Secure Acquisition of Digital Evidence from VMware ESXi Hypervisors
Open Access
- Author:
- Tentilucci, Matthew Joseph
- Graduate Program:
- Information Sciences and Technology
- Degree:
- Master of Science
- Document Type:
- Master Thesis
- Date of Defense:
- March 16, 2015
- Committee Members:
- Anna Cinzia Squicciarini, Thesis Advisor/Co-Advisor
- Keywords:
- Digital Forensics, VMware ESXi, Computer Security, Perl
- Abstract:
- The use of computer virtualization technologies has rapidly grown since the early 2000s. Factors driving this growth include the ever-increasing utilization of cloud computing as well as benefits to consolidating physical hardware within a data center. In addition to the growth of virtualization technologies, computer security incidents are also increasing. However, researchers have drawn attention to the problem that many of the traditional computer forensics tools and investigation techniques cannot be used to gather and analyze digital evidence obtained from virtualization technologies or cloud computing resources. To solve a part of this problem, this thesis proposes a new open source tool called ESXimager that securely acquires digital evidence from VMware ESXi hypervisors. The tool securely images selected virtual machine files running on VMware ESXi and ensures image integrity through the entire imaging process. Written in Perl and utilizing Tk, the tool makes use of an ESXi server’s ability to execute shell commands. Bit-stream copies are created using the dd command, image integrity is verified using the MD5 and SHA1 hashing algorithms, and images are securely transferred to an external imaging machine with SFTP. With a secure image created, a forensics investigator can load the image into a separate computer forensics tool for analysis. ESXimager’s capabilities are validated in a small yet realistic test environment. The tool connects to an ESXi server, creates images of selected virtual machine files, calculates multiple hashes, and securely transfers images to a local imaging machine. In addition, the tool detects if the integrity of an image file is compromised. With some additional development and testing in a larger environment, this could potentially become the go-to tool used to acquire images from VMware ESXi hypervisors.
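The acquisition steps the abstract lists (bit-stream copy with dd, MD5 and SHA1 hashing, and detection of a modified image) as an added POSIX sh example. This is not ESXimager's code or any code from the thesis; it uses only `dd`, `md5sum` and `sha1sum`, which busybox on ESXi and coreutils on the imaging machine both provide, and the sample "virtual machine file", the `.md5`/`.sha1` sidecar naming and the function names are constructed here for the demonstration. The SFTP transfer step is left out, since it needs a second host.

```shell
#!/bin/sh
# Added example, not ESXimager's code: imaging and integrity checking in
# POSIX sh, mirroring the dd + MD5/SHA1 workflow the thesis abstract describes.
# Sample content and the .md5/.sha1 sidecar convention are constructed here.

# Print the MD5 and SHA1 of a file as "md5 sha1".
hash_file() {
    md5=$(md5sum "$1" | cut -d' ' -f1)
    sha1=$(sha1sum "$1" | cut -d' ' -f1)
    printf '%s %s\n' "$md5" "$sha1"
}

# Bit-stream copy SRC to IMG with dd, hash both sides, and store the source
# hashes beside the image. Returns 0 only if the copy hashes identically.
image_file() {
    src=$1; img=$2
    dd if="$src" of="$img" bs=512 2>/dev/null || return 1
    src_hashes=$(hash_file "$src")
    img_hashes=$(hash_file "$img")
    [ "$src_hashes" = "$img_hashes" ] || return 1
    printf '%s\n' "${src_hashes% *}" > "$img.md5"
    printf '%s\n' "${src_hashes#* }" > "$img.sha1"
}

# Re-hash IMG and compare with the stored values: 0 = intact, 1 = modified.
verify_image() {
    img=$1
    set -- $(hash_file "$img")
    [ "$1" = "$(cat "$img.md5")" ] && [ "$2" = "$(cat "$img.sha1")" ]
}

# Build a constructed stand-in for a VM file (not a real VMDK) in DIR.
make_sample() {
    printf 'constructed sample, not a real VMDK\n' > "$1/sample.vmdk"
    dd if=/dev/zero bs=512 count=8 2>/dev/null >> "$1/sample.vmdk"
}

# Walk through acquisition, verification, and detection of a tampered image.
demo() {
    work=$(mktemp -d)
    make_sample "$work"
    image_file "$work/sample.vmdk" "$work/sample.img" \
        && echo "imaged; md5=$(cat "$work/sample.img.md5")"
    verify_image "$work/sample.img" && echo "verify: image intact"
    printf 'x' >> "$work/sample.img"   # simulate a modified image
    verify_image "$work/sample.img" || echo "verify: integrity compromised"
    rm -rf "$work"
}

# Only run the demo when invoked as "sh script.sh demo", so that sourcing
# the file just defines the functions.
[ "${1:-}" = "demo" ] && demo
```

Keeping the hashes of the *source* file rather than of the copy is the point of the sidecar files: the verification later compares the image against what was read from the hypervisor, so a change introduced anywhere after acquisition (including in transit) shows up as a mismatch in both digests.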