Virtual Hard Disk Forensics Using EnCase
Randy Nading, EnCE, Security+, Computer Forensic Analyst, Jacobs Technology
www.encase.com/ceic

Agenda
I. Virtual Hard Disks (VHDs) as Evidence Containers
   Hands On 1: Create and Mount a VHD Using Windows 7 or 8 OS Tools
II. Ways VHDs Can Be Used to Obfuscate Data
   Hands On 2: Add Data, Dismount the VHD, Change Extension, Copy to Thumb Drive
III. Detecting VHDs Using EnCase: Update the File Types Table
   Hands On 3: Update the File Types Table in EnCase To Detect Common VHDs
IV. Detecting VHDs Using EnCase: Create a VHD Condition
   Hands On 4: Create a Condition to Detect Common VHDs
V. Putting It All Together: Implementing VHD Analysis in the Workflow
VI. Q & A
I. Virtual Hard Disks (VHDs) as Evidence Containers
- Think of VHDs as another type of evidence container
- Current forensic software does not identify VHDs or mount them
- VHDs are becoming more and more prevalent
- Windows users can create their own VHDs from the Disk Management snap-in

Hands On 1: Create and Mount a VHD Using Windows 7 or 8 OS Tools
- TrueCrypt's admission
- TrueCrypt's recommendation

A. Open the Computer Management window (in File Explorer, right-click This PC and select Manage).
B. Select Disk Management.
C. Open the Action menu and select Create VHD.
D. Select the location, size and type of VHD and click OK.
E. Initialize the new VHD: right-click the new VHD disk icon in the Disk Management window and select Initialize Disk.
F. Create a partition on the VHD: still in Disk Management, right-click the Unallocated Space of the newly initialized VHD and select New Simple Volume.
G. Encrypt the new VHD using BitLocker: open File Explorer, right-click the New Volume and select Turn on BitLocker.
II. Ways VHDs Can Be Used to Obfuscate Data
- VHDs residing on hard drives and thumb drives will not be obvious to examiners, even if nothing is done to hide their presence
- The VHD file extension can be stripped or changed to blend in with the files around it
- VHDs may be moved to a thumb drive and encrypted for added security
- VHDs may be nested
- VHDs may be encrypted

Hands On 2: Add Data, Dismount the VHD, Change Extension, Copy to Thumb Drive
A. To unmount the drive, right-click the drive in File Explorer and select Eject.
B. Alternatively, right-click the disk number in the Disk Management window and select Detach VHD.
C. To mount the drive again, use Attach VHD in the Action menu of the Disk Management window.
D. Disguise the VHD as the Microsoft Debug Information Accessor: dismount the drive as in step A, right-click the filename of the VHD in File Explorer, and select Rename. Change the name to msdia80 and the extension to .dll.
E. Move the VHD to the thumb drive: right-click the filename of the VHD in File Explorer and select Cut. Right-click the thumb drive in File Explorer and select Paste.
III. Detecting VHDs Using EnCase: Update the File Types Table
- Since VHDs operate fine without filename extensions, search for them by the unique signatures embedded in their file headers
- Update the File Types table with the signatures of popular VHDs in use today

Hands On 3: Update the File Types Table in EnCase To Detect Common VHDs
A. Start EnCase, open the View menu, select File Types and click the New icon on the menu bar.
B. In the New File Type window, click the Options tab and enter the settings shown on the slide.
C. In the New File Type window, click the Header tab and enter the settings shown on the slide.
D. The Footer tab will not be used. Click OK to save the settings to the File Types table.
E. Repeat the above process for each of the VHD file types you wish to add. Make sure the four-character Unique Tag field begins with vhd and is different for each VHD type entered. This is the field you will use later in the process to write a condition that identifies all VHDs on the media being examined.
F. If you have multiple installations of EnCase, as in a lab setting, you can update the File Types table once and copy the FileTypes.ini incremental file from your C:\Users\username\AppData\Roaming\EnCase\EnCase7-2\Config folder to the same folder on all the other machines. You do all the heavy lifting and your coworkers benefit. :)

Practice this by copying the FileTypes.ini incremental file that I prepared on the instructor materials network share to your C:\Users\username\AppData\Roaming\EnCase\EnCase7-2\Config folder now.
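Added example (not code from the slides, EnCase or Guidance Software): a small Python scanner that does in one place what the updated File Types table and the "File Type Tag contains vhd" condition do together. It ignores file names and extensions, identifies virtual disk containers by the magic bytes in their first 512 bytes or, for a fixed-size VHD, in the 512-byte footer at the end of the file, keeps only hits whose tag contains vhd, and flags files whose extension does not match the detected type, which is exactly how a container renamed to msdia80.dll stands out. The four tag names are made up for this example (the slides only require that each begins with vhd and is unique); the offsets and magic values are the formats' own signatures for VHD, VHDX, sparse VMDK and VDI, but check them against your own File Types entries. The sample files the demo creates are constructed.

```python
"""Signature-based virtual disk scanner.

Added example, not code from the slides: it reproduces the idea behind the
updated File Types table and the "File Type Tag contains vhd" condition in
plain Python. File names and extensions are ignored; each file is identified
by magic bytes in its first 512 bytes or, for a fixed-size VHD, in the
512-byte footer at the end of the file.
"""
import os
import sys
import tempfile
from dataclasses import dataclass
from typing import Optional

SECTOR = 512


@dataclass(frozen=True)
class Signature:
    tag: str            # four-character tag, mirroring the EnCase Unique Tag field
    description: str
    offset: int         # byte offset of the magic from the start of the file
    magic: bytes
    extensions: tuple   # extensions normally used for this container type


# Tag names are assumptions for this example; the slides only require that
# each begins with "vhd" and is unique. Offsets and magic values are the
# formats' own signatures; verify them against your File Types entries.
SIGNATURES = (
    # Dynamic and differencing VHDs start with a copy of the footer, so the
    # "conectix" cookie appears at offset 0. Fixed VHDs are handled in identify().
    Signature("vhd1", "Microsoft VHD", 0, b"conectix", (".vhd",)),
    Signature("vhd2", "Microsoft VHDX", 0, b"vhdxfile", (".vhdx",)),
    Signature("vhd3", "VMware sparse VMDK", 0, b"KDMV", (".vmdk",)),
    # VirtualBox VDI: 0xBEDA107F stored little-endian at offset 0x40.
    Signature("vhd4", "Oracle VirtualBox VDI", 0x40, b"\x7f\x10\xda\xbe", (".vdi",)),
)


def identify(head: bytes, tail: bytes) -> Optional[Signature]:
    """Match `head` (first 512 bytes) and `tail` (last 512 bytes) against SIGNATURES."""
    for sig in SIGNATURES:
        end = sig.offset + len(sig.magic)
        if len(head) >= end and head[sig.offset:end] == sig.magic:
            return sig
    # Fixed-size VHD: the cookie lives only in the trailing 512-byte footer.
    if len(tail) == SECTOR and tail[:8] == b"conectix":
        return SIGNATURES[0]
    return None


def identify_bytes(data: bytes) -> Optional[Signature]:
    """Convenience wrapper for in-memory data."""
    return identify(data[:SECTOR], data[-SECTOR:] if len(data) >= SECTOR else b"")


def scan_file(path: str) -> Optional[dict]:
    """Return a hit record for `path` if it is a recognised virtual disk, else None."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        head = fh.read(SECTOR)
        tail = b""
        if size >= SECTOR:
            fh.seek(size - SECTOR)
            tail = fh.read(SECTOR)
    sig = identify(head, tail)
    if sig is None:
        return None
    ext = os.path.splitext(path)[1].lower()
    return {
        "path": path,
        "tag": sig.tag,
        "type": sig.description,
        "size": size,
        # True when the container was renamed, e.g. a VHD stored as msdia80.dll.
        "extension_mismatch": ext not in sig.extensions,
    }


def find_virtual_disks(root: str, tag_contains: str = "vhd") -> list:
    """Walk `root` and keep hits whose tag contains `tag_contains`, like the EnCase condition."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            try:
                hit = scan_file(os.path.join(dirpath, name))
            except OSError:
                continue            # unreadable file: skip it, do not abort the sweep
            if hit is not None and tag_contains in hit["tag"]:
                hits.append(hit)
    return sorted(hits, key=lambda h: h["path"])


def make_sample_dir() -> str:
    """Create a constructed test tree: a header-only VHD renamed to .dll beside a text file."""
    root = tempfile.mkdtemp(prefix="vhdscan_")
    with open(os.path.join(root, "msdia80.dll"), "wb") as fh:
        fh.write(b"conectix" + b"\0" * (SECTOR - 8))   # constructed dynamic-VHD header stub
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"nothing to see here\n")
    return root


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else make_sample_dir()
    for hit in find_virtual_disks(root):
        flag = "  <-- extension does not match" if hit["extension_mismatch"] else ""
        print(f"{hit['tag']}  {hit['type']:24}  {hit['path']}{flag}")
```

Run it with a directory argument to sweep a mounted image or an export folder; with no argument it scans the constructed sample tree and reports the renamed VHD. Like the EnCase condition, it only sees what the signature pass sees, so a VHD inside an unmounted compound file or inside a BitLocker-encrypted volume will not be found until that container has been mounted or unlocked.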
IV. Detecting VHDs Using EnCase: Create a VHD Condition
- Create a condition that filters out all files except VHDs, based on their file signature analysis
- It searches for and displays only files whose File Type Tag contains the tag vhd

Hands On 4: Create a Condition to Detect Common VHDs
A. Click the Condition dropdown menu and select New Condition, which brings up the New Condition dialog box.
   (1) For the Path field, navigate to the folder in which you would like the condition stored, name the condition Virtual Hard Disk and click Save.
   (2) Click the New icon on the toolbar, which brings up the New Term dialog box.
B. Select the File Type Tag property, the Contains operator, and type vhd for the value. Then click OK to save and close the New Term dialog box, and OK again to save and close the New Condition dialog box.
C. Test the new condition:
   (1) Open EnCase and add at least one VHD as evidence.
   (2) Click the Condition dropdown menu and select Run, then select the name of the condition just created and click Open.
D. Select the appropriate Filter (Current View, Current Device, or All Evidence Files) and click OK to run the condition.
Question: Why does the condition return no results if you verified you have at least one virtual hard drive added as evidence?
- Resist the urge to double-check your File Type table additions; you copied and pasted the right bits of data.
- Resist the urge to edit the condition; it is as simple and straightforward as any condition you have ever written.
- Resist the urge to verify the presence of the VHD file in the evidence; you just put it there a few minutes ago!
- Resist the urge to question your sanity. Think workflow!

V. Putting It All Together: VHD Analysis in the Workflow
- The condition returned no results because it was run at the wrong spot in your digital forensics workflow
- The condition identifying the VHDs depends on File Signature Analysis to work
- One of the initial workflow steps ought to be File Signature Analysis, either through the Evidence Processor or through Entries > Hash\Sig Selected
- Reminder: after completing File Signature Analysis, either through the Evidence Processor or Entries > Hash\Sig Selected, you must reload the evidence so that the results are available to the condition
- However, it would be a workflow mistake to do File Signature Analysis as the very first step. Why?

- The first priority in the workflow is to Recover Folders
- The second priority is to Mount Compound Files
- The third priority is to conduct File Signature Analysis
- The fourth priority is to reload the evidence
- The fifth priority is to run the new VHD condition

After step 10, continue the rest of your digital forensics workflow as usual.

NOTE: If the exported VHD in workflow step 6 above is a file with an extension of .vdi, it must be converted to .vhd or .vmdk before mounting it in step 7 above. The .vdi file is the Virtual Disk Image created by Oracle VirtualBox. Install VirtualBox before continuing. After VirtualBox is installed, use the VBoxManage command line tool to do the conversion as shown below.

Open a command window and type the following command:

VBoxManage clonehd sourcefilename destinationfilename --format VHD

NOTE: If an error is generated for a duplicate UUID, run the command below and then repeat the conversion process:

VBoxManage internalcommands sethduuid sourcefilename
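The conversion and the duplicate-UUID retry described above, wrapped in a small Python helper (added example, not from the slides or from VirtualBox): it issues the two VBoxManage commands exactly as given on the slide, and if clonehd fails with output that mentions a UUID it runs sethduuid once on the source image and repeats the clone. How VirtualBox words the duplicate-UUID error is an assumption, so the check is deliberately loose. The `runner` parameter lets the logic be exercised without VirtualBox installed; the `FakeVBoxManage` stand-in and its error text are constructed for the demo.

```python
"""Convert a VirtualBox .vdi to .vhd with VBoxManage, retrying after a duplicate-UUID error.

Added example, not from the slides. Real use requires VirtualBox with
VBoxManage on PATH; the demo at the bottom uses a constructed fake runner.
"""
import subprocess
from typing import Callable, List, Sequence, Tuple

# A runner takes a VBoxManage argument list and returns (exit code, combined output).
Runner = Callable[[Sequence[str]], Tuple[int, str]]


def run_vboxmanage(args: Sequence[str]) -> Tuple[int, str]:
    """Run the real VBoxManage binary (assumed to be on PATH)."""
    proc = subprocess.run(["VBoxManage", *args], capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


def clonehd_args(src: str, dst: str, fmt: str = "VHD") -> List[str]:
    """VBoxManage clonehd <src> <dst> --format VHD, the command from the slide."""
    return ["clonehd", src, dst, "--format", fmt]


def sethduuid_args(src: str) -> List[str]:
    """VBoxManage internalcommands sethduuid <src>, the duplicate-UUID fix from the slide."""
    return ["internalcommands", "sethduuid", src]


def looks_like_duplicate_uuid(output: str) -> bool:
    # Assumption: VirtualBox mentions the UUID in its error text. Keep the test
    # loose rather than matching one exact wording across VirtualBox versions.
    return "uuid" in output.lower()


def convert_vdi(src: str, dst: str, fmt: str = "VHD",
                runner: Runner = run_vboxmanage) -> List[List[str]]:
    """Convert `src` to `dst`; return the VBoxManage argument lists that were issued.

    Raises RuntimeError with VBoxManage's output if the conversion still fails
    after the single sethduuid retry the slides describe.
    """
    issued: List[List[str]] = []

    def run(args: List[str]) -> Tuple[int, str]:
        issued.append(args)
        return runner(args)

    code, out = run(clonehd_args(src, dst, fmt))
    if code == 0:
        return issued
    if not looks_like_duplicate_uuid(out):
        raise RuntimeError(f"VBoxManage clonehd failed:\n{out}")
    run(sethduuid_args(src))          # give the source image a fresh UUID
    code, out = run(clonehd_args(src, dst, fmt))
    if code != 0:
        raise RuntimeError(f"VBoxManage clonehd failed after sethduuid:\n{out}")
    return issued


class FakeVBoxManage:
    """Constructed stand-in: the first clonehd fails with a duplicate-UUID message."""

    def __init__(self) -> None:
        self.uuid_reset = False

    def __call__(self, args: Sequence[str]) -> Tuple[int, str]:
        if args[0] == "internalcommands":
            self.uuid_reset = True
            return 0, "UUID changed\n"
        if not self.uuid_reset:
            # Constructed error text; only the word UUID matters to the wrapper.
            return 1, "VBoxManage: error: a hard disk with UUID <uuid> already exists\n"
        return 0, "Clone medium created in format 'VHD'.\n"


if __name__ == "__main__":
    for args in convert_vdi("evidence.vdi", "evidence.vhd", runner=FakeVBoxManage()):
        print("VBoxManage", " ".join(args))
```

With the default runner the same call drives the real VBoxManage; pass `fmt="VMDK"` to produce the other format the slide allows. Note that sethduuid rewrites the UUID inside the source .vdi, so run the conversion on a working copy of the exported image, never on the evidence file itself, and record the hash of the copy before and after.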
VI. Q & A

Resources: VHD Forensics
- http://www.forensicswiki.org/wiki/virtual_hard_disk_(vhd)
- https://ad-pdf.s3.amazonaws.com/forensic_issues_vhds_windows7.pdf
- http://www.forensickb.com/2014/02/understanding-hyper-v-server-whendoing.html
- http://www.forensicfocus.com/forums/viewtopic/t=5806/
- http://cyber-defense.sans.org/blog/2009/11/17/bitlocker-attached-vhd-drive
- http://www.uat.edu/academics/forensic_challenges_in_virtualized_environments.aspx
- http://www.ijmo.org/papers/205-s4038.pdf

Resources: VHDs
- http://grandstreamdreams.blogspot.com/2009/08/mounting-vhd-files-inwindows-for-fun.html
- http://www.slideshare.net/ctin/mounting-virtual-hard-drives
- http://en.wikipedia.org/wiki/vhd_(file_format)
- http://blogs.technet.com/b/ranjanajain/archive/2010/03/23/virtual-harddisk-vhd-architecture-explained.aspx
- https://technet.microsoft.com/en-us/virtualization/bb676673.aspx
- https://technet.microsoft.com/en-us/bb738381.aspx