by Brett Shavers

(PDF version here)

The Virtual Machine (VM)

Description of the Virtual Machine

The Virtual Machine Concept in Brief

Virtual machines are not new and have been in use for well over a half century. The fundamental concept of a virtual machine revolves around a software application that behaves as if it were its own computer. The VM application ("guest") runs its own self-contained operating system within the actual machine ("host"). This virtual operating system can be of almost any variant of design. Perhaps put more simply, it can be described as a virtual computer running inside a physical computer.

One of the benefits of virtual machines is the ability for a virtual machine to operate on nearly any underlying hardware and software configuration. In this manner, there is an ease of flexibility of sharing and duplication of virtual machines for many purposes, such as software testing. Additionally, one host machine (the actual computer) can run multiple guest machines (virtual machines) at the same time. A visual example of a virtual machine running on a host system is shown below.

Note: Click images to view full size

Figure 1-Virtual Machine (VMware Server)

The Uses of Virtual Machines

The number of uses for virtual machines is limited only by the imagination and needs of an organization or individual. For the individual, a virtual machine can be a sandbox for not only development and testing of new software applications in a controlled environment, but also for the testing of unknown malware on various operating systems. Virtual systems can be isolated from other virtual and actual systems for tests and analysis, or they can be networked with other machines to determine interaction and processes between machines. Isolated systems can allow for the operation of various types of applications that normally may cause conflicts if run on the same system.

Through the testing of software applications, virtual machines can be replicated in a short amount of time to validate and verify tests. Testing software on physical machines require the flattening of the entire hard drive and rebuilding the system to continue testing on numerous occasions. This is not economically feasible due to the time involved to rebuild computer systems nor is it needed.

An organization can have their entire system virtualized to maximize resource potential and decrease the time and effort involved in disaster recovery and business continuity. Considering that a virtual machine is technically only a file (or more accurately, several files), VMs can quickly be copied and distributed network-wide. In regards to legacy software that may not be supported or operate on newer operating systems, virtual machines can remain in use for specific legacy applications in the workplace for any foreseeable future.

Educational institutions can use virtual machines to teach a variety of information technology topics and courses. Many different operating systems can be demonstrated on a single student desktop requiring little time in setting up the systems. The benefits to the students include more instruction and hands on in a shorter period of time.

For the scope of this paper, the focus will be on the uses of virtual machines as it relates to forensic analysis, with both a virtual machine as your evidence and as an asset to your forensic tool box. Although only one virtual application is noted in this paper, the concepts and theories of their focus can be applied to other applications that are not described. The operating systems referenced are of Microsoft Windows (all versions) as this is the most prevalent operating system used worldwide. Some of this information may apply to other operating system in varying degrees, but again, it is the concept and theory of the examinations concerning virtual machines that will remain consistent across various platforms.

A Brief on VMware Files

Workstation, Player, and Server

An unintended and beneficial use for several VMware products is for the 'non-developer Workstation' users', i.e. forensic examiners. There are three products in particular that fit well in the topics presented; VMware Workstation, Server, and Player. VMware Workstation is perhaps the most versatile of the three products as it allows for more features. This is at a financial cost however since it is not freely available (other than a 30-day trial). VMware Server follows a close second with fewer features, but is freely available. VMware Player, also freely available, has the ability to run VMware virtual machines, but allows for almost no options for configuration, which is needed for forensic examinations.

Given the growing use of virtual machines on personal computers as well as the benefit of being able to boot forensic images using VMware, it is highly recommended to have VMware Workstation as part of any examiners toolbox. There are no other virtual applications (currently) that have the features and functions in VMware Workstation; it's almost as if it were almost developed for forensic use.

The following is a listing of the files associated with a VMware virtual machine. With other VM applications, the files may be fewer or even more, so it is imperative to be aware of the associated file types when dealing with different types of virtual machines other than VMware. The existence of only one of these files can indicate that a virtual machine may have existed on the media being examined.

.Log files -Simply a log of activity for a virtual machine.

.VMDK- This is the actual virtual hard drive for the virtual guest operation system, which may be either a dynamic or fixed virtual disk. With dynamic disks, the disk will start small and grow to a predetermined limit. A fixed disk does not change size.

.VMEM -A backup of the virtual machine's paging file which only exists of the VM is running or has crashed.

.VMSN - These are VMware snapshot files, named by the name of the snapshot. A VMSN file stores the state of the virtual machine when the snapshot as created.

.VMSD-A VMSD file contains the metadata about the snapshot.

.NVRAM- This is the file that stores the BIOS information for the virtual machine.

.VMX- This is the configuration file for a virtual machine, such as the operating system, disk information, etc This is a simple text file that can be easily edited.

.VMSS-This is the 'suspended state' file, storing the state of a suspended virtual machine.

.VMTM-This is configuration file containing team data.

.VMXF-If a virtual machine is removed from a team, this configuration file remains.

If the computer time is an important aspect of a virtual forensics examination, it is then important to realize how VMware manages time. A VM has the same issues managing time as does actual BIOS, such as daylight savings time issues. A VM also has other issues as well. The major issue is that the virtual machine relies on the host system's actual time and will correct itself to match the host time. This time adjustment is based upon UTC (Coordinated Universal Time or GMT), so the host computer's clock can be in a different time zone from the virtual machine, but the time will be the same if converted to UTC. Conversely, if the time is to be different from the host, which in all forensic examinations will be the case, then the setting must be made to not update the VM to the host's time. These settings are through the "VMware Tools" included with VMware Workstation.

The use of VMware in any forensic analysis is best when the features, functions, and limitations of the applications are known. VMware provides for extensive resource materials for download at www.vmware.com on a wide range of topics on the operating of each product. It is suggested to review and test functions prior to an actual examination in order to lessen the chances for error. VMware Workstation is very intuitive in its use.