6
th
International Symposium on Digital Forensic and Security (ISDFS 2018)
978-1-5386-3449-3/18/$31.00 ©2018 IEEE
Analysis of VMware Virtual Machine in Forensics and Anti-
Forensics Paradigm
Hammad Riaz, Mohammad Ashraf Tahir
Punjab Forensic Science Agency, Lahore, Pakistan
Corresponding Author Email: hammad.riaz@hotmail.com
Abstract— Virtual machine is an emulation of physical
computer system. It works as a normal computer and
provides complete functionality of an Operating System to
the user. With the advent of virtualization technology, the
use of virtual machines has increased manifold. These are
now used on large scale in modern data centers. So is its
use on personal computers for work, study and research
purpose. However, where there is any new technology for
good purpose, there is always its illegitimate usage as well.
This manuscript focusses on analysis of virtual machine in
forensics and anti-forensics paradigm. Forensic analysis of
virtual machine and particularly the analysis when anti-
forensic measures are taken to hide or destroy the evidence
in virtual machines is covered in this work.
Keywords—VMware Forensics, Virtual Forensics, Virtualization,
Hypervisor, Virtual Machine Monitor, VMDK file format
I. INTRODUCTION
Virtualization has its presence in market since 1960s and the
concept of virtualization is generally believed to be taken from
mainframe days of 1960s and early 1970s [1]. The time when
IBM made concerted efforts to develop robust time-sharing
solutions. Since then, Virtualization technology has taken
various forms. Desktops, Servers, Laptops are traditionally
called Physical computer systems. In contrast, Virtual
computer Systems are those which are running on physical
systems by using its resources and creates Virtual CPU,
Virtual memory, Virtual Network Cards and Virtual Hard
Drive etc. [2]. A virtual machine uses physical resources of
the Host Hardware System on which it runs [2]. Virtualization
is a technology that enable multiple operating systems to run
on a single host computer [3]. A software Virtual Machine
Monitor (VMM) also called as Hypervisor is used to run a
virtual machine [2]. Typically, there are two types of
Hypervisors. Type-1 also identified as ‘Bare-metal’ or ‘native’
Hypervisors [2]. These Hypervisors are installed and run
directly on the physical system hardware. Multiple virtual
machines can then be used over it in parallel. VMware ESX/
ESXi, Citrix Xen Server, Oracle VM are examples of Type-1
Hypervisors. Type-1 are mostly used in data centers and in
server environment [2]. Type-2 or hosted hypervisors are
commonly called Desktop Virtualization. These hypervisors
are installed over the Host operating system. A guest operating
system is then installed over the hypervisor. Common
Examples of Type 2 hypervisors are VMWare Workstation/
Fusion/ Player, Virtual Box, Parallels, Microsoft Virtual PC.
Microsoft Red Hat Enterprise Virtualization and Hyper-V can
both work as Type 1 or Type 2 hypervisor.
With the modernization in computer hardware and increase in
processing powers of CPU, the use of virtual machines is on
its peak. Therefore, it is highly needed to understand this
technology thoroughly from forensic point of view. The
virtual machine can be used for both legitimate and
illegitimate use. Legitimate use can be Software Testing,
malware analysis, backups and disaster recovery of data
centers or any research and development purpose. Illegitimate
use is when the virtual machine is used to perform any sort of
criminal activity. That can be cybercrime, copyright
infringement, money laundering, identify theft, child sexual
abuse, pornography, and cyber terrorism etc. Off-the-shelf
Forensic tools in most of the cases performs analysis of Host
Operating system only. Although, some of these tools identify
the presence of a virtual machine inside operating system
drive, however, that file is only identified as single whole disk
file. The Guest operating systems i.e. virtual machines are
mostly identified just by their extension types in forensic
analysis tool. The forensic behavior of same version of
operating system is similar as both host operating system and
as guest operating system. But for analysis virtual machine
files have to be forensically extracted and been separately
analyzed using forensic tool. The analysis of guest operating
systems is quite similar to the host operating systems.
However, analysis of Virtual machine monitor on Host
operating system has to be performed differently from general
forensic procedure. A user having criminal intentions can use
a guest operating system to deceive the forensic expert by
using virtual machine. May, the host operating system be clear
from forensic perspective and data of evidential value resides
inside a virtual machine or even in any nested virtual machine.
Therefore, analysis of virtual machine monitor and associated
virtual machine files is of utmost importance. This paper is
based on analysis of VMware Workstation and associated
virtual machine files used in VMware Desktop Virtualization.
Forensic Analysis of VMWare virtual machine is performed.
Analysis of VMware virtual machine is also discussed in Anti-
forensics paradigm, where the counter forensic measures are
taken by the user on the virtual machine. Anti-forensics is a
general term for a set of techniques which are used as counter
measures to forensic analysis. These techniques are used to
deceive the analyst and makes analysis of evidence difficult or
impossible to conduct. The most horrible anti-forensic
techniques are those which altogether change the result of
analysis by presenting falsified information to forensic expert.
Data deletion, data hiding, steganography, encryption, wiping,
data state reversion and attack against forensic tools etc. are
common techniques used in anti-forensics. Anti-forensics is
also called as counter forensics.
下载后可阅读完整内容,剩余5页未读,立即下载
beyond_9521
- 粉丝: 0
- 资源: 7
我的内容管理
展开
最新资源
- JavaScript DOM事件处理实战示例
- 全新JDK 1.8.122版本安装包下载指南
- Python实现《点燃你温暖我》爱心代码指南
- 创新后轮驱动技术的电动三轮车介绍
- GPT系列:AI算法模型发展的终极方向?
- 3dsmax批量渲染技巧与VR5插件兼容性
- 3DsMAX破碎效果插件:打造逼真碎片动画
- 掌握最简GPT模型:Andrej Karpathy带你走进AI新时代
- 深入解析XGBOOST在回归预测中的应用
- 深度解析机器学习:原理、算法与应用
- 360智脑企业内测开启,探索人工智能新场景应用
- 3dsmax墙砖地砖插件应用与特性解析
- 微软GPT-4助力大模型指令微调与性能提升
- OpenSARUrban-1200:平衡类别数据集助力算法评估
- SQLAlchemy 1.4.39 版本特性分析与应用
- 高颜值简约个人简历模版分享
资源上传下载、课程学习等过程中有任何疑问或建议,欢迎提出宝贵意见哦~我们会及时处理!
点击此处反馈
