NirSoft – BlueScreenView v1.55

While attending Citrix Synergy 2017 last week, the BlueScreenView tool from NirSoft was mentioned as a tool for troubleshooting desktops in a Citrix VDI environment. Although this tool can be helpful for troubleshooting a BSOD on both physical and virtual computers, it also struck me as a good tool for incident response and digital forensics.

BlueScreenView is a free tool provided by NirSoft and is used to view the contents of the dump file generated when a BSOD occurs.

XenServer 6.5 Performance Issues

During a recent migration of virtual servers from a XenServer 6.2 pool to a XenServer 6.5 pool, severe performance issues were noticed. These issues were most apparent on XenDesktop workstations running client applications that connected to back-end SQL servers.

VMDK Direct Access with VMWare Workstation – Hash Analysis

Previous posts outlined some of the benefits of using VMware Workstation or other virtualization technology to host not only forensic analysis workstations but also other workstations for test and validation. One of the advantages of VMware Workstation is the ability for the host to share a folder with guest workstations in read-only mode.

This feature is especially appealing as a way to directly access and analyze the VMDK files of virtual test and validation workstations from a virtual forensic analysis workstation.

To verify that the VMDK file was not modified while being accessed through a read-only shared folder in VMware Workstation, I calculated the hash value of the VMDK file via multiple access methods. The results are shown below.
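The check described above, scripted as an added example (these are not the post's own commands or results): hash the same VMDK through each access path the forensic VM can use and confirm every path returns the same digest, optionally against a digest recorded before the examination session. The paths under `$vmdkViews` are hypothetical placeholders for the host copy, a mapped drive letter and the VMware shared-folder UNC path; substitute your own.

```powershell
# Added example, not from the original post: verify that a VMDK reads back
# identically through every access path (host, mapped shared folder, UNC) and,
# optionally, against a digest recorded before the examination session.
# All paths below are hypothetical placeholders; substitute your own.
$vmdkViews = [ordered]@{
    'Host (direct)'          = 'D:\VMs\TestWS\TestWS.vmdk'
    'Guest (mapped Z:)'      = 'Z:\TestWS\TestWS.vmdk'
    'Guest (UNC share path)' = '\\vmware-host\Shared Folders\TestWS\TestWS.vmdk'
}

function Test-VmdkIntegrity {
    param(
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Views,
        [string] $Algorithm = 'SHA256',
        [string] $Baseline              # digest recorded before the session, if any
    )

    # Power the test VM off before running this; a disk that is still being
    # written to will not hash consistently from one read to the next.
    $results = foreach ($name in $Views.Keys) {
        $file = Get-Item -LiteralPath $Views[$name] -ErrorAction Stop
        [pscustomobject]@{
            View  = $name
            Bytes = $file.Length
            Hash  = (Get-FileHash -LiteralPath $file.FullName -Algorithm $Algorithm).Hash
        }
    }

    $results | Format-Table -AutoSize | Out-String | Write-Host

    # One distinct digest across all views means no path altered what was read.
    $distinct = @($results.Hash | Sort-Object -Unique)
    if ($distinct.Count -ne 1) {
        throw "Digest differs by access path ($($distinct.Count) distinct values)."
    }
    if ($Baseline -and $distinct[0] -ne $Baseline.ToUpperInvariant()) {
        throw "Digest $($distinct[0]) does not match the pre-session baseline $Baseline."
    }
    "All $($results.Count) views match" + $(if ($Baseline) { ' and equal the baseline.' } else { '.' })
}

Test-VmdkIntegrity -Views $vmdkViews
```

Run it once before the examination to record the digest, then again afterwards with `-Baseline <digest>`; a throw on either run means the file was changed or one access path is not returning the bytes on disk.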

Accessing VMWare Workstation Shared Folders with FTK Imager

In the previous posts we looked at the ability to run test and validation workstations as well as a forensic examination workstation within VMware Workstation. The ability to map a drive from within the virtual forensic examination system to directly access the VMDK files of the test workstations was also discussed previously.

VMWare Workstation for Research and Validation

In my previous post I talked about the use of virtualization technology and how it is beneficial in the world of digital forensics.  One of the ways that many utilize virtual workstations is for research and validation.

Two of the advantages of virtualization are the ability to revert the workstation to a clean state by utilizing snapshots as well as the ability to quickly examine a virtual workstation in a read-only mode without having to acquire a clone of the workstation.

Virtualization in Digital Forensics

I have been a proponent of virtualization from both a personal and a business standpoint. My journey into the world of digital forensics is no exception. I have read several articles and listened to multiple podcasts that talk about the advantages of using virtualization not only for the forensic workstation used by an examiner but also for research, testing, and validation.

Forensic workstations, research, and validation are exactly what I am using virtual machines running in VMware Workstation to accomplish.

WiebeTech Forensic UltraDock v5.5 and VMWare Workstation 12.5

I am currently running my forensic workstation as a virtual machine within VMware Workstation 12.5. I chose to do this for multiple reasons, some of which include snapshots to roll back the workstation, the ability to test different forensic tools, the ability to test different OSs for the workstation (Windows vs. Linux), etc., not to mention the cost of VMware Workstation compared to having several machines running different OSs, as well as the portability of it all.

So far this setup has worked well as a test bed for the start of my expedition. There have been a few performance hurdles, but nothing that a little patience wouldn't take care of. However, today I ran into an issue that, although I was able to overcome it, is disappointing to say the least.

Security Tokens on XenDesktop

The use of USB security tokens with XenDesktop 5.6 FP1 poses some interesting challenges. In this configuration XenDesktop was accessed both from Wyse thin clients and via Citrix Receiver on a PC. The XenDesktop image would detect the USB token, a SafeNet iKey 2032; however, the SafeNet application would not detect that the token was present or read the certificate installed on the token.

After much research and testing of ideas proposed on various websites, concerning the way the SafeNet application was installed or disabling the Smart Card service, the fix turned out to be one originally implemented for XenDesktop 3.0.

The following registry value needs to be changed for third-party applications to access USB security tokens or smart cards:

  1. Open Regedit.
  2. Browse to HKLM\Software\Citrix\CtxHook\AppInit_Dlls\Smart Card Hook.
  3. Change the value of Flag to 0.
  4. Restart the workstation.

This change immediately resolved the issue with the SafeNet iKey 2032 token being accessed by the SafeNet Authentication Client.
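The same change scripted in PowerShell, added here as an example and not part of the original post or of Citrix's documentation. It runs from an elevated prompt, exports each key it touches to a .reg backup so the change can be reverted, sets Flag to 0 and reads it back before asking for the restart. It assumes Flag is a REG_DWORD (the post gives only the value 0) and also checks the Wow6432Node path, where the hook key may live on a 64-bit image; both assumptions are marked in the comments.

```powershell
# Added example, not from the original post: apply the Smart Card Hook change
# described above from an elevated PowerShell prompt, keeping a .reg backup of
# each key touched and reading the value back before asking for a restart.
# Assumptions: Flag is a REG_DWORD (the post gives only the value 0), and on a
# 64-bit image the hook key may also exist under Wow6432Node, so both are checked.
#Requires -RunAsAdministrator

$hookKeys = @(
    'HKLM:\SOFTWARE\Citrix\CtxHook\AppInit_Dlls\Smart Card Hook',
    'HKLM:\SOFTWARE\Wow6432Node\Citrix\CtxHook\AppInit_Dlls\Smart Card Hook'
)
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$changed = 0

foreach ($key in $hookKeys) {
    if (-not (Test-Path -LiteralPath $key)) {
        Write-Host "Not present, skipping: $key"
        continue
    }

    # Export the key first so the change can be reverted with 'reg import'.
    $regKey = $key -replace '^HKLM:\\', 'HKEY_LOCAL_MACHINE\'
    $backup = Join-Path $env:TEMP ("SmartCardHook-{0}-{1}.reg" -f $changed, $stamp)
    reg.exe export "$regKey" "$backup" /y | Out-Null
    Write-Host "Backed up $key to $backup"

    $before = (Get-ItemProperty -LiteralPath $key -Name Flag -ErrorAction SilentlyContinue).Flag
    Set-ItemProperty -LiteralPath $key -Name Flag -Value 0 -Type DWord
    $after  = (Get-ItemProperty -LiteralPath $key -Name Flag).Flag

    # Read-back check: do not report success on the strength of the write alone.
    if ($after -ne 0) { throw "Flag on $key reads $after after the change; aborting." }
    Write-Host ("Flag on {0}: {1} -> {2}" -f $key, $before, $after)
    $changed++
}

if ($changed -eq 0) {
    Write-Warning 'No Smart Card Hook key found; is this a XenDesktop VDA image?'
} else {
    Write-Host 'Restart the workstation for the hook change to take effect.'
}
```

If the desktops are provisioned from a master image, make the change on the master rather than on a running desktop, or it will not survive a reboot. The value disables Citrix's Smart Card Hook for the image, so any smart card logon or pass-through scenario that relied on that hook should be retested after the change.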

Citrix Support Article: