Thursday, July 25, 2013

VDI-in-a-Box Analysis Results

Despite the fact that my capstone thesis was complete over three months ago, it’s been a struggle to make this post.  That being said, hopefully this blog post doesn't appear too much like a paper, but it was pretty hard to avoid doing.  The full paper, as of right now, is not publically available, but hopefully will be some time in the near future.  Please reach out with any questions relating to the research, the subject, my process, or anything.

Although it was previously highlighted in my prior blog posts, I feel that it is necessary to outline the importance of this research again with a little more detail. 

Note: Clicking the pictures will enlarge them.  I formatted most easy enough to read, but some need enlarging.

Why is this important to us?

Technology is an ever-evolving creature.  In the world of digital forensics, attempting to keep up to speed with the constant changes is an absolute must.  Doing so will make not only for a better investigator, but a greater impact on the work that needs to be done.  With the recent boom in the terms “cloud computing” and “virtualization,” digital forensic examiners find themselves needing to immerse into a new era of the investigation age.  According to the State of SMB IT Report, written by Spiceworks, the trends in the adoption of virtualization and cloud computing have been on a constant rise.  Moving back to the first half of 2010, 44% of small to midsized businesses (SMB’s) were using virtualized products.  Progressing forward, it is estimated that nearly 79% of SMB’s will be using virtualized platforms, (Sweeney).

Figure 1: State of SMB IT Report, November 2012, Spiceworks (Source: Sweeney)

With such a dramatic increase in the implementation of virtualized software, it is extremely pertinent that digital forensic investigators begin to understand the logic of the systems and what evidence can be found on them.

Two of the most common companies that investigators will see in practice are VMware and its patented VMware Workstation, as well as Citrix and its XenDesktop and VDI-in-a-Box platforms.  The low long-term cost of these products allow for small and large companies alike to implement and maintain these technologies.  According to Phil Hochmuth of Forbes, “Providers of VDI technology say their systems can save between 30% and 50% of the current cost for IT administrators to manage, patch, upgrade and support employees' PCs in a client/server environment. By some estimates, this could cut the annual per-desktop support cost from around $530 to $376--a savings which can add up for the larger the organization,” (Hochmuth).  With an increased return on investment, companies that deploy VDI’s will quickly advertise and transition partner companies to similar technologies. 

Unfortunately with all good comes some bad and implementation of cloud computing is no different.  As virtualization becomes more prevalent in business practice, malicious code and malware will quickly take a turn towards attacking cloud computing.  “Attackers will go where users go, so it should come as no surprise that mobile platforms and cloud services will be high-risk targets for attacks and breaches in 2013. The rapid rise in malware on Android in 2012 confirms this,” (Powledge).  As attackers move towards cloud services and online platforms, it becomes more necessary to not only secure them better, but to be able to analyze and examine what happened after an attack and where vulnerabilities lie.  According to Symantec, “the median cost of downtime for an SMB is $12,500 per day,” (Powledge).  If a small sized business can lose this much money while being down for such a short period of time, imagine the ramifications if a large company like Amazon was hit for even two hours.  It simply cannot be overstated enough; digital forensic examiners must be prepared for this to happen as it is inevitable.

So, what are virtual desktop environments?

A Virtual Desktop Infrastructure is simply cloud computing.   Virtualization changes the information technology work place.  Desktops and workstations can be set up, configured, and dispersed in merely minutes instead of hours or days.  Costs are reduced after initial investment while security and machine integrity are increased.  The user experience becomes easier than before, allowing for employees to remotely connect and work from anywhere.  Centralized storage provides administrators and incident responders with a plethora of information at their fingertips in the event of an emergency or breach.

An extremely popular company in the VDI business is Citrix.  Through their products of XenDesktop, XenApp, and VDI-in-a-Box, Citrix has emerged as a forerunner, and major companies all over are  to use their products.  According to Eric Savitz of Forbes in his article entitled Citrix Shares Rally As Q4 Results Crush Street Estimates, “the enterprise software company posted revenue of $740 million, up 19% from a year ago, and ahead of the Street consensus at $705.7 million,” (Savitz).  It’s rather clear by these numbers that the investment into cloud computing is booming and that all sizes of companies are transitioning.  Citrix is among the top in VDI providers, and as such, is the focal point of this research.

Now we understand why this is important and what they are, so what am I doing?

VDI-in-a-Box is a unique toolset that provides a network administrator with all of the tools necessary to deploy a VDI to a business.  Through the use of only a few physical machines, VDI-in-a-Box can be successfully setup and running in a very short time.  Considering small to midsized businesses are the target audience for this product and that so many are making the transition already, VDI-in-a-Box version 5.2.0 is the software that is being analyzed. 

Figure 2: Citrix VDI-in-a-Box Version 5.2

How did I go about doing this then?

Acquisition of a Citrix Virtual Desktop Infrastructure required a great deal of trial and error.  Due to being unable to use some of the enterprise level tools because of licensing limitations, or the software not supporting remote imaging of a server, Windows Secure Copy (WinSCP) over port 22 was used to capture a live image.

The XenServer itself, being the physical hypervisor, was the primary target to acquire in hopes of finding all the virtual machines stored on it.  

Figure 3: XenCenter VM Pool

WinSCP is a program that gives a user a graphical user interface to the secure copy protocol and will allow a choice of what information to copy.  By entering a server address and administrative credentials, WinSCP will create a secure connection to a remote location allowing information to be viewed or duplicated.

Figure 4: WinSCP Login Prompt

Once logged into the server, WinSCP will provide the user with a side-by-side view of both the remote machine and the local machine.  At this point, the entirety of the server folder structure was copied over from the server in an attempt to create the closest to a logical image as possible. 

Figure 5: WinSCP File Transfer Session

It is important to note that multiple errors occurred while copying files and folders from the server to the examination machine.  These errors would cause the file being copied to fail and not copy successfully.  The errors would typically read either “Can’t create file…” or “…not a regular file.”

Figure 6: "Not a regular file" error message

Figure 7: "Can't create file" error message

Although there were errors on the transfer, it did complete successfully and allowed for examination of the drive.  The most important item for review were the virtual hard disks (VHD’s) that contained information relevant to the golden images as well as virtual machines that had been created.

Figure 8: Virtual Hard Disk Storage Location

These virtual hard disks are stored in a location determined during the initial setup, and in this project they were located at /var/run/sr-mount.  Each VHD is listed by a universally unique identifier (UUID).  These UUID’s can be related back to specific machines in different ways.  If access to the Citrix vdiManager is available, each virtual machines general properties will list its UUID.  This will be extremely helpful when working with personal desktops as the VHD’s will not be deleted, therefore finding the UUID through vdiManager would be a simple task.  When working with pooled desktops, however, the VHD files are destroyed after the machine is shut down.
Pooled virtual hard disks being destroyed was an obstacle that was easily overcome by the use of snapshots, thus the virtual hard disks are now not destroyed.  Much like VMware, Citrix allows for the use of snapshots.

Figure 9: XenCenter Snapshot View

Each of these snapshots will create two VHDs.  The user can determine which VHD’s are snapshots by a command via the XenServer command line.  From the root directory of the drive, the command xe vdi-list is-a-snapshot=true will prompt a list of all virtual hard disks that are snapshots.

Figure 10: XenServer Snapshot List by Command Line Instruction

The list of snapshots that is returned will provide the UUID of each snapshot, a label of the golden image that it was generated from, the storage repository UUID that is holding the snapshot, and the virtual size of the snapshot.  To verify that this command was accurately creating a list all snapshots, a new snapshot was taken and the command again was run again.  This appended a new entry to the end of the list, and also created two new VHD’s on the server.

Figure 11: New Virtual Hard Disk Creation

Figure 12: New Snapshot Verification

When using Citrix VM Protection and Recovery, two types of snapshots can be taken with three different scheduling options.  Disk-only snapshots can be taken that will “store the VM's disks (storage) and metadata. They are crash-consistent and can be performed on all VM types, including Linux VMs,” (Citrix EDocs).  Disk and memory snapshots are also available which will “save the VM's disks (storage), metadata, and its current memory state (RAM),” (Citrix EDocs).  Once the decision is made to either perform disk-only or disk and memory snapshots, the administrator must choose whether to do hourly, daily, or weekly snapshots.  In any event, the snapshot retention policy is limited to a maximum of 10 scheduled snapshots or until archived, automatically deleting the oldest one when this number is exceeded.

Figure 13: Citrix VM Protection and Recovery

A daily or weekly archive schedule can then be configured, independent from the scheduled snapshots, which will archive all scheduled snapshots to a remote location for storage.  Alternatively, all snapshots can be automatically archived if the administrator wishes.  When examining the archived virtual hard disks, each archive folder is given a specific name.  This naming convention will always be the VM name followed by the first sixteen characters of the UUID.  For example, if the VM name is Win7 and the UUID is 6a88edee-5b42-453a-a60d-4605c689f338, the archive folder will be Win7_6a88edee-5b42-45.  “This folder contains archived VM files, in the YYYYMMDD-HHMM.xva form,” (Citrix RSS).

Depending on how this is done, the investigator will need to link a user to a specific snapshot to alleviate the need to sift through what could be hundreds of snapshots.  One method would be to examine each virtual hard disk file individually.  Although this will take quite some time, it will still provide accurate results.  One benefit to this method is that no information will be overlooked in the event that the suspect was using another user account or username. 

On the domain controller with XenCenter installed, running the command “xe vm-list –s <server> -u <user> -pw <password>” provides a list of all virtual machines currently being run.  The virtual machine vdiManager_Xen is the interface that the administrator interacts with to initially configure the server, the machine that keeps activity logs, and the web portal that users must access in order to spawn a virtual desktop.

Figure 14: XenCenter Command Line VM List

Still being SSH connected into the XenServer, under the directory /var/run/nonpersistent/xenops/VM, the investigator can locate and view the configuration files for the vdiManager.  This will point to the virtual hard disk that retains these records.

Figure 15: vdiManager Configuration File

This configuration file will first list the same UUID found when the XenCenter command was used.  In the middle of the log is the VDI UUID, with the storage repository UUID being listed, followed by \/, and then the vdiManager’s UUID.  Within the /var/run/nonpersistent/xenops/VM directory are two files, vdb.xvda and vdb.xvdb.  The first of these (.xvda) will correspond this information again, linking the two UUID’s.

Figure 16: vdiManager Virtual Hard Disk Verification

Once this is achieved, examination of the virtual hard disks can begin.  The investigator should now be able to extract and examine the vdiManager machine as well as all of the snapshots that were taken.  Unfortunately, when examining a VHD in EnCase, it is not recognized as a normal operating drive and therefore does not have any form of folder structure.  Rather, it is all listed as unallocated and must be manually parsed.

What can I find from this?

There is a great deal of information that is recoverable from the XenServer.  Some of these files are relevant to the server itself and will depict information about the XenServer, while others reflect the vdiManager.  A plethora of virtual machine information is also recoverable as long as a snapshot is present.

XenServer Files

The first file of interest from the XenServer is xensource-inventory, located in /etc.  This file contains information related to the actual server itself and would be useful in an investigation.  The installation date of the server is recoverable, but more importantly, the primary disk and backup partition locations are located within this file as well. 

Figure 17: XenServer Disk and Installation Details

The next file of interest is located again in /etc and is the timezone file.  Considering time zones are extremely important to any forensic investigation, examining this artifact will be very helpful as it lists in plaintext the time zone that the server is set for.

Figure 18: XenServer Timezone Details

The last file pertaining to information from the server is the bash history.  Bash is a unix command-line interpreter, or shell, that will allow for a user to input commands and information into a system.  It is comparable to the Windows command line.  The bash history can be located at /root and is named .bash_history.

Figure 19: Bash History

vdiManager Files

When examining the vdiManager virtual hard disk, the investigator is capable of pulling all users that were associated to the drive, what templates the user was assigned to, the groups the user was a part of, the user’s ID in Citrix, and more. 

Figure 20: vdiManager User Entries

This VHD also contained logs in reference to the spawning of virtual machines, including the time and date that it was created.  The log will list the user that connected, the machine IP address that the connection originated from, the template the user logged in with, and the MAC address that the created virtual machine was given. 

Figure 21: vdiManager User Connection

Further investigation of these logs provides more information on user interaction with virtual machines, specifying when a user logged both in and out of a desktop, what IP address it was given, what template it was provisioned from, and what vdiServer it accessed. 

Figure 22: vdiManager Connection Log

This log file is also able to be obtained via the vdiManager web portal.  Within the admin menu is a View Audit Log function that provides an excel spreadsheet containing user activity.

Virtual Machine Files

The virtual hard disk files are the focal point of investigation when attempting to uncover information from non-persistent machines.  The non-persistent VHD’s will be destroyed when the reset policy is set, either at logout or on a schedule.  Due to this, snapshots of these hard disks are necessary to uncover potential evidence. 
Each virtual hard disk contains a header that points to its parent drive.  Although EnCase was listing these pointers at the beginning and making it relatively easy to navigate between, server-side verification of this was completed.  Running the command xe vdi-list params will provide a list of metadata about each virtual hard disk. 

Figure 23: VDI-List Parameters Command

This command can populate a list that will tell the user the UUID of the virtual disk, whether it is a snapshot or not, the time of the snapshot if one was taken, the number of snapshots taken, and the virtual hard disks parent.

Figure 24: Parent UUID Verification

By proving that the virtual disk with the UUID of b54cb669-f4e6-44a9-8b97-2038aa7ea7a2 has the parent with the UUID of 8edd0321-2f59-4fcb-9a1e-634fd5d68d37, the results being displayed by EnCase were verified and thus trustworthy.

Figure 25: EnCase Parent UUID Correlation to XenServer Verification

As previously mentioned, there are two virtual hard disk files associated with each snapshot.  The first of these disks is the identity disk, which will typically range up to sixteen megabytes and simply provides each VM with a unique identity.  The second disk, referred to as the difference disk, is “used to store any writes made to the VM.  The disk is thin provisioned (if supported by the storage) and will increase to the maximum size of the base VM if required,” (Feller). 

Figure 26: Disk Creation (Source: Feller)

Review of the identity disk yields just a pointer UUID to the difference disk associated with it.  The difference disk contains content from the virtual machine as well as a pointer to the golden image it was created from.  Although this is all shown as unallocated space and needs manual parsing, some very helpful artifacts remain and can be found. 
A virtual machine was created that had limited activity on it but with enough different items to look for.  The following table depicts the activity on the machine.

Visited using Internet Explorer (IE)
Visited using IE
Visited using IE
Ran MSPaint.exe
Saved a paint file – “findthis.png” to the desktop
Google search for “april fools jokes”
Saved file from website – xzibit_meme.png
Changed the file type of xzibit_meme.png to xzibit_meme.bmp
Created a file named Deleted Item and deleted it, removed it from the recycling bin
Changed file type of xzibit_meme.bmp to xzibit_meme.jpeg

Due to the disk being all unallocated space, the quickest way to determine if any information was still recoverable on the drive was by doing simple keyword searches.   Keyword searches were executed for the following phrases:
“”, “”, “”, “paint”, “paint.exe”, “findthis.png”, “findthis”, “efleisher”, “”, “april fools jokes”, “”, “deleted item”, “xzibit_meme”.
One of the most intriguing and important artifacts that was recovered were multiple entries from the Master file table (MFT).  These MFT entries contain accurate time stamps and accurate information in regards to the files that were created on the virtual machine. 

Figure 27: MFT Entry for "findthis.png" with accurate creation date

A search was done for the phrase “FILE0” as this is a typical indicator of a MFT record.  There were a total of 1457 hits in response to this keyword.  This is at least indicative of 1457 MFT entries being present on this virtual disk.  There were MFT entries present for each file and folder that was created on the machine which will at least provide information about some pertinent items on the machine.

Figure 28: Keyword results for MFT Entry Header "FILE0"

The keyword search for the phrase “april fools jokes” successfully pulled the Google search in plaintext from the unallocated space as well.

Figure 29: Retrieved Google Search

A keyword search was done with a username of “efleisher” to search for any data that may be relevant to what the user was doing on the computer.  Nearly two thousand hits responded containing information primarily relating to browsing history.  The data was in a plaintext readable format, with results being displayed in similar format to “”. 

Figure 30: User Activity via Username Search

This data provides the investigator with insight into the users browsing history.  By manually parsing these entries, the investigator is able to ascertain when the username was accessing certain websites.  These time stamps can be found prior to the website address.  It will be stored in little endian hex format  and will be eight bytes long. 

Figure 31: Internet History Timestamp Verification

Through keyword searches of websites that were visited, an entry was found that revealed each website that was browsed to.  The order that these websites were presented was in the reverse order that they were visited, with the last website browsed to being the first website listed in the entry.  It is potentially indicative of a file that contained all web browsing history, similar to an index.dat file.  Unlike most internet history entries, however, there were no records of potential timestamp information.

Figure 32: Complete Browsing History

With the previous findings presenting a plethora of internet history information, the next step was to try an automated tool.  Internet history tools will attempt to perform an automated acquisition of the internet history on a hard disk and present the findings to an investigator in an easy to read format.  Internet Evidence Finder v5 was able to successfully parse and extract internet history, including cookies, with accurate time stamps and user correlation.

Figure 33: Successful Internet Evidence Finder Parsing of VHD

Further research into web browsing artifacts provided HTML code for specific websites that were visited.  This code provides a plaintext view of some of the information that was on the webpage when it was visited by the user.

Figure 34: Plaintext HTML Code of Webpage

An important and common artifact that is looked at in a forensic investigation is deleted items.  A deleted item can mean many things to an investigator, such as an attempt to hide information, an attempt at removing evidence, or perhaps merely an attempt at removing clutter.  Both data recovery and forensic investigations frequently deal with deleted items, thus making the ability to recover them a desirable skill. 

During this research, a text file was created named deleted item.  This item was created on April 1st, 2013 at 6:13:07pm and immediately deleted afterwards at 6:13:20pm.  The keyword search for this particular artifact provided multiple hits, including accurate timestamps for the file creation time.

Figure 35: Accurate Timestamp of Deleted Item Creation Time

When a file is deleted on a Windows machine, it creates two files in the recycling bin that are associated with it.  These files are known as “$I” and “$R” files.  The $I file will contain the original name and path of the file, along with its deletion date.  The $R file will retain the actual data of the file.  When examining the evidence near the location to the original file, the investigator will find references to $I and $R files associated with the deleted item.

Figure 36: Discovery of Deleted Item as well as $I and $R files

In order to recover the deletion time of the file, it is necessary to obtain the creation time of the $I and $R files.  This timestamp can be recovered by moving twenty bytes prior to the $ symbol and then obtaining the previous eight bytes prior to that.  If done correctly, these eight bytes can be decoded in little-endian format to produce the created time of both $I and $R files, therefore the deletion time of the original file.

Figure 37: Accurate Timestamp of Deleted Item Deletion Time

Perhaps the most interesting piece of evidence left behind on the virtual hard disk was the resemblance to a timeline of system activity.  An entry within the virtual hard disk depicted a chain of events that occurred on the hard drive, including website visits, usernames, applications opening, files being created, and a list of some of the values that would have been updated on a system during the activity that occurred.

Figure 38: Entry reflecting Timeline of Events

What would you recommend my company to do?

Analysis of a Citrix Virtual Desktop Environment requires a fair amount of setup behind the scenes in order for it to be accomplished successfully.  Without the presence of snapshots, an investigator would be hard pressed in finding any information that occurred on a pooled virtual machine.  Although network monitoring tools could be put in place that would monitor everything that occurs, these options are often very costly and can still miss important artifacts.  For a SMB or large business that is implementing a VDI, it would be recommended that snapshots be scheduled of at least the hard disk.  Depending on storage available, if both disk and memory snapshots are capable, more information would be recoverable.  This type of snapshot would require high quantities of storage.   

Through implementation of snapshots and with appropriate administrative access, an investigator is able to manually parse through virtual hard disk files that the Citrix VDI-in-a-Box maintains.  User information such as web history, created files and folders, opened programs, Google searches, passwords, deleted items, and master file table entries are all recoverable.  This information may not be everything that is needed to crack the case, but it is surely a huge stepping stone into uncovering more information and perhaps even the “smoking gun.”

When looking at the vdiManager virtual hard disk, the investigator is able to obtain information about when a user is logging into a virtual desktop.  Using this and information from the domain controller, further research needs to be done to be able to successfully link a specific user to a given UUID.  Doing this will allow for the investigator to not need to sift through hundreds of hard drives for information, and instead  have immediate access to which snapshots are linked to which users.  Doing so will provide for a streamlined investigative process in both acquisition and analysis.  Although this is just the tip of the iceberg, there is without a doubt much more information that can be uncovered.  While access to these servers and machines are no longer available, I hope to someday expand this research, or at least see another professional take what has already been done and expand upon it to allow for even more thorough analysis of Citrix VDI’s in the future.

"Citrix XenServer ® 5.6 Feature Pack 1 Administrator's Guide." Citrix RSS. Citrix, 24 Mar. 2011.

“Create the First Windows Image." Citrix EDocs. Citrix, 12 Feb. 2013. Web.

"Create a VM Protection Policy." Citrix EDocs. Citrix, 26 Nov. 2012. Web.

Feller, Daniel. "Machine Creation Services Primer – Part 1." Citrix Blogs. Citrix, 28 June 2011.

Hochmuth, Phil. "The Benefits Of Virtual Desktops." Forbes. Forbes Magazine, 12 Jan. 2010.

"Internet Evidence Finder." Magnet Forensics. N.p., n.d. Web.

"Master Boot Record." Master Boot Record. Microsoft TechNet, n.d. Web.

"NTFS Master File Table (MFT)." NTFS Master File Table (MFT). N.p., n.d. Web

Powledge, Tom. "Top 7 SMB Information Protection Predictions for 2013." Endpoint, Cloud,
Mobile & Virtual Security Solutions. Symantec, 4 Dec. 2012. Web.

Savitz, Eric. "Citrix Shares Rally As Q4 Results Crush Street Estimates." Forbes. Forbes Magazine,
30 Jan. 2013. Web.

Sweeney, Brandon. "State of SMB IT Report – Equip Yourself with These Stats to Help Make
Vital IT Decisions." VMware SMB Blog. VMware, 20 Feb. 2013. Web.


  1. Nicely done Ethan. I need to read back through this and digest it a bit more. But I can see already it will give me a starting point to begin to investigate user activity in our thin-client XenDesktop environment at work. I'm looking forward to seeing your entire paper when you release it.

    FYI, Jon Rajewski turned me on to your research via the SANS DFIR mailing list.

  2. Thanks for the feedback, I'm glad my work was able to give you a greater insight into investigating this type of environment. There is without a doubt much more work to be done still, but please reach out to me if you come across anything that I may be able to help out with or if you have any questions about what my process.

  3. Great work not just with the idea of finishing the thesis but with the study itself. I'm sure a lot of students would be grateful for this post where they can gain excellent thesis ideas as they are having a hard time completing theirs. This could also motivate and inspire them that all the effort will just pay off.

  4. Hello Ethan,

    What's the next best tool to analyze the VHD files with besides ENcase?

  5. Hey there I am so happy I found your blog page, I really found you by mistake, while I was
    browsing on Bing for something else, Nonetheless I am here
    now and would just like to say thanks for a tremendous post and a all
    round exciting blog (I also love the theme/design), I don’t have
    time to go through it all at the minute but I have book-marked it and also
    added in your RSS feeds, so when I have time I will be back to read a great deal more, Please do keep up the fantastic jo.