Abstract
Research in virtualization technology has gained significant momentum in recent years, which brings not only opportunities to the forensic community but challenges as well. In this paper, we discuss the potential roles of virtualization in digital forensics and survey recent progress in using virtualization techniques to support modern computer forensics. A brief overview of virtualization is presented and discussed. We then summarize the positive and negative influences that virtualization technology has on digital forensics. Tools and techniques that have the potential to become common practice in digital forensics are analyzed, and some experience and lessons from our own practice are shared. We conclude with our reflections and an outlook.
This paper is supported by the Special Basic Research, Ministry of Science and Technology of the People’s Republic of China (No. 2008FY240200), and the Key Project Funding, Ministry of Public Security of the People’s Republic of China (No. 2008ZDXMSS003).
Copyright information
© 2011 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Song, Z., Jin, B., Zhu, Y., Sun, Y. (2011). Investigating the Implications of Virtualization for Digital Forensics. In: Lai, X., Gu, D., Jin, B., Wang, Y., Li, H. (eds) Forensics in Telecommunications, Information, and Multimedia. e-Forensics 2010. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 56. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-23602-0_10
DOI: https://doi.org/10.1007/978-3-642-23602-0_10
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-23601-3
Online ISBN: 978-3-642-23602-0