Dissertation/Thesis Abstract

Forensic recovery of evidence from deleted VMware vSphere Hypervisor virtual machines
by Kinchla, Brendan, M.S., Utica College, 2015, 107; 1587159
Abstract (Summary)

The purpose of this research was to analyze the potential for recovering evidence from deleted VMware vSphere Hypervisor (ESXi) virtual machines (VMs). There exists an absence of scholarly research on the topic of deleted VM forensic recovery. Research dedicated to forensic recovery of ESXi VMs and VMware’s VM file system (VMFS) is nearly non-existent. This paper examined techniques to recover deleted ESXi VMs to a state where examination for forensic artifacts of user activity can occur. The paper examined the disk-provisioning methods for allocation of virtual disk files and the challenges for forensic recovery associated with each disk-provisioning type. The research determined that the two thick-provisioned virtual disk types provided the best opportunity for complete recovery, while certain characteristics of thin-provisioned virtual disk files made them less likely to recover in their entirety. Fragmentation of virtual disk files presented the greatest challenge for recovery of deleted VMs. Testing of alternate hypotheses attempting to reduce the likelihood of fragmentation within the virtual disk file met with mixed results, leaving fragmentation of virtual disk files as a significant challenge to successful VM recovery. The paper examined the techniques for recovering deleted files from VMFS volumes. Due to a lack of forensic tools with the ability to interpret the VMFS filesystem, forensic recovery focused on data stream searching through the VMFS volume image and file carving from consecutive disk sectors. This method proved to be inefficient, but ultimately successful in most of the test cases.

Keywords: Cybersecurity, Professor Cynthia Gonnella, virtualization, VMDK.

Indexing (document details)
Advisor: Gonnella, Cynthia
Committee: Neal, Cherilyn
School: Utica College
Department: Cybersecurity
School Location: United States -- New York
Source: MAI 54/04M(E), Masters Abstracts International
Subjects: Computer science
Keywords: Cyber, Forensic, Virtualization, Virtual machine, Vmware, Vmware vsphere hypervisor
Publication Number: 1587159
ISBN: 978-1-321-70566-9