6th International Symposium on Digital Forensic and Security (ISDFS 2018)
978-1-5386-3449-3/18/$31.00 ©2018 IEEE
Analysis of VMware Virtual Machine in Forensics and Anti-Forensics Paradigm
Hammad Riaz, Mohammad Ashraf Tahir
Punjab Forensic Science Agency, Lahore, Pakistan
Corresponding Author Email: hammad.riaz@hotmail.com
Abstract— A virtual machine is an emulation of a physical computer system. It works like a normal computer and provides the complete functionality of an operating system to the user. With the advent of virtualization technology, the use of virtual machines has increased manifold. They are now used on a large scale in modern data centers, as well as on personal computers for work, study and research. However, wherever a new technology serves a good purpose, there is always illegitimate usage as well. This manuscript focuses on the analysis of virtual machines in the forensics and anti-forensics paradigm. Forensic analysis of virtual machines, and particularly analysis when anti-forensic measures have been taken to hide or destroy evidence inside virtual machines, is covered in this work.
Keywords—VMware Forensics, Virtual Forensics, Virtualization,
Hypervisor, Virtual Machine Monitor, VMDK file format
I. INTRODUCTION
Virtualization has had a presence in the market since the 1960s, and the concept is generally believed to originate from the mainframe days of the 1960s and early 1970s [1], when IBM made concerted efforts to develop robust time-sharing solutions. Since then, virtualization technology has taken various forms. Desktops, servers and laptops are traditionally called physical computer systems. In contrast, virtual computer systems run on physical systems, using their resources to create a virtual CPU, virtual memory, virtual network cards, a virtual hard drive, etc. [2]. A virtual machine uses the physical resources of the host hardware system on which it runs [2]. Virtualization is a technology that enables multiple operating systems to run on a single host computer [3]. A software Virtual Machine Monitor (VMM), also called a hypervisor, is used to run a virtual machine [2]. Typically, there are two types of hypervisors. Type-1 hypervisors, also identified as ‘bare-metal’ or ‘native’ hypervisors [2], are installed and run directly on the physical system hardware; multiple virtual machines can then run on top of them in parallel. VMware ESX/ESXi, Citrix XenServer and Oracle VM are examples of Type-1 hypervisors. Type-1 hypervisors are mostly used in data centers and server environments [2]. Type-2 or hosted hypervisors are commonly called desktop virtualization. These hypervisors are installed on top of the host operating system, and a guest operating system is then installed on the hypervisor. Common examples of Type-2 hypervisors are VMware Workstation/Fusion/Player, VirtualBox, Parallels and Microsoft Virtual PC. Red Hat Enterprise Virtualization and Microsoft Hyper-V can both work as Type-1 or Type-2 hypervisors.
With the modernization of computer hardware and the increase in CPU processing power, the use of virtual machines is at its peak. Therefore, this technology must be understood thoroughly from a forensic point of view. A virtual machine can be put to both legitimate and illegitimate use. Legitimate uses include software testing, malware analysis, backups and disaster recovery of data centers, or any research and development purpose. Illegitimate use is when the virtual machine is used to perform any sort of criminal activity, such as cybercrime, copyright infringement, money laundering, identity theft, child sexual abuse, pornography and cyber terrorism. In most cases, off-the-shelf forensic tools perform analysis of the host operating system only. Although some of these tools identify the presence of a virtual machine inside the operating system drive, that file is only identified as a single whole-disk file. Guest operating systems, i.e. virtual machines, are mostly identified just by their extension types in the forensic analysis tool. The forensic behavior of the same version of an operating system is similar whether it runs as a host operating system or as a guest operating system. But for analysis, the virtual machine files have to be forensically extracted and analyzed separately using a forensic tool. The analysis of guest operating systems is quite similar to that of host operating systems. However, analysis of the virtual machine monitor on the host operating system has to be performed differently from the general forensic procedure. A user with criminal intentions can use a guest operating system to deceive the forensic expert: the host operating system may be clean from a forensic perspective while data of evidential value resides inside a virtual machine, or even in a nested virtual machine. Therefore, analysis of the virtual machine monitor and the associated virtual machine files is of utmost importance.

This paper is based on the analysis of VMware Workstation and the associated virtual machine files used in VMware desktop virtualization. Forensic analysis of a VMware virtual machine is performed. Analysis of the VMware virtual machine is also discussed in the anti-forensics paradigm, where counter-forensic measures are taken by the user on the virtual machine. Anti-forensics is a general term for a set of techniques used as countermeasures to forensic analysis. These techniques are used to deceive the analyst and make analysis of the evidence difficult or impossible to conduct. The most damaging anti-forensic techniques are those which altogether change the result of the analysis by presenting falsified information to the forensic expert. Data deletion, data hiding, steganography, encryption, wiping, data state reversion and attacks against forensic tools are common techniques used in anti-forensics. Anti-forensics is also called counter forensics.
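The introduction observes that off-the-shelf tools mostly recognize guest machines by their file extensions. As an added example (not code from the paper), the following Python identifies VMware Workstation artifacts by their leading bytes instead, using the public VMDK hosted sparse-extent magic "KDMV", the "# Disk DescriptorFile" descriptor prefix and typical .vmx configuration keys; the sample blobs, including a disk header carrying a misleading .jpg name, are constructed inline.

```python
"""Extension-independent identification of VMware VM files (added example)."""
import struct

# Leading-byte signatures from the public VMware formats.
SPARSE_MAGIC = b"KDMV"  # hosted sparse extent: uint32 0x564d444b, little-endian
DESCRIPTOR_PREFIX = b"# Disk DescriptorFile"
VMX_MARKERS = (b".encoding", b"config.version", b"virtualHW.version")


def identify_vmware_artifact(data: bytes) -> str:
    """Classify a blob by content only; the file name is deliberately ignored."""
    head = data[:4096]
    if head.startswith(SPARSE_MAGIC):
        return "vmdk-sparse-extent"
    if head.lstrip().startswith(DESCRIPTOR_PREFIX):
        return "vmdk-descriptor"
    if sum(marker in head for marker in VMX_MARKERS) >= 2:
        return "vmx-config"
    return "unknown"


def sparse_extent_info(data: bytes) -> dict:
    """Decode the fixed header of a hosted sparse extent (sizes are 512-byte sectors)."""
    magic, version, _flags, capacity, grain, _desc_off, desc_size = struct.unpack_from(
        "<4sIIQQQQ", data, 0)
    if magic != SPARSE_MAGIC:
        raise ValueError("not a VMware hosted sparse extent")
    return {"version": version, "capacity_bytes": capacity * 512,
            "grain_bytes": grain * 512, "has_descriptor": desc_size > 0}


def triage(files: dict) -> dict:
    """Map file name -> (detected type, extension check) for every blob."""
    report = {}
    for name, blob in files.items():
        kind = identify_vmware_artifact(blob)
        ext_ok = kind == "unknown" or name.lower().endswith((".vmdk", ".vmx"))
        report[name] = (kind, "ok" if ext_ok else "extension-mismatch")
    return report


# Constructed samples (not real evidence): a 1 GiB sparse extent header with a
# misleading .jpg name, a text descriptor, a .vmx fragment, and an unrelated file.
SAMPLES = {
    "holiday.jpg": struct.pack("<4sIIQQQQ", b"KDMV", 1, 3, 2097152, 128, 1, 20) + b"\0" * 512,
    "disk.vmdk": b'# Disk DescriptorFile\nversion=1\nCID=fffffffe\ncreateType="monolithicSparse"\n',
    "notes.txt": b'.encoding = "UTF-8"\nconfig.version = "8"\nvirtualHW.version = "14"\n',
    "readme.txt": b"nothing to see here\n",
}
```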