Friday, January 25, 2013

GPT/MBR Quick Reference

Made a quick reference guide for GPT/MBR analysis for class, figured I would post it on here as well.

Wednesday, January 23, 2013

Capstone Intro: Virtual Desktop Environments

Capstone is finally here. Almost five years of college later, and it’s all about to end. Time to get cracking on the final project. Ideas were bouncing around my head for quite some time as I debated what I wanted to do. I toyed with ideas around Siri, Google Chrome Sync, Samsung Kies, Evernote, and a few other things. Nothing was really grabbing my attention and sucking me in, though. I wanted my project to be an “all-star” level project with the potential of going to a conference. Fortunately, my professors here at Champlain College know some pretty big-name people in the industry, and a very unique and fun project idea was dropped on me. Corey Harrell sparked the idea a few months ago while thinking about virtual desktop environments, and it was passed down to me through my professor Jon Rajewski. I’d like to give credit to both of them for the project idea, and I can’t wait to see what information I obtain from it in the long run!


Virtual desktop environments (VDIs) are quickly becoming more popular as businesses attempt to cut costs while increasing productivity. Deploying a VDI automates many processes that network administrators currently handle by hand, and makes provisioning new machines and scaling the environment far easier. There are many popular platforms in use right now, including VMware, Hyper-V, and Citrix. Though the technology isn't yet widespread or implemented in many corporations, it is important to realize that it very well could be. It is always better to be proactive and already have a clear idea of what measures need to be in place and what data is retrievable ahead of time.


It is also worth explaining why this project matters. VDIs are definitely the direction that networks, regardless of whether they're small or large, are moving in. It's much easier for a company to purchase multiple $200 thin-client computers and have them remotely connect to a powerful virtual machine than it is to purchase multiple $1,500 machines. Being able to establish, at the very least, a basic understanding of what we as forensicators can recover from VDIs will be invaluable. Although many people who have been in the industry for a while will probably say they have only come across this scenario a handful of times in their career, the answer will be very different in a few years.

While researching VDIs, I plan on using Citrix as my main platform. My setup will involve a server running Citrix’s XenServer as the hypervisor, Citrix XenCenter managing the hypervisor, a Windows Server 2008 R2 domain controller used primarily for DHCP, and multiple Windows virtual machines. Windows virtual desktops are arguably the most common thing a thin client will be connecting to in the workplace. I plan on examining what can be obtained from both persistent and non-persistent VDIs by creating a base scenario/template in which multiple users access different, commonly found artifacts. Ideally, if my time before the project is due permits, I would like to explore what information can be found on the XenServer itself, what may be obtainable through the Windows Server, and what information may be available through XenCenter.


The project outline involves the initial setup, which may take some time; creating the template scenario; working with both persistent and non-persistent machines; and ultimately attempting forensics on these machines.

There is a lot of appeal in this project for me. First and foremost, very little research has been done on the topic to date. This is something that could easily take months and could continue well beyond that, looking for various artifacts and attempting different ways to capture the information. My hope is that I can at least, if nothing else, come to the conclusion that information “A-G” is available on a persistent VDI, that maybe no information or only “A-C” is available on a non-persistent one, and that “A-Z” is available when the VDI as well as the hypervisor and domain controller are all obtainable. Having the initial research done will help in many future endeavors as the technology becomes much more prevalent and more investigators come across virtual desktop environments. I’m excited to start digging into it; make sure to check back over the next 10 weeks to see my progress!


Please feel free to leave any comments as well and any insight on where you think this should go!