Abstract-Traditional computer forensics is performed on physical machines, using a set of forensic tools to acquire disk images and memory dumps. Dealing with virtual machines is very different. Live forensics is used to acquire volatile data and improve efficiency, but how should live forensics be performed on a subject system that hosts virtual machines? This paper discusses how virtual machines can be used both as forensic evidence and as forensic tools, proposes methods for collecting the data associated with virtual machines from the host system, and discusses methods and tools for booting the acquired subject system OS into a virtual machine.

Keywords-digital forensics; live forensics; virtual machine; memory acquisition

I. INTRODUCTION

Traditional computer forensics is mainly performed on a physical machine. But with the booming of virtualization technology and the popularity of virtual machines for end users' daily work, the probability of virtual machines being used for malicious purposes keeps increasing, so forensic techniques should keep pace with this new trend. Virtual machines can be used either as the forensic object (the evidence) or as forensic tools. Treated as a forensic object, virtual machines are very different from physical ones. Besides, as disk sizes keep growing, acquiring a whole disk image by making a disk clone is very time-consuming and becomes infeasible. Sometimes the only things the investigator is interested in are some special files, e.g., the files associated with a virtual machine, so the most efficient and feasible way is to perform live forensics on those special files. This paper discusses methods and steps for gathering all the data and files associated with a virtual machine that are needed to perform live forensics.

Virtual machines can also act as forensic tools that let investigators perform forensic work more efficiently and easily [1]. Using a cloned physical disk, a disk image file, or the virtual machine files acquired from the subject machine, investigators can boot the OS contained in them into a virtual machine. The investigator can then explore the evidence more conveniently and observe the "live" activities of the application programs of interest. The methods and tools for booting the subject system OS in a virtual machine are discussed in Section 5.

The rest of this paper is organized as follows. General concepts of virtual machines are discussed in Section 2. Section 3 compares live forensics with traditional forensics, discusses the virtues and disadvantages of live forensics, and explains why live forensics should be used to deal with systems that host virtual machines. Section 4 discusses how to perform live forensics on systems that host virtual machines. Section 5 discusses methods and tools for booting the subject system OS into a virtual machine. Section 6 concludes the paper together with a discussion of future work.

II. GENERAL CONCEPTS OF VIRTUAL MACHINES

Virtual machines are not new and have been in use for about half a century. The fundamental concept of a virtual machine revolves around a software application that behaves as if it were on a true physical computer. The virtual machine application ("guest") runs its own self-contained operating system within the actual machine ("host"). This virtual operating system can be of almost any variant of design. Put more simply, it can be described as a virtual computer running inside a physical computer.

One of the benefits of virtual machines is the ability of a virtual machine to operate on nearly any underlying hardware and software configuration. This gives great flexibility in sharing and duplicating virtual machines for many purposes, such as software testing. Additionally, one host machine (the actual computer) can run multiple guest machines (virtual machines) at the same time. The host machine and all virtual machines running in it are logically isolated from each other. Besides, virtual machines can be installed to or removed from the host system easily, and snapshots can be taken at any time and used later to restore the system to an earlier state. So, a virtual machine may be the preferred choice for testing malicious code or committing cyber crimes with no clues left in the host system. In this paper, the focus will be on the uses of virtual machines for forensic purposes, both with a virtual machine as the evidence and as an asset to the forensic tool box. The operating systems referenced in this paper are Microsoft Windows, as it is the most prevalent operating system used worldwide.

III. WHY LIVE FORENSICS

Traditional computer forensics uses the method known as quiescent or static analysis. This means shutting down the subject machine and performing a bit-by-bit copy of all the attached non-volatile storage media [2]. Although this better protects the consistency of the evidence, it also brings many drawbacks, such as the shutdown process, unreadable encrypted data, incomplete evidence, and long downtimes [3].

Live forensics gathers data from running subject systems. It can provide additional contextual information, such as volatile memory and system states, that is not acquirable through static forensics [4]. For systems with large terabyte-scale disks or storage systems such as NAS, SANs or RAID arrays, it is impossible or extremely difficult to make whole disk clones. Live forensics can improve efficiency and minimize the downtime of those mission-critical systems.

File or disk encryption functions are integrated into modern operating systems; this may render the acquired data meaningless if the decryption key is unknown [5]. But many encryption tools leave their keys in system memory, where they can be found by key-carving tools [6][7]. So, performing live forensics can improve the probability of acquiring meaningful data.

Moreover, some advanced malware exists only in system memory and is never written to disk. This can be an effective way to avoid detection by anti-malware application programs. The runtime information of this kind of malware can't be acquired through static forensics.

Despite the advantages listed above, live forensics also has several drawbacks. One is that it damages the integrity of the evidence, since it typically needs to run software application(s) on the subject system, which may overwrite evidence in the subject system's memory. So, investigators should balance efficiency and data quantity against usefulness. Besides, many live forensics tools rely on services provided by the subject system's OS, and thus could be deceived by kernel malware, with the acquired data being manipulated or replaced.

Systems that host virtual machines often have large RAM and disks because they must provide enough resources for each virtual machine to run. So, to deal with such a subject system, the best and most practical way is to perform live forensics. By using proper live forensics tools that run in the host system, live forensics targeting a subject virtual machine will not alter the virtual machine's data, since the host and guest machines are logically isolated; this provides better evidence integrity than directly running forensic tools in the virtual machine.

IV. VIRTUAL MACHINES AS FORENSIC EVIDENCE

Unlike physical machine forensics, where the data gathering stage basically means acquiring forensic images through disk cloning or memory dumping, virtual machines are usually a dozen files residing on the physical computer's hard disk. If the virtual machine is still running, there is also associated memory information in the physical machine's system memory. But how can all these data be obtained forensically? The most direct and easiest way is to perform static forensics: shut down the subject system's power, then make a complete disk clone. However, sometimes the whole disk is so large that the time needed to clone it is unbearable, and sometimes the investigator is only interested in part of the contents, e.g., the files associated with a virtual machine, so the most effective and feasible way is to acquire only the needed files. Furthermore, many files, or even the whole disk, may be encrypted by encryption tools such as BitLocker, TrueCrypt, dm-crypt, EFS (Encrypting File System), etc. Thus a virtual machine, which appears as a dozen binary files on the physical machine's hard disk, may also have been encrypted by such tools.

In order to resolve these problems, the investigator should apply live forensics both to the virtual machine and to the host physical machine. First of all, according to the rule "gather data in order of volatility" [8], we should dump the physical memory of the host machine, because the volatile data in system memory might be tampered with by the investigator's own operations. To achieve this, we can use software-based memory acquisition tools such as Win32dd, Volatility, Responder, F-Response, etc. Hardware-based tools like Tribble [9] or FireWire-based methods [10][11] can also be used if the physical machine has such a device (like Tribble) pre-installed or has such a port (FireWire). Then, if there are virtual machines still running, they should be paused first; this halts the virtual machine and preserves its memory and system state on the host system's hard disk. Then, if acquiring the whole disk image is difficult and the only valuable thing is the virtual machine data, we get all the virtual machine files generated by the virtualization application (e.g., VMware Workstation [12]) out of the host machine's hard disk; generally this includes part or all of the files listed in Table 1. Table 2 shows the meaning of each file type used by VMware Workstation.
TABLE I. FILES GENERATED BY DIFFERENT VIRTUAL MACHINE APPLICATIONS AND THEIR LOCATIONS
2010 International Conference on Computer Application and System Modeling (ICCASM 2010)
TABLE II. ACQUIRED VMWARE VIRTUAL MACHINE FILES AND THEIR MEANINGS

VMware Virtual Machine Files    Meanings
.vmdk    Virtual hard disk of the virtual guest operating system; may be of dynamic or fixed size.
.log     The virtual machine's log file.
.vmem    The virtual machine's memory file, which only exists when the VM is running or a snapshot has been created.
.vmsn    VMware snapshot file, which stores the state of the virtual machine when the snapshot is created.
.vmx     A text file containing the hardware and operating system configuration of the virtual machine.
.vmsd    Metadata of the snapshot.
.vmss    Suspended state file, storing the state of a suspended virtual machine.
.nvram   The virtual machine's BIOS information.
.vmtm    Team configuration data file.
.vmxf    Remaining file when a virtual machine is removed from a team.
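Because the .vmx file of Table II is plain text, the collection step can be scripted from it: the following added example (not code from the paper, and not a VMware tool) parses a constructed .vmx fragment, lists the virtual disk files referenced by present IDE/SCSI devices, and lists the host shared folders the guest can reach, since those host directories must be acquired alongside the VM files. The key names are VMware's; the default for a missing deviceType and the treatment of "rawDisk" as a disk are this example's assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the style of a VMware Workstation .vmx file: a present disk,
# a CD-ROM device, an absent disk, and a shared-folder entry the investigator must look for.
SAMPLE_VMX = '''\
config.version = "8"
ide0:0.present = "TRUE"
ide0:0.fileName = "Windows XP Professional.vmdk"
ide1:0.present = "TRUE"
ide1:0.deviceType = "cdrom-raw"
scsi0:1.present = "FALSE"
scsi0:1.fileName = "old-data.vmdk"
isolation.tools.hgfs.disable = "FALSE"
sharedFolder0.present = "TRUE"
sharedFolder0.enabled = "TRUE"
sharedFolder0.writeAccess = "TRUE"
sharedFolder0.hostPath = "G:\\office"
sharedFolder0.guestName = "office"
'''
_ENTRY = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Turn key = "value" lines into a dict; blank and comment lines are skipped."""
    return {m.group(1): m.group(2) for m in map(_ENTRY.match, text.splitlines()) if m}

def attached_disks(cfg):
    """Disk files referenced by present IDE/SCSI devices: the .vmdk files to acquire."""
    disks = []
    for key, val in cfg.items():
        m = re.match(r"((?:ide|scsi)\d+:\d+)\.present$", key)
        # assumption: deviceType defaults to a virtual disk when absent; CD-ROM devices are skipped
        if m and val == "TRUE" and cfg.get(m.group(1) + ".deviceType", "disk") in ("disk", "rawDisk"):
            disks.append(cfg.get(m.group(1) + ".fileName"))
    return disks

def shared_folders(cfg):
    """Host directories exposed to the guest via shared folders (HGFS); collect them too."""
    if cfg.get("isolation.tools.hgfs.disable", "FALSE") == "TRUE":
        return []  # shared folders disabled for the whole VM
    groups = defaultdict(dict)
    for key, val in cfg.items():
        m = re.match(r"sharedFolder(\d+)\.(\w+)$", key)
        if m:
            groups[int(m.group(1))][m.group(2)] = val
    return [{"hostPath": g.get("hostPath"), "guestName": g.get("guestName"),
             "writable": g.get("writeAccess") == "TRUE"}
            for _, g in sorted(groups.items())
            if g.get("present") == "TRUE" and g.get("enabled") == "TRUE"]
```

A writable shared folder is worth noting in the report: it is a channel through which guest activity may have left files on the host outside the VM directory.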
Sometimes this is not enough, because there may be other files or information residing elsewhere on the host machine, such as shared folders. We should investigate the configuration file (in VMware Workstation, the .vmx file) first to see whether such folders are in use. If any exist, collect them along with the other virtual machine files. Figure 1 shows part of the .vmx file of a virtual machine indicating that a shared folder is in use; the bold italic lines (the sharedFolder0 entries) give the information about the shared folder.

Since the virtual machine files together with the shared folders may have been encrypted by the host system using methods such as EFS and FDE (Full Disk Encryption), we should export the associated encryption keys or certificates from the host if possible.

    usb:1.deviceType = "hub"
    usb:0.deviceType = "mouse"
    floppy0.autodetect = "TRUE"
    ide1:0.autodetect = "TRUE"
    floppy0.startConnected = "FALSE"
    debugStub.winOffsets.version = "7"
    debugStub.winOffsets.value = "0x88,0x84,0x18,0x190,0x174,16,416,0x22c,0x228,0x1f0,0x224,0x20,0x18,0x18,0x20,0x24,4,0x11c,0x8,0x0,0x14,0x100000,0x1b0,0xc,0xc,0x18,0x13c,0x1f4"
    usb.autoConnect.device0 = ""
    isolation.tools.hgfs.disable = "FALSE"
    sharedFolder0.present = "TRUE"
    sharedFolder0.enabled = "TRUE"
    sharedFolder0.readAccess = "TRUE"
    sharedFolder0.writeAccess = "TRUE"
    sharedFolder0.hostPath = "G:\office"
    sharedFolder0.guestName = "office"
    sharedFolder0.expiration = "never"
    sharedFolder.maxNum = "1"
    scsi0:1.present = "FALSE"
    ide0:0.present = "FALSE"

Figure 1. Shared Folder Information in the .vmx File.

After acquiring all needed evidence data, we enter the "Analyze" stage [13] to look for evidence. To use forensic tools that can't deal with virtual machine file formats, third-party tools such as WinMount [14] should be used to convert the virtual machine file formats to formats recognized by those traditional forensic tools. Furthermore, a copy of the acquired virtual machine files can be used to directly boot the virtual machine in a forensic host system; this is discussed in Section 5.

V. USING A VIRTUAL MACHINE AS A FORENSIC TOOL

After acquiring all needed data from the subject machine, we try to analyze them, expecting to find useful information and reach a conclusion as fast as possible. With traditional methods and tools, the analysis is done at the binary or file level, so the efficiency is very low, and very often many valuable things, such as "live" application software activities and the relationships between special file formats and software applications, can't be obtained this way. If we can boot the acquired subject system's OS into a virtual machine using the information stored in the acquired disk and memory images, things will be much different. In this way, we generate a "live" and "restored" subject system, and then we can explore the evidence more easily and observe application software's behavior in real time. Besides, time bombs and booby traps can be found by manipulating the system time of the virtual machine. Then, how can we boot the subject system into a virtual machine, and what steps should be taken?

Different steps should be taken for different evidence types. If the evidence is a cloned physical disk, it can be attached to the forensic host machine through a software (e.g., SAFE Block XP [15]) or hardware write blocker. If it is a raw disk image file, it should first be mounted as a physical disk in the forensic host system; tools such as Mount Image Pro [16] or the VMware Virtual Disk Development Kit [17] can be used to do this. A software or hardware write blocker is also needed in this step to protect the image file. Then we should create a virtual machine based on these just "attached" or "mounted" disks.

The creation of a virtual machine means generating all the files needed by the virtual machine application software
this work automatically now [20]. Figure 2 shows the configuration window of Live View. This tool, together with VMware Workstation and the VMware Virtual Disk Development Kit, can boot the operating system on the subject disk or image file into a virtual machine automatically.

between the virtual machine and the original subject physical machine, there could be a BSOD (Blue Screen of Death) problem when trying to boot the subject system OS into a virtual machine. Resolving these problems may require changing the contents of the subject disk or image file, or more complicated virtual machines should be used to support more devices, and still further research is required.

    virtualHW.version = "7"
    maxvcpus = "4"
    scsi0.present = "TRUE"
    memsize = "512"
    ide0:0.present = "TRUE"
    ide0:0.deviceType = "disk"
    ide0:0.mode = "independent-nonpersistent"
    ide1:0.present = "TRUE"
    ide1:0.fileName = "H:"
    ide1:0.deviceType = "cdrom-raw"
    floppy0.fileType = "device"
    floppy0.fileName = ""
    floppy0.clientDevice = "FALSE"
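The listing above attaches the evidence disk with ide0:0.mode = "independent-nonpersistent", so that anything the booted guest writes goes to a discardable redo log rather than to the evidence. The following added example (this editor's code, not the paper's and not Live View's) builds the equivalent .vmx entries for an evidence disk and checks a configuration for any present disk device that lacks that mode; the key names are VMware's, while the displayName value and the treatment of a missing deviceType as a disk are this example's assumptions.

```python
import re

SAFE_MODE = "independent-nonpersistent"  # guest writes go to a redo log, never to the evidence disk

def boot_vmx(display_name, evidence_disk, memsize_mb=512, hw_version=7):
    """Return the key/value entries of a minimal .vmx that boots evidence_disk non-persistently."""
    return {
        "config.version": "8",
        "virtualHW.version": str(hw_version),
        "displayName": display_name,
        "memsize": str(memsize_mb),
        "ide0:0.present": "TRUE",
        "ide0:0.deviceType": "disk",
        "ide0:0.fileName": evidence_disk,
        "ide0:0.mode": SAFE_MODE,
    }

def render_vmx(cfg):
    """Serialize entries in VMware's key = "value" line format."""
    return "".join(f'{k} = "{v}"\n' for k, v in cfg.items())

def writable_evidence_devices(cfg):
    """Present disk devices whose mode is not independent-nonpersistent.

    Booting with any of these would let the guest (or the VM's snapshot
    machinery) alter the attached evidence disk or image."""
    bad = []
    for key, val in cfg.items():
        m = re.match(r"((?:ide|scsi)\d+:\d+)\.present$", key)
        if not m or val != "TRUE":
            continue
        dev = m.group(1)
        # assumption: a missing deviceType means a disk; CD-ROM devices are not evidence disks
        is_disk = cfg.get(dev + ".deviceType", "disk") in ("disk", "rawDisk")
        if is_disk and cfg.get(dev + ".mode") != SAFE_MODE:
            bad.append(dev)
    return bad

def safe_to_boot(cfg):
    """True when every present disk device is independent-nonpersistent."""
    return writable_evidence_devices(cfg) == []
```

This check complements the write blocker the section calls for rather than replacing it: the blocker protects the evidence from the forensic host, the disk mode protects it from the booted guest.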
ACKNOWLEDGMENT