Shulou(Shulou.com)06/02 Report--

Virtualization technology is more and more widely used, and in the domestic virtualization market, sales have grown into double digits in five years. For our forensics industry, there is also an urgent need to understand some virtualization-related knowledge. today, Meiya technical experts bring you forensic research on the use of Linux KVM virtualization technology.

What is KVM?

KVM, short for Kernel-based Virtual Machine, is an open source system virtualization module that has been integrated in major releases of Linux since Linux 2.6.20. It is managed by Linux's own scheduler and is easy to operate and easy to use. It is one of the mainstream virtualization solutions in Linux system.

Creation of KVM virtual machine

You can create a KVM virtual machine by command or through a graphical management interface. Creating virtual fetching is not very helpful for forensics. However, when creating a virtual machine, we must confirm the location of hard disk files for forensics. Therefore, in order to visually display and understand the storage location of hard disk files, use the graphical interface here to demonstrate simply:

1. Use the command virt-manager or find "System Tools" in the desktop environment and open the hypervisor "Virtual Machine Manager". After running, the hypervisor is shown in the following figure.

2. Selecting New will pop up the New Virtual Machine dialog box shown in the following figure.

3. Set the relevant options according to your own needs, and the storage location of the hard disk file is set as shown in the following figure.

4. As you can see from the picture above, we can create new hard disk files or select existing hard disk files. Here we select the second item "select managed or other existing storage" and click "Browse" to browse, and the following dialog box pops up, which already shows the default hard disk file location.

5. We can choose to create a new volume "New Volume" or browse "Browse Local" locally, which can store the hard disk files in another location. As shown in the following figure, a 11111111 hard disk file is created in the tmp directory, and the file does not have a suffix, because linu does not have a suffix to identify the file type.

6, there are many hard disk file formats, the most commonly used is raw, qcow2, vmdk, different linux versions will be different, as shown in the following figure is the hard disk file format supported by ubuntu 16.04 version.

If the hard disk file storage directory is created by default in / var/lib/libvirt/images/

The above is the process of creating a virtual machine, the settings related to hard disk storage, and the virtual machine has been created successfully in the normal forensics process. how can we make sure that the created virtual machine hard disk files are stored there?

How does KVM collect evidence?

The most important thing for forensics is to extract the data stored in the virtual. How to confirm the location of data storage, how to obtain the relevant data, and then use forensics tools to analyze it?

1. How to confirm the storage location of KVM virtual machine files

Method 1: use the command to check the storage location of hard disk files

1. View the list of KVM virtual machines

[root@Bance ~] # virsh list-all

When the command runs successfully, you will get the following picture. As shown in the following figure, you can see that there are three virtual machines.

2. View the configuration file of the xp virtual machine

[root@Bance ~] # virsh edit xp

The command running into a function will be displayed as shown in the following picture.

The disk type option of the configuration file shown above defines the information related to the xp virtual disk text, and the / var/lib/libvirt/images/xp.img defined in source file is the storage path of the xp virtual hard disk.

3. We can confirm whether the hard disk file exists through "ll / var/lib/libvirt/images/", as shown in the following figure.

Method 2: use the graphical interface to view the file location of the hard disk

1. Use the command virt-manager or find "System Tools" in the desktop environment and open the hypervisor "Virtual Machine Manager", as shown in the following figure.

2. After opening the hypervisor, the following figure shows that three virtual machines can also be seen from the figure.

Double-click the xp virtual machine to open the following interface.

4. Select "Details" to check the details of the xp virtual machine.

5. To view the information about the hard disk files, just select the options related to disk, as shown in the following figure.

6. After confirming the location, download the corresponding files to the local forensics master for analysis.

Method 3: if you are familiar with the preparation documents, the evidence can be checked directly through the forensic master after the evidence is fixed.

By default, the configuration file is loaded and viewed in / etc/libvirt/qemu/, using the forensic master, as shown in the following figure:

How to export files, virtual machines, hard disk files

Method 1: if the evidence is fixed and the storage location of the hard disk file has been confirmed by configuring the file, you can directly use the forensics master to export.

I think we are all familiar with the use of the master of forensics, so I won't repeat it here.

Method 2: if the device is a large commercial platform, can not be fixed for server evidence, can only operate remotely, we can use tools such as FTP to download the files we need locally.

As shown in the figure below, use the Xftp tool to download the hard disk files we need.

3. How to analyze KVM hard disk files

After the file is exported, you can use forensics software such as forensics master to analyze directly. At present, forensics masters can support * .img and * .qcow2 format forensics analysis.

Summary: with a wide range of virtualization applications today, forensics of virtualization solutions is also a situation that may be encountered in our work. What we share with you today is also the results of personal research, which cannot cover all the problems encountered in forensics. Just like KVM virtualization solutions, different linux systems will have some differences. If you encounter situations that require forensics, do not do so step by step, you need to integrate them according to the actual situation.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.