Digital Forensic Investigation for Virtual Machines
Smita V. Khangar
Department of Computer Science
G.H.R.C.E
Nagpur, India
smita146@gmail.com
Dr. Rajiv V. Dharaskar
Professor in Department of Computer Science
G.H.R.C.E
Nagpur, India
rvdharaskar@rediffmail.com
Abstract—The fundamental approach to digital forensics is static analysis, which involves analysing data preserved on permanent storage media. When a system is examined by static analysis alone, it does not provide the complete scenario of the event. Thus a virtual machine is created from the static data to help in collecting the evidence. The introduction of virtual machines enables a much simpler way of investigation. The use of virtualization technology is continuously growing in the commercial area. Therefore, instead of only using virtual machines for forensic examination, the virtual environment itself needs to be examined. Investigation can be done without violating the data collected as evidence, since a virtual desktop can be made into a forensic platform. This paper discusses investigation in a virtualized environment. Investigation in a virtual environment is, however, simpler than investigating a physical environment.
Keywords—Digital Forensics; Virtualization; VMware; Virtual Disk Image; Computer Evidence.
I. INTRODUCTION
Traditionally, digital forensics focuses on developing and implementing proper techniques and tools to collect and analyse the data stored on physical drive(s). Today's commercial environment demands large storage space and advanced computing resources. Hence virtualization technology is a major focus of the whole commercial environment, from data centres to virtual desktops. Use of the virtual environment is growing towards the development of new applications. Thus the need to examine the virtual environment is essential [1]. The commercial product "VMware" [2] is used to describe the methodology behind virtual machines. Applications of the virtual environment in the various phases of digital investigation are examined. The original environment acquired by VMware may differ from that of the physical computer during the investigation. Analysis of the evidence using VMware may alter the evidence, and there is a difference between the original and the virtual machine.
Investigation in a virtual environment has several issues regarding static analysis. While doing a digital forensic investigation, the original data must be preserved. Forensically acquired copies of images are made in both conventional and virtual environments. The original copy of the image is protected as evidence and multiple copies are made from the original. An image of the virtual disk can be made using forensic tools and analysed in the virtual environment. Recovery of deleted files is possible to some extent. Imaging terabytes of data may take several hours.
A conventional digital forensic investigation can be broken into four major steps: access, acquire, analyse and report [3]. During the access phase, the investigator proceeds to the crime scene and records details. In the acquisition phase, the investigator copies all data from the running system to save the content of volatile data, powers down the system and creates a forensic image of all storage devices. The forensic image can be made using dd-based tools such as EnCase [4] and FTK Imager [5]. The forensic image of the storage device is created bit by bit in this phase; this image is a duplicate copy of the original [6]. Analysis of the relevant data is performed, and the end result is the report, which may be produced in a court of law.
The goal of this paper is to discuss the various problems encountered while investigating in a virtual environment. Section II gives an overview of virtual machines. Section III identifies the challenges in collecting evidence in a virtual environment. Section IV discusses static analysis of virtual machines. Section V focuses on Virtual Hard Disk (VHD) formats. The conclusion is given in Section VI.
II. VIRTUAL MACHINE OVERVIEW
Virtualization appeared in the mid-1960s with the use of mainframe computers, when IBM was experimenting with virtual machines [1]. There are several benefits of virtualization. As power is becoming expensive and the trend is shifting towards green IT, virtualization offers cost benefits, server consolidation, testing and a lot more.
Ideally, a virtual machine (VM) is a virtual computer inside a physical computer. VMs are exactly similar to physical machines. A VM revolves around a software application that behaves like a physical computer and shares all the underlying resources such as CPU and memory. Multiple operating systems can reside on the same computer with strong isolation from each other. Virtualization can be explained through the virtual machine monitor (VMM). The VMM has total control of the system resources, and the speed degradation is low compared with a physical machine. The VMM is responsible for running the guest operating system on the host operating system [7].
A virtual desktop used in forensic analysis has a lot of potential. Virtual desktops are used to boot the forensic image of a medium in a virtual environment; this is a major advantage of the virtual desktop. Although the virtual machine is a powerful tool, it requires some additional resources. Booting the image into a VM can help the computer technician to conduct a preliminary investigation on the collected evidence. VMs are exactly identical to physical machines and simulate all the underlying hardware resources during creation of the VM. However, there are certain limits. An added benefit is that visual inspection of the operating system is much easier [7]. There are several categories of virtualization, including full virtualization and paravirtualization [8].
2011 3rd International Conference on Computer Modeling and Simulation (ICCMS 2011)
978-1-4244-9243-5/11/$26.00 © 2011 IEEE
III. COLLECTING EVIDENCE FOR VIRTUAL MACHINES
This section discusses the challenges in collecting evidence from a VM. While collecting evidence in a virtual environment, the process varies from vendor to vendor, VMware being one example. While collecting data from a VM, look for the files created on the physical machine. Forensic acquisition is not limited only to hard drives. Distributed storage systems hold huge volumes of information that require more specific tools and equipment [9]. The investigator should have a well-known structure for handling the data. Depending upon the VM product used to create the virtual environment, there are several files of interest, such as configuration files and log files, which are described in the next section.
By interacting with the Virtual Machine File System (VMFS), recovery of data is possible [9]. Whenever investigation of the files is carried out on the running system, things tend to get more complicated. Recovery of volatile data from a VM is gaining a lot of attention these days. The forensic examiner needs to carefully collect data from the running system; improper handling of the data may cause irreversible loss. Depending upon the type of case, different forensic tools are used. In cases where the investigators have full legal authority to seize data, the system needs to be shut down. In some cases, where the client itself is the victim, investigators may follow the general approach to analyse the data.
IV. STATIC ANALYSIS OF VIRTUAL MACHINE
Analysis of a virtual disk image involves several constraints, the most important being that the original evidence should not be altered by any means during the investigation, so that it remains acceptable in a court of law. While booting the image in another environment, the different hardware configuration creates a chance of overwriting the content of the disk. Thus a virtual machine is created from the acquired image for investigation. However, this image cannot be immediately booted in a VM, as some changes to the content of the image might be required, and such a changed image is of no use as forensic evidence in a court of law.
This issue can be solved by forensic tools such as "Live View" [10], created by CERT. Live View is a forensic tool which allows creating a VM from a physical disk or an image of a virtual disk. It can mount the write-protected image without alteration. It is not applicable to all virtual environments, though. It can boot images into Windows and Linux environments from a full physical disk, a disk attached via USB, or a specialized image using mounting software [11].
A. Files generated by VMware
In most investigation cases, the suspect used a VM for illegal activities and later deleted it. The VMware environment creates a set of files on the host operating system; the VM appears as a set of files. These files are important while investigating a VM [12]. During creation of a VM, several important files are generated at the user-specified location. These files include:
a) .VMX: The primary configuration file, which stores the VM settings and configuration chosen in the New Virtual Machine wizard.
b) .VMXF: A supplemental configuration file, which stores the features and settings chosen in VMware Workstation to allow grouping of VMs into a team. This file remains on the physical disk if the VM is removed from the team.
c) .VMSD: A snapshot descriptor file, which maintains all metadata about the snapshots. This file is empty at the time of creation of a new machine.
d) .VMDK: A virtual disk file containing the layout, structure and properties of the disk. It represents the storage used by the disk. If the VM is directly connected to a physical disk, it also stores information about the partitions maintained by the VM.
e) .LOG: Contains information, configuration and run-time messages. This file is useful as it keeps the logs of VMware Workstation.
f) .NVRAM: Contains the VM's BIOS settings.
g) .VSWP: When the VM needs additional memory, this swap file of physical memory will be used.
h) .VMSS: A suspended-state file representing the state of a paused or suspended VM. Whenever the VM is in the suspended state, .VSWP is deleted.
Figure 1. Files created by VMware
Figure 1 shows the files created by VMware on the host drive. When the VM is resumed from a suspended state, the .VMSS file remains and the .VSWP file is regenerated. While taking a snapshot of the VM, the previously empty .VMSD file is filled with information about the new snapshot. A .VMSN file is generated, containing the running state of the VM; if specified in the snapshot menu, it contains the memory content of the VM. A snapshot descriptor file (.VMSD) and redo logs (.VMDK) are generated to represent changes made after generation of the snapshot. The original .VMDK disk descriptor is untouched, to provide a forensically sound image file. After shutting down a VM, the .VSWP and .VMSS files are deleted [12].
B. Virtual Machine Imaging
Most forensic investigation is done by static analysis using the image acquisition process, using that image to create the virtual environment as the suspect used it. But this does not help the investigator look inside the virtual environment. Instead, the investigator can mount the environment to examine the files inside it. As mentioned before, VMs are sets of files which can be easily created or deleted. Forensic tools like FTK Imager and Live View are compatible with VMware. Most VM products provide the facility of capturing a snapshot of the VM; this concept is analogous to a Windows restore point [7]. Snapshots generate a hierarchical structure, and reconstruction from a snapshot must locate all the snapshots. Snapshots can be reverted if the VM is not working correctly. However, the reverted state is not limited to the network and operating system versions. The VM allows the snapshot to be stored at a specified location.
C. Analysis of VMware Snapshots
Snapshots contain information about the VM. A snapshot describes the current and changed state of the machine. It generates an image of the running machine's memory, stored in the .VMSN file. If a snapshot exists, there may be evidence in these files. Taking a snapshot ensures that any changes made to the VM after the snapshot are not made on the original media. Information in the redo log files preserves the content of the disk image file as it was before the snapshot was generated. These redo log files play an important role during the investigative steps, together with the generated memory images and snapshots. The redo-log .VMDK file is deleted automatically whenever the snapshot is deleted or reverted. The .VSWP file is locked while the machine is running; this file can be captured if the partition on which .VSWP resides is imaged [9]. The original virtual disk can be verified using hash values after creating the snapshot: the system writes the data to the log file, preserving the original image.
Files like .VSWP and .VMSS are deleted during the VM's lifecycle. They include valuable resources and can be recovered from VMFS. Whenever a suspect was doing illegal activity in a VM, deleting the log files can hide the data; in such cases these files can be the best source for investigation. Tools like "Compare VMware Snapshots" [13] are used to investigate VMware snapshots. It is a string comparison tool which searches for hidden data.
A .VMEM file is a backup of the guest's memory on the host machine. If the memory option is selected while taking a snapshot, this file is included in the snapshot. Forensic tools like Memparser [14] and Volatility [15] are used for investigating .VMEM files [16].
Figure 2. VMware's Snapshot Manager window
Figure 2 shows snapshot creation in VMware [7].
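As an added illustration of the file set listed in Section IV.A and the snapshot chain and hash check described in this section (this is example code, not code from the paper or from VMware), the following Python script builds a constructed sample VM directory, inventories it by the file roles listed above, parses the .vmx to find the active disk, follows each .vmdk descriptor's parentCID/parentFileNameHint link back to the base disk, and records the base descriptor's SHA-256 so an examiner can re-check later that snapshot activity left it untouched. The file contents, names and CID values are constructed for the example; the descriptor keywords (CID, parentCID, parentFileNameHint, createType) are those of the VMDK descriptor format, and the assumed directory listing stands in for Figure 1.

```python
import hashlib
import os
import re
import tempfile

# Constructed sample files (not real VMware artefacts); CID values and names are
# made up, the keywords follow the VMDK descriptor syntax.
BASE_VMDK = """# Disk DescriptorFile
version=1
CID=1a2b3c4d
parentCID=ffffffff
createType="monolithicSparse"
# Extent description
RW 4192256 SPARSE "suspect.vmdk"
"""
SNAP_VMDK = """# Disk DescriptorFile
version=1
CID=9e8f7a6b
parentCID=1a2b3c4d
parentFileNameHint="suspect.vmdk"
createType="monolithicSparse"
# Extent description
RW 4192256 SPARSE "suspect-000001.vmdk"
"""
VMX = """displayName = "suspect"
scsi0:0.fileName = "suspect-000001.vmdk"
nvram = "suspect.nvram"
"""

# Role of each file type on the host, as listed in Section IV.A.
ROLES = {".vmx": "primary configuration", ".vmxf": "supplemental configuration",
         ".vmsd": "snapshot metadata", ".vmdk": "virtual disk / redo log",
         ".log": "Workstation log", ".nvram": "BIOS settings",
         ".vswp": "swap (VM was running)", ".vmss": "suspended state",
         ".vmsn": "snapshot state", ".vmem": "guest memory backup"}

_KV = re.compile(r'^\s*([^#=\s]+)\s*=\s*"?([^"]*)"?\s*$')

def parse_kv(text):
    """Parse the key = "value" lines shared by .vmx files and .vmdk descriptors."""
    return {m.group(1): m.group(2)
            for m in (_KV.match(line) for line in text.splitlines()) if m}

def read_kv(vmdir, name):
    with open(os.path.join(vmdir, name), "rb") as f:
        return parse_kv(f.read().decode())

def inventory(vmdir):
    """Map every file in the VM directory to the role its extension implies."""
    return {f: ROLES.get(os.path.splitext(f)[1].lower(), "unknown")
            for f in sorted(os.listdir(vmdir))}

def snapshot_chain(vmdir, leaf):
    """Walk parentFileNameHint links from the active disk back to the base disk,
    checking that each child's parentCID matches its parent's CID."""
    chain, name = [], leaf
    while True:
        d = read_kv(vmdir, name)
        chain.append(name)
        if d.get("parentCID", "ffffffff") == "ffffffff":  # base disk reached
            return chain
        parent = d["parentFileNameHint"]
        if read_kv(vmdir, parent).get("CID") != d["parentCID"]:
            raise ValueError(f"{name}: parentCID does not match CID of {parent}")
        name = parent

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def check_unchanged(vmdir, name, expected_hex):
    """Re-hash a file and compare with the value recorded at acquisition."""
    return sha256_file(os.path.join(vmdir, name)) == expected_hex

def build_sample_vm():
    """Write the constructed files to a temporary directory; an empty .vmss
    stands in for a VM that was left suspended."""
    vmdir = tempfile.mkdtemp()
    for fname, data in (("suspect.vmx", VMX), ("suspect.vmdk", BASE_VMDK),
                        ("suspect-000001.vmdk", SNAP_VMDK), ("suspect.vmss", "")):
        with open(os.path.join(vmdir, fname), "wb") as f:
            f.write(data.encode())
    return vmdir

def examine(vmdir, vmx_name="suspect.vmx"):
    """Which disk the VM boots from, its snapshot chain, the base disk's hash
    and whether a suspended-state file is present."""
    vmx = read_kv(vmdir, vmx_name)
    chain = snapshot_chain(vmdir, vmx["scsi0:0.fileName"])
    files = inventory(vmdir)
    return {"display_name": vmx["displayName"], "chain": chain,
            "base_sha256": sha256_file(os.path.join(vmdir, chain[-1])),
            "suspended": any(f.endswith(".vmss") for f in files), "files": files}

if __name__ == "__main__":
    print(examine(build_sample_vm()))
```

The chain walk stops at the first descriptor whose parentCID is ffffffff, which is how a base disk is marked; a mismatch between a child's parentCID and the parent's CID is reported rather than silently followed, since that is exactly the condition under which the base disk would have been modified after the snapshot was taken.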
V. VHD FORMATS
When examining a virtual environment, VHD formats have different specifications than the physical environment. As virtualization is a growing area, all modern operating systems support this technique. The VHD formats supported by Microsoft Virtual Server include the fixed hard disk image, the dynamic hard disk image and the differencing hard disk image. A fixed hard disk image file is allocated at the same size as the disk. A dynamic hard disk image is allocated for a large data size. A differencing hard disk image is a VHD that is compared with the original image; since the differencing hard disk stores the locator of the original file, when such a file is opened in a VM the original disk is also opened. The data offset field within dynamic and differencing disk images provides additional information. The first sector of a VHD is the Master Boot Record (MBR), which is used to determine the partitions in the virtual disk [17].
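As an added example that is not part of the paper, the following Python script parses the structures the paragraph above names: the VHD footer (cookie, disk type, data offset field, checksum) and the MBR partition table in the first sector of a fixed image. It constructs a small fixed VHD in memory so that it runs offline; the field layout follows the Microsoft VHD specification [17], while the build_fixed_vhd and parse_vhd names, the creator tag and the sample partition are assumptions made for this example. It goes one step beyond the text by also validating the footer checksum, which tells an examiner whether the footer being read is intact.

```python
import struct
import uuid

# VHD footer: 512 bytes at the end of every VHD image (Microsoft VHD spec).
# Fields: cookie, features, version, data_offset, timestamp, creator_app,
# creator_ver, creator_os, original_size, current_size, geometry, disk_type,
# checksum, unique_id, saved_state, reserved.
FOOTER = struct.Struct(">8sIIQI4sI4sQQIII16sB427s")
DISK_TYPES = {0: "none", 2: "fixed", 3: "dynamic", 4: "differencing"}
MBR_ENTRY = struct.Struct("<B3sB3sII")  # status, CHS start, type, CHS end, LBA, count
SECTOR = 512

def footer_checksum(footer):
    """One's complement of the byte sum with the checksum field (offset 64) zeroed."""
    zeroed = footer[:64] + b"\0\0\0\0" + footer[68:]
    return (~sum(zeroed)) & 0xFFFFFFFF

def parse_mbr(sector):
    """Partition table at offset 446: four 16-byte entries, 0x55AA signature."""
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing MBR signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = MBR_ENTRY.unpack_from(sector, 446 + 16 * i)
        if ptype:  # an empty slot has partition type 0
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return parts

def parse_vhd(data):
    """Read and validate the footer; for a fixed disk also parse the MBR, which is
    the first sector of the file. For dynamic/differencing disks the first 512
    bytes are a copy of the footer and sector 0 lives in the block data reached
    through the dynamic disk header that data_offset points at."""
    footer = data[-SECTOR:]
    f = FOOTER.unpack(footer)
    cookie, data_offset, current_size, disk_type, checksum = f[0], f[3], f[9], f[11], f[12]
    if cookie != b"conectix":
        raise ValueError("not a VHD footer")
    result = {"disk_type": DISK_TYPES.get(disk_type, f"unknown({disk_type})"),
              "current_size": current_size,
              "checksum_ok": checksum == footer_checksum(footer),
              "data_offset": None if data_offset == 0xFFFFFFFFFFFFFFFF else data_offset,
              "partitions": None}
    if disk_type == 2:
        result["partitions"] = parse_mbr(data[:SECTOR])
    return result

def build_fixed_vhd(n_sectors, partition_type=0x07):
    """Constructed fixed VHD (sample data for this example): an MBR with one
    partition covering sectors 1..n-1, zero-filled sectors, then a footer whose
    checksum is computed the way the spec prescribes."""
    mbr = bytearray(SECTOR)
    MBR_ENTRY.pack_into(mbr, 446, 0x80, b"\0\0\0", partition_type, b"\0\0\0", 1, n_sectors - 1)
    mbr[510:512] = b"\x55\xaa"
    size = n_sectors * SECTOR
    geometry = (1 << 16) | (1 << 8) | n_sectors  # cylinders=1, heads=1, sectors/track=n
    fields = [b"conectix", 2, 0x00010000, 0xFFFFFFFFFFFFFFFF, 0, b"py  ", 0x00010000,
              b"Wi2k", size, size, geometry, 2, 0, uuid.uuid4().bytes, 0, b"\0" * 427]
    footer = FOOTER.pack(*fields)
    fields[12] = footer_checksum(footer)
    return bytes(mbr) + b"\0" * (size - SECTOR) + FOOTER.pack(*fields)

if __name__ == "__main__":
    print(parse_vhd(build_fixed_vhd(8)))
```

For a fixed image the data offset field holds all ones and the MBR sits at byte 0 of the file, so the partition table can be read directly; for the dynamic and differencing types the same footer still identifies the image, but the MBR must be located through the data offset field rather than assumed at the start of the file.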
In today's operating systems like Windows 7, the system backup is stored in the VHD format. This VHD can be mounted for forensic analysis. Windows Vista uses Complete PC Backup. VHD files are further examined with FTK Imager. Some facts may be found in the registry, prefetch data and cache files. During static analysis of a VM, two files are important to investigate, .VMDK and .VMX, as discussed in the previous section.
VI. CONCLUSION
Digital forensics for virtual machines is an identified research area with respect to the interaction between the virtualized host and the underlying physical hardware. Recovery of data using VM files is a crucial part. It is possible to recover data in a virtual environment, but what is recoverable is not predictable. Today, the use of virtualization is commonplace in every organization. The field of digital forensics applied to the virtual environment is widely accepted conceptually. Thus the development of more advanced forensic tools and techniques in this field is definitely advancing. Further areas of research include interactive live analysis to overcome the limitations of static analysis and provide the functionality to monitor VMs more precisely.
REFERENCES
[1] Richard Arthur Bares, "Hiding in a Virtual World using Unconventionally Installed Operating Systems", IEEE International Conference on Intelligence and Security Informatics, 2009, pp. 276-284.
[2] VMware Server, "VMware Server". Internet: http://www.vmware.com/products/server/, accessed 7 Aug 2010.
[3] Derek Bem and Ewa Huebner, "Analysis of USB Flash Drives in a Virtual Environment", Small Scale Digital Device Forensics Journal, vol. 1, no. 1, pp. 1-6, June 2007.
[4] Guidance Software, "EnCase Forensic Modules". Internet: http://www.guidencesoftware.com/products/ef_modules.asp, accessed 10 June 2010.
[5] FTK Imager. Internet: http://www.acessdata.com/downloads/, accessed 19 June 2010.
[6] D. Bem and E. Huebner, "Computer Forensic Analysis in a Virtual Environment", International Journal of Digital Evidence, vol. 6, no. 2, pp. 1-13, Jan 2007.
[7] Diane Barrett, Greg Kipper (2010). "Virtualization and Forensics: A Digital Forensic Investigator's Guide to Virtual Environments" (1st edition). [Online]. Available: http://www.syngress.com/digital-forensics/Virtualization and Forensics/, accessed 12 Aug 2010.
[8] VMware Inc., "Understanding Full Virtualization, Paravirtualization, and Hardware Assist". Internet: http://www.VMware.com/virtualization, accessed 19 June 2010.
[9] J. D. Durick, Eric Fitterman (2010). "Ghost in the Machine: Forensic Evidence Collection in the Virtual Environment". [Online]. Available: http://www.vmforensics.org/files/Ghost%20in%20the%20Machine.pdf, accessed 2 Sep 2010.
[10] CERT, "Live View". Internet: http://liveview.sourceforge.net/, accessed 9 July 2010.
[11] Sasa Mrdovic, Alvin Huseinovic, Ernedin Zajko, "Combining Static and Live Digital Forensic Analysis in Virtual Environment", IEEE International Conference on Information, Communication and Automation Technologies, 2009, pp. 1-6.
[12] VMware, "What Files Make up a Virtual Machine?". Internet: http://www.vmware.com/support/ws55/doc/ws_learning_files_in_a_vm, accessed 10 Sep 2010.
[13] Compare VMware Snapshots. Internet: http://zairon.wordpress.com/tool-compare-vmware-snapshots/, accessed 10 Aug 2010.
[14] Memparser. Internet: http://www.sourceforge.net/projects/memparser, accessed 9 Sep 2010.
[15] Volatility. Internet: http://volatilesystems.com/voaltileWeb/volatility.gsp, accessed 9 Sep 2010.
[16] Christiaan Beek, "Virtual Forensics". [Online]. Available: http://www.secuiritybananas.com/wp-content/uploads/2010/04/Virtual-Forensics_BlackHatEurope2010_CB.pdf, accessed 15 Sep 2010.
[17] Microsoft Corporation, "Virtual Hard Disk Image Format Specification". [Online]. Available: http://www.download.microsoft.com/…/Virtual%20Hard%20Disk%2Format%20Spec_10_18_06.doc, accessed 15 Sep 2010.