A virtual machine is a software application with which one can create separate operating-system environments. Each environment limits the use of its hardware and software resources. Ideally, an individual virtual machine behaves as an independent system with its own operating system and hardware, and the user controls each environment independently.
· Saves hardware resources.
· The cost of using a virtual machine is lower.
· Energy resources are saved.
Virtual machines are widely used for testing software, disaster recovery, education, business continuity and forensics. Here we will limit ourselves to the use of virtual machines in forensics.
Virtual Machines and Forensics
A beneficial and unintended use of virtual machines is in the field of forensic examination. VMware Workstation, Player and Server are the three products widely used in virtual machine forensics. VMware Workstation is the most commonly used of these because of the large number of features it supports; however, it is not freely available. VMware Server comes next: its features are a bit more limited, but it is available free of cost. VMware Player is free and can run VMware virtual machines, but offers no configuration options.
With the increasing use of virtual machines and the ability of VMware to boot a forensic image, it is proposed to use VMware Workstation as part of virtual machine malware analysis. At present no other application offers the features and functions of VMware Workstation, so it is widely used in forensics.
The following files are generally associated with VMware virtual machines and are important from the virtual machine analysis point of view.
.LOG – Contains the log of activities for a virtual machine.
.VMDK – For a virtual guest OS, the virtual hard drive, which can be either static or dynamic.
.VMEM – The backup of the paging file of the virtual machine.
.VMSN – Snapshot files of VMware that store the state of the virtual machine at the time the snapshot is created.
.VMSD – Contains metadata about the snapshots.
Recovery of Deleted or Encrypted Virtual Machine
Any deleted file can be recovered and used for forensic examination. Even if the offender deletes a file to the Recycle Bin and empties it, the file can be recovered for review. Because of their large size, virtual machine files cannot be sent to the Recycle Bin; they are deleted directly by the system, but they can still be recovered for analysis.
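One recovery technique for a deleted .VMDK, added here as an example (not code from the original post): sparse VMDK extents begin with a fixed 512-byte header whose first four bytes are the magic "KDMV", so a raw image of the disk or of its unallocated space can be scanned for that magic, and the header fields checked for plausibility before a hit is treated as a recovered disk. The image scanned below is constructed in memory and includes a decoy magic to show the plausibility checks rejecting it.

```python
import struct

SECTOR = 512
VMDK_MAGIC = b"KDMV"                      # 0x564D444B stored little-endian
# Leading fields of the packed, little-endian SparseExtentHeader:
# magic, version, flags, capacity, grainSize, descriptorOffset, descriptorSize,
# numGTEsPerGT, rgdOffset, gdOffset, overHead, uncleanShutdown (sizes in sectors)
HEADER_FMT = "<IIIQQQQIQQQB"
HEADER_LEN = struct.calcsize(HEADER_FMT)


def parse_sparse_header(blob):
    """Decode one header; return None unless it passes basic plausibility checks."""
    if len(blob) < HEADER_LEN or blob[:4] != VMDK_MAGIC:
        return None
    (_, version, _flags, capacity, grain, desc_off, desc_size,
     gtes_per_gt, _rgd, _gd, _overhead, unclean) = struct.unpack(HEADER_FMT, blob[:HEADER_LEN])
    if version not in (1, 2, 3):              # versions the sparse format has used
        return None
    if grain == 0 or grain & (grain - 1):     # grain size must be a power of two
        return None
    if capacity == 0 or gtes_per_gt == 0:
        return None
    return {
        "version": version,
        "capacity_bytes": capacity * SECTOR,
        "grain_bytes": grain * SECTOR,
        "descriptor_offset": desc_off * SECTOR,
        "descriptor_bytes": desc_size * SECTOR,
        "unclean_shutdown": bool(unclean),
    }


def carve_vmdk_headers(image):
    """Return every sector-aligned, plausible sparse-extent header in `image`, with its offset."""
    hits = []
    pos = image.find(VMDK_MAGIC)
    while pos != -1:
        if pos % SECTOR == 0:                 # extents start on a sector boundary
            hdr = parse_sparse_header(image[pos:pos + SECTOR])
            if hdr:
                hdr["offset"] = pos
                hits.append(hdr)
        pos = image.find(VMDK_MAGIC, pos + 1)
    return hits


def build_sample_image():
    """Constructed 'unallocated space': filler, a decoy magic, then a real 2 GiB sparse header."""
    filler = bytes(range(256))
    decoy = VMDK_MAGIC + b"\x00" * 508         # version 0: rejected by the checks
    header = struct.pack(HEADER_FMT, 0x564D444B, 1, 3, 4194304, 128, 1, 1, 512, 2, 1050, 1088, 0)
    header += b"\n \r\n" + struct.pack("<H", 0)           # line markers, compressAlgorithm
    header = header.ljust(SECTOR, b"\x00")
    descriptor = b'# Disk DescriptorFile\nversion=1\ncreateType="monolithicSparse"\n'
    return filler * 4 + decoy + filler * 10 + header + descriptor.ljust(SECTOR, b"\x00") + filler * 4


if __name__ == "__main__":
    for hit in carve_vmdk_headers(build_sample_image()):
        print(f'sparse VMDK header at offset {hit["offset"]}: version {hit["version"]}, '
              f'{hit["capacity_bytes"] // 2**30} GiB, descriptor at +{hit["descriptor_offset"]}')
```

On a real image the offset of each hit, together with the capacity and overhead fields, gives the examiner the byte range to copy out as a candidate extent; the plain-text descriptor that usually follows the header confirms the disk type before any attempt to mount the recovered file.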
Virtual machines can be encrypted at several layers; the encryption may be Windows encryption or third-party encryption. Experts can examine the virtual machine by simply bypassing the encryption: an encrypted virtual machine file is just another encrypted file and can be handled in the same way.
Conclusion
In the arena of technology, the concept of the virtual machine is blooming and spreading at a fast rate. Virtual machines closely resemble real computers, and examiners need to be aware of the fine line of difference between them and take full advantage of virtual machines in forensic analysis. The benefit of using a virtual machine for malware analysis is that a large amount of time is saved in the restoration process; moreover, the process can be repeated as many times as required.