Virtualization for Security > What Can Be Gained by Booting the Captured Machine? > Using the System to Demonstrate the Meaning of the Evidence

Download Safari Books Online apps: Apple iOS | Android

Entire Site

Safari Books Online is a digital library providing on-demand subscription access to thousands of learning resources.

Search

Table of Contents

Virtualization for Security: Including Sandboxing, Disaster Recovery, High Availability, Forensic Analysis, and Honeypotting

Technical Editor

Contributing Authors

Contents

Chapter 1: An Introduction to Virtualization

Chapter 2: Choosing the Right Solution for the Task

Chapter 3: Building a Sandbox

Chapter 4: Configuring the Virtual Machine

Chapter 5: Honeypotting

Chapter 6: Malware Analysis

Chapter 7: Application Testing

Chapter 8: Fuzzing

Chapter 9: Forensic Analysis

Introduction

Preparing Your Forensic Environment

Capturing the Machine

Preparing the Captured Machine to Boot on New Hardware

What Can Be Gained by Booting the Captured Machine?

Virtualization May Permit You to Observe Behavior That Is Only Visible While Live

Using the System to Demonstrate the Meaning of the Evidence

The System May Have Proprietary/Old Files That Require Special Software

Analyzing Time Bombs and Booby Traps

Easier to Get in the Mind-Set of the Suspect

Collecting Intelligence about Botnets or Virus-Infected Systems

Collecting Intelligence about a Case

Capturing Processes and Data in Memory

Performing Forensics of a Virtual Machine

Caution: VM-Aware Malware Ahead

Summary

Solutions Fast Track

Frequently Asked Questions

Chapter 10: Disaster Recovery

Chapter 11: High Availability: Reset to Good

Chapter 12: Best of Both Worlds: Dual Booting

Chapter 13: Protection in Untrusted Environments

Chapter 14: Training

Index

242 Chapter9·ForensicAnalysis Virtualization May Permit You to Observe Behavior That Is Only Visible While Live When Windows starts, there are a myriad of places that can contain instructions to be executed upon startup. Looking in each location that can contain startup instructions and trying to interpret what those text and binary instructions might do is next to impossible. However, if you could boot the system in a virtual instance, you might be able to tell easily that the malicious code you were investigating had replaced the background with a fake security alert. In addition, you run the system and collect network information from the network about open ports and network connections that are initiated or accepted. You can add tools that can look for and interpret information on VM running the suspect's image. Using the System to Demonstrate the Meaning of the Evidence

Download Safari Books Online apps: Apple iOS | Android

This Book

Search

Contents

What Can Be Gained by Booting the Captur... > Using the System to Demonstrate the ... - Pg. 242