
Investigating the Implications of Virtualization for Digital Forensics

  • Conference paper
Forensics in Telecommunications, Information, and Multimedia (e-Forensics 2010)

Abstract

Research in virtualization technology has gained significant momentum in recent years, bringing the forensic community both opportunities and challenges. In this paper, we discuss the potential roles of virtualization in digital forensics and survey recent work that uses virtualization techniques to support modern computer forensics. A brief overview of virtualization is presented and discussed. We then summarize the positive and negative effects of virtualization technology on digital forensics. Tools and techniques that have the potential to become common practice in digital forensics are analyzed, and experience and lessons from our own practice are shared. We conclude with our reflections and an outlook.

This paper is supported by the Special Basic Research, Ministry of Science and Technology of the People’s Republic of China (No. 2008FY240200), and the Key Project Funding, Ministry of Public Security of the People’s Republic of China (No. 2008ZDXMSS003).



Copyright information

© 2011 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Song, Z., Jin, B., Zhu, Y., Sun, Y. (2011). Investigating the Implications of Virtualization for Digital Forensics. In: Lai, X., Gu, D., Jin, B., Wang, Y., Li, H. (eds) Forensics in Telecommunications, Information, and Multimedia. e-Forensics 2010. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 56. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-23602-0_10


  • DOI: https://doi.org/10.1007/978-3-642-23602-0_10

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-23601-3

  • Online ISBN: 978-3-642-23602-0
