Requirements
- VMWare and a virtual machine of a Windows system with the .NET 2.0 Framework installed (if you want to do some testing)
- A little programming experience with VB.NET (C++, C# or x86 ASM if you want to mess with the original source code)
Terminology
- Forensic image: A bit for bit copy of an entire storage medium like a hard disk drive that can be split into segments or multiple images to fit on file systems with file size restrictions (i.e., FAT32 at 4GB).
- Virtual machine: In the context of this article it is a system that has been booted from either forensic images or a physical disk into a virtualized environment using LiveView and VMWare.
What exactly does “Breaking Forensic Images Booted as a Virtual Machine” mean?
Forensic images and physical storage media such as a hard drive can be virtualized and booted as a virtual machine in VMWare with no modification to the actual images themselves. This allows an examiner to interact with their evidence. They can boot the DD or raw format images through software such as LiveView and interact with the system as if they were actually standing in front of it.
This technique of virtualizing the images is becoming very common in investigations. It not only gives an examiner a view of what the system was like the last time it was turned off but it allows them to better present findings to clients or even in court giving everyone a view they will probably recognize.
What I’ve done…
I’ve dug around a bit and found some older examples of software that will detect whether or not the current system is being run in a virtual environment. According to the author of the original software, VMWare creates a special “port” which interfaces between the virtual machine and VMWare itself which allows it to be detected.
So what I’ve done is compiled his detection library (it’s a .dll) and written a very tiny program in VB.NET which uses the library to determine whether or not the system is running in VMWare. If the software determines that it is in fact running in a virtual environment it calls a shutdown command which then powers off the operating system which happens to be Windows XP with the .NET 2.0 Framework installed.
If you were to have a small program like this run at Windows startup, it would rein all sorts of difficulty down on an examiner who wishes to virtualize the images. Now they can’t boot the forensic images in VMWare and to do this they now need to figure out what is happening to the system to cause it to shutdown. If they figure out that you’ve a small program running then they’ll need some way of removing it.
An examiner will have to reverse or restore (in EnCase terminology) the images back to a physical hard disk and modify the new disk copy disabling the software. Then they can successfully boot the physical disk with software like LiveView into a virtual environment with VMWare. This creates a lot of extra hassel and adds time to an investigation if they decide they want to spend those hours figuring out why the system shuts down, then take the time to restore the images and finally disable the software.
Purpose and Ideas
Since all of the detection functions and routines are in the detection library (the .dll file) you should be able to easily code a bit of software that utilizes it in your own language of choice. I believe in the original source code the C++ example is all contained in one executable as well.
I’ve not added any routines that add this program to any startup registry keys or directories and adding this functionality would not be difficult at all. Currently all it does is run and perform an extremely simple check (if/else) to determine if the system is virtualized. If it is, it executes a shutdown command. If it is not it promptly kills itself in under a second.Â
To help avoid detection it may be wise to compress the executable and library and make sure their filenames are not all that suspicious much like in this article.
It may also be wise to add some sort of check that determines if the software is being run from the same machine. This is because an examiner may find it and decide to copy it out and run it to see what it does. If you could devise a routine that checks for say… some file buried in a directory in the Windows folder then it would trip up most examiners even more. Many will probably not break out a debugger to see what is really happening but some probably would.
The main purpose here is to trip up the examiners. Make them waste their time, their client’s time and everyone else’s. Make the costs of a computer forensics examination even more expensive.
Issues
Well, obviously if it is discovered that someone is running software like this by an examiner, it probably won’t look all that great when that person is then being questioned in court.
This also does not stop a forensic examination. Examiners have lived without this technology and there have been countless examinations that have never involved using LiveView and virtualizing evidence.
The fact remains that virtualizing evidence is becoming very common and convenient in investigations and I can only see this technology and software increasing in use. This is definitely another method I would add to my anti-forensics arsenal.
The Goods
The author of the original code is named Elias aka lallous. I found the original source code on CodeProject and this programmer definitely deserves a shoutout for his work. He has also credited a Ken Kato for work that had been done in reversing VMWare.
My download below includes the binaries for the program I created as well as the library created by lallous. It also contains the source code for the program. You can find the original source code in the link one paragraph up.
If you have suggestions, comments or want to share your own modifications then please comment below!
Other Downloads
I use FTK imager for my own copies, but how do I convert an image file into a functioning os on vmware? Can you point me in the right direction. Love your site, keep up the good work.
Hey PC646, thanks for the encouragement :]
If you are using the free FTK imager to image your drives then they’ll be in DD or raw format. This is what LiveView requires in conjunction with an installation of VMWare.
You can use the free VMWare server or Workstation. I have used the free server version but prefer workstation with live view as it seems to be less buggy.
LiveView is free and can be downloaded here: http://liveview.sourceforge.net/
It supports:
Windows 2008, Vista, 2003, XP, 2000, NT, Me, 98
Linux (limited support)
There are other products, one being Mount Image Pro which works great and supports EnCase format disk images as well (.E0*) that you would get using Linen or Encase to do your acquisition.
LiveView is very easy to use once you mess around with it a bit. It’s basically just:
1. Add all images to path
2. Create directory for VMWare and LiveView temp files
3. Set RAM to desired level
4. Start it
I’ve used both LiveView and MountImagePro a lot and I have to say I love both.
Nice article! Thanks for the source, will play around with it a bit
Currently looking into anti-vm techniques. Here an interesting document:
http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf
Can anyone suggest where I can download a copy of the Encase LinEn iso for free? Just for research, I’m not a forensics man after tools on the cheap!
Sure Bob. LinEn is the free Linux acquisition tool from Guidance. The HELIX3 distribution does contain it but I believe HELIX3 has just gone to a paid monthly subscription.
You can download LinEn itself from here: http://www.guidancesoftware.com/support/LinEn_LicenseAgreement.aspx
Then you can run it from a terminal in a Linux environment.
Wouldn’t this also mess up the chain of evidence?
If they decided to remove the program so they could look around and they got evidence from their “edited” copy, couldn’t a good lawyer say they added what ever they found themself’s because of the modified hash?
But it probably wouldn’t be that hard for them to explain them selfs; all it takes is one juror.