Working with Virtual Machines

A virtual machine (VM) is a software-emulated computer that runs its own self-contained operating system, complete with applications, inside a physical host machine. A single host can run one or more guest virtual machines at the same time, each with its own operating system, and the guest operating systems need not match the host's.

If you’re in the forensic investigation business long enough, you’re going to end up working with virtual machines sooner or later. As the use of virtual machines on personal computers grows, forensic investigators are more likely to find virtual machines as the subject of an investigation. Virtual machines are also a benefit to the forensic investigator as part of your forensic tool box: they allow you to do a physical-to-virtual (P2V) migration of the suspect system. Essentially, P2V lets you clone the suspect machine and boot the cloned image inside a virtual machine. Slick, isn’t it?

Lots of tools are available to help you use virtual machines in your forensic investigations. Virtualization products include VMware, Microsoft Virtual Server and Virtual PC (free virtualization products from Microsoft), QEMU, and VirtualBox, and forensic front-ends such as Live View build on them. There isn’t enough space in this book to discuss all of these tools in detail, but a brief overview of Live View should suggest what’s available to forensic investigators.

Live View is a Java-based graphical forensic tool developed by the CERT Program at Carnegie Mellon’s Software Engineering Institute. It creates a VMware virtual machine from a physical disk or a raw (dd-style) disk image. A forensic investigator can then “boot up” that image to get an interactive user’s perspective on the environment without changing the underlying image or disk. Any changes the booted guest makes are written to a separate redo file rather than to the image, so the original state of the disk is preserved. This helps you as a forensic investigator because you don’t need to create extra working copies of a disk or image just to set up the virtual machine.

VMware is another product you may want in your forensic toolkit. VMware offers a commercial VMware Workstation product as well as a free VMware Server product.

Virtual environments are not without their limitations, and caution should be exercised when gathering evidence from this type of environment. For example, the virtual hardware that VMware presents to the guest is often considerably different from the original computer’s hardware, which can limit the admissibility in court of evidence gathered from the booted environment (or at the very least make it subject to challenge by opposing counsel).

Even though the copied image of the target computer is exactly the same as the original, if the copied image is booted on a machine with a different hardware configuration from the original, the operating system will detect the new hardware during boot-up and attempt to install the missing drivers for it, writing driver files, registry entries, and log records to the system volume. This results in new data being written to the booted system, which, of course, modifies the image as the guest sees it. In other words, the environment you are looking at is no longer an exact duplicate of the original image of the suspect computer. Keeping those writes in a separate redo file, as Live View does, protects the underlying image, and you should prove that by hashing the image before the session and again afterward and recording both values in your notes; but the booted guest itself is still a modified copy. Any seasoned attorney will challenge the authenticity and admissibility of modified images in court.
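The redo-file mechanism described for Live View above, and the boot-time writes described in this paragraph, modeled as an added example (this is not code from Live View, VMware, or this book): the base image is read through a copy-on-write overlay, everything the guest writes lands in the overlay, and the image file is hashed before and after the session to show it was not touched. The image contents, sector numbers, and the “driver store” and “system log” strings are constructed for the demonstration.

```python
"""Copy-on-write overlay over a raw disk image, with before/after hashing.

Added example, not part of Live View or any other tool named on the page.
The image built here is a constructed 32 KiB stand-in for a real dd image.
"""
import hashlib
import os
import struct
import tempfile
from typing import Dict, List

SECTOR = 512
IMAGE_SECTORS = 64  # constructed size; real images are gigabytes


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash an image file in chunks, the way you would hash a multi-GB .dd."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_sample_image() -> bytes:
    """Constructed raw image: an MBR with one NTFS-typed partition, zeroed data."""
    mbr = bytearray(SECTOR)
    # Partition entry 1 at offset 446: bootable flag, CHS fields zeroed (not needed
    # here), type 0x07 (NTFS), LBA start 1, length IMAGE_SECTORS - 1.
    struct.pack_into("<B3sB3sII", mbr, 446, 0x80, b"\x00\x00\x00", 0x07,
                     b"\x00\x00\x00", 1, IMAGE_SECTORS - 1)
    mbr[510:512] = b"\x55\xaa"  # boot signature
    return bytes(mbr) + bytes(SECTOR * (IMAGE_SECTORS - 1))


class OverlayDisk:
    """Read-only base image plus a copy-on-write overlay (the 'separate file'
    a redo log provides). Reads come from the overlay for sectors the guest
    has written and from the base otherwise; writes never touch the base."""

    def __init__(self, base: bytes):
        if len(base) % SECTOR:
            raise ValueError("image is not sector aligned")
        self._base = bytes(base)          # never mutated after construction
        self.overlay: Dict[int, bytes] = {}

    @property
    def sectors(self) -> int:
        return len(self._base) // SECTOR

    def _check(self, lba: int) -> None:
        if not 0 <= lba < self.sectors:
            raise IndexError(f"LBA {lba} outside image")

    def read(self, lba: int) -> bytes:
        self._check(lba)
        if lba in self.overlay:
            return self.overlay[lba]
        return self._base[lba * SECTOR:(lba + 1) * SECTOR]

    def write(self, lba: int, data: bytes) -> None:
        self._check(lba)
        if len(data) != SECTOR:
            raise ValueError("writes must be whole sectors")
        self.overlay[lba] = bytes(data)   # redirected, base stays pristine

    def dirty_sectors(self) -> List[int]:
        return sorted(self.overlay)


def simulate_guest_boot(disk: OverlayDisk) -> List[int]:
    """Stand-in for what the guest OS does on foreign hardware: it finds new
    devices and installs drivers, i.e. it writes to the system volume.
    Constructed: one fake driver-store entry and one fake log record."""
    driver = b"driver store: new virtual NIC driver installed".ljust(SECTOR, b"\x00")
    log = b"system log: plug and play found new hardware".ljust(SECTOR, b"\x00")
    disk.write(10, driver)
    disk.write(11, log)
    return disk.dirty_sectors()


def boot_and_verify(image_path: str) -> dict:
    """Hash the image, 'boot' it through the overlay, hash again, report."""
    before = sha256_file(image_path)
    with open(image_path, "rb") as f:
        disk = OverlayDisk(f.read())      # real tooling would mmap the file
    dirty = simulate_guest_boot(disk)
    after = sha256_file(image_path)
    return {
        "hash_before": before,
        "hash_after": after,
        "base_unchanged": before == after,
        "overlay_sectors": dirty,
        "overlay_bytes": len(dirty) * SECTOR,
    }


def demo() -> dict:
    """Write the constructed image to a temporary .dd file and run the check."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(build_sample_image())
        return boot_and_verify(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    result = demo()
    print("base image unchanged:", result["base_unchanged"])
    print("guest writes captured in overlay, sectors:", result["overlay_sectors"])
```

The two hash values are what you record in your notes: identical hashes before and after the session show the acquired image itself was never written to, while the overlay (here sectors 10 and 11) is exactly the modified data opposing counsel can ask about.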

In addition, forensic investigators may find that some installed software products refuse to start, installed services fail to run, and the computer itself might not boot at all on the virtual hardware. Virtual environments are a useful tool for forensic investigations, but the limitations inherent in them may make the evidence gleaned from the booted guest inadmissible in court.

Virtual machines are often used to reduce analysis time in an investigation. Using virtual machines, investigators can take a parallel approach to searching for evidence—two examiners can work simultaneously on two separate images. This enables the investigative team to shorten the time necessary to search for and extract evidence using traditional investigative techniques and processes. This approach enables one investigator to do a “quick-and-dirty” search of the evidence using the virtual machine copy without the normal worries about invalidating the integrity of the acquired image. To protect the evidence, the second investigator works with proper computer forensic techniques and processes to validate the findings of the quick-and-dirty evidence search.

Remember, while using a virtual image to search for evidence can save valuable time, you must still follow traditional investigative processes and conduct a forensically sound (and well-documented) search on the nonvirtual image to collect evidence that will stand up in court. Virtual images are also an extremely effective way to present and display evidence to the judge and jury at the time of trial. Using virtual images allows them to view the evidence much as it would have appeared to the suspect. This creates a great visual impact for the judge and jury in helping them to understand the details of the case.

In the next section, we’ll briefly describe some of the imaging capture tools available to forensic investigators. You’ll encounter these again in more depth in Chapter 8, which also introduces other tools available for capturing memory and disk images.
