Breaking Forensic Images Booted as a Virtual Machine


Requirements

  • VMWare and a virtual machine of a Windows system with the .NET 2.0 Framework installed (if you want to do some testing)
  • A little programming experience with VB.NET (C++, C# or x86 ASM if you want to mess with the original source code)

Terminology

  • Forensic image: A bit-for-bit copy of an entire storage medium, such as a hard disk drive, that can be split into segments or multiple image files to fit on file systems with file size restrictions (e.g., FAT32 at 4 GB).
  • Virtual machine: In the context of this article, a system that has been booted from either forensic images or a physical disk into a virtualized environment using LiveView and VMWare.

What exactly does “Breaking Forensic Images Booted as a Virtual Machine” mean?

Forensic images and physical storage media such as a hard drive can be virtualized and booted as a virtual machine in VMWare with no modification to the images themselves. This allows an examiner to interact with their evidence: they can boot DD (raw format) images through software such as LiveView and interact with the system as if they were actually standing in front of it.

This technique of virtualizing the images is becoming very common in investigations. It not only gives an examiner a view of what the system was like the last time it was turned off, but also lets them better present findings to clients or even in court, giving everyone a view they will probably recognize.

What I’ve done…

I’ve dug around a bit and found some older examples of software that will detect whether or not the current system is being run in a virtual environment. According to the author of the original software, VMWare creates a special “port” which interfaces between the virtual machine and VMWare itself which allows it to be detected.

So what I’ve done is compile his detection library (it’s a .dll) and write a very tiny program in VB.NET which uses the library to determine whether or not the system is running in VMWare. If the software determines that it is in fact running in a virtual environment, it calls a shutdown command, which powers off the operating system (in this case Windows XP with the .NET 2.0 Framework installed).

If you were to have a small program like this run at Windows startup, it would rain all sorts of difficulty down on an examiner who wishes to virtualize the images. They can no longer simply boot the forensic images in VMWare; first they need to figure out what is happening to the system to cause it to shut down. If they figure out that you have a small program running, then they’ll need some way of removing it.

An examiner will have to restore (in EnCase terminology) the images back to a physical hard disk and modify the new disk copy, disabling the software. Then they can successfully boot the physical disk with software like LiveView into a virtual environment with VMWare. This creates a lot of extra hassle and adds time to an investigation if they decide they want to spend those hours figuring out why the system shuts down, then take the time to restore the images and finally disable the software.
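From the examiner’s side, the quickest way to find a program like this is to search a copy of the image’s startup locations for binaries that probe the VMWare port. The following is an added example, not code from the post or from lallous’s library, and it assumes (from public documentation of the VMWare interface, not from this page) that a probe loads the magic value 0x564D5868 into EAX and port 0x5658 into EDX before an IN instruction; the sample files it scans are constructed inline.

```python
import os
import tempfile

# Assumption (not from the original post): code that probes the VMware
# guest-to-host "port" loads the magic 0x564D5868 ("VMXh") into EAX and
# port 0x5658 into EDX before an IN instruction. As x86 immediates these
# leave recognisable byte patterns in a binary, which an examiner can
# search a read-only copy of the startup folders for.
MOV_EAX_VMX_MAGIC = b"\xb8\x68\x58\x4d\x56"   # mov eax, 0x564D5868
MOV_EDX_VMX_PORT = b"\xba\x58\x56\x00\x00"    # mov edx, 0x5658
# Strings worth reporting next to a port probe (too common on their own).
SUSPECT_STRINGS = (b"VMware", b"shutdown")


def scan_bytes(data):
    """Return the list of indicator names found in one file's contents."""
    found = []
    if MOV_EAX_VMX_MAGIC in data:
        found.append("vmware_magic_in_eax")
    if MOV_EDX_VMX_PORT in data:
        found.append("vmware_port_in_edx")
    found += ["string:" + s.decode() for s in SUSPECT_STRINGS if s in data]
    return found


def scan_directory(root):
    """Walk a folder; report only files carrying the port-probe pattern."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                hits = scan_bytes(fh.read())
            if any(h.startswith("vmware_") for h in hits):
                report[os.path.relpath(path, root)] = hits
    return report


def build_sample_dir():
    """Create a constructed startup folder so the demo runs stand-alone."""
    root = tempfile.mkdtemp()
    # Constructed samples: byte patterns only, not real executables.
    with open(os.path.join(root, "updater.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 16 + MOV_EAX_VMX_MAGIC + MOV_EDX_VMX_PORT
                 + b"\xed" + b"shutdown -s -t 0\x00")
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"VMware Workstation notes, nothing executable here.")
    return root
```

Running `scan_directory(build_sample_dir())` flags only `updater.exe`; the text file mentioning VMware is ignored because it carries no port-probe pattern.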

Purpose and Ideas

Since all of the detection functions and routines are in the detection library (the .dll file), you should be able to easily code a bit of software that utilizes it in your own language of choice. I believe the C++ example in the original source code is all contained in one executable as well.

I’ve not added any routines that add this program to any startup registry keys or directories, though adding this functionality would not be difficult at all. Currently all it does is run and perform an extremely simple check (if/else) to determine if the system is virtualized. If it is, it executes a shutdown command. If it is not, it promptly exits in under a second.

To help avoid detection it may be wise to compress the executable and library and make sure their filenames are not all that suspicious much like in this article.

It may also be wise to add some sort of check that determines if the software is being run from the same machine. This is because an examiner may find it and decide to copy it out and run it to see what it does. If you could devise a routine that checks for say… some file buried in a directory in the Windows folder then it would trip up most examiners even more. Many will probably not break out a debugger to see what is really happening but some probably would.

The main purpose here is to trip up the examiners. Make them waste their time, their client’s time and everyone else’s. Make the costs of a computer forensics examination even more expensive.

Issues

Well, obviously if an examiner discovers that someone is running software like this, it probably won’t look all that great when that person is later being questioned in court.

This also does not stop a forensic examination. Examiners have lived without this technology and there have been countless examinations that have never involved using LiveView and virtualizing evidence.

The fact remains that virtualizing evidence is becoming very common and convenient in investigations and I can only see this technology and software increasing in use. This is definitely another method I would add to my anti-forensics arsenal.

The Goods

The author of the original code is named Elias, aka lallous. I found the original source code on CodeProject, and this programmer definitely deserves a shoutout for his work. He has also credited Ken Kato for work done in reversing VMWare.

My download below includes the binaries for the program I created as well as the library created by lallous. It also contains the source code for the program. You can find the original source code in the link one paragraph up.

Download Here

If you have suggestions, comments or want to share your own modifications then please comment below!

Other Downloads

VB.NET 2008 Express Edition from Microsoft

10 Comments


  1. I use FTK imager for my own copies, but how do I convert an image file into a functioning os on vmware? Can you point me in the right direction. Love your site, keep up the good work.

  2. Hey PC646, thanks for the encouragement :]

    If you are using the free FTK imager to image your drives then they’ll be in DD or raw format. This is what LiveView requires in conjunction with an installation of VMWare.

    You can use the free VMWare Server or Workstation. I have used the free server version but prefer Workstation with LiveView as it seems to be less buggy.

    LiveView is free and can be downloaded here: http://liveview.sourceforge.net/

    It supports:
    Windows 2008, Vista, 2003, XP, 2000, NT, Me, 98
    Linux (limited support)

    There are other products, one being Mount Image Pro, which works great and supports EnCase format disk images as well (.E0*) that you would get using LinEn or EnCase to do your acquisition.

    LiveView is very easy to use once you mess around with it a bit. It’s basically just:
    1. Add all images to path
    2. Create directory for VMWare and LiveView temp files
    3. Set RAM to desired level
    4. Start it

    I’ve used both LiveView and MountImagePro a lot and I have to say I love both.

  3. Nice article! Thanks for the source, will play around with it a bit :)

    Currently looking into anti-vm techniques. Here an interesting document:
    http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf

  4. Can anyone suggest where I can download a copy of the EnCase LinEn ISO for free? Just for research, I’m not a forensics man after tools on the cheap! :D

  5. Wouldn’t this also mess up the chain of evidence?
    If they decided to remove the program so they could look around and they got evidence from their “edited” copy, couldn’t a good lawyer say they added whatever they found themselves because of the modified hash?

    But it probably wouldn’t be that hard for them to explain themselves; all it takes is one juror.

  6. I have worked with LiveView but don’t have as high a success rate compared to GetData’s VFC (Virtual Forensic Computing). LiveView, in my experience, gives errors during the snapshot process. VFC has given me errors only when the OS is not able to be detected, which is understandable due to various reasons. But the verdict: VFC is the overall winner, although it is not an open tool, purely commercial.

  7. Regarding the chain of evidence: Changes to images are OK as long as you don’t mess around with your original forensic image – just use a copy. The only thing you need to do is to document the changes and show to someone else that they are necessary for the work to proceed but not relevant to the things/files actually investigated. If you want to observe the network traffic the system generates you need to change things anyway, unless the system has a driver for the network cards your VM solution offers.

    When working with virtual images, setting the new virtual disk to “immutable” also helps. Also, Qemu might as well be sufficient to start an image; VirtualBox is another alternative as well.

  8. Not every Windows file is protected, and you could make things really confusing if you recompiled your check routines into a program that’s expected to run in all Windows systems instead of adding a non-standard file that starts up on bootup.

    Another way would be to add your check routines into a function stored within an unprotected DLL that’s called by a protected part of the OS. Basically you would want to modify the function so that it does your check routines and still has it do all its intended things afterwards. For example, a standard component has a function called DrawTextOnScreen() that calls a function TextToPixels() which is in VideoCardDriver.dll. Modify TextToPixels() so that it does your check routines, then does everything else it’s supposed to do as normal. Any time that standard component wants to draw text on the screen, it will check to make sure it’s not running in a VM.

    I think very few examiners would be able to figure that out. If you added your checks to lots of functions, they could spend a LONG time banging their heads against the wall trying to figure out why the virtualized system randomly shuts down.
