Like many of you, we work very hard to set up and maintain our forensic lab, in particular storage, software, hardware and security. We've learned a lot and would like to share some of it. After testing VMware, KVM, Xen and VirtualBox, we settled on VirtualBox as the best virtualization solution for our environment. Our forensic workstations have 8GB of RAM and a couple of processors. Below are my step-by-step directions for creating a Windows Server 2008 R2 (64-bit) guest on Ubuntu 10.04 headless (i.e. without needing a GUI on the host).
Create VM
First we create a blank VM:
VBoxManage createvm --name Win2008SvrR2 --ostype Windows2008_64 --register
Add options, including full hardware virtualization support (the online VirtualBox manual is indispensable). One caveat before you enable VRDP: it performs no authentication by default (--vrdpauthtype null), so anyone who can reach port 3390 on the host gets the guest console. Firewall that port down to the machines you administer from, or tunnel it over SSH.
VBoxManage modifyvm Win2008SvrR2 --memory 4096 --acpi on --boot1 dvd --nic1 bridged --usb on --usbehci on \
    --vrdp on --vrdpport 3390 --clipboard bidirectional --pae on --hwvirtex on --hwvirtexexcl on --vtxvpid on \
    --nestedpaging on --largepages on
Setup bridge to eth0
VBoxManage modifyvm Win2008SvrR2 --bridgeadapter1 eth0
Add an IDE controller (other options exist, such as SCSI and SATA; IDE seems to be the most used)
VBoxManage storagectl Win2008SvrR2 --name "IDE Controller" --add ide
Create and register the hard drive (a 20000 MB .vdi)
VBoxManage createvdi -filename "/opt/vbox/HardDisks/win2008svrR2.vdi" -size 20000 -register
Attach hdd to VM
VBoxManage storageattach Win2008SvrR2 --storagectl "IDE Controller" --port 0 --device 0 --type hdd --medium /opt/vbox/HardDisks/win2008svrR2.vdi
Attach DVD to VM (upload your OS installation .iso to the host machine first)
VBoxManage storageattach Win2008SvrR2 --storagectl "IDE Controller" --port 1 --device 0 --type dvddrive --medium ~/win2008svr.iso
Start the VM and install the OS (run this inside screen so the VM is not killed when your SSH session ends or you detach)
VBoxHeadless -startvm Win2008SvrR2 -p 3390 &
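The steps above, collected into one script so that a failed VBoxManage call aborts the build instead of leaving a half-configured VM. This is an added example, not the post's own commands: it assumes the VirtualBox 3.2 command line used here, that the host's modifyvm accepts --vrdpaddress, and it uses createhd --remember in place of createvdi -register. It also binds the VRDP console to loopback rather than the LAN, for the reason given under the modifyvm step.

```shell
#!/bin/sh
# Added example (not the post's own commands): the VM creation steps above
# collected into one function that aborts on the first failed VBoxManage call.
# Assumes the VirtualBox 3.2 command line used in the post; --vrdpaddress is
# assumed to be accepted by the host's modifyvm.
set -eu

VBOXMANAGE="${VBOXMANAGE:-VBoxManage}"   # override with VBOXMANAGE=echo for a dry run
vbm() { "$VBOXMANAGE" "$@"; }

# create_forensic_vm NAME INSTALL_ISO DISK_VDI [BRIDGE_IF] [VRDP_PORT]
create_forensic_vm() {
    name=$1; iso=$2; disk=$3; bridge=${4:-eth0}; vrdp_port=${5:-3390}

    vbm createvm --name "$name" --ostype Windows2008_64 --register

    # VRDP authenticates nobody by default (--vrdpauthtype null), so bind the
    # console to loopback and reach it over an SSH tunnel instead of the LAN.
    vbm modifyvm "$name" --memory 4096 --acpi on --boot1 dvd \
        --nic1 bridged --bridgeadapter1 "$bridge" \
        --usb on --usbehci on \
        --vrdp on --vrdpport "$vrdp_port" --vrdpaddress 127.0.0.1 \
        --clipboard bidirectional \
        --pae on --hwvirtex on --hwvirtexexcl on --vtxvpid on \
        --nestedpaging on --largepages on

    vbm storagectl "$name" --name "IDE Controller" --add ide
    # --remember registers the new disk, like createvdi -register in the post.
    vbm createhd --filename "$disk" --size 20000 --remember
    vbm storageattach "$name" --storagectl "IDE Controller" --port 0 --device 0 \
        --type hdd --medium "$disk"
    vbm storageattach "$name" --storagectl "IDE Controller" --port 1 --device 0 \
        --type dvddrive --medium "$iso"
}

# start_vm NAME [VRDP_PORT]: boot the guest headless inside a detached screen
# session so it survives the SSH session that started it.
start_vm() {
    screen -dmS "vbox-$1" VBoxHeadless --startvm "$1" --vrdpport "${2:-3390}"
}

# Usage: sh create-vm.sh --create Win2008SvrR2 ~/win2008svr.iso /opt/vbox/HardDisks/win2008svrR2.vdi
if [ "${1:-}" = "--create" ]; then
    shift
    create_forensic_vm "$@"
    start_vm "$1"
fi
```

Because the VRDP listener is on 127.0.0.1, connect with an SSH port forward (ssh -L 3390:127.0.0.1:3390 host) and point the RDP client at localhost; the console is then never reachable from the evidence network at all.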
Install VBox Additions
To get shared folders, better video and mouse integration you need to install the Guest Additions inside the guest. (USB passthrough does not come from the Additions; it needs the PUEL edition of VirtualBox on the host, see below.) Download the Additions ISO that matches your host's VirtualBox version (the 3.2.8 host shown later in this post wants the 3.2.8 ISO), register it, and swap it into the DVD slot in place of the installation ISO. The commands below assume you run wget from your home directory:
wget http://download.virtualbox.org/virtualbox/3.2.0/VBoxGuestAdditions_3.2.0.iso
VBoxManage registerimage dvd ~/VBoxGuestAdditions_3.2.0.iso
VBoxManage storageattach Win2008SvrR2 --storagectl "IDE Controller" --port 1 --device 0 --type dvddrive --medium ~/VBoxGuestAdditions_3.2.0.iso
The DVD should now be mapped in the guest; double-click it to autorun the installer.
Add shared folders
Make sure Windows guest OS is shutdown.
VBoxManage sharedfolder add Win2008SvrR2 --name "mnt" --hostpath "/mnt" --readonly
VBoxManage sharedfolder add Win2008SvrR2 --name "ahoog" --hostpath "/home/ahoog"
Start the VM in screen as detailed above; the folders appear in the guest as UNC shares under \\VBoxSvr (e.g. \\VBoxSvr\mnt). Keep evidence mounts such as /mnt --readonly so nothing running in the guest can alter the source images; only your working folder needs to be writable.
Add usb device filter to headless VirtualBox guest
Provided you have the Guest Additions installed and are using the PUEL version, you can connect USB devices to your guest OS (the guest must be powered off while you set this up). After some Google work, I came across this article which had the magic (much thanks). Here are the steps:
Add usbusers group
sudo addgroup usbusers
Add each user to new group
Then add each local user that might run VirtualBox to the usbusers group:
sudo usermod -a -G usbusers ahoog
Determine attached USB device info
Then run the following to determine the specifics of the USB device you want to attach:
VBoxManage list usbhost
ahoog@linux-wks-003:~$ VBoxManage list usbhost
Oracle VM VirtualBox Command Line Management Interface Version 3.2.8
(C) 2005-2010 Oracle Corporation
All rights reserved.

Host USB Devices:

UUID:               b1c23004-db71-49ec-b5cb-348e2038b409
VendorId:           0x0781 (0781)
ProductId:          0x554f (554F)
Revision:           2.0 (0200)
Manufacturer:       Best Buy
Product:            Geek Squad
SerialNumber:       153563119AC07CAD
Address:            sysfs:/sys/devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.5//device:/dev/bus/usb/002/004
Current State:      Busy
Create the filter (the VM we created is Win2008SvrR2, so target that; a vendor/product pair matches every device of that model, so add --serialnumber 153563119AC07CAD if you want the filter to capture only this one stick):
VBoxManage usbfilter add 0 --target Win2008SvrR2 --vendorid 0781 --productid 554F --name "Geek Squad" --active yes
Ensure USB is enabled:
VBoxManage modifyvm Win2008SvrR2 --usb on
And then power on the guest.
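The device lookup and filter creation above, as an added example (not from the original post): it picks a device out of the "VBoxManage list usbhost" listing by serial number instead of by eye, and creates a filter that names vendor, product and serial, so that another stick of the same model cannot match it. The listing is a constructed sample: the first device is copied from the output shown above, the second is made up to show that the right block is selected. VBOXMANAGE and DRY_RUN are names introduced here.

```shell
#!/bin/sh
# Added example, not from the original post: pick one USB device out of
# "VBoxManage list usbhost" by its serial number and create a filter that
# names vendor, product AND serial, so a different stick from the same
# vendor cannot match it.
set -eu

VBOXMANAGE="${VBOXMANAGE:-VBoxManage}"
vbm() { "$VBOXMANAGE" "$@"; }

# usb_ids_for_serial SERIAL  (listing on stdin)
# Prints "VENDORID PRODUCTID STATE" for the device with that serial, nothing
# if it is absent. The hex IDs are taken from the "(0781)" form, which is
# what usbfilter add expects.
usb_ids_for_serial() {
    awk -v want="$1" '
        BEGIN { RS = ""; FS = "\n" }   # one blank-line-separated block per device
        {
            vid = ""; pid = ""; serial = ""; state = ""
            for (i = 1; i <= NF; i++) {
                line = $i
                if (line ~ /^VendorId:/) {
                    match(line, /\([0-9A-Fa-f]+\)/)
                    vid = substr(line, RSTART + 1, RLENGTH - 2)
                } else if (line ~ /^ProductId:/) {
                    match(line, /\([0-9A-Fa-f]+\)/)
                    pid = substr(line, RSTART + 1, RLENGTH - 2)
                } else if (line ~ /^SerialNumber:/) {
                    sub(/^SerialNumber:[ \t]*/, "", line); serial = line
                } else if (line ~ /^Current State:/) {
                    sub(/^Current State:[ \t]*/, "", line); state = line
                }
            }
            if (vid != "" && serial == want) { print vid, pid, state; exit }
        }'
}

# add_usb_filter VMNAME FILTERNAME VENDORID PRODUCTID SERIAL
add_usb_filter() {
    vbm usbfilter add 0 --target "$1" --name "$2" \
        --vendorid "$3" --productid "$4" --serialnumber "$5" --active yes
}

# Constructed sample listing: first device copied from the post, second made up.
SAMPLE_USBHOST='Host USB Devices:

UUID:               b1c23004-db71-49ec-b5cb-348e2038b409
VendorId:           0x0781 (0781)
ProductId:          0x554f (554F)
Revision:           2.0 (0200)
Manufacturer:       Best Buy
Product:            Geek Squad
SerialNumber:       153563119AC07CAD
Address:            sysfs:/sys/devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.5//device:/dev/bus/usb/002/004
Current State:      Busy

UUID:               0a1b2c3d-0000-4000-8000-000000000001
VendorId:           0x046d (046D)
ProductId:          0xc52b (C52B)
Revision:           12.1 (1201)
Manufacturer:       Logitech
Product:            USB Receiver
SerialNumber:
Address:            sysfs:/sys/devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.3//device:/dev/bus/usb/002/003
Current State:      Available
'

# For real use replace the sample with:  ids=$(vbm list usbhost | usb_ids_for_serial SERIAL)
ids=$(printf '%s\n' "$SAMPLE_USBHOST" | usb_ids_for_serial 153563119AC07CAD)
[ -n "$ids" ] || { echo "device not found in usbhost listing" >&2; exit 1; }
set -- $ids   # VID PID STATE
echo "device $1:$2 is currently $3"
# "Busy" means the host has already claimed the device (typically automount);
# the filter still takes it on the next plug-in or VM start.
if [ "${DRY_RUN:-1}" = 1 ]; then
    (VBOXMANAGE=echo; add_usb_filter Win2008SvrR2 "Geek Squad" "$1" "$2" 153563119AC07CAD)
else
    add_usb_filter Win2008SvrR2 "Geek Squad" "$1" "$2" 153563119AC07CAD
fi
```

Run it as-is to see the usbfilter command it would issue; run with DRY_RUN=0 to apply it. On a forensic host the "Busy" state is worth a second look before you pass the device through: it usually means the host automounted the stick, and an evidence drive should not be mounted read-write by the host at all.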
Conclusion
I plan on writing a more detailed and explanatory guide for Digital Forensics Magazine (DFM), a newcomer to the forensics magazine/journal space. Tony and Roy (and all the authors) have done a great job with the magazine and I recommend you check it out. So stay tuned for updates; I will link to the article when it is available. I also want to link to some articles (Blog-Ga-Jim and Howto Forge) which I referenced as I started setting things up. Finally, if you have any helpful experiences to share, especially with regards to forensics and virtualization, please leave a comment.