Title: Virtualising Computer Forensics Dr. Jianming Cai (j.cai@londonmet.ac.uk) Mr. Ayoola Afonja (AYA0230@londonmet.ac.uk) Faculty of Computing London Metropolitan University
Topics
- Problems with Teaching Computer Forensics
- Introduction to Virtualisation Technology
- Moving towards the Virtual Environment
- A Case Study
- Summary
Problems with Teaching Computer Forensics
- Digital evidence comes from many different hardware and software platforms
- University labs are normally equipped with PCs running the MS Windows O.S.
- Specialised computer forensics labs are needed
- What kind of labs can we afford?
Introduction to Virtualisation Technology
- Virtualisation is the current trend reshaping the software technology industry
- Multiple Virtual Machines (VMs) run concurrently on a single physical machine
- Made practical by powerful processors and very large storage
- VMware is the leading software; 100 Fortune companies have deployed its software
The VM Layer Structure (diagram)
Moving towards the Virtual Environment
- The desktop VMware product is installed on each PC
- Both a virtual Windows XP and a virtual Linux are then installed on top of this VMware layer
- Students have admin access to each virtual machine
- Both Windows-based and Linux-based computer forensics toolkits run concurrently
The Virtual Windows XP Running EnCase (screenshot)
The Virtual Linux Running Autopsy (screenshot)
A Case Study
- A network incident investigation
- Evidence collected from a Linux O.S.
- Not intended to show network forensics techniques
- Rather, to demonstrate the viability of forensic analysis based on VMs
Snort HTTP Packet Inspection Results (screenshot)
Nmap Attack Identification (screenshot)
Inspecting Grouped Snort Log (screenshot)
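The case study slides show Snort alert output being grouped so that a scanning host stands out. The following Python script is an added example, not material from the presentation or from the Snort project: it parses alert lines in Snort's single-line "fast" format, groups them by source address and signature, and flags sources whose alerts are scan signatures or touch several distinct destination ports. The sample alert lines are constructed for this example (documentation IP ranges, illustrative signature IDs and messages), and the `suspected_scanners` heuristic is an assumption of this example rather than a Snort feature.

```python
import re
from collections import defaultdict

# Constructed sample alerts in Snort "fast" alert style (not from the original
# case study). Addresses are RFC 5737 documentation ranges; SIDs and messages
# are illustrative. The last line is deliberately malformed to show it is skipped.
SAMPLE_ALERTS = """\
11/10-14:02:11.123456  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.10 -> 198.51.100.5
11/10-14:02:12.223456  [**] [1:1421:11] SNMP AgentX/tcp request [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:41022 -> 198.51.100.5:705
11/10-14:02:12.333456  [**] [1:1228:7] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:41023 -> 198.51.100.5:22
11/10-14:02:13.443456  [**] [1:1228:7] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:41024 -> 198.51.100.5:80
11/10-14:05:40.001000  [**] [1:1852:3] WEB-MISC robots.txt access [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 203.0.113.7:50110 -> 198.51.100.5:80
this line is not an alert and should be skipped
"""

# One fast-format alert: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol, source[:port] -> destination[:port].
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alerts(text):
    """Return a list of dicts, one per well-formed alert line; other lines are ignored."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            a = m.groupdict()
            a["prio"] = int(a["prio"])
            alerts.append(a)
    return alerts


def group_alerts(alerts):
    """Group alerts by (source, sid, message): count, distinct destination ports, time span."""
    groups = {}
    for a in alerts:
        key = (a["src"], a["sid"], a["msg"])
        g = groups.setdefault(key, {"count": 0, "dports": set(), "first": a["ts"], "last": a["ts"]})
        g["count"] += 1
        if a["dport"]:
            g["dports"].add(int(a["dport"]))
        # Timestamps share one fixed-width format, so string comparison orders them.
        g["first"] = min(g["first"], a["ts"])
        g["last"] = max(g["last"], a["ts"])
    return groups


def suspected_scanners(alerts, min_ports=2):
    """Heuristic (this example's assumption): a source is suspect if any of its
    alerts is a scan signature or it touches at least min_ports distinct ports."""
    by_src = defaultdict(lambda: {"ports": set(), "scan_sigs": set()})
    for a in alerts:
        s = by_src[a["src"]]
        if a["dport"]:
            s["ports"].add(int(a["dport"]))
        msg = a["msg"].upper()
        if msg.startswith("SCAN") or "NMAP" in msg:
            s["scan_sigs"].add(a["msg"])
    return {src: s for src, s in by_src.items()
            if s["scan_sigs"] or len(s["ports"]) >= min_ports}


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for (src, sid, msg), g in sorted(group_alerts(parsed).items()):
        print(f"{src:<14} sid={sid:<6} x{g['count']} ports={sorted(g['dports'])} "
              f"{g['first']} .. {g['last']}  {msg}")
    for src, s in suspected_scanners(parsed).items():
        print(f"suspect {src}: {len(s['ports'])} ports, scan signatures {sorted(s['scan_sigs'])}")
```

Run against a real `alert` file with `parse_alerts(open("alert").read())`; grouping by source and signature before reading individual packets is what lets a reviewer separate one noisy scanner from the background of single web alerts.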
Summary
- Teaching computer forensics is not only demanding but also expensive
- The virtual environment is one of the low-cost and efficient solutions
- Its full benefit is being exploited as virtualisation technology advances
- Are we prepared for the virtualisation era?