Investigations & Virtualization
Someone once described virtualization as something you pay for but don't actually get. Client virtualization offers a similar analogy: A virtual machine is software that runs on a computer and allows a single host to appear as if it were itself a computer.
It's a technology that offers many benefits, but it also changes the nature of digital forensics investigations. VMs are increasingly the target or instrument of nefarious activity, but they are also used as the platform on which to perform examinations. The following tips can help digital forensics examiners familiarize themselves with virtualized client environments and their impact on computer forensics investigations.
DFEs should implement a VM on their own computer so that they understand how it is used. For example, install VM software, such as Parallels Desktop for Mac, Microsoft VirtualPC or VMware Workstation, on the host computer. To add a guest OS, start the VM application, configure a few parameters such as the amount of disk space and memory to allocate for the new VM, then install the guest OS. This also provides an inexpensive way to gain experience with other OSes.
One difficulty that VMs present to DFEs is that the guest environment is fully self-contained in a small set of files on the host system. The examiner has to find the VM files in order to recover the guest OS and its contents. For example, VMware Fusion on a Mac stores the VM environment in a file with the extension .vmwarevm, while VMware on the PC uses a series of files with file extensions such as .vmdk, .nvram and .vmx. The VM files are often stored in directories with a name like "Virtual Machines."
The Windows Registry also maintains information that might be useful in finding VMs. Most Recently Used keys may provide pointers to VM application software, while File Associations keys will show the link between a VM application and relevant file extensions -- sometimes, even if the application has been removed from the system. Finally, traces of VMs may be found in the process list within RAM.
Because the VM is an environment inside of the host system, there are different methods that need to be considered for forensically imaging the guest OS environment.
Once imaged, the VM can be examined using the same tools and methods as a traditional system with that OS.
There are some situations where it would be useful to actually boot up a suspect computer, an action that is counter to all digital forensics best practices. One solution is to boot the suspect system into a VM from the suspect computer's image files. In this way, the examiner can see exactly what a user would see on the suspect computer without ever actually touching, and possibly altering, the suspect computer. LiveView is one such tool that can create a VMware virtual machine from raw (dd) image files.
Some computer forensics labs save a known, stable forensics environment as a VM and load a new VM for each new examination. In this way, all examinations start out in a forensically clean state, and a snapshot of the examination system is always available to this, or another, examiner.
The challenge of tracing a mobile virtual operating environment is exacerbated by today's high capacity, physically small media devices. A USB thumb drive with 1 gigabyte becomes the equivalent of a bootable CD-ROM, only a lot more convenient to carry.
Let's say a user wants access to the Internet but must elude detection. That person could put a small footprint operating system on a thumb drive, walk into an Internet cafÃ©, insert the thumb drive into a computer and reboot into the thumb drive's OS. (Alternatively, a VM with VM player software on a thumb drive could be used to mount a new OS without rebooting.)
The user could then do whatever he or she wanted to do on the host computer, unplug the thumb drive when finished, reboot the computer (if necessary), and leave without a trace. While it might be possible to track the activity back to the IP address of the physical computer, this scenario will leave no traces of the activity on the hard drive; few, if any, traces in the registry; and, upon rebooting, leave no trace in memory. This type of activity is nearly impossible to investigate.