4 Replies Latest reply on Jun 4, 2012 9:41 PM by Art.Peck

    How to collect forensic evidence from a flexible VM

      The customer is asking how you would be able to collect forensic evidence from a flexible VM. He is concerned that, despite all efforts to prevent malicious use of the system, someone does so. With a persistent VM, as with a physical PC, Windows 7 would have collected trace evidence in the various log files. The Information Assurance folks would be able to track the incident to a specific user (CAC card), on a specific VM, and exactly what was done.

      With 1100+ Students we are looking at flexible/destroy VMs as a way to minimize the number of Windows 7 images that need to be maintained. A "personal" or persistent VM would work, but we would have to maintain all the VMs.

      Any suggestions welcomed. If our thinking is off-base, we'd like to know that too.


        • 1. Re: How to collect forensic evidence from a flexible VM
          Your request is too general and unspecified to make specific recommendations, but you might want to look into Windows centralized event logging. It can alert you to security issues and other events throughout your network, archive logs and assist you in meeting your audit requirements. There are several options available, check with Google.
          • 2. Re: How to collect forensic evidence from a flexible VM
            Thanks! I know the question was pretty open ended since I am hoping to get a discussion going with several ideas. I think we will wind up with the central logging type option. What the security folks want is to say "Mr. Mustard did it in the library with the candlestick at midnight." to paraphrase.

            Central logging leaves the question of which machine did the event happen on? My instinct is with non-persistent desktops, it doesn't matter. Still thinking that through.
            • 3. Re: How to collect forensic evidence from a flexible VM
              I guess the first order of business is to decide what risk behaviors you're concerned about - file-level auditing on a non-persistent desktop probably isn't really going to address the risks you're concerned with. The problem with "auditing" lies in capturing the right data, and then being able to detect a possible problem. The usual instinct is to audit everything - which will create a tremendous amount of data - so much data, you'll never spot the activities that are of concern.

              But there are useful audit channels in Windows 7 in a Domain environment - I assume these are domain-joined VMs? You might start here for auditing: http://technet.microsoft.com/en-us/library/cc771395(v=ws.10)

              But this is a passive, after-the-fact thing - I'd first try to eliminate the kinds of activities that aren't necessary for the use case, and which are obvious security risks. Then use auditing and network forensics to monitor activities that must be allowed in your environment, but which represent risk.

              The first thing I'm concerned with is someone installing software on those VMs - someone installing unapproved (possibly malware-infected) software is one kind of threat, while installing wireshark or putty or nessus or a rootkit is another, more specific kind - they may be indications of someone preparing to do reconnaissance or worse. And installing a keylogger makes clear what someone is up to.

              So, depending on your environment, I'd look to prevent such installs. GPOs can help lock down an environment (to the point of making the environment nearly unusable) - so, use GPOs to lock down the desktop as much as the use case permits. If users need to be able to install software, look at restricting/eliminating sources of software. For example, disable USB mapping, and disable or strictly control web browsing (which might be your biggest threat), file sharing services, etc.

              If web access is allowed, use an authenticating proxy service with filtering, and whitelist/blacklist services. Depending on the level of control you need, you can use a variety of approaches to locking down the web browsers - "kiosk mode", if you will.

              There are also third-party tools that can be used to do end-point administration - but I'd be particularly concerned about the amount of network traffic an end-point admin tool might generate in the VDI environment.

              There are network forensics tools, usually in the form of appliances or IDS sensors, to detect and record network activities. Firewalls can be configured for deep packet inspection. There are a number of tools and techniques, which fit "best" it just depends on what kind of applications and activities your environment will be allowing.

              For an example of an open source toolkit, have a look at Snort NIDS and BASE, for reporting. And of course, there are commercial products which do the same things - that is, packet sniffing/inspection/recording, pattern recognition, etc.

              After implementing a security methodology using GPOs and proxy/firewall policies (and physical security, like disabling USB redirection - and don't forget, you can buy in-line keyloggers on eBay), using Windows audit services (selectively) and a network monitoring / intrusion detection tool, you should be able to protect yourself from most risks.
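The central logging suggested in reply 1 and the Windows audit channels described in reply 3 only answer "which user, on which VM, at what time, did what" if the forwarded events are correlated on the collector, and reply 2's worry about which machine an event happened on is real on pooled desktops, because the same VM name comes back with a fresh clone and Windows logon IDs start over on every boot. The following Python is an added example, not code from this thread or from VMware or Microsoft. It assumes the VMs' Security logs are forwarded off the VM before it is destroyed (Windows Event Forwarding or any agent) and that the collector keeps a few fields from events 4624 (logon), 4688 (process creation) and 4634 (logoff); the field names are simplified from the real event XML and the records are constructed for the demonstration.

```python
"""Attribute actions on a non-persistent VM to a user, VM and time by
correlating forwarded Windows Security events.

Added example for this thread, not code from the original posts or from
VMware/Microsoft.  Assumptions: the VMs' Security logs are forwarded off
the VM (e.g. Windows Event Forwarding to a collector) before the VM is
destroyed, and the collector keeps these fields from 4624 (logon), 4688
(process creation) and 4634 (logoff).  Field names are simplified from the
real event XML; the records below are constructed for the demonstration.
"""
from datetime import datetime

# Constructed sample.  VDI-007 is a pooled desktop: after Mustard logs off,
# a fresh clone with the same name boots and Scarlet logs on, and Windows
# logon IDs start over per boot, so the (computer, logon_id) pair repeats.
EVENTS = [
    {"id": 4624, "time": "2012-06-04T08:02:11", "computer": "VDI-007",
     "domain": "ARMY", "user": "MUSTARD.COLONEL.1234567890",
     "logon_id": "0x3e7a1", "ip": "10.1.4.7"},
    {"id": 4688, "time": "2012-06-04T08:15:40", "computer": "VDI-007",
     "logon_id": "0x3e7a1", "process": r"C:\Users\Public\putty.exe"},
    {"id": 4634, "time": "2012-06-04T08:30:00", "computer": "VDI-007",
     "logon_id": "0x3e7a1"},
    {"id": 4624, "time": "2012-06-04T09:01:05", "computer": "VDI-007",
     "domain": "ARMY", "user": "SCARLET.MISS.0987654321",
     "logon_id": "0x3e7a1", "ip": "10.1.4.22"},
    {"id": 4688, "time": "2012-06-04T09:05:00", "computer": "VDI-007",
     "logon_id": "0x3e7a1", "process": r"C:\Windows\System32\cmd.exe"},
    # A process event whose logon event never reached the collector (the VM
    # may have been destroyed before the 4624 was forwarded).  This must not
    # be silently attributed to anyone.
    {"id": 4688, "time": "2012-06-04T09:10:00", "computer": "VDI-012",
     "logon_id": "0x41b2c", "process": r"C:\Windows\System32\net.exe"},
]


def _t(e):
    return datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%S")


def build_sessions(events):
    """Turn 4624/4634 pairs into logon sessions keyed by (computer, logon_id).

    A second 4624 for a key that is still open means the VM was recycled and
    the logon id reused, so the stale session is closed at that point instead
    of being allowed to swallow the new user's actions."""
    open_sessions, sessions = {}, []
    for e in sorted(events, key=_t):
        key = (e["computer"], e["logon_id"])
        if e["id"] == 4624:
            if key in open_sessions:
                stale = open_sessions.pop(key)
                stale["end"], stale["closed_by"] = _t(e), "reuse"
                sessions.append(stale)
            open_sessions[key] = {
                "computer": e["computer"], "logon_id": e["logon_id"],
                "user": f'{e["domain"]}\\{e["user"]}', "ip": e["ip"],
                "start": _t(e), "end": None, "closed_by": None}
        elif e["id"] == 4634 and key in open_sessions:
            s = open_sessions.pop(key)
            s["end"], s["closed_by"] = _t(e), "logoff"
            sessions.append(s)
    sessions.extend(open_sessions.values())  # no logoff was ever forwarded
    return sessions


def attribute(events, sessions):
    """Map each 4688 to the session open on that VM under that logon id."""
    timeline = []
    for e in sorted(events, key=_t):
        if e["id"] != 4688:
            continue
        t = _t(e)
        owner = next((s for s in sessions
                      if (s["computer"], s["logon_id"]) == (e["computer"], e["logon_id"])
                      and s["start"] <= t and (s["end"] is None or t < s["end"])), None)
        timeline.append({"time": e["time"], "vm": e["computer"],
                         "user": owner["user"] if owner else "UNATTRIBUTED",
                         "ip": owner["ip"] if owner else None,
                         "action": e["process"]})
    return timeline


def evidence_gaps(sessions):
    """Sessions whose logoff never reached the collector: the VM was probably
    destroyed before its last events were forwarded, so anything after the
    last forwarded event is lost and the chain of evidence has a hole."""
    return [s for s in sessions if s["closed_by"] is None]


def describe(entry):
    return f'{entry["user"]} on {entry["vm"]} at {entry["time"]} ran {entry["action"]}'


if __name__ == "__main__":
    sessions = build_sessions(EVENTS)
    for entry in attribute(EVENTS, sessions):
        print(describe(entry))
    for s in evidence_gaps(sessions):
        print(f'gap: no logoff forwarded for {s["user"]} on {s["computer"]} '
              f'(session started {s["start"]})')
```

Two things in this sketch matter for the non-persistent case specifically: the session key must include the VM name and the start time, not just the logon ID, because a recycled clone reuses both the name and the ID; and a session with no forwarded logoff is reported rather than ignored, since on a destroy-at-logoff pool that usually means the VM disappeared before the collector got everything. The smart-card proof itself is not in the VM's 4624; the domain controller's Kerberos 4768 events carry the certificate issuer and serial used for the CAC logon, so a collector that also pulls DC logs closes that link.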
              • 4. Re: How to collect forensic evidence from a flexible VM
                WOW! Excellent info. Thanks for taking the time to write this long of a reply.

                The Customer is a branch of the US Military. They already have extensive network security tools installed. We regularly see PCs that are taken off the domain because of out-of-compliance activities. So I think what they are asking, more than how to do network security is how do I do that in a non-persistent VM context. As I pointed out earlier, some of these offenses may result in prosecution. They have to present evidence that will stand up in court.

                Thanks again!