Research On Virtual Computing-Related Forensics

Posted on: 2012-04-02
Degree: Master
Type: Thesis
Country: China
Candidate: Z Song
GTID: 2178330338484224
Subject: Software engineering

Abstract/Summary:
With the widespread use of computers, computer forensic technology has provided valuable support to judicial authorities in handling electronic evidence, and plays a cornerstone role in fighting computer-related crime and maintaining social equality and justice. However, as information technology innovates and develops, computer forensics technology needs to keep pace.

Virtual computing technology is now widely integrated into daily life, and users can use virtualization products conveniently without knowing their technical details. Virtual machines are widely deployed in enterprises, government, organizations, research institutions and elsewhere, and are used in teaching, research, production, office work and other fields. The development of virtual computing technology and its products brings both new opportunities and new challenges to computer forensics. On one hand, virtual computing, as a new technology, can bring new changes to computer forensics and so promote and facilitate its development. On the other hand, virtual machine-related products may become tools of criminals or victims of attacks, so how to conduct computer forensics in a virtual computing environment is a new topic. The purpose of this paper is to address these opportunities and challenges.
The detailed work in this paper includes: 1) investigating the current requirements of computer forensics in practice, and improving the virtual machine dynamic booting forensic technology by researching the EWF-E01 series format of digital evidence and developing a tool named ewf2dd; 2) researching and proposing forensic analysis methods that take virtual machines as targets, covering the common virtual machine disk files and virtual machine memory image files, and summing up experience from experiments.

This research depends in part on existing documentation and related tools, and in part on reverse analysis and reasoning methods, to conduct forensic analysis of not only the EWF-E01 series format but also the virtual machine disk files and memory image files.

Experiments in this paper show that the results of the developed format conversion tool ewf2dd are entirely correct and meet the requirements of practice. The improved virtual machine dynamic booting forensic technology has also been applied successfully in forensic practice. In addition, this paper carries out forensic analysis and research on the virtual machine's memory image, which has not yet been seen in any publication.
Keywords/Search Tags: Virtual Computing, Virtual Machines, Computer Forensics