Virtualization Forensics: Acquisition and analysis of a clustered VMware ESXi servers



Similar documents
IOS110. Virtualization 5/27/2014 1

Installing & Using KVM with Virtual Machine Manager COSC 495

Virtualization and Forensics

Anh Quach, Matthew Rajman, Bienvenido Rodriguez, Brian Rodriguez, Michael Roefs, Ahmed Shaikh

Hypervisor Software and Virtual Machines. Professor Howard Burpee SMCC Computer Technology Dept.

Definitions. Hardware Full virtualization Para virtualization Hosted hypervisor Type I hypervisor. Native (bare metal) hypervisor Type II hypervisor

Forensic Acquisition and Analysis of VMware Virtual Hard Disks

A cure for Virtual Insanity: A vendor-neutral introduction to virtualization without the hype

The Do s and Don ts of Server Virtualization Back to basics tips for Australian IT professionals

Virtualization with Windows

Comparing Free Virtualization Products

Virtualization & Cloud Computing (2W-VnCC)

Wishful Thinking vs. Reality in Regards to Virtual Backup and Restore Environments

2) Xen Hypervisor 3) UEC

Implementing and Managing Windows Server 2008 Hyper-V

6422: Implementing and Managing Windows Server 2008 Hyper-V (3 Days)

AN INTRODUCTION TO SERVER VIRTUALIZATION

In addition to their professional experience, students who attend this training should have technical knowledge in the following areas.

Week Overview. Installing Linux Linux on your Desktop Virtualization Basic Linux system administration

Introduction to Virtualization

2010 Virtualization and Cloud Computing Survey

Virtualization for Cloud Computing

Virtualization Technologies. Embrace the new world of healthcare

13.1 Backup virtual machines running on VMware ESXi / ESX Server

Virtual Computing and VMWare. Module 4

RUNNING vtvax FOR WINDOWS

Security. Environments. Dave Shackleford. John Wiley &. Sons, Inc. s j}! '**»* t i j. l:i. in: i««;

Virtualization and Disaster Recovery

Trusteer Rapport Virtual Implementation Scenarios

Outline. Introduction Virtualization Platform - Hypervisor High-level NAS Functions Applications Supported NAS models

Installing Windows On A Macintosh Or Linux Using A Virtual Machine

CPET 581 Cloud Computing: Technologies and Enterprise IT Strategies. Virtualization of Clusters and Data Centers

Download Virtualization Software Download a Linux-based OS Creating a Virtual Machine using VirtualBox: VM name

Acronis Backup Product Line

Onboarding VMs to Cisco OpenStack Private Cloud

MS-6422A - Implement and Manage Microsoft Windows Server Hyper-V

RED HAT ENTERPRISE VIRTUALIZATION

Virtualization and Other Tricks.

Vocera Voice 4.3 and 4.4 Server Sizing Matrix

CSE 501 Monday, September 09, 2013 Kevin Cleary

Course Syllabus. Implementing and Managing Windows Server 2008 Hyper-V. Key Data. Audience. At Course Completion. Prerequisites

SCO Virtualization Presentation to Customers

Comparing Virtualization Technologies

TechTarget Windows Media

Open Source Mainframe Backup with Hercules

Setting up Windows Phone 8 environment in VMWare

Server and Storage Virtualization. Virtualization. Overview. 5 Reasons to Virtualize

VMware Server 2.0 Essentials. Virtualization Deployment and Management

VIRTUALIZATION 101. Brainstorm Conference 2013 PRESENTER INTRODUCTIONS

Intro to Virtualization

System Requirements Guide

Product Brief. it s Backed Up

Deploying and Managing Microsoft System Center Virtual Machine Manager

9/26/2011. What is Virtualization? What are the different types of virtualization.

Chapter 16: Virtual Machines. Operating System Concepts 9 th Edition

Performance Comparison of VMware and Xen Hypervisor on Guest OS

Running vtserver in a Virtual Machine Environment. Technical Note by AVTware

Making a Smooth Transition to a Hybrid Cloud with Microsoft Cloud OS

Microsoft Windows Server 2008: MS-6422 Implementing and Managing Hyper V Virtualization 6422

Professional Xen Visualization

PRIVATE CLOUD PLATFORM OPTIONS. Stephen Lee CEO, ArkiTechs Inc.

Software to Simplify and Share SAN Storage Sanbolic s SAN Storage Enhancing Software Portfolio

ZEN LOAD BALANCER EE v3.04 DATASHEET The Load Balancing made easy

Learn the Essentials of Virtualization Security

OpenStack Cloud Migration:

Using SUSE Cloud to Orchestrate Multiple Hypervisors and Storage at ADP

Full and Para Virtualization

How bare-metal client hypervisors will mean the end of agent-based Windows management

Server Virtualization and Consolidation

Best Practices for Virtualised SharePoint

Virtualization. Pradipta De

Outline SSS Microsoft Windows Server 2008 Hyper-V Virtualization

How To Image A Single Vm For Forensic Analysis On Vmwarehouse.Com

Sanbolic s SAN Storage Enhancing Software Portfolio

Efficient Load Balancing using VM Migration by QEMU-KVM

Disaster Recovery Infrastructure

Server and Storage Virtualization

Virtualization: What does it mean for SAS? Karl Fisher and Clarke Thacher, SAS Institute Inc., Cary, NC

Tenable Webcast Summary Managing Vulnerabilities in Virtualized and Cloud-based Deployments

Installing ModelRisk on Macintosh A quick start guide. Vose Software

How to Install the VMware ESXi Hypervisor on Physical Hardware

Making Data Security The Foundation Of Your Virtualization Infrastructure

VMware vsphere: Install, Configure, Manage [V5.0]

The Xen of Virtualization

How To Get The Most Out Of Redhat.Com

FAQ. NetApp MAT4Shift. March 2015

Digital Forensics. Tom Pigg Executive Director Tennessee CSEC

How to create a Virtual machine from a Macrium image backup

MANAGING PRINT SERVER DEVICES WITH "WINDOWS XP" VIRTUAL MACHINES

Virtualization and the U2 Databases

Reader s Choice Preferred product

Transcription:

Virtualization Forensics: Acquisition and analysis of a clustered VMware ESXi servers Dennis Cortjens dennis.cortjens@os3.nl PLAN 28th of February, 2014 Contents 1 Information 1 1.1 Introduction............................................ 1 1.2 Problem.............................................. 1 1.3 Position.............................................. 2 1.4 Questions............................................. 2 1.4.1 Main............................................ 2 1.4.2 Sub............................................ 2 1.5 Goal................................................ 2 1.6 Scope............................................... 3

1 Information 1 1 Information 1.1 Introduction Virtualization plays an important role in the world of IT. In enterprise IT infrastructures it has proven to be very efficient and cost effective. It reduces the amount of physical servers needed for the IT demand and with that the need for large energy consuming data centres. In IT there are different forms of virtualization, but the well-known is the virtual machine. Simply described as a system within a system. It is often used for virtualizing operating systems and the is quite some software for this. This software can be divided in native (type 1) and hosted (type 2) hypervisors or virtual machine managers. A native hypervisor runs directly on the hardware as a virtual machine operating system, where a hosted hypervisor is a virtual machine application on a operating system. The well-known native (type 1) hypervisors are: Microsoft Hyper-V Server Oracle VM Server (Xen based) VMware ESXi The well-known hosted (type 2) hypervisors are: Kernel-based Virtual Machine (KVM) Microsoft Windows Virtual PC Oracle VirtualBox VMware Fusion VMware Workstation Xen Some of these hypervisors can be clustered, distributing and sharing virtual machines and storage across the IT infrastructure. 1.2 Problem Over the last years virtualization has become increasingly popular. A lot of companies (small business and enterprise) adopted virtualization with the use of virtual machines in their IT infrastructure and even for personal use it is very popular. However, the world of digital forensics seems a little bit slow in this matter. It has been researched and documented, but not extensively. There are some books available with general knowledge about the workings of virtualization, but not on how to acquire and analyse it. Especially when it comes to the acquisition and analysis of large clusters of hypervisors with virtual machines and storage distributed across IT infrastructures. ESXi is the widely adopted virtualization architecture by industry-leading virtualization software company VMware. Multiple ESXi servers can be clustered to distribute and share virtual machine and storage. Therefore it is adopted by a lot of companies as an efficient and cost effective solution for IT infrastructures. Besides that, ESXi is freely available and can be (mis)used for personal, small business and enterprise use. With that the chance of computer crime experts and digital forensic investigators running into such systems has also increased. This is noticeable by a significant increase of searches at large data centres and running into clustered VMware ESXi servers last year (2013). A study into the acquisition and analysis of clustered VMware ESXi servers can provide a first guide line for computer crime experts and digital forensic investigators running into such situations.

1.3 Position 2 1.3 Position A literature study on the forensic acquisition and analysis of clustered VMware ESXi servers resulted in no information to that specific subject. However, there were a book, thesis and blog article related to the subject. In 2010 Diane Barrett and Gregory Kipper wrote a (guide) book on virtual environments for digital forensic investigators. They describe virtualization in high detail. Even the acquisition and analysis of virtual environments, but from a desktop application perspective and not from a (clustered) hypervisor server perspective [1]. At the time of writing the book this wasn t a well-known and popular solution yet. The book is somewhat outdated, but a good basis and reference for this research. It is a good book on virtualization forensics and a must have for all computer crime experts and digital forensic investigators with a specialization in this subject. In 2011 Manish Hirwani researched the forensic analysis of VMware virtual hard disks and wrote a thesis about it. He describes the acquisition and analysis of VMware virtual disks using AccesData s Forensic ToolKit, FTK Imager and Guidance Software s EnCase [2]. The VMware virtual disk (VMDK) is still used within all of VMware s product, similarly the VMware ESXi architecture. Nowadays there is full support for the VMDK format in the last versions of the mentioned forensic software. The thesis is somewhat outdated, but still a good basis and reference for this research. In 2013 Phil Hagen wrote a article on his blog about VMware snapshots. He describes the calculation of snapshot creation times from the snapshot meta file (VMSD) with a python script (code published in the article). There is also a very good comment on this article with some links to software tools for analysing VMware snapshots and even the memory part of these snapshots [3]. This will be very useful for the analysis part of this research. 1.4 Questions 1.4.1 Main How can clustered VMware ESXi servers be acquired and analysed in a forensic sound way within the least amount of time? 1.4.2 Sub The main question is researched with the following sub questions: 1. How does VMware ESXi works? 2. What are the forensic artefacts of VMware ESXi? 3. How does a VMware ESXi cluster works? 4. What can be distributed within a cluster? 5. What are the additional forensic artefacts of a cluster? 6. What is the forensic and best way to freeze the virtual machines? 7. What is the forensic and fastest way of acquiring the virtual machines? 8. How can a cluster configuration be analysed? 1.5 Goal The goals are set by the following sub questions: How does VMware ESXi works? Determine the workings of VMware ESXi. What are the forensic artefacts of VMware ESXi? Determine the forensic artefacts of of VMware ESXi. How does a VMware ESXi cluster works? Determine the workings of a VMware ESXi cluster. What can be distributed within a cluster? Determine what can be distribute and shared within a VMware ESXi cluster.

1.6 Scope 3 What are the additional forensic artefacts of a cluster? Determine the additional forensic artefacts of a VMware ESXi cluster (if different). What is the forensic and best way to freeze the virtual machines? Determine the forensic and best way to freeze a virtual machine running on VMware ESXi. Forensic way above best way! What is the forensic and fastest way of acquiring the virtual machines? Determine the forensic and best way to acquire a virtual machine on VMware ESXi. This will be measured by the time difference in acquiring the virtual machine over the IT network and acquiring the full hard disk drive of the VMware ESXi servers. Forensic way above fastest way! How can a cluster configuration be analysed? Determine how the full cluster can analysed using (forensic) software. 1.6 Scope This project is limited by the following scope: It focuses on being usable for the investigation of large scale IT infrastructures; The test environment cluster will consist of 3 physical servers (representable for large scale IT infrastructures, concept stays the same); It focuses on forensic value and validity; It focuses on version 5.5 of VMware ESXi; The measurement will be primary based on time, but speed will be mentioned; It will provide a first guide line for acquiring and analysing (clustered) VMware ESXi environments.

REFERENCES 4 References [1] Diane Barrett and Gregory Kipper, Virtualization and Forensics, 2010. [2] Manish Hirwani, Forensic Analysis of VMware Hard Disks, 2011. [3] Phil Hagen s Scratch Pad: VMware Snapshot Forensics, http://stuffphilwrites.com/2013/03/ vmware-snapshot-forensics/, 20th of March 2013. List of Figures List of Tables

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information