Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Computer forensics and virtualization

November 17, 2009

In response to a query I posted last week about computer forensics and virtualization, Clay Calvert of Metrostar Systems was kind enough to write. The procedure he outlines below is essentially what we do at Sensei:

“I’ve had to test files to see if they are malicious, or not. Unfortunately, launching an executable can damage a PC beyond simple repair.

To do malware analysis I will copy the .exe file to a VM, take a snapshot of the VM, and then virtually unplug the VM from the network. The malware is contained and any damage caused can be undone by reverting to the snapshot. It is also possible to run an external debugger with VMware Workstation. Why would you want to run an external debugger? Well, that is because some malware looks to see if it is being directly debugged and then the program will behave differently if it determines such tools are being used against it.

To forensically capture a VM, suspend it and then copy the entire folder to other media. This automatically captures the contents of RAM as well. The contents of the memory will be in a file slightly larger than allocated RAM and in VMware the file often ends with .VMEM.

Multiple forensic tools can be launched in separate VMs. One can be running a Helix CD and a Backtrack .ISO at the same time, while still having the capabilities of the host OS.”

Thanks Clay, for this guest post.
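The "suspend it and then copy the entire folder" step in Clay's post is the one most examiners want to document rather than do by hand, so here is an added example of that capture (this is not code from the post, from Clay, or from Sensei). The snapshot, network unplug and suspend happen in the hypervisor and are not shown; the script starts from a VM folder that is already suspended. It assumes a VMware-style layout where a `.vmx` file carries a `memsize = "NNN"` key (megabytes) and the memory image ends in `.vmem`, copies the folder, hashes every file at source and destination so the copy can be shown to be faithful, records which file is the memory image and whether it is at least as large as the configured RAM, and writes a manifest beside (never inside) the evidence copy. `make_sample_vm` builds a constructed, fake VM folder so the whole thing runs offline.

```python
"""Forensic capture of a suspended VMware-style VM folder (added example, not the post's own code).

Assumptions: the VM folder holds a .vmx with a memsize key in MB and a .vmem
memory image. These are labelled assumptions, not verified VMware internals.
"""
import hashlib
import json
import os
import re
import shutil
from pathlib import Path
from typing import Dict, Optional

# Matches the RAM allocation line in a .vmx configuration, e.g. memsize = "2048"
MEMSIZE_RE = re.compile(r'^\s*memsize\s*=\s*"(\d+)"', re.MULTILINE)
MIB = 1024 * 1024


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in 1 MiB chunks so multi-GB .vmdk/.vmem files never sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(MIB), b""):
            h.update(chunk)
    return h.hexdigest()


def configured_ram_mb(vm_dir: Path) -> Optional[int]:
    """RAM allocated to the VM, read from the memsize key of its .vmx file (None if absent)."""
    for vmx in sorted(Path(vm_dir).glob("*.vmx")):
        m = MEMSIZE_RE.search(vmx.read_text(errors="replace"))
        if m:
            return int(m.group(1))
    return None


def capture_vm(vm_dir: Path, dest_root: Path) -> Dict:
    """Copy a suspended VM's folder to dest_root and return a hashed manifest.

    Every file is hashed at the source and again at the destination; a mismatch
    aborts, because a copy that differs from the original is useless as evidence.
    """
    vm_dir = Path(vm_dir)
    dest = Path(dest_root) / vm_dir.name
    shutil.copytree(vm_dir, dest)  # the "copy the entire folder" step
    ram_mb = configured_ram_mb(vm_dir)
    manifest: Dict = {
        "source": str(vm_dir),
        "destination": str(dest),
        "configured_ram_mb": ram_mb,
        "memory_images": [],
        "files": {},
    }
    for src in sorted(p for p in vm_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(vm_dir).as_posix()
        dst = dest / src.relative_to(vm_dir)
        src_hash, dst_hash = sha256_file(src), sha256_file(dst)
        if src_hash != dst_hash:
            raise RuntimeError(f"copy verification failed for {rel}")
        entry = {"sha256": dst_hash, "size": dst.stat().st_size}
        manifest["files"][rel] = entry
        if src.suffix.lower() == ".vmem":
            # The memory image: note whether it is at least as large as the configured RAM,
            # a quick sanity check that the suspend actually wrote out guest memory.
            entry["covers_configured_ram"] = ram_mb is not None and entry["size"] >= ram_mb * MIB
            manifest["memory_images"].append(rel)
    # The manifest sits next to the copy, not inside it, so the evidence folder stays untouched.
    (Path(dest_root) / f"{vm_dir.name}.manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def make_sample_vm(root: Path, name: str = "analysis-vm", ram_mb: int = 2) -> Path:
    """Constructed sample VM folder (not a real VMware VM) so the capture can be tried offline."""
    vm_dir = Path(root) / name
    vm_dir.mkdir(parents=True)
    (vm_dir / f"{name}.vmx").write_text(f'displayName = "{name}"\nmemsize = "{ram_mb}"\n')
    # Memory image made "slightly larger than allocated RAM", as the post describes.
    (vm_dir / f"{name}.vmem").write_bytes(b"\x00" * (ram_mb * MIB + 4096))
    (vm_dir / f"{name}.vmdk").write_bytes(os.urandom(64 * 1024))  # stand-in for the virtual disk
    (vm_dir / f"{name}.nvram").write_bytes(os.urandom(8 * 1024))  # stand-in for the BIOS state file
    return vm_dir


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        sample = make_sample_vm(Path(tmp) / "vms")
        print(json.dumps(capture_vm(sample, Path(tmp) / "evidence"), indent=2))
```

Point `capture_vm` at a real suspended VM folder and a mounted evidence drive; the manifest's per-file SHA-256 values are what you record in the chain-of-custody notes, and the `memory_images` entry tells the memory-analysis step which file to load.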
