Welcome to my blog and first post! My aim is to provide tutorials that describe some of the things about which my colleagues have questions. I’m neither a seasoned blogger nor videographer, so please bear with me as I progress. I don’t plan to produce a regularly updated journal on digital forensics, as many of the good folks in my blog list now publish. Instead, I’ll try to provide some guidance on practices that may help others who haven’t had a chance to explore an area of computer forensics that I may have delved into repeatedly. As you’ll see, I have a plan for a few topics and will consider suggestions thereafter. I do, however, have a full time job that already extends beyond a “reasonable” workday, so pardon my delays in posting. The videos herein should be viewed in high-def, and you’re welcome to download them.
This will be a multi-part presentation on creating VMware virtual machines and using them to examine shadow volumes. First, we'll create a virtual machine from a single dd image file. In the next presentation, we'll examine the target system's shadow volumes using VMware and X-Ways Forensics (XWF) http://www.x-ways.net/forensics/index-m.html. We can create a target-system VM from a segmented image, but it takes more work to build the descriptor file. We can also build a VM from other image formats, like E01, as long as we can mount the image as a physical disk. Before anything else, I always confirm that my image file is read-only. Our image file is MyImage.001. There are a variety of ways to approach an exam of shadow volumes, and this is mine at the moment. I'm using VMware 8.x, but the steps are the same in 7.x.
I'm going to assume that readers have a modest grasp of VMware and Windows shadow volumes. The next presentation features XWF more prominently, and I encourage readers to pick up a copy, as its benefits go far beyond the points that I'll present.
Step One is to create a disk descriptor (vmdk) file, a text file that tells VMware the disk geometry and the name of the image. Below is a screen shot of the contents of a Vista/Win7 vmdk file. The yellow-highlighted fields are the ones you will edit. The first is the number of sectors on the physical disk (the image size in bytes divided by 512). Next is the name of your image file. Skip the cylinders field for now and be sure that heads=255 and sectors=63. Then go back and enter the number of cylinders, calculated as <total sectors>/255/63, always rounded up to the next whole number and written without commas; it's 19458 in our example. I usually place this file in the same folder as my image and, in our example, name it MyImage.vmdk.
Here's an editable copy of our vmdk file: MyImage.txt. Save it as a text file and then change the extension to vmdk for actual use. It's configured for VMware 8.x. If you're wondering where to get the number of sectors, an easy approach is to highlight the image in XWF and select the Technical Details Report from the Specialist menu:
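If you would rather not edit the descriptor by hand, the following PowerShell script builds it from the image itself, doing the same arithmetic as above. This is an added example, not the MyImage.txt from the post and not VMware's own tooling: it reads the image size, warns if the file isn't read-only, computes the rounded-up cylinder count, and writes the flat-extent descriptor. The image name MyImage.001 and the 255/63 geometry come from the post; the function names, the E:\Case path and the hardware version default "8" are this example's assumptions. It also goes one step beyond the post and accepts a segmented image (several files in order), which just means one RW extent line per segment.

```powershell
# Added example (not from the original post): build the .vmdk descriptor for a
# raw dd image the way the post describes. Assumptions: function names, the
# E:\Case path and the hardware version default "8".

function Get-VmdkGeometry {
    param([Parameter(Mandatory = $true)][uint64]$TotalSectors)
    $heads = 255
    $sectorsPerTrack = 63
    # Round UP to the next whole cylinder, as the post says.
    # 312581808 sectors (a 160 GB disk) gives 19457.4, so 19458.
    $cylinders = [uint64][math]::Ceiling($TotalSectors / ($heads * $sectorsPerTrack))
    New-Object PSObject -Property @{
        Cylinders = $cylinders; Heads = $heads; Sectors = $sectorsPerTrack
    }
}

function New-VmdkDescriptor {
    param(
        # One file for a single dd image; several, in order, for a segmented one.
        [Parameter(Mandatory = $true)][string[]]$ImageFile,
        [string]$HwVersion = '8'
    )
    $extents = @()
    [uint64]$totalSectors = 0
    foreach ($path in $ImageFile) {
        $item = Get-Item -LiteralPath $path
        if (-not $item.IsReadOnly) {
            Write-Warning "$path is not read-only; set the attribute before using it"
        }
        if ($item.Length % 512 -ne 0) {
            throw "$path is not a whole number of 512-byte sectors"
        }
        $sectors = [uint64]($item.Length / 512)
        $totalSectors += $sectors
        # FLAT extent: <sectors> <file> <offset in file>; each segment starts at 0.
        $extents += ('RW {0} FLAT "{1}" 0' -f $sectors, $item.Name)
    }
    $geo = Get-VmdkGeometry -TotalSectors $totalSectors
    # One extent is monolithicFlat; a flat disk split over several files is
    # twoGbMaxExtentFlat in VMware's descriptor format.
    $createType = 'monolithicFlat'
    if ($ImageFile.Count -gt 1) { $createType = 'twoGbMaxExtentFlat' }

    @('# Disk DescriptorFile',
      'version=1',
      'CID=fffffffe',
      'parentCID=ffffffff',
      ('createType="{0}"' -f $createType),
      '',
      '# Extent description') +
    $extents +
    @('',
      '# The Disk Data Base',
      '#DDB',
      '',
      ('ddb.virtualHWVersion = "{0}"' -f $HwVersion),
      ('ddb.geometry.cylinders = "{0}"' -f $geo.Cylinders),
      ('ddb.geometry.heads = "{0}"' -f $geo.Heads),
      ('ddb.geometry.sectors = "{0}"' -f $geo.Sectors),
      'ddb.adapterType = "lsilogic"')   # matches the LSI Logic (SCSI) adapter chosen in the VM
}

# Usage: write MyImage.vmdk next to MyImage.001, in plain ASCII so VMware can read it.
$image = 'E:\Case\MyImage.001'
New-VmdkDescriptor -ImageFile $image |
    Set-Content -LiteralPath ([IO.Path]::ChangeExtension($image, '.vmdk')) -Encoding ASCII
```

The extent line's sector count must equal the image size divided by 512 exactly; if XWF's Technical Details Report shows a different sector count than the script computes, the image is not a complete copy of the disk, and that is worth knowing before you boot it.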
Next, we’ll create a VM, so open VMware and elect to create a new virtual machine. At this point, the following video will save some explaining:
This is what we do: run VMware and create a new VM. Select the Custom option in the first window. Choose to install the OS later. Next, choose the OS (32- vs. 64-bit is not critical). Then pick a name for the VM and a path for the VM files; it's best to place them in their own folder. In the next couple of screens, choose one processor and a little more memory (2-4 GB) than the default. In the network box, select "do not use..."; you can add a network adapter later, and the evidence system stays off the network until you decide otherwise. For the I/O adapters box, select LSI Logic (SCSI); that is the adapter whose LSI_SCSI service we'll enable in the next step. In the Select a Disk box, choose "Use an existing virtual disk." Next, navigate to your vmdk file (MyImage.vmdk). Then click Finish, and you will have built a basic VM. Now take a snapshot in VMware: VM\Snapshot\Take Snapshot. From here on, the VM's writes go to the snapshot, not to the image.
In the next step, we're going to edit the registry of our VM (we don't do this in XP) and remove the password. Keep EFS in mind: an account whose password is reset offline loses access to its EFS-encrypted files, because the DPAPI master key that protects them was derived from the old password. We mount the VM's system partition as a logical disk on the host in read-write mode (remember, we're working with a snapshot and the image file is read-only). So, mount the system partition in VMware as writable. Watch the video:
As you saw, I loaded the VM's System hive into my host's registry as HKLM\NEWSYSTEM. I navigated to the current control set, HKLM\NEWSYSTEM\ControlSet001\Services\LSI_SCSI, and edited the Start value (DWORD) to 0x00. A Start of 0 (SERVICE_BOOT_START) makes the system loader load the driver at boot, so Windows can reach its disk on the LSI Logic adapter we gave the VM; otherwise it stops with an inaccessible boot device. Which control set is current is recorded in HKLM\NEWSYSTEM\Select\Current, and it was ControlSet001 here. You can edit the other control sets, but it's unnecessary. Then I unloaded the System hive and closed Regedit.
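The same edit, scripted so it can be repeated on the next image without clicking through Regedit. This is an added example and not the post's own procedure: it loads the offline SYSTEM hive under the same temporary key name the post used (NEWSYSTEM), reads Select\Current to pick the control set the guest will actually boot with instead of assuming ControlSet001, sets LSI_SCSI\Start to 0, and unloads the hive. It assumes a Windows host running PowerShell as administrator and that the VM's system partition is mapped as drive V: (the letter is an assumption; use whatever VMware assigned).

```powershell
# Added example (not from the original post): set the LSI_SCSI driver to boot-start
# in the VM's offline SYSTEM hive. Assumptions: the mapped system partition is V:
# and this runs elevated on the host.

$HivePath = 'V:\Windows\System32\config\SYSTEM'
$MountKey = 'HKLM\NEWSYSTEM'          # same temporary key name as in the post

# reg.exe enables the backup/restore privileges it needs; the PowerShell registry
# provider cannot load a hive file on its own.
& reg.exe load $MountKey $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

try {
    # Select\Current names the control set the guest boots with (1 -> ControlSet001).
    $current = (Get-ItemProperty -Path 'HKLM:\NEWSYSTEM\Select' -Name Current).Current
    $csName  = 'ControlSet{0:D3}' -f $current
    $svcKey  = "HKLM:\NEWSYSTEM\$csName\Services\LSI_SCSI"

    if (-not (Test-Path -LiteralPath $svcKey)) {
        throw "$svcKey not found; is this a Vista/Win7 hive and was LSI Logic (SCSI) chosen for the VM?"
    }

    $before = (Get-ItemProperty -LiteralPath $svcKey -Name Start).Start
    # 0 = SERVICE_BOOT_START: the system loader loads lsi_scsi.sys before the disk is needed.
    Set-ItemProperty -LiteralPath $svcKey -Name Start -Value 0 -Type DWord
    $after  = (Get-ItemProperty -LiteralPath $svcKey -Name Start).Start
    'LSI_SCSI Start in {0}: {1} -> {2}' -f $csName, $before, $after
}
finally {
    # Drop the provider's handles first, or the unload fails with "access denied".
    [gc]::Collect()
    & reg.exe unload $MountKey | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload failed; unload $MountKey by hand in Regedit" }
}
```

Run it only against the mapped snapshot disk, never against the image; and unmap the partition in VMware before powering the VM on, since a still-mapped partition keeps the snapshot file locked.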
Next, we'll deal with the user's password. I use a free tool named ntpwedit.exe, http://cdslow.webhost.ru/ntpwedit/. (It's in Russian, but you'll figure it out.) We'll run ntpwedit, point it to the SAM hive on the mounted virtual disk, and remove any password we wish. Note that you usually can boot a VM with Nordahl's CD and do the same, but it doesn't always work. Watch:
Now the VM is ready to boot. You may wish to fire it up to be sure that it runs, but create another snapshot first. We want to be careful about doing anything that could create a restore point, which could delete one or more existing restore points, since the shadow storage has a fixed size and a new shadow copy can push out the oldest. For example, installing VMware Tools will create a restore point. Snapshots allow us to go back and recover a pristine system. It's a good idea to check the shadow volumes in your image and be sure that they all show up later, with their proper dates, when we examine them. In our example, there are 19:
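One way to make that check from inside the booted VM, as an added example rather than anything in the post: list the shadow copies with their creation times and compare the count with what XWF showed in the image (19 here). Querying Win32_ShadowCopy is read-only and creates no restore point. It uses Get-WmiObject so it also works on the PowerShell 2.0 that ships with Windows 7; the function name and the expected count parameter are this example's assumptions.

```powershell
# Added example (not from the original post): enumerate the guest's shadow copies
# and warn if the count differs from the number seen in the image with XWF.

function Get-ShadowCopySummary {
    param([Parameter(Mandatory = $true)][int]$ExpectedCount)

    $shadows = @(Get-WmiObject -Class Win32_ShadowCopy | ForEach-Object {
        New-Object PSObject -Property @{
            ID      = $_.ID
            Volume  = $_.VolumeName
            # InstallDate is a DMTF string (yyyymmddHHMMSS.ffffff+zzz); convert it.
            Created = [Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate)
            # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN, the path tools open later
            Device  = $_.DeviceObject
        }
    } | Sort-Object Created)

    if ($shadows.Count -ne $ExpectedCount) {
        Write-Warning ('Expected {0} shadow copies but the VM reports {1}; a restore point may have been created or purged' -f $ExpectedCount, $shadows.Count)
    }
    $shadows
}

# Usage: 19 is the count the post found in its image.
Get-ShadowCopySummary -ExpectedCount 19 | Format-Table Created, Device, Volume -AutoSize
```

Compare the Created column against the dates XWF reported for the image; a missing entry or a shifted date means something in the VM touched the shadow storage, and the snapshot taken before booting is the way back.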