International Journal of Digital Evidence
Fall 2007, Volume 6, Issue 2
Computer Forensic Analysis in a Virtual Environment
Derek Bem Ewa Huebner University of Western Sydney, Australia
Abstract
In this paper we discuss the potential role of virtual environments in the analysis phase of computer forensics investigations. General concepts of virtual environments and software tools are presented and discussed. Further we identify the limitations of virtual environments, leading to the conclusion that this method cannot be considered a replacement for conventional techniques of computer evidence collection and analysis. We propose a new approach where two environments, [...]
An example scenario is described to illustrate our approach. We took a small Windows XP system, created a forensic image of its hard disk, and demonstrated the advantages of using two environments. The example shows that the correct application of a virtual environment approach results in less time spent on analysing the evidence, giving more chance of discovering important data, and allowing less qualified personnel to be involved in a more productive way. We decided to use only free and readily available utilities to allow everyone to repeat our experiment, and to encourage the reader to try experimenting with their own cases.
What is a Virtual Machine
A virtual machine (also known as a ‘VM’) is a software product which allows the user to create one or more separate environments, each simulating its own set of hardware (CPU, hard disk, memory, network controllers, and other components) and running its own software. Ideally each virtual machine should behave like a fully independent computer with its own operating system and its own hardware. The user can control each environment independently and, if required, network virtual computers together or connect them to an external physical network. While this approach is powerful and flexible, it requires a lot of additional resources, because each virtual computer draws on the real hardware of the computer it runs on. It should also be noted that virtual machine software is complex, and many compromises and restrictions are to be expected. Anyone attempting to use it should have a good understanding of what can and cannot be achieved. Virtualisation is an old concept, first introduced in the 1960s with the appearance of mainframe computers. It was re-introduced to personal computers in the 1990s, and the major products currently available are: Microsoft Virtual PC (Microsoft Virtual PC 2007), the VMWare range of software tools (VMWare, 2007), the open source (free) software QEMU (Bellard, 2007), and a few others.
Computer Forensics And Virtual Machine Environments

The conventional computer forensics process comprises a number of steps, and it can be broadly encapsulated in four key phases (Kruse II & Heiser, 2002):
• Access
• Acquire
• Analyse (the focus of this paper)
• Report
During the acquire phase an investigator captures as much live system volatile data as possible, powers down the system, and later creates a forensic (bit-by-bit) image of all storage devices (Brown, 2005). An image of a storage device is typically acquired using one of many dd-based tools (Nelson, Phillips, Enfinger, & Steuart, 2006). This image is stored in the dd format (Rude, 2000), or a proprietary format typically based on dd (Bunting & Wei, 2006). The image is an identical copy of the original disk. It should be noted, however, that the old rule where the image of a hard disk was assumed to be identical with the original hard...