
2010 International Conference on Computer Application and System Modeling (ICCASM 2010)

Live Digital Forensics in a Virtual Machine

Lei Zhang, Dong Zhang, Lianhai Wang

Lei Zhang: Laboratory of Computer Forensics, Shandong Computer Science Center, Jinan, China, zhanglei@keylab.net
Dong Zhang: Qingdao Technological University, Qingdao, China, zhangdongcute@163.com
Lianhai Wang: Laboratory of Computer Forensics, Shandong Computer Science Center, Jinan, China, wanglh@keylab.net

Abstract: Traditional computer forensics is performed on physical machines, using a set of forensic tools to acquire disk images and memory dumps. But dealing with virtual machines is quite different. Live forensics is used to acquire volatile data and improve efficiency, but how should live forensics be performed on a subject system that hosts virtual machines? This paper discusses how virtual machines can be used both as forensic evidence and as forensic tools, proposes methods for collecting data associated with virtual machines from the host system, and discusses methods and tools for booting the acquired subject system OS into a virtual machine.

Keywords: digital forensics; live forensics; virtual machine; memory acquisition

I. INTRODUCTION

Traditional computer forensics is mainly performed on physical machines. But with the boom in virtualization technology and the popularity of virtual machines among end users for daily work, the probability of virtual machines being used for malicious purposes keeps increasing. So, forensic techniques should keep pace with this new trend. Virtual machines can be used either as the forensic object (the evidence) or as forensic tools. Treated as a forensic object, virtual machines are very different from physical ones. Besides, as disk sizes grow ever larger, acquiring a whole disk image by making a disk clone is very time-consuming and becomes infeasible. Sometimes the only thing of value to the investigator is a few special files, e.g., the files associated with a virtual machine. So the most efficient and feasible way is to perform live forensics on those special files. This paper discusses methods and steps for gathering all the data and files associated with a virtual machine that are needed to perform live forensics.

Virtual machines can also act as forensic tools that let investigators perform forensic work more efficiently and easily [1]. By using a cloned physical disk, a disk image file, or the virtual machine files acquired from the subject machine, investigators can boot the OS inside them into a virtual machine. The investigator can then explore the evidence more conveniently and observe the "live" activities of the application programs of interest. The methods and tools for booting the subject system OS in a virtual machine are discussed in Section 5.

The rest of this paper is organized as follows. General concepts of virtual machines are discussed in Section 2. Section 3 compares live forensics with traditional forensics, discusses the virtues and disadvantages of live forensics, and explains why live forensics should be used to deal with systems that host virtual machines. Section 4 discusses how to perform live forensics on systems that host virtual machines. Section 5 discusses methods and tools for booting the subject system OS into a virtual machine. Section 6 is the conclusion of this paper, together with a discussion of future work.

II. GENERAL CONCEPTS OF VIRTUAL MACHINES

Virtual machines are not new and have been in use for about half a century. The fundamental concept of a virtual machine revolves around a software application that behaves as if it were a true physical computer. The virtual machine application ("guest") runs its own self-contained operating system within the actual machine ("host"). This virtual operating system can be of almost any variant of design. Put more simply, it can be described as a virtual computer running inside a physical computer.

One of the benefits of virtual machines is their ability to operate on nearly any underlying hardware and software configuration. This makes it easy to share and duplicate virtual machines for many purposes, such as software testing. Additionally, one host machine (the actual computer) can run multiple guest machines (virtual machines) at the same time. The host machine and all the virtual machines running in it are logically isolated from each other. Besides, virtual machines can be installed to or removed from the host system easily, and snapshots can be taken at any time and used later to restore the system to an earlier state. So, a virtual machine may be a better choice for testing malicious code or committing cyber crimes, leaving no clues in the host system. In this paper, the focus is on the uses of virtual machines for forensic purposes, both with a virtual machine as the evidence and as an asset in the forensic toolbox. The operating systems referenced in this paper are Microsoft Windows, as it is the most prevalent operating system used worldwide.

III. WHY LIVE FORENSICS

Traditional computer forensics uses the method known as quiescent or static analysis. This means shutting down the subject machine and performing a bit-by-bit copy of all the attached non-volatile storage media [2]. Although this is

978-1-4244-7237-6 /10/$26.00.2010 IEEE V4-328


better to protect the consistency of the evidence, it also results in many drawbacks, such as the shutdown process, unreadable encrypted data, incomplete evidence, and long downtimes [3].

Live forensics gathers data from running subject systems. It can provide additional contextual information such as volatile memory and system states that are not acquirable through static forensics [4]. For systems with large terabyte-scale disks or storage systems such as NAS, SANs or RAID arrays, it is impossible or extremely difficult to make whole disk clones. Live forensics can improve efficiency and minimize the downtime of those mission-critical systems. File or disk encryption functions are integrated into modern operating systems, which may render the acquired data meaningless if the decryption key is unknown [5]. But many encryption tools leave their keys in system memory, where they can be found by key-carving tools [6][7]. So, performing live forensics can improve the probability of acquiring meaningful data. Moreover, some advanced malware exists only in system memory and never writes to disk. This can be an effective way to avoid detection by anti-malware application programs. The runtime information of this kind of malware cannot be acquired through static forensics.

Despite the advantages listed above, live forensics also has several drawbacks. One is that it will damage the integrity of the evidence, since it typically needs to run software application(s) on the subject system, which may overwrite evidence in the subject system's memory. So, investigators should balance efficiency and data quantity against usefulness. Besides, many live forensics tools rely on services provided by the subject system OS, and thus could be cheated by kernel malware, with the acquired data being manipulated or replaced.

Systems that host virtual machines often have large RAM and disks, because they must provide enough resources for each virtual machine to run. So, to deal with such a subject system, the best and most practical way is to perform live forensics. By using proper live forensics tools that run in the host system, live forensics targeting a subject virtual machine will not alter the virtual machine data, since the host and guest machines are logically isolated; this provides better evidence integrity than running forensic tools directly in the virtual machine.

IV. VIRTUAL MACHINES AS FORENSIC EVIDENCE

Unlike physical machine forensics, where the data gathering stage basically means acquiring forensic images through disk cloning or memory dumping, a virtual machine is usually a dozen files residing on the physical computer's hard disk. If the virtual machine is still running, there is also associated memory information in the physical machine's system memory. But how can all these data be obtained forensically? The direct and easiest way is to perform static forensics: shut down the subject system's power, then make a complete disk clone. However, sometimes the whole disk is so large that the time needed to clone it is unbearable, and sometimes the investigator is only interested in part of the contents, e.g. the files associated with a virtual machine, so the most effective and feasible way is to acquire only the needed files. Furthermore, many files, or even the whole disk, may be encrypted by tools such as BitLocker, TrueCrypt, dm-crypt, EFS (Encrypting File System), etc. Thus a virtual machine, which appears as a dozen binary files on the physical machine's hard disk, may also have been encrypted by such tools.

In order to resolve these problems, the investigator should perform live forensics on both the virtual machine and the host physical machine. First of all, according to the rule "gather data in order of volatility" [8], we should dump the physical memory of the host machine, because the volatile data in system memory might be tampered with by the investigator's operations. To achieve this, we can use software-based memory acquisition tools such as Win32dd, Volatility, Responder, F-Response, etc. Hardware-based tools like Tribble [9] or FireWire-based methods [10][11] can also be used if the physical machine has such a device (like Tribble) pre-installed or has such a port (FireWire). Then, if there are virtual machines that are still running, they should be paused first; this halts the virtual machine and preserves its memory and system state on the host system's hard disk. Then, if acquiring the whole disk image is difficult and the only valuable thing is the virtual machine data, we get all the virtual machine files generated by the virtualization application (e.g., VMware Workstation [12]) out of the host machine's hard disk; generally this includes some or all of the files listed in Table 1. Table 2 shows the meaning of each file type used by VMware Workstation.

TABLE I. FILES GENERATED BY DIFFERENT VIRTUAL MACHINE APPLICATIONS AND THEIR LOCATIONS

Virtual Machine Application | Virtual Machine Files | File Locations in a Windows 7 host system
VMware Workstation | .vmdk, .log, .vmem, .vmsn, .vmx, .vmsd, .vmss, .nvram, .vmtm, .vmxf | 1. User defined virtual machine folder (like "D:\My Virtual Machine\Windows XP"); 2. \Users\"User name"\VMware; 3. \ProgramData\VMware
Sun VirtualBox | .vdi, .sav, .log, .xml | 1. User defined virtual machine folder; 2. \.VirtualBox; 3. \.VirtualBox\Machines\"VM name"; 4. \.VirtualBox\Machines\"VM name"\Snapshots; 5. \.VirtualBox\Machines\"VM name"\Logs
Windows Virtual PC | .vhd, .vsv, .vmc, .vmcx, .xml | 1. User defined virtual machine folder; 2. \Users\"User name"\AppData\Local\Microsoft\Windows Virtual PC; 3. \Users\"User name"\AppData\Local\Microsoft\Windows Virtual PC\Virtual machine
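An added example, not code from the paper, that turns Table 1 into a collection inventory: it walks the Table 1 locations of a Windows 7 host (assumed here to be relative to the system drive and user profile passed in, plus any user-defined VM folders), identifies virtual machine files by the extensions listed for each application, hashes each file for the evidence record, and separates the guest memory and saved-state files that the order-of-volatility rule of Section IV says to collect first.

```python
import hashlib
from pathlib import Path

# File types from Table 1, keyed by the application that produces them.
VM_FILE_TYPES = {
    "VMware Workstation": {".vmdk", ".log", ".vmem", ".vmsn", ".vmx", ".vmsd",
                           ".vmss", ".nvram", ".vmtm", ".vmxf"},
    "Sun VirtualBox": {".vdi", ".sav", ".log", ".xml"},
    "Windows Virtual PC": {".vhd", ".vsv", ".vmc", ".vmcx", ".xml"},
}
# Guest memory and saved-state files: under the order-of-volatility rule these
# are collected before the disk images and configuration files.
VOLATILE_TYPES = {".vmem", ".vmss", ".vmsn", ".sav", ".vsv"}


def default_roots(system_drive, user_name, vm_folders=()):
    """Table 1 locations on a Windows 7 host (assumed relative to the system
    drive and the user's profile) plus any user-defined VM folders."""
    drive = Path(system_drive)
    user = drive / "Users" / user_name
    return [Path(p) for p in vm_folders] + [
        user / "VMware",
        drive / "ProgramData" / "VMware",
        user / ".VirtualBox",
        user / "AppData" / "Local" / "Microsoft" / "Windows Virtual PC",
    ]


def sha256_of(path):
    """Hash in chunks so multi-gigabyte .vmdk/.vmem files are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory(roots):
    """Return (volatile, other): lists of (path, applications, sha256) for every
    Table 1 file type found under the given roots; missing roots are skipped."""
    volatile, other = [], []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for path in sorted(root.rglob("*")):
            if not path.is_file():
                continue
            ext = path.suffix.lower()
            # .log and .xml belong to more than one application, so keep all matches
            apps = sorted(app for app, exts in VM_FILE_TYPES.items() if ext in exts)
            if not apps:
                continue
            record = (str(path), apps, sha256_of(path))
            (volatile if ext in VOLATILE_TYPES else other).append(record)
    return volatile, other
```

The records in `volatile` are the ones to copy off the host first; `.log` and `.xml` hits list every application they could belong to, since Table 1 assigns them to more than one.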


TABLE II. ACQUIRED VMWARE VIRTUAL MACHINE FILES AND THEIR MEANINGS

VMware Virtual Machine Files | Meanings
.vmdk | Virtual hard disk of the virtual guest operating system; may be of dynamic or fixed size.
.log | The virtual machine's log file.
.vmem | A virtual machine's memory file, which only exists when the VM is running or a snapshot has been created.
.vmsn | VMware snapshot file, which stores the state of the virtual machine when the snapshot is created.
.vmx | A text file containing the hardware and operating system configuration of the virtual machine.
.vmsd | Metadata of the snapshot.
.vmss | Suspended state file, storing the state of a suspended virtual machine.
.nvram | The virtual machine's BIOS information.
.vmtm | Team configuration data file.
.vmxf | File remaining after a virtual machine is removed from a team.

Sometimes this is not enough, because there may be other files or information residing in other places on the host machine, such as shared folders. We should investigate the configuration file (in VMware Workstation, the .vmx file) first to see whether such folders are in use. If one exists, capture it along with the other virtual machine files. Figure 1 shows part of the .vmx file of a virtual machine that indicates a shared folder is in use; the bold italic lines (the sharedFolder entries) give the information about the shared folder.

Since the virtual machine files together with shared folders may have been encrypted by the host system using methods such as EFS and FDE (Full Disk Encryption), we should export the associated encryption keys or certificates from the host if possible.

usb:1.deviceType = "hub"
usb:0.deviceType = "mouse"
floppy0.autodetect = "TRUE"
ide1:0.autodetect = "TRUE"
floppy0.startConnected = "FALSE"
debugStub.winOffsets.version = "7"
debugStub.winOffsets.value = "0x88,0x84,0x18,0x190,0x174,16,416,0x22c,0x228,0x1f0,0x224,0x20,0x18,0x18,0x20,0x24,4,0x11c,0x8,0x0,0x14,0x100000,0x1b0,0xc,0xc,0x18,0x13c,0x1f4"
usb.autoConnect.device0 = ""
isolation.tools.hgfs.disable = "FALSE"
sharedFolder0.present = "TRUE"
sharedFolder0.enabled = "TRUE"
sharedFolder0.readAccess = "TRUE"
sharedFolder0.writeAccess = "TRUE"
sharedFolder0.hostPath = "G:\office"
sharedFolder0.guestName = "office"
sharedFolder0.expiration = "never"
sharedFolder.maxNum = "1"
scsi0:1.present = "FALSE"
ide0:0.present = "FALSE"

Figure 1. Shared Folder Information in the .vmx File.

After acquiring all needed evidence data, we enter the "Analyze" stage [13] to look for evidence. To use forensic tools that cannot handle virtual machine file formats, third-party tools such as WinMount [14] should be used to convert the virtual machine file formats into formats that those traditional forensic tools can recognize. Furthermore, a copy of the acquired virtual machine files can be used to boot the virtual machine directly on a forensic host system, as discussed in Section 5.

V. USING A VIRTUAL MACHINE AS A FORENSIC TOOL

After acquiring all needed data from the subject machine, we try to analyze it, expecting to find useful information and reach a conclusion as fast as possible. Using traditional methods and tools, we do the analysis work at the binary or file level, so the efficiency is very low, and very often many valuable things, such as "live" application software activities and the relationships between special file formats and software applications, cannot be obtained this way. If we can boot the acquired subject system's OS into a virtual machine by using the information stored in the acquired disk and memory images, things will be much different. In this way, we generate a "live" and "restored" subject system, and then we can explore evidence more easily and observe application software's behavior in real time. Besides, time bombs and booby traps can be found by manipulating the system time of the virtual machine. Then, how can we boot the subject system into a virtual machine, and what steps should be taken?

Different steps should be taken for different evidence types. If the evidence is a cloned physical disk, it can be attached to the forensic host machine through a software (e.g., SAFE Block XP [15]) or hardware write blocker. If it is a raw disk image file, it should first be mounted as a physical disk on the forensic host system; tools such as Mount Image Pro [16] or the VMware Virtual Disk Development Kit [17] can be used to do this. A software or hardware write blocker is also needed in this step to protect the image file. Then we should create a virtual machine based on these just "attached" or "mounted" disks. The creation of a virtual machine means generating all the files needed by the virtual machine application software


and adjusting the virtual machine configuration to adapt to the subject operating system's settings. Several tools like VFC (Virtual Forensic Computing) [18] and Live View [19] can now do this work automatically [20]. Figure 2 shows the configuration window of Live View. This tool, together with VMware Workstation and the VMware Virtual Disk Development Kit, can boot the operating system on the subject disk or image file into a virtual machine automatically.

However, because of the substantial hardware differences between the virtual machine and the original subject physical machine, a BSOD (Blue Screen of Death) may occur when trying to boot the subject system OS into a virtual machine. Resolving these problems may require changing the contents of the subject disk or image file, or using more sophisticated virtual machines that support more devices; further research is still required.

If what we have is a set of virtual machine files, we can use a copy of them to boot the subject virtual machine directly. A few changes can be made to the virtual machine's configuration file to make the virtual disk image read-only. Open the .vmx file and modify or add the entry labeled ide0:0.mode to:
ide0:0.mode = "independent-nonpersistent".

Sample .vmx file
.encoding = "GBK"
config.version = "8"
virtualHW.version = "7"
maxvcpus = "4"
scsi0.present = "TRUE"
memsize = "512"
ide0:0.present = "TRUE"
ide0:0.fileName = "Windows XP Professional.vmdk"
ide0:0.deviceType = "disk"
ide0:0.mode = "independent-nonpersistent"
ide1:0.present = "TRUE"
ide1:0.fileName = "H:"
ide1:0.deviceType = "cdrom-raw"
floppy0.fileType = "device"
floppy0.fileName = ""
floppy0.clientDevice = "FALSE"

Figure 3. Configurations in the .vmx File with a Read-only Virtual Hard Disk.

In this way the subject virtual machine can be booted and analyzed repeatedly without changing the original virtual disk file.
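The .vmx inspection of Section IV (the shared folder entries of Figure 1) and the read-only disk change just described, worked through as one added example; the script is not from the paper or from VMware, its sample .vmx text is constructed from the keys shown in Figures 1 and 3, and it generalizes the ide0:0 case to any ide/scsi/sata device.

```python
import re

# Constructed sample modelled on the .vmx fragments in Figures 1 and 3 (not a real evidence file).
SAMPLE_VMX = r'''.encoding = "GBK"
config.version = "8"
memsize = "512"
nvram = "Windows XP Professional.nvram"
ide0:0.present = "TRUE"
ide0:0.fileName = "Windows XP Professional.vmdk"
ide0:0.deviceType = "disk"
ide1:0.present = "TRUE"
ide1:0.fileName = "H:"
ide1:0.deviceType = "cdrom-raw"
scsi0:1.present = "FALSE"
scsi0:1.fileName = "old-data.vmdk"
sharedFolder0.present = "TRUE"
sharedFolder0.enabled = "TRUE"
sharedFolder0.hostPath = "G:\office"
sharedFolder0.guestName = "office"
'''
# One .vmx entry per line:  key = "value"
VMX_LINE = re.compile(r'^\s*([\w.:\-]+)\s*=\s*"(.*)"\s*$')
DISK_KEY = re.compile(r'^((?:ide|scsi|sata)\d+:\d+)\.fileName$')
SHARE_KEY = re.compile(r'^(sharedFolder\d+)\.hostPath$')


def parse_vmx(text):
    """Return {key: value}; lines that are not key = "value" are ignored."""
    cfg = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def is_true(cfg, key):
    return cfg.get(key, "FALSE").upper() == "TRUE"


def evidence_paths(cfg):
    """Return (disk files, shared-folder host paths) to collect: present disk
    devices only (a cdrom-raw device is a host drive), enabled shares, and nvram."""
    disks, shares = [], []
    for key, value in cfg.items():
        m = DISK_KEY.match(key)
        if m and is_true(cfg, m.group(1) + ".present") \
                and cfg.get(m.group(1) + ".deviceType", "disk") == "disk":
            disks.append(value)
        m = SHARE_KEY.match(key)
        if m and is_true(cfg, m.group(1) + ".enabled"):
            shares.append(value)
    if "nvram" in cfg:
        disks.append(cfg["nvram"])
    return disks, shares


def make_nonpersistent(text, device="ide0:0"):
    """Copy of the .vmx text with <device>.mode forced to independent-nonpersistent
    (the Section V change); replaces the entry if present, appends it otherwise."""
    key = device + ".mode"
    new_line = key + ' = "independent-nonpersistent"'
    out, replaced = [], False
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m and m.group(1) == key:
            out.append(new_line)
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(new_line)
    return "\n".join(out) + "\n"
```

Run `evidence_paths` on the acquired .vmx before copying files off the host, and apply `make_nonpersistent` only to the working copy that will be booted, never to the acquired original.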
Part of the changed .vmx file is shown in Figure 3; the two bold italic lines are the changes that were made.

[Figure 2. The Configuration Window of Live View. The Live View 0.7b window offers the VM initialization parameters (RAM size, system time, operating system on the image with auto-detect), the choice of image file(s) or a physical disk, the output directory for the VM configuration files, and the actions "Launch My Image" or "Generate Config Only".]

VI. CONCLUSIONS AND FUTURE WORK

Virtualization brings the computer forensics world both challenges and opportunities: how to perform live forensics on virtual machines, and how to use virtual machines to perform forensic work more efficiently.

With the methods proposed in this paper, together with memory analysis technologies, investigators can perform live forensics on virtual machines. By gathering all the files generated by the virtual machine application software, investigators can capture the whole subject virtual machine while protecting the integrity of the evidence.

By using the virtual machine as a forensic tool, the subject system OS can be booted into a virtual machine; the investigator can then perform investigative work in a live system, directly and repeatedly, and efficiency is improved.

However, these methods are only proofs of concept at present, and a lot of additional work should be done to make them more applicable to different conditions; how to use the acquired subject system memory information to reconstruct the on-the-spot state of the subject machine is still under research.

Future work should also focus on how to perform live forensics on the subject machine with minimum damage to the host system data, how to deal with the BSOD problem when trying to boot the subject system OS in a virtual machine, and how to use memory analysis technologies to address file or disk encryption problems.

ACKNOWLEDGMENT

We would like to express thanks to the following people, who assisted in the proofing, testing and live demonstrations of the methods described above. Shandong Computer Science Center: Ruichao Zhang, Qiuxiang Guo, and Yang Zhou.


REFERENCES

[1] M. A. Penhallurick, "Methodologies for the use of VMware to boot cloned/mounted subject hard disk images," Digital Investigation, Volume 2, Issue 3, 2005, pp. 209-222.
[2] C. L. T. Brown, Computer Evidence: Collection & Preservation, Hingham, MA: Charles River Media, 2005.
[3] B. Hay, M. Bishop, and K. Nance, "Live Analysis: Progress and Challenges," IEEE Security and Privacy, vol. 7, Mar. 2009, pp. 30-37.
[4] F. Adelstein, "Live forensics: Diagnosing Your System Without Killing It First," Communications of the ACM 49, 2 (Feb. 2006), pp. 63-66.
[5] E. Casey, "The impact of full disk encryption on digital forensics," ACM SIGOPS Operating Systems Review, Volume 42, Issue 3, 2008, pp. 93-98.
[6] J. A. Halderman, S. D. Schoen, N. Heninger, W. Clarkson, W. Paul, J. A. Calandrino, et al., "Lest we remember: cold boot attacks on encryption keys," USENIX Security '08 Proceedings, 2008, pp. 45-60.
[7] C. Maartmann-Moe, S. E. Thorkildsen, and André Årnes, "The persistence of memory: Forensic identification and extraction of cryptographic keys," Digital Investigation, Volume 6, Supplement 1, September 2009, pp. S132-S140.
[8] D. Farmer and W. Venema, Forensic Discovery, Addison-Wesley Professional, 2004.
[9] B. Carrier and J. Grand, "A Hardware-based Memory Acquisition Procedure for Digital Investigations," Digital Investigation, Volume 1, Issue 1, February 2004, pp. 50-60.
[10] M. Dornseif, "FireWire - all your memory are belong to us," http://md.hudora.de/presentations/.
[11] A. Boileau, "Hit by a Bus: Physical Access Attacks with Firewire," Security-Assessment.com, 2006, www.security-assessment.com/files/presentations/ab_firewire_rux2k6-final.pdf.
[12] VMware, Inc., "VMware Workstation," http://www.vmware.com/products/workstation/, May 2010.
[13] W. G. Kruse II and J. G. Heiser, Computer Forensics: Incident Response Essentials, 1st ed., Addison-Wesley Professional, 2002.
[14] WinMount International Inc., "WinMount," http://www.winmount.com/, May 2010.
[15] ForensicSoft, "SAFE Block XP," http://www.forensicsoft.com/, May 2010.
[16] GetData, "Mount Image Pro," http://www.mountimage.com/, May 2010.
[17] VMware, Inc., "VMware Virtual Disk Development Kit," http://www.vmware.com/support/developer/vddk/, May 2010.
[18] MD5 Ltd., "Virtual Forensic Computing," http://www.md5.uk.com/, May 2010.
[19] CERT, "Live View," http://liveview.sourceforge.net/, May 2010.
[20] D. Bem and E. Huebner, "Computer forensic analysis in a virtual environment," International Journal of Digital Evidence, vol. 6, 2007.

