www.encase.com/ceic
Virtual Hard Disk Forensics Using EnCase®
Randy Nading, EnCE | Security+
Computer Forensic Analyst, Jacobs Technology
Agenda
I. Virtual Hard Disks (VHDs) as Evidence Containers
Hands On 1: Create and Mount a VHD Using Windows 7 or 8 OS Tools
II. Ways VHDs Can Be Used to Obfuscate Data
Hands On 2: Add Data, Dismount VHD, Change Extension, Copy to TD
Randy Nading, EnCE, Security+ | Computer Forensic Analyst, Jacobs Technology | Page 3
III. Detecting VHDs Using EnCase: Update the File Types Table
Hands On 3: Update the File Types Table in EnCase To Detect Common VHDs
IV. Detecting VHDs Using EnCase: Create a VHD Condition
Hands On 4: Create a Condition to Detect Common VHDs
VHD Forensics Using EnCase
V. Putting It All Together: Implementing VHD Analysis in the Workflow
I. Virtual Hard Disks (VHDs) as Evidence Containers
• Think of VHDs as another type of evidence container
• Current forensic software does not identify VHDs or mount them
• VHDs are becoming more and more prevalent
• Windows users can create their own VHDs from the Disk Management snap-in
• TrueCrypt’s admission
• TrueCrypt’s recommendation
Hands On 1: Create and Mount a VHD Using Windows 7 or 8 OS Tools
A. Open the Computer Management window (in File Explorer right-click This PC and select Manage)
B. Select Disk Management
C. Open the Action menu and select Create VHD
D. Select location, size and type of VHD and click OK.
E. Initialize the new VHD: Right-click the new VHD disk icon in the Disk Management window and select Initialize Disk
F. Create a partition on the VHD: Still in Disk Management, right-click the Unallocated Space of the newly initialized VHD and select New Simple Volume
G. Encrypt the new VHD using BitLocker: Open File Explorer, right-click the New Volume and select Turn on BitLocker
II. Ways VHDs Can Be Used to Obfuscate Data
• VHDs residing on hard drives and thumb drives will not be obvious to examiners, even if nothing is done to hide their presence
• The VHD file extension can be stripped or changed to blend in with the files around it
• VHDs may be moved to a thumb drive and encrypted for added security
• VHDs may be nested
• VHDs may be encrypted
Hands On 2: Add Data, Dismount VHD, Change Extension, Copy to TD

A. To unmount the drive, right-click the drive in File Explorer and select Eject
B. Alternatively, right-click the disk number in the Disk Management window and select Detach VHD
C. To mount the drive again, use Attach VHD in the Action menu of the Disk Management window
D. Disguise the VHD as the Microsoft® Debug Information Accessor: Dismount the drive as in step A, right-click the filename of the VHD in File Explorer, and select Rename. Change the name to msdia80, and change the extension to .dll.
E. Move the VHD to the thumb drive: Right-click the filename of the VHD in File Explorer and select Cut. Right-click the thumb drive
III. Detecting VHDs Using EnCase: Update the File Types Table
• Since VHDs operate fine without filename extensions, search for them by the unique signatures embedded in their file headers
• Update the File Types table with the signatures of popular VHDs in use today
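To make the signature-based approach concrete, here is an added Python scanner (my example, not part of the deck and not an EnCase feature) that tags files by the leading bytes of the common virtual-disk formats instead of by extension, so a VHD renamed to msdia80.dll as in Hands On 2 is still found. The signatures are well-known format facts; the four-character tags, the file names and the sample bytes are constructed for this example. It also handles a case a header-only File Types entry misses: a fixed-size VHD stores its "conectix" footer only at the end of the file.

```python
import os
import tempfile

# Well-known format signatures (format facts, not values from the slides). Tags follow
# the deck's rule of four characters starting with "vhd"; the exact strings are assumed.
HEADER_SIGNATURES = {
    b"conectix": "vhd1",  # Microsoft VHD footer, copied to offset 0 in dynamic/differencing disks
    b"vhdxfile": "vhd2",  # Microsoft VHDX file identifier at offset 0
    b"KDMV": "vhd3",      # VMware VMDK sparse extent header at offset 0
    b"<<< Oracle VM VirtualBox Disk Image >>>": "vhd4",  # VirtualBox VDI text header
}

def identify_vhd(path):
    """Tag a file by its bytes, ignoring name and extension; None if no signature."""
    with open(path, "rb") as f:
        head = f.read(512)
        f.seek(max(os.path.getsize(path) - 512, 0))  # fixed-size VHDs keep the footer only at the end
        tail = f.read(512)
    for magic, tag in HEADER_SIGNATURES.items():
        if head.startswith(magic):
            return tag
    if tail.startswith(b"conectix"):
        return "vhd1"  # a header-only file type entry would miss this one
    return None

def scan_tree(root):
    """Return {path: tag} for every file under root that carries a signature."""
    paths = (os.path.join(d, n) for d, _, names in os.walk(root) for n in names)
    return {p: t for p in paths if (t := identify_vhd(p))}

def build_samples(root):
    """Write constructed stand-ins (NOT real disk images) and return the expected hits."""
    filler = b"\x00" * 1024
    files = {  # name: (bytes, expected tag or None)
        "fixed.vhd": (filler + b"conectix" + b"\x00" * 504, "vhd1"),  # footer only at the end
        "msdia80.dll": (b"conectix" + filler, "vhd1"),                # renamed VHD, Hands On 2 step D
        "disk.vhdx": (b"vhdxfile" + filler, "vhd2"),
        "notes.txt": (b"just a text file", None),                     # must not be reported
    }
    for name, (data, _) in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return {os.path.join(root, n): t for n, (_, t) in files.items() if t}

def demo():
    """Build the samples in a scratch folder, scan it, and return (found, expected)."""
    with tempfile.TemporaryDirectory() as d:
        expected = build_samples(d)
        found = scan_tree(d)
    return found, expected
```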
Hands On 3: Update the File Types Table in EnCase To Detect Common VHDs

A. Start EnCase and select View | File Types and click on the New icon on the menu bar
B. In the New File Type window, click on the Options tab and enter these settings
C. In the New File Type window, click on the Header tab and enter these settings
D. The Footer tab will not be used. Click OK to save the settings to the File Types table.
E. Repeat the above process for each of the VHD file types you wish to add. Make sure that the four-character Unique Tag field begins with “vhd” and is different for each VHD entered. This will be
F. If you have multiple installations of EnCase, as in a lab setting, you can update the File Types table once and copy the FileTypes.ini incremental file from your C:\Users\username\AppData\Roaming\EnCase\EnCase7-2\Config folder to the same folder on all the other machines. You do all the heavy lifting and your coworkers benefit. : )
Practice this by copying the FileTypes.ini incremental file that I prepared on the instructor materials network share to your C:\Users\username\AppData\Roaming\EnCase\EnCase7-2\Config folder now.
IV. Detecting VHDs Using EnCase: Create a VHD Condition
• Create a condition to filter out all files except VHDs based on their file signature analysis
• Searches for and displays only files whose File Type Tag contains the tag vhd
Hands On 4: Create a Condition to Detect Common VHDs

A. Click the Condition dropdown menu and select New Condition, which will bring up the New Condition dialog box. (1) For the Path field, navigate to the folder in which you would like the condition stored, then name the condition Virtual Hard Disk and click Save. (2) Click the New icon on the
B. Select the File Type Tag property, the Contains operator, and type vhd for the value. Then click OK to save and close the New Term dialog box and OK to save and close the New Condition dialog box.
C. Test the new condition: (1) Open EnCase and add at least one VHD as evidence. (2) Click the Condition dropdown menu and select Run, then select the name of the condition just created and click Open.
D. Select the appropriate Filter (Current View, Current Device, or All Evidence Files) and click OK to run the condition.
Question: Why does the condition return no results if you verified you have at least one virtual hard drive added as evidence?
• Resist the urge to double-check your File Type table additions…you copied and pasted the right bits of data.
• Resist the urge to edit the condition…it is as simple and straightforward as any condition you have ever written.
• Resist the urge to verify the presence of the VHD file in the evidence…you just put it there a few minutes ago!
• Resist the urge to question your sanity…think workflow!
V. Putting It All Together: VHD Analysis in the Workflow
• The reason the condition returned no results is that it was run at the wrong spot in your digital forensics workflow
• The condition identifying the VHDs depends on File Signature Analysis to work
• One of the initial workflow steps to be performed ought to be File
• Reminder: After completing File Signature Analysis, either through Evidence Processor or Entries | Hash\Sig Selected, you must reload the evidence so that the results are available to the condition
• However, it would be a workflow mistake to do File Signature Analysis as the very first step. Why?
• The first priority in workflow is to Recover Folders
• The second priority is to Mount Compound Files
• The third priority is to conduct File Signature Analysis
• The fourth priority is to reload the evidence
• The fifth priority is to run the new VHD condition
• After step 10, continue the rest of your digital forensics workflow as usual
• NOTE: If the exported VHD in workflow step 6 above is a file with an extension of .vdi, it must be converted to a .vhd or .vmdk before mounting it in step 7 above. The .vdi file is the Virtual Disk Image created by Oracle VirtualBox. Install VirtualBox before continuing. After VirtualBox is installed, use the VBoxManage command line tool to do the conversion as shown below.
Open a command window and type the following command:
    VBoxManage clonehd sourceFilename destinationFilename --format VHD
NOTE: If an error is generated for a duplicate UUID, run the command below and then repeat the conversion process:
VI. Q & A
Resources – VHD Forensics
• http://www.forensicswiki.org/wiki/Virtual_Hard_Disk_(VHD)
• https://ad-pdf.s3.amazonaws.com/Forensic_Issues_VHDs_Windows7.pdf
• http://www.forensickb.com/2014/02/understanding-hyper-v-server-when-doing.html
• http://www.forensicfocus.com/Forums/viewtopic/t=5806/
• http://cyber-defense.sans.org/blog/2009/11/17/bitlocker-attached-vhd-drive
• http://www.uat.edu/academics/Forensic_Challenges_in_Virtualized_Enviro