Virtualization and Forensics

A Digital Forensic Investigator’s Guide to Virtual Environments

Virtualized environments are growing faster than predicted; according to O’Reilly’s computer book market report, virtualization was the second largest computer book topic by sales in 2008, with growth of 63%. As more companies adopt virtual servers and environments, the ability to handle forensic data in them becomes a necessity. This book gives forensic investigators end-to-end knowledge of examinations in server, desktop, and portable virtual environments, covering the market leaders: VMware, Microsoft, and Citrix.

Audience

Forensic Investigators (corporate and law enforcement) and Incident Response Professionals.

Paperback, 272 Pages

Published: May 2010

Imprint: Syngress

ISBN: 978-1-59749-557-8

Contents

    PART 1 VIRTUALIZATION

    Chapter 1 How Virtualization Happens
    Physical Machines
    How Virtualization Works
    Virtualizing Operating Systems
    Virtualizing Hardware Platforms
    Server Virtualization
    Hypervisors
    Bare-Metal Hypervisor (Type 1)
    Embedded Hypervisor
    Hosted Hypervisor (Type 2)
    Main Categories of Virtualization
    Full Virtualization
    Paravirtualization
    Hardware-Assisted Virtualization
    Operating System Virtualization
    Application Server Virtualization
    Application Virtualization
    Network Virtualization
    Storage Virtualization
    Service Virtualization
    Benefits of Virtualization
    Cost of Virtualization

    Chapter 2 Server Virtualization
    What Is Server Virtualization?
    The Purpose of Server Virtualization
    Server Virtualization: The Bigger Picture
    Differences between Desktop and Server Virtualization
    Common Virtual Servers
    VMware Server
    Microsoft Virtual Server
    Citrix XenServer
    Oracle VM

    Chapter 3 Desktop Virtualization
    What Is Desktop Virtualization?
    Why Is It Useful?
    Common Virtual Desktops
    VMware
    VMware Fusion
    Microsoft Virtual PC
    Parallels
    Sun VirtualBox
    Xen
    Virtual Appliances and Forensics
    Penguin Sleuth Kit
    The Revealer Toolkit
    Intelica IP Inspect Virtual Appliance
    Helix 2008R1
    CAINE 0.3
    Virtual Desktops as a Forensic Platform

    Chapter 4 Portable Virtualization, Emulators, and Appliances
    MojoPac
    MokaFive
    Preconfigured Virtual Environments
    VMware
    Microsoft
    Parallels
    Xen
    Virtual Appliance Providers
    JumpBox Virtual Appliances
    VirtualBox
    Virtualization Hardware Devices
    Virtual Privacy Machine
    Virtual Emulators
    Bochs
    DOSBox
    Future Development

    PART 2 FORENSICS

    Chapter 5 Investigating Dead Virtual Environments
    Install Files
    VMware Server
    VMware Workstation
    Microsoft Virtual PC
    Microsoft Virtual PC 2007
    MojoPac
    MokaFive
    Virtual Privacy Machine
    Bochs
    DOSBox
    Remnants
    MojoPac
    MokaFive
    Virtual Privacy Machine
    VMware
    Microsoft
    Citrix Xen
    Bochs
    DOSBox
    Virtual Appliances
    Registry
    MojoPac
    MokaFive
    Bochs
    DOSBox
    VMware and Microsoft
    Microsoft Disk Image Formats
    Data to Look For
    Investigator Tips

    Chapter 6 Investigating Live Virtual Environments
    The Fundamentals of Investigating Live Virtual Environments
    Best Practices
    Virtual Environments
    Artifacts
    Processes and Ports
    Virtual Environment File Ports and Processes
    VMware and Tomcat
    IronKey and Tor
    SPICE
    Log Files
    VM Memory Usage
    Memory Management
    Memory Analysis
    ESXi Analysis
    Microsoft Analysis Tools
    Moving Forward
    Trace Collection for a Virtual Machine
    Separate Swap Files Corresponding to Different Virtual Machines in a Host Computer System
    Profile Based Creation of Virtual Machines in a Virtualization Environment
    System and Methods for Enforcing Software License Compliance with Virtual Machines
    System and Method for Improving Memory Locality of Virtual Machines
    Mechanism for Providing Virtual Machines for Use by Multiple Users

    Chapter 7 Finding and Imaging Virtual Environments
    Detecting Rogue Virtual Machines
    Alternate Data Streams and Rogue Virtual Machines
    Is It Real or Is It Memorex?
    Virtual Machine Traces
    Imaging Virtual Machines
    Snapshots
    Snapshot Files
    VMotion
    Identification and Conversion Tools
    Live View
    WinImage
    Virtual Forensic Computing
    Environment to Environment Conversion
    VM File Format Conversions

    PART 3 ADVANCED VIRTUALIZATION

    Chapter 8 Virtual Environments and Compliance
    Standards
    Compliance
    Regulatory Requirements
    Discoverability of Virtual Environment
    Legal and Protocol Document Language
    Organizational Chain of Custody
    Acquisition
    VM Snapshots versus Full Machine Imaging
    Mounting Virtual Machines
    Data Retention Policies
    Virtual Machine Sprawl
    The Dynamic Movement of VMs
    Backup and Data Recovery

    Chapter 9 Virtualization Challenges
    Data Centers
    Storage Area Networks, Direct Attached Storage, and Network Attached Storage
    Cluster File Systems
    Analysis of Cluster File Systems
    Security Considerations
    Technical Guidance
    VM Threats
    Hypervisors
    Virtual Appliances
    The VM
    Networking
    Malware and Virtualization
    Detection
    Red Pill, Blue Pill, No Pill
    Blue Pill
    Red Pill and No Pill
    Other Rootkits
    Other Methods of Finding VMs
    Additional Challenges
    Encryption
    Solid-State Drives
    New File Systems and Disk Types
    Compression and Data Deduplication
    Virtualization Drawbacks

    Chapter 10 Cloud Computing and the Forensic Challenges
    What Is Cloud Computing?
    Multitenancy
    Cloud Computing Services
    Infrastructure-as-a-Service
    Platform-as-a-Service
    Desktops-as-a-Service
    Software-as-a-Service
    Other Cloud Computing Services
    Streaming Operating Systems
    Application Streaming
    Virtual Applications
    Benefits and Limitations of Virtual Applications
    Cloud Computing, Virtualization, and Security
    Cloud Computing and Forensics
    Conducting a Forensic Investigation on a Cloud Environment
    Incident Response
    Conducting a Forensic Investigation in a Cloud Environment

    Chapter 11 Visions of the Future: Virtualization and Cloud Computing
    Future of Virtualization
    Hardware Hypervisors
    Virtual Machines Will Be Used for Antiforensics
    Mobiles and Virtualization
    VMware Mobile Virtualization Platform
    The Evolving Cloud
    Trends in Cloud Computing
    More Robust Legal Procedures Will Be Developed
    Data-Flow Tools Will Evolve
    The Home Entrepreneur
    The iPad, Tablet, and Slate
    Autonomic Computing

    Appendix: Performing Physical-to-Virtual and Virtual-to-Virtual Migrations
