FOR209 - Virtual Machines

Virtual machines are useful for many purposes in computing, but they can also be used to hide evidence of user activity on a computer system. Cybercriminals are using virtual machines because it is apparently easy to remove all trace of their activities just by deleting a single file. This seminar describes virtual machines, their methods of operation, how they are used to hide user activity, and how to detect their use. It also describes how to use virtual machines for malware analysis and other aspects of cyber forensics. 

Level: Intermediate

Cyber forensics investigators

  • Types of virtual machines
    • Hardware-based
    • Software-based
    • Hypervisor (types 1 and 2)
  • Virtual machine products that run Windows and their characteristics
    • Hyper-V
    • VMware
    • VirtualPC
    • VirtualServer
    • Xen
    • Bochs
    • VirtualBox
    • Integrity VM
    • LynxSecure
    • Oracle VM
    • Parallels
    • QEMU
    • RTS Hypervisor
    • Simics
    • Virtual Iron
    • VirtualLogix
    • Virtuozzo
    • Wind River Hypervisor
  • Virtual machine storage files (virtual disks)
    • Microsoft VHD
    • Microsoft VHDx
    • VMware VMDK
    • XEN XVD
  • Locating and recovering deleted VM storage files
    • Signatures
    • Other residual evidence in the host system
  • Attacks using virtual machines
    • "Blue pill" virtualization attack
    • Attacks on hypervisors
    • Attacks on software-based VMs
  • Using virtual machines for malware analysis
    • Hardware
    • Network
    • Setting up VMs
    • Thwarting malware's virtual machine detection

FOR205, Windows Internals for Forensics

Operating systems supported: All versions of Windows
Durations and formats: 1 day with labs