Virtualization for incident responders:
principles and techniques for recovering evidence from virtualized systems and cloud environments
Eric M. Fiterman, Methodvue
DC 2011 Training Session // january 16 - 17
The cost and efficiency benefits to virtualization and cloud computing have driven many organizations to dramatically consolidate physical infrastructure, greatly reducing the complexity of provisioning IT resources and inventory in a heterogeneous IT environment. As more infrastructure and storage are virtualized, first responders will be increasingly tasked with recovering, restoring, and analyzing evidence that may not be found using traditional means. This course is intended for information security personnel who are responsible for handling incidents involving virtual infrastructure, cloud service providers, or desktop virtualization platforms.
- Virtualization Overview
- Problem Definition
- A changing forensic methodology and approach
- VMware Architecture and Portfolio
- Exercise: Suspending and preserving virtual machine state
- Exercise: Imaging and acquiring virtual partitions and LUNs
- Exercise: Data recovery in the VMware ESXi managed environment
- Exercise: Collecting evidence from VMware hosted products
- Microsoft’s Hyper-V R2 Hypervisor
- Exercise: External attack mitigation and evidence preservation in Microsoft Hyper-V environments
- Culminating Exercise Scenario: Collecting critical evidence in an insider-threat incident
The course is designed to allow students to work comfortably at their own pace when working on the exercise scenarios. The instructor will provide guidance and assistance when necessary, but this flexibility allows students to take breaks when allotted in the schedule. In addition, the instructor will be available after the scheduled hours to answer questions or provide additional assistance if more time is needed.
The course will consist of 25% lecture and 75% hands-on lab and scenario-based exercises. Students will pair up in teams to work through scenarios and practical exercises that have been based on actual security incidents involving virtual infrastructure.
Who Should Attend:
Security personnel responsible for virtualized infrastructure or resources that have been migrated into a private or public cloud will learn techniques to recover data from this new environment.
Students should be familiar with the basic principles of evidence recovery; have a working knowledge of networking, data storage systems, and operating systems.
What to bring:
Students should bring a laptop computer capable of running the Microsoft Windows Operating System (either natively or as a guest operating system). Students should download and install recent versions of AccessData’s FTK Imager, VMware Player, and a Secure Shell utility to remotely access a running SSH service. Attendees may also bring a licensed copy of their forensic analysis tool(s) of choice.
what you will get:
- Hypervisor testbed and lab environment
- Printed course materials
- Test data for exercises
Eric M. Fiterman: is a former FBI Special Agent and founder of Methodvue, a consultancy that provides cyber security and computer forensics services to the federal government and private businesses. Eric began his career as a FreeBSD/Solaris software engineer and is actively involved in the incident response, forensic analysis, and security engineering domains. Eric currently serves as an expert witness for federal and state civil cases involving trade secrets protection, financial fraud, and computer crime. Eric has received several commendations and awards for his investigative work, including a service award from the United States Secret Service for his investigative contributions to law enforcement.
Eric has published several articles in Digital Forensics Magazine, including an article on the impact of virtualization on the field of forensics. Eric recently delivered a presentation at ShmooCon 2010 on the recovery of evidentiary artifacts from virtual environments.