Forensics - scan guest OS (WinXP) and files from host OS (Win7 64) using VMWare Player or VirtualBox

1

I have a Windows XP laptop that was infected with a virus; the virus was removed but network connectivity was jacked up. I boot to Ubuntu from a USB key to move files between the system and the network. I also used the VMWare converter to convert the system into a virtual machine which I've now got running on a Windows 7 64 bit host. The VM is pretty locked down; I don't want to give it access to the network or resources on the host in case there is undiscovered malware on the system. I'd like to be able to access the guest virtual hard drive from the host and scan it, and once that's done, be able to move files out of the virtual environment from the host.

Is there a way to safely access the guest virtual hard drive from the host using VMWare Player or VirtualBox? I've got the tools installed from the guest OS under Player.

Also - is there a better way of archiving and analyzing an existing system than this method? Purpose is more to be able to have a controlled environment for diagnosing various types of malware rather than having a bit for bit identical archive of the source. I want to be able to turn on network on the guest OS and route it through a sniffer to understand how the exploits work.

To recap what I'm looking for:
1) Immediate solution to be able to access the VM hard drive just like I can access the physical system from Ubuntu running from USB drive to move files around.
2) Be able to scan the virtual drive with virus scanning tools on the host.
3) Long term, come up with a technique for safely analyzing compromised systems.

Thanks!

dr3x

Posted 2010-12-18T19:36:23.960

Reputation: 121

Answers

2

Safely is a hard thing.

Remember, all viruses are not harmful until executed, so as long as you don't run anything (and for safety, don't even use Windows Explorer, as clicking on a file can generate a preview and it is technically possible to execute a virus - if the viewing program has a vulnerability).

For Linux, follow this guide - you can extract and get the tools needed to mount a VMWare hard drive (.VMDK file) to the local file system. You can then use any virus scanner and scan it as if it is a local file.

For future use, I would personally either use a dedicated machine that is for this task, or set up a new VM and install everything as normal including the anti virus, and then you can just add additional virtual hard drives (or physical using USB pass through) and scan from a VM.

Hope this helps.

William Hilsum

Posted 2010-12-18T19:36:23.960

Reputation: 111 572

Thanks Wil, good to know that I can access VMDK also, but if I just wanted to be able to access the drives from Linux I could do that from within Ubuntu when I boot to it from USB. I'm not familiar with Linux based scanners targeting Windows viruses; do you have any recommendations? ClamAV comes up in a search. – dr3x – 2010-12-21T00:25:31.590

ClamAV is the only one I know of as well! – William Hilsum – 2010-12-21T01:46:24.953

0

On Windows you can mount VMDKs as well and then you can run a scan with any antivirus you might already have on the host system.

You should find vmware-mount in the VMware folder under Program Files.

vmware-mount [driveletter:] [path-to-vmdk] [options]

Robert Ivanc

Posted 2010-12-18T19:36:23.960

Reputation: 608
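Both answers come down to the same procedure: expose the guest's VMDK to a clean host, mount it so nothing on it can be written or executed, and scan it with a host-side scanner. As an added example that is not from any answer in this thread, here is a Linux-host version of that procedure using qemu-nbd, ntfs-3g and ClamAV (the scanner named in the comments); the tool choice, the device and mount paths, and the assumption that the XP system volume is the first partition are all mine, not the thread's.

```shell
#!/bin/sh
# Mount a VMDK read-only on a Linux host and scan it with ClamAV.
# Assumed tools (not named in the thread): qemu-nbd (qemu-utils), the nbd
# kernel module, ntfs-3g and clamscan. Run as root with the VMDK path as $1.
set -e

NBD_DEV="${NBD_DEV:-/dev/nbd0}"   # assumed free nbd device
MNT="${MNT:-/mnt/suspect}"        # assumed mount point

# Options that keep the guest filesystem inert while mounted:
# ro = the host cannot alter the evidence,
# noexec/nosuid/nodev = nothing on it can run or act as a device node.
hardened_opts() { printf '%s' 'ro,noexec,nosuid,nodev'; }

# Check an option string (fourth field of /proc/mounts) for every hardening
# option; returns 0 only if all four are present. Pure function, testable.
opts_are_hardened() {
    for want in ro noexec nosuid nodev; do
        case ",$1," in
            *,"$want",*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Live mount options of a mount point, as the kernel reports them.
mount_opts() { awk -v mp="$1" '$2 == mp { print $4 }' /proc/mounts; }

cleanup() {
    umount "$MNT" 2>/dev/null || true
    qemu-nbd --disconnect "$NBD_DEV" >/dev/null 2>&1 || true
}

main() {
    vmdk="$1"
    trap cleanup EXIT
    modprobe nbd max_part=8
    mkdir -p "$MNT"
    # Expose the VMDK as a block device, read-only at the device layer as well.
    qemu-nbd --read-only --connect="$NBD_DEV" "$vmdk"
    # Assumption: the XP system volume is partition 1 of the guest disk.
    mount -t ntfs-3g -o "$(hardened_opts)" "${NBD_DEV}p1" "$MNT"
    # Verify the kernel actually applied the options before touching any file.
    opts_are_hardened "$(mount_opts "$MNT")" || { echo "mount not hardened" >&2; exit 1; }
    rc=0
    clamscan -r --infected "$MNT" || rc=$?   # 1 = infections found, 2 = error
    return "$rc"
}

# Run only when a VMDK path is given, so the functions can be sourced alone.
[ "$#" -eq 0 ] || main "$@"
```

The script never opens or copies a file from the image before the scan has run, which addresses the preview-handler concern raised in the first answer; the exit status is clamscan's, so 1 means infected files were listed.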