http://dx.doi.org/10.13089/JKIISC.2011.21.2.61

A study on an investigation procedure of digital forensics for VMware Workstation's virtual machine and a method for a corrupted image recovery  

Lim, Sung-Su (Center for Information Security Technologies, Korea University)
Yoo, Byeong-Yeong (Center for Information Security Technologies, Korea University)
Park, Jung-Heum (Center for Information Security Technologies, Korea University)
Byun, Keun-Duck (Center for Information Security Technologies, Korea University)
Lee, Sang-Jin (Center for Information Security Technologies, Korea University)
Abstract
Virtualization is a technology that uses a logical environment to overcome the physical limitations of hardware. As part of cost-saving and green IT policies, businesses have recently been increasing their adoption of virtualization. Desktop virtualization in particular is one of the most widely used technologies at present, because it allows various types of operating systems to be used efficiently on a physical computer. A virtual machine image, which is a key component of virtualization, is difficult to investigate because its structure differs from that of a hard disk image. Research is therefore needed on appropriate investigation procedures and methods based on a technical understanding of virtual machines. In this paper, we propose an investigation procedure for virtual machine images and a recovery method for corrupted images of VMware Workstation, which has the largest number of users.
Keywords
Digital Forensics; Virtualization; VMware; Virtual Machine