Virtualization and Forensics, 1st Edition
PART 1 VIRTUALIZATION
Chapter 1 How Virtualization Happens
Physical Machines
How Virtualization Works
Virtualizing Operating Systems
Virtualizing Hardware Platforms
Server Virtualization
Hypervisors
Bare-Metal Hypervisor (Type 1)
Embedded Hypervisor
Hosted Hypervisor (Type 2)
Main Categories of Virtualization
Full Virtualization
Paravirtualization
Hardware-Assisted Virtualization
Operating System Virtualization
Application Server Virtualization
Application Virtualization
Network Virtualization
Storage Virtualization
Service Virtualization
Benefits of Virtualization
Cost of Virtualization
Chapter 2 Server Virtualization
What Is Server Virtualization?
The Purpose of Server Virtualization
Server Virtualization: The Bigger Picture
Differences between Desktop and Server Virtualization
Common Virtual Servers
VMware Server
Microsoft Virtual Server
Citrix XenServer
Oracle VM
Chapter 3 Desktop Virtualization
What Is Desktop Virtualization?
Why Is It Useful?
Common Virtual Desktops
VMware
VMware Fusion
Microsoft Virtual PC
Parallels
Sun VirtualBox
Xen
Virtual Appliances and Forensics
Penguin Sleuth Kit
The Revealer Toolkit
Intelica IP Inspect Virtual Appliance
Helix 2008R1
CAINE 0.3
Virtual Desktops as a Forensic Platform
Chapter 4 Portable Virtualization, Emulators, and Appliances
MojoPac
MokaFive
Preconfigured Virtual Environments
VMware
Microsoft
Parallels
Xen
Virtual Appliance Providers
JumpBox Virtual Appliances
VirtualBox
Virtualization Hardware Devices
Virtual Privacy Machine
Virtual Emulators
Bochs
DOSBox
Future Development
PART 2 FORENSICS
Chapter 5 Investigating Dead Virtual Environments
Install Files
VMware Server
VMware Workstation
Microsoft Virtual PC
Microsoft Virtual PC 2007
MojoPac
MokaFive
Virtual Privacy Machine
Bochs
DOSBox
Remnants
MojoPac
MokaFive
Virtual Privacy Machine
VMware
Microsoft
Citrix Xen
Bochs
DOSBox
Virtual Appliances
Registry
MojoPac
MokaFive
Bochs
DOSBox
VMware and Microsoft
Microsoft Disk Image Formats
Data to Look for
Investigator Tips
Chapter 6 Investigating Live Virtual Environments
The Fundamentals of Investigating Live Virtual Environments
Best Practices
Virtual Environments
Artifacts
Processes and Ports
Virtual Environment File Ports and Processes
VMware and Tomcat
IronKey and Tor
SPICE
Log Files
VM Memory Usage
Memory Management
Memory Analysis
ESXi Analysis
Microsoft Analysis Tools
Moving Forward
Trace Collection for a Virtual Machine
Separate Swap Files Corresponding to Different Virtual Machines in a Host Computer System
Profile Based Creation of Virtual Machines in a Virtualization Environment
System and Methods for Enforcing Software License Compliance with Virtual Machines
System and Method for Improving Memory Locality of Virtual Machines
Mechanism for Providing Virtual Machines for Use by Multiple Users
Chapter 7 Finding and Imaging Virtual Environments
Detecting Rogue Virtual Machines
Alternate Data Streams and Rogue Virtual Machines
Is It Real or Is It Memorex?
Virtual Machine Traces
Imaging Virtual Machines
Snapshots
Snapshot Files
VMotion
Identification and Conversion Tools
Live View
WinImage
Virtual Forensic Computing
Environment to Environment Conversion
VM File Format Conversions
PART 3 ADVANCED VIRTUALIZATION
Chapter 8 Virtual Environments and Compliance
Standards
Compliance
Regulatory Requirements
Discoverability of Virtual Environment
Legal and Protocol Document Language
Organizational Chain of Custody
Acquisition
VM Snapshots versus Full Machine Imaging
Mounting Virtual Machines
Data Retention Policies
Virtual Machine Sprawl
The Dynamic Movement of VMs
Backup and Data Recovery
Chapter 9 Virtualization Challenges
Data Centers
Storage Area Networks, Direct Attached Storage, and Network Attached Storage
Cluster File Systems
Analysis of Cluster File Systems
Security Considerations
Technical Guidance
VM Threats
Hypervisors
Virtual Appliances
The VM
Networking
Malware and Virtualization
Detection
Red Pill, Blue Pill, No Pill
Blue Pill
Red Pill and No Pill
Other Rootkits
Other Methods of Finding VMs
Additional Challenges
Encryption
Solid-State Drives
New File Systems and Disk Types
Compression and Data Deduplication
Virtualization Drawbacks
Chapter 10 Cloud Computing and the Forensic Challenges
What Is Cloud Computing?
Multitenancy
Cloud Computing Services
Infrastructure-as-a-Service
Platform-as-a-Service
Desktops-as-a-Service
Software-as-a-Service
Other Cloud Computing Services
Streaming Operating Systems
Application Streaming
Virtual Applications
Benefits and Limitations of Virtual Applications
Cloud Computing, Virtualization, and Security
Cloud Computing and Forensics
Conducting a Forensic Investigation on a Cloud Environment
Incident Response
Conducting a Forensic Investigation in a Cloud Environment
Chapter 11 Visions of the Future: Virtualization and Cloud Computing
Future of Virtualization
Hardware Hypervisors
Virtual Machines Will Be Used for Antiforensics
Mobiles and Virtualization
VMware Mobile Virtualization Platform
The Evolving Cloud
Trends in Cloud Computing
More Robust Legal Procedures Will Be Developed
Data-Flow Tools Will Evolve
The Home Entrepreneur
The iPad, Tablet, and Slate
Autonomic Computing
Appendix: Performing Physical-to-Virtual and Virtual-to-Virtual Migrations