Abstract
With the popularity of virtualized computing continuing to grow, it is crucial that digital forensic knowledge keeps pace. This research set out to identify the forensic artifacts, and their locations, that may be recovered from a VMware Workstation virtual machine running Windows 7 x64. Several common forensic tools were used to conduct this research, namely AccessData’s Forensic Toolkit (FTK), FTK Imager, and FTK Registry Viewer. This research verified the processes required to gather digital evidence from a virtual machine disk (VMDK) file, create a forensic image, and mount the evidence in these forensic tools. It then documented the recovered artifacts and their locations relating to system configuration, internet usage, file creation and deletion, user administration, and more.
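The abstract's first step, gathering evidence from a VMDK before imaging it, depends on knowing which files make up the virtual disk: a Workstation VMDK is usually a small text descriptor that names one or more extent files, and a snapshot descriptor points at a parent disk that must also be collected. The following Python is an added example, not code from the paper or from VMware; it parses a constructed descriptor in VMware's plain-text layout, reports total disk size and parent linkage, and builds a SHA-256 manifest of the extents so a missing split extent is caught before a forensic image is created. The descriptor text, file names and extent contents are invented for the example.

```python
"""Added example (not from the paper): parse a VMware Workstation VMDK descriptor,
enumerate its extents, and build a hash manifest for acquisition verification."""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List

SECTOR_SIZE = 512  # VMDK extent sizes are given in 512-byte sectors

# Constructed sample descriptor; the layout follows VMware's plain-text descriptor
# format, but the file names and values are invented for this example.
SAMPLE_DESCRIPTOR = """# Disk DescriptorFile
version=1
encoding="UTF-8"
CID=fffffffe
parentCID=ffffffff
createType="twoGbMaxExtentSparse"

# Extent description
RW 4192256 SPARSE "Win7x64-s001.vmdk"
RW 4192256 SPARSE "Win7x64-s002.vmdk"
RW 2048 SPARSE "Win7x64-s003.vmdk"

# The Disk Data Base
#DDB
ddb.virtualHWVersion = "12"
ddb.adapterType = "lsilogic"
"""

# Constructed snapshot (delta) descriptor: parentCID is not ffffffff, so the delta
# alone does not hold the full disk and the parent named by the hint is needed too.
SAMPLE_SNAPSHOT = """# Disk DescriptorFile
version=1
CID=12345678
parentCID=fffffffe
parentFileNameHint="Win7x64.vmdk"
createType="twoGbMaxExtentSparse"
RW 4192256 SPARSE "Win7x64-000001-s001.vmdk"
"""

# access  sectors  type  "filename"  [offset]
EXTENT_RE = re.compile(
    r'^(RW|RDONLY|NOACCESS)\s+(\d+)\s+(SPARSE|FLAT|VMFS|VMFSSPARSE)\s+"([^"]+)"(?:\s+(\d+))?'
)


@dataclass
class Extent:
    access: str
    sectors: int
    kind: str
    filename: str
    offset: int = 0


@dataclass
class Descriptor:
    header: Dict[str, str]
    extents: List[Extent]

    @property
    def total_sectors(self) -> int:
        return sum(e.sectors for e in self.extents)

    @property
    def has_parent(self) -> bool:
        # ffffffff is the "no parent" marker; anything else means a snapshot chain.
        return self.header.get("parentCID", "ffffffff").lower() != "ffffffff"


def parse_descriptor(text: str) -> Descriptor:
    """Split a descriptor into key=value header fields and extent lines."""
    header: Dict[str, str] = {}
    extents: List[Extent] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = EXTENT_RE.match(line)
        if m:
            access, sectors, kind, name, offset = m.groups()
            extents.append(Extent(access, int(sectors), kind, name, int(offset or 0)))
        elif "=" in line:
            key, _, value = line.partition("=")
            header[key.strip()] = value.strip().strip('"')
    return Descriptor(header, extents)


def build_manifest(desc: Descriptor, extent_data: Dict[str, bytes]) -> Dict[str, Dict[str, object]]:
    """Hash every extent the descriptor names; absent extents are flagged rather than
    silently skipped, so an incomplete copy of a split disk is noticed before imaging."""
    manifest: Dict[str, Dict[str, object]] = {}
    for e in desc.extents:
        blob = extent_data.get(e.filename)
        manifest[e.filename] = {
            "sectors": e.sectors,
            "present": blob is not None,
            "sha256": hashlib.sha256(blob).hexdigest() if blob is not None else None,
        }
    return manifest


def missing_extents(manifest: Dict[str, Dict[str, object]]) -> List[str]:
    return [name for name, entry in manifest.items() if not entry["present"]]


if __name__ == "__main__":
    desc = parse_descriptor(SAMPLE_DESCRIPTOR)
    print(f"createType={desc.header['createType']} extents={len(desc.extents)} "
          f"size={desc.total_sectors * SECTOR_SIZE} bytes")
    # Constructed stand-ins for extent file contents; s003 is deliberately absent.
    data = {"Win7x64-s001.vmdk": b"abc", "Win7x64-s002.vmdk": b""}
    manifest = build_manifest(desc, data)
    for name, entry in manifest.items():
        print(name, entry)
    print("missing extents:", missing_extents(manifest))
    print("snapshot has parent:", parse_descriptor(SAMPLE_SNAPSHOT).has_parent)
```

Run it as a script to see the manifest; in practice the `extent_data` values would be the bytes of the real extent files read from the write-blocked source, and the manifest hashes are what gets compared against the image created by FTK Imager.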
© 2018 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
Cite this paper
Smith, C., Dietrich, G., Choo, KK.R. (2018). Identification of Forensic Artifacts in VMWare Virtualized Computing. In: Lin, X., Ghorbani, A., Ren, K., Zhu, S., Zhang, A. (eds) Security and Privacy in Communication Networks. SecureComm 2017. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 239. Springer, Cham. https://doi.org/10.1007/978-3-319-78816-6_7
DOI: https://doi.org/10.1007/978-3-319-78816-6_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-78815-9
Online ISBN: 978-3-319-78816-6