I'm a big fan of virtualization, and have seen first-hand how much of a 'game changer' it has been when it comes to infrastructure. With my recent studies of Digital Forensics I wondered how does virtualization 'change the game' when it comes to forensics?

In my so-far brief researching, there seems to have been a bit written about the use of virtualization in forensic analysis. The paper entitled 'Virtual Forensics' [pdf] from ForensicsFocus.com is an interesting start, discussing VMs as a target and the use of VMs to make analysis easier. This presentation from 2005 is boldy titled "Virtual Machines: The Ultimate Tool for Computer Forensics" while this paper [pdf] claimed that "the environment created by VMWare differs considerably from the original computer system, and because of that VMWare by itself is very unlikely to produce court admissible evidence" and suggests that a hybrid approach of using a standard forensic image along with a VM for analysis is the best approach.

There also seem to be plenty of ready to run virtual machine images or appliances to assist the forensics practitioner, but what happens when the target machine is a VM?

This article from cio.com mentions one of the potential problems is that VMFS (VMWare's file system used to store the 'guest' virtual machine images) is not well understood. A virtual machine is simply files on a disk, but when you want to capture a forensic image of a VM do you simply capture the 'disk files' (eg: vmdk file, NVRAM file, etc) or do you need the underlying host storage volume (the VMFS partition) to capture metadata (such as the last accessed time etc)?

The sheer size of the VMFS partition may also cause problems (think multi-terabyte LUNs), along with the fact that vmfs partitions may be shared amongst many guest VMs, which may cause problems if a forensic investigator is only authorized to investigate a single machine.

With continuing explosive growth of server virtualization and now the increase in interest in desktop virtualization it will be interesting to see what changes (if any) will be required for digital forensic investigators in the near future.