Virtualisation software allows a complete operating system to run from within another. So for example, a user might have a computer running Windows Vista, but by installing virtualisation software, they could run a copy of Windows XP from the desktop. This virtual operating system can then perform every action a ‘real’ virtual operating system can, including browsing the internet, editing files and accessing the CD ROM drive or other portable media.
Such functionality might seem useless to some, but for many users it has a number of applications. For example, because virtualisation software can be stored on portable media such as a USB storage device, it allows the user to effectively take an entire user environment with them wherever they go. So rather than just carrying files, they can access all of their preferences on any machine.
Alternatively, the same user may wish to access a piece of software that only works on the XP version of Windows. By installing virtualisation software, they could access this without having to revert the whole machine back to an older operating system.
Where it is suspected that a computer has been used in the commission of a crime, however, these same benefits can become barriers to a successful investigation. Upon arrest of a suspect, computer equipment is typically confiscated and passed to an expert for computer forensic analysis. Such experts then aim to extract legally admissible evidence in the form of deleted files, registry entries and internet browsing histories.
However, where a virtual machine has been used, the browsing history and registry data is written to the virtual machine and not to the host computer. This means that if the portable storage device is removed, there will be little or no evidence of user activity on the host machine.
Most virtual machines require the user to install software on to the host, so there may at least be registry evidence that the software itself was once present, but some can be accessed directly from a CD ROM or USB storage device, in which case even less of a trace would be left.
For this reason, computer forensic analysts typically check the registry for signs that removable media has been connected. In some cases, computer forensic experts may be able to extract information about activity on a virtual machine by analysing the communications between the portable device and its driver, stored on the host machine.
The common use of portable media to store virtualisation software makes it all the more important that such devices are located and analysed in any computer forensic investigation. Yet even if the virtualisation software is located, a core problem for computer forensic analysts is posed where the user does not save the environment in its new state before exiting. Essentially, this means that records of activity will be permanently deleted in a way that makes them impossible to recover.
At present, the use of virtualisation software in the home is relatively uncommon, and server side monitoring of those accessing indecent images of children or other such illegal material is still effective in capturing perpetrators, even where virtualisation software is in use.
Nevertheless, the recovery of computer based evidence remains vital, so computer forensics is now moving into the virtual world, finding new ways to extract data from ever more elusive virtual machines.