Forensically Determining the Presence and Use of Virtual Machines in Windows 7



Similar documents
Determining VHD s in Windows 7 Dustin Hurlbut

Virtual Hard Disk Forensics Using EnCase

1. Introduction About the BackupAssist Hyper-V solution Advantages Features Granular technology... 2

BackupAssist v6 quickstart guide

BackupAssist v6 quickstart guide

MAC/OSX - How to Encrypt Data using TrueCrypt. v

RECOVERING FROM SHAMOON

System Protection for Hyper-V User Guide

UltraBac Documentation. UBDR Gold. Administrator Guide UBDR Gold v8.0

Paragon Backup Retention Wizard

Ans.: You can find your activation key for a Recover My Files by logging on to your account.

Bare Metal Recovery Quick Start Guide

WSDOT ProjectWise V8i Training 101

User Guide. Laplink Software, Inc. Laplink DiskImage 7 Professional. User Guide. UG-DiskImagePro-EN-7 (REV. 5/2013)

VirtualXP Users Guide

Windows XP Home Edition / Windows XP Professional

Lab: Data Backup and Recovery in Windows XP

Comodo Disk Encryption

EaseUS Data Recovery Wizard User Guide

For Windows XP 64 bit

Cleaning your Windows 7, Windows XP and Macintosh OSX Computers

Introduction to BitLocker FVE

Lab - Data Backup and Recovery in Windows XP

Microsoft Vista: Serious Challenges for Digital Investigations

Hard Disk Manager 14 Hyper-V Preview

Call Recorder Quick CD Access System

University of Rochester Sophos SafeGuard Encryption for Windows Support Guide

Hyper-V Protection. User guide

How to Install Applications (APK Files) on Your Android Phone

Symantec File Share Encryption Quick Start Guide Version 10.3

Windows 7: Current Events in the World of Windows Forensics

NovaBACKUP. User Manual. NovaStor / May 2014

Just EnCase. Presented By Larry Russell CalCPA State Technology Committee May 18, 2012

Contents. Getting Started...1. Managing Your Drives Backing Up & Restoring Folders Synchronizing Folders Managing Security...

STATISTICA VERSION 9 STATISTICA ENTERPRISE INSTALLATION INSTRUCTIONS FOR USE WITH TERMINAL SERVER

Backup Buddy. Welcome to Backup Buddy! The simplest, friendliest backup application for the Mac.

Outlook . Step 1: Open and Configure Outlook

COEN 152 / 252 Lab Exercise 1. Imaging, Hex Editors & File Types

Lenovo Online Data Backup User Guide Version

istorage Server: High-Availability iscsi SAN for Windows Server 2008 & Hyper-V Clustering

M100 System File Manager Help

Time Stamp. Instruction Booklet

UNDELETE Users Guide

SATA RAID Function (Only for chipset Sil3132 used) User s Manual

Updates Click to check for a newer version of the CD Press next and confirm the disc burner selection before pressing finish.

Filtering with Microsoft Outlook

MICROSOFT OUTLOOK 2011 READ, SEARCH AND PRINT S

PGP Desktop Quick Start Guide Version 10.2

Joining an XP workstation to a domain Version 1.00

NovaBACKUP. User Manual. NovaStor / November 2011

SonicWALL CDP Local Archiving

System Protection for Hyper-V Whitepaper

Vess A2000 Series. NVR Storage Appliance. Windows Recovery Instructions. Version PROMISE Technology, Inc. All Rights Reserved.

1! Registry. Windows System Artifacts. Understanding the Windows Registry. Organization of the Windows Registry. Windows Registry Viewer

Census. di Monitoring Installation User s Guide

Introduction. This white paper provides technical information on how to approach these steps with Symantec Antivirus Corporate edition.

EnCase 7 - Basic + Intermediate Topics

SonicWALL CDP 5.0 Microsoft Exchange InfoStore Backup and Restore

The Meaning. Linkfiles In Forensic Examinations

In order to enable BitLocker, your hard drive must be partitioned in a particular manner.

The following features have been added to FTK with this release:

UNDELETE Users Guide

RSCCD REMOTE PORTAL TABLE OF CONTENTS: Technology Requirements NOTE

AccessData. Registry Quick Find Chart

Dual-boot Windows 10 alongside Windows 8

IBM Rapid Restore PC powered by Xpoint - v2.02 (build 6015a)

ZENworks 11 Support Pack 4 Full Disk Encryption Agent Reference. May 2016

Data-Tracker PLUS and Data-Viewer PLUS Software User s Guide

Hiva-network.com. Microsoft_70-680_v _Kat. Exam A

WinClon 6 User Guide. With Screenshots. A Windows Embedded Partner

SIRIS. Bare Metal Restore Guide

MICROSOFT EXCEL 2011 MANAGE WORKBOOKS

USB Bare Metal Restore: Getting Started

Hosting Users Guide 2011

Backup and Disaster Recovery Restoration Guide

Quick Start Guide. Version R91. English

Cautions When Using BitLocker Drive Encryption on PRIMERGY

SecureDoc for Mac v6.1. User Manual

Sophos Disk Encryption License migration guide. Product version: 5.61 Document date: June 2012

Advanced Event Viewer Manual

Drobo How-To Guide. Cloud Storage Using Amazon Storage Gateway with Drobo iscsi SAN

Outlook Web Access End User Guide

NetBackup Backup, Archive, and Restore Getting Started Guide

How to Encrypt your Windows 7 SDS Machine with Bitlocker

Up-to-the-minute Data Protection

VERITAS NetBackup 6.0

USB 3.0 DUAL SATA HDD DOCKING STATION

How To Restore Your Data On A Backup By Mozy (Windows) On A Pc Or Macbook Or Macintosh (Windows 2) On Your Computer Or Mac) On An Pc Or Ipad (Windows 3) On Pc Or Pc Or Micro

Intelligent disaster recovery. Dell DL backup to Disk Appliance powered by Symantec

vtcommander Installing and Starting vtcommander

HP StorageWorks Automated Storage Manager User Guide

IT Essentials v4.1 LI Upgrade and configure storage devices and hard drives. IT Essentials v4.1 LI Windows OS directory structures

UNDELETE 7.0 USER GUIDE

TABLE OF CONTENTS. Administration Guide - Virtual Server idataagent (VMware) Page 1 of 176 OVERVIEW

2.6.1 Creating an Acronis account Subscription to Acronis Cloud Creating bootable rescue media... 12

Digital Forensics Tutorials Acquiring an Image with Kali dcfldd

Transcription:

Forensically Determining the Presence and Use of Virtual Machines in Windows 7 Introduction Dustin Hurlbut Windows 7 has the ability to create and mount virtual machines based upon launching a single file. The Virtual Hard Disk (VHD) format permits creation of virtual drives that can be used for data storage, backup, and testing. A user can place large amounts of data in a virtual drive and then copy the representative unmounted file to any other computer. It appears most of the Windows 7 versions support the creation of VHDs. The file that stores the VHD is stored with a.vhd extension. Besides being able to create and attach virtual drives in the Manage utility, Windows 7 Ultimate, Enterprise and Server 2008 R2 can also boot to a virtual drive. Microsoft also has a standalone version available. The obvious forensic issues would be the use of virtual drives by suspects to store incriminating data. Mounted drives can be used to store and backup data, and once detached will look like a large file with the contents being visible only by remounting or use of forensics tools to view them. It s nifty way to hide things from another user. Data is carveable and keywords visible in an unprotected.vhd. It would be easy for a user to create a virtual drive, mount it, place the data in it while it is mounted, and once unmounted, change the name of the file s extension from VHD to some other extension or just hide the VHD in some area not likely to be noted by a casual user. Once unmounted, the.vhd file can be copied and opened on any other system that supports the format. Other options include the ability to nest a.vhd inside of another. The user can mount a virtual drive and then mount another inside of it. Microsoft only permits two nested drives 1. Another important feature is when a system is shutdown, non-bootable mounted VHDs will not remount automatically upon reboot. Thus if the system is powered down in a raid environment either with power or by pulling the plug, it won t be apparent that the virtual drives were mounted upon forensic acquisition and analysis. Of course, a user can mount and then encrypt a.vhd file using volume encryption like TrueCrypt or BitLocker or non-volume like EFS or other file encrypting algorithms. The user can either place an encrypted volume inside the mounted VHD using TrueCrypt or can choose to encrypt the VHD volume which can then be auto mounted. This method would mask the data inside and render it impossible to find data via text searching the raw unmounted.vhd file. BitLocker can also be used to encrypt a virtual drive. All the same issues apply to decrypting the drive as a regularly encrypted BitLocker hard drive; namely, the need for a recovery key and the necessity of imaging logically. The testing for this document was conducted on Windows 2008 Server R2 and Windows 7 Ultimate systems. In actual investigations of other versions, they should be tested for consistency and to confirm these findings. AccessData Virtual Machines in Windows 7 Page 1

Creating a VHD Virtual machines can be created in the Manage Utility (right click on Computer and select Manage) by selecting the Action drop down menu and clicking on Create VHD. Supply a location and filename for the VHD and decide on fixed or dynamic sizes. Supply the file size if a fixed size is selected and click on OK. See Figure 1. In fixed size creation, the file size will be the same as the selected size of the drive. Figure 1 Creating a VHD Next, right click on the Disk# tab in the Manage utility to the left of the drive s bar graph and select Initialize Disk. Select the type of partition formatting desired; MBR or GPT and click OK. AccessData Virtual Machines in Windows 7 Page 2

To finalize the drive and format it, right click on the drive s bar indicator (to the right of the drive# tab) and select New Simple Volume. This will start a wizard to allow assigning a drive letter, selecting a file system, and formatting the drive. Once completed, the drive will appear to be a physical drive in all respects from the point of view of the operating system (See Figure 1, last frame). It will behave as a physical drive to Windows Explorer and the MountedDevices registry entry in the System file will use the standard drive identifier located at offset 440-443 in the Master Boot Record (MBR) of the virtual drive. Forensic Determination of the Presence of VHDs Trying to find virtual drives forensically isn t normally too difficult. If a user is archiving data in a VHD, they are easily discovered by sorting on the.vhd file extension in the user s image. The usual operating system file artifacts in a user s NTUSER.DAT registry file may also be present in the form of RecentDocs and in the ComDlg32 Most Recently Used (MRU) entries. Use of the internal virtual drive utility in Windows 7 creates entries for each of these MRU lists (see Figure 2). Figure 2 - RecentDocs List of.vhd files in the NTUSER.DAT The only issue in locating.vhd files is if the suspect takes steps to hide them, such as changing or removing the file extension to mask them. VHDs can be mounted after their file extension is removed. In the example in Figure 4, FTK is used to process an image containing several.vhd files. Prior to processing, a Custom File Identification can be created to identify all VHDs in the image by header. FTK will then place them in a user named container. This speeds up the analysis by placing all the.vhd files in one location, so they can be quickly analyzed for potential evidence by exporting and mounting. The process to create a custom header identification is documented in Figure 3. During the case creation process, click the Detailed Options button. This will bring up the Evidence Processing dialog box. After the processes to perform are selected, click on the Custom File Identification button (upper left corner below Evidence Processing). Click on the Manage Custom Identifiers and then Create New. AccessData Virtual Machines in Windows 7 Page 3

Figure 3 Creating a Custom File Identification in FTK AccessData Virtual Machines in Windows 7 Page 4

Name the Custom Identifier and provide a description if desired. Double click the Value column at the bottom to enter the desired header (See Figure 3). In the case of.vhd files, I have been using: 0x 33c08ed0bc007c8e Note: If the beginning offset for a header is not zero, it can be set in the preceding Offset column. Once completed, click on Close and save the custom identifier to a file. Once the custom identifier is stored as a file, it can be called up on a case by case basis to classify files by header. Figure 4 - Using FTK to identify.vhd files during processing Forensic Determination of the Use of VHDs There are a number of ways to demonstrate use of VHDs by a suspect. The above mentioned examination of MRUs in the registry of the host system will show VHD activity. The best method is to examine the Windows 7 event logs regarding the mounting and unmounting of virtual drives. The event file is located in the Event Viewer left pane menu list at the following path: Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\VHDMP\Operational An Information Event ID of 1 indicates a surfacing of a.vhd file. Microsoft refers to mounting a VHD as surfacing and unmounting as unsurfacing 1. The log viewer will supply the path and filename mounted, date/time of access, and the physical drive number assigned to the drive. See Figure 5. An Event ID of 2 indicates a VHD has been unsurfaced and will also have the path, filename, and date/time of unsurfacing. It interesting to note, that if a virtual drive is functioning when the system is shutdown without a manual dismount, there will be no event identification (2) indicating it was unsurfaced. AccessData Virtual Machines in Windows 7 Page 5

Figure 5 Windows 7 Event Log Viewer / VHD Event Logs An examination of the link files of a user s system may help ascertain if the.vhd files have been in use on the system. Link files can contain a volume name and volume serial number to compare to those contained in the mounted virtual drive. See Figure 6. Figure 6 - Link File pointing to a virtual drive AccessData Virtual Machines in Windows 7 Page 6

This would require mounting the.vhd file to determine its volume name and serial number. Mounting can be accomplished with current forensic tools as most mount a.vhd as an image file (see Figure 7). Figure 7 Mounted.vhd file in FTK Imager showing the Volume Serial Number at offset 72 The image can also be mounted in Windows as a Read-Only drive by selecting the Read-Only check box when attaching the device. See Figure 8. Prior to mounting the first and third device After mounting the first and third device AccessData Virtual Machines in Windows 7 Page 7

Figure 8 Selecting Read-Only when mounting a.vhd file in Windows 7 The top panel of Figure 8 is a list of hashes for three.vhd files prior to mounting. In the middle panel, is a list of those hashes after mounting the first and third.vhd. One of the files was mounted and changed by adding a folder to it. The second was only mounted, but otherwise not changed. Both the hashes changed upon mounting the device. Both VHDs were NTFS file system formatted. The bottom panel of Figure 8 shows the hashes after mounting the diffvhd.vhd file. In this case, prior to mounting the Read-Only check box was selected. With limited testing, I have found the.vhd file s hash does not change when using read-only surfacing. The drive letter assigned may be determined by an examination of the MountedDevices subkey in the System registry file. In the example in Figure 9, the.vhd occupied the T drive. The first four bytes in the \DosDevices\T: value are 0x 2F 03 43 5E. This is the drive identifier for this physical device located at offset 440 in the MBR of the.vhd file. Mounting the.vhd and viewing the drive identifier in its MBR will allow determination of which.vhd file was used for this drive letter. The four values at offset 440-443 match to a file called BACKTRACK VHD.vhd. The drive letter at \DosDevices\<driveletter>: is volatile data. If this VHD was unsurfaced and another VHD, HDD, or USB were mounted and used this drive letter, the drive identifier value will be overwritten in favor of the new device s identification. However, the drive will still be identifiable as having been mounted as there is a persistent number assigned in MountedDevices as well as the volatile one. This persistent entry is preceded with a \??\ <guid> value name with the drive identifier assigned in the same first four bytes of its value. This data is not removed when the drive letter is used by another device. AccessData Virtual Machines in Windows 7 Page 8

Master Boot Record of the VHD File System Registry File of the Host NTUSER.DAT Registry File of the Host System Specific User Figure 9 MBR drive ID to MountedDevices to the GUID in MountPoints AccessData Virtual Machines in Windows 7 Page 9

It can also be determined which user launched BACKTRACK VHD.vhd and at what time it was mounted. First, find the persistent Globally Unique Identifier (GUID) for the drive. This can be determined by finding the drive identifier (in this case 0x 2F 03 43 5E) in MountedDevices that has a value name of \??\Volume{<guid>}. In this example, it is just above the \DosDevices\T: Value: 0x 2F 03 43 5E with the same value header. The GUID is: 68f3aeb8-a1ab-11df-b5da-a8aa87d6c78d Open the NTUSER.DAT for the suspected user (in this case the NTUSER.DAT for user Dustin) and navigate to the following path where <guid> is the GUID for this device: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\<guid> Highlight the GUID assigned to this device by MountedDevices and note the Key Properties last written time, shown in Figure 9 (bottom panel). This date/time is the last written date/time for the subkey highlighted. This updates each time the user mounts the device. This method also works to determine the time/date of mounting a USB device. When testing this value, be sure to account for lazy writes as this value doesn t always update immediately upon mounting of the device. Logging off or restarting may be required to consistently update this value for testing purposes. The storage artifacts that record the volumes mounted for.vhd files are kept in a number of places in the registry similar to USB information. The drives are identified in the SCSI subkey at the following location: HKLM\System\ControlSet###\Enum\SCSI\Disk&Ven_Msft&Prod_Virtual_Disk Each drive is identified with a number similar to the old Parent ID Prefix (pip) seen in Windows XP for USB devices. There are also references to them in the following path: HKLM\System\ControlSet###\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\ ##?#SCSI#Disk&Ven_Msft&Prod_Virtual_Disk#<pip from scsi subkey><classidguid> This location is one of the class identifiers that specify device attachments that are used to identify the last time a specific USB was connected. Note the Msft reference in each path. MSFT is the Microsoft stock identifier and this reference is used in the virtual entries in the registry. MSFT is commonly used in company blogs in place of the company name Microsoft. Virtual drives are also referenced by their volume name in the ReadyBoost drive storage archive in the Software registry file at: HKLM\Software\Microsoft\Windows NT\CurrentVersion\EMDMgmt AccessData Virtual Machines in Windows 7 Page 10

Mounting a VHD for Analysis When the virtual drive is mounted by the operating system, it is in all appearances a physical hard disk drive. The first panel in Figure 10 shows the drive mounted while it is live. The second panel shows mounting the.vhd file as an image file. The two views appear to be the same. VHD images can be viewed and evaluated by mounting with your forensic tool of choice. As mentioned earlier, the issue is finding them. Many of the current forensic tools will mount.vhd files as an image file, so the structure can be examined for relevant files to the investigation. Figure 10 Mounted Virtual Drive and Mounted.vhd File AccessData Virtual Machines in Windows 7 Page 11

Once mounted, the examination will be a standard analysis of the file system for relevant data using keyword searches, viewing user created and deleted files, and data carving. Figure 11 FTK Imager view of deleted files Figure 11 shows a standard look at artifacts such as those deleted from the operating system and recycle bin. VHD Footer Offsets 2 In addition to the analysis of the relevant data, the.vhd also contains a footer that may yield important forensic information about its creation. This footer is located in the last sector of the physical.vhd file. The header begins at the sector boundary of the last sector in the file. It is contained in offsets 0-7 and contains the header word conectix to identify a Microsoft Virtual Server file. Data sets stored in this footer appear to be in big endian format. See Figure 13 for Offset Table. AccessData Virtual Machines in Windows 7 Page 12

Figure 12 Footer information in a.vhd file Offsets 24-27 contain a date/time stamp of when the VHD was created. This date and time, according to Microsoft, is based upon the number of seconds since January 1, 2000, 12:00:00 AM UTC time. This appears to be a new date/time stamp to convert (possibly an XFat date/time stamp). I couldn t find a converter for it, so for testing purposes, I added the hex value 0x 38 6D 43 80 to the stored value (the number of seconds between 1970 and 2000) and used the Unix 32-bit, big endian converter to get in the ballpark. This would not be forensically sound, so at some point, someone hopefully will build us a converter for this date and time stamp. Offsets 28-31 store the creator application. In Windows 7.vhd files, the value win is placed here. Offsets 36-39 is the creator host for the OS. In Windows 7 test VHDs, the value Wi2k is stored here. Offsets 40-47 stores the size of the.vhd file in its original state. This value is in bytes and does not include the last 512 bytes where this footer information is stored. If the disk is expanded, the current size will be displayed in offsets 48-55. At offsets 68-83 is stored a unique identifier for the hard disk. Its format is in the 128-bit Universally Unique Identifier (UUID). Field Type Offsets Size in Bytes Standard Value Header 0-7 8 conectix Date and Time Stamp 24-27 4 Creator Application 28-31 4 win Creator Host OS 36-39 4 Wi2k Original Size 40-47 8 Current Size 48-55 8 Unique ID (UUID) 68-83 16 Figure 13 -.vhd Footer Offsets AccessData Virtual Machines in Windows 7 Page 13

References 1. Virtual Hard Disks in Windows Frequently Asked Questions, Microsoft, June 15, 2009, http://technet.microsoft.com/en-us/library/dd440865(ws.10).aspx 2. Virtual Hard Disk Image Format Specification, Microsoft, October 11, 2006 http://technet.microsoft.com/en-us/virtualserver/bb676673.aspx AccessData Virtual Machines in Windows 7 Page 14

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information