
Research And Design On Virtual Machine Forensic System

Posted on: 2011-04-02
Degree: Master
Type: Thesis
Country: China
Candidate: L Zhong
Full Text: PDF
GTID: 2298330452461310
Subject: Computer system architecture

Abstract/Summary:
Nowadays the number of virtual machine users is increasing rapidly. A virtual machine can be used by criminals as a tool for illegal activities, and it can also become the object of an attack or a crime. At the same time, virtual machine technology used as a means or tool of forensic analysis has become an inevitable trend in the development of computer forensics. Against this background, research on Virtual Forensic has important academic value and practical significance.

Virtual Forensic includes two aspects: one is Virtual-machine-based Forensic, in which the virtual machine is the forensic tool; the other is Virtual Machine Forensic, in which the virtual machine is the evidence. This paper focuses on Virtual Machine Forensic and also studies several fields of Virtual-machine-based Forensic. The main work and results are as follows:

The first part of the research is on the theory and procedure model of virtual machine forensics, including its concepts, objects and forensic model, with particular analysis of the virtual disk, from its classification to its formats; from this the Virtual Machine Knowledge Framework is given. Furthermore, the Hierarchical Mapping Model of Virtual Disk (HM Model) is designed.

Next, we focus on methods of extracting data from virtual machines. We give a comprehensive introduction to the sources of evidence in a virtual machine. The ways of extracting data vary with the virtual machine's type and mode; we analyze the features of virtual machines of different types and modes and point out the appropriate way of extracting data for each.

Analyzing the extracted data involves many different kinds of skills. Based on an analysis of the methods currently in use, we design a scan-based analysis engine for Virtual Machine Forensic. The engine has several layers; it adds the concept of a Virtual Layer and implements its mapping interface, so that the different virtual machine formats in the Physical Layer are converted into a single format that can be analyzed by traditional forensic methods.

The method of fixing (reassembling) virtual disk fragments is also analyzed in this paper. We introduce the new concepts of structure-list and block-structure for data location, point out a fixing method based on the beginning addresses of structures and block-structures, and design a model for fixing virtual disk fragments as a function of the Virtual Layer in the above analysis engine, so that traditional forensic analysis methods can be used.

Finally, this paper researches Virtual-machine-based Forensic in two fields: one is transferring a physical system to a virtual system by P2V technology, changing the working pattern of traditional virtual emulation tools, reducing intermediate operations and improving the success rate of booting; the other is designing a virtual forensic platform that provides investigation machine templates for every investigator, supports remote work, and makes up for the neglected standardization of investigation machines.

As the first advanced paper on this field in China, this paper provides a great deal of information and many virtual machine forensic methods for law enforcement, government and military agencies, and it can serve as good material for subjects such as Computer Forensics.
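The Virtual Layer mapping and the structure-address-based fragment fixing described above can be illustrated together. The following is an added example written for this page, not code from the thesis: it invents a hypothetical minimal sparse disk format ("SPRS", with a header, a block allocation table of block start addresses, and data blocks stored in arbitrary order) so that the mapping logic is visible without the details of VMDK, VHD or VDI. The carrier image, the guest MBR and the "EVIDENCE" payload are constructed sample data. The Virtual Layer locates the structure's beginning address in the carrier, maps each logical sector to a physical byte offset (or to zeros for unallocated blocks), flattens the disk to a single raw image, and a traditional method (an MBR partition-table parser) then runs unchanged on that image.

```python
"""Hierarchical mapping from a sparse virtual disk to a flat image.

Constructed example: "SPRS" is a hypothetical sparse format invented for this
page (not VMDK/VHD/VDI). It keeps the properties the mapping needs: a header,
a block allocation table (BAT) holding each block's start address in sectors
relative to the structure start, and data blocks that may appear in any order,
with unallocated blocks simply absent from the file.
"""
import struct

SECTOR = 512
MAGIC = b"SPRS"
UNALLOCATED = 0xFFFFFFFF


def build_sparse_image(block_sectors, total_sectors, blocks):
    """Serialise the hypothetical format. blocks: {block_index: bytes}.
    Blocks are written in reverse order so physical order != logical order."""
    nblocks = (total_sectors + block_sectors - 1) // block_sectors
    header = MAGIC + struct.pack("<III", block_sectors, total_sectors, nblocks)
    data_start = (len(header) + 4 * nblocks + SECTOR - 1) // SECTOR * SECTOR
    bat = [UNALLOCATED] * nblocks
    payload = bytearray()
    for idx in sorted(blocks, reverse=True):
        assert len(blocks[idx]) == block_sectors * SECTOR
        bat[idx] = (data_start + len(payload)) // SECTOR
        payload += blocks[idx]
    out = header + struct.pack("<%dI" % nblocks, *bat)
    return out.ljust(data_start, b"\0") + bytes(payload)


def find_structures(carrier):
    """Structure-list: beginning address of every sparse header in a carrier
    (e.g. a carved region of the host image where the VM file was stored)."""
    addrs, pos = [], carrier.find(MAGIC)
    while pos != -1:
        addrs.append(pos)
        pos = carrier.find(MAGIC, pos + 1)
    return addrs


class VirtualLayer:
    """Maps logical guest sectors to byte offsets in the carrier."""

    def __init__(self, carrier, base):
        if carrier[base:base + 4] != MAGIC:
            raise ValueError("no sparse header at offset %d" % base)
        self.carrier, self.base = carrier, base
        self.block_sectors, self.total_sectors, n = struct.unpack_from(
            "<III", carrier, base + 4)
        self.bat = struct.unpack_from("<%dI" % n, carrier, base + 16)

    def map_sector(self, lba):
        """Carrier byte offset of logical sector lba, or None if unallocated."""
        blk, within = divmod(lba, self.block_sectors)
        if blk >= len(self.bat) or self.bat[blk] == UNALLOCATED:
            return None
        return self.base + (self.bat[blk] + within) * SECTOR

    def read(self, lba, count):
        out = bytearray()
        for s in range(lba, lba + count):
            off = self.map_sector(s)
            out += b"\0" * SECTOR if off is None else self.carrier[off:off + SECTOR]
        return bytes(out)

    def flatten(self):
        """The single format the traditional tools consume: a raw disk image."""
        return self.read(0, self.total_sectors)


def parse_mbr(raw):
    """Traditional analysis on the flat image: the four MBR partition entries."""
    if raw[510:512] != b"\x55\xaa":
        return []
    parts = []
    for i in range(4):
        e = raw[446 + 16 * i:462 + 16 * i]
        lba_start, nsect = struct.unpack("<II", e[8:16])
        if e[4]:  # partition type 0 means an empty slot
            parts.append({"type": e[4], "start": lba_start, "sectors": nsect})
    return parts


def demo():
    # Constructed guest disk: 16 sectors, 4-sector blocks, blocks 0 and 2 allocated.
    mbr = bytearray(SECTOR)
    mbr[446:462] = bytes([0x80, 0, 0, 0, 0x83, 0, 0, 0]) + struct.pack("<II", 8, 8)
    mbr[510:512] = b"\x55\xaa"
    block0 = bytes(mbr) + b"\0" * (3 * SECTOR)
    block2 = b"EVIDENCE".ljust(4 * SECTOR, b"\0")
    sparse = build_sparse_image(4, 16, {0: block0, 2: block2})
    # Embed at a non-zero offset to simulate a fragment carved from a host image.
    carrier = b"\xaa" * 1000 + sparse + b"\xbb" * 77
    base = find_structures(carrier)[0]
    raw = VirtualLayer(carrier, base).flatten()
    return base, raw, parse_mbr(raw)


if __name__ == "__main__":
    base, raw, parts = demo()
    print("structure at", base, "flat image", len(raw), "bytes", parts)
```

Note that the block stored first in the file (block 2) is logically the third block, and block 1 was never written, yet `parse_mbr` sees a conventional raw image: partition 1 of type 0x83 starting at sector 8, whose first bytes are the constructed "EVIDENCE" payload. Recovering the structure's beginning address first, and resolving BAT entries relative to it, is what lets the same mapping work when the file is found at an arbitrary offset inside a larger carrier.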
Keywords/Search Tags: Virtual machine forensic, Virtual-machine-based forensic, Hierarchical Mapping Model of Virtual Disk, Fragment analysis