Virtualization and Forensics: A Digital Forensic Investigator's Guide to Virtual Environments

Paperback (Print)
Used and New from Other Sellers
Used and New from Other Sellers
from $44.37
Usually ships in 1-2 business days
(Save 29%)
Other sellers (Paperback)
  • All (10) from $44.37   
  • New (6) from $48.34   
  • Used (4) from $44.37   

Overview

Virtualization creates new and difficult challenges for forensic investigations. Operating systems and applications running in virtualized environments often leave few traces, yielding little evidence with which to conduct an investigation.

Virtualization and Forensics offers an in-depth view into the world of virtualized environments and the implications they have on forensic investigations. Part I explains the process of virtualization and the different types of virtualized environments. Part II details how virtualization interacts with the basic forensic process, describing the methods used to find virtualization artifacts in dead and live environments as well as identifying the virtual activities that affect the examination process. Part III address advanced virtualization issues, such as the challenges of virtualized environments, cloud computing, and the future of virtualization. After reading this book, you’ll be equipped to conduct investigations in these environments with confidence.

Read More Show Less

Product Details

  • ISBN-13: 9781597495578
  • Publisher: Elsevier Science
  • Publication date: 6/1/2010
  • Pages: 272
  • Sales rank: 1,326,388
  • Product dimensions: 7.50 (w) x 9.20 (h) x 0.70 (d)

Meet the Author

Diane Barrett has been a contract forensic examiner at ForenTech since Oct. 2006 and is Professor for Computer Forensics and Network Security programs at the University of Advancing Technology. Additionally, Diane is the Faculty Council Chair for the systems development group and teaches several short online classes for web-based learning sites such as HP and Forbes. CCNA, CISSP, ISSMP, IAM/IEM Certified Steganographer, CCE Certificate of completion.

Gregory Kipper is a futurist and strategic forecaster in emerging technologies. He specialized in IT security and information assurance for 17 years, working for the last 11 years in the fields of digital forensics and the impacts emerging technologies have on crime and crime fighting. Mr. Kipper has been the keynote speaker at select industry events, a digital forensics instructor, and a trusted advisor to both the government and commercial sectors. He has published books in the fields of digital forensics and emerging technologies, including: "Investigator's Guide to Steganography," "Wireless Crime and Forensic Investigation," and "Virtualization and Forensics."

Read More Show Less

Read an Excerpt

Visualization and Forensics

A Digital Forensic Investigator's Guide to Virtual Environments
By Diane Barrett Gregory Kipper

Syngress

Copyright © 2010 Elsevier Inc.
All right reserved.

ISBN: 978-1-59749-558-5


Chapter One

HOW VIRTUALIZATION HAPPENS

INFORMATION IN THIS CHAPTER

• Physical Machines

• How Virtualization Works

• Hypervisors

• Main Categories of Virtualization

• Benefits of Virtualization

• Cost of Virtualization

Just about every technology magazine and article published today mentions virtualization or cloud computing. According to the research published by Gartner, Inc., 18 percent of server workloads in 2009 ran on virtualized servers; that share will grow to 28 percent this year (2010) and reach almost half by 2012 (Messmer, 2009). The survey statistics show that large enterprises have driven server virtualization over the last several years and that VMware holds the largest market share against a handful of competitors, including Microsoft, Citrix, Red Hat, and others. There are close to six million virtual machines (VMs) believed to be in use today. Gartner analysts predict that virtualization will be the default for the enterprise over the next few years.

Furthermore, a Network World article by Dubie (2010) states that the CIOs who participated in the survey put virtualization as a top priority for 2010. This is up from the third position in 2009, and cloud computing technologies shot up from sixteenth place to the second priority for CIOs. With more emphasis being placed on going green and power becoming more expensive, virtualization offers cost benefits by decreasing the number of physical machines required within an environment. A virtualized environment offers reduced support by making testing and maintenance easier.

On the client side, the capability to run multiple operating environments allows a machine to support applications and services for an operating environment other than the primary environment. This reduces upgrade costs and allows more uniformity in desktop environments. The worldwide hosted virtual desktop (HVD) market will accelerate through 2013 to reach 49 million units, up from more than 500,000 units in 2009, according to Gartner, Inc. Worldwide HVD revenue will grow from about $1.3 billion to $1.5 billion in 2009, which is less than 1 percent of the worldwide professional PC market, to $65.7 billion in 2013 (Gammage & Jump, 2009).

Virtualization is also found on mobile devices. For example, the Garnet VM can run native Palm operating system (OS) applications on several models of the Nokia Internet Tablet. As of December 2009, it supports over 30,000 applications. It is estimated that by 2012, more than half of all new smartphones shipped will include hardware virtualization support.

In the data center, approximately 16 percent of the workload is virtualized. Figure 1.1 shows data from a TechTarget Virtualization Decisions 2009 survey, which collected data from July 2009 to September 2009 with responses from more than 900 IT professionals worldwide (Virtual Data CenterE-Zine, 2010).

These developments should be of interest to the digital forensic investigator for several reasons. First and foremost, computer forensics professionals will be required to detect and examine such environments. Virtual environments (VEs) are showing up from the desktop to the data center. In the case in which a virtual desktop is used, acquiring a dead drive image may produce very little, if any, evidence. An increase in the use of VEs and applications that can be run from a Universal Serial Bus (USB) device means that any incriminating evidence may not be readily found, especially if the device itself is not recovered. As the use of virtual machine environments (VMEs) increases, computer attackers are becoming increasingly interested in detecting the presence of VMEs, both locally and across the network. The interest is fueled by those who want to spread malware, steal data, or conceal activities. As malicious code is released that makes use of its own VME, it becomes essential for antimalware researchers to find ways to detect the VME in order to protect against malware.

Physical Machines

For purposes of discussion, and to provide a solid contrast for the remainder of this book, we define a physical machine as a hardware-based device such as a PC or server. Specifically, the physical computer is running at the electronic, or machine, level as opposed to the logical level. Physical machines also operate with much more direct access to the hardware, whereas users of VEs will relate to the data they access and work with based on the name of the file. A physical environment is concerned where the data is physically located on the sectors of the disk.

How Virtualization Works

A VM is a software implementation of a computer that executes programs like a physical machine. In "Formal Requirements for Virtualizable Third Generation Architectures," Popek and Goldberg, who have defined conditions that may be tested to determine whether architecture can support a VM, describe it as "an efficient, isolated duplicate of a real machine." VMs have been in use for many years, and some would say we have come full circle. The fundamental concept of a VM revolves around a software application that behaves as if it were its own computer. This is the original job sharing mechanism prominent in mainframes. The VM application ("guest") runs its own self-contained OS on the actual ("host") machine. Put simply, a VM is a virtual computer running inside a physical computer. The virtual OS can range from a Windows environment to a Macintosh environment and is not limited to one per host machine. For example, you may have a Windows XP host machine with Linux and Windows 2003 VMs. Figure 1.2 shows Linux XP and Windows 2003 server VMs running on a Windows XP host machine.

The explosion of x86 servers revived interest in virtualization. The primary driver was the potential for server consolidation. Virtualization allowed a single server to replace multiple dedicated servers with underutilized resources.

Popek and Goldberg explained virtualization through the idea of a virtual machine monitor (VMM). A VMM is a piece of software that has three essential characteristics. First, the VMM provides an environment for programs that is fundamentally identical to the environment on the physical machine; second, programs that run in this environment have very little speed degradation compared with the physical machine; and finally, the VMM has total control of system resources. However, the x86 architecture did not achieve the "classical virtualization" as defined by the Popek and Goldberg virtualization requirements, and binary translation of the guest kernel code was used instead. This is because x86 OSes are designed to run directly on the physical hardware and presume that they control the computer hardware. Virtualization of the x86 architecture has been accomplished through either full virtualization or paravirtualization. Both create the illusion of physical hardware to achieve the goal of OS independence from the hardware but present some trade-offs in performance and complexity. Creating this illusion is done by placing a virtualization layer under the OS to create and manage the VM. Full virtualization or paravirtualization will be discussed later in this chapter. Both Intel and AMD have now introduced architecture that supports classical virtualization.

For a very in-depth explanation of virtualization, there are several published papers explaining the highly technical details of how virtualization works. For example, Adams and Agesen (2006) from VMware have written "A Comparison of Software and Hardware Techniques for x86 Virtualization." The current associated link is in the reference section at the end of this chapter.

In a physically partitioned system, more than one OS can be hosted on the same machine. The most common example of this type of environment is a dual-boot system where Microsoft and Linux OSes coexist on the same system. Each of these partitions is being supported by a single OS. VM software products allow an entire stack of software to be encapsulated in a container called a VM. The encapsulation starts at the OS and runs all the way up to the application level. This type of technology has the capability to run more than one VM on a single physical computer provided that the computer has sufficient processing power, memory, and storage. Individual VMs are isolated from one another to provide a compartmentalized environment. Each VM contains its own environment just like a physical server and includes an OS, applications, and networking capabilities. The VMs are managed individually similar to a physical environment. Unlike a physically partitioned machine, VM products allow multiple OSes to exist on one partition.

Virtualizing Operating Systems

Virtualized OSes can be used in a variety of ways. These environments allow the user to play with questionable or malicious software in a sandbox-type environment. For example, VMs can be used to see how different OSes react to an attack or a virus. It can give the user access to a Linux environment without having to dual boot the laptop or PC. Finally, it allows an investigator to mount a suspect environment to see the environment just as the suspect used it. This can be helpful in presenting cases to a judge or jury. Showing the environment can have a big impact, especially if it can convey the content in a manner that the judge and jury would understand. Booting up a machine that has a pornographic background gets the point across much faster and clearer in the courtroom and in litigation conferences. Figure 1.3 shows the concept behind virtualizing OSes.

Virtualizing Hardware Platforms

Hardware virtualization, sometimes called platform or server virtualization, is executed on a particular hardware platform by host software. Essentially, it hides the physical hardware. The host software that is actually a control program is called a hypervisor. The hypervisor creates a simulated computer environment for the guest software that could be anything from user applications to complete OSes. The guest software performs as if it were running directly on the physical hardware. However, access to physical resources such as network access and physical ports is usually managed at a more restrictive level than the processor and memory. Guests are often restricted from accessing specific peripheral devices. Managing network connections and external ports such as USB from inside the guest software can be challenging. Figure 1.4 shows the concept behind virtualizing hardware platforms.

Server Virtualization

Server virtualization is actually a subset of hardware virtualization. This concept is most prominently found in data centers. It is mostly relied on as a power-saving measure for enterprises in an effort to implement cost-effective data centers and utilize the increased hardware resource capability of servers. In server virtualization, many virtual servers are contained on one physical server. This configuration is hidden to server users. To the user, the virtual servers appear exactly like physical servers.

Server virtualization has become part of an overall virtualization trend in enterprise environments, which also includes storage and network virtualization along with management solutions. Server virtualization can be used in many other enterprise scenarios including the elimination of server sprawl, more efficient use of server resources, improved server availability, and disaster recovery, as well as in testing and development. This trend is also part of the autonomic computing development, in which the server environment will be able to manage itself based on perceived activity. Chapter 11, "Visions of the Future: Virtualization and Cloud Computing," discusses the autonomic computing concept.

Hypervisors

In virtualization technology, a hypervisor is a software program that manages multiple OSes (or multiple instances of the same OS) on a single computer system. The hypervisor manages the system's processor, memory, and other resources to allocate what each OS requires.

Bare-Metal Hypervisor (Type 1

Bare-metal or Type 1 hypervisors are hypervisors that install directly on top of the physical server. Basically, it is a thin OS that controls the hardware, handles resource scheduling, and monitors the guest. Type 1 native or bare-metal hypervisors are run directly on the hardware platform. The guest OS is not aware that it is not running on real hardware and does not require any modification, but it does require resources from the host.

The guest OS actually runs at the second level above the hardware. The hypervisor or VMM coordinates instructions between the guest and the host CPU. What that means is that the guest OS is controlled by the host system and the guest uses a virtual architecture, which is almost like the physical hardware. Type 1 hypervisors are typically the preferred approach to virtualization because they deal directly with the hardware, so higher virtualization efficiency is achieved. Some examples of the type of hypervisor are VMware ESX, Citrix XenServer, and Microsoft Hyper-V.

Embedded Hypervisor

A Type 1 hypervisor that supports the requirements of embedded system's development is an embedded hypervisor. Embedded hypervisors are designed into the hardware device itself. This is similar to the way a computer basic input/output system (BIOS) works. The difference is that embedded hypervisors require additional steps such as formatting the machine storage for a particular product. Dell has been offering the VMware ESX3i hypervisor and the embedded Citrix XenServer hypervisor in the PowerEdgeTR805 and R905 models since mid-2008. In early 2009, LynuxWorks released an embedded hypervisor for high-assurance systems that runs on Intel Core 2 Duo processor-based systems. Some computer and server vendors ship new machines with embedded hypervisors.

The chips used in the embedded industry have less horsepower, the amount of memory they have is limited, and their use may be tied to a particular vendor, but they are popular because they can reduce attack exposure, minimize the number of drivers required, allow for boot up from VM images, and allow all virtual images to be stored on a single storage area network (SAN). Some of the compelling reasons for using embedded hypervisors are as follows:

• Support for multiple operating systems

• Secure encapsulation for any subsystem defined by the developer

• Failure of any subsystem cannot affect other subsystems

• Support for legacy embedded code

• Intellectual property protection from theft or misuse

• Migration of applications to multicore systems

The term embedded hypervisor is not restricted to just servers. For example, VMware and Citrix Systems have releases of a client-side Type 1 hypervisor that can be embedded. Embedded hypervisor technology can be used in systems to control automated machinery on a manufacturing floor or large medical devices. These hypervisors manage the underlying hardware differently from those offered for server virtualizations such as VMware, Citrix, and Microsoft, but the principle is the same. Another growing area for the use of embedded hypervisors is mobile devices. For example, in late 2008, Open Kernel Labs (OK Labs) released an embedded hypervisor named OKL4 that is used on the Qualcomm chipset inside a commercial Android-powered handset.

Hosted Hypervisor (Type 2)

A hosted or Type 2 hypervisor is software that runs on top of an already installed standard OS environment, such as Linux or Windows. The guest OS runs at the third level above the hardware. The hypervisor's control of resources is based on the resources presented by the underlying OS. The hypervisor merely runs as an application on the preconfigured OS, and the guest OS running on the hypervisor is the VM. The state of the guest OS is entirely encapsulated. Type 2 hypervisors are mainly used in systems where there is a need for a variety of input/output devices that can be supported by the host OS and in client systems where efficiency is less critical. Examples of this type of environment are Parallels Workstation, Microsoft Virtual Server, VMware Server, and VMware Workstation.

(Continues...)



Excerpted from Visualization and Forensics by Diane Barrett Gregory Kipper Copyright © 2010 by Elsevier Inc.. Excerpted by permission of Syngress. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.

Read More Show Less

Table of Contents

PART 1. VIRTUALIZATION Chapter 1. How Virtualization Happens Chapter 2. Server Virtualization Chapter 3. Desktop Virtualization Chapter 4. Portable Virtualization, Emulators, and Appliances

PART 2. FORENSICS Chapter 5. Investigating Dead Virtual Environments Chapter 6. Investigating Live Virtual Environments Chapter 7. Finding and Imaging Virtual Environments

PART 3. ADVANCED VIRTUALIZATION Chapter 8. Virtual Environments and Compliance Chapter 9. Virtualization Challenges Chapter 10. Cloud Computing and the Forensic Challenges Chapter 11. Visions of the Future: Virtualization and Cloud Computing Appendix: Performing Physical-to-Virtual and Virtual-to-Virtual Migrations

Read More Show Less

Customer Reviews

Be the first to write a review
( 0 )
Rating Distribution

5 Star

(0)

4 Star

(0)

3 Star

(0)

2 Star

(0)

1 Star

(0)

Your Rating:

Your Name: Create a Pen Name or

Barnes & Noble.com Review Rules

Our reader reviews allow you to share your comments on titles you liked, or didn't, with others. By submitting an online review, you are representing to Barnes & Noble.com that all information contained in your review is original and accurate in all respects, and that the submission of such content by you and the posting of such content by Barnes & Noble.com does not and will not violate the rights of any third party. Please follow the rules below to help ensure that your review can be posted.

Reviews by Our Customers Under the Age of 13

We highly value and respect everyone's opinion concerning the titles we offer. However, we cannot allow persons under the age of 13 to have accounts at BN.com or to post customer reviews. Please see our Terms of Use for more details.

What to exclude from your review:

Please do not write about reviews, commentary, or information posted on the product page. If you see any errors in the information on the product page, please send us an email.

Reviews should not contain any of the following:

  • - HTML tags, profanity, obscenities, vulgarities, or comments that defame anyone
  • - Time-sensitive information such as tour dates, signings, lectures, etc.
  • - Single-word reviews. Other people will read your review to discover why you liked or didn't like the title. Be descriptive.
  • - Comments focusing on the author or that may ruin the ending for others
  • - Phone numbers, addresses, URLs
  • - Pricing and availability information or alternative ordering information
  • - Advertisements or commercial solicitation

Reminder:

  • - By submitting a review, you grant to Barnes & Noble.com and its sublicensees the royalty-free, perpetual, irrevocable right and license to use the review in accordance with the Barnes & Noble.com Terms of Use.
  • - Barnes & Noble.com reserves the right not to post any review -- particularly those that do not follow the terms and conditions of these Rules. Barnes & Noble.com also reserves the right to remove any review at any time without notice.
  • - See Terms of Use for other conditions and disclaimers.
Search for Products You'd Like to Recommend

Recommend other products that relate to your review. Just search for them below and share!

Create a Pen Name

Your Pen Name is your unique identity on BN.com. It will appear on the reviews you write and other website activities. Your Pen Name cannot be edited, changed or deleted once submitted.

 
Your Pen Name can be any combination of alphanumeric characters (plus - and _), and must be at least two characters long.

Continue Anonymously

    If you find inappropriate content, please report it to Barnes & Noble
    Why is this product inappropriate?
    Comments (optional)