{"title":"The forensic effectiveness of virtual disk sanitization","authors":"Joshua Sablatura, Umit Karabiyik","doi":"10.1109/ISDFS.2016.7473530","DOIUrl":null,"url":null,"abstract":"It is a very likely situation for a digital forensics investigator to encounter a virtual machine during an investigation. The evidence found in a vmdk disk may not necessarily belong to the virtual machine. It is possible that a vmdk disk could contain previously deleted data from the host machine. In this paper we investigate the possibility of type 1 and type 2 hypervisor virtual disks to contain previously deleted data from the host machine. We specifically tested VMware Workstation 11 and ESXi vSphere 6.0 products for each type respectively. We also attempt to identify the disk sanitization strategies employed by these products, and locations within a virtual disk that could potentially contain unallocated host data.","PeriodicalId":136977,"journal":{"name":"2016 4th International Symposium on Digital Forensic and Security (ISDFS)","volume":"9 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-04-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2016 4th International Symposium on Digital Forensic and Security (ISDFS)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ISDFS.2016.7473530","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
The forensic effectiveness of virtual disk sanitization
It is a very likely situation for a digital forensics investigator to encounter a virtual machine during an investigation. The evidence found in a vmdk disk may not necessarily belong to the virtual machine. It is possible that a vmdk disk could contain previously deleted data from the host machine. In this paper we investigate the possibility of type 1 and type 2 hypervisor virtual disks to contain previously deleted data from the host machine. We specifically tested VMware Workstation 11 and ESXi vSphere 6.0 products for each type respectively. We also attempt to identify the disk sanitization strategies employed by these products, and locations within a virtual disk that could potentially contain unallocated host data.