Virtualisation And Computer Forensics


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Please click this link to view samples of our professional work written by our professional essay writers. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Rick McClelland

CEIS, Northumbria University, Newcastle upon Tyne

Abstract: Virtualisation technologies have progressed considerably over recent years, bringing with them both opportunities and new challenges for the digital forensic practitioner. This paper concentrates on the various roles of virtualisation in the field of digital forensics: how virtualisation technology can support modern digital forensic investigations, and how the same technology can assist those who wish not to be discovered. The challenges, common tools, methods and opportunities that virtualisation provides for digital forensics are analysed.

Keywords: digital forensics; virtualisation; virtual machine introspection; forensic image booting; computer evidence; snapshot

I Introduction

The increasing demand for virtualisation technologies in industry and among individuals will lead to virtual machines being used more and more in illegal activities, where digital forensics investigators will require a sound knowledge of virtualisation technologies. The ease with which virtual machines can be created, copied, installed or hidden, compared with a typical physical system, makes them a likely choice for both organisations and individuals. Organisations can benefit by having their entire system virtualised, making maximum use of available resources while minimising the effort and time needed for disaster recovery. Digital forensics investigators may also find the ability to have a ‘clean start’ for each case, by using a fresh virtual machine, beneficial in maintaining evidence integrity. Individuals can benefit from the ability to run multiple operating systems on their personal computer without multi-boot functionality, or to test applications and programs that might otherwise harm the host system. The next section of this paper reviews the concept of virtualisation. Section III reviews the potential uses of virtual machines in the digital forensics sector to assist investigators. Section IV reviews virtual machines as seized evidence in an investigation. The conclusion summarises the findings of this paper.

II Concept of Virtualisation

Virtualisation was introduced in the 1960s on the computers known as mainframes, launched by IBM [Bares, 2009], and since then the technology has become prolific in everyday computing. Virtualisation is made possible by an additional abstraction layer compared with the architecture of a traditional computer system. This additional layer is commonly known as the virtual machine monitor (VMM), also known as the hypervisor. A virtual machine (VM) is a virtual computer inside a physical computer, as shown in Figure 1. The virtual machine monitor layer abstracts all available computing resources by hiding the particular characteristics of the physical hardware from the virtual machine's operating system and from the end user.


Fig. 1 Windows XP running in a virtual machine inside Windows Vista.

The VMM can be configured to have complete access to all system resources [Hoopes, 2009], although the performance of hardware accessed through a VMM is lower than that of the physical machine. The guest operating system is managed by the VMM, which resides on the host operating system [Barret and Kipper, 2010]. There are two types of VMM, Type I and Type II, depending on where the VMM sits in the stack. The two architectures are shown in Figure 2.

Fig. 2 Different VMM architectures, with Type I on the left and Type II on the right.

A Type I VMM runs directly on the system hardware without requiring a host operating system. This type of VMM is also known as a hypervisor. Since it runs directly on the system hardware, its performance is far superior to that of the Type II architecture.

A Type II VMM runs on top of the host operating system, and virtual machines are created on top of the VMM. The VMM redirects requests for hardware resources to the appropriate APIs within the hosting environment. This arrangement gives the virtual machine access to the system device drivers, permitting more flexibility with the hardware components.

III Virtual Machines as Digital Forensic Tools

As discussed in the introduction, virtualisation technologies enable the development of innovative forensic analysis techniques for long-established systems while easing the application of current techniques. Virtual machines are extremely easy to deploy: instances can be created or destroyed without any real cost, which makes them very attractive to developers testing the behaviour of an operating system, of applications, or the effects of different interactions [Carvey, 2007]. For instance, a virtual machine running the desired operating system can be started to provide an execution environment in which to analyse what artefacts a selected browser creates. The command and instruction stream can then be replayed and the state of the virtual machine introspected. Virtualisation thus provides the investigator with new technologies and methods of investigation.

3.1 Virtual Machine Introspection

The increased availability and use of virtualisation can give an investigator total access to the entire state of a target system without requiring the target system itself to provide that information. This form of live analysis makes detection by the suspect very difficult, if not impossible. For example, an operating system running within a virtual machine (VM) managed by a virtual machine monitor (VMM) is provided by the VMM with ports, network connections, user accounts and data, and so appears to be a normal computer system. Any attack on this system would appear to the attacker to be an attack on a normal system, and on its discovery the security analysts or investigators can begin their investigation without running any analysis tools on the target system itself. Instead they would turn to the VMM, or create a new VM under the control of the VMM, and "investigate and analyse" the VM under attack from there. This is known as virtual machine introspection (VMI), as introduced by Garfinkel and Rosenblum [Garfinkel, T, Rosenblum, M, 2003].

Live analysis provides an alternative to traditional static analysis; however, several limitations still exist in its application. A common limitation is known as the ‘observer effect’: observing or measuring a parameter changes that parameter, and in IT any operation carried out while a system is active will in turn modify that system. This results in the integrity of the evidence being contaminated. Brian D. Carrier discusses the risk in any form of live acquisition that the system itself is compromised [Carrier, 2006]. By applying virtual machines and using virtual machine introspection, it is possible to minimise the opportunity for a skilled attacker to block the investigator's methods, delete data, or change data or operations.

The VMM has privileged access to all memory of the VM, enabling it to read and write that memory when required. This in turn enables specific programs to recreate the contents of any process's memory space, including kernel memory. This can be achieved by using the page tables available to the VMM to create an image of the VM's memory. It is then possible to extrapolate from this information exactly which processes were running and exactly what those processes were doing. This method has specific advantages over traditional image analysis, where imaging a disk for examination results in the contents of memory being lost, so that potentially critical evidence is never captured. Alternatively, should an investigator carry out a non-quiescent forensic investigation by running forensic programs on a live system, the likelihood is that the evidence itself will be contaminated, since the content of the data, libraries or indeed the resident programs will be changed and therefore compromised. The development of VMI programs and applications to carry out such analysis of live systems is progressing rapidly. An example of this development is the VMI Tools Project [code.google.com, 2011]. Bryan Payne of Georgia Tech, who manages the XenAccess project, has produced an open source virtual machine introspection library for the Xen hypervisor. This library permits any privileged domain to view, and therefore recreate, the runtime state of another domain. A set of virtual introspection tools already exists that enables a digital investigator to carry out live analysis of an unprivileged virtual machine from the privileged virtual machine [Hay and Nance, 2008], as shown in Fig. 3 below.

Fig. 3 Virtual Machine Introspection

As discussed by Nance et al., the ability of virtual machine introspection to assist digital forensic practitioners requires more time and development before it can be proved and eventually applied, given the serious nature of digital forensic investigations.

3.2 Forensic Image Booting

The restoration of a forensic image back to disk was once a long and tiresome process. It was made more difficult when the original machine was not available to boot the disk, leading to more time being spent configuring the restored drive to recognise the new system hardware. Virtual machine applications allow images to be booted relatively easily without the need to configure hardware settings.

There are numerous situations in which booting a forensic image would be advantageous. One specific reason is to enable non-examiners, such as members of a jury, to view the seized drive in a familiar desktop view, as the suspect would have seen it prior to its seizure. Asking a jury to look at forensic reports might not have the same impact as looking at the same information displayed by a running operating system.

A forensic image (dd-style) cannot be booted directly; software is required to convert the raw image into a VM configuration. One forensics program that can facilitate this task is Live View [liveview, 2008]. This program allows the investigator to examine the operating system on a forensic image without contaminating the evidence. Any changes made by the examiner are written to separate virtual machine files and do not affect the original image, allowing for multiple boots and examinations. Booting the image in this way also allows an examiner to prove or disprove any claim that malware or Trojans had been present on the suspect device.
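As an added illustration of what an image-booting tool such as Live View has to produce (example code written for this page, not Live View's own), the functions below generate a flat VMDK descriptor that points at a raw dd image and a .vmx that opens that disk in non-persistent mode, so every guest write goes to a redo log instead of the evidence image. The VMware key names are assumed from common .vmdk and .vmx usage, not taken from the page, and the image is only ever opened for its size.

```python
"""Build VMware descriptor files that boot a raw (dd) forensic image
without writing to it, in the spirit of Live View.  Added example, not
the page's or Live View's own code; the VMware key names below are
assumed from common flat-VMDK and .vmx usage, not taken from the page."""
import os

SECTOR = 512          # VMDK extents are sized in 512-byte sectors


def vmdk_descriptor(image_name, image_size_bytes):
    """Return a monolithicFlat descriptor that points at the raw image.

    The extent is declared RW so the guest can mount it; the .vmx below
    makes the disk non-persistent so writes land in a redo log beside the
    descriptor and the evidence image itself is never modified.
    """
    if image_size_bytes % SECTOR:
        raise ValueError("raw image is not a whole number of sectors")
    sectors = image_size_bytes // SECTOR
    # Classic 16 heads x 63 sectors geometry; cylinders derived from size.
    cylinders = max(1, sectors // (16 * 63))
    return (
        "# Disk DescriptorFile\n"
        "version=1\n"
        "CID=fffffffe\n"
        "parentCID=ffffffff\n"
        'createType="monolithicFlat"\n\n'
        "# Extent description\n"
        f'RW {sectors} FLAT "{image_name}" 0\n\n'
        "# The Disk Data Base\n"
        'ddb.adapterType = "ide"\n'
        f'ddb.geometry.cylinders = "{cylinders}"\n'
        'ddb.geometry.heads = "16"\n'
        'ddb.geometry.sectors = "63"\n'
    )


def vmx_config(vm_name, vmdk_name, guest_os="winxppro"):
    """Return a minimal .vmx; the forensically relevant line is the disk
    mode: independent-nonpersistent discards guest writes on power-off."""
    return (
        'config.version = "8"\n'
        'virtualHW.version = "7"\n'
        f'displayName = "{vm_name}"\n'
        f'guestOS = "{guest_os}"\n'
        'memsize = "1024"\n'
        'ide0:0.present = "TRUE"\n'
        f'ide0:0.fileName = "{vmdk_name}"\n'
        'ide0:0.mode = "independent-nonpersistent"\n'
    )


def write_boot_files(image_path, out_dir):
    """Write <name>.vmdk and <name>.vmx into out_dir; the image is only
    stat'ed for its size, never opened for writing."""
    size = os.path.getsize(image_path)
    name = os.path.splitext(os.path.basename(image_path))[0]
    vmdk = os.path.join(out_dir, name + ".vmdk")
    vmx = os.path.join(out_dir, name + ".vmx")
    with open(vmdk, "w") as fh:
        fh.write(vmdk_descriptor(os.path.abspath(image_path), size))
    with open(vmx, "w") as fh:
        fh.write(vmx_config(name, os.path.basename(vmdk)))
    return vmdk, vmx
```

Hashing the dd image before and after a boot session is the cheap check that the non-persistent mode really kept all writes out of the evidence.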

Bem et al. carried out a study of the potential uses of forensic image booting. This was called the ‘Parallel Approach’, where the hope was that the total time needed to conduct an investigation could be shortened by expanding the process to include two parallel investigative streams, as shown in Figure 4.

Fig. 4 Dual Data Analysis Process

The study involved two forensic investigators of different levels of competency. The first investigator was a ‘Professional Investigator’ and the second a ‘Computer Technician’. The evidence was passed to both investigators. The professional investigator examined the evidence following the normal rules and procedures of evidence custody, while the computer technician examined the evidence in a virtual environment and passed the findings to the professional investigator for confirmation. On concluding the study it was found that this approach sped up the investigative process considerably and also harnessed the skills of less qualified personnel.

IV Virtual Machines as Evidence

As with any digital evidence investigation, the same rule applies to virtual machines: the evidence must first be acquired. Quite often this can be as simple as looking for the virtual machine folder in the root of the drive. On other occasions, when the virtual machines cannot be found, it is a case of looking for traces of them. This helps to ascertain whether the virtual machines resided on some form of portable media or were in fact deleted from the target drive.

4.1 Traces of Virtual Machines

The given rule for the computer forensic process is: access, acquire, analyse and report [Cloward and Simorjay, 2008]. Traces of virtual machines can be very important to examiners in certain instances, such as when there is evidence that virtual machines once existed but have been deleted. One example of a VM application is VMware Player [VMware, n.d.]. When a VM is created, a set of files is written to disk, and investigators should be aware of the identity of these files, which are listed in Figure 5.

Virtual machine files may also be deleted outright by the operating system because they exceed Recycle Bin size limits, so they never pass through the recycle bin. When this type of deletion occurs it can be very difficult to recover any of the deleted files [Dorn G et al. 2009]. Users can also run a VM from external media, which leaves no traces of the VM on the host system.

File Name   Description
VMX         Configuration file; stores VM settings and configuration.
VMXF        Stores grouping of VMs. File remains after deletion of the VMs.
VMSD        Snapshot descriptor; maintains all metadata on snapshots.
VMDK        Contains information on disk layout, structure and properties of the disk, including size and partitions.
LOG         Configuration, information and runtime messages.
NVRAM       Contains BIOS settings.
VSWP        Memory swap file.
VMSS        Suspended state file. Represents the state of a suspended machine. On suspend the VSWP is deleted.

Fig. 5 A List of VMware File Names.

4.2 Virtual Machine Evidence Acquisition

As with physical systems, the acquisition of evidence from a virtual machine has to comply with established evidence handling procedures. The prescribed method of collecting evidence is to seize the machine in question, either switch off the power or shut the machine down (dependent on the operating system), create an image of the media and finally analyse the created image [Carrier, 2005].

Investigating a Type I virtual machine can be an intricate task due to the storage arrangements used to create the VM. It is common for these VMs to be stored on Network Attached Storage (NAS) or Storage Area Network (SAN) devices, where the traditional method of powering off the system is simply not practical. For instance, it is often not possible to power down systems on which e-commerce depends. Another difficulty arises when the virtual machine is stored across arrays of cloud storage accounts or across many data centres belonging to the network. The Virtual Machine File System (VMFS) used by various server applications can be spread across an array of servers, again making it difficult for investigators to create an image of these files, and as extremely large storage spaces become more available to business and enterprise this issue grows. Simply shutting down a system can also cause the loss of many running processes residing only in random access memory (RAM). For these reasons it is often more practical to carry out a live forensic investigation.

For digital forensics investigators a Type II virtual machine is by far the easier of the two to investigate and image, because its files reside on one local storage disk. Often there may be several instances of VMs on one storage disk. These VMs will normally have very close ties to the operating system of the host machine. For this reason it is imperative to image the entire storage disk in order to capture as much evidence as possible.

4.3 Virtual Machine Examination

Since a virtual machine operates in the same way as a physical machine, it can be analysed using the same methodologies and applications as a physical machine, whether this is carried out as a live analysis or, after imaging, as a post mortem analysis. Evidence that can be expected to be found includes device history, user information, running processes and registry information.

The VMEM file contains the machine's memory, including kernel objects, threads and processes. This file shows the state of the machine at the time it was hibernated. Live virtual machines may contain information of significant importance; however, examining them live can affect the information contained on both the virtual and host systems.

One particular function of virtual machines is the ability to create a snapshot of a running system. This snapshot contains important information about the state of the VM at a given time, and can amount to a treasure trove of information for an investigator, since it may contain information that has since been deleted or changed. The same function can also be used to hide data: take a snapshot, then delete the data so that it is not visible to prying eyes, while it remains accessible if the virtual machine is reverted to the snapshot. The snapshots can also provide a trail of when a file was first created or accessed and subsequently deleted. Each virtual machine platform behaves differently, and experience of the behaviour of the VM is required in order to investigate an individual platform successfully.

The problem is that currently no tool exists that can reconstruct these snapshots in the order required to discover their contents. The snapshots must be reconstructed in the exact order they were created in order to function correctly. The majority of computer forensic applications read only the base disk and the latest snapshot, ignoring all the other snapshots. One way of discovering the contents of these snapshots is to manually recreate the virtual machine, load the desired snapshot and then image the state of the running virtual machine. This method is not in itself forensically sound practice, as changes can occur to the state of the system which can contaminate the evidence.

Research and development of suitable tools and applications to allow the reconstruction of virtual machine snapshots could lead to significant finds of evidence once deemed unobtainable and would assist digital forensic practitioners in their work.
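One building block for the snapshot reconstruction discussed in the two preceding paragraphs, written as an added example for this page rather than taken from it or from any forensic tool: the code below parses a VMware .vmsd snapshot descriptor, rebuilds the parent chain from the base disk to the current state, orders every snapshot by its creation stamp, and lists the snapshots (and their delta disks) that a "base disk plus latest snapshot" view never reads. It assumes the key = "value" layout of .vmsd files with snapshotN.uid, snapshotN.parent, snapshotN.createTimeHigh/Low and snapshotN.disk0.fileName keys, and the sample descriptor is constructed.

```python
"""Recover VMware snapshot lineage and creation order from a .vmsd file.
Added example, not the page's code; assumes the key = "value" layout with
snapshotN.uid/parent/createTimeHigh/createTimeLow/disk0.fileName keys."""
import re

# Constructed sample: uid 2 and uid 3 are both children of uid 1, so the
# current state (uid 3) shares no delta disk with snapshot uid 2.
SAMPLE_VMSD = '''\
snapshot.lastUID = "3"
snapshot.current = "3"
snapshot0.uid = "1"
snapshot0.createTimeLow = "1500000000"
snapshot0.disk0.fileName = "suspect.vmdk"
snapshot1.uid = "2"
snapshot1.parent = "1"
snapshot1.createTimeLow = "1500003600"
snapshot1.disk0.fileName = "suspect-000001.vmdk"
snapshot2.uid = "3"
snapshot2.parent = "1"
snapshot2.createTimeLow = "1500007200"
snapshot2.disk0.fileName = "suspect-000002.vmdk"
snapshot.numSnapshots = "3"
'''
KV_RE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')

def parse_vmsd(text):
    """Map every key = "value" line to a dict; other lines are skipped."""
    out = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            out[m.group(1)] = m.group(2)
    return out

def snapshot_tree(kv):
    """Return ({uid: info}, current_uid) built from the parsed keys."""
    snaps = {}
    for n in range(int(kv.get("snapshot.numSnapshots", "0"))):
        p = f"snapshot{n}."
        parent = kv.get(p + "parent")
        snaps[int(kv[p + "uid"])] = {
            "parent": int(parent) if parent is not None else None,
            # 64-bit creation stamp split over two keys; used for ordering
            "created": (int(kv.get(p + "createTimeHigh", "0")) << 32)
                       | int(kv.get(p + "createTimeLow", "0")),
            "disk": kv.get(p + "disk0.fileName", ""),
        }
    return snaps, int(kv["snapshot.current"])

def lineage(snaps, uid):
    """Root-to-uid chain: the delta disks a VM player stacks for that state."""
    chain = []
    while uid is not None:
        if uid not in snaps or uid in chain:
            raise ValueError(f"broken parent chain at uid {uid}")
        chain.append(uid)
        uid = snaps[uid]["parent"]
    return chain[::-1]

def off_lineage(snaps, current):
    """Snapshots (in creation order) that a 'base disk plus latest
    snapshot' view never reads, although their delta disks still exist."""
    on_chain = set(lineage(snaps, current))
    return [u for u in sorted(snaps, key=lambda u: snaps[u]["created"])
            if u not in on_chain]
```

Every delta disk named by off_lineage is a file an examiner must image and examine separately, since reverting the VM to reach it is exactly the non-forensically-sound step described above.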

V Conclusion

Virtualisation usage is becoming more widespread in both the commercial and individual domains. In commerce the technology is being harnessed to clone entire company IT systems virtually and to assist in disaster recovery. For the individual, the ability to run multiple operating systems on one host machine and the ease of developing new applications make virtualisation a necessary technology. As discussed in this paper, these virtualisation technologies may assist digital forensic investigators with the analysis of computer systems. The increase in usage of virtual machines will undoubtedly see an increase in virtual machines being used to commit illegal activities or themselves being the target of illegal activities. This will lead to an increase in forensic investigations of virtual environments, requiring significant development of the tools and applications used to carry out these analyses. This paper has looked at some of the techniques available to investigators while also discussing how easily virtual machines can be used as an anti-forensics tool. It is essential for the digital forensics community to continue developing tools and applications to assist in the analysis of virtual environments. The current inability to examine multiple snapshots of a virtual machine is an area that needs to be addressed by the forensic community, with further development of the techniques and methods used. The examples in this paper are only a very small selection of the issues facing the digital forensics community in this growing virtual world and the challenges it presents.
