As a member of the Citrix Consulting team, I focus on projects at enterprise customers in Latin America across a range of industries, from healthcare to education, retail, and more. I am involved in these projects during each phase of our methodology — infrastructure assessment, design, and rollout. As we work through the development, we often encounter this question: “What information is available to perform forensic analysis in VDI environments?”
Forensic analysis usually happens when a company suspects employee misconduct and needs evidence of what the employee was doing over time or when a company needs to investigate a security breach.
Corporate IT security teams try to keep as much information as possible at hand when conducting a forensic investigation. When it comes to desktop computers, they often seize the computer and try to keep it on as long as possible so as not to lose access to RAM (volatile memory) and data from temporary files that might be useful for further analysis.
Other useful data to analyze includes:
- Windows logs
- Temp files
- User profile
- User data
- Application temp and logs
This is the same kind of information that a security analyst would try to get from a virtual desktop.
As we know, there are two types of virtual desktops (persistent and non-persistent), so the information available will depend on the type of desktop we’re using. On a persistent desktop, you can isolate the machine from the network and treat it in a similar way to a physical machine, having access to the virtual hardware (RAM and hard drives) and software components. But when it comes to a non-persistent desktop, not all data will be available all the time. In fact, there is a lot of information that will be lost after the user logs out and/or the machine is restarted.
You will not be able to retain some of the information after restarting a machine, so it will be necessary to generate a strategy for gathering data separated by layers, where you must define what is the relevant information that will be needed for a posterior analysis.
The diagram below illustrates which information belongs to which layer and gives a general idea about the location of each of the elements, and a simple suggestion of how to address the separation of information. Click the image to view larger.
Citrix’s Dynamic Provisioning Mechanisms and Forensic Analysis
Keeping in mind the differences between persistent and non-persistent VDIs, you might think, “I knew all this, and there is not much to do.” That’s not totally true. In fact, there are some important points to keep in mind.
If you need to isolate the VM from the network and/or create a VM snapshot, then you will need to think about the provisioning strategy because you have two scenarios:
- Using Citrix Provisioning Services: If you isolate the VM network, you will get a VM error and it will be stuck, or you will have a nice Blue Screen of Death (BSOD) because this technology is network-based. So, this will not happen, you will need to ensure that all required data is redirected away from the non-persistent drive. Snapshots are not possible because you are receiving the OS driver by demand from the network.
- Using Citrix Machine Creation Services: This is a storage-based technology, so you can isolate the VM from the network and then take a VM snapshot to rebuild a complete VM from the snapshot point (keeping all temp files, regs, logs, and whatever files are on the VM). It is important to keep in mind that if the user logs off their session or the Citrix console restarts the VM, you will lose the opportunity to run this process.
In both cases, we recommend defining a strategy to gather all information that you may consider needing in the future to perform your analysis.
Citrix Products That Provide Additional Data for Forensic Analysis.
All Citrix environments include tools that will give you additional information about user behavior. For example, you can record the session screen as a video by using Citrix Session Recording. A user session can be tracked in Director Trend Reports, so you know which resources were accessed (including time, IP, device name, and more). Access can be proxied by Citrix ADC and tracked by Citrix Application Delivery Management (ADM), so you can query information about how many times the user tried to connect to the environment. Citrix Analytics includes a security module to monitor the user behavior using machine learning, so it could act in case it detects any unusual user behavior.
As any good consultant would, when I’m asked about the data that will be available to perform a forensic analysis, I always respond, “It depends.” In the end, it depends on the type of virtual desktop being delivered to users and the policies around data retention that were set in the design of the environment. Although the solution might be different from what is used in the physical desktop world, a wealth of data can be made available in a non-persistent one, too.
Citrix Tech Bytes – Created by Citrix Experts, made for Citrix Technologists! Learn from passionate Citrix Experts and gain technical insights into the latest Citrix Technologies.
Click here for more Tech Bytes and subscribe.
Want specific Tech Bytes? Let us know! tech-content-feedback@citrix.com.