Prior Publisher
The Association of Digital Forensics, Security and Law (ADFSL)
Abstract
Virtualized environments can make forensic investigation more difficult. Technological advances in virtualization tools essentially make removable media a PC that can be carried around in a pocket or around a neck. Running operating systems and applications this way leaves very little trace on the host system. This paper will explore all the newest methods for virtualized environments and the implications they have on the world of forensics. It will begin by describing and differentiating between software and hardware virtualization. It will then move on to explain the various methods used for server and desktop virtualization. Next, it will explain how virtualization affects the basic forensic process. Finally, it will describe the common methods to find virtualization artifacts and identify virtual activities that affect the examination process of certain virtualized user environments.
Recommended Citation
Barrett, Diane (2008) "Trends in Virtualized User Environments," Journal of Digital Forensics, Security and Law: Vol. 3, Article 1.
DOI: https://doi.org/10.15394/jdfsl.2008.1038
Available at: https://commons.erau.edu/jdfsl/vol3/iss2/1
Included in
Computer Engineering Commons, Computer Law Commons, Electrical and Computer Engineering Commons, Forensic Science and Technology Commons, Information Security Commons