The following are a few points on the effects of virtualisation on digital forensics. This is a begioning of a paper and a little bit of rambling as I am researching these issues.
- Memory state is retained by the virtualised system
- Memory forensics is currently a technically difficult field with few qualified people
- VM’s make capture simple – both of disk and memory
- VM’s have a snapshot capability, this is handy for incident response and forensic capture
The reasons for these points come from the fact that memory (esp. on Microsoft) may contain details of deleted files and transactions for a long time (an example is email deleted on a server may be retained in the memory stack for weeks though the sender believes that it was deleted and wiped).
The capture capability of the snapshot functions on VM’s means that a single file can be captured with all memory and state information.
Personally I use an open source tool called “Liveview” to view captured images. A simple “dd” bit image can be loaded into Liveview to replay the image as if I was on the host. Liveview links to VMWare to play the captured images.
With the snapshot and replay functions of VMWare coupled with Liveview, I can load a copy of a forensically captured image and test it “offline”. This allows me to use tools that may alter the image without fear of contaminating the evidencal value of the image – as I am only using a copy.
Liveview allows the configuration of the system time to start the image and I can thus experiment without corrupting evidence.
When I have found the evidence of what has occurred, I can replay the actions that I have taken using VMWare’s replay function. This allows for the presentation of the evidence in a non-technical manner that the jurists may comprehend.
In the case of organisations that are already using VM’s, this process is simplified. The vast majority of the capture process is effectively done for me. The issue is that the host may also have much more data then the company running the VM wanted to retain.
eDiscovery and Document retention come into the discussion at this point. There are requirements to hold documents when a case has started or if one is likely. As memory and state hold information, and coupled with some of the decisions in the US that may be influential here in Australia (though not authoritive), it is likely that they could be called under subpoena or captured in an Anton Pillar (civil search) order.
In this, files that a company had believed destroyed could actually be recovered.
Worse, documents outside of the request listed inn the order could be inadvertently provided given the difficulties of separating material held in state data.