Forensic Acquisition and Analysis of VMware Virtual Machine Artifacts

Meera V
Department of Computer Science, TocH Institute of Science and Technology, Cochin, India
meera6620@gmail.com

Meera Mary Isaac
Resource Centre for Cyber Forensics, Centre for Development of Advanced Computing, Trivandrum, India
meeramary@cdactvm.in

Balan C
Resource Centre for Cyber Forensics, Centre for Development of Advanced Computing, Trivandrum, India
cbalan@cdac.in

978-1-4673-5090-7/13/$31.00 2013 IEEE

Abstract: Virtual forensics is a new trend in the area of computer forensics. Virtualization technology paved the way for the growth of virtual forensics. The VMware virtual environment provides a completely virtualized set of hardware to the guest operating system. The features of a virtual machine make it an interesting platform for committing cyber crimes. The combination of innovative criminal techniques and advanced technologies makes the traditional techniques outdated for detecting such crimes. This paper discusses how live acquisition can be performed to acquire virtual machine related files from the host operating system. The paper also describes how to analyze these acquired files to obtain the raw data stored in the various grains. The study is supported by methods that assist forensic examiners by providing valuable information from the raw data retrieved from the grains pointed to by grain table entries.

Keywords: Virtual Forensics; Virtualization; VMware; Virtual machine; VMDK file format

I. INTRODUCTION

Virtualization is now a buzzword. It is the creation of a virtual version of a server, operating system, desktop, etc., where the framework divides the resource into one or more execution environments. With the advancement of virtualization technology, virtual machines are becoming a subject of interest. Traces generated by activities performed using a virtual machine are stored in a virtual storage system and are not directly available from the physical machine on which it is running. Due to these technological advancements the nature of the crime scene has changed a lot. A virtual machine is chosen as a good platform for committing crimes because of its hiding nature. Forensic techniques should keep pace with this new trend [1].

A virtual machine is used as forensic evidence to obtain valuable data. VMware virtual machine software is used to create the virtual machines in this paper. Virtual machine files are acquired from the physical system and stored to a storage medium in a live environment. The VMware virtual hard disk file is analysed to retrieve all its contents. The methods and tools that assist in obtaining meaningful data from the virtual hard disk are discussed in Sections 4 and 5.

The rest of this paper is organized as follows. Background related to this paper is discussed in Section 2. Section 3 gives general concepts of virtual machines and the VMware virtual environment. Sections 4 and 5 discuss the proposed method of acquiring and analysing VMware files, supported by implementation results. Conclusion and scope for future work are presented in Section 6.

II. BACKGROUND

Interest in virtualization for production systems is experiencing a resurgence, driven in part by the increase in resources such as multiple cores and large amounts of RAM in commodity x86-based systems. The growing attention provides an opportunity to perform analysis of a virtual machine from a perspective external to that virtual machine [2].

The virtual machine application ("guest") runs its own self-contained operating system within the actual machine ("host"). Virtual machines exist as a dozen or so files on the physical computer's hard disk. Traditional computer forensics was aimed at physical machines. Presently, organizations are virtualized and various crimes are carried out in virtual environments. Multiple virtual machines can run on the same host machine at the same time. The host machine and all the virtual machines are logically isolated from each other.

The earlier approach in computer forensics was to perform static forensics using tools like EnCase or FTK to acquire the hard disk image of the physical machine. This means shutting down the subject machine and performing a bit-by-bit copy of all the attached non-volatile storage media. Static analysis, however, can result in an incomplete picture of events. Among the limiting factors are the shutdown process, encrypted data, incomplete evidence, a single snapshot, and the impact on users.

Storage space is another important factor. Disk cloning is difficult in terabyte storage systems. Due to the many limitations of traditional forensics, live forensic acquisition seems to be a better alternative. It helps forensic practitioners access a variety of invaluable information that would have been lost in traditional forensic analysis.

Live forensics gathers data from running subject systems. It can provide additional contextual information, such as volatile memory and system states, that is not acquirable through static forensics.

Some methods have been proposed to use a virtual machine as forensic evidence or as a forensic tool. To treat a virtual machine as forensic evidence, a memory dump of the host physical machine is taken in the live environment and the virtual machine files


are identified. The acquired virtual machine files are used to boot the virtual machine in a host system. For using a virtual machine as a forensic tool, the subject system's OS is booted in a virtual machine, thereby generating a live subject system [3].

The above methods are only proofs of concept, and a lot of additional work has to be done to make them applicable to different conditions. These concepts are augmented in the proposed method by acquiring only the needed files and extracting the raw data stored in the virtual hard disk.

III. GENERAL CONCEPTS OF VIRTUAL MACHINES

The virtual machine concept is used in the computing world to solve problems like sharing the same hardware among many programs by partitioning the hardware, allowing software to be portable between various operating systems, and running older software on a newer computer.

The term virtual means anything that mimics a real object. This term is used in this context because a virtual machine should behave exactly like the real machine. A virtualization-enabled system runs multiple VMs under the control of a single VM monitor (VMM). Each VM receives a set of virtual hardware from the VMM and then interacts with it as though it were its own physical hardware. The VMM enforces isolation between each of the virtual machines, schedules the VM tasks, and provides a mechanism to support the virtual hardware using the underlying physical hardware or even emulated devices.

As organizations began moving functions from physical systems to virtual systems they ran straight into a new problem. Virtual machines are ephemeral; they can be generated, provisioned with the appropriate software and put into production very rapidly. In the same way, they can be halted and deleted when they are no longer needed. No labels define their location or presence. In this paper the focus will be on the use of a virtual machine as forensic evidence, which is an asset to the forensic toolbox.

A. VMware Virtual Environment

Virtualization software is most often used to emulate a complete computer system in order to allow a guest operating system to be run, for example allowing Windows Vista to run as a guest on top of a PC that is natively running a Microsoft Windows 7 operating system.

VMware Player is a freeware virtualization software package from M/s. VMware. Player allows a complete virtual machine to be copied at any time by copying a directory; although this is not a fully featured snapshot facility, it allows a copy of a machine in a particular state to be stored and reverted to later if desired, e.g. after a demonstration or a virus infection test.

When performing live acquisition, the following files are important to investigate and acquire:

.vmdk: the actual virtual hard disk for the virtual guest operating system.
.log: activity logs for a virtual machine.
.vmem: a backup of the virtual machine's paging file, which exists while the virtual machine is running or after it has crashed.
.vmsn: VMware snapshot files. This file stores the state of the virtual machine when the snapshot is created.
.vmsd: contains metadata about the snapshot.
.nvram: stores the BIOS information for the virtual machine.
.vmx: text file that contains the hardware and operating system configuration of the virtual machine.
.vmss: the state of a suspended virtual machine is stored in this file [4] [5].

IV. ACQUISITION OF VMWARE FILES

Live acquisition is the most effective and feasible way to acquire the needed files in the case of disks with large storage capacity.

The Windows registry has significant information which is valuable to the forensic analyst. This includes basic system information such as who had used the system and what applications are installed, and more detailed information on key system areas, such as what hardware was installed and what drives were mounted. The Windows registry is a significant forensic resource. The registry is a central hierarchical database used to store the information necessary to configure the system for one or more users, applications and hardware devices.

Any forensic examiner must be provided with additional information that supports the investigation, and the system information of the suspect system is one such item. The operating system referenced in this paper is Microsoft Windows 7.

The registry location holding the operating system name is:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName

The registry location holding the Windows installation path is:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PathName

The registry location holding the computer name is:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Windows NT\Control\ComputerName

The presence of the VMware virtual environment can be detected by searching the registry at the location shown in Figure 1.

Figure 1. Registry view of VMware Player location
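The two acquisition steps described in this section and the file types listed in Section III.A, written out as an added Python example that is not the paper's acquisition tool. It reads the VMware Player registry key that the paper names (only on Windows; elsewhere it reports nothing), walks the Table 1 host locations for the artifact extensions, copies every match into an evidence folder and writes a SHA-256 manifest, re-hashing each copy so a bad copy is caught at acquisition time. The suspect tree it runs against is constructed in a temporary directory; the user name "alice", the C: drive and the file contents are assumptions for the demonstration.

```python
"""Added example (not the paper's acquisition tool). Registry presence check,
artifact search over the Table 1 locations, verified copy and SHA-256 manifest.
The suspect file tree is constructed in a temp dir so the code runs offline."""
import hashlib
import os
import shutil
import sys
import tempfile

# File types from Section III.A and Table 1 (compared case-insensitively)
VM_EXTENSIONS = {".vmdk", ".vmx", ".vmxf", ".vmsd", ".vmsn", ".vmss",
                 ".vmem", ".nvram", ".log"}
# Key named on the page; its default value is the vmplayer.exe launch command
VMPLAYER_KEY = r"SOFTWARE\Classes\Applications\vmplayer.exe\shell\open\command"


def vmplayer_command():
    """Return the registry-recorded VMware Player command; None if absent or not Windows."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, VMPLAYER_KEY) as key:
            return winreg.QueryValue(key, None)
    except OSError:
        return None


def windows7_host_roots(user, drive="C:"):
    """Search roots from Table 1 for one profile name (drive letter is an assumption)."""
    return [os.path.join(drive + os.sep, "Users", user, "VMware"),
            os.path.join(drive + os.sep, "ProgramData", "VMware"),
            os.path.join(drive + os.sep, "Users", user, "AppData")]


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_vm_artifacts(roots, extensions=VM_EXTENSIONS):
    """Walk each existing root; return sorted (path, size, sha256) for matching files."""
    found = []
    for root in roots:
        if not os.path.isdir(root):
            continue                      # Table 1 location not present on this host
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if os.path.splitext(name)[1].lower() in extensions:
                    p = os.path.join(dirpath, name)
                    found.append((p, os.path.getsize(p), sha256_of(p)))
    return sorted(found)


def acquire(items, evidence_dir):
    """Copy artifacts into evidence_dir, re-hash the copies, write manifest.txt.
    Returns [(copied_path, sha256)]; a hash mismatch after copying raises."""
    os.makedirs(evidence_dir, exist_ok=True)
    copied = []
    with open(os.path.join(evidence_dir, "manifest.txt"), "w") as manifest:
        for idx, (src, size, digest) in enumerate(items):
            dst = os.path.join(evidence_dir, "%03d_%s" % (idx, os.path.basename(src)))
            shutil.copy2(src, dst)            # keeps the source timestamps
            if sha256_of(dst) != digest:
                raise IOError("hash mismatch after copying %s" % src)
            manifest.write("%s  %d  %s\n" % (digest, size, src))
            copied.append((dst, digest))
    return copied


def build_demo_tree():
    """Constructed stand-in for a suspect host laid out like Table 1."""
    base = tempfile.mkdtemp(prefix="vmacq_")
    vm_dir = os.path.join(base, "Users", "alice", "VMware", "Windows XP")
    os.makedirs(vm_dir)
    os.makedirs(os.path.join(base, "ProgramData", "VMware"))
    samples = {"Windows XP.vmdk": b"KDMV" + b"\0" * 508,   # fake 512-byte header only
               "Windows XP.vmx": b'displayName = "Windows XP"\n',
               "vmware.log": b"constructed log line\n",
               "notes.txt": b"not a VM artifact\n"}
    for name, body in samples.items():
        with open(os.path.join(vm_dir, name), "wb") as f:
            f.write(body)
    return base


def demo():
    """Run the acquisition against the constructed tree and summarise the outcome."""
    base = build_demo_tree()
    roots = [os.path.join(base, "Users", "alice", "VMware"),
             os.path.join(base, "ProgramData", "VMware")]
    items = collect_vm_artifacts(roots)
    copied = acquire(items, os.path.join(base, "evidence"))
    result = {"found": [os.path.basename(p) for p, _, _ in items],
              "copied": len(copied),
              "hashes_match": all(sha256_of(d) == h for d, h in copied)}
    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    print("vmplayer.exe command:", vmplayer_command())
    print(demo())
```

On a real host the roots come from windows7_host_roots(user) for each profile found under \Users, plus the user-defined VM folder taken from the vmplayer.exe key or the .vmx search; the manifest line (hash, size, original path) is what ties each copy back to its location on the suspect system.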
The corresponding key in the registry is HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\vmplayer.exe\shell\open\command [6], [7].

A custom search performed by the application will acquire the .vmdk and related VMware virtual machine files to a storage medium.

The flowchart of the live acquisition process is shown in Figure 2.

Figure 2. Flowchart of live acquisition process

Table 1 shows the files generated by VMware Player and their locations in the suspect system.

TABLE 1. FILES GENERATED BY VMWARE PLAYER ALONG WITH THEIR LOCATION

VMware Player files: .vmdk, .nvram, .vmsd, .vmx, .vmxf, .log

File locations in a Windows 7 host system:
1. User defined virtual machine folder (ex: I:\VMware\Windows XP)
2. \Users\UserName\VMware
3. \ProgramData\VMware
4. \Users\UserName\AppData

V. ANALYSIS OF VMWARE HARD DISK

Virtual machines created with VMware products typically use virtual disks. The virtual disks, stored as files on the host computer or on a remote storage device, appear to the guest operating system as standard disk drives. The acquired vmdk file (the virtual hard disk file of VMware) is analyzed to obtain valuable evidence.

General structure: the VMDK sparse extent data file contains the actual disk data. The layout of a sparse extent is as follows:

File header
Optional embedded descriptor
Secondary grain directory
Secondary grain tables
(Primary) grain directory
(Primary) grain tables
Grains

A. File Header

The file header is 512 bytes in size. Table 2 depicts the file header parameters along with their offset and size in bytes. The grain directory offset value obtained from the header points to the grain directory entries, as shown in Figures 3 and 4. Each entry in a grain directory is called a grain directory entry or GDE. A grain directory entry is the offset in sectors of a grain table in the sparse extent. The number of grain directory entries per grain directory (the size of the grain directory) depends on the length of the extent. A grain directory entry is a 32-bit quantity.

TABLE 2. VMDK FILE HEADER

Figure 3. Obtaining gdOffset value from VMDK header (VMDK file; header information; obtain offset to grain directory from gdOffset)
Figure 4. Grain directory entries pointing to grain table and finally to grains

The grain directory offset value obtained from the header points to a grain directory, which holds the offsets of the grain tables. Each entry in a grain table is called a grain table entry or GTE. A grain table entry points to the offset of a grain in the sparse extent. There are always 512 entries in a grain table, and a grain table entry is a 32-bit quantity. The grain table in turn contains the address of the grain, which contains the raw data. A grain is a block of sectors containing data for the virtual disk. The granularity is the size of a grain in sectors. It is a property of the extent and is specified in the sparse extent header as grainSize. The default is currently 128, thus each grain contains 64 KB of virtual machine data. The size of a sparse extent should be a multiple of grainSize. Each grain starts at an offset that is a multiple of the grain size.

The flowchart of the analysis process is shown in Figure 5.

Figure 5. Flowchart of analysis process

The raw data obtained from the various grains is decoded to get the files and folders stored in the hard disk using available tools like CyberCheck 4.0 developed by CDAC-Trivandrum, EnCase, FTK Imager, etc.

VI. IMPLEMENTATION RESULTS

The whole scenario of analysis of the Windows XP Professional.vmdk file is illustrated in Figures 6, 7 and 8.

Figure 6. Hex view of vmdk file showing grain directory entries

Figure 7. Hex view of vmdk file showing grain table entries
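The walk that Figures 3 to 8 trace by hand in a hex viewer (header, gdOffset, grain directory, grain table, grain), as an added Python example that is neither the paper's tool nor VMware's code. The header field names and the 32-bit sector-valued GDE and GTE entries follow VMware's Virtual Disk Format specification, which I assume is what the paper's Table 2 (absent from this copy) lists; the sample extent is constructed in memory rather than taken from a real .vmdk. The code reads the primary grain directory the paper describes, treats a zero GTE as a never-written grain (zero-filled in the reconstructed image), and refuses compressed (streamOptimized) extents, whose grains are not raw sectors, instead of mis-reading them.

```python
"""Added example (not the paper's code): parse a VMDK sparse extent header,
follow gdOffset to the grain directory, grain tables and grains, and rebuild the
raw disk image. Field layout per VMware's Virtual Disk Format spec (assumed to
match Table 2); the sample extent below is constructed in memory."""
import struct

SECTOR = 512
VMDK_MAGIC = 0x564D444B            # bytes 'KDMV' read as a little-endian uint32
# Packed 512-byte SparseExtentHeader: uint32 x3, uint64 x4, uint32, uint64 x3,
# uint8, 4 end-of-line test chars, uint16 compressAlgorithm, 433 pad bytes
HDR_FMT = "<IIIQQQQIQQQBccccH433x"
HDR_FIELDS = ("magicNumber", "version", "flags", "capacity", "grainSize",
              "descriptorOffset", "descriptorSize", "numGTEsPerGT",
              "rgdOffset", "gdOffset", "overHead", "uncleanShutdown",
              "singleEndLineChar", "nonEndLineChar", "doubleEndLineChar1",
              "doubleEndLineChar2", "compressAlgorithm")
FLAG_COMPRESSED_GRAINS = 1 << 16   # streamOptimized extents: grains are not raw


def parse_header(data):
    """Decode the 512-byte file header into a dict and validate it."""
    hdr = dict(zip(HDR_FIELDS, struct.unpack(HDR_FMT, data[:SECTOR])))
    if hdr["magicNumber"] != VMDK_MAGIC:
        raise ValueError("not a VMDK sparse extent: bad magic")
    if hdr["flags"] & FLAG_COMPRESSED_GRAINS:
        raise NotImplementedError("compressed grains must be inflated first")
    return hdr


def read_descriptor(data, hdr):
    """Return the embedded text descriptor (empty if the header has none)."""
    if hdr["descriptorSize"] == 0:
        return ""
    start = hdr["descriptorOffset"] * SECTOR
    end = start + hdr["descriptorSize"] * SECTOR
    return data[start:end].rstrip(b"\0").decode("ascii", "replace")


def walk_grains(data, hdr):
    """Yield (logical_sector, file_offset) for every allocated grain.
    GDE = sector of a grain table, GTE = sector of a grain, 0 = unallocated."""
    gtes_per_gt = hdr["numGTEsPerGT"]
    sectors_per_gt = hdr["grainSize"] * gtes_per_gt
    num_gdes = -(-hdr["capacity"] // sectors_per_gt)          # ceiling division
    gd_off = hdr["gdOffset"] * SECTOR
    gdes = struct.unpack("<%dI" % num_gdes, data[gd_off:gd_off + 4 * num_gdes])
    for gd_idx, gde in enumerate(gdes):
        if gde == 0:
            continue
        gt_off = gde * SECTOR
        gtes = struct.unpack("<%dI" % gtes_per_gt, data[gt_off:gt_off + 4 * gtes_per_gt])
        for gt_idx, gte in enumerate(gtes):
            if gte == 0:
                continue                                      # never written
            logical = (gd_idx * gtes_per_gt + gt_idx) * hdr["grainSize"]
            if logical >= hdr["capacity"]:
                break
            yield logical, gte * SECTOR


def extract_raw_disk(data):
    """Flatten the sparse extent into a raw image; unallocated grains read as zeros."""
    hdr = parse_header(data)
    image = bytearray(hdr["capacity"] * SECTOR)
    grain_len = hdr["grainSize"] * SECTOR
    for logical, off in walk_grains(data, hdr):
        if off + grain_len > len(data):
            raise ValueError("grain at offset %d runs past end of extent" % off)
        image[logical * SECTOR:logical * SECTOR + grain_len] = data[off:off + grain_len]
    return bytes(image)


def build_sample_vmdk():
    """Constructed monolithicSparse extent: 1024-sector disk, 128-sector grains,
    only logical grains 0 and 3 allocated (at file sectors 128 and 256)."""
    grain_size, capacity, gtes_per_gt = 128, 1024, 512
    desc = b'# Disk DescriptorFile\nversion=1\ncreateType="monolithicSparse"\n'
    hdr = struct.pack(HDR_FMT, VMDK_MAGIC, 1, 3, capacity, grain_size,
                      1, 1, gtes_per_gt, 2, 7, 128, 0, b"\n", b" ", b"\r", b"\n", 0)
    img = bytearray(SECTOR * (128 + 2 * grain_size))   # overhead + two grains
    img[0:SECTOR] = hdr
    img[SECTOR:SECTOR + len(desc)] = desc
    gt = [0] * gtes_per_gt
    gt[0], gt[3] = 128, 256
    gt_bytes = struct.pack("<%dI" % gtes_per_gt, *gt)
    for gd_sector, gt_sector in ((2, 3), (7, 8)):     # redundant and primary copies
        img[gd_sector * SECTOR:gd_sector * SECTOR + 4] = struct.pack("<I", gt_sector)
        img[gt_sector * SECTOR:gt_sector * SECTOR + len(gt_bytes)] = gt_bytes
    img[128 * SECTOR:128 * SECTOR + 4] = b"GRN0"
    img[256 * SECTOR:256 * SECTOR + 4] = b"GRN3"
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_vmdk()
    header = parse_header(sample)
    print(read_descriptor(sample, header))
    for logical, off in walk_grains(sample, header):
        print("logical sector %5d <- file offset 0x%x" % (logical, off))
    print("raw image bytes:", len(extract_raw_disk(sample)))
```

The flattened image that extract_raw_disk returns is what the paper then hands to a file-system tool such as CyberCheck, EnCase or FTK Imager. If the primary directory at gdOffset is damaged, the same walk can be repeated from rgdOffset, the redundant copy the header also records; and a multi-extent disk (several .vmdk extents named in the descriptor) needs this done per extent.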
Figure 8. Hex view of vmdk file showing raw data in a grain

VII. CONCLUSION

As proposed by Brett Shavers, the time of the virtual machine has come. Cybercrimes are becoming prevalent, so forensic experts are eagerly hunting for victims in cyber space. Cyber-crime syndicates are exploiting virtual machines to commit heinous conspiracies to fulfill lucrative goals. To keep up with this new trend, this paper proposes techniques to obtain valuable evidence stored in the virtual hard disk. In this paper we provide methods for acquiring VMware files via live internal data acquisition. The analysis of the acquired VMware virtual hard disk file, following the file format specification to get the raw data from the various grains, is also discussed and supported by snapshots. Future work should be focused on forensics of the other acquired VMware files.

ACKNOWLEDGMENT

We would like to express thanks to the Resource Centre for Cyber Forensics division, CDAC-Trivandrum, for assisting in the proofing, testing and live demonstrations of the methods described in this paper. We hope that our research can assist law enforcement with their investigations.

REFERENCES

[1] Diane Barrett and Greg Kipper, Virtualization and Forensics: A Digital Forensic Investigator's Guide to Virtual Environments, 1st ed., Syngress, pp. 1-25, June 2010.
[2] B. Hay, M. Bishop and K. Nance, "Live Analysis: Progress and Challenges," IEEE Security and Privacy, vol. 7, pp. 30-37, March 2009.
[3] Lei Zhang, Dong Zhang and Lianhai Wang, "Live Digital Forensics in a Virtual Machine," International Conference on Computer Application and System Modelling (ICCASM), IEEE Society, pp. V4-328-332, 2010.
[4] Dan Kusnetzky, Virtual Machines: You Have to See Them to Manage Them, Kusnetzky Group, pp. 1-3, October 2007.
[5] Brett Shavers, A Discussion of Virtual Machines Related to Forensics Analysis, November 2008.
[6] Youngsoo Kim and Dowon Hong, "Windows Registry and Hiding Suspects' Secret in Registry," Development of Digital Forensic System for Information Transparency, IEEE Computer Society, pp. 393-398, 2008.
[7] Kisik Chang, Gibum Kim, Kwonyoup Kim and Woosuk Kim, "Initial Case Analysis using Windows Registry in Computer Forensics," unpublished.