are identified. The acquired virtual machine files are used to boot the virtual machine in a host system. For using a virtual machine as a forensic tool, the subject system's OS is booted in a virtual machine, thereby generating a live subject system [3].

The above methods are only proofs of concept, and a lot of additional work has to be done to make them applicable to different conditions. These concepts are augmented in the proposed method by acquiring only the needed files and extracting the raw data stored in the virtual hard disk.

III. GENERAL CONCEPTS OF VIRTUAL MACHINES

The virtual machine concept is used in the computing world to solve problems like sharing the same hardware among many programs by partitioning the hardware, allowing software to be portable between various operating systems, and running older software on a newer computer.

The term virtual means anything that mimics a real object. This term is used in this context because a virtual machine should behave exactly like the real machine. A virtualization-enabled system runs multiple VMs under the control of a single VM monitor (VMM). Each VM receives a set of virtual hardware from the VMM and then interacts with it as though it were its own physical hardware. The VMM enforces isolation between each of the virtual machines, schedules the VM tasks, and provides a mechanism to support the virtual hardware using the underlying physical hardware or even emulated devices.

As organizations began moving functions from physical systems to virtual systems they ran straight into a new problem. Virtual machines are ephemeral; they can be generated, provisioned with the appropriate software and put into production very rapidly. In the same way, they can be halted and deleted when they are no longer needed. No labels define their location or presence. In this paper the focus will be on the uses of a virtual machine as forensic evidence, which is an asset to the forensic toolbox.

A. VMware Virtual Environment

Virtualization software is most often used to emulate a complete computer system in order to allow a guest operating system to be run, for example allowing Windows Vista to run as a guest on top of a PC that is natively running a Microsoft Windows 7 operating system.

VMware Player is a freeware virtualization software package from M/s. VMware. Player allows a complete virtual machine to be copied at any time by copying a directory; although this is not a fully featured snapshot facility, it allows a copy of a machine in a particular state to be stored and reverted to later if desired, e.g. after a demonstration or a virus infection test.

When performing live acquisition, the following files are important to investigate and acquire:

.vmdk  This is the actual virtual hard disk for the virtual guest operating system.
.log   Activity logs for a virtual machine.
.vmem  A backup of the virtual machine's paging file, which exists while the virtual machine is running or when it has crashed.
.vmsn  VMware snapshot file. This file stores the state of the virtual machine when the snapshot is created.
.vmsd  Contains metadata about the snapshot.
.nvram Stores the BIOS information for the virtual machine.
.vmx   Text file that contains the hardware and operating system configuration of the virtual machine.
.vmss  The state of a suspended virtual machine is stored in this file [4] [5].

IV. ACQUISITION OF VMWARE FILES

Live acquisition is the most effective and feasible way to acquire the needed files in the case of disks with large storage capacity.

The Windows registry has significant information which is valuable to the forensic analyst. This includes basic system information such as who had used the system and what applications are installed, and more detailed information on key system areas, such as what hardware was installed and what drives were mounted. The Windows registry is a significant forensic resource. The registry is a central hierarchical database used to store the information necessary to configure the system for one or more users, applications and hardware devices.

Any forensic examiner must be provided with additional information that supports the investigation, and the system information of the suspect system is one such item. The operating system referenced in this paper is Microsoft Windows 7.

The registry location holding the operating system name is:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName

The registry location holding the Windows installation path is:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PathName

The registry location holding the computer name is:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Windows NT\Control\ComputerName

The presence of a VMware virtual environment can be detected by searching the registry at the location shown in Figure 1.

Figure 1. Registry view of VMware Player location
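The registry collection step of section IV, as an added Python example that is not code from the paper. The three value locations are reproduced exactly as the paper prints them; the VMware Player subkey is an assumption, since Figure 1 is not reproduced on the page. The reader abstraction lets the same collector run live on a Windows host through the standard-library winreg module, or offline over a constructed snapshot (labelled as such below) when analysing an exported hive or testing on another platform.

```python
from __future__ import annotations
from typing import Callable, Dict, Optional

# HKEY_LOCAL_MACHINE value locations as printed in section IV of the paper.
SYSTEM_INFO_VALUES = {
    "product_name": (r"SOFTWARE\Microsoft\Windows NT\CurrentVersion", "ProductName"),
    "install_path": (r"SOFTWARE\Microsoft\Windows NT\CurrentVersion", "PathName"),
    "computer_name": (r"SYSTEM\ControlSet001\Windows NT\Control", "ComputerName"),
}
# ASSUMPTION: the paper's Figure 1 (VMware Player key) is not on the page; this subkey is a placeholder.
VMWARE_PLAYER_KEY = r"SOFTWARE\VMware, Inc.\VMware Player"

# A reader maps (subkey, value name) to the value's data, or None when it is absent.
# A value name of None asks "does the subkey exist?" and returns "" when it does.
Reader = Callable[[str, Optional[str]], Optional[str]]


def winreg_reader(subkey: str, value: Optional[str]) -> Optional[str]:
    """Live reader for a Windows host (winreg is only importable on Windows)."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            if value is None:
                return ""
            data, _kind = winreg.QueryValueEx(key, value)
            return str(data)
    except OSError:
        return None  # missing key or value


def dict_reader(snapshot: Dict[str, Dict[str, str]]) -> Reader:
    """Offline reader over a {subkey: {value_name: data}} snapshot (tests, exported hives)."""
    def read(subkey: str, value: Optional[str]) -> Optional[str]:
        values = snapshot.get(subkey)
        if values is None:
            return None
        return "" if value is None else values.get(value)
    return read


def collect_host_info(reader: Reader) -> Dict[str, object]:
    """Collect the system information the paper lists plus a VMware Player presence flag."""
    info: Dict[str, object] = {
        name: reader(sub, val) for name, (sub, val) in SYSTEM_INFO_VALUES.items()
    }
    info["vmware_player_present"] = reader(VMWARE_PLAYER_KEY, None) is not None
    return info


# Constructed sample registry content for an offline run; not captured from a real system.
SAMPLE_HOST = {
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion": {
        "ProductName": "Windows 7 Ultimate",
        "PathName": r"C:\Windows",
    },
    r"SYSTEM\ControlSet001\Windows NT\Control": {"ComputerName": "SUSPECT-PC"},
    VMWARE_PLAYER_KEY: {"InstallPath": r"C:\Program Files (x86)\VMware\VMware Player\\"},
}
SAMPLE_HOST_NO_VMWARE = {k: v for k, v in SAMPLE_HOST.items() if k != VMWARE_PLAYER_KEY}


if __name__ == "__main__":
    import sys
    reader = winreg_reader if sys.platform == "win32" else dict_reader(SAMPLE_HOST)
    for name, data in collect_host_info(reader).items():
        print(f"{name}: {data}")
```

On a Windows host the script reads the live registry; elsewhere it falls back to the constructed snapshot so the logic can be exercised without the suspect machine.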
VMware Player Files    File locations in a Windows 7 host system
.vmdk                  1. User defined virtual machine folder (ex: I:\VMware\Windows XP)
.nvram                 2. \Users\UserName\VMware
.vmsd                  3. \ProgramData\VMware
.vmx                   4. \Users\UserName\AppData
.vmxf
.log

Figure 3. Obtaining gdOffset value from VMDK header (flowchart: VMDK file -> header information -> obtain offset to grain directory from gdOffset)
Figure 4. Grain directory entries pointing to grain table and finally to grains
Figure 5. Flowchart of analysis process
Figure 6. Hex view of a vmdk file showing grain table entries in grain directory
Figure 7. Hex view of vmdk file showing grain table entries
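The analysis process that Figures 3 to 8 illustrate (read gdOffset from the VMDK header, follow grain directory entries to grain tables and finally to grains, and recover the raw data) is shown here as an added Python example; it is not code from the paper. The 512-byte header layout, the 512-byte sector unit, and the rule that a zero grain table entry means an unallocated (all-zero) grain are taken from VMware's published Virtual Disk Format specification for sparse extents, and the tiny monolithicSparse image is constructed inline, with deliberately small grain and table sizes, so the block runs offline.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass

SECTOR = 512
SPARSE_MAGIC = 0x564D444B  # "KDMV" read as a little-endian uint32
# Packed SparseExtentHeader from the VMware spec: 512 bytes in total.
HEADER_FMT = "<IIIQQQQIQQQBccccH433x"
GD_IN_FOOTER = 0xFFFFFFFFFFFFFFFF  # streamOptimized disks put the grain directory in a footer


@dataclass
class SparseHeader:
    version: int
    flags: int
    capacity: int           # disk size in sectors
    grain_size: int         # sectors per grain
    descriptor_offset: int  # sector offset of the embedded text descriptor
    descriptor_size: int    # descriptor length in sectors
    gtes_per_gt: int        # grain table entries per grain table
    rgd_offset: int         # redundant grain directory (0 if none)
    gd_offset: int          # sector offset of the grain directory (Figure 3)
    overhead: int           # sectors of metadata before the first grain


def parse_header(img: bytes) -> SparseHeader:
    f = struct.unpack_from(HEADER_FMT, img, 0)
    if f[0] != SPARSE_MAGIC:
        raise ValueError("not a VMware sparse extent: bad magic")
    hdr = SparseHeader(f[1], f[2], f[3], f[4], f[5], f[6], f[7], f[8], f[9], f[10])
    if hdr.gd_offset == GD_IN_FOOTER:
        raise ValueError("grain directory lives in the footer (streamOptimized); not handled here")
    return hdr


def descriptor(img: bytes, hdr: SparseHeader) -> bytes:
    start = hdr.descriptor_offset * SECTOR
    return img[start:start + hdr.descriptor_size * SECTOR].rstrip(b"\0")


def grain_directory(img: bytes, hdr: SparseHeader) -> list:
    """Each GDE is the sector offset of one grain table (Figure 4)."""
    grains = -(-hdr.capacity // hdr.grain_size)      # ceil division
    n_tables = -(-grains // hdr.gtes_per_gt)
    return list(struct.unpack_from(f"<{n_tables}I", img, hdr.gd_offset * SECTOR))


def grain_table(img: bytes, hdr: SparseHeader, gde: int) -> list:
    """Each GTE is the sector offset of one grain; 0 means the grain was never written."""
    return list(struct.unpack_from(f"<{hdr.gtes_per_gt}I", img, gde * SECTOR))


def read_sector(img: bytes, hdr: SparseHeader, lba: int) -> bytes:
    """Translate a logical sector of the guest disk into its bytes inside the .vmdk."""
    if not 0 <= lba < hdr.capacity:
        raise IndexError(f"LBA {lba} outside disk of {hdr.capacity} sectors")
    grain = lba // hdr.grain_size
    gde = grain_directory(img, hdr)[grain // hdr.gtes_per_gt]
    gte = grain_table(img, hdr, gde)[grain % hdr.gtes_per_gt]
    if gte == 0:
        return bytes(SECTOR)                          # unallocated grain reads as zeros
    start = (gte + lba % hdr.grain_size) * SECTOR
    return img[start:start + SECTOR]


def extract_raw(img: bytes, hdr: SparseHeader) -> bytes:
    """Flatten the sparse extent into a raw disk image (the data Figure 8 shows per grain)."""
    return b"".join(read_sector(img, hdr, lba) for lba in range(hdr.capacity))


def build_sample_vmdk() -> bytes:
    """Constructed 16-sector monolithicSparse image: 2-sector grains, 4 GTEs per table."""
    cap, gs, gtes, gd_off, gt0, gt1, overhead = 16, 2, 4, 2, 3, 4, 5
    img = bytearray(9 * SECTOR)  # header, descriptor, GD, GT0, GT1, then two 2-sector grains
    struct.pack_into(HEADER_FMT, img, 0, SPARSE_MAGIC, 1, 1, cap, gs, 1, 1, gtes,
                     0, gd_off, overhead, 0, b"\n", b" ", b"\r", b"\n", 0)
    desc = b'# Disk DescriptorFile\nversion=1\ncreateType="monolithicSparse"\n'
    img[SECTOR:SECTOR + len(desc)] = desc
    struct.pack_into("<2I", img, gd_off * SECTOR, gt0, gt1)
    struct.pack_into("<4I", img, gt0 * SECTOR, 5, 0, 0, 7)  # grain 0 at sector 5, grain 3 at 7
    img[5 * SECTOR:7 * SECTOR] = b"A" * (2 * SECTOR)          # GT1 stays zero: grains 4-7 unallocated
    img[7 * SECTOR:9 * SECTOR] = b"B" * (2 * SECTOR)
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_vmdk()
    header = parse_header(image)
    print("gdOffset:", header.gd_offset, "grain directory:", grain_directory(image, header))
    print("raw image size:", len(extract_raw(image, header)), "bytes")
```

Against a real .vmdk the same functions apply to the file contents (for large disks, replace the in-memory bytes with seek-and-read on the file handle); the descriptor also names any further extents a multi-file disk is split across, which this block does not follow.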
Figure 8. Hex view of vmdk file showing raw data in a grain

VII. CONCLUSION

As proposed by Brett Shavers, the time of the virtual machine has come. Cybercrimes are becoming prevalent, so forensic experts are eagerly hunting for victims in cyberspace. Cyber-crime syndicates are exploiting virtual machines to commit heinous conspiracies to fulfill lucrative goals. To keep up with this new trend, this paper proposes techniques to obtain valuable evidence stored in the virtual hard disk. In this paper we

ACKNOWLEDGMENT

We would like to express thanks to the Resource Centre for Cyber Forensics division, CDAC-Trivandrum, for assisting in the proofing, testing and live demonstrations of the methods described in this paper. We hope that our research can assist law enforcement with their investigations.

REFERENCES

[1] Diane Barrett and Greg Kipper, Virtualization and Forensics: A Digital Forensic Investigator's Guide to Virtual Environments, 1st ed., Syngress, pp. 1-25, June 2010.
[2] B. Hay, M. Bishop and K. Nance, "Live Analysis: Progress and Challenges," IEEE Security and Privacy, vol. 7, pp. 30-37, March 2009.
[3] Lei Zhang, Dong Zhang and Lianhai Wang, "Live Digital Forensics in a Virtual Machine," International Conference on Computer Application and System Modelling (ICCASM), IEEE Society, pp. V4-328-332, 2010.
[4] Dan Kusnetzky, Virtual Machines: You have to see them to manage them, Kusnetzky Group, pp. 1-3, October 2007.
[5] Brett Shavers, A Discussion of Virtual Machines Related to Forensics Analysis, November 2008.
[6] Youngsoo Kim and Dowon Hong, "Windows Registry and Hiding Suspects' Secret in Registry," Development of Digital Forensic System for Information Transparency, IEEE Computer Society, pp. 393-398, 2008.
[7] Kisik Chang, Gibum Kim, Kwonyoup Kim and Woosuk Kim, "Initial Case Analysis using Windows Registry in Computer Forensics," unpublished.