WIXLIB

Virtualization and ForensicsA Digital Forensic Investigator’sGuide to Virtual EnvironmentsDiane BarrettGregory KipperTechnical EditorSamuel LilesAMSTERDAM BOSTON HEIDELBERG LONDONNEW YORK OXFORD PARIS SAN DIEGOSAN FRANCISCO SINGAPORE SYDNEY TOKYOSyngress is an imprint of ElsevierSYNGRESS

Syngress is an imprint of Elsevier.30 Corporate Drive, Suite 400, Burlington, MA 01803, USAThis book is printed on acid-free paper. 2010 Elsevier Inc. All rights reserved.No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical,including photocopying, recording, or any information storage and retrieval system, without permission in writingfrom the Publisher. Details on how to seek permission, further information about the Publisher’s permissions policies,and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agencycan be found at our Web site: www.elsevier.com/permissions.This book and the individual contributions contained in it are protected under copyright by the Publisher (other thanas may be noted herein).NoticesKnowledge and best practice in this field are constantly changing. As new research and experience broaden ourunderstanding, changes in research methods, professional practices, or medical treatment may become necessary.Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using anyinformation, methods, compounds, or experiments described herein. In using such information or methods, theyshould be mindful of their own safety and the safety of others, including parties for whom they have a professionalresponsibility.To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability forany injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or fromany use or operation of any methods, products, instructions, or ideas contained in the material herein.Library of Congress Cataloging-in-Publication DataApplication submittedBritish Library Cataloguing-in-Publication DataA catalogue record for this book is available from the British Library.ISBN: 978-1-59749-557-8Printed in the United States of America10 11 12 135 4 3 2 1Elsevier Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively“Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.For information on rights, translations, and bulk sales, contact Matt Pedersen, Commercial Sales Director and Rights;e-mail m.pedersen@elsevier.comFor information on all Syngress publications,visit our Web site at www.syngress.comTypeset by : diacriTech, Chennai, India

To my sister and best friend – Michele.– DianeTo Azure, McCoy, and Grant – the best kids in the world!– Greg

CONTENTSAcknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiiiIntroduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvAbout the Authors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviiPART 1 VIRTUALIZATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1Chapter 1 How Virtualization Happens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3Physical Machines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5How Virtualization Works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5Virtualizing Operating Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7Virtualizing Hardware Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8Server Virtualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8Hypervisors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10Bare-Metal Hypervisor (Type 1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10Embedded Hypervisor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10Hosted Hypervisor (Type 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11Main Categories of Virtualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12Full Virtualization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12Paravirtualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13Hardware-Assisted Virtualization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14Operating System Virtualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14Application Server Virtualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16Application Virtualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17Network Virtualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18Storage Virtualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18Service Virtualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19Benefits of Virtualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20Cost of Virtualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23Bibliography. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24Chapter 2 Server Virtualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25What Is Server Virtualization? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25The Purpose of Server Virtualization. . . . . . . . . . . . . . . . . . . . . . . . . . . . 26Server Virtualization: The Bigger Picture. . . . . . . . . . . . . . . . . . . . . . . . . 27v

viCONTENTSDifferences between Desktop and Server Virtualization. . . . . . . . . . . . . . 29Common Virtual Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30VMware Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30Microsoft Virtual Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32Citrix XenServer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33Oracle VM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35Bibliography. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35Chapter 3 Desktop Virtualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37What Is Desktop Virtualization? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37Why Is It Useful? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38Common Virtual Desktops. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39VMware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39VMware Fusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40Microsoft Virtual PC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42Parallels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44Sun VirtualBox. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47Xen. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48Virtual Appliances and Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50Penguin Sleuth Kit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50The Revealer Toolkit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51Intelica IP Inspect Virtual Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51Helix 2008R1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51CAINE 0.3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52Virtual Desktops as a Forensic Platform . . . . . . . . . . . . . . . . . . . . . . . . . . 53Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54Bibliography. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54Chapter 4 Portable Virtualization, Emulators, and Appliances . . . . . . . . . 57MojoPac . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58MokaFive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62Preconfigured Virtual Environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66VMware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66Microsoft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67Parallels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69