Analyzing the Impact of a Virtual Machine on a Host Machine

  • Greg Dorn
  • Chris Marberry
  • Scott Conrad
  • Philip Craiger
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 306)

Abstract

As virtualization becomes more prevalent in the enterprise and in personal computing, there is a great need to understand the technology as well as its ramifications for recovering digital evidence. This paper focuses on trace evidence related to the installation and execution of virtual machines (VMs) on a host machine. It provides useful information regarding the types and locations of files installed by VM applications, the processes created by running VMs and the structure and identity of VMs, ancillary files and associated artifacts.

Keywords

Virtualization, virtual machine, VMware, Parallels

Copyright information

© IFIP International Federation for Information Processing 2009
