Saturday, April 9, 2011

DDoS on LiveJournal - turning crisis into opportunity.

Developing an effective incident response procedure is crucial to minimising the impact of a security breach or DDoS attack. A good incident response plan not only helps secure the impacted infrastructure, but can also increase customer loyalty. The recent DDoS attack on LiveJournal clearly called for public relations techniques, which did not appear to be applied in time.

In the absence of information, the rumour mill will take over. Instead, an immediate and honest statement should clarify the known details, and that information should be updated frequently. The organisation must demonstrate commitment, and this will be appreciated by its customers. Where certain information cannot be released, it is important to offer an explanation. By doing this the organisation appears responsive and cooperative even if not a great deal of information has been released.

The organisation must also educate all employees on the use of social media during the crisis and monitor Twitter, MySpace, Facebook and other social sites. Tracking and quickly responding to the relevant conversations should help uncover and defuse any potential crises in the making.

While no organisation is immune to similar incidents, such an incident does not necessarily have to turn into a disaster.

Saturday, April 2, 2011

Accessing VMFS partitions

VMware VMFS is the VMware Virtual Machine File System, which is used by VMware ESX and ESXi servers to store virtual machine disk images (.VMDK) and snapshots. VMDK (Virtual Machine Disk) files are the equivalent of real hard drives, except that they are virtual. Many forensic tools, including EnCase, can analyse VMware (.vmdk) data files or mount them (FTK Imager, Mount Image Pro etc.). The problem is getting the VMDK files out of VMFS without ESX or ESXi infrastructure. There are several solutions to this problem.

The Open Source VMFS Driver was written by fluidOps in Java; it is free and allows read-only access to files located on VMFS partitions from many operating systems, including Windows. Java version 6 is required to run it. All you need is to mount the E01 image containing the VMFS partition with your favourite tool. I used to love Mount Image Pro and Smart Mount, but people change. I am using FTK Imager v3 now for obvious reasons; it doesn't cost me anything and there is no pain with dongles or registrations.


Running the following command should get you into the partition via the WebDAV interface:

C:\vmfs_r95>java -jar fvmfs.jar \\.\PhysicalDrive4 webdav

Next, navigate to http://localhost:50080/vmf and you should see the VMDK files you were after.
Correction: I forgot to put an "s" at the end of the above address. The correct address would be http://localhost:50080/vmfs Thanks Tim for pointing this out.

The world isn't perfect though and you may run into a couple of problems:

Problem 1:
You may get an error similar to this:
Exception in thread "main" VMFS FDC base not found

Problem 2:
There are several partitions inside your E01 image; some of them could be FAT12 "Hypervisor" partitions, which is enough for the fluidOps driver to give up on you.

There are several ways of getting inside, however. In my case I happened to have VMware Workstation installed on my machine, and one of the guest OSes was Ubuntu 10.10. I added the hard disk (PhysicalDrive4) to my Linux guest OS and started it.

vmfs-tools is yet another tool, which is "originally loosely based on the vmfs code from fluidOps" and allows read-only access to VMFS file systems from non-ESX/ESXi hosts.

In Linux I installed vmfs-tools by running:

sudo apt-get install vmfs-tools

and typed the following command:

sudo fdisk -l

The above shows that the vmfs file system is located on /dev/sdb3

The next commands mount the VMware VMFS partition:

mkdir /home/a/Desktop/system
vmfs-fuse /dev/sdb3 /home/a/Desktop/system

and then show what's inside:

ls -alh

I then connected a 1TB USB drive (Seagate FreeAgent Go) to the virtual machine and copied the files for further analysis. DONE.
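The Linux part of the procedure above (find the VMFS partition in the fdisk listing, create a mount point, mount it read-only with vmfs-fuse, list the contents) as an added shell example; this is not code from the original post or from the vmfs-tools project. The fdisk output embedded in it is constructed to match the layout the post implies (a FAT12 "Hypervisor" partition next to the VMFS one on /dev/sdb3), the partition type ids fb (VMware VMFS) and 1 (FAT12) are the ones fdisk uses, and the VMFS_DEVICE and VMFS_MOUNTPOINT environment variables are this script's own convention for choosing when to touch a real disk.

```shell
#!/bin/sh
# Added example (not from the original post): pick the VMFS partition out of
# `fdisk -l` output and perform the vmfs-fuse mount step described above.
# Assumes a Linux guest with vmfs-tools installed and the evidence disk
# attached as /dev/sdb, as in the post.

# Constructed sample of `sudo fdisk -l` output for the attached disk.
# Type id fb is "VMware VMFS"; id 1 is FAT12, the "Hypervisor" partition
# kind that makes the fluidOps driver give up.
sample_fdisk_output() {
    cat <<'EOF'
Disk /dev/sdb: 1000.2 GB, 1000204886016 bytes
255 heads, 63 sectors/track, 121601 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   *           1           5       40131    4  FAT16 <32M
/dev/sdb2               6         255     2008125    1  FAT12
/dev/sdb3             256      121601   974751345   fb  VMware VMFS
EOF
}

# Print the device node of every partition whose fdisk type id equals $1,
# reading fdisk output from stdin. The Id column is the fourth field after
# the device name once the optional "*" boot flag is skipped, so multi-word
# System names ("VMware VMFS") and numeric ids ("1", "4") are handled alike.
partitions_with_id() {
    awk -v want="$1" '
        /^\/dev\// {
            n = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "*") continue
                n++
                if (n == 4) { if ($i == want) print $1; break }
            }
        }'
}

find_vmfs_partitions()  { partitions_with_id fb; }   # candidates for vmfs-fuse
find_fat12_partitions() { partitions_with_id 1; }    # the "Hypervisor" partitions

# Mount a VMFS partition read-only with vmfs-fuse and list it, refusing to
# proceed if vmfs-tools is not installed. Needs root, as in the post.
mount_vmfs() {
    dev="$1"; mnt="$2"
    command -v vmfs-fuse >/dev/null 2>&1 || {
        echo "vmfs-fuse not found; install with: sudo apt-get install vmfs-tools" >&2
        return 1
    }
    mkdir -p "$mnt" || return 1
    vmfs-fuse "$dev" "$mnt" || return 1
    ls -alh "$mnt"
}

# Only touch a real disk when VMFS_DEVICE is set, e.g.
#   sudo env VMFS_DEVICE=/dev/sdb3 VMFS_MOUNTPOINT=/home/a/Desktop/system sh vmfs_mount.sh
# Otherwise report what the constructed sample would give.
if [ -n "${VMFS_DEVICE:-}" ]; then
    mount_vmfs "$VMFS_DEVICE" "${VMFS_MOUNTPOINT:-/home/a/Desktop/system}"
else
    echo "FAT12 hypervisor partitions (expect the fluidOps driver to bail on these):"
    sample_fdisk_output | find_fat12_partitions
    echo "VMFS partitions to pass to vmfs-fuse:"
    sample_fdisk_output | find_vmfs_partitions
fi
```

On a real disk, replace the sample with `sudo fdisk -l | find_vmfs_partitions` to get the device to pass to vmfs-fuse; the filter keys on the type id rather than on the System text so that it works whether or not fdisk prints the boot flag column.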

P.S. Paul Henry did a good write-up on a similar subject here.