Chapter 10 Homework Teaching Tip Read More About Defense Depth

Authors: Amelia Phillips, Bill Nelson, Christopher Steuart
Guide to Computer Forensics and Investigations, Fifth Edition 10-1
Chapter 10
Virtual Machine Forensics, Live Acquisitions, and
Network Forensics
At a Glance
Instructor’s Manual Table of Contents
Overview
Objectives
Teaching Tips
Quick Quizzes
Lecture Notes
Overview
Chapter 10 is meant to serve as an overview of network forensics, not an in-depth
exploration. Tracing network forensics information can take long, tedious hours of
Chapter Objectives
Explain standard procedures for conducting forensic analysis of virtual machines
Describe the process of a live acquisition
Explain network intrusions and unauthorized access
Describe standard procedures in network forensics and network-monitoring tools
Teaching Tips
An Overview of Virtual Machine Forensics
2. Describe a hypervisor as software that runs virtual machines. Use Figure 10-1 to discuss
the two types of hypervisors:
3. Mention that type 2 hypervisors are usually the ones found loaded on a suspect
Type 2 Hypervisors
1. Explain that a use of this type of hypervisor is to run legacy hardware that works only
with a specific OS, such as Windows XP.
2. Point out that virtualization needs to be enabled in the BIOS before attempting to create
3. Discuss the following widely used type 2 hypervisors:
Parallels Desktop
KVM
Conducting an Investigation with Type 2 Hypervisors
2. Discuss the recommended steps to take when conducting a forensic analysis of VMs:
Image the host machine
Locate the virtualization software and VMs, using the information you’ve
learned about file extensions and network adapters
3. Mention that live acquisitions of VMs are often necessary because they include all
snapshots. Discuss the importance of snapshots.
5. After determining that a VM was installed, have students complete the activity to
acquire an image of the VM.
7. Discuss another method of examining a VM is making a copy of its forensic image and
8. Describe the process of using a VM to run forensic tools stored on USB drives. Allow
Working with Type 1 Hypervisors
1. Point out that having a good working relationship with network administrators and lead
2. Introduce students to the most common type 1 hypervisors they are most likely to come
in contact with:
VMware vSphere
3. Have students complete the activity where they install XenServer as a VM in
Quick Quiz 1
1. A type _____ hypervisor rests on top of an existing OS, such as Windows, Linux, or
Mac OS.
2. True or False: Instruction sets called Virtual Machine Extensions (VMX) are necessary
to use virtualization; without these instruction sets, virtualization software doesn’t work.
3. By linking a VM’s _____ to log files, you might be able to determine what Web sites
the VM accessed.
4. Live acquisitions of VMs are necessary because they include all _____.
5. Which hypervisor type can be installed directly on hardware and is limited only by the
Performing Live Acquisitions
1. Explain that live acquisitions are especially useful when you’re dealing with active
2. Mention that live acquisitions don’t follow typical forensics procedures.
3. Define order of volatility (OOV), which determines how long a piece of information
4. Describe the general steps to perform a live acquisition, including:
a. Create or download a bootable forensic CD or USB drive
b. Make sure you keep a log of all your actions
Performing a Live Acquisition in Windows
1. Discuss several tools available to perform live acquisitions. Point out that GUI tools are
easy to use, but they often require a lot of system resources.
Mandiant Memoryze
Teaching
For more information about performing a live acquisition in a corporate
Network Forensics Overview
1. Define network forensics and how it works.
a. Intruders leave a trail behind
The Need for Established Procedures
1. Explain that taking the time to follow standard procedures is essential to ensure that all
Securing a Network
2. Define defense in depth (DiD) as a layered network defense approach developed by the
NSA that includes the following modes of protection:
3. Mention that testing networks is as important as testing servers. You need to be up to
date on the latest methods intruders use to infiltrate networks as well as methods
internal employees use to sabotage networks.
Developing Procedures for Network Forensics
1. Mention that network forensics is a long, tedious process.
2. Describe the standard procedure for network forensics as follows:
a. Always use a standard installation image for systems on a network
3. Illustrate the differences between digital forensics and network forensics. As a network
4. Logs record all traffic leaving and entering your network. You can use logs from the
following network components during an investigation:
6. Explain that analyzing traffic includes:
7. Mention that if other companies are involved in the attack, you must proceed as in a
digital forensic investigation. You shouldn’t reveal information discovered about other
Using Network Tools
1. Define Sysinternals as a collection of free tools for examining Windows products.
2. Describe some of the Sysinternals tools, including:
a. RegMon shows Registry data in real time
3. Explain the main functions or commands from the PsTools suite developed by
Sysinternals, including:
1. PsExec runs processes remotely
3. PsKill kills process by name or ID
5. PsLoggedOn shows who’s logged locally
7. PsService controls and views services
9. PsSuspend suspends processes
Using Packet Analyzers
1. Define packet analyzers as devices or software that monitor network traffic. Most
2. Explain how network sniffers work. Some packets can be identified by examining the
flags in their TCP headers. Use Figure 10-15 to illustrate your explanation.
3. Describe some of the most common network sniffer tools, including:
1. tcpdump
3. tcpslice
5. tcpdstat
7. Etherape
9. Argus
4. Have students complete the activity starting on page 413 of the textbook.
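The flag check in item 2 above, as an added example that is not from the textbook or this manual: the Python below decodes the flag bits of a fixed 20-byte TCP header from constructed sample segments and labels each segment by its flag combination the way an analyst reads a capture. The header-building helper, the sample capture and the label strings are my own assumptions.

```python
import struct

# TCP flag bits in the low byte of the offset/flags field (RFC 793; ECE/CWR from RFC 3168)
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
             0x10: "ACK", 0x20: "URG", 0x40: "ECE", 0x80: "CWR"}

def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Construct a minimal 20-byte TCP header; sample data for this example only."""
    data_offset = 5  # five 32-bit words, no options
    off_flags = (data_offset << 12) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, off_flags, window, 0, 0)

def parse_tcp_header(segment):
    """Decode the fixed TCP header fields and return the names of the flags that are set."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    flags = off_flags & 0x1FF
    names = [name for bit, name in sorted(TCP_FLAGS.items()) if flags & bit]
    if flags & 0x100:          # NS bit (RFC 3540) sits just above the classic eight
        names.append("NS")
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "data_offset": (off_flags >> 12) * 4, "flags": names}

def classify(flag_names):
    """Label a segment by its flag combination; invalid combinations are flagged for review."""
    s = set(flag_names)
    if not s or ("SYN" in s and "FIN" in s):
        return "anomalous: invalid flag combination, worth alerting on"
    if "RST" in s:
        return "reset: connection refused or aborted"
    if s == {"SYN"}:
        return "handshake: connection request"
    if "SYN" in s and "ACK" in s:
        return "handshake: request accepted"
    if "FIN" in s:
        return "teardown"
    if "ACK" in s:
        return "established: data or acknowledgement"
    return "other"

def summarize_capture(segments):
    """Walk a list of raw TCP headers and return (src, dst, label) per segment."""
    out = []
    for seg in segments:
        p = parse_tcp_header(seg)
        out.append((p["src_port"], p["dst_port"], classify(p["flags"])))
    return out

# Constructed three-way handshake followed by a malformed SYN+FIN segment
SAMPLE_CAPTURE = [
    build_tcp_header(40000, 80, 1000, 0, 0x02),      # SYN
    build_tcp_header(80, 40000, 5000, 1001, 0x12),   # SYN+ACK
    build_tcp_header(40000, 80, 1001, 5001, 0x10),   # ACK
    build_tcp_header(40001, 80, 7, 0, 0x03),         # SYN+FIN, never valid
]
```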
Examining the Honeynet Project
1. Define the Honeynet project as an attempt to thwart Internet and network hackers. The
objectives are awareness, information, and tools.
3. Define zero day attacks as another major threat where attackers look for holes in
networks and OSs and exploit these weaknesses before patches are available.
5. Comment on the legal validity of a honeynet.
Quick Quiz 2
1. The amount of time that a piece of information lasts on a system is known as
_____.
2. ____ is the process of collecting and analyzing raw network data and systematically
tracking network traffic to ascertain how an attack was carried out or how an event
occurred on a network.
3. True or False: Testing networks is not as important as testing servers.
4. ____ are devices and/or software placed on a network to monitor traffic.
5. A(n) ____ is a computer set up to look like any other machine on your network; its
purpose is to lure attackers to your network, but the computer contains no information
of real value.
6. ____ are computers set up to monitor what’s happening to honeypots on your network
and record what attackers are doing.
Class Discussion Topics
1. Ask your students to discuss the right of a corporate network administrator to use packet
sniffers. Are employees’ privacy rights being violated?
2. Ask students to debate the legal validity of honeynets. Divide them into two groups, one
Additional Projects
1. Ask students to read more about denial-of-service attacks (DoS) and distributed denial-
of-service attacks (DDoS). As a network administrator, what can you do to prevent
them?
2. Ask your students to read about legal issues with honeynets.
Additional Resources
1. tcpdump:
2. Monitoring with tcpdump:
4. Other network attacks Web sites:
a. How to plan for a possible network attack
d. Session hijacking
Key Terms
defense in depth (DiD) The NSA’s approach to implementing a layered network
distributed denial-of-service (DDoS) attacks A type of DoS attack in which other
online machines are used, without the owners’ knowledge, to launch an attack.
honeypot A computer or network set up to lure an attacker.
honeywalls Intrusion prevention and monitoring systems that track what attackers
do on honeypots.
layered network defense strategy An approach to network hardening that sets up
several network layers to place the most valuable data at the innermost part of the
network.
contains its own OS.
type 2 hypervisor A virtual machine interface that’s loaded on top of an existing
OS.
Virtualization Technology (VT) Intel’s CPU design for security and performance
enhancements that enable the BIOS to support virtualization
Virtual Machine Extension (VMX) Instruction sets created for Intel processors to