Digital Forensics With Virtual Machine Introspection Information Technology Essay

Published: November 30, 2015 Words: 1917

This chapter introduces the goals and motivation behind this project. Chapter 2 presents the background needed to understand the project and reviews existing work by others.

Literature Review

In this chapter we introduce the fundamental concepts needed to understand VMI and, through it, how digital forensics can be carried out on a virtualized environment. Virtualization offers security benefits over physical servers through isolation, (2 other things). Protection rings provide a mechanism to segregate the execution of code: they grant different levels of access to resources depending on the ring from which the code executes.

Digital Forensics

Digital forensics refers to the forensic examination of computers and digital storage media. The term is often used more broadly to describe the forensic examination of all forms of digital evidence, including data travelling over networks. Various categories of digital forensics exist, including: (1) computer forensics, (2) network forensics, (3) firewall forensics, (4) cyber forensics, (5) database forensics, (6) cellular forensics, and so forth. However, with the surge of technological advances and perpetual breakthroughs, the adoption of computers and gadgets as criminal tools has enhanced the criminal's ability to commit crimes, hide, and circumvent the judicial framework, given the low chances of being caught and prosecuted (Reith et al., 2002).

Definition

As stated by Reith et al. (2002), digital forensics has only recently emerged. It takes its roots from computer forensics, which is defined as "the collection of techniques and tools used to find evidence in a computer" (Caloyannides, 2001); digital forensics, on the other hand, is defined as "the use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from digital sources for the purpose of facilitation or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations" (Digital Forensic Research Workshop, 2001).

Digital forensics and its importance

Incidents of computer-related crime are on the rise. In 2003, the CERT Coordination Center reported over 135,000 incidents, a 67% increase over 2002 (CERT/CC Statistics, 2004). Consequently, digital forensics techniques have come to be recognised as lawfully accepted tools for investigating criminal activity. In this respect, forensic investigators have developed ad hoc procedures for performing digital investigations (Leigland and Krings, 2004). However, the informal nature of these procedures can prevent verification of the value of the evidence in legal proceedings (Carrier, 2003). At the same time, as Reith et al. (2002) observe, no standard or consistent digital forensic methodology exists, only a set of procedures and tools built from the experience of law enforcement, system administrators, and hackers. Over time, digital forensics has thus evolved from ad hoc procedures rather than from scientific risk assessment and risk management.

Digital forensics models

It is well known that the procedures normally used to resolve digital crimes are neither consistent nor standardised. Consequently, many have attempted to establish rudimentary guidelines over the past few years. However, most of these works focus on the details of the technology without laying much emphasis on a generalised process. For example, Farmer and Venema (1999) outlined some basic steps in their Computer Forensics Analysis Class notes: (1) secure and isolate, (2) record the scene, (3) conduct a systematic search for evidence, (4) collect and package evidence, and (5) maintain chain of custody. While the proposal had a sound foundation, the remainder of the procedure was UNIX specific, and the lack of software tools made exploration of non-UNIX systems impossible. Even though the model was a step in the right direction, its focus on one particular platform made it inappropriate as a general model for digital forensics (Reith et al., 2002).

Mandia and Prosise (2001) proposed another approach to digital crime, following an incident response methodology. It comprises the steps: (1) pre-incident preparation, (2) detection of incidents, (3) initial response, (4) response strategy formulation, (5) duplication, (6) investigation, (7) security measure implementation, (8) network monitoring, (9) recovery, (10) reporting, and (11) follow-up. This model improved on that of Farmer and Venema in that it provided detailed directions for specific platforms such as Windows NT/2000, UNIX and Cisco routers. Under this model, forensic investigators could meet their targets more efficiently when investigating computer crime, since the model applies to general computer systems. Nonetheless, it does not address forensic procedures for other digital devices such as personal digital assistants, peripheral devices, cell phones, or future digital technology, computer or otherwise, since its focus is purely computer crime.

In establishing its own model, the U.S. Department of Justice (DOJ) recognised the benefit of abstracting the process from specific technologies. Its model comprises the steps: (1) collection, (2) examination, (3) analysis, and (4) reporting (NIJ Guide, 2001). This procedure allows traditional physical forensic knowledge and the handling of modern electronic evidence to evolve together. Notably, the DOJ procedure does not differentiate forensics applied to computers from that applied to other electronic devices; instead it attempts to build a generalised process covering most electronic devices. An additional feature of this model is that it helps locate evidence: it lists the types of evidence that may be found on electronic devices, their potential locations, and even the types of crime with which they may be associated. For example, the model not only lists commonly cited hidden evidence locations such as deleted files, hidden partitions or slack space, but also indicates what type of information those locations might contain, such as social security numbers, source code or images.

Finally, in order to meet the challenge of standardising analytical procedures and protocols so that practitioners and researchers use a common terminology, the Digital Forensics Research Workshop (DFRW) developed a model that includes the steps: (1) identification, (2) preservation, (3) collection, (4) examination, (5) analysis, (6) presentation, and (7) decision (Digital Forensic Research Workshop, 2001). This model offers only the backbone of a framework, which the scientific community may refine further.

Therefore, following the recommendations of FBI Crime Scene Search (2002) and Digital Forensic Research Workshop (2001), the key components of a proposed model are illustrated in Figure 1 below.

Figure 1: Key components of the proposed Digital Forensic Model (adapted from Reith et al., 2002).

The model described above has not been tested or proven to be a cure-all for digital crime; however, it offers the prospect of analysing digital crimes involving an array of future technologies using a consistent and standardised methodology for producing electronic evidence. Such an advance would be a significant step for forensic science, as it provides a foundation for analysing new digital/electronic technology and a common framework within which law enforcement and the judicial system can feasibly work in a court of law (Digital Forensic Research Workshop, 2001).

Protection Rings

Protection rings (Schroeder, 1972) are a mechanism for protecting computing systems from faults and malicious behaviour. They are implemented in hardware, in the CPU itself. The rings are arranged hierarchically, with ring 0, the most privileged ring, at the centre of the circle (Figure 2.1). The kernel of an OS runs in ring 0, the most trusted ring; code running there is subject to no restrictions, since it executes with full privileges. From most to least privileged, the rings are named kernel, executive, supervisor and user. In practice, mainstream x86 operating systems use only ring 0 (kernel) and ring 3 (user), leaving rings 1 and 2 unused; the hypervisors discussed later in this chapter exploit this by moving the guest kernel out of ring 0 and keeping ring 0 for themselves.
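As an added illustration (not part of the original essay), the following C program models the three checks by which 32-bit x86 protected mode enforces the rings (data-segment access, privileged instructions, and port I/O), and reads the ring the program itself runs in from the low two bits of the CS register. The rules are the architecture's; the function names are my own.

```c
#include <stdbool.h>
#include <stdio.h>

/* Model of the x86 protected-mode ring checks (Intel SDM, Vol. 3,
 * "Protection"), added here as an illustration. Lower ring number means
 * more privileged: ring 0 is the kernel, ring 3 is user code. */

/* Data-segment access. The effective privilege level is the less
 * privileged (numerically larger) of CPL (the ring the code runs in)
 * and RPL (the requested level carried in the selector). Access is
 * allowed only if it is at least as privileged as the segment's DPL.
 * A kernel that forces RPL = 3 on a selector received from user space
 * therefore cannot be tricked into touching a ring-0 segment for it. */
bool data_access_allowed(int cpl, int rpl, int dpl) {
    int epl = cpl > rpl ? cpl : rpl;
    return epl <= dpl;
}

/* Privileged instructions (lgdt, mov to cr3, hlt, ...) require CPL 0.
 * This is the check a guest kernel deprivileged to ring 1 fails, which
 * is what lets a VMM intercept them (by trap, or by rewriting them). */
bool privileged_insn_allowed(int cpl) { return cpl == 0; }

/* Port I/O (in/out) is allowed when CPL <= IOPL (bits 12-13 of EFLAGS). */
bool io_allowed(int cpl, int iopl) { return cpl <= iopl; }

/* The ring the calling code actually runs in: the low two bits of CS.
 * Only meaningful on x86; returns -1 on other architectures. */
int current_cpl(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned short cs;
    __asm__ volatile ("mov %%cs, %0" : "=r"(cs));
    return cs & 3;
#else
    return -1;
#endif
}

int main(void) {
    printf("this program runs in ring %d\n", current_cpl());       /* 3 on x86 */
    printf("ring 3 reading a DPL-0 segment: %s\n",
           data_access_allowed(3, 3, 0) ? "allowed" : "denied");   /* denied */
    printf("ring 0 using a selector with RPL 3 on DPL 0: %s\n",
           data_access_allowed(0, 3, 0) ? "allowed" : "denied");   /* denied */
    printf("ring 1 executing a privileged instruction: %s\n",
           privileged_insn_allowed(1) ? "allowed" : "#GP fault");  /* #GP fault */
    return 0;
}
```

Run as an ordinary user process the program reports ring 3, which is the point: no matter what the code does, the CPU will not let it pass the checks above without going through a controlled gate (a system call or interrupt) into ring 0.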

Figure 2.1: Protection rings (real protection ring and virtual protection ring).

Virtualization

Server virtualization using time-sharing of resources (Creasy, 1981) dates back to the 1960s. IBM used the VM/370 operating system on an IBM System/370 server to run multiple instances of an OS; at that time a virtual machine was called "a pseudo-machine time-sharing system". The motivation was that the systems were idle most of the time; by running multiple pseudo-machine time-sharing systems, the resources of the System/370 were used efficiently. Today, server virtualization is defined as the sharing of the physical resources of a host among several guest operating systems, each running in isolation in a container called a virtual machine. The virtualization layer allows the virtual machines to run concurrently on the same host and allocates physical resources to them dynamically. A failure in one virtual machine, whether corruption, resource exhaustion or ??, does not affect the state of the other virtual machines. This isolation is only as strong as the virtualization layer that enforces it: a flaw in the hypervisor is precisely what an attacker inside one guest would target in order to reach the host or neighbouring guests.

Server virtualization is popular today because a modern processor has far more capacity than a single OS typically uses. At the time of writing, AMD offers the AMD Opteron 6000 Series ( ref to AMD) with 12 cores. This much processing power is far too much for a single application, so most physical servers are underutilised. Recent processors are virtualization aware, and the same is increasingly true of applications. Virtualization is therefore the natural solution for sharing resources such as CPU, RAM and networking. The cost of adopting virtualization is negligible, leaving aside high-availability features. As a result the IT industry sees virtualization as a cost saving that also promotes green IT.

CPU capacity, disk throughput, less maintenance.

More recently storage, networks and applications are also being virtualized, and several third-party vendors offer virtualization products, e.g. VMware's View for desktop virtualization and ThinApp for application virtualization.

Isolation

Performance

Binary Translation

VMware, the market leader in virtualization today, relies mainly on the binary translation (BT) technique in its hypervisor ( ref ), vSphere. A direct benefit of BT is that the guest operating system runs unmodified inside the virtual machine. The VMM provides an abstraction layer that hides the underlying complexity: it scans the guest kernel's code before it runs and rewrites the instructions that cannot safely be executed directly (privileged instructions, and those x86 instructions that silently behave differently when run without full privilege) into equivalent sequences under the VMM's control, while copying everything else unchanged. As a result the operating system itself is not aware that it is running in a virtualized environment. There are two types of binary translation (Adams et al., 2006): simple binary translation and adaptive binary translation.

Figure 3.1 Binary Translation

Simple binary translation

Adaptive binary translation.
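The following C program is an added illustration covering both subsections above; it is neither VMware's translator nor code from this essay. It defines a toy guest instruction set and a VMM model that performs simple binary translation (privileged instructions, and a POPF-like instruction that would silently misbehave in ring 1, are rewritten into calls into the VMM; everything else is copied as-is) and then adapts, in the manner Adams et al. describe, by retranslating an identically-copied store that keeps faulting on a page the VMM write-protects. The instruction set, the shadowed page number and the adaptation threshold are constructed assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Toy guest ISA constructed for this illustration (not x86). STORE's arg
 * is a guest page number; POPF's arg is the interrupt flag (IF) to load. */
enum op { ADD, STORE, POPF, CLI, HLT };
struct insn { enum op op; unsigned arg; };

enum host { IDENT, CALLOUT };      /* what the translator emits per guest insn */

#define MAX_INSN 64
#define SHADOW_PAGE 7              /* assumed: a page-table page the VMM write-protects */
#define ADAPT_THRESHOLD 3          /* traps at one site before adaptive retranslation */

struct vmm {
    enum host tc[MAX_INSN];        /* translation cache, indexed by guest PC */
    int site_traps[MAX_INSN];      /* traps per guest PC; drives adaptation */
    bool adaptive;
    unsigned long traps;           /* hardware faults into the VMM (expensive) */
    unsigned long callouts;        /* direct calls into the VMM (cheap) */
    unsigned guest_if;             /* the guest's virtual interrupt flag */
    unsigned mem[16];              /* guest memory, one word per page */
};

/* Simple BT. CLI and HLT are privileged: run in ring 1 they would fault,
 * so they are rewritten as calls into the VMM. POPF is the classic x86
 * problem: in ring 1 it silently drops the IF change instead of faulting,
 * so left alone it would run *wrong* with no trap to catch it; it is
 * rewritten too. Everything else is copied unchanged (IDENT). */
void translate(struct vmm *v, const struct insn *code, int n) {
    for (int pc = 0; pc < n; pc++) {
        enum op o = code[pc].op;
        v->tc[pc] = (o == CLI || o == HLT || o == POPF) ? CALLOUT : IDENT;
        v->site_traps[pc] = 0;
    }
}

/* VMM emulation of one guest instruction, used by callouts and by the
 * fault handler alike. */
void emulate(struct vmm *v, const struct insn *i) {
    switch (i->op) {
    case CLI:   v->guest_if = 0;          break;
    case POPF:  v->guest_if = i->arg & 1; break;
    case STORE: v->mem[i->arg] += 1;      break;  /* shadow-page bookkeeping elided */
    case ADD: case HLT:                   break;
    }
}

/* Execute the translated block `passes` times. Returns the number of
 * hardware traps taken. */
unsigned long run(struct vmm *v, const struct insn *code, int n, int passes) {
    for (int p = 0; p < passes; p++) {
        for (int pc = 0; pc < n; pc++) {
            const struct insn *i = &code[pc];
            if (v->tc[pc] == CALLOUT) {
                v->callouts++;
                emulate(v, i);
            } else if (i->op == STORE && i->arg == SHADOW_PAGE) {
                /* An identically-copied STORE hits the write-protected
                 * page: the hardware faults into the VMM, which emulates it. */
                v->traps++;
                emulate(v, i);
                if (v->adaptive && ++v->site_traps[pc] >= ADAPT_THRESHOLD)
                    v->tc[pc] = CALLOUT;  /* adaptive BT: retranslate the hot site */
            } else {
                emulate(v, i);            /* stands in for direct execution */
            }
        }
    }
    return v->traps;
}

/* Constructed guest block: the second instruction hits the shadowed page
 * on every pass, e.g. a kernel loop updating its own page tables. */
#define N_SAMPLE 5
static const struct insn sample[N_SAMPLE] = {
    { ADD, 1 }, { STORE, SHADOW_PAGE }, { POPF, 1 }, { STORE, 2 }, { CLI, 0 },
};

unsigned long run_sample(bool adaptive, int passes, struct vmm *out) {
    memset(out, 0, sizeof *out);
    out->adaptive = adaptive;
    translate(out, sample, N_SAMPLE);
    return run(out, sample, N_SAMPLE, passes);
}

int main(void) {
    struct vmm simple, adaptive;
    run_sample(false, 10, &simple);    /* 10 traps, 20 callouts */
    run_sample(true, 10, &adaptive);   /*  3 traps, 27 callouts */
    printf("simple BT:   %lu traps, %lu callouts, IF=%u\n",
           simple.traps, simple.callouts, simple.guest_if);
    printf("adaptive BT: %lu traps, %lu callouts, IF=%u\n",
           adaptive.traps, adaptive.callouts, adaptive.guest_if);
    return 0;
}
```

Both runs leave the guest in the same state (the same memory contents and interrupt flag), which is the correctness requirement; the difference is that the adaptive translator converts a site that trapped three times into a callout, so the remaining passes never leave the translated code. Real traps cost orders of magnitude more than a callout, which is why this retranslation matters for workloads that touch page tables or device registers in a loop.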

Paravirtualization

The prefix "para" comes from Greek and means "alongside"; paravirtualization thus means "alongside virtualization" and refers to explicit communication between the guest operating system and the hypervisor. In a paravirtualized environment the kernel of the guest operating system is modified so that, instead of executing privileged instructions, it issues explicit calls (hypercalls) to the hypervisor. Figure 2.4 contrasts this with BT, where the unmodified guest OS is deprivileged to ring 1 and the VMM rewrites its privileged instructions; in both cases the hypervisor alone occupies ring 0 (in Xen on 32-bit x86, for instance, the paravirtualized guest kernel also runs in ring 1). Since the guest kernel must be modified, compatibility and portability are poor. This is a major drawback compared with BT: not every operating system can run on a paravirtualized platform, and those that can need deep changes to their kernel, which rules out closed-source kernels without the vendor's cooperation.

Figure 2.4

Hardware Assisted

Virtual Machine Monitor

Popek and Goldberg (1974), in "Formal Requirements for Virtualizable Third Generation Architectures", define a VMM as software with three properties: equivalence (a program running under the VMM behaves essentially as it would on the real machine), efficiency (a statistically dominant subset of the guest's instructions executes directly on the real processor without VMM intervention), and resource control (the VMM is in complete control of system resources).

The Virtual Machine Monitor (VMM) forms part of the Virtualization layer. It i

Put Figure of VMM Here

Memory Translation

Virtual Machine Introspection