Abstract
As virtualization becomes more prevalent in the enterprise and in personal computing, there is a great need to understand the technology as well as its ramifications for recovering digital evidence. This paper focuses on trace evidence related to the installation and execution of virtual machines (VMs) on a host machine. It provides useful information regarding the types and locations of files installed by VM applications, the processes created by running VMs and the structure and identity of VMs, ancillary files and associated artifacts.
Copyright information
© 2009 IFIP International Federation for Information Processing
About this paper
Cite this paper
Dorn, G., Marberry, C., Conrad, S., Craiger, P. (2009). Analyzing the Impact of a Virtual Machine on a Host Machine. In: Peterson, G., Shenoi, S. (eds) Advances in Digital Forensics V. DigitalForensics 2009. IFIP Advances in Information and Communication Technology, vol 306. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04155-6_5
DOI: https://doi.org/10.1007/978-3-642-04155-6_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-04154-9
Online ISBN: 978-3-642-04155-6
eBook Packages: Computer Science (R0)