Retrieved from https://studentshare.org/information-technology/1690322-virtual-machine-forensics-and-network-forensics
https://studentshare.org/information-technology/1690322-virtual-machine-forensics-and-network-forensics.
Virtual Machine Forensics A virtual machine (VM) is a software program for creating different environments with each of the environment simulating its components (both hardware and software). Each of the environments (virtual machine) mimics a real computer system with its operating system and hardware. In digital forensics the user controls each of the virtual machines independently.Network forensics refers to the capture, storage, and analysis of network traffic. It can be used interchangeably with terms such as packet mining, packet forensics, or digital forensics.
Regardless, the concept remains the same i.e. recording packet traffic of emails, database queries, Web browsing to a single searchable network traffic database for detailed examination (Habib).Network forensics involves: 1) Identifying and responding to attacks against computer systems 2) The utilisation of security devices in gathering evidence data 3) utilising the networks for passive information collection during an investigation VM examintion Typical digital forensic investigation is divided into four main stages namely; access, acquire, analyze and report.
In the access phase, the examiner records details of the virtual machines. Then makes copies of all data from the running system and generate the forensic image of all storage media a process known as acquisition. The acquired image can be used by forensics tools (open-source or commercial) such as EnCase, Sleuthkit, Live View and FTK to carry out a forensics analysis. VMware has Snapshot feature that permits the examiner to suspend the state of a VM at any specific point of time. Creating a forensics image of a VMTraditional computer forensics is conducted in relation to physical machines in generating disk images and memory dumps.
In contrast to typical computer forensics, Virtual machine requires live forensics to acquire volatile data and depends on the system hosting the virtual machines. VM simulates basic hardware parts and provides support to a limited range of hardware devices. The created dd image can’t be directly booted in a VM environment.The VM requires extra files of the environment being booted. There are significant changes needed in the original environment to enable the image to boot in the VM environment.
When the system is booted new data will be written to the original image thus modifying it (overwriting of old data). This necessitates the creation of backup copy of the original data. The original data is write-protected. The succeeding phases of data analysis are conducted on this copy leaving the original data untouched.Other system acquisitionsTypically both FTK imager and EnCase forensic tools need a write blocker device to capture the image a live physical drive. This is not the case with VMware virtual disks.
These disks are organized as files and therefore the image can be generated without a write blocker being included. These forensic tools (FTK imager and EnCase) can be used to generate both raw images for VM hard disks and the computed hashes of the raw images. Both tools create the matching MD5 and SHA1 hashes. It is therefore resolved that VM hard disk files can be securely converted to raw/dd images without necessarily using the write block device.Work citedHabib, Joe. 'Network Forensics And Digital Time Travel | Hacking | Technewsworld'.
Technewsworld.com. N.p., 2006. Web. 27 Apr. 2015.Huebner, Ewa, and Stefano Zanero. Open Source Software For Digital Forensics. New York: Springer, 2010. Print
Read More