Friday, February 6, 2015

An Introduction To Virtual Machine Forensics

A virtual machine is a software application with which one can create separate operating system environments. Each environment is limited to the hardware and software resources allotted to it. Ideally, an individual virtual machine behaves as an independent system with its own operating system and hardware, and the user controls each environment independently of the others.

Some advantages of virtual machines are:

· Hardware resources are saved.
· The cost of using a virtual machine is lower.
· Energy resources are saved.

Virtual machines are widely used for software testing, disaster recovery, education, business continuity and forensics. Here we limit ourselves to the use of virtual machines in forensics.

Virtual Machines and Forensics

A beneficial and unintended use of the virtual machine is in forensic examination. VMware Workstation, Player and Server are the three products most widely used in virtual machine forensics. VMware Workstation is the most commonly used of the three because of the large number of features it supports; however, it is not freely available. VMware Server comes next: its features are somewhat more limited, but it is available free of cost. VMware Player is also free and can run VMware virtual machines, but it offers no configuration options.

With the increasing use of virtual machines, and given VMware's ability to boot a forensic image, it is proposed to use VMware Workstation as part of virtual machine malware analysis. At present no other application offers the features and functions of VMware Workstation, so it is the product used throughout this discussion of forensics.

The following files are generally associated with VMware virtual machines and are important from the point of view of virtual machine analysis.

.LOG – The log of activities for a virtual machine.
.VMDK – The virtual hard drive of a guest OS; it can be either static or dynamic.
.VMEM – The backup of the virtual machine's paging file.
.VMSN – Snapshot files, which store the state of the virtual machine at the time a snapshot is created.
.VMSD – Contains metadata about the snapshots.
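
The file types listed above are what an examiner first inventories when a VM folder is collected. The script below is an added example, not code from the original post or from VMware: it classifies the files of a VM directory by extension, hashes each one so the inventory can be verified later, and parses the snapshot metadata. The `.vmsd` content it reads is constructed sample text in the `key = "value"` layout VMware uses; the specific keys (`snapshot.current`, `snapshotN.displayName`, `snapshotN.disk0.fileName`) are assumed here and a real file may carry more or fewer of them.

```python
import hashlib
import os
import re
import tempfile

# Artifact roles from the post, keyed by lowercase extension (.vmx added as the
# configuration file that ties the others together).
VM_ARTIFACTS = {
    ".vmx": "VM configuration",
    ".log": "activity log for the virtual machine",
    ".vmdk": "virtual hard drive (static or dynamic)",
    ".vmem": "backup of the guest paging file",
    ".vmsn": "snapshot state file",
    ".vmsd": "snapshot metadata",
}

# Constructed sample .vmsd content (assumed key names, VMware-style key = "value" lines).
SAMPLE_VMSD = """\
.encoding = "UTF-8"
snapshot.lastUID = "2"
snapshot.numSnapshots = "2"
snapshot.current = "2"
snapshot0.uid = "1"
snapshot0.filename = "evidence-Snapshot1.vmsn"
snapshot0.displayName = "Clean baseline"
snapshot0.numDisks = "1"
snapshot0.disk0.fileName = "evidence.vmdk"
snapshot1.uid = "2"
snapshot1.parent = "1"
snapshot1.filename = "evidence-Snapshot2.vmsn"
snapshot1.displayName = "After sample run"
snapshot1.numDisks = "1"
snapshot1.disk0.fileName = "evidence-000001.vmdk"
"""

_KV = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')


def parse_vmsd(text):
    """Parse key = "value" lines (vmsd/vmx style) into a dict; other lines are ignored."""
    meta = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            meta[m.group(1)] = m.group(2)
    return meta


def list_snapshots(meta):
    """Group snapshotN.<field> keys into one record per snapshot, ordered by N."""
    snaps = {}
    for key, value in meta.items():
        m = re.match(r"^snapshot(\d+)\.(.+)$", key)
        if m:
            snaps.setdefault(int(m.group(1)), {})[m.group(2)] = value
    return [snaps[i] for i in sorted(snaps)]


def current_snapshot(meta):
    """Return the snapshot record whose uid matches snapshot.current, or None."""
    cur = meta.get("snapshot.current")
    for snap in list_snapshots(meta):
        if snap.get("uid") == cur:
            return snap
    return None


def inventory(vm_dir):
    """One record per regular file: name, artifact role, size and SHA-256 for later verification."""
    records = []
    for name in sorted(os.listdir(vm_dir)):
        path = os.path.join(vm_dir, name)
        if not os.path.isfile(path):
            continue
        digest = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                digest.update(chunk)
        ext = os.path.splitext(name)[1].lower()
        records.append({"name": name, "role": VM_ARTIFACTS.get(ext, "unclassified"),
                        "size": os.path.getsize(path), "sha256": digest.hexdigest()})
    return records


def build_sample_vm(root):
    """Write a constructed, deliberately tiny VM folder so the example runs offline."""
    files = {
        "evidence.vmx": 'displayName = "evidence"\nscsi0:0.fileName = "evidence.vmdk"\n',
        "evidence.vmdk": "# Disk DescriptorFile\nversion=1\n",   # descriptor stub, not a real disk
        "evidence.vmsd": SAMPLE_VMSD,
        "evidence-Snapshot1.vmsn": "\x00" * 64,
        "evidence.vmem": "\x00" * 64,
        "vmware.log": "2015-02-06T10:00:00 | vmx| I120: VMware Workstation started\n",
    }
    for name, content in files.items():
        with open(os.path.join(root, name), "w") as f:
            f.write(content)
    return root


def run_demo():
    """Build the sample folder in a temp dir and return the inventory and parsed snapshot data."""
    root = build_sample_vm(tempfile.mkdtemp())
    meta = parse_vmsd(open(os.path.join(root, "evidence.vmsd")).read())
    return {"files": inventory(root), "snapshots": list_snapshots(meta),
            "current": current_snapshot(meta)}


if __name__ == "__main__":
    result = run_demo()
    for rec in result["files"]:
        print(f'{rec["sha256"][:16]}  {rec["size"]:>6}  {rec["name"]:<26} {rec["role"]}')
    for snap in result["snapshots"]:
        print("snapshot:", snap.get("displayName"), "->", snap.get("disk0.fileName"))
    print("current snapshot:", result["current"]["displayName"])
```

Hashing before any file is opened in VMware matters because running the VM rewrites the `.vmsd`, `.vmem` and delta `.vmdk` files; the inventory is what lets an examiner show which copy was the untouched original.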

Recovery of Deleted or Encrypted Virtual Machine

Deleted files can be recovered and used for forensic examination. Even if the offender deletes a file to the recycle bin and empties it, the files can be recovered for review. Because of its large size, a virtual machine file cannot be sent to the recycle bin; such files are deleted directly by the system, but they can still be recovered for analysis.
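
When the directory entry is gone, recovery of a deleted disk file comes down to carving: scanning the raw image for the header that a VMDK sparse extent begins with. The code below is an added example, not from the original post or from VMware; it locates the `KDMV` magic at sector-aligned offsets, parses the leading fields of the hosted sparse extent header (magic, version, flags, capacity, grain size, descriptor offset and size, and the grain table fields, all little-endian), rejects implausible hits, and pulls the embedded descriptor text. The image it scans is constructed inline, including a decoy `KDMV` inside text and an aligned decoy with an impossible version, so it runs offline; treat the sanity thresholds as assumptions to tune for a real case.

```python
import struct

VMDK_MAGIC = b"KDMV"          # 0x564d444b as little-endian bytes
SECTOR = 512
# Leading fields of the hosted sparse extent header, packed little-endian:
# magic, version, flags, capacity, grainSize, descriptorOffset, descriptorSize,
# numGTEsPerGT, rgdOffset, gdOffset, overHead (sizes in sectors) -> 72 bytes.
_HDR = struct.Struct("<IIIQQQQIQQQ")


def parse_sparse_header(buf, off):
    """Parse the header at buf[off:]; return a dict, or None if it is not a plausible VMDK."""
    if buf[off:off + 4] != VMDK_MAGIC or off + _HDR.size > len(buf):
        return None
    (_magic, version, _flags, capacity, grain, desc_off, desc_size,
     _gtes_per_gt, _rgd_off, _gd_off, _overhead) = _HDR.unpack_from(buf, off)
    # Assumed sanity limits so stray 'KDMV' bytes in slack are not reported as disks:
    # known header versions, non-zero capacity, power-of-two grain size.
    if version not in (1, 2, 3) or capacity == 0 or grain == 0 or grain & (grain - 1):
        return None
    descriptor = b""
    if desc_off and desc_size:
        start = off + desc_off * SECTOR
        descriptor = buf[start:start + desc_size * SECTOR].split(b"\x00", 1)[0]
    return {
        "offset": off,
        "version": version,
        "capacity_bytes": capacity * SECTOR,
        "grain_bytes": grain * SECTOR,
        "descriptor": descriptor.decode("ascii", "replace"),
    }


def carve_vmdk_headers(buf, align=SECTOR):
    """Scan a raw image for sparse VMDK headers at aligned offsets and return the parsed hits."""
    hits = []
    pos = buf.find(VMDK_MAGIC)
    while pos != -1:
        if pos % align == 0:
            hdr = parse_sparse_header(buf, pos)
            if hdr:
                hits.append(hdr)
        pos = buf.find(VMDK_MAGIC, pos + 1)
    return hits


def build_sample_image():
    """Constructed image: junk, one fake VMDK header plus descriptor, junk, two decoys, junk."""
    descriptor = (b"# Disk DescriptorFile\nversion=1\ncreateType=\"monolithicSparse\"\n"
                  b"RW 2048 SPARSE \"evidence.vmdk\"\n")
    header = _HDR.pack(struct.unpack("<I", VMDK_MAGIC)[0], 1, 3,
                       2048,      # capacity: 2048 sectors = 1 MiB
                       128,       # grain size: 128 sectors = 64 KiB
                       1, 1,      # descriptor at sector 1, one sector long
                       512, 0, 2, 128)
    junk = b"\xA5" * (3 * SECTOR)
    decoy_text = b"log text KDMV not a disk".ljust(SECTOR, b"\x00")   # magic not aligned
    decoy_bad = (VMDK_MAGIC + b"\xff" * 508)                          # aligned, bad version
    return (junk + header.ljust(SECTOR, b"\x00") + descriptor.ljust(SECTOR, b"\x00")
            + junk + decoy_text + decoy_bad + junk)


if __name__ == "__main__":
    for hit in carve_vmdk_headers(build_sample_image()):
        print(f'VMDK header at offset {hit["offset"]}: {hit["capacity_bytes"]} bytes capacity, '
              f'{hit["grain_bytes"]}-byte grains')
        print(hit["descriptor"])
```

On a real image the scan would read the file in overlapping chunks rather than holding it in memory, and a hit is only the start of the extent: the descriptor's `RW ... SPARSE` line and the grain directory are what tell the examiner how far the recoverable data extends and which delta disks (snapshot children) reference it.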

Virtual machines may be encrypted through several layers; the encryption can be either Windows encryption or a third-party encryption. Experts can examine the virtual machines by bypassing the encryption. An encrypted virtual machine file is just another encrypted file and can be handled in the same way.

In technology, the concept of the virtual machine is blooming and spreading at a fast rate. Virtual machines are identical to real computers; examiners need to be aware of the fine line of difference between them and take full advantage of the virtual machine in forensic analysis. The benefit of using a virtual machine for malware analysis is that a large amount of time is saved in the restoration process. Moreover, the process can be repeated as many times as required.
