Category Archives: Digital Forensics

Finding Known Evil With Nessus

When it comes to performing vulnerability assessments, Nessus is by far the industry leader. Nessus is known as the "world's best vulnerability management tool", and I think the reason for this is the continuous research the Nessus team does around new vulnerabilities and the speed with which the results are pushed out to customers. If you are not familiar with Nessus, here is a very high-level overview: Nessus uses "plugins", which simply put are scripts the scanner runs against a target host to check whether the host meets the criteria for a certain vulnerability. New plugins are pushed to customers and the existing plugins are updated daily.

I have been using Nessus for some time now and I have been very pleased with their level of commitment and excellent support. Recently, as I was going through their blogs, I came across an interesting post regarding finding malware through Nessus scans. I found this interesting for two reasons: first, because I had not tried this before, and second, because as a security professional it's better if you find evil in your environment before it gets reported to you.

The process for running a malware scan is the same as running a normal vulnerability scan. You just need to make sure that you select the appropriate plugins in your scan policy and use credentials that have administrative privileges on the target system, since the malware checks are credentialed checks that inspect the host's file system and running processes rather than probing it over the network. The blog post lists the default plugins you can use to get started with malware scans, and a sample scan policy is available for download which you can simply upload to your scanner and run. The post also contains links to other related posts that cover additional plugins you can enable in your scan policy.

I have not had the chance to run this scan; however, I plan to give it a try this coming week using the sample scan policy. I will write a follow-up post to share my experience.


VMware and Digital Forensic Process

Recently, I have started performing digital forensics on virtual images and wanted to briefly share the process that I am following and the challenges that I am facing:

The Process:

  • Originally, the machines in the environment are virtualized via VMware ESX.
  • To take the forensic image at a given point in time, the virtual machine is suspended and its files are copied to a forensic workstation.
  • Suspending the machine (rather than powering it off) retains the guest memory in the vmem file, which allows for memory analysis alongside the disk image.
  • The suspended machines are resumed on the forensic workstation via VMware Workstation.
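The suspend-and-copy steps above, as an added example that is not part of the original post: a script for the ESXi shell (busybox ash) that suspends a VM by id, hashes every file in its directory before anything is copied, stages the whole directory (including the .vmss and .vmem state files) and verifies the copy against the manifest. It assumes vim-cmd, awk and sha256sum are available on the host; the VM id, datastore names and destination path are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: acquire a suspended VM from an
# ESXi host. Runs in the ESXi shell (busybox ash); assumes vim-cmd, awk and
# sha256sum are present there. VM ids, datastore names and the destination
# path are hypothetical.
set -eu

# Turn "[datastore1] win7/win7.vmx" (the File column of vmsvc/getallvms)
# into the path the ESXi shell can open. Datastore names containing spaces
# are not handled.
datastore_path() {
    ds=${1%%]*}
    ds=${ds#\[}
    rel=${1#*] }
    printf '/vmfs/volumes/%s/%s\n' "$ds" "$rel"
}

# Look up the .vmx path of a VM by its numeric id.
vmx_path_for() {
    entry=$(vim-cmd vmsvc/getallvms | awk -v id="$1" '$1 == id { print $3, $4 }')
    [ -n "$entry" ] || { echo "no VM with id $1" >&2; return 1; }
    datastore_path "$entry"
}

# Suspend the VM and wait until the host reports it suspended, i.e. the
# state files are written out and the VMX process has exited.
suspend_vm() {
    if vim-cmd vmsvc/power.getstate "$1" | grep -q '^Suspended'; then
        return 0
    fi
    vim-cmd vmsvc/power.suspend "$1"
    while ! vim-cmd vmsvc/power.getstate "$1" | grep -q '^Suspended'; do
        sleep 2
    done
}

# Write "hash  ./relative/path" lines for every file under $1 to $2.
# $2 must be an absolute path outside $1, or the manifest would hash itself.
hash_manifest() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
        sha256sum "$f"
    done ) > "$2"
}

# Check a copy ($1) against a manifest ($2, absolute path). Returns non-zero
# if any listed file is missing or differs, so the same check can be rerun
# on the forensic workstation after the transfer.
verify_manifest() {
    ( cd "$1" && sha256sum -c "$2" >/dev/null )
}

# Suspend VM $1 and stage its whole directory (.vmx, .vmdk, .vmss, .vmem,
# logs) under $2, hashing before the copy and verifying after it.
acquire_vm() {
    vmx=$(vmx_path_for "$1")
    vmdir=$(dirname "$vmx")
    mkdir -p "$2"
    dest=$(cd "$2" && pwd)
    suspend_vm "$1"
    hash_manifest "$vmdir" "$dest/manifest.sha256"
    cp -R "$vmdir/." "$dest/"
    verify_manifest "$dest" "$dest/manifest.sha256"
    echo "staged $vmdir in $dest; after transfer, rerun:"
    echo "  (cd <copy> && sha256sum -c manifest.sha256)"
}

# Usage: acquire.sh <vmid> /vmfs/volumes/<staging-datastore>/case-001
if [ $# -ge 2 ]; then
    acquire_vm "$1" "$2"
fi
```

The manifest is taken before the first copy so that every later copy (staging datastore, scp to the workstation, the working copy you resume in VMware Workstation) can be checked against the state the VM had the moment it was suspended; keep the staged directory untouched and resume only a second copy.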

The Challenge:

  • Usually, the machine coming from ESX has large resource allocations that are not available on the forensic workstation. For example, the machine in ESX can be allocated 12GB of RAM and 4 processors; however, this cannot be matched by what is available on the forensic workstation. This results in the machine being non-responsive when resumed in VMware Workstation.
  • When you are able to resume the machine in VMware Workstation, you are not able to transfer any tools over without first installing VMware Tools, which sometimes requires a restart.
  • If the machine was originally part of a domain and was suspended without someone already logged in, you do not have a way to get into the system other than resetting the password via some live disk. The other option is to retrieve the password from memory.
  • If the machine itself does not have enough disk space for you to save the output from all your tools, then you have to enable the Folder Sharing feature in VMware Workstation.

These are some of my immediate experiences from performing forensics on virtual images. The reason for this post is to get feedback from the forensic community on how I can improve my process and make sure I minimize the changes made to the evidence.
