By Andrew Hoog
While virtualization is a key technology in the infrastructure of many enterprises, it is essential in the operation of a digital forensic organization. Virtualization can be used in a number of ways, including:
– Returning an analyst workstation to a validated state for each investigation
– Data recovery, by attaching a dd image of a drive as a secondary drive on a VM and running recovery software against it
– Booting a dd image (similar to LiveView)
– Application and system profiling/footprinting, which is essentially applying the scientific method
– Developing virtual appliances for specific functions (e.g. an Android forensics appliance)
And these are just a few examples. I’m sure many of you have additional uses you can share. This brief article will share with you our experiences in this area.
Selecting a virtualization solution
There are many virtualization solutions available, both commercial and non-commercial. One of the best known is VMware, which offers a full suite of products ranging from the free VMware Player to fully redundant enterprise solutions. Another software giant in the virtualization game is Microsoft, which offers everything from desktop (Virtual PC) to enterprise (Hyper-V) solutions, and many in between. On the Apple platform, the two primary options are VMware Fusion and the Parallels suite of products. And on the Linux side, there are a number of options, including KVM, Xen and VirtualBox.
After much testing, we ultimately chose VirtualBox by Oracle/Sun. There were a number of reasons why we chose VirtualBox:
- KVM had serious performance issues on our computers…did not identify root cause
- Xen was a more significant commitment in time and energy
- VirtualBox has a nice GUI, performed great and has both an open source version and a commercial one. It also provided a “headless” option allowing us to forego monitors.
Some folks could take issue with VirtualBox, or at least have their own favorite, and that’s fine. But we chose VirtualBox, are quite happy with it, and so that’s what the rest of this article covers. Our forensics workstations run a modified version of Ubuntu 10.04 Server. They have 8GB of RAM and a couple of multi-core processors.
VirtualBox just released an update on June 7, 2010. The 3.2.4 release is a maintenance release but I like to see projects which are actively maintained and updated. Additional details are available on the http://www.virtualbox.org/ website.
Step by step guide
For a test project we had, we needed a Windows Server 2008 R2 64-bit VM. Below are the steps you would follow on a computer running Ubuntu 10.04 Server 64-bit (the .iso for that platform is ubuntu-10.04-server-amd64.iso):
Create blank VM
VBoxManage createvm --name Win2008SvrR2 --ostype Windows2008_64 --register
Add options, including full hardware virtualization support (the online VirtualBox manual at http://www.virtualbox.org/manual/ch08.html is indispensable; every option below is documented there). Note that --vrdp on starts an RDP server for the VM console on the host, so choose a port that does not collide with a real RDP service:
VBoxManage modifyvm Win2008SvrR2 --memory 4096 --acpi on --boot1 dvd --nic1 bridged --usb on --usbehci on --vrdp on --vrdpport 3390 --clipboard bidirectional --pae on --hwvirtex on --hwvirtexexcl on --vtxvpid on --nestedpaging on --largepages on
Setup bridged network using first Ethernet card (eth0)
VBoxManage modifyvm Win2008SvrR2 --bridgeadapter1 eth0
Add an IDE controller (other options exist, such as SCSI and SATA, but IDE seems to be the most widely used and needs no extra drivers during the Windows install)
VBoxManage storagectl Win2008SvrR2 --name "IDE Controller" --add ide
Create the hard drive image (VDI). In VirtualBox 3.2 the command is createhd (createvdi is the older alias); the size is in megabytes. The image does not need a separate registration step, since storageattach below accepts the path (if it complains that the medium is unknown, register it first with VBoxManage openmedium disk <path>)
VBoxManage createhd --filename "/opt/vbox/HardDisks/win2008svrR2.vdi" --size 20000
Attach hdd to VM
VBoxManage storageattach Win2008SvrR2 --storagectl "IDE Controller" --port 0 --device 0 --type hdd --medium /opt/vbox/HardDisks/win2008svrR2.vdi
Attach DVD to VM (upload your OS installation .iso to the host machine first)
VBoxManage storageattach Win2008SvrR2 --storagectl "IDE Controller" --port 1 --device 0 --type dvddrive --medium ~/win2008svr.iso
Start the VM and install the OS. Run this inside a screen session: if you start it from a plain SSH login and the connection drops, the VBoxHeadless process (and the half-finished install) goes with it.
VBoxHeadless --startvm Win2008SvrR2 --vrdpport 3390 &
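The steps above, collected into one script as an added example (this is not code from the original article or from VirtualBox). It uses the same 3.2-era VBoxManage options; the VM name, ISO and disk paths, the eth0 bridge and the VRDP port are assumptions that can be overridden through the environment. Two checks the one-liners above do not make are added: the script refuses to overwrite an existing disk image, and it rejects a VRDP port that is non-numeric, privileged or equal to 3389. It also sets --vrdpauthtype, because the VirtualBox default (null) lets anyone who can reach the port take the console without a login.

```shell
#!/bin/sh
# build_analysis_vm.sh: provision and boot a headless Windows Server 2008 R2 VM
# with VirtualBox 3.2-era VBoxManage options. Added example for this article;
# the VM name, ISO/disk paths, bridge NIC and ports are assumptions (override
# them via the environment).
set -eu

VBOX=${VBOX:-VBoxManage}        # VBOX=echo prints the commands instead of running them
VM=${VM:-Win2008SvrR2}
ISO=${ISO:-${HOME:-.}/win2008svr.iso}
DISK=${DISK:-/opt/vbox/HardDisks/$VM.vdi}
BRIDGE=${BRIDGE:-eth0}
VRDP_PORT=${VRDP_PORT:-3390}
VRDP_AUTH=${VRDP_AUTH:-external} # 'null' (the VirtualBox default) means no login at all

# Refuse to start with a missing ISO or an existing disk image; a second run
# would otherwise overwrite the image you just installed into.
check_inputs() {
    [ -f "$1" ] || { echo "install ISO not found: $1" >&2; return 1; }
    [ ! -e "$2" ] || { echo "refusing to overwrite existing disk image: $2" >&2; return 1; }
    return 0
}

# The VRDP listener must be numeric, unprivileged, and must not collide with a
# real RDP server (3389) on the host.
vrdp_port_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ] && [ "$1" -ne 3389 ]
}

create_vm() {
    check_inputs "$ISO" "$DISK" || return 1
    vrdp_port_ok "$VRDP_PORT" || { echo "bad VRDP port: $VRDP_PORT" >&2; return 1; }

    $VBOX createvm --name "$VM" --ostype Windows2008_64 --register
    $VBOX modifyvm "$VM" --memory 4096 --acpi on --boot1 dvd \
        --nic1 bridged --bridgeadapter1 "$BRIDGE" \
        --usb on --usbehci on --clipboard bidirectional \
        --vrdp on --vrdpport "$VRDP_PORT" --vrdpauthtype "$VRDP_AUTH" \
        --pae on --hwvirtex on --hwvirtexexcl on --vtxvpid on \
        --nestedpaging on --largepages on
    $VBOX storagectl "$VM" --name "IDE Controller" --add ide
    $VBOX createhd --filename "$DISK" --size 20000
    $VBOX storageattach "$VM" --storagectl "IDE Controller" --port 0 --device 0 \
        --type hdd --medium "$DISK"
    $VBOX storageattach "$VM" --storagectl "IDE Controller" --port 1 --device 0 \
        --type dvddrive --medium "$ISO"
}

# Boot inside a detached screen session so a dropped SSH connection does not
# take the VM (and the installer) down with it.
start_vm() {
    screen -dmS "vbox-$VM" VBoxHeadless --startvm "$VM" --vrdpport "$VRDP_PORT"
    echo "VM $VM started; connect an RDP client to <host-ip>:$VRDP_PORT"
}

case "${1:-}" in
    create) create_vm ;;
    start)  start_vm ;;
    "")     ;;                  # no subcommand: only define the functions
    *)      echo "usage: $0 create|start" >&2; exit 2 ;;
esac
```

Usage: `./build_analysis_vm.sh create` followed by `./build_analysis_vm.sh start`; `VBOX=echo ./build_analysis_vm.sh create` shows the exact VBoxManage invocations without touching the hypervisor. With `--vrdpauthtype external` VirtualBox's Linux authentication library checks the supplied credentials through PAM, so the user running VBoxHeadless needs to be able to read /etc/shadow (or have an equivalent PAM setup); if that is not acceptable, run with `VRDP_AUTH=null` and restrict the port with the host firewall instead.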
Connect to new VM
Now that the new VM is booting (and running the OS installer), you need to connect to it with an application that supports the Remote Desktop Protocol (RDP). On Windows, run the Remote Desktop Connection client by going to Start -> Run, typing mstsc and pressing OK. In the Computer: field, type the IP address of your Ubuntu host followed by the VRDP port, i.e. <host-ip>:3390; the port suffix is required because we chose 3390 rather than RDP's default of 3389. The Linux and Apple platforms have similar RDP clients and the process is the same. Be aware that VirtualBox's VRDP server performs no authentication unless you tell it to (the default is --vrdpauthtype null), so anyone who can reach port 3390 on the host gets the VM console; restrict the port with the host firewall or set --vrdpauthtype external. Complete the install of the operating system and reboot as needed.
Install VBox Additions
To enable shared folders, better video and USB support (USB only if you downloaded/bought the PUEL edition), you need to install the VirtualBox Guest Additions. Use the Guest Additions ISO that matches your installed VirtualBox version:
wget http://download.virtualbox.org/virtualbox/3.2.0/VBoxGuestAdditions_3.2.0.iso
VBoxManage registerimage dvd ~/VBoxGuestAdditions_3.2.0.iso
VBoxManage storageattach Win2008SvrR2 --storagectl "IDE Controller" --port 1 --device 0 --type dvddrive --medium ~/VBoxGuestAdditions_3.2.0.iso
The DVD should now be visible inside the VM. You can remote into the host's VRDP port as described above, or determine the IP address of the VM itself, ensure RDP is enabled in the guest and remote into the computer directly. From there, double-click the DVD, run the Guest Additions installer and reboot.
Add shared folders
Make sure the Windows guest OS is shut down, then type the following on the Ubuntu server:
VBoxManage sharedfolder add Win2008SvrR2 --name "mnt" --hostpath "/mnt" --readonly
VBoxManage sharedfolder add Win2008SvrR2 --name "ahoog" --hostpath "/home/ahoog"
Restart the VM with the following command:
VBoxHeadless --startvm Win2008SvrR2 --vrdpport 3390 &
Then connect to the VM directly as described above. The shared folders are reached by UNC path: go to Start -> Run, type \\VBoxSvr and press OK, and you will see a list of the shared folders. Note that the /mnt share is exported read-only, which is what you want for a mounted dd image; the home directory share is writable.
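The post-install steps (swapping the install ISO for the Guest Additions ISO, then defining the shares) as an added example script; this is not code from the original article or from VirtualBox. It goes one step beyond the two commands above: any host path under an assumed evidence root (/mnt here) is exported read-only regardless of what the caller asked for, so a careless tool inside the guest cannot alter an image, and it checks that the VM is powered off before adding shares. The VM name, evidence root and share names are assumptions.

```shell
#!/bin/sh
# postinstall_shares.sh: attach the Guest Additions ISO and define shared
# folders, forcing every share under the evidence root to read-only.
# Added example for this article; paths and names are assumptions.
set -eu

VBOX=${VBOX:-VBoxManage}                  # VBOX=echo for a dry run
VM=${VM:-Win2008SvrR2}
EVIDENCE_ROOT=${EVIDENCE_ROOT:-/mnt}      # where dd images are mounted on the host

# sharedfolder add only works on a powered-off VM; check before trying.
vm_is_off() {
    $VBOX showvminfo "$1" --machinereadable | grep -q '^VMState="poweredoff"$'
}

# Put an ISO in the IDE slot the installer DVD used (port 1, device 0).
attach_iso() {
    [ -f "$1" ] || { echo "ISO not found: $1" >&2; return 1; }
    $VBOX storageattach "$VM" --storagectl "IDE Controller" --port 1 --device 0 \
        --type dvddrive --medium "$1"
}

# share_add NAME HOSTPATH [--readonly]
# Anything at or below EVIDENCE_ROOT is exported read-only whatever the caller
# asked for; other paths keep the requested mode.
share_add() {
    name=$1; path=$2; mode=${3:-}
    case "$path" in
        "$EVIDENCE_ROOT"|"$EVIDENCE_ROOT"/*) mode=--readonly ;;
    esac
    $VBOX sharedfolder add "$VM" --name "$name" --hostpath "$path" $mode
}

# The article's two shares: the evidence mount (read-only) and a home directory.
setup_shares() {
    share_add mnt   "$EVIDENCE_ROOT"
    share_add ahoog "${HOME:-/home/ahoog}"
}

case "${1:-}" in
    additions) attach_iso "${2:?usage: $0 additions <VBoxGuestAdditions.iso>}" ;;
    shares)
        vm_is_off "$VM" || { echo "$VM must be powered off to add shares" >&2; exit 1; }
        setup_shares ;;
    "") ;;                                # no subcommand: only define the functions
    *)  echo "usage: $0 additions <iso> | shares" >&2; exit 2 ;;
esac
```

Usage: `./postinstall_shares.sh additions ~/VBoxGuestAdditions_3.2.0.iso` while the guest is running, then after the Guest Additions install and a clean shutdown, `./postinstall_shares.sh shares`. The read-only enforcement is deliberately done at the hypervisor rather than in the guest, so it holds even if the guest's own permissions are misconfigured.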
Connect USB devices
If you purchased the enterprise version, or are simply evaluating the PUEL (Personal Use and Evaluation License) version, you can connect USB devices. The documentation was not clear, but we determined the necessary steps.
Add usbusers group
sudo addgroup usbusers
Add each user
Then, you need to add each local user that might run VirtualBox to the usbusers group (the user must log out and back in before the new group membership takes effect; check with id -nG <user>):
sudo usermod -a -G usbusers ahoog
Conclusion
There is much more to say about forensics and virtualization. But, alas, cases are piling up and it will have to wait until the next installment of this article, which will begin to cover how to use your shiny new VirtualBox virtual machine for some of the tasks I outlined at the start of this article. If you are interested in additional how-to articles or information, check out my own blog at http://viaforensics.com/blog/ or feel free to contact me directly.
Andrew Hoog is a computer scientist, computer/mobile forensic researcher and Chief Investigative Officer at viaForensics. His company assists and trains law enforcement and provides innovative digital forensics solutions to corporations and attorneys. He is currently writing a book about Android Forensics and maintains the Android Forensics Wiki at http://viaforensics.com/wiki.