Anthony Vance

Assistant Professor—Information Systems—Brigham Young University

LinEn Network Acquisition using VMware Fusion for OS X

23 Jun, 2008  forensics

VMWare Fusion

For those who use EnCase for forensic analysis, a powerful and convenient means of acquiring digital evidence is over the network using LinEn, a Linux-based version of EnCase Acquisition. LinEn is run from a Linux boot disk on the target computer and serves an evidence file over the network to EnCase running on the forensic examiner's computer. EnCase is a Windows application, but network acquisitions can be performed successfully using VMware Fusion for Mac with the following configuration.

For my setup, I have a MacBook running VMWare Fusion 2.0b1 and OS X 10.5.3. I’m running Windows XP as a VM with EnCase 6.11 installed.

Note: Because Macs can intelligently sense and correct the Ethernet connection when one computer is connected directly to another, a cross-over cable is not required.

1. Boot the target machine using Helix or another Linux live CD that contains LinEn.

2. Once at the Linux command line, type:

ifconfig eth0 10.0.0.1 netmask 255.0.0.0

3. On the Mac, change the IP address to 10.0.0.50 and subnet mask 255.0.0.0

4. Confirm that the Mac and PC can both ping the other.

5. On the Mac, edit the VMware Fusion boot script (/Library/Application Support/VMware Fusion/boot.sh), lines 676-681 as follows:


#"$LIBDIR/vmnet-bridge" -d /var/run/vmnet-bridge-vmnet0.pid vmnet0 en0
#"$LIBDIR/vmnet-bridge" -d /var/run/vmnet-bridge-vmnet0.pid vmnet0 en0
# Bridge to the primary host network interface (which can change over time).
"$LIBDIR/vmnet-bridge" -d /var/run/vmnet-bridge-vmnet0.pid vmnet0 ''
;;

Change to:


#"$LIBDIR/vmnet-bridge" -d /var/run/vmnet-bridge-vmnet0.pid vmnet0 en0
"$LIBDIR/vmnet-bridge" -d /var/run/vmnet-bridge-vmnet0.pid vmnet0 en0
# Bridge to the primary host network interface (which can change over time).
#"$LIBDIR/vmnet-bridge" -d /var/run/vmnet-bridge-vmnet0.pid vmnet0 ''
;;

6. Restart VMware Fusion:

sudo "/Library/Application Support/VMware Fusion/boot.sh" --restart

7. Change the VMware Fusion network mode to Bridged networking.

8. Boot the Windows XP VM and change the Windows VM IP to 10.0.0.2 and subnet mask 255.0.0.0.

9. The target machine running Linux should now be able to ping the Mac and the Windows VM, and vice versa.

10. Run LinEn from the Linux live CD on the target machine.

11. From EnCase, acquire over the network cable.
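Added example, not from the post or from VMware: a POSIX shell script that applies the boot.sh edit from step 5 with awk instead of a text editor, keeps a backup, and then checks that exactly one vmnet-bridge command is left active so vmnet0 is never started twice. The names BOOT_SH, bridge_to_en0, active_bridges and check_links are my own; the boot.sh path is the one the post gives.

```shell
#!/bin/sh
# Added example (not the post's or VMware's code). Rewrites the vmnet-bridge
# block in VMware Fusion's boot.sh so vmnet0 is bridged to en0 rather than
# to the auto-detected primary interface (the `vmnet0 ''` line).
BOOT_SH="${BOOT_SH:-/Library/Application Support/VMware Fusion/boot.sh}"

# bridge_to_en0 FILE: edit FILE in place; the original is kept as FILE.bak.
#   - comment out the active auto-detect line (ends in: vmnet0 '')
#   - uncomment exactly one of the commented "vmnet0 en0" lines
bridge_to_en0() {
  f="$1"
  cp "$f" "$f.bak" || return 1
  awk -v q="'" '
    index($0, "vmnet-bridge") == 0 { print; next }
    $0 !~ /^[[:space:]]*#/ && index($0, "vmnet0 " q q) { print "#" $0; next }
    $0 ~ /^[[:space:]]*#/ && index($0, "vmnet0 en0") && !done {
      sub(/#/, ""); done = 1
    }
    { print }
  ' "$f.bak" > "$f"
}

# active_bridges FILE: number of uncommented vmnet-bridge commands.
# Anything other than 1 means the edit went wrong (0 = no bridge at all,
# 2+ = two bridge daemons fighting over the same pid file).
active_bridges() {
  grep -c '^[[:space:]]*"\$LIBDIR/vmnet-bridge"' "$1"
}

# check_links: from the Mac (10.0.0.50), confirm the target (10.0.0.1) and
# the Windows VM (10.0.0.2) answer, i.e. steps 4 and 9 of the procedure.
check_links() {
  for host in 10.0.0.1 10.0.0.2; do
    ping -c 1 "$host" >/dev/null 2>&1 || { echo "no reply from $host"; return 1; }
  done
  echo "target and VM reachable"
}

# Only touch the real boot.sh when explicitly asked (run as root).
if [ "${1:-}" = "--apply" ]; then
  bridge_to_en0 "$BOOT_SH" || exit 1
  [ "$(active_bridges "$BOOT_SH")" = "1" ] || { echo "bridge count != 1"; exit 1; }
  echo "edited $BOOT_SH (backup in $BOOT_SH.bak); now run: sudo \"$BOOT_SH\" --restart"
fi
```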

3 Comments so far »

  1. Robert Nicholson said,

    Wrote on August 11, 2008 @ 4:08 pm

    Can you describe what those changes to the fusion boot script actually do and why they are necessary?

  2. just guess said,

    Wrote on September 3, 2008 @ 4:49 pm

    I'll try to describe what I think he's doing there …

    AFAIK he's changing the way VMware Fusion is setting up the network bridge .. the original file is setting up the bridge (vmnet0) to the first interface the Mac is connected to (e.g. … vmnet0 ''). He's changing that to hard wire the bridge to en0 (vmnet0 en0) - I guess it is necessary to avoid that the wrong interface is bound to the bridge. After the change the bridge is hard wired to en0, aka your first network port on your Mac ;-)

  3. Anthony said,

    Wrote on September 3, 2008 @ 5:33 pm

    Just:

    Thanks for taking a stab at answering the question.
    Actually, vmnet0 is the network interface for the guest virtual machine. VMware acts as a NAT router by default. For example, my current IP address on my Mac is 10.10.10.139. Within the virtual machine, the IP address is 192.168.222.128. Because of this NAT arrangement, the guest VM can’t ping the host.

    By adding "en0" to the end of the vmnet-bridge command, the vmnet0 interface is bound (if that is the right word) to the Ethernet interface on my Mac. Once VMware's vmware-vmx program is restarted (via the boot.sh command), the VMware guest machine is on the same "network" as the host machine. At this point my Mac can ping the guest OS, and vice versa.

    Making this change is necessary to put the guest OS (in my case Windows XP) on the same network as the machine I want to acquire evidence from via the cross-over cable. Once I have connected my Mac via the cross-over cable to the target machine (the machine I want to acquire evidence from), the target machine, the guest OS (running EnCase), and my Mac can all ping each other.

    Essentially, this setup is the same as if I connected the target machine, the Mac, and an XP machine to a switch, and configured all three machines to use the same subnet.

    I hope this makes sense. I picked up this trick in the VMware forums here:

    http://communities.vmware.com/thread/107821

© 2005-2010 Anthony Vance | Theme modified by Anthony Vance, based on design by Wolfgang Bartelme, ported to Wordpress by LEMONed.