Comments on: Breaking Forensic Images Booted as a Virtual Machine http://www.anti-forensics.com/breaking-forensic-images-booted-as-a-virtual-machine Rendering computer investigations irrelevant Sat, 05 Nov 2011 19:36:26 +0000 hourly 1 http://wordpress.org/?v=3.3 By: Brandon http://www.anti-forensics.com/breaking-forensic-images-booted-as-a-virtual-machine/comment-page-1#comment-471 Brandon Wed, 08 Jun 2011 09:16:31 +0000 http://www.anti-forensics.com/?p=228#comment-471 Not every Windows file is protected, and you could make things really confusing if you recompiled your check routines into a program that's expected to run in all Windows systems instead of adding a non-standard file that starts up on bootup. Another way would be to add your check routines into a function stored within an unprotected dll that's called by a protected part of the OS. Basically you would want to modify the function so that it does your check routines and still have it do all its intended things afterwards. For example, a standard component has a function called DrawTextOnScreen() calls a function TextToPixels() which is in VideoCardDriver.dll. Modify TextToPixels() so that it does your check routines, then does everything else it's supposed to do as normal. Any time that standard component wants to draw text on the screen, it will check to make sure it's not running in a VM. I think very few examiners would be able to figure that out. If you added your checks to lots of functions, they could spend a LONG time banging their heads against the wall trying to figure out why the virtualized system randomly shuts down. Not every Windows file is protected, and you could make things really confusing if you recompiled your check routines into a program that’s expected to run in all Windows systems instead of adding a non-standard file that starts up on bootup.

Another way would be to add your check routines into a function stored within an unprotected dll that’s called by a protected part of the OS. Basically you would want to modify the function so that it does your check routines and still have it do all its intended things afterwards. For example, a standard component has a function called DrawTextOnScreen() calls a function TextToPixels() which is in VideoCardDriver.dll. Modify TextToPixels() so that it does your check routines, then does everything else it’s supposed to do as normal. Any time that standard component wants to draw text on the screen, it will check to make sure it’s not running in a VM.

I think very few examiners would be able to figure that out. If you added your checks to lots of functions, they could spend a LONG time banging their heads against the wall trying to figure out why the virtualized system randomly shuts down.

]]> By: Joe http://www.anti-forensics.com/breaking-forensic-images-booted-as-a-virtual-machine/comment-page-1#comment-388 Joe Tue, 21 Dec 2010 11:20:59 +0000 http://www.anti-forensics.com/?p=228#comment-388 Regarding the chain of evidence: Changes to images are OK as long as you don't mess around with your original forensic image - just use a copy. The only thing you need to do is to document the changes and show to someone else that they are necessary for the work to procees but not relevant to the things/files actually investigated. If you want to observe the network traffic the system generates you need to change things anyway, unless the system has a driver for the network cards your VM-solution offers. When working with virtual images, setting the new virtual disk to "immutable" also helps. Also, Qemu might as well be sufficient to start an image, virtualbox is another alternative as well. Regarding the chain of evidence: Changes to images are OK as long as you don’t mess around with your original forensic image – just use a copy. The only thing you need to do is to document the changes and show to someone else that they are necessary for the work to procees but not relevant to the things/files actually investigated. If you want to
observe the network traffic the system generates you need to change things anyway,
unless the system has a driver for the network cards your VM-solution offers.

When working with virtual images, setting the new virtual disk to “immutable” also helps.
Also, Qemu might as well be sufficient to start an image, virtualbox is another alternative
as well.

]]> By: Max (Admin) http://www.anti-forensics.com/breaking-forensic-images-booted-as-a-virtual-machine/comment-page-1#comment-372 Max (Admin) Fri, 12 Nov 2010 09:28:43 +0000 http://www.anti-forensics.com/?p=228#comment-372 I have to agree with you. VFC is great and I recommend it as well if you've the bones to drop on it. I have to agree with you. VFC is great and I recommend it as well if you’ve the bones to drop on it.

]]> By: ccvish http://www.anti-forensics.com/breaking-forensic-images-booted-as-a-virtual-machine/comment-page-1#comment-371 ccvish Thu, 11 Nov 2010 06:19:32 +0000 http://www.anti-forensics.com/?p=228#comment-371 i have worked on Live View but dont have that much success rate compared to GetData's VFC,( Virtual Forensic Computing). Live View I have come across gives areas during the snapshot process. VFC has given me errors only when the OS is not been able to be detected which is understandable due to various reasons. But Verdict VFC overall winner although it is not a open tool purely commercial. i have worked on Live View but dont have that much success rate compared to GetData’s VFC,( Virtual Forensic Computing). Live View I have come across gives areas during the snapshot process. VFC has given me errors only when the OS is not been able to be detected which is understandable due to various reasons. But Verdict VFC overall winner although it is not a open tool purely commercial.

]]> By: KenTheFurry http://www.anti-forensics.com/breaking-forensic-images-booted-as-a-virtual-machine/comment-page-1#comment-218 KenTheFurry Wed, 14 Apr 2010 12:24:25 +0000 http://www.anti-forensics.com/?p=228#comment-218 Wouldn't this also mess up the chain of evidence? If they decided to remove the program so they could look around and they got evidence from their "edited" copy, couldn't a good lawyer say they added what ever they found themself's because of the modified hash? But it probably wouldn't be that hard for them to explain them selfs; all it takes is one juror. Wouldn’t this also mess up the chain of evidence?
If they decided to remove the program so they could look around and they got evidence from their “edited” copy, couldn’t a good lawyer say they added what ever they found themself’s because of the modified hash?

But it probably wouldn’t be that hard for them to explain them selfs; all it takes is one juror.

]]> By: Yar http://www.anti-forensics.com/breaking-forensic-images-booted-as-a-virtual-machine/comment-page-1#comment-41 Yar Fri, 20 Mar 2009 03:12:07 +0000 http://www.anti-forensics.com/?p=228#comment-41 Sure Bob. LinEn is the free Linux acquisition tool from Guidance. The HELIX3 distribution does contain it but I believe HELIX3 has just gone to a paid monthly subscription. You can download LinEn itself from here: http://www.guidancesoftware.com/support/LinEn_LicenseAgreement.aspx Then you can run it from a terminal in a Linux environment. Sure Bob. LinEn is the free Linux acquisition tool from Guidance. The HELIX3 distribution does contain it but I believe HELIX3 has just gone to a paid monthly subscription.

You can download LinEn itself from here: http://www.guidancesoftware.com/support/LinEn_LicenseAgreement.aspx

Then you can run it from a terminal in a Linux environment.

]]> By: Bob Bolin http://www.anti-forensics.com/breaking-forensic-images-booted-as-a-virtual-machine/comment-page-1#comment-38 Bob Bolin Fri, 20 Mar 2009 00:45:37 +0000 http://www.anti-forensics.com/?p=228#comment-38 Can anyone suggest where I can download a copy of the Encase LinEn iso for free? Just for research, I'm not a forensics man after tools on the cheap! :D Can anyone suggest where I can download a copy of the Encase LinEn iso for free? Just for research, I’m not a forensics man after tools on the cheap! :D

]]> By: John Doe http://www.anti-forensics.com/breaking-forensic-images-booted-as-a-virtual-machine/comment-page-1#comment-29 John Doe Tue, 17 Mar 2009 20:28:48 +0000 http://www.anti-forensics.com/?p=228#comment-29 Nice article! Thanks for the source, will play around with it a bit :) Currently looking into anti-vm techniques. Here an interesting document: http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf Nice article! Thanks for the source, will play around with it a bit :)

Currently looking into anti-vm techniques. Here an interesting document:
http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf

]]> By: Yar http://www.anti-forensics.com/breaking-forensic-images-booted-as-a-virtual-machine/comment-page-1#comment-15 Yar Tue, 10 Mar 2009 23:45:21 +0000 http://www.anti-forensics.com/?p=228#comment-15 Hey PC646, thanks for the encouragement :] If you are using the free FTK imager to image your drives then they'll be in DD or raw format. This is what LiveView requires in conjunction with an installation of VMWare. You can use the free VMWare server or Workstation. I have used the free server version but prefer workstation with live view as it seems to be less buggy. LiveView is free and can be downloaded here: http://liveview.sourceforge.net/ It supports: Windows 2008, Vista, 2003, XP, 2000, NT, Me, 98 Linux (limited support) There are other products, one being Mount Image Pro which works great and supports EnCase format disk images as well (.E0*) that you would get using Linen or Encase to do your acquisition. LiveView is very easy to use once you mess around with it a bit. It's basically just: 1. Add all images to path 2. Create directory for VMWare and LiveView temp files 3. Set RAM to desired level 4. Start it I've used both LiveView and MountImagePro a lot and I have to say I love both. Hey PC646, thanks for the encouragement :]

If you are using the free FTK imager to image your drives then they’ll be in DD or raw format. This is what LiveView requires in conjunction with an installation of VMWare.

You can use the free VMWare server or Workstation. I have used the free server version but prefer workstation with live view as it seems to be less buggy.

LiveView is free and can be downloaded here: http://liveview.sourceforge.net/

It supports:
Windows 2008, Vista, 2003, XP, 2000, NT, Me, 98
Linux (limited support)

There are other products, one being Mount Image Pro which works great and supports EnCase format disk images as well (.E0*) that you would get using Linen or Encase to do your acquisition.

LiveView is very easy to use once you mess around with it a bit. It’s basically just:
1. Add all images to path
2. Create directory for VMWare and LiveView temp files
3. Set RAM to desired level
4. Start it

I’ve used both LiveView and MountImagePro a lot and I have to say I love both.

]]> By: PC646 http://www.anti-forensics.com/breaking-forensic-images-booted-as-a-virtual-machine/comment-page-1#comment-14 PC646 Tue, 10 Mar 2009 22:21:04 +0000 http://www.anti-forensics.com/?p=228#comment-14 I use FTK imager for my own copies, but how do I convert an image file into a functioning os on vmware? Can you point me in the right direction. Love your site, keep up the good work. I use FTK imager for my own copies, but how do I convert an image file into a functioning os on vmware? Can you point me in the right direction. Love your site, keep up the good work.

]]>