Chapter 10 Homework Teaching Tip Read More About Defense Depth

Guide to Computer Forensics and Investigations, Fifth Edition 10-1

Chapter 10

Virtual Machine Forensics, Live Acquisitions, and

Network Forensics

At a Glance

Instructor’s Manual Table of Contents

• Overview

• Objectives

• Teaching Tips

• Quick Quizzes

Guide to Computer Forensics and Investigations, Fifth Edition 10-2

Lecture Notes

Overview

Chapter 10 is meant to serve as an overview of network forensics, not an in-depth

exploration. Tracing network forensics information can take long, tedious hours of

Chapter Objectives

• Explain standard procedures for conducting forensic analysis of virtual machines

• Describe the process of a live acquisition

• Explain network intrusions and unauthorized access

• Describe standard procedures in network forensics and network-monitoring tools

Teaching Tips

An Overview of Virtual Machine Forensics

2. Describe a hypervisor as software that runs virtual machines. Use Figure 10-1 to discuss

the two types of hypervisors:

3. Mention that type 2 hypervisors are usually the ones found loaded on a suspect

Type 2 Hypervisors

1. Explain that a use of this type of hypervisor is to run legacy hardware that works only

with a specific OS, such as Windows XP.

2. Point out that virtualization needs to the enabled in the BIOS before attempting to create

3. Discuss the following widely used type 2 hypervisors:

• Parallels Desktop

• KVM

Conducting an Investigation with Type 2 Hypervisors

2. Discuss the recommended steps to take when conducting a forensic analysis of VMs:

• Image the host machine

• Locate the virtualization software and VMs, using the information you’ve

learned about file extensions and network adapters

3. Mention that live acquisitions of VMs are often necessary because they include all

snapshots. Discuss the importance of snapshots.

5. After determining that a VM was installed, have students complete the activity to

acquire an image of the VM.

7. Discuss another method of examining a VM is making a copy of its forensic image and

8. Describe the process of using a VM to run forensic tools stored on USB drives. Allow

Working with Type 1 Hypervisors

1. Point out that having a good working relationship with network administrators and lead

2. Introduce students to the most common type 1 hypervisors they are most likely to come

in contact with:

• VMware vSphere

3. Have students complete the activity where they install XenServer as a VM in

Quick Quiz 1

1. A type _____ hypervisor rests on top of an existing OS, such as Windows, Linux, or

Mac OS.

2. True or False: Instruction sets called Virtual Machine Extensions (VMX) are necessary

to use virtualization; without these instruction sets, virtualization software doesn’t work.

3. By linking a VM’s _____ to log files, you might be able to determine what Web sites

the VM accessed.

4. Live acquisitions of VMs are necessary because they include all _____.

5. Which hypervisor type can be installed directly on hardware and is limited only by the

Performing Live Acquisitions

1. Explain that live acquisitions are especially useful when you’re dealing with active

2. Mention that live acquisitions don’t follow typical forensics procedures.

3. Define order of volatility (OOV), which determines how long a piece of information

4. Describe the general steps to perform a live acquisition, including:

a. Create or download a bootable forensic CD or USB drive

b. Make sure you keep a log of all your actions

Performing a Live Acquisition in Windows

1. Discuss several tools available to perform live acquisitions. Point out that GUI tools are

easy to use, but they often require a lot of system resources.

• Mandiant Memoryze

Teaching

For more information about performing a live acquisition in a corporate

Network Forensics Overview

1. Define network forensics and how it works.

a. Intruders leave a trail behind

The Need for Established Procedures

1. Explain that taking the time to follow standard procedures is essential to ensure that all

Securing a Network

2. Define defense in depth (DiD) as a layered network defense approach developed by the

NSA that includes the following modes of protection:

3. Mention that testing networks is as important as testing servers. You need to be up to

date on the latest methods intruders use to infiltrate networks as well as methods

internal employees use to sabotage networks.

Developing Procedures for Network Forensics

1. Mention that network forensics is a long, tedious process.

2. Describe the standard procedure for network forensics as follows:

a. Always use a standard installation image for systems on a network

3. Illustrate the differences between digital forensics and network forensics. As a network

4. Logs record all traffic leaving and entering your network. You can use logs from the

following network components during an investigation:

6. Explain that analyzing traffic includes:

7. Mention that if other companies are involved in the attack, you must proceed as in a

digital forensic investigation. You shouldn’t reveal information discovered about other

Guide to Computer Forensics and Investigations, Fifth Edition 10-7

Using Network Tools

1. Define Sysinternals as a collection of free tools for examining Windows products.

2. Describe some of the Sysinternals tools, including:

a. RegMon shows Registry data in real time

3. Explain the main functions or commands from the PsTools suite developed by

Sysinternals, including:

1. PsExec runs processes remotely

3. PsKill kills process by name or ID

5. PsLoggedOn shows who’s logged locally

7. PsService controls and views services

9. PsSuspend suspends processes

Using Packet Analyzers

1. Define packet analyzers as devices or software that monitor network traffic. Most

2. Explain how network sniffers work. Some packets can be identified by examining the

flags in their TCP headers. Use Figure 10-15 to illustrate your explanation.

3. Describe some of the most common network sniffer tools, including:

1. tcpdump

3. tcpslice

5. tcpdstat

Guide to Computer Forensics and Investigations, Fifth Edition 10-8

7. Etherape

9. Argus

4. Have students complete the activity starting on page 413 of the textbook.

Examining the Honeynet Project

1. Define the Honeynet project as an attempt to thwart Internet and network hackers. The

objectives are awareness, information, and tools.

3. Define zero day attacks as another major threat where attackers look for holes in

networks and OSs and exploit these weaknesses before patches are available.

5. Comment on the legal validity of a honeynet.

Quick Quiz 2

1. The amount of time that a long a piece of information lasts on a system is known as

_____.

2. ____ is the process of collecting and analyzing raw network data and systematically

tracking network traffic to ascertain how an attack was carried out or how an event

occurred on a network.

3. True or False: Testing networks is not as important as testing servers.

4. ____ are devices and/or software placed on a network to monitor traffic.

5. A(n) ____ is a computer set up to look like any other machine on your network; its

purpose is to lure attackers to your network, but the computer contains no information

of real value.

6. ____ are computers set up to monitor what’s happening to honeypots on your network

and record what attackers are doing.

Class Discussion Topics

1. Ask your students to discuss the right of a corporate network administrator to use packet

sniffers. Are employees’ privacy rights being violated?

2. Ask students to debate the legal validity of honeynets. Divide them into two groups, one

Additional Projects

1. Ask students to read more about denial-of-service attacks (DoS) and distributed denial-

of-service attacks (DDoS). As a network administrator, what can you do to prevent

them?

2. Ask your students to read about legal issues with honeynets.

Additional Resources

1. tcpdump:

2. Monitoring with tcpdump:

4. Other network attacks Web sites:

a. How to plan for a possible network attack

Guide to Computer Forensics and Investigations, Fifth Edition 10-10

d. Session hijacking

Key Terms

➢ defense in depth (DiD) — The NSA’s approach to implementing a layered network

➢ distributed denial-of-service (DDoS) attacks — A type of DoS attack in which other

online machines are used, without the owners’ knowledge, to launch an attack.

➢ honeypot — A computer or network set up to lure an attacker.

➢ honeywalls — Intrusion prevention and monitoring systems that track what attackers

do on honeypots.

➢ layered network defense strategy — An approach to network hardening that sets up

several network layers to place the most valuable data at the innermost part of the

network.

contains its own OS.

➢ type 2 hypervisor — A virtual machine interface that’s loaded on top of an existing

OS.

➢ Virtualization Technology (VT) — Intel’s CPU design for security and performance

enhancements that enable the BIOS to support virtualization

➢ Virtual Machine Extension (VMX) — Instruction sets created for Intel processors to