
Identification of Forensic Artifacts in VMWare Virtualized Computing

  • Conference paper
  • Security and Privacy in Communication Networks (SecureComm 2017)

Abstract

As virtualized computing continues to grow in popularity, digital forensic knowledge must keep pace. This research set out to identify the forensic artifacts, and their locations, that can be recovered from a VMware Workstation virtual machine running Windows 7 x64. Several common forensic tools were used, namely AccessData’s Forensic Toolkit (FTK), FTK Imager, and FTK Registry Viewer. The research verified the process required to gather digital evidence from a virtual machine disk (VMDK) file: creating a forensic image of it and mounting that evidence in these forensic tools. It then documented the recovered artifacts and their locations, covering system configuration, internet usage, file creation and deletion, user administration, and more.
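The VMDK acquisition step the abstract summarises has one practical trap: a VMware Workstation disk is often not a single file but a chain of snapshot delta disks layered over a base disk, and imaging only the base disk misses everything the guest wrote after the last snapshot. The Python script below is an added example, not code from the paper or from VMware. It parses the VMDK text descriptor format (the CID, parentCID, parentFileNameHint and extent lines), walks the chain from the newest delta disk down to the base disk, verifies that each parentCID matches the parent's CID, and lists every file an examiner must acquire. The descriptor texts, file names and the `make_reader` helper are constructed for this demo and are not from the paper's evidence set.

```python
"""Enumerate the files behind a VMware virtual disk before imaging it.

Added example, not code from the paper.  It parses VMDK text descriptors
(CID / parentCID / parentFileNameHint / extent lines), follows the snapshot
chain to the base disk and checks every CID link.  All descriptor texts
below are constructed sample data.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

NO_PARENT = "ffffffff"  # parentCID of a base disk that has no parent

# Extent line: ACCESS SIZE_IN_SECTORS TYPE "FILENAME" [OFFSET]
EXTENT_RE = re.compile(
    r'^(RW|RDONLY|NOACCESS)\s+(\d+)\s+(\w+)\s+"([^"]+)"(?:\s+(\d+))?\s*$')


@dataclass
class Descriptor:
    cid: str
    parent_cid: str
    create_type: str
    parent_hint: Optional[str]
    # (access, sectors, extent type, filename)
    extents: List[Tuple[str, int, str, str]] = field(default_factory=list)


def parse_descriptor(text: str) -> Descriptor:
    """Parse the key=value header and the extent lines of one descriptor."""
    kv: Dict[str, str] = {}
    extents: List[Tuple[str, int, str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = EXTENT_RE.match(line)
        if m:
            extents.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            kv[key.strip()] = value.strip().strip('"')
    if "CID" not in kv or "parentCID" not in kv:
        raise ValueError("not a VMDK descriptor: CID/parentCID missing")
    return Descriptor(kv["CID"].lower(), kv["parentCID"].lower(),
                      kv.get("createType", ""), kv.get("parentFileNameHint"),
                      extents)


Reader = Callable[[str], Descriptor]


def resolve_chain(top: str, read: Reader) -> List[str]:
    """Descriptor names from `top` down to the base disk, newest first.

    Raises ValueError on a broken link (parentCID != parent's CID), a missing
    parentFileNameHint, or a cycle: VMware will not open such a chain, and an
    examiner who images only the base disk loses every post-snapshot write.
    """
    order: List[str] = []
    seen = set()
    name = top
    while True:
        if name in seen:
            raise ValueError(f"cycle in snapshot chain at {name}")
        seen.add(name)
        desc = read(name)
        order.append(name)
        if desc.parent_cid == NO_PARENT:
            return order
        if not desc.parent_hint:
            raise ValueError(f"{name}: parentCID set but no parentFileNameHint")
        parent = read(desc.parent_hint)
        if parent.cid != desc.parent_cid:
            raise ValueError(f"{name}: parentCID {desc.parent_cid} does not "
                             f"match {desc.parent_hint} CID {parent.cid}")
        name = desc.parent_hint


def files_to_acquire(top: str, read: Reader) -> List[str]:
    """Every descriptor and extent file in the chain, newest first, no repeats.
    A monolithicSparse disk embeds its descriptor in the extent file, so that
    name appears as both and collapses to a single entry."""
    files: List[str] = []
    for name in resolve_chain(top, read):
        for f in [name] + [ext[3] for ext in read(name).extents]:
            if f not in files:
                files.append(f)
    return files


def chain_is_consistent(top: str, read: Reader) -> bool:
    try:
        resolve_chain(top, read)
        return True
    except ValueError:
        return False


def make_reader(descriptors: Dict[str, str]) -> Reader:
    """Reader over an in-memory {filename: descriptor text} map (constructed
    data).  On a real case, read the standalone descriptor file or the text
    embedded in a monolithicSparse extent, from a write-blocked copy."""
    return lambda name: parse_descriptor(descriptors[name])


# Constructed sample: a twoGbMaxExtentSparse base disk plus one snapshot delta.
SAMPLE_DESCRIPTORS = {
    "Win7x64.vmdk": '# Disk DescriptorFile\nversion=1\nencoding="UTF-8"\n'
                    'CID=fffffffe\nparentCID=ffffffff\n'
                    'createType="twoGbMaxExtentSparse"\n\n# Extent description\n'
                    'RW 4192256 SPARSE "Win7x64-s001.vmdk"\n'
                    'RW 4192256 SPARSE "Win7x64-s002.vmdk"\n'
                    'RW 2048 SPARSE "Win7x64-s003.vmdk"\n\n'
                    'ddb.adapterType = "lsilogic"\n',
    "Win7x64-000001.vmdk": '# Disk DescriptorFile\nversion=1\nencoding="UTF-8"\n'
                           'CID=0a1b2c3d\nparentCID=fffffffe\n'
                           'createType="monolithicSparse"\n'
                           'parentFileNameHint="Win7x64.vmdk"\n\n'
                           'RW 8386560 SPARSE "Win7x64-000001.vmdk"\n',
}
# Same chain with a tampered link (constructed) to show the failure mode.
BROKEN_DESCRIPTORS = dict(SAMPLE_DESCRIPTORS)
BROKEN_DESCRIPTORS["Win7x64-000001.vmdk"] = SAMPLE_DESCRIPTORS[
    "Win7x64-000001.vmdk"].replace("parentCID=fffffffe", "parentCID=deadbeef")

if __name__ == "__main__":
    for f in files_to_acquire("Win7x64-000001.vmdk", make_reader(SAMPLE_DESCRIPTORS)):
        print("acquire:", f)
    print("broken chain detected:", not chain_is_consistent(
        "Win7x64-000001.vmdk", make_reader(BROKEN_DESCRIPTORS)))
```

Start the walk at the descriptor the guest's .vmx file currently names (the newest delta disk), not at the base .vmdk, and hash every listed file before and after copying so the image can later be tied back to the original evidence.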



Author information


Corresponding author: Kim-Kwang Raymond Choo


Copyright information

© 2018 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper


Cite this paper

Smith, C., Dietrich, G., Choo, KK.R. (2018). Identification of Forensic Artifacts in VMWare Virtualized Computing. In: Lin, X., Ghorbani, A., Ren, K., Zhu, S., Zhang, A. (eds) Security and Privacy in Communication Networks. SecureComm 2017. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 239. Springer, Cham. https://doi.org/10.1007/978-3-319-78816-6_7


  • DOI: https://doi.org/10.1007/978-3-319-78816-6_7


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-78815-9

  • Online ISBN: 978-3-319-78816-6

  • eBook Packages: Computer Science (R0)
