Linux Forensics - Week 4
April 9, 2004
This is the final in a series of Agile Risk Management LLC Linux Forensics articles. We released a total of four articles over the last month. All prior articles are available on our website. Each article outlines Linux forensics techniques, tools, and procedures. We welcome your suggestions and comments, and hope you enjoy the material.
Using Linux VMware Workstation and Raw Disk Images to view the Suspect Workstation
Borrowing from an earlier work by Ernie Baca, available here, and recommendations from VMware power users and support groups, we have documented a process for booting raw disk images through VMware Workstation while maintaining their original content. It is no longer a requirement to partition or re-image an existing hard drive and reboot the investigator's workstation. Individual raw disk images can be booted directly from within VMware Workstation. More information on VMware Workstation is available at vmware.com.
In this article we will provide an overview of VMware Workstation, cover the process for booting raw disk images properly, and provide suggestions for using this valuable investigation technique.
VMware Workstation 4.5.1 - Overview
VMware Workstation is a virtual machine application developed for software developers and system administrators to assist with software development, testing, and deployment. VMware Workstation provides a complete array of virtual hardware and the capacity to load over twenty different operating system platforms. VMware Workstation has also made its mark in the information security industry, as professionals are now able to access both Windows and Linux tools during the same session, view and analyze malware without risk of compromise, and test exploit code and security system weaknesses without incurring the overhead and additional cost of multiple physical machines.
Configuring and booting Raw Disk images with VMware Workstation
VMware Workstation provides an exceptional user interface, which is well documented in numerous online and offline manuals, so we will concern ourselves primarily with the individual configuration files that need to be modified to accept the raw disk image.
The first step in the process is to obtain raw disk images of both the Master Boot Record (MBR) and any needed partitions. There are multiple ways to accomplish this: the entire disk can be imaged (/dev/hdX, /dev/sdX) and mounted through the loopback device, with each partition then extracted. More information on the NASA Loopback device is available here. In addition, patches for the 2.4.24 Linux kernel are available in our Digital Intelligence Firefly and Ultrablock review here.
In our example, we chose to connect the drive to the physical machine using our Ultrablock device, then "dd" the contents of both the MBR and the partition to individual files. We chose a block size (bs) of 512 bytes, because the resulting number of records transferred is then exactly the sector count needed for the VMware configuration file.
Once both the image files and the VMware Workstation virtual machine have been created, you will need to edit the ".vmdk" and ".vmx" files corresponding to your virtual machine. In our case these were vmware-test.vmdk and vmware-test.vmx. In the vmdk file, under the section labeled "Extent description", modify the first line to point to the MBR image, and modify the second line to point to the partition image and include the number of 512-byte records copied. Finally, modify ddb.geometry.cylinders to include the appropriate number of cylinders from the original physical drive. In the vmx file, set the IDE device mode (ide0:0.mode) to independent-nonpersistent. This will prevent changes performed in the virtual machine environment from being applied to the raw disk image. The complete process is shown below.
[mshannon@forensic0 mshannon]$ su
Password:
[root@forensic0 mshannon]# cd vmware-test/
[root@forensic0 vmware-test]# ls
vmware-test.vmdk vmware-test.vmx vmware-test.vmx.WRITELOCK
[root@forensic0 vmware-test]# dd if=/dev/sda of=mbr.img bs=512 count=63
63+0 records in
63+0 records out
[root@forensic0 vmware-test]# dd if=/dev/sda1 of=partition.img bs=512
2491712+0 records in
2491712+0 records out
[root@forensic0 vmware-test]# vi vmware-test.vmdk
# Disk DescriptorFile
version=1
CID=dc92f58c
parentCID=ffffffff
createType="monolithicFlat"
# Extent description
RW 63 FLAT "mbr.img" 0
RW 2491712 FLAT "partition.img" 0
# The Disk Data Base
#DDB
ddb.toolsVersion = "0"
ddb.adapterType = "ide"
ddb.geometry.sectors = "63"
ddb.geometry.heads = "16"
ddb.geometry.cylinders = "1216"
ddb.virtualHWVersion = "3"
scsi0.present = "TRUE"
memsize = "16"
[root@forensic0 vmware-test]# vi vmware-test.vmx
ide0:0.present = "TRUE"
ide0:0.fileName = "vmware-test.vmdk"
ide1:0.present = "TRUE"
ide1:0.fileName = "/dev/cdrom"
ide1:0.deviceType = "cdrom-raw"
floppy0.fileName = "/dev/fd0"
sound.present = "TRUE"
displayName = "vmware-test"
guestOS = "win31"
priority.grabbed = "normal"
priority.ungrabbed = "normal"
uuid.location = "56 4d 03 d8 4f 7f 73 b8-29 78 1d 14 c7 d2 69 8e"
uuid.bios = "56 4d 03 d8 4f 7f 73 b8-29 78 1d 14 c7 d2 69 8e"
tools.remindInstall = "TRUE"
ide0:0.mode = "independent-nonpersistent"
PRE-BOOT
[root@forensic0 vmware-test]# md5sum partition.img
082bf383ad1b85d470c1baeb6db092db partition.img
[root@forensic0 vmware-test]# md5sum mbr.img
0979be7839ceac8e5e944c9ead59971f mbr.img
POST-BOOT with file deletion
[root@forensic0 vmware-test]# md5sum partition.img
082bf383ad1b85d470c1baeb6db092db partition.img
[root@forensic0 vmware-test]# md5sum mbr.img
0979be7839ceac8e5e944c9ead59971f mbr.img
The above commands, coupled with a basic virtual machine configuration, allow the investigator to boot the workstation without the need to image additional hard disks or reboot the existing host environment, and changes performed in the virtual machine will not be applied to the raw disk image, as the identical pre- and post-boot checksums show.
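As an added example (not from the article or from VMware), the following Python script derives the extent lines and cylinder count from the sizes of the dd images and records the PRE-BOOT digests so they can be compared after the guest is shut down. Deriving cylinders from the total sector count is an assumption of this example; the article takes the value from the physical drive's geometry instead.

```python
"""Build a monolithicFlat VMDK descriptor from dd raw images and verify that
the images are unchanged after the guest has been booted (constructed example)."""
import hashlib
import math
import os

SECTOR = 512  # dd block size used in the article; also one VMDK sector

def sector_count(path):
    """Sectors in a raw image; a partial sector cannot be expressed in an extent line."""
    size = os.path.getsize(path)
    if size % SECTOR:
        raise ValueError(f"{path}: {size} bytes is not a multiple of {SECTOR}")
    return size // SECTOR

def vmdk_descriptor(mbr_img, part_img, heads=16, sectors=63):
    """Descriptor text: one RW FLAT extent per image in disk order, plus a
    cylinder count large enough to cover both extents (assumed derivation;
    the article copies the cylinder value from the physical drive instead)."""
    extents = [(os.path.basename(p), sector_count(p)) for p in (mbr_img, part_img)]
    total = sum(n for _, n in extents)
    cylinders = math.ceil(total / (heads * sectors))
    cid = "%08x" % int.from_bytes(os.urandom(4), "big")  # VMware uses a random 32-bit content id
    lines = ["# Disk DescriptorFile", "version=1", f"CID={cid}", "parentCID=ffffffff",
             'createType="monolithicFlat"', "", "# Extent description"]
    lines += [f'RW {n} FLAT "{name}" 0' for name, n in extents]
    lines += ["", "# The Disk Data Base", "#DDB", 'ddb.adapterType = "ide"',
              f'ddb.geometry.sectors = "{sectors}"', f'ddb.geometry.heads = "{heads}"',
              f'ddb.geometry.cylinders = "{cylinders}"', 'ddb.virtualHWVersion = "3"']
    return "\n".join(lines) + "\n"

def md5_of(path):
    """Stream the image through MD5 (equivalent to the article's md5sum)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(paths):
    """PRE-BOOT: record the digest of every image before the guest is started."""
    return {p: md5_of(p) for p in paths}

def changed_since(baseline_digests):
    """POST-BOOT: images whose digest differs; an empty list confirms that
    independent-nonpersistent mode kept the evidence files intact."""
    return [p for p, d in baseline_digests.items() if md5_of(p) != d]
```

Write the output of vmdk_descriptor() to the virtual machine's .vmdk file, call baseline() before the first boot, and call changed_since() after the guest has been shut down.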
Uses and Recommendations
Booting the suspect workstation through VMware provides a multitude of additional data and opportunities for inquiry to the forensics investigator, such as the following:
Obtaining a look and feel for the machine.
As with Ernie Baca's original paper, being able to view and walk through the workstation or PC can be an invaluable source of additional information.
Determining boot up processes and initial startup parameters.
Although individual boot processes and startup applications can be obtained through registry queries, and a review of the startup folder, access to the live machine may provide additional process information previously unavailable.
Accessing network traffic and broadcasts.
Configuring the virtual machine to allow you access to the network traffic may provide invaluable information as to the activities of malware and trojans that are present on the image.
Bypassing the file encryption system.
Windows 2000 file encryption can be disabled and bypassed upon gaining administrator access to the live image.
Gaining access to the live filesystem may prove invaluable to current and future investigations; using the techniques outlined above, you can obtain access to the hard drive image without concern about tampering or data modification. That said, we still recommend creating a second drive image for VMware analysis, in case VMware configurations change over time or random application errors accidentally modify data.
The above information, tools, and recommendations can be used as part of a Linux Forensics investigation, providing potentially valuable insight to the case at hand.
Look for prior "Agile Linux Forensics Weekly" articles on our White Papers page.
About the Author:
Matthew Shannon has over five years of professional information security experience in private industry, including KPMG LLP, ExxonMobil, and United Technologies. Mr. Shannon has been the lead investigator on numerous computer forensics engagements, including intellectual property theft and employment law.
Mr. Shannon graduated cum laude from The University of Florida in Decision and Information Sciences (BSBA) in 1999. He is an accomplished speaker having presented at the DEFCON 11 Information Security Conference in Las Vegas, Nevada. He is a member in good standing of ISSA. In addition, Matthew holds numerous professional information technology certifications, and has been a contributor to multiple open source information security projects including "The Sleuthkit" and "The Honeynet Project".
About Agile Risk Management LLC:
Agile Risk Management, LLC is a premium provider of information security consulting services, committed to providing business value with uncompromised integrity. Agile specializes in delivering consulting services not motivated or influenced by vendor products or relationships. Agile provides services that afford reasonable protection for the information assets of our clients in accordance with their business needs.
Agile service offerings include:
- Digital Forensics and Litigation Support
- Security Assessments
- Security Program Development
- Crisis Management
- Business Continuity Planning