A taxonomy of hypervisor forensic tools


Abstract

Cloud computing models are deployed on compute servers whose hardware resources are virtualized so that multiple virtual machines can run on a single physical system. Several types of virtualization, such as bare-metal and hosted virtualization, are available, along with virtualization modes such as full, paravirtualized, hardware-assisted and paravirtualized hardware-assisted virtualization. Virtual machines are isolated from each other when the physical server hardware is abstracted in the full virtualization mode. Physical resources such as hard disk drives and server memory are exposed in a virtualized environment as virtual hard disks, vCPUs and guest operating system state. Hypervisor operations generate copious amounts of data that are of value in forensic investigations of virtualized cloud environments. This chapter presents a taxonomy of hypervisor forensic tools, which provides a searchable catalog that forensic practitioners can use to identify the specific tools that fulfill their technical requirements. A case study involving a KVM hypervisor demonstrates the evidence that can be found for a virtual machine at the virtual machine manager and host system layers.

Citation

Mishra, A. K., Govil, M., & Pilli, E. (2020). A taxonomy of hypervisor forensic tools. In IFIP Advances in Information and Communication Technology (Vol. 589 IFIP, pp. 181–199). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-030-56223-6_10
