Virtual machines have always been one of the neatest aspects of computer technology. My first exposure to a virtual machine was in a digital forensics course I took at FLETC, and I knew that this would be the coolest thing ever. The coolness factor of being able to run one operating system (the virtual machine, or VM) inside another operating system (the host) has not grown old for me, especially because of the forensic and security implications that exist more so today than on that day of first exposure.
It has been 10 years since I wrote the first of two papers on virtualization and forensics. The first was “VMware as a Forensic Tool”, followed by “Virtual Forensics: A Discussion of Virtual Machines Related to Forensic Analysis”. Some of the information is now outdated, but most of it, and certainly the concepts, still applies today. I recommend looking at these two papers to get started on thinking about VMs as they relate to your cases.
Skipping forward some years after those first papers, I began to find VMs more often in forensic cases in civil litigation matters. In the majority of those cases, the VMs I found were not used to facilitate any malicious activity, but they did result in longer examination time for each hard drive that contained VMs. In one of my cases, a single hard drive contained over 50 (yes, FIFTY) virtual machines, each VM had multiple snapshots, and practically all of them were being used with malicious intent. After that case, I made sure to include virtual machine investigative information in two books I wrote (Placing the Suspect Behind the Keyboard and Hiding Behind the Keyboard) to make sure investigators consider VMs as a source of evidence.
There was a time when computer users, including criminals using computers, were oblivious to the amount of evidence a forensic analysis can recover. Those days are virtually gone: most anyone with a computer knows that a ‘deleted’ file can often be recovered. In addition, with Hollywood producing movies and TV shows that depict forensic analysis of computers, common criminal knowledge now includes the fact that electronic evidence is created on computers and that forensics recovers it. Every push of a button, click of a mouse, and click of a link litters the system with evidence. That litter (the creation, modification, access, and deletion of files) is spread across the system, from the registry to unallocated space to system files, and most of it can be attributed to a user’s activity. Getting rid of every bit of the electronic litter is practically impossible, even though some of it can be wiped securely.
However, with a VM, all of that electronic litter, aka evidence, is kept within a handful of files in one folder: the virtual disk image, the VM’s configuration file, and any snapshot files. The user need only wipe that folder to destroy all the electronic litter and evidence that was created during the malicious activity. The only evidence left to find will be on the host, and usually that will just show that a VM had been started: the hypervisor’s own logs and recently-used lists, perhaps a leftover configuration file pointing at a virtual disk that no longer exists, and perhaps fragments of guest memory that the hypervisor process paged out to the host’s swap. The malicious activity, the user activity…gone. Going a step further, a VM booted from a live Linux .iso with no virtual hard disk attached writes nothing persistent inside the VM to begin with.
I am not discounting other important evidence, such as network logs, captured traffic, or the evidence that can be recovered on the host machine. That is all good evidence too, but when the actual user activity is contained in a handful of files that can be wiped securely, digital forensics gets harder if not downright impossible.
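The host-side residue described above is exactly what an examiner should go looking for. The script below is an added example, not code from the original post: it walks a mounted evidence volume, parses every VMware .vmx configuration and .vmsd snapshot file it finds (both are flat `key = "value"` text), and reports which virtual disks, CD images and snapshots each VM referenced, flagging disks that the configuration attaches but that are no longer on the volume (the “wiped the VM, left the config” pattern) and VMs that booted from an .iso with no disk at all. The three VM folders it inspects are constructed sample data built in a temporary directory, not from a real case; the key names used (`displayName`, `guestOS`, `scsi0:0.fileName`, `snapshot.numSnapshots`, `snapshot0.displayName`) are real VMware keys, but the values are made up.

```python
"""Added example: triage VMware VM definitions left behind on an evidence volume."""
import os
import re
import tempfile
from dataclasses import dataclass, field

# .vmx and .vmsd files are flat text, one  key = "value"  pair per line.
_KV = re.compile(r'^\s*([\w.:-]+)\s*=\s*"(.*)"\s*$')


def parse_vmware_kv(path):
    """Parse a VMware .vmx or .vmsd file into a dict of key -> value."""
    out = {}
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = _KV.match(line)
            if m:
                out[m.group(1)] = m.group(2)
    return out


@dataclass
class VMRecord:
    vmx_path: str
    display_name: str
    guest_os: str
    disks: list = field(default_factory=list)          # .vmdk files the config attaches
    missing_disks: list = field(default_factory=list)  # attached in the config but absent on disk
    iso_images: list = field(default_factory=list)     # CD images the config attaches
    snapshots: list = field(default_factory=list)      # snapshot names from the .vmsd


def inspect_vmx(vmx_path):
    """Build a VMRecord for one .vmx, checking that its disks still exist."""
    cfg = parse_vmware_kv(vmx_path)
    vm_dir = os.path.dirname(vmx_path)
    rec = VMRecord(vmx_path, cfg.get("displayName", "?"), cfg.get("guestOS", "?"))
    for key, val in cfg.items():
        # Device attachments are keyed like scsi0:0.fileName, sata0:1.fileName, ide1:0.fileName
        if not key.endswith(".fileName"):
            continue
        low = val.lower()
        if low.endswith(".vmdk"):
            rec.disks.append(val)
            if not os.path.exists(os.path.join(vm_dir, val)):
                rec.missing_disks.append(val)
        elif low.endswith(".iso"):
            rec.iso_images.append(val)
    vmsd = os.path.splitext(vmx_path)[0] + ".vmsd"
    if os.path.exists(vmsd):
        snap = parse_vmware_kv(vmsd)
        count = int(snap.get("snapshot.numSnapshots", "0") or 0)
        for i in range(count):
            rec.snapshots.append(snap.get(f"snapshot{i}.displayName", f"snapshot{i}"))
    return rec


def find_vms(root):
    """Walk a mounted evidence volume and inspect every .vmx found, sorted by VM name."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".vmx"):
                found.append(inspect_vmx(os.path.join(dirpath, name)))
    return sorted(found, key=lambda r: r.display_name)


def build_sample_volume(root):
    """Constructed sample data (not a real case): three VM folders with different residue."""
    def write(rel, text):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    # 1) intact VM: config, disk image and one snapshot all present
    write("vms/research/research.vmx",
          'displayName = "research"\nguestOS = "ubuntu-64"\n'
          'scsi0:0.present = "TRUE"\nscsi0:0.fileName = "research.vmdk"\n')
    write("vms/research/research.vmdk", "KDMV stub (sample only)")
    write("vms/research/research.vmsd",
          'snapshot.numSnapshots = "1"\nsnapshot0.uid = "1"\n'
          'snapshot0.displayName = "before-job"\nsnapshot0.disk0.fileName = "research.vmdk"\n')
    # 2) config left behind, virtual disk deleted or wiped
    write("vms/scratch/scratch.vmx",
          'displayName = "scratch"\nguestOS = "windows9-64"\n'
          'sata0:0.fileName = "scratch.vmdk"\n')
    # 3) live-ISO VM with no virtual disk attached at all
    write("vms/live/live.vmx",
          'displayName = "live"\nguestOS = "other-64"\n'
          'ide1:0.deviceType = "cdrom-image"\nide1:0.fileName = "kali-live.iso"\n')


def triage_demo():
    """Build the sample volume in a temp dir and return the VM records found on it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_volume(root)
        return find_vms(root)


if __name__ == "__main__":
    for r in triage_demo():
        print(f"{r.display_name:10} {r.guest_os:14} disks={r.disks} missing={r.missing_disks} "
              f"iso={r.iso_images} snapshots={r.snapshots}")
```

On a real case you would point `find_vms()` at the mount point of the suspect volume instead of the sample directory; a .vmx whose disk is in `missing_disks` is the cue to go hunting in unallocated space for the .vmdk, and a VM that lists only `iso_images` tells you up front that nothing persistent was written inside the guest.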
A recent article I read on malicious use of VMs goes one step further. In the article (https://www.secureworks.com/blog/virtual-machines-used-to-hide-activity), an attempt to remotely start a VM inside a compromised system failed only because the compromised system was itself a VM. Considering that scenario, an attacker who starts a VM on a compromised machine can effectively hide nearly all activity inside that VM and then wipe it when finished. Incident response just got harder.
Not only are virtual machines used to facilitate criminal activity, they can also be used as a tool to compromise systems. One creative example of malicious VM use can be read here: https://www.helpnetsecurity.com/2016/08/18/compromising-linux-virtual-machines/, where a virtual machine in the cloud is used to attack another virtual machine hosted on the same physical server. Now that is clever.
Virtual machines are here to stay for all the good uses they provide, which also means they are here for all the bad uses too. In the world of cyber-cop vs cyber-criminal, every day is another day where each side tries to out-MacGyver the other side with something new, unique, and sometimes pretty cool.