Usually, in the “electronic discovery” world, evidence collection consists of simply copying files by a file type and/or from a custodian account. I do not use the word “simply” as in easy or unimportant, but more as a description of a simple collection of files.
Even with a “simple” forensic analysis, we are still just collecting, carving, and filtering files. The common point is the 'collection'; we need to collect the files in order to look at them in order to determine what happened on the system.
Complacency is just around the corner from competency
The thing about becoming proficient in any job is that the better you become and the more you do the same tasks, the higher risk you have of lapsing into complacency. Complacency can lead to mistakes, and a mistake of missing data can lead to losing a case!
One reminder (and the entire point of this post)
Do not forget about virtual computers!
A virtual computer is also called a “virtual machine” (VM). A virtual machine behaves and functions exactly like a physical computer as a user can create documents and surf the Internet within the virtual computer system.
From a computer user’s perspective, the virtual machine behaves exactly like a real, physical computer and any files accessed or created, such as system files or Internet history, are stored and only accessible in the virtual computer system.
Figure 1 Simplest concept of where data lives on a device, within a file. In this case, a "file" is a complete operating system that is no different than the operating system it sits upon.
We most always know where evidence is stored within a given operating system, because every type of data has its place, and every place has its type of data. But I have seen data not captured because a lack of checking for virtual machines, and to a lessor extent, volume shadow copies.
By not checking to see if any virtual machines exist on a storage device, you risk missing an entire computer operating system. You could miss data from multiple operating systems on a single device! This could be called an inadvertent oversight if you didn’t think of looking for virtual machines. But then again, we all have been aware of virtual machines as evidence containers for decades now…same with volume shadow copies…
Imagine that on a collection, you know that your custodian computers (or servers) contain one or more virtual machines, but what if you choose to ignore the virtual machines as a container of possible evidence? I can think of some excuses, such as
“…probably nothing in those virtual machines..” or
“…this is too much effort…” or
“…well, no one said anything about looking at virtual machines…”
Of these excuses, none is valid because a virtual machine, for any practical purpose, is just as much a container of potentially responsive data (or criminal evidence!) as any physical storage device. In fact, you may find exactly what you need in a virtual machine that is just sitting as a file on your evidence storage device.
That’s the most important tip – find the evidence!
The longer you do something (like DFIR!) the more likely that it will be the easy things that will trip you up if you become complacent. Don’t forget the foundations, the little things, and the basics.
Some forensic tips
Learn what a virtual machine is.
Create a virtual machine. Use it. Test it. Test different virtual software applications (VMWare, VirtualBox, etc…). Consider that a virtual machine can access the host system, that it can be run from an external device, and that all your evidence might only be in the virtual machine and not the host machine.
Access the virtual machine using forensic tools
Use tools that can interpret a virtual machine file as if it were its own disk. Then, treat your analysis of the virtual machine file as if it were an entire operating system because it is.
Legacy testing and research
Have you ever needed to see an outdated app work in an outdated operating system to test a theory? Use a virtual machine!
Building forensic test images
Building the perfect forensic test image has never been easier than when done using a virtual machine. Virtual machines can be created for the sole intention of building a forensic test image. Choose the OS of choice, “plant” the evidence to be tested, and then analyze the virtual machine with your forensic tool of choice.
A few more things
A virtual machine can be cloned, snapshots in time can be created (which practically duplicates each OS as forensic targets), and they are disposable. The disposable aspect is the ‘counter-forensics’ point since a person can commit crimes or violate policy in a virtual machine and dispose of it through simple deletion or destruction of the storage device.
The world of virtual machines today is vastly different than from just a few years ago. The technology is incredible! With Microsoft Azure Virtual Machines, you can do some incredibly unique analysis that you can’t do with the standard computer evidence drive.
The next important thing to know about virtual machines, next to analysis, is being able to explain 'what is a virtual machine’ to the layperson. In the easiest explanation, a virtual machine is like the movie Inception, where Leonardo DiCaprio was dreaming in a dream, where each dream is just as real as the next. A virtual machine is just like that: a computer in a computer and each computer is just as real as the next.
Don’t discount evidence in the virtual machine. And when asked to copy all the user files, consider that if you ignore the virtual machines, you are not copying all the user files and just failed your collection. Conversely, when you do it right, it might just make your case!