Archive for June 2012

Getting Ready for a Shadow Volume Exam

We now have built a virtual machine from an image of the target system.  Next, we’ll build a Windows 7 VM and configure it as our examination platform: the Shadow Examination and Analysis Technique (SEAT) workstation.  Building the VM is basically the same as installing an operating system from scratch, and I’ll go over the basic steps in the following video.

I installed Windows 7 Ultimate 64 from a DVD, but you can use an ISO instead of a disc.  I have a library of operating systems on ISOs, as they come in handy.  Please be mindful of licensing requirements.  I didn’t install a network adapter, but will do so later.  I use as much RAM as I can afford, and you can experiment.  RAM can be adjusted from a powered-off state.  I like using a single, growable disk for my VM.  For the most part, I set up the system as I like.  I turn off User Account Control, but we must leave System Protection enabled.  I also set my folder view options to allow access to hidden and system files.  Remember that you can use snapshots to protect the state of your VM.  Below is a screenshot of my VM.  I keep my frequently used tools on the desktop.  Be sure to include a shortcut to the command prompt, and set it to run in administrator mode.

For you X-Ways users, you can configure your options as you normally do.  Be sure, however, to set the option to run XWF as administrator by default; allowing multiple instances is also suggested.  Remember that XWF, like most forensic suites, is USB-dongle based.  When you want to work with XWF in your VM, you must connect the dongle to the VM as in the image below.

If you have more than one Feitian dongle, as in the screenshot, you’ll have to experiment to find the correct dongle.  Then, connect it to the VM (Disconnect from host).  Note that, if XWF is running in the host system, it will become aware that the dongle was disconnected and issue a notice.  The easiest thing to do is close the host instances of XWF before you work in the SEAT workstation.  Of course, if you have more than one dongle, you can work simultaneously in both environments.  Note that you can connect any USB device that you wish by using the same procedure.

Note, too, that our SEAT workstation is portable.  At the moment, my VM is about 18GB, so it’s easily copied to another forensic workstation or USB drive.  In the next post, I’ll review how we mount the target VM in our SEAT workstation and begin an exam.

Creating a VMware Virtual Machine from a Raw Image File

Welcome to my blog and first post!  My aim is to provide tutorials that describe some of the things about which my colleagues have questions.  I’m neither a seasoned blogger nor videographer, so please bear with me as I progress.  I don’t plan to produce a regularly updated journal on digital forensics, as many of the good folks in my blog list now publish.  Instead, I’ll try to provide some guidance on practices that may help others who haven’t had a chance to explore an area of computer forensics that I may have delved into repeatedly.  As you’ll see, I have a plan for a few topics and will consider suggestions thereafter.  I do, however, have a full-time job that already extends beyond a “reasonable” workday, so pardon my delays in posting.  The videos herein should be viewed in high-def, and you’re welcome to download them.

This will be a multi-part presentation that goes into creating VMware virtual machines and using them to examine shadow volumes.  First, we’ll create a virtual machine from a single dd image file.  In the next presentation, we’ll examine the target system’s shadow volumes using VMware and X-Ways Forensics (XWF).  We can also create a target-system VM from a segmented image, but it takes more work to create our configuration file.  We also can build a VM from other image formats, like E01, as long as we can mount the image as a physical disk.  First, I always take care to see that my image file is read only.  Our image file is MyImage.001.  There are a variety of ways to approach an exam of shadow volumes, and this is mine at the moment.  I’m using VMware 8.x, but the steps are the same in 7.x.

I’m going to assume that readers have a modest grasp of VMware and Windows shadow volumes.  The next presentation features XWF more prominently, and I encourage readers to pick up a copy, as its benefits go far beyond the points that I’ll present.

Step One is to create a disk descriptor (vmdk) file, which is a text file that contains the disk geometry and image name.  Below is a screenshot of the contents of a Vista/Win7 vmdk file.  The yellow-highlighted fields are the ones that you will edit.  The first is the number of sectors on the physical disk.  Next is the name of your image file.  Then, skip the next field (cylinders) for the moment and be sure that heads=255 and sectors=63.  Finally, enter the number of cylinders by calculating <total sectors>/255/63.  It’s 19458 in our example; always round up to the next whole number and do not use commas.  I usually place this file in the same folder as my image, and we’ll name this file MyImage.vmdk.

Here’s an editable copy of our vmdk file: MyImage.txt.  Save the file as a text file and then change the extension to vmdk for actual use.  It’s configured for VMware 8.x.  If you’re wondering where to get the number of sectors, an easy approach is to highlight the image in XWF and select the Technical Details Report from the Specialist menu:
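As an added worked example (not the post’s own MyImage.txt, and not a VMware tool), the script below generates the descriptor from the image’s size and checks the result the way the post tells you to check it by hand: the sector count comes from the raw image’s byte size (which must be a whole number of 512-byte sectors, otherwise the file is truncated or is not a raw image), heads and sectors are fixed at 255 and 63, and cylinders are <total sectors>/255/63 rounded up.  The field names and layout of the descriptor are the standard VMware monolithicFlat format; the sample size of 160041885696 bytes (312581808 sectors, a common 160GB disk) is a constructed value that happens to yield the post’s 19458 cylinders, not a figure taken from the post.

```python
import math
import os

# Geometry VMware expects for a Vista/Win7 descriptor, per the post.
HEADS = 255
SECTORS_PER_TRACK = 63
SECTOR_SIZE = 512


def cylinders_for(total_sectors: int) -> int:
    """<total sectors>/255/63, rounded UP to the next whole number."""
    if total_sectors <= 0:
        raise ValueError("total_sectors must be positive")
    return math.ceil(total_sectors / (HEADS * SECTORS_PER_TRACK))


def sectors_from_image_size(size_bytes: int) -> int:
    """Sector count of a raw dd image, derived from its byte size.

    A raw image is a whole number of 512-byte sectors; anything else means
    the file is truncated or is not raw (an E01, for instance).
    """
    if size_bytes % SECTOR_SIZE:
        raise ValueError(f"image size {size_bytes} is not a multiple of {SECTOR_SIZE}")
    return size_bytes // SECTOR_SIZE


def build_descriptor(image_name: str, total_sectors: int, hw_version: int = 8) -> str:
    """Return the text of a monolithicFlat VMDK descriptor for image_name."""
    cyl = cylinders_for(total_sectors)
    lines = [
        "# Disk DescriptorFile",
        "version=1",
        "CID=fffffffe",
        "parentCID=ffffffff",
        'createType="monolithicFlat"',
        "",
        "# Extent description",
        # Total sectors, then the image file name: the two highlighted fields.
        f'RW {total_sectors} FLAT "{image_name}" 0',
        "",
        "# The Disk Data Base",
        "#DDB",
        "",
        f'ddb.virtualHWVersion = "{hw_version}"',
        f'ddb.geometry.cylinders = "{cyl}"',
        f'ddb.geometry.heads = "{HEADS}"',
        f'ddb.geometry.sectors = "{SECTORS_PER_TRACK}"',
        'ddb.adapterType = "lsilogic"',
    ]
    return "\n".join(lines) + "\n"


def check_descriptor(descriptor: str, image_size_bytes: int) -> bool:
    """Cross-check a descriptor against the image it points at.

    Returns False if the extent's sector count disagrees with the image size
    or if the cylinder count was not rounded up for that extent (too few
    cylinders silently truncates the disk the guest sees).
    """
    extent, cyl = None, None
    for line in descriptor.splitlines():
        if line.startswith("RW "):
            extent = line.split()
        elif line.startswith("ddb.geometry.cylinders"):
            cyl = int(line.split("=", 1)[1].strip().strip('"'))
    if extent is None or cyl is None:
        return False
    total_sectors = int(extent[1])
    try:
        if total_sectors != sectors_from_image_size(image_size_bytes):
            return False
    except ValueError:
        return False
    return cyl == cylinders_for(total_sectors)


def write_descriptor(image_path: str) -> str:
    """Create <image>.vmdk next to a raw image and return the descriptor path.

    Refuses to proceed if the image is writable: the post's first rule is
    that the image file stays read-only, so the VM only ever writes to the
    snapshot, never to the evidence.
    """
    if os.access(image_path, os.W_OK):
        raise PermissionError(f"{image_path} is writable; set it read-only first")
    total = sectors_from_image_size(os.path.getsize(image_path))
    text = build_descriptor(os.path.basename(image_path), total)
    out = os.path.splitext(image_path)[0] + ".vmdk"
    with open(out, "w", newline="\n") as fh:
        fh.write(text)
    return out


if __name__ == "__main__":
    # Constructed sample: a 160GB disk, 312581808 sectors -> 19458 cylinders.
    sample_size = 160041885696
    text = build_descriptor("MyImage.001", sectors_from_image_size(sample_size))
    print(text)
    print("descriptor consistent:", check_descriptor(text, sample_size))
```

Run it with no arguments to print the sample descriptor; call write_descriptor("C:\\Cases\\MyImage.001") (a hypothetical path) to generate MyImage.vmdk beside a real raw image.  The write path deliberately refuses a writable image file so the read-only rule from the post is enforced before the VM ever touches the evidence.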


Next, we’ll create a VM, so open VMware and elect to create a new virtual machine.  At this point, the following video will save some explaining:

This is what we do: Run VMware and create a new VM.  Select the Custom option in the first window.  Choose to install the OS later.  Next, choose the OS (32 vs. 64 is not critical).  Then, pick a name for the VM and a path for the VM files.  It’s best to place them in their own folder.  In the next couple of screens, choose one processor and a little more memory (2-4GB) than the default.  In the network box, select “do not use…”  You can add a network adapter later.  For the I/O adapters box, select LSI Logic (SCSI).  In the Select a Disk box, choose “Use an existing virtual disk.”  Next, navigate to your vmdk file (MyImage.vmdk).  Then click Finish, and you will have built a basic VM.   Now, take a Snapshot in VMware: VM\Snapshot\Take Snapshot.

In the next step, we’re going to edit the registry of our VM (we don’t do this in XP) and remove the password (keep EFS in mind).  We mount the VM as a logical disk in read-write mode (remember, we’re working with a snapshot and the image file is RO).  So, mount the system partition in VMware as writable.  Watch the video: 

As you saw, I loaded the VM’s System hive in my host’s registry.  I navigated to the current control set and then to HKLM\NEWSYSTEM\ControlSet001\Services\LSI_SCSI.  I edited the Start value (DWORD) so that it’s 0x00.  The 0 has the effect of starting the service at “boot,” automatically, by the system loader.  You can edit the other Control Sets, but it’s unnecessary.  Then I unloaded the System hive and closed Regedit.

Next, we’ll deal with the user’s password.  I use a free tool named ntpwedit.exe.  (It’s in Russian, but you’ll figure it out.)  We’ll run ntpwedit, point it to the SAM hive in the mounted virtual disk, and remove any password that you wish.  Note that you usually can boot a VM with Nordahl’s CD and do the same, but it doesn’t always work.  Watch:

Now, the VM is ready to boot.  You may wish to fire it up to be sure that it runs, but create another snapshot first.  We want to be careful about doing anything that could create a restore point, which could delete one or more existing restore points.  For example, installing VMware Tools will create a restore point.  Snapshots allow us to go back and recover a pristine system.  It’s a good idea to check the shadow volumes in your image and be sure that they all show up later with their proper dates when we examine them.  In our example, there are 19: