Prior Publisher

The Association of Digital Forensics, Security and Law (ADFSL)


The issue of the volatility of virtual machines is perhaps the most pressing concern in any digital investigation. Current digital forensics tools do not fully address the complexities of data recovery that are posed by virtual hard drives. It is necessary, for this reason, to explore ways to capture evidence other than those using current digital forensic methods. This should be done in the most efficient and secure manner, as quickly, and in a non-intrusive way as can be achieved. All data in a virtual machine is disposed of when that virtual machine is destroyed, it may not therefore be possible to extract and preserve evidence such as incriminating images prior to destruction. Recovering that evidence, or finding some way of associating that evidence with the virtual machine before its destruction, is therefore crucial. In this paper, we present a method of extracting evidence from a virtual hard disk drive in a quick, secure and verifiable manner, with a minimum impact on the drive thus preserving its integrity for further analysis.


Casey, E. (2011). Digital evidence and computer crime: Forensic science, computers, and the internet. Academic press.

Dykstra, J., & Sherman, A. T. (2012). Acquiring forensic evidence from infrastructure-as-a-service cloud computing: Exploring and evaluating tools, trust, and techniques. Digital Investigation, 9, S90- S98.

Goldberg, R. P. (1974). Survey of virtual machine research. Computer, 7(6), 34-45.

Kremer, J. (2010). Cloud Computing and Virtualization. White paper on virtualization.

Cusumano, M. (2010). Cloud computing and SaaS as new computing platforms. Communications of the ACM, 53(4), 27-29.

Barrett, D., & Kipper, G. (2010). Virtualization and forensics: A digital forensic investigator’s guide to virtual environments. Syngress.

Cai, H., Wang, N., & Zhou, M. J. (2010, July). A transparent approach of enabling SaaS multi-tenancy in the cloud. In Services (services-1), 2010 6th world congress on (pp. 40-47). IEEE.

Bitner, B., & Greenlee, S. (2012). z/VM A Brief Review of Its 40 Year History.

Brick, D. (2011, January). Technical challenges of forensic investigations in cloud computing environments. In workshop on cryptography and security in clouds.

Garfinkel, T., & Rosenblum, M. (2003, February). A Virtual Machine Introspection Based Architecture for Intrusion Detection. In Ndss (Vol. 3, No. 2003, pp. 191-206).

Nance, K., Bishop, M., & Hay, B. (2008). Virtual machine introspection: Observation or interference?. IEEE Security & Privacy, 6(5).

Carrier, B., & Spafford, E. H. (2003). Getting physical with the digital investigation process. International Journal of digital evidence, 2(2), 1-20.

Bahram, S., Jiang, X., Wang, Z., Grace, M., Li, J., Srinivasan, D., ... & Xu, D. (2010, October). Dksm: Subverting virtual machine introspection for fun and profit. In Reliable Distributed Systems, 2010 29th IEEE Symposium on (pp. 82-91). IEEE.

The Volatility Foundation (2013 - 2014) Retrieved from http://www.volatilityfoundation.org/

Payne, B. D. (2012). Simplifying virtual machine introspection using libvmi. Sandia report, 43-44.

Wilkinson, S., (2012). Good practice guide for computer-based electronic evidence. Association of Chief Police Officers.

Guidelines for identification, collection, acquisition and preservation of digital evidence, (2012), Retrieved from https://www.iso.org/obp/ui/#iso:std:isoiec: 27037:ed-1:v1:en

Ashcroft, J., Daniels, D., Hart, S., (April 2004). NIJ Special Report, (April 2004) Retrieved from https://www.ncjrs.gov/pdffiles1/nij/199408 .pdf

Kessler, G., (2016, February, 15th.), Guidelines on Digital Forensic Procedures for OLAF Staff, Retrieved from http://ec.europa.eu/anti_fraud/documents /forensics/guidelines_en.pdf

EnCASE® Forensic (1997 - 2016), Retrieved from forensic?cmpid=nav_r

SANS DFIR (2016) Retrieved from http://digital-forensics.sans.org/

Forensic Toolkit (FTK) (2016), from http://accessdata.com/solutions/digitalforensics/ forensic-toolkit-ftk

Carrier, B, (2013 - 2016) The Sleuthkit, Overview, Retrieved from http://www.sleuthkit.org/sleuthkit/

Tobin, P., & Kechadi, T. (2014, January). Virtual machine forensics by means of introspection and kernel code injection. In Proceedings of the 9th International Conference on Cyber Warfare & Security: ICCWS 2014 (p. 294).

Squillante, M. S., & Lazowska, E. D. (1993). Using processor-cache affinity information in shared-memory multiprocessor scheduling. Ieee transactions on parallel and distributed systems, 4(2), 131-143.

Wirzenius, Lars, Oja, J., Stafford, S., Weeks, A., (2016, 27th. January), Linux Systems Administrators Guide, Chapter 6 Memory Management, retrieved from http://www.tldp.org/LDP/sag/html/buffer - cache.html, accessed

Reuther, A., Michaleas, P., Prout, A., & Kepner, J. (2012, September). HPC-VMs: Virtual machines in high performance computing systems. In High Performance Extreme Computing (HPEC), 2012 IEEE Conference on (pp. 1-6). IEEE.

Joshi, A., King, S. T., Dunlap, G. W., & Chen, P. M. (2005, October). Detecting past and present intrusions through vulnerability-specific predicates. In ACM SIGOPS Operating Systems Review (Vol. 39, No. 5, pp. 91-104). ACM.

Love, R. (2003). Kernel korner: CPU affinity. Linux Journal, 2003(111), 8.

Dolan-Gavitt, B., Leek, T., Zhivich, M., Giffin, J. and Lee, W., (2011, May). Virtuoso: Narrowing the semantic gap in virtual machine introspection. In Security and Privacy (SP), 2011 IEEE Symposium on (pp. 297-312). IEEE.

Witteman, R., Meijer, A., Kechadi, M. T., & Le-Khac, N. A. (2016, April). Toward a new tool to extract the Evidence from a Memory Card of Mobile phones. In Digital Forensic and Security (ISDFS), 2016 4th International Symposium on (pp. 143-147). IEEE.

Faheem, M., Kechadi, M., & Le-Khac, N. A. (2016). The State of the Art Forensic Techniques in Mobile Cloud Environment: A Survey, Challenges and Current Trends. arXiv preprint arXiv:1611.09566.



To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.