how to install VMware
1. Restoring Suspect Physical and
Compressed Images with VMWare
Brett Shavers
Computer Technology Investigators Network
2. Topics:
• VMware Brief
• Capabilities of VMware
• VMware Installation
• Guest Operating Systems
• VMware Networking
• Restoration of forensic images into VMware
3. What is VMware?
• VMware is application software that provides a virtual computer on which you can install another operating system
• The virtual computer or virtual machine (VM) runs as if it were a real operating system on a real computer with real devices
• The VM has its own CPU, memory, hard disks, and other I/O devices
4. Virtual Hardware
• CPU = Host CPU
• Chipset = Intel 440BX-based motherboard with
NS338 SIO chip and 82093AA IOAPIC
• BIOS = PhoenixBIOS 4.0 Release 6 with VESA
BIOS
• RAM = Host’s RAM
• IDE Devices = Up to 4; Virtual HD up to 950 GB;
can also use real disks (2TB limit)
• SCSI Devices = Up to 7
• NIC = AMD PCnet-PCI II compatible
5. VMware Workstation
Terminology
• Host operating system is the one that runs
VMware Workstation
• Guest operating system is the virtual OS
• The host OS can be either NT-based Windows or Linux (Red Hat, Mandrake, SuSE)
• The guest OS can be DOS, every flavor of Windows, Linux, BSD or any other OS that runs on an x86 platform
6. Forensic Uses of VMware
• VMware Workstation allows you to restore a suspect’s hard drive into a VM
• You can work with the suspect’s OS and its installed
applications, some of which may be involved in the alleged
crime
• You can network two VMs, one a suspect client and the
other a suspect server
• You can also mount a suspect’s restored hard drive as a
physical or “raw” disk
• You can easily drag and drop files from the VM to your
host computer
7. Some VM Tips
• VMware can boot ISO images
• Snapshots can be taken (up to 100 per VM World)
• Videos can be taken using VMware Tools
• You can drag and drop between the host and the guest OS easily.
8. Installing VMware Workstation
• Meet the minimum requirements for the host:
Component               Minimum                          Recommended
CPU                     400 MHz                          500 MHz +
Memory                  128 MB                           256 MB +
Display                 VGA                              SVGA +
Hard Disk (install)     100 MB free                      100 MB
Hard Disk (for guests)  Whatever guest requires + apps   Whatever guest recommends + apps
Host OS                 Windows 2003, Windows XP Home and Pro (SP1), Windows 2000 (SP3), Windows NT (SP6A)
Continued …
9. Installing VMware Workstation
• Optional components include:
• Floppy Disk
• Ethernet adapter for the host
• CD-ROM
• USB port
• Other hard disks
10. Installing a Guest OS
• Have the installation media available, typically a CD
• Start VMware Workstation and select File, New Virtual Machine
• A wizard begins …
18. Installing a Guest OS
• Once the Guest has been configured, you need to
start the OS, but before you do …
• Make sure the installation media for the guest is in
the CD-ROM drive or floppy drive of the host
• As soon as the machine starts, you need to click in
the window and press F2 to get into the guest
CMOS setup program
• Once there, you’ll need to configure the system to
boot from the CD-ROM or floppy
25. Summary
• VMware Workstation allows you to install a guest
OS in a virtual machine
• The guest OS can interact with the host and utilize the host’s CPU, RAM, CD-ROM, keyboard, mouse, floppy disk, and network card
• The host can be practically any NT-based host or
Linux host and the guest can be any Windows OS,
Linux, Novell, FreeBSD and more
• VMware Workstation provides significant
forensic-related capabilities
26. Restore of network and client systems
ILook will be demonstrated, but EnCase, FTK, WinHex, etc. can be used as long as the tool can restore whatever image format you have. You can also use physical hard drives directly.
EnCase has directions on restoration into VMware on their website. Using a boot disk of any sort is half the work of using FTK or EnCase for restores.
27. Restore Using ILook
• Scenario with a Windows 2003 domain controller and an XP Pro client
• Before restoring, set up a VMware environment with the VMware DHCP service disabled
• Restore the domain controller first
29. Create the Domain Controller
You have to know the OS of the image to be restored. Use the same version, because VMware emulates hardware for each OS. XP may be able to handle all the other Windows OSes; it will still boot to the actual OS, but there may be subtle differences in emulation. Stay with the actual OS.
30. Name and Allocate Resources
Name it what you like. If you will be doing multiple restorations of the same image, you can use dates, LFN, OS, etc. Set the location to a new folder that you can manage. For network restorations, keep the whole LAN in one folder; otherwise you will lose track. You may have to adjust memory later: the more machines, the more memory needed. Make sure your folder can hold everything you need (if all images total 100 GB, you need at least that much space to restore, as the images expand to their original size).
31. Define Network Type
Only use host-only networking, to contain the threat that the restored network system could pose by interacting with the ‘real’ networking environment you are connected to.
For forensic restorations, make sure you don’t choose a connection that goes outside! (Bridged and NAT will go outside.) The other two are safe. For network restorations, choose HOST ONLY NETWORKING. This allows clients in the virtual world to talk to each other. If you select either of the first two and the images have a virus, you have just exposed your network to that virus.
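The isolation rule on this slide, as an added example that is not part of the original deck: a small shell check that reads a VMware Workstation .vmx file and reports any enabled virtual NIC whose connectionType is bridged or nat before the restored suspect VM is powered on. The .vmx keys used (ethernetN.present, ethernetN.connectionType) are real Workstation keys; the two sample .vmx files are constructed, and treating a missing connectionType as unsafe is my own conservative assumption.

```shell
#!/bin/sh
# Added example (not from the original deck): audit a VMware Workstation .vmx
# before powering on a restored suspect image. NICs on "bridged" or "nat" can
# reach the real network; "hostonly" and "custom" stay inside the host.

# Return 0 when every enabled NIC is hostonly/custom, 1 otherwise. A VM with
# no NIC present is isolated by definition. A NIC marked present but with no
# connectionType line is reported as unsafe: its type then depends on VMware's
# default rather than an explicit choice (assumption, not a documented rule).
check_vmx_isolation() {
    vmx="$1"
    unsafe=0
    for nic in $(sed -n 's/^ethernet\([0-9]*\)\.present *= *"[Tt][Rr][Uu][Ee]".*/\1/p' "$vmx"); do
        ctype=$(sed -n "s/^ethernet${nic}\.connectionType *= *\"\([^\"]*\)\".*/\1/p" "$vmx" \
                | tr 'A-Z' 'a-z')
        case "$ctype" in
            hostonly|custom) echo "ethernet$nic: $ctype (isolated)" ;;
            *) echo "ethernet$nic: ${ctype:-unset} (UNSAFE: reaches outside the host)"
               unsafe=1 ;;
        esac
    done
    [ "$unsafe" -eq 0 ]
}

# Constructed sample: the domain-controller VM left on a bridged NIC.
unsafe_vmx=$(mktemp)
cat > "$unsafe_vmx" <<'EOF'
config.version = "8"
displayName = "DC-restore"
ethernet0.present = "TRUE"
ethernet0.connectionType = "bridged"
EOF

# Constructed sample: the same VM corrected to host-only, as the slide recommends.
safe_vmx=$(mktemp)
cat > "$safe_vmx" <<'EOF'
config.version = "8"
displayName = "DC-restore"
ethernet0.present = "TRUE"
ethernet0.connectionType = "hostonly"
EOF

for f in "$unsafe_vmx" "$safe_vmx"; do
    if check_vmx_isolation "$f"; then
        echo "$f: safe to power on"
    else
        echo "$f: fix the network type before powering on"
    fi
done
```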
32. Defining the Bus
You will go through this process twice for each drive you are restoring, to identify the source and destination.
33. Select the Source Disk
Choose the disk that contains the image files. It is possible to have all images on one disk to be used for
restorations.
34. VM Ware Establishes New Machine
VMware treats this as though it is a SCSI system even though it is really an IDE drive; don’t worry about this. It is a SCSI disk because VMware prefers SCSI disks for domain controller OSes. SCSI and IDE are just interfaces; the data will be the same, so there is no difference.
0:0 is the first SCSI disk on the first SCSI controller.
36. Define Drive Type and Allocate Space
Normally choose IDE. Make it the same size as the original hard drive, not the size of the image. Give a GB of wiggle room. Then name the target drive.
38. Restore the Image Using the ILook ISO File
Put an ISO of ILook on your desktop, and point to that. (Side note: you can make an ISO of a boot floppy and have it point to that as well, always booting to your clean boot disk, for example.)
39. Point to the CD and Start the Virtual ILook Machine
52. Check the Virtual IP settings for the virtual network connections
You need to know what the original settings were to reconfigure this. Because of the restore, the restored image will revert to the Windows defaults, because a different NIC is being used (albeit a virtual one). It is good to check this before imaging, if possible.
53. This appears to be LAN2 (as if there was a 1 at some time). LAN 1 was the original machine; when restored, LAN2 was created. Look at the Ethernet adapter and that will be different as well. Don’t worry about it; it has to be that way.
54. The IP settings can be found here in the registry.
56. Check the original DHCP settings
Verify that the scope makes sense and is active before you restore any client systems.
57. Suspend the Controller Machine
Because the domain must be working to install a client, just suspend this VM. Suspending a machine doesn’t free up RAM; it uses it just the same. 3 machines at 2 GB is about the max for RAM.
58. Create a new client virtual machine
• Duplicating the previous process used
during the controller restore
• When you get to the drive type select IDE
rather than SCSI (this IDE is the default
setting since this is a client machine)
61. EnCase/FTK/etc. Images
• You can use EnCase, FTK, Linux, WinHex or any other program that can restore images to a physical drive in VMware.
62. Forensic Issues
• Yes, the data is changed (but only the virtual
world, not the original images)
• No, you can’t see unallocated space when fishing
through the virtual world (it’s not a forensic exam
anyway)
• Yes, hashes will match on specific files on both
the images and virtual world.
• This process can be used to test viruses, Trojans, worms, and other actions on a suspect system (for example, to disprove a suspect’s allegations of a virus, etc.)
64. 5% off purchase
• If you want 5% off an online purchase, you
can use my referral code:
• VMRC-BRESHA248