Uh-oh, it looks like your Internet Explorer is out of date.

For a better shopping experience, please upgrade now.

Virtualization and Forensics: A Digital Forensic Investigator's Guide to Virtual Environments

Virtualization and Forensics: A Digital Forensic Investigator's Guide to Virtual Environments

by Diane Barrett

See All Formats & Editions

Virtualization and Forensics: A Digital Forensic Investigators Guide to Virtual Environments provides an introduction to virtualized environments and their implications on forensic investigations. It emphasizes the need for organizations using virtualization to be proactive rather than reactive. Being proactive means learning the methods in this book to train staff,


Virtualization and Forensics: A Digital Forensic Investigators Guide to Virtual Environments provides an introduction to virtualized environments and their implications on forensic investigations. It emphasizes the need for organizations using virtualization to be proactive rather than reactive. Being proactive means learning the methods in this book to train staff, so when an incident occurs, they can quickly perform the forensics and minimize the damage to their systems.
The book is organized into three parts. Part I deals with the virtualization process and the different types of virtualized environments. It explains how virtualization happens along with the various methods of virtualization, hypervisors, and the main categories of virtualization. It discusses server virtualization, desktop virtualization, and the various portable virtualization programs, emulators, and appliances. Part II details how virtualization interacts with the basic forensic process. It describes the methods used to find virtualization artifacts in dead and live environments, and identifies the virtual activities that affect the examination process. Part III addresses advanced virtualization issues, such as the challenges of virtualized environments, cloud computing, and the future of virtualization.

  • Named a 2011 Best Digital Forensics Book by InfoSec Reviews
  • Gives you the end-to-end knowledge needed to identify server, desktop, and portable virtual environments, including: VMware, Parallels, Microsoft, and Sun
  • Covers technological advances in virtualization tools, methods, and issues in digital forensic investigations
  • Explores trends and emerging technologies surrounding virtualization technology

Product Details

Elsevier Science
Publication date:
Sold by:
Barnes & Noble
File size:
5 MB

Read an Excerpt

Visualization and Forensics

A Digital Forensic Investigator's Guide to Virtual Environments
By Diane Barrett Gregory Kipper


Copyright © 2010 Elsevier Inc.
All right reserved.

ISBN: 978-1-59749-558-5

Chapter One



• Physical Machines

• How Virtualization Works

• Hypervisors

• Main Categories of Virtualization

• Benefits of Virtualization

• Cost of Virtualization

Just about every technology magazine and article published today mentions virtualization or cloud computing. According to the research published by Gartner, Inc., 18 percent of server workloads in 2009 ran on virtualized servers; that share will grow to 28 percent this year (2010) and reach almost half by 2012 (Messmer, 2009). The survey statistics show that large enterprises have driven server virtualization over the last several years and that VMware holds the largest market share against a handful of competitors, including Microsoft, Citrix, Red Hat, and others. There are close to six million virtual machines (VMs) believed to be in use today. Gartner analysts predict that virtualization will be the default for the enterprise over the next few years.

Furthermore, a Network World article by Dubie (2010) states that the CIOs who participated in the survey put virtualization as a top priority for 2010. This is up from the third position in 2009, and cloud computing technologies shot up from sixteenth place to the second priority for CIOs. With more emphasis being placed on going green and power becoming more expensive, virtualization offers cost benefits by decreasing the number of physical machines required within an environment. A virtualized environment offers reduced support by making testing and maintenance easier.

On the client side, the capability to run multiple operating environments allows a machine to support applications and services for an operating environment other than the primary environment. This reduces upgrade costs and allows more uniformity in desktop environments. The worldwide hosted virtual desktop (HVD) market will accelerate through 2013 to reach 49 million units, up from more than 500,000 units in 2009, according to Gartner, Inc. Worldwide HVD revenue will grow from about $1.3 billion to $1.5 billion in 2009, which is less than 1 percent of the worldwide professional PC market, to $65.7 billion in 2013 (Gammage & Jump, 2009).

Virtualization is also found on mobile devices. For example, the Garnet VM can run native Palm operating system (OS) applications on several models of the Nokia Internet Tablet. As of December 2009, it supports over 30,000 applications. It is estimated that by 2012, more than half of all new smartphones shipped will include hardware virtualization support.

In the data center, approximately 16 percent of the workload is virtualized. Figure 1.1 shows data from a TechTarget Virtualization Decisions 2009 survey, which collected data from July 2009 to September 2009 with responses from more than 900 IT professionals worldwide (Virtual Data CenterE-Zine, 2010).

These developments should be of interest to the digital forensic investigator for several reasons. First and foremost, computer forensics professionals will be required to detect and examine such environments. Virtual environments (VEs) are showing up from the desktop to the data center. In the case in which a virtual desktop is used, acquiring a dead drive image may produce very little, if any, evidence. An increase in the use of VEs and applications that can be run from a Universal Serial Bus (USB) device means that any incriminating evidence may not be readily found, especially if the device itself is not recovered. As the use of virtual machine environments (VMEs) increases, computer attackers are becoming increasingly interested in detecting the presence of VMEs, both locally and across the network. The interest is fueled by those who want to spread malware, steal data, or conceal activities. As malicious code is released that makes use of its own VME, it becomes essential for antimalware researchers to find ways to detect the VME in order to protect against malware.

Physical Machines

For purposes of discussion, and to provide a solid contrast for the remainder of this book, we define a physical machine as a hardware-based device such as a PC or server. Specifically, the physical computer is running at the electronic, or machine, level as opposed to the logical level. Physical machines also operate with much more direct access to the hardware, whereas users of VEs will relate to the data they access and work with based on the name of the file. A physical environment is concerned where the data is physically located on the sectors of the disk.

How Virtualization Works

A VM is a software implementation of a computer that executes programs like a physical machine. In "Formal Requirements for Virtualizable Third Generation Architectures," Popek and Goldberg, who have defined conditions that may be tested to determine whether architecture can support a VM, describe it as "an efficient, isolated duplicate of a real machine." VMs have been in use for many years, and some would say we have come full circle. The fundamental concept of a VM revolves around a software application that behaves as if it were its own computer. This is the original job sharing mechanism prominent in mainframes. The VM application ("guest") runs its own self-contained OS on the actual ("host") machine. Put simply, a VM is a virtual computer running inside a physical computer. The virtual OS can range from a Windows environment to a Macintosh environment and is not limited to one per host machine. For example, you may have a Windows XP host machine with Linux and Windows 2003 VMs. Figure 1.2 shows Linux XP and Windows 2003 server VMs running on a Windows XP host machine.

The explosion of x86 servers revived interest in virtualization. The primary driver was the potential for server consolidation. Virtualization allowed a single server to replace multiple dedicated servers with underutilized resources.

Popek and Goldberg explained virtualization through the idea of a virtual machine monitor (VMM). A VMM is a piece of software that has three essential characteristics. First, the VMM provides an environment for programs that is fundamentally identical to the environment on the physical machine; second, programs that run in this environment have very little speed degradation compared with the physical machine; and finally, the VMM has total control of system resources. However, the x86 architecture did not achieve the "classical virtualization" as defined by the Popek and Goldberg virtualization requirements, and binary translation of the guest kernel code was used instead. This is because x86 OSes are designed to run directly on the physical hardware and presume that they control the computer hardware. Virtualization of the x86 architecture has been accomplished through either full virtualization or paravirtualization. Both create the illusion of physical hardware to achieve the goal of OS independence from the hardware but present some trade-offs in performance and complexity. Creating this illusion is done by placing a virtualization layer under the OS to create and manage the VM. Full virtualization or paravirtualization will be discussed later in this chapter. Both Intel and AMD have now introduced architecture that supports classical virtualization.

For a very in-depth explanation of virtualization, there are several published papers explaining the highly technical details of how virtualization works. For example, Adams and Agesen (2006) from VMware have written "A Comparison of Software and Hardware Techniques for x86 Virtualization." The current associated link is in the reference section at the end of this chapter.

In a physically partitioned system, more than one OS can be hosted on the same machine. The most common example of this type of environment is a dual-boot system where Microsoft and Linux OSes coexist on the same system. Each of these partitions is being supported by a single OS. VM software products allow an entire stack of software to be encapsulated in a container called a VM. The encapsulation starts at the OS and runs all the way up to the application level. This type of technology has the capability to run more than one VM on a single physical computer provided that the computer has sufficient processing power, memory, and storage. Individual VMs are isolated from one another to provide a compartmentalized environment. Each VM contains its own environment just like a physical server and includes an OS, applications, and networking capabilities. The VMs are managed individually similar to a physical environment. Unlike a physically partitioned machine, VM products allow multiple OSes to exist on one partition.

Virtualizing Operating Systems

Virtualized OSes can be used in a variety of ways. These environments allow the user to play with questionable or malicious software in a sandbox-type environment. For example, VMs can be used to see how different OSes react to an attack or a virus. It can give the user access to a Linux environment without having to dual boot the laptop or PC. Finally, it allows an investigator to mount a suspect environment to see the environment just as the suspect used it. This can be helpful in presenting cases to a judge or jury. Showing the environment can have a big impact, especially if it can convey the content in a manner that the judge and jury would understand. Booting up a machine that has a pornographic background gets the point across much faster and clearer in the courtroom and in litigation conferences. Figure 1.3 shows the concept behind virtualizing OSes.

Virtualizing Hardware Platforms

Hardware virtualization, sometimes called platform or server virtualization, is executed on a particular hardware platform by host software. Essentially, it hides the physical hardware. The host software that is actually a control program is called a hypervisor. The hypervisor creates a simulated computer environment for the guest software that could be anything from user applications to complete OSes. The guest software performs as if it were running directly on the physical hardware. However, access to physical resources such as network access and physical ports is usually managed at a more restrictive level than the processor and memory. Guests are often restricted from accessing specific peripheral devices. Managing network connections and external ports such as USB from inside the guest software can be challenging. Figure 1.4 shows the concept behind virtualizing hardware platforms.

Server Virtualization

Server virtualization is actually a subset of hardware virtualization. This concept is most prominently found in data centers. It is mostly relied on as a power-saving measure for enterprises in an effort to implement cost-effective data centers and utilize the increased hardware resource capability of servers. In server virtualization, many virtual servers are contained on one physical server. This configuration is hidden to server users. To the user, the virtual servers appear exactly like physical servers.

Server virtualization has become part of an overall virtualization trend in enterprise environments, which also includes storage and network virtualization along with management solutions. Server virtualization can be used in many other enterprise scenarios including the elimination of server sprawl, more efficient use of server resources, improved server availability, and disaster recovery, as well as in testing and development. This trend is also part of the autonomic computing development, in which the server environment will be able to manage itself based on perceived activity. Chapter 11, "Visions of the Future: Virtualization and Cloud Computing," discusses the autonomic computing concept.


In virtualization technology, a hypervisor is a software program that manages multiple OSes (or multiple instances of the same OS) on a single computer system. The hypervisor manages the system's processor, memory, and other resources to allocate what each OS requires.

Bare-Metal Hypervisor (Type 1

Bare-metal or Type 1 hypervisors are hypervisors that install directly on top of the physical server. Basically, it is a thin OS that controls the hardware, handles resource scheduling, and monitors the guest. Type 1 native or bare-metal hypervisors are run directly on the hardware platform. The guest OS is not aware that it is not running on real hardware and does not require any modification, but it does require resources from the host.

The guest OS actually runs at the second level above the hardware. The hypervisor or VMM coordinates instructions between the guest and the host CPU. What that means is that the guest OS is controlled by the host system and the guest uses a virtual architecture, which is almost like the physical hardware. Type 1 hypervisors are typically the preferred approach to virtualization because they deal directly with the hardware, so higher virtualization efficiency is achieved. Some examples of the type of hypervisor are VMware ESX, Citrix XenServer, and Microsoft Hyper-V.

Embedded Hypervisor

A Type 1 hypervisor that supports the requirements of embedded system's development is an embedded hypervisor. Embedded hypervisors are designed into the hardware device itself. This is similar to the way a computer basic input/output system (BIOS) works. The difference is that embedded hypervisors require additional steps such as formatting the machine storage for a particular product. Dell has been offering the VMware ESX3i hypervisor and the embedded Citrix XenServer hypervisor in the PowerEdgeTR805 and R905 models since mid-2008. In early 2009, LynuxWorks released an embedded hypervisor for high-assurance systems that runs on Intel Core 2 Duo processor-based systems. Some computer and server vendors ship new machines with embedded hypervisors.

The chips used in the embedded industry have less horsepower, the amount of memory they have is limited, and their use may be tied to a particular vendor, but they are popular because they can reduce attack exposure, minimize the number of drivers required, allow for boot up from VM images, and allow all virtual images to be stored on a single storage area network (SAN). Some of the compelling reasons for using embedded hypervisors are as follows:

• Support for multiple operating systems

• Secure encapsulation for any subsystem defined by the developer

• Failure of any subsystem cannot affect other subsystems

• Support for legacy embedded code

• Intellectual property protection from theft or misuse

• Migration of applications to multicore systems

The term embedded hypervisor is not restricted to just servers. For example, VMware and Citrix Systems have releases of a client-side Type 1 hypervisor that can be embedded. Embedded hypervisor technology can be used in systems to control automated machinery on a manufacturing floor or large medical devices. These hypervisors manage the underlying hardware differently from those offered for server virtualizations such as VMware, Citrix, and Microsoft, but the principle is the same. Another growing area for the use of embedded hypervisors is mobile devices. For example, in late 2008, Open Kernel Labs (OK Labs) released an embedded hypervisor named OKL4 that is used on the Qualcomm chipset inside a commercial Android-powered handset.

Hosted Hypervisor (Type 2)

A hosted or Type 2 hypervisor is software that runs on top of an already installed standard OS environment, such as Linux or Windows. The guest OS runs at the third level above the hardware. The hypervisor's control of resources is based on the resources presented by the underlying OS. The hypervisor merely runs as an application on the preconfigured OS, and the guest OS running on the hypervisor is the VM. The state of the guest OS is entirely encapsulated. Type 2 hypervisors are mainly used in systems where there is a need for a variety of input/output devices that can be supported by the host OS and in client systems where efficiency is less critical. Examples of this type of environment are Parallels Workstation, Microsoft Virtual Server, VMware Server, and VMware Workstation.


Excerpted from Visualization and Forensics by Diane Barrett Gregory Kipper Copyright © 2010 by Elsevier Inc.. Excerpted by permission of Syngress. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.

Meet the Author

Diane Barrett has been a contract forensic examiner at ForenTech since Oct. 2006 and is Professor for Computer Forensics and Network Security programs at the University of Advancing Technology. Additionally, Diane is the Faculty Council Chair for the systems development group and teaches several short online classes for web-based learning sites such as HP and Forbes. CCNA, CISSP, ISSMP, IAM/IEM Certified Steganographer, CCE Certificate of completion.
Gregory Kipper is a futurist and strategic forecaster in emerging technologies. He specialized in IT security and information assurance for 17 years, working for the last 11 years in the fields of digital forensics and the impacts emerging technologies have on crime and crime fighting. Mr. Kipper has been the keynote speaker at select industry events, a digital forensics instructor, and a trusted advisor to both the government and commercial sectors. He has published books in the fields of digital forensics and emerging technologies, including: "Investigator's Guide to Steganography," "Wireless Crime and Forensic Investigation," and "Virtualization and Forensics."

Customer Reviews

Average Review:

Post to your social network


Most Helpful Customer Reviews

See all customer reviews