (like a typical MiTM). For example, on the login page of Mutilliade i used admin name and admin123 password. And as soon as I hit “Login” I saw the request being made from my browser to the web server in Burp:

Burp Intercept

In the screenshot above, you can see the two options: Forward and Drop. If you hit forward, the web server will receive this request from your browser and will respond as it would normally. In this case, the account I used to log in did not exist:

Web Server Respose

Burp has the capability to also capture the responses. It is an option that you can turn on by going to Proxy > Options and towards the middle of the page you will see “Intercept Server Responses”. By turning this on you will be able to see and control both sides of the requests:

Request and Response

If you look at Target > Site Map; on the left pane you will see a list of all the sites that you have visited with the Burp proxy on:

History Map

One advantage of the above feature is that it allows you to go back and revisit requests and responses. The sites that are in grey color are those that are available on the target web page but you have not visited them.

Another neat feature is that if you do not want to visit each page individually you can run the “Spider” feature which will map the whole target page for you.

Spider

If you go under Spider > Control you are able to see the status of the Spider as it runs:

Spider Status

When you intercept request or response, you have the ability to send that to other features of Burp. You are able to view these additional options by right-clicking on the intercept:

Intercept Additional Options

Towards the bottom of the official Burp Suite guide page here you can see a brief description of most of the options shown in the screenshot above. The one I found really neat is the “Repeater” option which allows you to modify and re-transmit requests repeatedly without having the need to perform new intercepts each time.

This concludes my brief journey of getting started with Burp using SamuraiWTF. There is a whole lot more than I had the chance to explore but here is a great reference for advanced topics.

Below  is a quick blurb on some of Burps features:

Spider: crawls the target and saves the numerous web pages that are on the target.

Intruder: automated attack feature which tries to automagically determine which parameters can be targeted i.e. fuzzing.

Fuzzing options: Sniper (fuzz each position one-by-one), Battering Ram (all positions on the target receive one payload), Pitchfork (each target position is fuzzed in parallel) Cluster Bomb (repeats through payloads for multiple positions at once).

Proxy: used to capture requests & responses to either just monitor or manipulate and replay.

Scope: controls what (pages, sites) is in/out of the test “scope”.

Repeater: manually resubmit requests/responses; allows modification.

Sequencer: used to detect predictability of session tokens using various built-in tests i.e. FIPS 140-2.

Decoder: allows encoding/decoding of the target data i.e. BASE64, Hex, Gzip, ASCII, etc.

Comparer: allows side-by-side analysis between two requests/responses.

Cheers!

Tagged , ,

Botnets?

How does it feel to know that your personal computer can be remotely controlled by someone without your knowledge for ill purposes? Or worse, instead of a single individual having this unauthorized access to your system it can be a group of people over the internet that controls what your computer does and how it does it. In the field of Information Security, if your system is involved in such control it is considered a bot: a computer system being controlled by an automated malicious program. In addition, your computer system can be part of a larger group of infected computer systems and these collections of infected computers create botnets. Casually, these bots are also referred to as zombies and the remote controller is called the botmaster. So how are these bots born and grow into botnets?

According to Damballa, an independent security firm’s annual threat report, “at its peak in 2010, the total number of unique botnet victims grew by 654 percent, with an average incremental growth of 8 percent per week ”. Originally, these bots are developed by tech-savvy criminals who develop the malicious bot code and then usually release on the open internet. While on the internet, the bot can perform numerous malicious functions based on its code design but it most cases it spreads itself across the internet by searching for vulnerable, unprotected computers to infect. After compromising victims’ computer, these bots quickly hide their presence in difficult to find locations, such as computer’s operating system files. The botmaster’s goal here is to maintain the compromised system behavior as normal as possible so the victim does not become suspicious. Common activities that bots perform at this stage involve registering themselves as the trusted program in any anti-virus program that might be on victim’s computer. Moreover, to maintain persistence, bots add their operations in systems startup functions which results in bots automatically reactivating even after shutdown/restart. Throughout this process, bots continue to report back to botmaster and wait for further instructions.

Below lists some of the common operations that bots can perform on behalf of its botmaster:

Sending
Stealing
DoS (Denial of Service)
Clickfraud
They send
– spam
– viruses
– spyware
They steal personal and private information and communicate it back to the malicious user:
– credit card numbers
– bank credentials
– other sensitive personal information
Launching denial of service (DoS) attacks against a specified target. Cybercriminals extort money from Web site owners, in exchange for regaining control of the compromised sites.
Fraudsters use bots to boost Web advertising billings by automatically clicking on Internet ad

As the chart above states, there are numerous functions that bots can perform. However, recently bots have mainly been used to conduct Distributed Denial of Service (DDoS) attacks: utilizing hundreds or thousands of bots from around the whole world against a single target.  Botmaster’s goal with DDoS is to use thousands of bots with numerous botnets to attempt to access the same resource simultaneously. This overwhelms the resource with thousands of requests per second thus making the resource unreachable. This inaccessibility of the resource has severe effects on legitimate users and requests. According to FBI, “botnet attacks have resulted in the overall loss of millions of dollars from financial institutions and other major U.S. businesses. They’ve also affected universities, hospitals, defense contractors, law enforcement, and all levels of government”.

A misconception exists that if your system does not hold any valuable information or if you do not use your system to conduct online financial transactions than an adversary is less likely to target your system. Unfortunately, as much as we would like this to be true, it is not the case. For botnets, the most valuable element is your system’s storage and your internet speed. Our personal computers are now capable of storing and processing terabytes of information seamlessly and are able to use our high-speed internet to transfer this information.  As stated by a malware researcher team from Dell SecureWorks, botnets “allows a single person or a group to leverage the power of lots of computers and lots of bandwidth that they wouldn’t be able to afford on their own”.

——————————————————————-

http://www.fbi.gov/news/news_blog/botnets-101

https://www.damballa.com/press/2011_02_15PR.php

http://news.discovery.com/tech/what-are-botnets-110304.htm

http://us.norton.com/botnet/

Tagged ,

Zotero Review

Browser extension: Zotero

The most difficult part of the research process is keeping track of all of your sources. The traditional methods have been that you print all the pages that you visit, or copy and paste the text from the web sources into a Word document. However, the problem with those methods is not only are they troublesome but also the chance of misplacing them is greater. Moreover, when you are done with your paper and you have to create a citation for each of your sources one-by-one is not only time consuming but also increases factor of human error.

Zotero is a free Mozilla Firefox add-on which makes it easy to organize your sources and searches. It does that by saving the snapshot of the pages and saving the links. The best feature of the add-on is that it automatically creates the citation for your saved sources in both APA and MLA format. In addition, since it is fully compatible with both Microsoft Office and Open Office; you can directory copy your citation into that software.

Another great feature that I like is that you are able to sync your files with Zotero’s online server. This provides not only sense of security that your files are backed up, but also if you log-in from an alternative computer you can still view all your saved sources. In addition, Zotero allows you to share your source with other people. For that, all you have to do is create a new group, place the files that you want to share and sync. You can send an invitation to your group to as many people as you want and they can all view and make changes to your document. This makes group collaboration much easier.

Personally, I’ve been just introduced to Zotero and I love all the user-friendly features that it has to offer. Whenever I am surfing the internet and I come across an article of news that I could use later I simply open Zotero add-on and save a snapshot. In addition, Zotero’s highlight feature comes very convenient t as well. It allows me to highlight text right from the snapshot so that when I come back to that article I know exactly why I saved it in the original place.

Zotero is still an underdevelopment project. It has a dedicated link on its homepage which allows enthusiastic individuals to contribute their new ideas or making improvements. For a new user, they have great support page which comprehensively explains all the great features of Zotero.

The only thing that I am on the lookout for is Zotero coming onto different browser platforms. Currently, it is only supported by Mozilla Firefox but that holds a certain disadvantage against it. In addition, I have noticed in occasional events that the sync features take longer than usual. This could be due to their storage or the format that they are using.

Overall, I think Zotero is a great free tool for everyone who wants to efficiently save time and sources. I most favorite feature of Zotero is highlight and share. I am sure that the few glitches that Zotero currently has will soon disappear.

Tagged

Layered Security For Home User – Part 1

Most who work in information security are familiar with the term layered security (also known as layered defense) which in a nutshell mean that you employ multiple solutions/components to protect your assets. This idea has been pushed at the enterprise level for years and has been significantly effective at deterring attacks. And with the latest advancements in the end-point-monitoring (EPM) solutions, enterprises now have the capability to both monitor and control what happens on all of the workstations in the environment.

But if you move away from enterprise security to securing the average home user, most users tend to rely solely on the anti-virus solutions. Now, I am not going to get into the debate over how effective or ineffective anti-virus solutions are – but if you are interested in reading rants over this topic feel free to do so. However, what I will say is that just having anti-virus software (especially now) definitely does not meet the layered security concept.

So, how do we get layered security for home computers? Well, the market is not shy from a variety of different solutions that will promise to compliment your existing anti-virus while providing you the benefit of added security. And in my opinion, some of these products can actually be beneficial such as malware, spyware, and email protection but most of these features are already built-in to latest anti-virus solutions – you may just not know it. So, the question still stands, how do we get layered security for home computers? Well, let me answer this by explaining a recent event where I had the opportunity to test a theory first hand…

Continue with part 2

Tagged , ,

Traditional Threats

Below is my take on the common threats against our systems:

In today’s technological environment, risks to computer information are everywhere. These risks start when you power-on your system and save any information on it. However, the risks exponentially grow when you connect your system to a network and access the internet.

Information security is known as the process of implementing the necessary measurements to not only protect the physical environment but also prevent modification, deletion and unauthorized access to information.

The need for information security is vital more than ever. The numbers of the incident that involve information breaches have dramatically increased in last few years. Most of these computer attacks exploit confidential information from companies’ networks (Tarte). Experts believe that the reason behind this increase is due to open vulnerabilities in corporate networks.  Attackers are able to easily abuse these weaknesses and gain access to confidential information. However, attacks have also grown to be more sophisticated than ever. In most cases, victims do not realize that they are under attack until it is too late. It’s hard to believe but attackers are able to remain “inside a compromised organization for months, gathering information with which they design and build even more sophisticated attacks” (Neal).

 In addition, these cyber attacks are not only aimed at governments and major corporation networks but also to average consumers. A study conducted by Symantec shows that “65% of people globally have experienced some type of cybercrime” (Schwartz). Almost half of these incidents were caused by viruses and malware; while others were caused by phishing and social networking attacks (Schwartz). Moreover, the most common threat to today’s systems is from malicious codes. This category of software threat includes viruses, Trojan horses, logical bombs, and worms.

Malicious code is a threat which is defined to perform unlawfully, the desired function which allows unauthorized access to confidential information.  These codes are capable of bypassing security software and destroy the system. It is very important that the necessary steps are taken to protect systems against these malicious codes. However, it is vital that we first differentiate among varies malicious codes (Computer virus: the types of viruses out there).

Viruses are the most common type of malicious code. This software enters the system using one the following ways: through email, peer-to-peer sites or by using infected removal media, such as flash drive. In some cases viruses simply reside on the victim’s system, however, usually, viruses are designed to destroy the data and operating system as well as spread to other systems. Upon getting infected, viruses usually take complete control of the system; by flashing annoying pop-ups and denying users full access. However, in rare cases, viruses hide their presence from the user. In both cases, the system significantly slows down and free disk space rapidly decreases. In severe instances, the system could mysteriously shut itself down and/or doesn’t reboot with, BSOD (Blue Screen of Death) error (Dulaney).

Moreover, viruses are programmed to conduct two terrible tasks: bring your system to a halt, where it is no longer usable or to use your system as means to spread to other systems. Upon infecting a system, the virus attaches itself to all the data and system files on that particular computer. This makes it easy for the virus to spread to other systems. The most common method of spreading is through Flash drives; however, the more sophisticated viruses could attach themselves to emails without user’s awareness.

Unlike before, the security administrators of today are faced with the difficulty of identifying the exact type and characterizes of the certain virus before taking the necessary removal actions. Following are the most common and challenging virus types. An armored virus is programmed to hide from any anti-virus software. It does that by having a second set of code or a decoy code which protects the actual code from detection.  Companion virus works similar to an armored virus in a sense that it hides from detection; however, it accomplishes such task by associating itself as an extension to a legitimate application. When a user opens that application, companion virus executes instead of the actual application. This type of virus is often used to corrupt Windows systems by manipulating the Registry (Computer virus: the types of viruses out there).

Moreover, the goal of a computer is to make lives of its users easier, and macro offers exactly that. It allows the user to code series of commands which are saved and can be executed automatically and repeatedly. These macros are usually used for Microsoft applications such as Word and Excel. Macro virus exploits the actual function of the macros and spread itself to other systems. “Macro viruses are the fastest growing exploitation today” (Dulaney).  In addition, there is another type of virus which attacks the system in several different ways. Multipartite virus embeds itself in the boot sector of the operating system as well as it attaches to all the executable files in the system. The idea behind this virus is that the user won’t be able to control this virus and meanwhile virus will continue infestation process (Dulaney). Likewise, stealth virus also attaches itself to the boot sector of the hard drive. When a user runs anti-virus software, stealth virus redirects the commands around itself which makes it hard to detect this infection. This virus holds the capabilities of relocating itself from one location to another while the anti-virus software is in process.

Moreover, phage virus attaches itself to programs and databases but it also modifies applications. The only way to successfully remove this infection is by reinstalling the application. The reason for that is because if any file is missed, the infection processes will initiate again and spread throughout the system.  Another powerful infection is polymorphic virus. Unlike all the other infections, this virus encrypts part of itself to avoid detection. This makes it difficult for anti-virus software to detect this infection (Dulaney). Polymorphic viruses’ characteristics are referred to as mutation because it changes itself often to hide from antivirus software. Similarly, retrovirus bypasses itself and gets access to the system. Unlike all other infections that hide from anti-virus software, retrovirus directly attacks the anti-virus software installed on the system. Due to the power of this virus, it destroys the systems anti-virus software where it’s no longer functional. However, the user continues to believe that the installed anti-virus software is fully functional and that the system is protected (Dulaney).

It is important to differentiate additional threats that are often misinterpreted as viruses.

The two most common troublesome non-virus threats are spam and worms.

Spam is defined as “copies of the same message, in an attempt to force the message to people who would not otherwise choose to receive it” (Mueller). Most often spam consists private advertising and “get-rich-quick” schemes (Mueller). The attacker gathers information by stealing mailing lists and retrieving email addresses from the web. Even though most users ignore spam and mark it as junk to prevent receiving it in the future. However, users that open spam ultimately get overwhelmed by the amount of spam they begin to receive. Besides being annoying, spam does cost the Internet Service Provider to transmit which in result costs the end user (Mueller).

On the other hand, a worm is different from a typical virus in a sense that I can reproduce itself without the need of any host. “Many of the so-called viruses that have made the papers and media were, in actuality, worms and not viruses” (Dulaney). The most devastating example of a worm is Melissa, which spread to more than 100,000 systems and one location was attacked with 32,000 copies in 45-minutes (Dulaney). Worms are designed to propagate using TCP/IP, emails, internet services and other means.

Protection:   

Even though it is impossible to completely protect your system, however, if proper procedure is followed the likelihood of becoming a victim decreases. “The best defense against a virus attack is up-to-date antivirus software installed and running” (Dulaney). Usually, the systems that become the victim of attacks don’t have updated anti-virus installed or there wasn’t automatic scan setup. In addition, if you have multiple systems it is recommended that you install anti-virus software from a different vendor on each system. However, the most common mistake that users make is that they install two different anti-virus software on the same system. Doing so makes both software work against each other and ultimately provides no protection to the system. Lastly, it is vital that the user is educated on preventing methods. Regardless of how superior your anti-virus software it; eventually the responsibility comes down to the end user. The user needs to be made aware of the potential threats and how to protect the system from them. “They need to scan every disk, e-mail, and documents they receive before they open them” (Dulaney). Education is the key to protecting information security. In the corporate environment, all the staff members need to be trained on the importance of information security. This training should be followed by consequences for individuals who consistently fail to take information security seriously.

________________________________________________________________________________

References

Computer virus: the types of viruses out there. (n.d.). Retrieved September12, 2010, from http://www.spamlaws.com/virus-types.html
Dulaney, E. (2009). Comptia security+ deluxe. Indianapolis, Indiana: Wiley Publishing, Inc.
McGraw, G, & Morrisett, Greg. (2000). Attacking malicious code: a report to the infosec research council. IEEE Software.
Mueller, S. (n.d.). What is spam?. Retrieved September 27, 2010, from, http://spam.abuse.net/overview/whatisspam.shtml
Neal, D. (2010, September 17). Cyber attacks growing in number and sophistication. Retrieved September 19, 2010, from http://www.v3.co.uk/v3/news/2269980/firms-open-range-security?page=1
Online threats. (n.d.). Retrieved September 18, 2010, from http://www.staysafeonline.org/content/online-threats
Parks, D. (2009, August 28). The common threats to it security. Retrieved September 15, 2010, from, http://www.articlesbase.com/software-articles/the-common-threats-to-it-security-1171518.html
Scwartz, Mathew. (2010, September 08). Symantec finds 65% have been hit by cybercrime. Retrieved September 15, 2010 from, http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=227300362&subSection=Attacks/breaches
Tagged , , , ,

Finding Known Evil With Nessus – Part 2

This post is a continuation of my earlier post about finding a known-bad process with Nessus vulnerability scans. In this post, I will share my experience after I finished running my first scan using this new scan policy.

Unlike the regular vulnerability scans, the duration of this scan was much less. The reason for this was because the scan policy consisted of only selected plugins. However, even with only selected plugins, the scan results were very comprehensive.

First, the scan result shows the MD5 hash of the suspicious process. Now you can take this MD5 hash and search sites like VirusTotal but on the scan results page, you will find a direct link to a Tenable website that will provide additional information about the suspicious process. This information is similar to what you would find on VirusTotal but with little less information. In my case, I still searched VirusTotal for more detailed information.

Second, the scan result shows the path of where the suspicious process is located on the target system. Obviously, this is great because now you don’t have to search the system and locate the executable in question. But what’s even better is that the scan results even show all the instances of that suspicious process that the scan found. For example, in my test scan, the same suspicious process was located under numerous user profiles.

With the above information in hand, you can quickly develop you indicators of compromise (IOCs) and begin your investigation. My initial step was to review all the processes on my target machine and identify the process ID (PID) of the executable that the scanner identified. From here you can look at all the network connections related to this process, the system handles, any additional sub-processes, etc.

Overall, I am satisfied with what I have seen so far. I think that it is great that Tenable has incorporated these checks because in my option it makes perfect sense to check for known bad stuff during the time that you have already allocated for vulnerability scans. However, I would recommend that you separate your suspicious process and vulnerability data because do you not want to alarm the system owners without properly doing your own investigation. The easiest way to do this is by creating two different repositories and then drafting different reports/dashboards from each of those repositories.

My final comment is that if you have Nessus (I used SecurityCenter); please try to run this scan with the new scan policy. You can find the link to download this scan policy in my first post. Let me know what you guys think!

Tagged , ,

Finding Known Evil With Nessus

When it comes to performing vulnerability assessments, Nessus is by far the industry leader.  Nessus is known as “world’s best vulnerability management tool” and I think the reason for this is because of the continuous research the Nessus team does around new vulnerabilities and push them out to their customers in a timely manner. If you are not families with Nessus here is a very high-level overview – Nessus uses “plugins” which simply put are scripts that run on the target hosts to see if it meets the criteria for a certain vulnerability. And as new plugins get pushed to customers the old plugins also get updated daily.

I have been using Nessus for some time now and I have been very pleased with their level of commitment and excellent support. And recently as I was going through their blogs, I came across an interesting post regarding finding malware through Nessus scans. I found this interesting for two reasons: first, because I had not tried this before and second because as a security professional its better if you find evil in your environment before it gets reported to you.

The process for running malware scan is same as running the normal vulnerability scan. You just need to make sure that you select the appropriate plugins in your scan policy and use credentials that have administrative privileges on the target system. The following blog post lists the default plugin you can use to get started with malware scans – a sample scan policy is available for you to download which you can simply upload in your scanner and run the scan. This blog post also contains links to other related posts that talk about additional plugins that you can enable in your scan policy.

I have not had the chance to run this scan however, I plan to give this a try this coming week using the sample scan policy. I will write a follow-up post to share my experience.

Tagged , ,

VMware and Digital Forensic Process

Recently, I have started performing digital forensics on virtual images and wanted to briefly share the process that I am following and the challenges that I am facing:

The Process:

  • Originally, the machines in the environment are virtualized via VMware ESX.
  • To take the forensic image at a given point, the virtual machine is suspended and copied to a forensic workstation.
  • Following the second step, retains the memory in the vmem file and allows for memory analysis.
  • The suspended machines are resumed on the forensic workstation via VMware Workstation.

The Challenge:

  • Usually, the machine coming from the ESX has large resource allocations that are not available on the forensic workstation. For example, the machine in ESX can be allocated 12GB of RAM and 4 processors – however, this cannot be met with what is available on the forensic workstation. This results in the machine being non-responsive when resumed on the VMware Workstation.
  • When you are able to resume the machine in VMware Workstation you are not able to transfer any tools over without first installing the VMware tools – sometimes this requires a restart.
  • If the machine was originally part of a domain and the machine was suspended without someone already logged-in; you do not have a way to get into the system other than resetting the password via some live disk. The other option is to retrieve the password from the memory.
  • If the machine itself does not have enough disk space for you to save the output from all your tools then you have to enable Folder Sharing feature on the VMworktation.

These are some of my immediate experience from performing forensic on virtual images. The reason for this post is to get feedback from the forensic community on how I can improve my process and make sure I minimize the changes made to the evidence.

Tagged ,