Forensic VMware

Pages: 74 (18294 words) Published: October 11, 2012
Forensic Analysis of VMware Hard Disks by Manish Hirwani

Committee Members Prof. Yin Pan Prof. Daryl Johnson Prof. Bill Stackpole

Thesis submitted in partial fulfillment of the requirements for the degree of Master of Science in Networking and System Administration Rochester Institute of Technology B. Thomas Golisano College of Computing and Information Sciences

05/04/2011

Forensic Analysis of VMware Virtual Hard Disks

Manish Hirwani

Acknowledgement
I wish to express my gratitude to each member of my thesis committee without the support and valuable assistance of whom this thesis would not have been possible. My sincere thanks to Prof. Yin Pan who has been the ever encouraging and motivating force behind my work. She was constantly available for discussions and always gave me prompt advice. Her appreciation of my work has made me work harder each time and has brought forth the best in me at every stage. I would like to thank Prof. Stackpole for the enthusiasm he has shown in my work throughout my course. His constructive and critical comments extended to me have added his perspective and enriched the contents of my study. I also thank Prof. Johnson for his constant support and encouragement at every step of the process. The completion of this dissertation would not have been possible without the valuable assistance of the staff at the NSSA Student Advising Office. Last but not the least I would like to thank my parents and family for having given me this opportunity to undertake post graduate studies at this renowned institute – RIT - and for their faith in me during my highs and lows throughout these two years.

Abstract
With the advancement in virtualization technology, virtual machines (VMs) are becoming a common and integral part of datacenters. As the popularity and use of VMs increases, incidents involving them are also on the rise. There is substantial research on using VMs and virtual appliances to aid forensic investigation, but research on collecting evidence from VMs following a forensic procedure is lacking. This thesis studies a forensically sound way to acquire and analyze VM hard disks. It also discusses the development of a tool which assists in forensic analysis of snapshots of virtual hard disks that are used in VMs. This tool analyzes the changes made to a virtual disk by comparing snapshots created at various stages. By comparing the state of the files in the base snapshot, which is believed to be clean, with the snapshot that is suspected of being tampered with, forensic investigators are able to identify files that have been recently added, deleted, edited, or modified.

Table of Contents
Acknowledgement
Abstract
List of Tables
List of Figures
1 Introduction
2 Related Work
3 Methodology
3.1 Environment...