Thweety Posted December 16, 2016

Greetings. Got a few items I could use some advice on.

If a file gets deleted on a computer, with a few pieces of software it can easily be recovered. So my question is: let's say I delete a file, then virtualize the hard drive. From that virtual machine, can I recover that same file? I believe a physical-to-virtual is supposed to grab everything, but if you have 10G used on a 40G HD, the VM will only be around 10G, not 40G, even if the hard drive had 20G used on it at one time. So how can I be sure the virtual machine has the deleted files that I'm after, other than just trying the recovery software?

Another question would be browser cookies. If I can capture a machine and virtualize it, will any cookies on that physical machine copy over to the VM, so that I can sort through them as if I were on the machine itself?

One more question: how easy is it to put a backdoor in a VM? What I'd like to know is, if I have several employees running independent VMs, is there a way to keep track of them and have control over them? I have a concern that the VMs might be being cloned without my knowledge. Obviously I cannot catch the ones already out there, but for any new ones used I'd like to install some sort of backdoor or software that will allow me to shut them down and even possibly delete unauthorized clones.

Any help would be great.
bored369 Posted December 16, 2016

Unlikely that it would copy at the block level to virtualize a hard drive, but it depends on how you go about it. Maybe there is a way, but things like disk2vhd only copy at the file level as far as I'm aware. If whatever you use does do a block-level copy, you are right in thinking the size of the virtual drive would be much larger than the currently consumed space; more likely it would be the full size of the disk.

Browser cookies would be at the file level, so those would be there (unless they were deleted, then the same thing as above applies).

I mean, you could put a backdoor in the VM and maybe screw the system up if you wanted to stop it, but nothing would stop them from just using a copy of the virtual drive file to run each time, and then you would need to do that every time or have something in place to lock access to the system. But remember, with physical access to a machine (or virtual drive in this case) there's normally little you can do to stop someone from getting in. Best suggestion would be to use full-disk encryption with a strong passphrase, and a strong passphrase for actually logging into the system, and don't share it with people you think might clone your system without your knowledge. The bigger issue you need to solve is being able to trust who is using your stuff; if you don't, you're already fighting a losing battle.
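The file-level versus block-level distinction bored369 draws is the whole answer to the first question, so here is an added example (not part of the thread, and not either poster's words) that makes it concrete. It is a toy Python simulation: a raw disk image as a bytearray plus a directory table, where "deleting" a file removes only the directory entry, exactly as most real filesystems do. A file-level copy (what a file-based P2V produces) and a sector-by-sector clone (dd-style) are then both run through a simple signature carver. The `ToyDisk` class, the `carve` function and the fake PNG payload are all constructed for this example; nothing here is disk2vhd's or any vendor's code.

```python
"""Why a block-level clone keeps deleted files and a file-level copy does not.

Constructed example: a toy disk with a 512-byte sector size, a bump allocator,
and a directory table. Deleting a file only drops its table entry, so its
sectors become "unallocated" but keep their bytes until something reuses them.
"""

SECTOR = 512
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"      # real PNG header signature
PNG_TRAILER = b"IEND\xaeB`\x82"      # real PNG end-of-file chunk


class ToyDisk:
    """Raw image plus a directory mapping filename -> (first_sector, length)."""

    def __init__(self, num_sectors):
        self.image = bytearray(num_sectors * SECTOR)
        self.directory = {}
        self.next_free = 0  # bump allocator: freed sectors are never reused here

    def write(self, name, data):
        nsect = -(-len(data) // SECTOR)  # ceiling division
        if (self.next_free + nsect) * SECTOR > len(self.image):
            raise ValueError("disk full")
        off = self.next_free * SECTOR
        self.image[off:off + len(data)] = data
        self.directory[name] = (self.next_free, len(data))
        self.next_free += nsect

    def read(self, name):
        start, length = self.directory[name]
        off = start * SECTOR
        return bytes(self.image[off:off + length])

    def delete(self, name):
        # Only the directory entry goes away; the sectors keep their contents.
        del self.directory[name]


def file_level_copy(src):
    """A file-level P2V: a fresh image that receives only the files the
    directory still lists. Unallocated sectors are never touched."""
    dst = ToyDisk(len(src.image) // SECTOR)
    for name in src.directory:
        dst.write(name, src.read(name))
    return dst


def block_level_copy(src):
    """A sector-by-sector clone: every byte comes along, claimed or not."""
    dst = ToyDisk(len(src.image) // SECTOR)
    dst.image[:] = src.image
    dst.directory = dict(src.directory)
    dst.next_free = src.next_free
    return dst


def carve(image, magic=PNG_MAGIC, trailer=PNG_TRAILER):
    """Signature carving over raw bytes: each header up to its trailer.
    The directory is irrelevant, which is exactly why it finds deleted data."""
    found = []
    pos = image.find(magic)
    while pos != -1:
        end = image.find(trailer, pos + len(magic))
        if end == -1:
            break
        found.append(bytes(image[pos:end + len(trailer)]))
        pos = image.find(magic, end + len(trailer))
    return found


def fake_png(payload):
    """Constructed stand-in for a PNG: real magic and trailer around filler
    bytes. Not a valid image, just something a carver will recognise."""
    return PNG_MAGIC + payload + PNG_TRAILER


def demo():
    phys = ToyDisk(64)                            # a 32 KiB "physical" disk
    phys.write("photo.png", fake_png(b"A" * 1500))
    phys.write("notes.txt", b"kept file\n")
    phys.delete("photo.png")                      # recoverable only by carving

    via_files = file_level_copy(phys)
    via_blocks = block_level_copy(phys)
    return {
        "physical": len(carve(phys.image)),
        "file_level": len(carve(via_files.image)),
        "block_level": len(carve(via_blocks.image)),
        "live_files": sorted(via_blocks.directory),
    }


if __name__ == "__main__":
    # {'physical': 1, 'file_level': 0, 'block_level': 1, 'live_files': ['notes.txt']}
    print(demo())
```

The check this suggests for the original question: find out whether the P2V tool you used works at the sector/volume level or at the file level. Only a sector-level clone carries unallocated space across, and its size then tracks the sectors that were ever written rather than the files currently listed, so a small virtual disk relative to the physical one is itself a hint that the copy was file-based. The same caveat as in the toy allocator applies on real systems in reverse: filesystems do reuse freed sectors, so deleted data that has been overwritten since is gone from either kind of copy.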
Thweety Posted December 27, 2016

Thanks for getting back with me, bored369. You are absolutely right that trust is the issue. I didn't want to give up the VM to begin with, and I never gave up the second VM that was asked for. So that made me feel a bit better. I just wish I had a way to either screw up or delete the VM in place before giving out the first one. I would love nothing more than to see the individual's face after a hard day's work and having the files get deleted or the VM completely screwed up. There's no better way to lose faith in a VM than to have it constantly screwing up on you when you least expect it.

I may still toy with the idea of putting something in place as a POC, but the damage is already done and the individual no longer works for the company. I would guess some sort of C&C machine on my end waiting for a connection to come up, and some sort of reverse connection on the VM so that it phones home each time it's started up. Then a simple command to either delete newly created files or just a complete "delete all system files" command. I've been hearing more and more about malware in VMs being able to jump out of the VM and infect the host, but maybe even some way to force a vmx file to have certain settings regardless of how it's customized. That way, even if the new owner of the VM shut off networking, it could somehow get turned back on to allow the VM to phone home. Just ideas. If anyone has any experience with any of this I'd be very interested. If not, I'll just play around with it and see what I can come up with.