Abstract Digital Archaeology in a Virtual Environment

Korać, Digital archeology in a virtual envi ... (131-142) Archaeology and Science 8 (2012) VANJA KORAĆ, UDC: 902/904:004; 572:004 Mathematical Institute, Original research article Received: October 12th 2013 Belgrade, Serbia Accepted: October 15th 2013 [email protected]

Digital ArChAeologY IN A VIRTUAL ENVIRONMENT

Abstract

In this paper the most important elements are described which should gain special attention while doing digital forensic analysis in a virtual environment. The most important segments of virtual environments themselves are also explained, as well as ways in which they can be of importance for processes of digital forensic analyses. In the paper, two aspects of virtual environment are discussed. The first aspect regards virtual environment as a digital scene of crime. Services and networks of virtual environment are described within it, places in which potential evidence can be found, ways of securing digital scene of crime and preservation of digital proves discovered. The second aspect regards virtual environment as environment for a digital forensic data analysis.

Keywords: digital archaeology, digital forensic, virtual environment, forensic analysis.

When it comes to digital data archaeology should be regarded while performing digital in a virtual environment, it is very important to forensic analysis in a virtual environment. The know the virtual environment, its features and most important segments of a virtual environment possibilities which the environment can offer itself shall be explained and a way in which they in the sense of knowing the advantages and dis- could be of importance for the process of digital advantages which can occur during its usage. It forensic analysis. should also be mentioned that there are certain The idea of virtualization was constructed differences in the research access of a digital aiming to make managing of a large number of forensic investigator when physical, i.e. virtu- virtual machines simplier, most of all in order al machines are concerned.1 This paper shall not to save space, time, money and energy. As a deal with detailed forensic methodology which concept, it appeared already in 1960 with the regards digital virtual environment, but it aims appearance of mainframe computers and it was to sterss only the most important elements which reborn with personal computers in 1990. In their paper "Formal requirements for virtualizable 1 Virtual machine represents a created environment made with a program package for visualization which posses- third generation architectures" (Popek and ses a simulated assemblage of hardwares (processor, Goldberg 1974: 412-421), Popek and Goldberg hard disc, memory, network transmittors and other com- wrote about requirements for architecture which ponents) and personal system and application program.

131 Archaeology and Science 8 (2012) Korać, Digital archeology in a virtual envi ... (131-142) can support a virtual machine describing it as a it can share resources with other virtual machines "effective, isolated duplicate of a real machine". within the same or other server platform. Due The virtualization itself was described as an idea to this specific design and optimized processor of virtual machine monitor (VMM).2 operations within realized virtual environment, What is specific for virtual machines is that there is no difference between operating virtual they use complete hardwares of physical servers. machines and physical machines. There are The VM application, the so-called guest, starts its different types of virtual environment, the most own operation system on a real host machine. In famous ones being Microsoft Hyper-V10, VMWare simple words, the VM represents a virtual computer Vsphere ESXi11, QEMU12, Citrix XenServer13. This started within a physical computer. For example,a work is focused on two angles of digital forensic physical server can represent virtual environment in a virtual environment on two angles of digital with more than twenty virtual machines. forensic in a virtual environment. The first one re- Communication between physical server and gards virtual environment as a digital crime scene, virtual machines goes over a hypervisor (program while the second one regards virtual environment supplying virtualization) or over a virtual machine as environment for a digital forensic analysis. manager via hyper-call. Hypervisor drives system processor, memory and other resources, putting Virtual environment as a digital them at disposal to other guest systems on demand crime scene (Barrett and Kipper 2010). Hypervisor can supply virtuelization directly on hardware (native VM As every environment, virtual environment or Bare-Metal Hypervisor) or on operating can also be compromised in many ways, possibly system (host VM or Hosted Hypervisor) (Ivaniš resulting in compromising virtual machines them- 2011). The representatives of virtualization being selves, as well as operating systems and files posi- performed directly on hardware are: VMware tioned within particular environments. ESX3, Citrix XenServer4 and Microsoft Hyper- To a digital forensic investigator, to whom V5. The representatives of virtualization being a digital crime scene is the actual virtual envi- performed on operating systems are: Parallels ronment consisting of virtual machines, it is very Desktop6, Microsoft Virtual Server7, VMware important to be well-informed and to know how Server8 and VMware Workstation9. to work in a virtual environment. Access to in- In other words, according to the mentioned vestigation is based upon locating and accessing concepts, a virtual machine can operate isolated or physical server which drives virtual machines. It is of great importance that digital forensics scein- 2 Virtual machine monitor represents a part of a pro- tist has “live” access to digital machine which is gram with three features. The first one is that VMM regarded as digital crime scene. In such a way, offers a environment for programs which is identical to environment on a physical machine. Second, pro- valuable data and information can be gathered as grams being started within in such a virtual environ- potential digital evidence during operation of a ment have a very small reduction of performances physical server (Milosavljević and Grubor 2010). when it comes to speed compared to physical machine A fact should be pointed out that suspect has great and thirdly, the VMM fully controls system resources. possibilities to manipulate with evidence in such 3 Available at http://www.vmware.com/products/esxi-an- a environment, thus making acquiring of digital d-esx/overview evidence rather complicated. 4 Available at http://www.citrix.com/products/xenserver/ overview.html 10 Microsoft Hyper-V, http://www.microsoft.com/en-us/ 5 Available at http://www.microsoft.com/en-us/server-clo- server-cloud/hyper-v-server/ , Accessed 09.02.2012. ud/hyper-v-server/default.aspx 11 VMWare Vsphere ESXi, http://www.vmware.com/ 6 Available at http://www.parallels.com/ products/vsphere-hypervisor/overview.html , Aces- 7A vailable at http://www.microsoft.com/windowsserver- sed 09.02.2012. system/virtualserver/ 12 QEMU, http://wiki.qemu.org/Main_Page , Acessed 8 Available at http://www.vmware.com/products/vcenter- 09.02.2012 server/ 13 Citrix Xenserver http://www.citrix.com/English/ 9 Available at http://www.vmware.com/products/worksta- ps2/products/product.asp?contentID=683148 , Acessed tion/ 09.02.2012.

132 Korać, Digital archeology in a virtual envi ... (131-142) Archaeology and Science 8 (2012) Principles regarding digital computer foren- dissapearance of important digital data can occur. sics and which are applicable during acquiring, Forensics in a virtual environment shows more analyzing and presenting digital proves can also gathered evidence compared to classical digital be applied at virtual machines in a virtual envi- forensic, since digital forensic investigator must ronment, but with certain differences, which shall gather information about data packages and about be pointed out later on in this paper. It is important communication between abuser and user upon to stress that it is necesarry to use only tested and whom the illegal action was performed. During reliable forensic tools (ex. Access data FTK, En- investigation of virtual environment, everything case, X-Way Forensic) which support working in happens within virtual spaces put on physical a virtual environment and possess compatibility (server) machines, being connected to Internet, with new operating systems. so actually virtualy they could be anywhere (one If investigation dealing with illegal activi- of such examples is Cloud computing14). In order ties focuses on a virtual environment and if it is to search digital places of crime, a digital foren- conducted according to adequate methodologies, sic investigator has to enter digital virtual envi- using reliable forensic tools and aiming to find ronment, which is complex and can represent a relevant digital proves, investigation shall be suc- great problem to a forensic investigator if no cessfull. Contrary to that, it can end up unexpect- preparations were performed. Such preparations edly. Digital investigation in a virtual environment include following and filming activities of sus- can be public (official) and corporative, depend- pect, as well as getting acquainted with operating on the type of incident. Investigation begins ing systems themselves which are placed inside a with a physical access to a physical crime scene, virtual environment. Contrary to classical digital where physical evidence is gathered. Further on, forensic, in which physical computer is accessed digital crime scene is accessed (virtual environ- physically, when one is dealing with forensics in ment consisting of virtual machines) and it lasts virtual environment, a forensic investigator would until digital forensic investigator is not finished not have simple access to a physical machine on with investigating digital data ready to be includ- which virtual environment was designed. Exact- ed in a report, i.e. for presenting reconstructed ly this is specific about digital forensics in virtual crime or incident. All of the evidence found must environment. One of the aims of a digital foren- be documented, secured, relevant, unchanged and sic investigator is locating a central spot with vir- acceptable in court, while the whole investigation tual computers (not just the location of a virtual (when dealing with official investigation) must be machine). This place contains great quantity of transparent for trial in court (Milosavljević and useful information which can be used as poten- Grubor 2010). tial digital proves whitnessing illegal activity. It It should be emphasized that virtual envi- is also very important that digital forensic inves- ronment is a environment offering a row of pos- tigator is well-acquainted to all of the concepts of itive possibilities through its very useful opera- virtualization. tions, but it is exactly them that can be abused. For example, operations which can be abused are migrations of virtual machines, manipulations with images of virtual machines, live migration 14 The way how Cloud computing is functioning as a type (manipulations connected to „live“ migrations of of virtual environment: user gains access to a computer virtual machines). Some of the abuses can result placed in far north. This system enables its user safe and in controling or abusing virtual machines by a vi- cosy work. Great advantage of such a system is that its cious person. user does not have to know where his/her computer is situated, while data are always at his/her disposal. The Malicious activities can be detected, since user also does have to worry about computer maintaining all of the activities are noted on server, i.e. host and depending on what he/she paid for, the user can have and it is very important that from the vey begin- great quantity of space. Making connection with a vir- ning, digital forensic investigator approaches in- tual machine is quite simple. There are certain program vestigation and acquiring evidence according to clients who are in charge for making connections with strictly defined procedures, since otherwise loss or servers connected to public networks. After successfull authentification, the user accesses his/her virtual machine.

133 Archaeology and Science 8 (2012) Korać, Digital archeology in a virtual envi ... (131-142) Services and elements of virtual - The Windows Hypervisor Interface Li- environment brary – represents kernel component as dynamic link library (DLL). It enables drives of operating Further on, a vivid description of important systems to access the processor. As part of oper- services making virtual environment shall be giv- ating system, it is placed on host. DLL file makes en. Getting acquainted with them can be of use drivers of operating systems possible to access the to digital forensic investigators15 (Tulloch 2010): processor. -Virtual machine management service The services named above may not have di- (VMMS) – drives, i.e. determines which opera- rect influence on investigation, but it is important tions can be performed in some of the states of to know important processes and their possibili- virtual machines. The VMMS drives the follow- ties in hardware communication between proces- ing states of virtual machines: starting, active sor and hypervisor, actually host and child. state, inactive state, state of snapshot making, state The presence of the files mentioned in of snapshot application, deleting state snapshots, shape of virtual devices and drives can indicate disc connecting. According to these states, the existence of virtual machines to a digital forensic VMMS drives operations on virtual machines, i.e. investigator. children. It does not drive operations like Pause, The Fairbanks Alaska University16 performs Recording, Switch-off. This is done with the Vir- research in the field of volatile data by using virtual machine worker proces (VMWP) process, tual introspection (VI). Virtual introspection as a which is being created when virtual machines are new field of research and development in digital started; forensics, represents an observation process of - Virtual machine worker process – is state of virtual machine either through Virtual Ma- created on a virtual machine and it appears as chine monitor (VMM) or from some other virtual executive file vmwp.exe participating in a great machine which is no subejct to forensic research. number of interactions between opeartive system They developed a set of tools for Xen environ- on host and virtual machines (children). These in- ment called VIX tools (Hay and Nance 2008), teractions include creating virtual machines and aiming to reduce the risk of changing evidence their configutrations, driving pauses and resum- while they are examined. This tool also makes ing virtual machines, saving and restoring virtual “live” analysis on Xen virutal machine possible.17 machines and snapshooting states of virtual ma- Basic access of these tools is to pause suspected chines. It also drives memory, in- and out ports on virtual machine, then gather necessary data by us- computer’s motherboard and driving IRQs. Exis- ing the „read only“ operation and afterwards end tence of such a file (vmwp.exe) represents a proof the pause. One of the useful things possible with that there are virtual machines of host. this tool is memory mapping of the suspected ma- -virtual devices – represent program mod- chine and ascribing of the mapped segment to the ules (driving programs) which enable configura- virtual forensic machine. tion of devices and controlling partitions of virtul machines. They are steered through virtual moth- Networks in virtual environment erboard ( VMB) which is given to each virtual machine; When it comes to networks in virtual envi- -driver VMBus – supplies optimized com- ronment, there are three different kinds of virtual munication between host and child, at the same networks (Tulloch 2010) (Garrison 2010): time representing a part of Hyper-V service; - Virtual Infrastructure Driver – rep- Internal virtual networks – this type of resents kernel component responsible for regime network does not rely on physical network adapt- of virtualization on host, making it possible to er, but the physical network adapter is being used. drive virtual processor and memory; 16 http://www.uaf.edu/, 03.01.2012. 17 http://assert.uaf.edu/papers/forensicsVMI_SIGOPS08. 15 Example is connected to making a Hyper V environ- pdf, 03.01.2012. ment, on whse host Windows server 2008 R2 is installed.

134 Korać, Digital archeology in a virtual envi ... (131-142) Archaeology and Science 8 (2012) Internal virtual network is used as intranet and it is and AMD-V19. Why is it important for digital fo- used for connecting virtual machines on intranet. rensic investigator to find out the location of phys- There is also an option of their connection to host, ical server on which there is virtual machine be- potentially opening a possibility of children abuse ing the subject of investigation? The reason is that if it comes to compromising the host computer. that is exactly the way (physical access to host) to Malicious attack would aim at the program area prove the existence of such processor types which with the goal to abuse virtual machines or stop support hardware virtualization, also proving a them; possibility of existence of machines which could External virtual networks – this type of have been (ab)used for illegal actions, which are network relies on physical network adapter and on host itself or physical machine. For example, on virtual network adapter, thus making commu- Properties of an operating system can offer basic nication of physical and virtual machines possi- and sufficient information about processor type. ble, in the Intranet as well as towards the Internet. Digital forensic investigator can also find data A potential possibility of abuse of host is opened about virtualization in BIOS (under options for from the outside, but also from virtual machnes adjusting virtualization), which indirectly can in- themselves, since communication between host fluence investigation and acquiring of evidence. and child is opened. Malicious attack would also The presence of application being driven by virtu- aim the program area in order to abuse virtual ma- al machines (virtual machine manager) indicates chines or turn them off; the existence of virtual machines, but also a place Private virtual networks – this type of net- from which virtual machines are being operated, work does not rely on physical network adapter being whitnessed also by log files of the regarded (similar to Internal virtual network) and no com- environment. munication with members outside private virtual To a digital forensic investigator, console network is allowed. Host also does not have direct tools which can operate virtual machines can be communication with this network, making mali- of great use in cases when monitoring is needed cious attacks on this type of network impossible. and getting acquanited live to virtual machines. In There is a theoretical possibility of attack, but it is such a way, important data can be exposed: names limited to the hardware host part. of virtual machines, condition of virtual machines Certain tools are used in order to find out (active or not), in which regime of work they are host’s name, data about network cards (physical in, resource usage by virtual machines and data and virtual) and their configurations (DHCP pa- about time and time-zones. Such are for example rameters, MAC addresses). All these pieces of „last logon“ files or „configuration log“ files, their information about network adapters of virtual operations depending on programs which make machines directly on host are of great importance virtual environment possible. Profiles or roaming to a digital forensic investigator in order to get profile files which can be of interest to a digital fo- acquainted to the architecture of virtual environ- rensic investigator include NTUSER.dat (specific ment. system registry file) and other application data. In some cases, it can occur that TEMP directory is Proof of the existence of hard- not copied together with profile and it is necessary ware which supports virtualiza- to pay special attention to it during forensic inves- tion tigation of gathered virtual hard disc.

Modern concepts of virtualization (for ex- Time prooving ample performing cloud computing) can be made only when specially adapted hardware compatible Digital forensic investigator has to pay spe- processors are being used, supported to work with cial attention to time and time zones of the exam- hypervisor. The processors most commonly used ined virtual machine, of the host itself (if physi- for making virtual environments are Intel VT18 19 AMD platform for virtualization: http://sites.amd.com/ 18 Here the list of Intel processors which support virtuali- uk/business/it-solutions/virtualization/Pages/amd-v.aspx, zation: http://ark.intel.com/VTList.aspx, 10.02.2012 10.02.2012

135 Archaeology and Science 8 (2012) Korać, Digital archeology in a virtual envi ... (131-142) cal access is possible) and of the environment in Forensic23) for accessing digital data. When snap- which forensic investigation is takin place. It must shot of a virtual machine is being performed (for be ascertained if times match and whether there example with VMware24 environment), there is are differences.20 an option to choose whether the snapshot would also switch on the memory. If the investigated vir- Securing digital crime scenes in tual machine had this option switchen on while virtual environment snapshoting, the „vmem“ files would be present in snapshooting. A tool created by Chris Betz which In order to save all potential digital evi- can investigate these vmem files is named Mem- dence, in classical digital forensic as well as in parser25 (Beek 2010). forensics of a virtual environment, before live investigation takes place, it is very important to dis- Virtualni hard disc able network communications of suspected host. It is done by pulling out the network cable from Every virtual machine writes its data on a the physical host machine. If host is performing virtual hard disc. For a digital forensic investiga- wireless communication to Intranet or Internet, tor, its location, extensions, size and configuration wiresless machine to switch it is connected has to are of great importance, since virtual hard disc can be switched off. contain potential digital evidence. Every child on host must also have a place Acessing RAM to write its data. Virtual hard discs can be placed 26 27 In order to perform a virtual environment on a SAN (Storage Area Network) or NAS with sixteen virtual machines working under Win- (Network Attached Storage) devices or on local dows 7 operating system for example, at least 16 hard discs (Grubor, Njeguš i Ivaniš 2011). Infor- Gb RAM would be necessary. As minimum RAM mation about size matters because of copying im- memory, Windows 7 requires 1GB RAM. For an ages of a virtual hard disc on its forensic medium, operating system on host, minimum 512gb to 4 from which further investigation shall take place. GB Ram memory would be necessary, depend- This is important if one is dealing with virtual ing on the OS responsible for virtualization. Total hard discs of great capacity, since they can pro- RAM quantity in such a case is 20gb RAM (16 23 http://www.x-ways.net/forensics/ Gb RAM memory per child and 4 Gb for host). 24 http://www.vmware.com/ This information is important, since according to 25 Acessible at http://sourceforge.net/projects/memparser it, digital forensic investigator would get to know 26 SAN represents a device for storing data and it func- the total amount of RAM memory which is placed tions at the level of data blocks, intended for enterprise so- on a physical machine and how much has being lutions. Contrary to NAS devices, the SAN devices allow by virtual machines. sharing of storage space into parts which can be ascribed Gaining information from RAM memory to bigger number of servers with direct attached storage, is possible from a part of RAM memory on host making great speed of data transmissioning possible. Con- nection is made through fibre channel. It consists of a great which is determined for virtual machine under in- number of high-speed SAS discs (15K rpm). Solid state vestigation. It is performed by using live forensic discs (SSD) can also be used if performanse and saving (under the condition that computer was previous- enery are priorities. There are also vendors offering com- ly not switched off, because then the content of bined systems, so that data can also be accessible via block RAM would be deleted) and with application of access through fibre channel or they can be accessed on forensic tools (su Encase21, FTK Imager22, X-Way the level of databases with expected speed increased up to 100GBps in the decade to come. 20 Documenting time form a virtual machine or from the 27 NAS represents a device for data storage functioning host can be recorded with a camera, while time of the on database level. It connects with computers via local ne- environment can be recorded on an official TV station or twork, mostly via TCP/IP over internet. It consists of a gre- radio. at number of discs adjusted to operate using SAS SCSI or 21 https://www.encase.com/products/Pages/encase-foren- SATA discs. NAS is most commonly used as a file server sic/overview.aspx supporting file systems and protocoles, for windows ne- 22 http://www.accessdata.com/products/digital-forensics/ftk tworking CIFS, HTTP, linux networking SAMBA, NFS.

136 Korać, Digital archeology in a virtual envi ... (131-142) Archaeology and Science 8 (2012) longue investigation. For a digital forensic inves- digital forensic investigator it is very useful, since tigator it is important to find out as much infor- such an image (which can contain great amount of mation as possible about the number of partitions useful information) can be connected to a forensic and to make a snapshot only for those partitions computer in read-only mode. suspected to contain digital prooves. This information can be found in configuration files of the Snapshots of virtual machines virtual machine itself. Certain extension28 can indicate the state of virtual machine itself, if it is Snapshots of virtual machines have a wide complete, is it a snapshot or change of state. Such field of usage. They can be used for finding changes on operating system, returning virtual machine changes can testify installing certain programs into the previous working menu in case installing and their usage. Regarding classical research of of a program (applicative or system) influenced a digital crime scene which deals with physical change of work of an operating system. For a digital environment exclusively, information re- digital forensic investigator they are of great im- garding condition of a virtual machine can only portance, since by getting to know the moment be placed in a virtual environment. There are also of illegal action, over snapshooting (reversed) on files which bear configuration information ofa a forensic machine and with applying forensic virtual machine under investigation. It is import- tools, a simple overview of a virtual machine for ant to tell discs of defined size from dynamic vir- a forensic relevant moment would be performed. tual discs (dynamc capacity enlargement depend- according to that, it is possible to gain data from ing on needs). It is also important to stress that RAM memory or virtual hard disc about action some programs for virtualization can drive virtaul of an illegal virtual machine. Snaphot compara- hard discs in different ways. This is of importance tion of the investigated virtual machine aiming to note changes, change of files or identification for digital forensic investigator, since after certain of hidden files can also be of great interest. The operations on virtual hard discs, their structure tool which enables tracing of changes on Vmware can be very much changed. There are operations virtual machines is written by Zairon29 and it is which can reduce virtual machine size by remov- called Compare Vmware snapshots (Beek 2010). ing the unused space (on host such a space would be marked with zeros). Further on, there are op- Forensic copies of virtual ma- erations which can convert dynamic virtual discs chines into the fixed ones and vice versa or to enlarge fixed virtual discs. They can also merge virtual When digital forensic is concerned, physi- hard discs and merge physical hard disc into a cal machines made two copies of physical hard new virtual hard disc. disc by using appropriate forensic tools. The first Since the field of virtualization grows big- copy, which is numerated, is used to calculate the ger, Microsoft began to integrate virtualization hash value of MD5 or SHA algorythm, aiming to techniques into its operating systems, such as proove that it was not changed, i.e. integrity of Microsoft Windows 7. In the Configuration menu hard disc. This copy represents a proof and it is which regards disk management, it is possible kept until it is necessary in court to indicate that there were no changes in bits. The second copy to mount virtual hard disc (VHD) into read-on- is used for performing forensic anaylses on a fo- ly mode. Another useful operation is bootin the rensic computer. Recently, when virtual machines computer from a virtual hard disc (it regards only came to use, the need arose to make a third hard Windows vhd files). What was called Complete disc copy for suspected machines, representing a PC backup in Windows Vista, in Windows 7 it is special feature. On such copies there are virtual called System image backup and it is saved in vhd hard discs and their snapshots, together with all formate (Beek 2010). From the perspective of a folders and files which describe a virtual machine 28 Extensions of these files are different depending on 29 Accessed at http://zairon.wordpress.com/2007/09/19/ programs which perform virtual environment. tool-compare-vmware-snapshots/

137 Archaeology and Science 8 (2012) Korać, Digital archeology in a virtual envi ... (131-142) under investigation. The third copy is used for digital forensic cannon be fully used in a virtual investigation on a forensic virtual machine in a environment either because of their compatibility similar environment, referred to further on in the with later operating systems or because the use of paper. Making snapshots of an operating system is tools is inadequate (dynamic and capacity of hard- an extremely complex process, since integrity of ware are in such a state that complete investigation hard disc must remain undamaged. Bootable disc would become very slow). This is another feature is usually used in such cases, containing all the of virtual environment, so it is recommended to necessary tools, but external forensic device can perform live forensic investigation of virtual envi- be used as well for storing hard disc snaphots of ronment whenever possible, making snapshots of a suspected machine. File analysis from hard disc partitions or disc parts which might contain poten- snapshots should be performed on a forensic com- tial evidences. It should be pointed out that when puter. Just like with every forensic analysis, docu- investigation is aiming to a virtual environment in mentation has to be kept about gathered prooves. which one machine is being suspected for an ille- There are even program tools for such a purpose. gal action, it is also necessary to investigate other virtual machines on forensic working station. All Migration of a virtual machine of this indicates certain special features in collecting data and contrary to a classical digital forensic One important feature of a virtual envi- of physical machines. ronment (as its component in most cases) is an operation of transferring i.e. migration of virtual Virtual environment as environ- machines. It was already mentioned that such an ment for digital forensic analy- operation is of great advantage for administrator sis of virtual environment (migrating a virtual ma- The concept of virtualization and the spe- chine from one place to the other inside the same cifics of digital forensic of a virtual environment physical server or to some other physical server). were explained at the beginning of this paper, On the other hand, it can make it possible for a while this part of the paper shall be dedicated to supect to hide evidence of illegal action. virtual environment representing environment for It should be pointed out that when a virtual performing digital archaeology while investigat- machine migrates, only information containing ing digital crime scene. General concept of virtual data about configuration used for multiplying environment and its limitations in applying digital virtual machines is being transferred. Still, if it forensic analysis shall be analyzed. The idea of comes to export of a virtual machine, all of the this approach is to apply the process of digital fo- data shall be transferred, including snapshots (if rensic analysis at the same time under convention- there were any). These operations can influence al and virtual environment independently, which digital forensic investigator to make wrong con- can benefit in reducing duration of digital forensic analysis. The focus of this chapter is a phase clusions if no preparations were performed, i.e. of digital investigation, actually digital forensic the following of virtual environment. analysis. The process of digital forensic analysis The goal of a digital forensic investigator can include three key phases, as shown by Kruse for virtual environment is to create the sequence and Heiser in their model: acquiring evidence, of illegal actions, gathered with digital and phys- establishing authenticity and analysis (Kruse and ical evidence. The investigator needs to collect Heiser 2010). data of network adapters, network configuration Christopher Brown, founder of one of the of the virtual environment itself, domain, data leading companies dealing with digital forensic regarding virtual hard discs, data from system (CTO of Technology Pathways LLC30) stresses snapshoting, data about periphere virtual devic- that in the acquiring phase, digital forensic in- es, data from RAM memory etc. vestigator should record and note as many vol- Forensics shall develop towards virtual en- 30 http://www.techpathways.com/Desktop Default.aspx, vironment, since some of the classical tools for 31.02.2012

138 Korać, Digital archeology in a virtual envi ... (131-142) Archaeology and Science 8 (2012) atile data as possible from live system, further in order to run the operating system successfully. switch off the computer and finally create bit Still in some cases, system would not be able to stream copy31 of all of the data storage devices, run successfully or there would be systems and actually hard discs. Most of the authors claim that programs which would not be able to run. The making forensic copies i.e. images of a suspected mentioned problem also relates to application in hard disc is relized with programs based on "dd a virtual environment, since virtual machines can tools"32 and that the gained forensic copy is kept only simulate basic hardware components and in dd format or some format based on dd (Nelson, they are not intended to support a great number of Phillips, Enfinger, and Steuart, 2006)(Rude 2003) hardware devices. That also means that a foren- (Bunting and Wei 2006). The gained forensic sic snapshhot obtained with a „dd tool“ cannot be copy i.e. image represents an identical copy of the run without adding files with certain parametres original disc. It should be mentioned the old rule, needed to run the snapshot in a new environment. according to which image needs to be identical There are differnt tools that can solve this roblem. with the original disc, is not applied lately. There Comercial tools include Encase’s Physical Disk is a great number of apropriate image formates of Emulator34 and Technology Pathways’es Prodis- the original hard disc used most commonly, but cover.35 Among free tools there are Live View36 which are not identical to the original hard disc, and some free tools by Technology Pathways. since they can contain additional metadata. like In literature it is still discussed whether data investigators' names, notes or hash values. An obtained from a virtual environment can be rele- example for such forensic adequate format is the vant. The reasons are exactly the changes which popular Advanced forensic format - AFF (Garfin- have to be applied upon the snapshot of the orig- kel 2005) (Garfinkel, Malan, Dubec, Stevens and inal hard disc (original environment) in order to Pham 2006) developed by Dr. Simson Garfinkel make running of the virtual environment possible. and the Basis Technology company.33 Since this If it is known that snapshot was much changed, format also includes segmentation of the original it can imediately be sustained in court, although snapshot with adding chapetrs, digital forensic an IT expert could claim that changes have no in- investigator bases its finding on investigating the fluence on presented evidence. Some authors con- image which is in some way altered, actually not sider that virtual environment in the role of a di- identical with the original. gital forensic tool has no perspective regarding its On the other hand, the dd tools creates a application in forensic analysis (Fogie 2004). Still, snapshot identical to the original and can be creat- if virtual environment in the role of digital foren- ed at the same or at a hard disc of greater capacity sic tool is applied in a combination with classical and can be driven on another computer system. digital forensic approach, data analysis can be ra- A problem could occur here regarding re-estab- dically reduced and better results can be obtained. lishing original environment because of different One of the models suggesting this approach is the hardware components’ computer combinations. Ben and Huebner model (Bem and Huebner 2007 For example, if a snapshot of a researched comput- : 1-13). This model type includes two levels of er is driven on a computer with different hardware digital forensic staff. The first one includes digital components from the first one, operating system forensic investigators - professionals (DFIP), fully shall try to recognize the differences and add driv- trained and with great experience, strictly acting er programs for the missing hardware components according to methods of rules and proceduresof digital forensic investigation. The second level 31 These bit-stream copies can be made as bit-for-bit includes digital forensic investigators – computer copies or bit-for-bit plus copies. Both ways are widely accepted, while the difference is that bit copy plus imple- technicians (DFIRT) with less forensic knowledge ments certain metadata data which aim to tag proof-files in order to preserve the responsibility chain (Nelson, Phil- 34 http://www.pc-ware.com/medialibrary/central_files/ lips, Enfinger, and Steuart, 2006) (Bunting and Wei 2006) de/hersteller/software/guidance_software/files/guidan- (Scott 2004). ce_07_06_19_encase_forensic_prosuite.pdf, 16.02.2012 32http://en.wikipedia.org/wiki/Dd_%28Unix%29, acces- 35 http://www.techpathways.com/prodiscoverdft.htm, sed 31.02.2012 16.02.2012 33 http://www.basistech.com/e-discovery/ , 13.02.2012 36 http://liveview.sourceforge.net/, 16.02.2012

139 Archaeology and Science 8 (2012) Korać, Digital archeology in a virtual envi ... (131-142) and experience and do not strictly need to stick to the discovered digital prooves. The importance the rules and procedures, since they have no direct of digital forensic investigator’s live access to a influence on the investigatin process. Their role is digital machine regarded as digital crime scene to search the copies of digital evidence in order was pointed out. In such a way, it is possible to to find as many data possible of interest for the gather valuable data and information which can investigation and to report everything they find to represent potential digital evidence. Manipulation digital investigators – professionals who, by using possibility in such a environment by a suspect relevant forensic techniques approve the finds or is huge, making the process of collecting digital search the data further if needed. evidence rather complex. All of the principles re- The methodology used a show-case would garding digital forensic of a computer which can go as follows: computer technicians run a copy of be applied during collecting, documenting, ana- gathered snapshots in a virtual environment (as a lysing, preserving integrity and presentation of virtual machine), treating it as a normal system evidence are applicable also for virtual machines and search „live“ all of the details relevant for in a digital environment, with certain differences the investigation. Although methodology used by which were pointed out in this paper. computer technicians influences the integrity of The second aspect regards virtual environ- gathered snapshots of the original system, it does ment as a environment for digital forensic data not influence the investigation. The reason is that analysis. A general concept of virtual environment computer technician works only with one of the with described limitations in applying digital foren- copies of digital snapshots of the suspected hard sic analysis was shown. Such a concept shows that disc. That means that computer technicians pos- process of digital forensic analysis is performed si- sess good technical, but less forensic knowledge multaneously in a conventional and virtual environ- can apply computer forensic techniques also in ment independently, which can benefit in reducing phases without endangering digital evidence. the duration of digital forensic analysis. This actual- It is logical that to one copy, the hashing ly means that with such a forensic access, combina- function aiming to keep the integrity is being ap- tion of classical and virtual concept, which is being plied and it should be kept safe, while the other performed as a co-operation of teams on different copy remains with digital investigators – profes- expertise levels and with applying different tools, sionals intact and forensically valid. can lead to reducing time of a digital forensic analy- According to the data obtained by computer sis. Time is saved and also pressure upon digital in- technicians, the DFIP can confirm all of the results vestigators – professionals, which is very important using adequate forensic tools, strictly sticking to since there is a lack of forensic professionals. adequate forensic methodology, techniques and procedures. Bibliography

Closing considerations Popek, G. J. and Goldberg, R. P., 1974 Formal requirements for virtualizable third genera- Virtual environment, just like any other tion architectures, Communications of the ACM 17 environment, can be compromited in different (7): 412–421. ways, which can result in compromizing virtual machines, as well as operating systems and files Barrett, D. and Kipper, G., 2010 placed within such a environment. This is why Virtualization and Forensics – A digital forensic In- digital archaeology becomes necessary when vestigator’s guide to Virtual Environments, Elsevier compromizing computer systems. In this paper, Inc., USA. two aspects of virtual environments of were con- sidered. The first aspect regards virtual environ- Ivaniš, N., 2011 ment as a digital crime scene. Services and nets Digitalna forenzička istraga u virtuelnom okružen- of digital environment were described in it, places ju, master rad, Univerzitet Singidunum in which potential evidences can be found, ways of securing digital crime scenes and preserving

140 Korać, Digital archeology in a virtual envi ... (131-142) Archaeology and Science 8 (2012) Tulloch, M., 2010 sics, National Center for Forensic Science , Orlan- Understanding Microsoft Virtualization Solutions do, Florida, USA, January 20-February 1. from desktop to the datacentar, second edition, Microsoft Press A Division of Microsoft Corpora- Fogie, S., 2004 tion One Microsoft Way Redmond. VOOM vs The Virus (CIH), http://voomtech.com/ downloads/Shadow%20Eval%20-%20Fogie.pdf. Hay, B. and Nance, K., 2008 Forensics Examination of Volatile System Data Bem, D. and Huebner, E., 2007 Using Virtual Introspection, SIGOPS Operating Computer Forensic Analysis in a Virtual Environ- Systems Review, ACM Special Interest Group on ment, International Journal of Digital Evidence Operating Systems, Volume 42 Issue 3, ACM. Fall 2007, Volume 6, Issue 2: 1-13.

Beek, C., 2010 Garrison, C., 2010 Virtual Forensics, TenICT proffesionals, http://se- Digital Forensics for Network, Internet, and curitybananas.com/wp-content/uploads/2010/04/ Cloud Computing a forensic evidence guide for Virtual-Forensics_BlackHatEurope2010_CB.pdf. moving target and data, Elsevier Inc., Burlington, MA 01803, USA. Kruse, G. W. and Heiser, G. J., 2010 Computer Forensics Incident response essentials, Milosavljević, M., Grubor, G., 2010 14th printing, New York: Addison Wesley, March. Istraga kompjuterskog kriminala – metodološko tehnološke osnove, Univerzitet Singidunum, Beo- Nelson, B., Phillips, A., Enfinger, F., and grad. Steuart, C., 2006 Guide to Computer Forensics and Investigations, Grubor, G., Njeguš, A. i Ivaniš, N., 2011 Second Edition, Thomson Course Technology, Glavni faktori uticaja virtuelizacije tipa I na Boston. forenzičku istragu”, Naučni skup sa međunarod- nim učešćem Sinergija. Rude, T., 2003 DD and Computer Forensics, Retrieved October 23. REZIME Bunting, S., and Wei, W., 2006 En Case Computer Forensics: The Official EnCE: Digitalna Arheologija u EnCase Certified Examiner Study Guide, India- virtuelnom okruženju napolis, in: Wiley Publishing. Ključne reči: digitalna arheologija, digi- Scott, M., 2004 talna forenzika, virtuelno okruženje, forenzička Independent Review of Common Forensics Im- analiza. aging Tools, Memphis Technology Group, SANS GIAC Paper Submission. U ovom radu su opisani najznačajniji el- ementi kojima treba posvetiti posebnu pažnju Garfinkel, S., 2005 prilikom digitalno forenzičke analize u virtuel- The Advanced Forensic Format 1.0. 2005, http:// nom okruženju. Takođe su objašnjeni i najvažni- stuff.mit.edu/afs/sipb/user/simsong/afflib/affdoc. ji segmeti samog virtuelnog okruženja i na koji doc. način oni mogu biti značajni za postupak digi- talne forenzičke analize. U radu su razmatrane Garfinkel, S., Malan, D., Dubec, K., Stevens,C . dva aspekta virtuelnog okruženja. Sa prvog as- and Pham, C., 2006 pekta posmatra se virtuelno okruženje kao digi- Disk imaging with the advanced forensics format, talno mesto krivičnog dela. U njemu su opisani library and tools, The second Annual IFIP WG servisi i mreže virtuelnog okruženja, mesta na 11.9 International Conference on Digital Foren- kome se mogu pronaći potencijalni dokazi, nači-

141 Archaeology and Science 8 (2012) Korać, Digital archeology in a virtual envi ... (131-142) ni obezbeđenja digitalnog mesta krivičnog dela i očuvanja pronađenih digitalnih dokaza. Drugi as- pekt posmatra virtuelno okruženje kao okruženje za digitalno forenzičku analizu podataka. Anali- ziran je jedan opšti koncept virtuelnog okruženja sa prikazanim ograničenjima u primeni digitalno forenzičke analize. Koncept podrazumeva da se proces digitalno forenzičke analize sprovodi is- tovremeno pod konvencionalnim i virtuelnim okruženjem nezavisno jedno od drugog, što kao benefit može da ima skraćenje trajanja digitalno forenzičke analize. To zapravo znači da se sa ovakvim forenzičkim pristupom, kombinacijom klasičnog i virtuelnog pristupa, koji se realizuje kroz saradnju timova različitih nivoa stručnosti uz primenu različitih tipova alata rezultati u fazi digitalno forenzičke analize mogu brže dobiti.

142