The Rise of the Virtual Machines

October 20th, 2020 by Vladimir Katalov
Category: «Elcomsoft News», «GPU acceleration»

Criminals are among the most advanced users of modern technology. They learned how to hide information in their smartphones and how to encrypt their laptops. They communicate via secure channels. Their passwords never leak, and they do their best to leave no traces. Forensic investigators encounter new challenges every other day. In this article, we will discuss yet another tool used by the criminals to cover their traces: the encrypted virtual machine.

Introduction to virtual machines

Virtual machines use a portable, hardware-independent environment to perform essentially the same tasks as the actual computer. User activities performed inside a virtual machine leave trails mostly in the VM image files and not on the host computer, which naturally limits the number and severity of traces. Virtual machine analysis therefore becomes an important factor when performing digital investigations.

Some of the most popular virtual machines include VirtualBox, Parallels, and VMware. Microsoft offers Hyper-V as the built-in tool for creating virtual machines on Windows 10, but Hyper-V offers limited encryption options and requires Windows Server as the host OS. For this and other reasons, Hyper-V is rarely picked by criminals.

Virtual machine as a criminal tool

Many types of virtual machines used in the criminal world can be securely encrypted. Using an encrypted VM gives criminals an opportunity to cover their activities under a virtual umbrella, reducing the risks of an accidental leak of incriminating evidence.

Virtual machines in general offer multiple benefits, the main one being complete isolation from the normal working environment. This remains true even though several attacks, such as virtual machine escape, exist. On the other hand, a virtual machine delivers the complete desktop experience, tuned for whatever specific purpose the VM is used for. Most of those purposes are legitimate, including forensics:

When investigating the suspect’s computer, forensic specialists may not simply image the hard disk but build a fully featured virtual machine for further forensically sound live investigation, emulating the work of the real computer. This opens up many more possibilities, such as extracting data and passwords from memory or booting a forensic image in a virtual machine.

But of course, this is a double-edged sword. Criminals use virtual machines too, today more often than ever. It sounds like a neat idea: collect all the instruments required for their purposes, ready to launch a malware distribution or DDoS attack, compromise remote systems, etc. None of that is a fire-and-forget endeavor anymore: a lot of software, scripts and data are required. Would a malicious person carry all of that with them, especially when crossing a border? Not really.

Instead, they prepare everything they need, pack it as a virtual machine, upload the image to a fast and reliable hosting service, and carry a laptop with just the bare system. Once they arrive at their destination, they can quickly download the image, run it, and then delete it from the local drive.

A good story on this subject: Maze ransomware criminals go virtual to evade detection.

In the description above, I deliberately omitted a critical step. Like most data, virtual machine images can be password-protected. We were involved in about a dozen investigations where the suspect used multiple virtual machines protected with a password. In our work, we’ve been recovering the passwords manually by extracting the password hashes and then recovering them with our tools. Today, we decided to add this feature to Distributed Password Recovery.
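Because the traces of VM use sit mostly in the image files on the host, the first triage step in an investigation is to find those files and establish which of them are encrypted before any hash extraction is attempted. The script below is an added example, not Elcomsoft code and not part of the original article: it walks a directory tree, reports VMware, VirtualBox and Parallels artifacts by extension, and flags configurations that appear encrypted. The encryption markers it looks for (the `encryption.keySafe`/`encryption.data` entries in a VMware `.vmx`, the `CRYPT/KeyId`/`CRYPT/KeyStore` properties in a VirtualBox `.vbox`) are assumptions based on my understanding of those formats; the sample tree it builds is constructed data, not real images.

```python
"""Triage scan of a host filesystem for virtual-machine image artifacts.

Added example (not Elcomsoft code): locate VMware, VirtualBox and Parallels
files and flag configurations that look encrypted.  The encryption markers
are an assumption about the file formats, not something the article states.
"""
import os
import tempfile
from pathlib import Path

# Extensions typical of the three hypervisors named in the article.
VM_EXTENSIONS = {
    ".vmx": "VMware config",
    ".vmdk": "VMware disk",
    ".vmem": "VMware memory snapshot",
    ".vbox": "VirtualBox config",
    ".vdi": "VirtualBox disk",
    ".pvm": "Parallels VM bundle",
    ".hdd": "Parallels disk",
}

# Assumed markers: an encrypted VMware .vmx carries encryption.keySafe /
# encryption.data entries; an encrypted VirtualBox medium records
# CRYPT/KeyId and CRYPT/KeyStore properties in the .vbox XML.
VMX_ENCRYPTION_KEYS = ("encryption.keySafe", "encryption.data")
VBOX_ENCRYPTION_MARKERS = ('name="CRYPT/KeyId"', 'name="CRYPT/KeyStore"')


def config_is_encrypted(path):
    """True/False for a config file; None for disk and memory images, which
    carry no usable marker on their own (the config decides for them)."""
    path = Path(path)
    suffix = path.suffix.lower()
    if suffix not in (".vmx", ".vbox"):
        return None
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return None
    if suffix == ".vmx":
        # .vmx is key = "value" per line; only the key side is inspected.
        keys = (line.split("=", 1)[0].strip() for line in text.splitlines())
        return any(k in VMX_ENCRYPTION_KEYS for k in keys)
    return any(marker in text for marker in VBOX_ENCRYPTION_MARKERS)


def scan_for_vm_artifacts(root):
    """Walk `root` and return one record per VM artifact found."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Parallels keeps a VM as a .pvm directory bundle; record it as a unit
        # and do not descend into it.
        for d in list(dirnames):
            if d.lower().endswith(".pvm"):
                findings.append({"path": os.path.join(dirpath, d),
                                 "kind": VM_EXTENSIONS[".pvm"], "encrypted": None})
                dirnames.remove(d)
        for name in filenames:
            p = Path(dirpath) / name
            kind = VM_EXTENSIONS.get(p.suffix.lower())
            if kind is None:
                continue
            findings.append({"path": str(p), "kind": kind,
                             "encrypted": config_is_encrypted(p)})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree(root):
    """Constructed sample data (not real VM images) so the scan runs offline."""
    root = Path(root)
    (root / "vms" / "work").mkdir(parents=True)
    (root / "vms" / "work" / "work.vmx").write_text(
        '.encoding = "UTF-8"\nconfig.version = "8"\ndisplayName = "work"\n')
    (root / "vms" / "work" / "work.vmdk").write_bytes(b"KDMV" + b"\0" * 16)
    (root / "vms" / "hidden").mkdir()
    (root / "vms" / "hidden" / "hidden.vmx").write_text(
        '.encoding = "UTF-8"\ndisplayName = "hidden"\n'
        'encryption.keySafe = "vmware:key/list/(pair/(phrase/CONSTRUCTED..."\n'
        'encryption.data = "CONSTRUCTED-BASE64-BLOB"\n')
    (root / "vbox").mkdir()
    (root / "vbox" / "box.vbox").write_text(
        '<?xml version="1.0"?>\n<VirtualBox>\n'
        '<HardDisk uuid="{CONSTRUCTED-UUID}" location="box.vdi">\n'
        '  <Property name="CRYPT/KeyId" value="demo"/>\n'
        '  <Property name="CRYPT/KeyStore" value="CONSTRUCTED"/>\n'
        '</HardDisk>\n</VirtualBox>\n')
    (root / "vbox" / "box.vdi").write_bytes(b"<<< Oracle VM VirtualBox Disk Image >>>\n")
    (root / "parallels" / "mac.pvm").mkdir(parents=True)
    (root / "parallels" / "mac.pvm" / "config.pvs").write_text("<ParallelsVirtualMachine/>")
    return root


def demo():
    """Scan the constructed tree, print a report and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = scan_for_vm_artifacts(build_sample_tree(tmp))
        for f in findings:
            rel = os.path.relpath(f["path"], tmp)
            print(f"{f['kind']:<24} encrypted={str(f['encrypted']):<5} {rel}")
    return findings


if __name__ == "__main__":
    demo()
```

Point `scan_for_vm_artifacts` at a mounted forensic image instead of the constructed tree to use it for real; disk and memory files are reported with `encrypted=None` because their protection is decided by the accompanying configuration, which is where the hash material for a password-recovery attempt would come from.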

Further analysis

Once the virtual machine is unlocked, there is quite a lot of work ahead; see Computer Forensics: Forensic Issues With Virtual Systems. [Case Study] Computer Forensics: How To Forensically Extract Evidence Data From A Virtual Machine is another good source.

If the virtual machine carries a second layer of protection (e.g. a Windows account password and/or BitLocker), use Elcomsoft System Recovery. Once you are in, the first thing I recommend running is Elcomsoft Internet Password Breaker to collect all passwords saved in the Web browsers. If you encounter more encrypted files, remember: we have a tool for that!

REFERENCES:

Elcomsoft Desktop Forensic Bundle

A complete suite of ElcomSoft password recovery tools allows corporate and government customers to unprotect disks and systems and decrypt files and documents protected with popular applications. The password recovery suite features the latest and most advanced cryptanalysis algorithms developed by the ElcomSoft Research department.

Elcomsoft Desktop Forensic Bundle official web page & downloads »


Elcomsoft Distributed Password Recovery

Build high-performance clusters for breaking passwords faster. Elcomsoft Distributed Password Recovery offers zero-overhead scalability and supports GPU acceleration for faster recovery. Serving forensic experts and government agencies, data recovery services and corporations, Elcomsoft Distributed Password Recovery is here to break the most complex passwords and strong encryption keys within realistic timeframes.

Elcomsoft Distributed Password Recovery official web page & downloads »


Elcomsoft Premium Forensic Bundle

Every tool we make in a deeply discounted value pack. The complete suite of ElcomSoft password recovery tools allows corporate and government customers to extract data from mobile devices, unlock documents, decrypt archives, break into encrypted containers, and view and analyze evidence. The password recovery suite features the latest and most advanced cryptanalysis algorithms developed by the ElcomSoft Research department, while the mobile forensic tools enable access to critical evidence stored in physical devices, local backups and cloud services.

Elcomsoft Premium Forensic Bundle official web page & downloads »