Electronic crime investigations in a virtualised environment: a forensic process and prototype for evidence collection and analysis

2018 
Abstract
The constant evolution of virtualisation technologies and the availability of anti-forensic techniques and tools complicate efforts by forensic investigators to investigate a crime or a cyber security incident. Forensic collection can be complicated and requires significant effort when incidents involve contemporary technologies (e.g. a crime launched from a virtual machine, followed by attempts to erase evidence after the incident). This paper presents a forensic process to collect and analyse traces of a virtual machine and its corresponding manager, recorded across multiple sources including the file system, Windows registry, history, and log files, from a forensic viewpoint. To demonstrate the utility of the proposed process, the Virtual Machine Forensic Artefact Collector (VMFAC) prototype is developed and presented in this paper.
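The abstract describes collecting virtual-machine and hypervisor traces from several sources and preserving them for later analysis. The script below is an added illustration of the file-system part of such a collector; it is not the paper's VMFAC prototype and does not claim to reproduce its method. It walks an evidence root, selects files whose names match an assumed table of common VM artefact formats (VMware, VirtualBox, Hyper-V) and hypervisor log names, records size, modification time and SHA-256 for each in a manifest, and can re-verify that manifest later so that post-collection tampering (the anti-forensic scenario the abstract mentions) is detectable. The sample evidence tree it builds is constructed for the demonstration, not real artefact data.

```python
"""Illustrative VM artefact collector (example code, not the paper's VMFAC).

Collects file-system traces of virtual machines and their managers into a
hash-bearing manifest, then re-verifies the manifest to detect tampering.
The extension and log-name tables are assumptions about common formats;
the abstract itself does not list them.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Assumed artefact extensions, grouped by the virtual machine manager that writes them.
VM_ARTEFACT_EXTENSIONS = {
    ".vmx": "vmware-config", ".vmdk": "vmware-disk", ".vmsn": "vmware-snapshot",
    ".vmem": "vmware-memory", ".vmsd": "vmware-snapshot-meta",
    ".vbox": "virtualbox-config", ".vdi": "virtualbox-disk",
    ".vhdx": "hyperv-disk", ".vmcx": "hyperv-config",
}
# Hypervisor log files worth keeping even though ".log" alone is too generic to match on.
VM_LOG_NAMES = {"vmware.log", "vbox.log"}


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large disk images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(path):
    """Return an artefact kind for a path, or None if it is not of interest."""
    name = path.name.lower()
    if name in VM_LOG_NAMES:
        return "hypervisor-log"
    return VM_ARTEFACT_EXTENSIONS.get(path.suffix.lower())


def collect(root):
    """Walk root and return manifest entries (path, kind, size, mtime, sha256) for VM artefacts."""
    root = Path(root)
    entries = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            p = Path(dirpath) / fn
            kind = classify(p)
            if kind is None or not p.is_file():
                continue
            st = p.stat()
            entries.append({
                "path": p.relative_to(root).as_posix(),
                "kind": kind,
                "size": st.st_size,
                "mtime": st.st_mtime,
                "sha256": sha256_file(p),
            })
    return entries


def verify(root, manifest):
    """Re-hash every manifest entry; return the paths that are missing or no longer match."""
    root = Path(root)
    changed = []
    for e in manifest:
        p = root / e["path"]
        if not p.is_file() or sha256_file(p) != e["sha256"]:
            changed.append(e["path"])
    return changed


def build_sample_evidence(root):
    """Construct a small evidence tree (sample data for the demo, not real artefacts)."""
    vm = Path(root) / "VMs" / "win10"
    vm.mkdir(parents=True, exist_ok=True)
    (vm / "win10.vmx").write_text('displayName = "win10"\n')
    (vm / "win10.vmdk").write_bytes(b"KDMV" + b"\x00" * 64)
    (vm / "vmware.log").write_text("VMware Workstation started\n")
    (Path(root) / "notes.txt").write_text("unrelated file\n")


def demo():
    """Collect from a constructed tree, simulate anti-forensic tampering, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_evidence(tmp)
        manifest = collect(tmp)
        # Simulated post-incident wiping of the VM configuration file.
        (Path(tmp) / "VMs" / "win10" / "win10.vmx").write_text("")
        changed = verify(tmp, manifest)
    return {"manifest": manifest, "changed": changed}


if __name__ == "__main__":
    result = demo()
    for e in result["manifest"]:
        print(e["kind"], e["path"], e["sha256"][:16])
    print("changed since collection:", result["changed"])
```

The manifest is written before any analysis touches the files, and `verify` is what an examiner would run again at the end of the engagement; registry and browser-history sources would be added as further classifiers feeding the same manifest format.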
19 references, 2 citations