Forensic Analysis of Vmware Hard Disks

Rochester Institute of Technology
RIT Scholar Works
Theses
2011

Forensic analysis of VMware hard disks
Manish Hirwani

Follow this and additional works at: https://scholarworks.rit.edu/theses

Recommended Citation
Hirwani, Manish, "Forensic analysis of VMware hard disks" (2011). Thesis. Rochester Institute of Technology. Accessed from

This Thesis is brought to you for free and open access by RIT Scholar Works. It has been accepted for inclusion in Theses by an authorized administrator of RIT Scholar Works. For more information, please contact [email protected].

Forensic Analysis of VMware Hard Disks
by Manish Hirwani

Committee Members
Prof. Yin Pan
Prof. Daryl Johnson
Prof. Bill Stackpole

Thesis submitted in partial fulfillment of the requirements for the degree of Master of Science in Networking and System Administration
Rochester Institute of Technology
B. Thomas Golisano College of Computing and Information Sciences
05/04/2011

Forensic Analysis of VMware Virtual Hard Disks
Manish Hirwani

Acknowledgement

I wish to express my gratitude to each member of my thesis committee, without whose support and valuable assistance this thesis would not have been possible. My sincere thanks to Prof. Yin Pan, who has been the ever encouraging and motivating force behind my work. She was constantly available for discussions and always gave me prompt advice. Her appreciation of my work has made me work harder each time and has brought forth the best in me at every stage. I would like to thank Prof. Stackpole for the enthusiasm he has shown in my work throughout my course. His constructive and critical comments have added his perspective and enriched the contents of my study. I also thank Prof. Johnson for his constant support and encouragement at every step of the process. The completion of this dissertation would not have been possible without the valuable assistance of the staff at the NSSA Student Advising Office.

Last but not least, I would like to thank my parents and family for having given me this opportunity to undertake postgraduate studies at this renowned institute, RIT, and for their faith in me during my highs and lows throughout these two years.

Abstract

With the advancement in virtualization technology, virtual machines (VMs) are becoming a common and integral part of datacenters. As the popularity and use of VMs increase, incidents involving them are also on the rise. There is substantial research on using VMs and virtual appliances to aid forensic investigation, but research on collecting evidence from VMs following a forensic procedure is lacking. This thesis studies a forensically sound way to acquire and analyze VM hard disks. It also discusses the development of a tool which assists in forensic analysis of snapshots of the virtual hard disks used in VMs. The tool analyzes the changes made to a virtual disk by comparing snapshots created at various stages. By comparing the state of the files in a base snapshot that is believed to be clean with a later snapshot that is suspected of having been tampered with, forensic investigators are able to identify files that have recently been added, deleted, edited, or modified.
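Added example, not the thesis's tool or code: a Python sketch of the snapshot comparison the abstract describes, run over constructed file-metadata records for two hypothetical snapshots (all paths, inode numbers, times and modes are made up). It classifies each path the way the thesis's menu items are named: deleted, added, edited (modification time), changed (change time only) and SETUID/SETGID changes, and also flags edits that left the file with a new inode.

```python
import stat
from collections import namedtuple

# Per-file metadata as read from a mounted snapshot (constructed values):
# inode number, st_mode bits, modification time and change time.
FileMeta = namedtuple("FileMeta", "inode mode mtime ctime")

BASE = {  # hypothetical "clean" base snapshot
    "/etc/passwd":       FileMeta(1001, 0o100644, 1000, 1000),
    "/etc/shadow":       FileMeta(1002, 0o100640, 1000, 1000),
    "/usr/bin/passwd":   FileMeta(2001, 0o104755, 500, 500),
    "/home/u/notes.txt": FileMeta(3001, 0o100644, 1200, 1200),
    "/tmp/old.log":      FileMeta(4001, 0o100644, 900, 900),
}
SUSPECT = {  # hypothetical later snapshot suspected of tampering
    "/etc/passwd":       FileMeta(1001, 0o100644, 1000, 1000),  # untouched
    "/etc/shadow":       FileMeta(1002, 0o100666, 1000, 1500),  # chmod only: ctime moved
    "/usr/bin/passwd":   FileMeta(2001, 0o104755, 500, 500),    # untouched
    "/home/u/notes.txt": FileMeta(3007, 0o100644, 1600, 1600),  # edited; editor gave it a new inode
    "/tmp/x.sh":         FileMeta(5001, 0o104755, 1700, 1700),  # new file carrying the setuid bit
}

SUID_SGID = stat.S_ISUID | stat.S_ISGID

def compare_snapshots(base, suspect):
    """Classify every path as the thesis's tool does: deleted, added, edited
    (mtime differs), changed (only ctime differs), setuid/setgid bit changes,
    plus edits where the inode number changed (the observation in section 5.4.1)."""
    report = {k: [] for k in ("deleted", "added", "edited", "changed",
                              "setuid_setgid", "inode_changed")}
    for path in sorted(set(base) | set(suspect)):
        b, s = base.get(path), suspect.get(path)
        if s is None:
            report["deleted"].append(path)
            continue
        if b is None:
            report["added"].append(path)
        elif b.mtime != s.mtime:
            report["edited"].append(path)
        elif b.ctime != s.ctime:
            report["changed"].append(path)
        # Gaining or losing setuid/setgid is reported for new and existing files alike.
        if ((b.mode if b else 0) ^ s.mode) & SUID_SGID:
            report["setuid_setgid"].append(path)
        if b is not None and b.inode != s.inode:
            report["inode_changed"].append(path)
    return report
```

On a real image the two dictionaries would be built by walking each mounted snapshot with os.lstat; the classification logic stays the same.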
Table of Contents

Acknowledgement  ii
Abstract  iii
List of Tables  vii
List of Figures  viii
1 Introduction  1
2 Related Work  2
3 Methodology  4
  3.1 Environment Setup  5
    3.1.1 Activities performed on the Suspect Machine  6
    3.1.2 Activities performed on the Analysis Machines  7
  3.2 Virtual Disk Acquisition  8
    3.2.1 Guest System Time Skew  9
  3.3 Forensics Snapshot Analysis Tool  9
4 Forensics Snapshot Analysis tool  11
  4.1 Forensics Snapshot Analysis Menu  11
    4.1.1 Select Snapshots to Compare  12
    4.1.2 View Selected Snapshots  13
    4.1.3 View Files Deleted  14
    4.1.4 View New Files Added  15
    4.1.5 View Files Edited [Modification Time]  15
    4.1.6 View Files Changed [Change Time]  15
    4.1.7 View SETUID/SETGID Changes  16
    4.1.8 View Analysis Result Files  16
    4.1.9 Compute MD5 & SHA1 hashes  16
5 Results  18
  5.1 Image Acquisition  18
  5.2 Forensics Snapshot Analysis tool  19
  5.3 Forensics Snapshot Analysis Results  20
    5.3.1 Files Deleted  20
    5.3.2 Files Added to Snapshot  20
    5.3.3 Files Edited  21
    5.3.4 Files Changed  22
    5.3.5 Files SETUID/SETGID  22
  5.4 Miscellaneous Observations  23
    5.4.1 Editing a File Changes its Inode  23
    5.4.2 Inode Reallocation  23
  5.5 Additional Uses for Tool  23
6 Limitations & Future Work  24
  6.1 Possible Methods of Obfuscation  24
    6.1.1 MAC Times  24
    6.1.2 Encryption  24
  6.2 Future Work  24
7 References  25
