Virtual Appliances forensic - Part1

In the last months I've been most busy exploring virtualization security issues, which anyway I'm going to present at CONFidence and IT Underground Warsaw in a couple of weeks. However, I wanted to share with you an interesting piece of information I've uncovered while exploring some common virtual appliances.

As you surely know, it's really, really hard to make sure that a file is gone from your file system. You have to remove every reference, every tiny bit of information, or it might be uncovered: data structures, actual data left on the disk, backups of the data structures and so on. File System forensics is concerned with precisely this matter, and forensic software are capable of doing wonders when it comes to recovering deleted that from disks.

Well, the same is true for virtual appliances. While some vendors might decide that it's worth cleaning up and shrinking the disk before shipping virtual appliances, most will not. As a result, you can find gold inside those disks: setup scripts, configuration and installation stuff and all sort of "backend knowledge". This is quite hard to extract from actual machines, which are often disk-imaged and quite hard to reach with traditional tools (some are missing cd roms, for instance, and vendors do not really like you opening up their boxes). However, with virtual appliances it's really really easy to do so.

An example? VMware Studio virtual appliance, the virtual appliance which should be used to build other virtual appliances, has got references of the internal deb repository used to install the - custom - VMware Studio software on it, and traces of the actual debian packages as well.

More data on VA security in the near future, likely after my talk!

3 comments:

  سما احمد

September 12, 2015 at 3:58 AM

This comment has been removed by a blog administrator.
  سما احمد

September 12, 2015 at 3:58 AM

This comment has been removed by a blog administrator.
  سما احمد

September 12, 2015 at 3:58 AM

This comment has been removed by a blog administrator.