The Virtualisation And Computer Forensics


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Please click this link to view samples of our professional work witten by our professional essay writers. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Abstract: Virtualisation technologies have progressed considerably over recent years bringing with this the development for both opportunities and new challenges for the digital forensic practitioner. This paper will concentrate on the various roles for virtualisation in the field of digital forensics, how virtualisation technology can support modern digital forensic investigations and how the same virtualisation can assist those wishing to hide their tracks. The various challenges, common tools, methods and opportunities virtualisation provides for digital forensics will be analysed.

Keywords: digital forensics; virtualisation; virtual machine introspection; forensic image booting

I Introduction

The increasing demand for virtualisation technologies in industry and by individuals means that virtual machines will increasingly be used in illegal activities, and digital forensics investigators will therefore require a sound knowledge of virtualisation technologies. The ease with which virtual machines can be created, copied, installed or hidden, compared with a typical physical system, makes them a likely choice for both organisations and individuals. Organisations can benefit from virtualising the entire system, enabling maximum usage of resource potential while minimising the effort and time required for disaster recovery. Digital forensics investigators may also find it beneficial to have a ‘clean start’ for each individual case using a virtual machine. The individual can benefit from the ability to run multiple operating systems on their personal computer without dual-boot functionality, or to test applications or programs that might otherwise harm their host system. Section II of this paper reviews the concept of virtualisation. Section III reviews the potential uses of virtual machines in the digital forensics sector to assist investigators. Section IV reviews virtual machines when they are seized as evidence as part of an investigation. The conclusion will look at the findings in this paper.

II Concept of Virtualisation

Virtualisation was introduced in the 1960s on mainframe computers launched by IBM [Bares, 2009], and since then the technology has become prolific in everyday computing. Virtualisation is made possible by adding an abstraction layer that the architecture of a traditional computer system does not have. This additional layer is commonly known as the virtual machine monitor (VMM), also known as the hypervisor. A virtual machine (VM) is a virtual computer inside a physical computer, as shown in Figure 1. This additional layer abstracts all available computing resources by hiding the particular characteristics of the physical hardware from the operating system and the end user.


Fig.1 Windows XP running in a virtual machine inside Windows Vista.

The VMM can be permitted complete access to all system resources [Hoopes, 2009], although performance under a VMM is lower than on the physical machine. The guest operating system is managed by the VMM, which resides on the host operating system [Barret and Kipper, 2010]. VMMs exist in two types, Type I and Type II, depending on where the VMM is positioned. The different architectures are shown in Figure 2.

Fig.2 Different VMM architectures, with Type I left and Type II right.

A Type I VMM runs directly on the system hardware without requiring a host operating system. This type of VMM is also known as a hypervisor. Since it runs directly on the system hardware, its performance is far superior to that of the Type II architecture.

A Type II VMM runs on top of the host operating system, and virtual machines are created on top of the VMM. The VMM redirects requests for hardware resources to the appropriate APIs within the hosting environment. This arrangement gives the virtual machine access to the system's device drivers, permitting more flexibility with hardware components.

III Virtual Machines as Digital Forensic Tools

As discussed in the introduction, virtualisation technologies enable the development of innovative forensic analysis techniques for long-established systems while easing the application of current techniques. Fundamentally, virtual machines are extremely easy to deploy: since deployments can be initialised or destroyed without any real cost, they are very attractive to developers for testing the behaviour and reaction of an operating system or of applications, or the effects of different interactions [Carvey, 2007]. For instance, a virtual machine running the desired operating system can be started to provide an execution environment in which to analyse what artefacts a selected browser creates. This allows the command and instruction stream to be replayed and the state of the virtual machine to be introspected. Virtualisation therefore provides the investigator with new technologies and methods of investigation.

3.1 Virtual Machine Introspection

The increasing availability and usage of virtualisation can be deployed to give an investigator total access to the entire state of a target system without the target system itself having to provide that information. This practice of live analysis makes detection by the suspect very difficult, if not impossible. For example, an operating system running within a virtual machine (VM) managed by the virtual machine monitor (VMM) is provided by the VMM with ports, network connections, user accounts and data, and thus appears to be a normal computer system. Any attack on this system would appear to the attacker to be on a normal system, and on discovery the security analysts or investigators can begin their investigation without running any analysis techniques on the target system itself. Instead they would turn to the VMM, or create a new VM running under the control of the VMM, and investigate and analyse the VM under attack from there. This is known as virtual machine introspection (VMI), as introduced by Garfinkel and Rosenblum [Garfinkel, T, Rosenblum, M, 2003].

Live analysis provides alternatives to traditional static analysis; however, several limitations still exist in the application of this practice. A common limitation is known as the ‘observer effect’: observing or measuring a parameter changes that parameter, and in IT any operation carried out while the system is active will in turn modify that system. This can result in the integrity of the evidence being contaminated. Brian D. Carrier discusses the risks in any form of live acquisition [Carrier, 2006], namely that these systems may be compromised. By applying virtual machines and using virtual machine introspection it is possible to reduce the potential for a skilled attacker to block the investigator's methods, delete data, or indeed change data or operations.

The VMM has privileged access to all memory of the VM, with read and write ability when required. This in turn enables specific programmes to recreate the contents of any process's memory space, including kernel memory. This can be achieved by using the page table for the VMM to create an image of the VM's memory. It is then possible to extrapolate from this information to determine exactly what processes were running and exactly what those processes were doing. This method has a specific advantage over traditional image analysis, in which imaging a disk for examination results in the contents of memory being lost and potentially critical evidence being left unharvested. Alternatively, should an investigator carry out a non-quiescent forensic investigation by running forensic programmes on a live system, the likelihood is that the evidence itself will be contaminated, since the content of the data, libraries or indeed the resident programmes will be changed and therefore compromised. The development of VMI programmes and applications to carry out such analysis of live systems is progressing rapidly. An example of this development is the VMI Tools Project [code.google.com, 2011]. Bryan Payne from Georgia Tech, who manages the XenAccess project, has produced an open source virtual machine introspection library for the Xen hypervisor. This library permits any privileged domain to view, and therefore recreate, the runtime state of another domain. A set of virtual introspection tools already exists enabling a digital investigator to carry out live analysis of an unprivileged virtual machine from the privileged virtual machine [Hay and Nance, 2008], as shown in Fig. 3 below.

Fig. 3 Virtual Machine Introspection
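To make the "semantic gap" that introspection bridges concrete, here is an added example (not from this paper, nor from XenAccess or the VMI Tools Project) that treats a raw guest-memory image the way an introspection library would: it rebuilds the running process list from a known kernel data structure, then carves the image for process records directly so that anything unlinked from the list still shows up. The kernel layout, offsets and sample processes are all constructed for this example and do not correspond to any real operating system.

```python
import struct
# Assumed toy kernel layout for this example only (not any real OS): a 4-byte
# physical offset of the first process record sits at LIST_HEAD_OFF, and each
# 32-byte record is: magic b"PROC" | pid u32 | next u32 (0 = end) | name.
LIST_HEAD_OFF = 0x100
REC = struct.Struct("<4sII20s")
MAGIC = b"PROC"

def build_sample_image(hide_pid=None):
    """Constructed guest-memory image. If hide_pid is set, that record is
    unlinked from the list (as a DKOM rootkit would) but stays resident."""
    procs = [(1, b"init"), (42, b"sshd"), (200, b"cron"), (314, b"bash")]
    recs = [(0x1000 + i * 0x200, p) for i, p in enumerate(procs)]
    linked = [r for r in recs if r[1][0] != hide_pid]
    mem = bytearray(0x4000)
    for i, (off, (pid, name)) in enumerate(linked):
        nxt = linked[i + 1][0] if i + 1 < len(linked) else 0
        REC.pack_into(mem, off, MAGIC, pid, nxt, name)
    for off, (pid, name) in recs:
        if pid == hide_pid:  # hidden from the list, but its bytes remain
            REC.pack_into(mem, off, MAGIC, pid, 0, name)
    struct.pack_into("<I", mem, LIST_HEAD_OFF, linked[0][0])
    return bytes(mem)

def pslist(mem):
    """Walk the kernel's linked list read-only, as the guest's own tools would;
    the visited set guards against a cyclic or corrupted list."""
    out, seen = [], set()
    off = struct.unpack_from("<I", mem, LIST_HEAD_OFF)[0]
    while off and off not in seen and off + REC.size <= len(mem):
        seen.add(off)
        magic, pid, nxt, name = REC.unpack_from(mem, off)
        if magic != MAGIC:
            break  # list pointer no longer points at a process record
        out.append((pid, name.rstrip(b"\0").decode()))
        off = nxt
    return out

def psscan(mem):
    """Carve every process record from the image, ignoring list linkage."""
    out = []
    for off in range(0, len(mem) - REC.size + 1, 4):
        if mem[off:off + 4] == MAGIC:
            _, pid, _, name = REC.unpack_from(mem, off)
            out.append((pid, name.rstrip(b"\0").decode()))
    return out

def hidden_processes(mem):
    """Cross-view detection: resident records that are absent from the list."""
    return sorted(set(psscan(mem)) - set(pslist(mem)))
```

Because the VMM reads guest memory from outside, nothing in the guest is executed or modified during the walk, which is the property the paragraph above relies on; the cross-view comparison is what turns that read-only access into a detection of tampering rather than just a listing.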

As discussed by Nance et al., the ability of virtual machine introspection to assist digital forensic practitioners requires more time and development to be proven and eventually applied, given the serious nature of digital forensic investigations.

3.2 Forensic Image Booting

Restoring a forensic image back to disk was once a long and tiresome process. It was made more difficult when the original machine was not available to boot the disk, leading to more time being spent configuring the restored drive to recognise the new system hardware. Virtual machine applications allow images to be booted relatively easily without the need to configure hardware settings.

There are numerous situations in which booting a forensic image would be advantageous. One specific reason is to enable non-examiners, such as members of a jury, to see the seized drive in a familiar desktop view, as the suspect would have seen it prior to its seizure. Asking a jury to look at forensic reports might not have the same impact as looking at the same information displayed in a running operating system.

A forensic image (dd-style) cannot be booted directly; software is required to convert the raw image into a VM configuration. One forensics program that can facilitate this task is Live View [liveview, 2008]. It allows the investigator to examine the operating system on a forensic image without contaminating the evidence. Any changes made by the examiner are written to separate virtual machine files and do not affect the original image, allowing multiple boots and examinations. Booting the image in this way also allows an examiner to prove or disprove any claim that malware or Trojans had been present on the suspect device.

Bem et al. carried out a study of the potential uses of forensic image booting. This was called the ‘Parallel Approach’, where the hope was that the total time to conduct an investigation could be shortened by expanding the process to include two parallel investigative streams, as shown in Figure 4 below.

Fig.4 Dual Data Analysis Process

The study involved two forensic investigators of different levels of competency. The first investigator was a ‘Professional Investigator’ and the second a ‘Computer Technician’. The evidence was passed to both investigators. The professional investigator examined the evidence following the normal rules and procedures of evidence custody, while the computer technician examined the evidence using a virtual environment. The computer technician then passed their findings to the professional investigator for confirmation. On concluding the study it was found that this approach sped up the investigative process considerably and also harnessed the skills of less qualified personnel.

IV Virtual Machines as Evidence

As with any digital evidence investigation, the same rule of acquisition applies to virtual machines: the evidence must be acquired. Quite often this can be as simple as looking for the virtual machine folder on the root of the drive. On other occasions, when the virtual machines cannot be found, it is a case of looking for traces of them. This helps to ascertain whether the virtual machines resided on some form of portable media or were in fact deleted from the target drive.

4.1 Traces of Virtual Machines

The given rule for the computer forensic process is: access, acquire, analyse and report. Traces of virtual machines can be very important to examiners in certain instances.

Figure References

Fig.1 Google Images, Virtual Machines, https://www.google.co.uk/search?q=virtual+machine&hl=en&rls=com.microsoft:en-gb:IE-Address&source=lnms&tbm=isch&sa=X&ei=SEk2UcDiIKvY7AbY0wE&ved=0CAoQ_AUoAQ&biw=1920&bih=920 [Accessed 20th Feb 2013]

Fig.2 Google Images, VMM Architecture, https://www.google.co.uk/search?q=virtual+machine&hl=en&rls=com.microsoft:en-gb:IE-Address&source=lnms&tbm=isch&sa=X&ei=SEk2UcDiIKvY7AbY0wE&ved=0CAoQ_AUoAQ&biw=1920&bih=920#hl=en&rls=com.microsoft:en-gb:IE-Address&tbm=isch&q=vmm+architecture+type+I+or+type+II&spell=1&sa=X&ei=I0o2UdaKEofvOoqXgUA&ved=0CEoQvwUoAA&bav=on.2,or.r_gc.r_pw.r_qf.&bvm=bv.43148975,d.ZWU&fp=e411c043ade76a5&biw=1920&bih=920 [Accessed 20th Feb 2013]

Fig.3 Google Images, Virtual Machine Introspection, https://www.google.co.uk/search?q=virtual+introspoection&rls=com.microsoft:en-gb:IE-Address&oe=&redir_esc=&um=1&ie=UTF-8&hl=en&tbm=isch&source=og&sa=N&tab=wi&authuser=0&ei=6Ec2UeDuCcWtO7WkgZAG&biw=1920&bih=920&sei=6kc2Ud6KC8i-PYe7gOgE [Accessed 25th Feb 2013]

Fig.4 Dual Data Analysis Process, http://www.utica.edu/academic/institutes/ecii/publications/articles/1C349F35-C73B-DB8A-926F9F46623A1842.pdf [Accessed 25th Feb 2013]
