• A framework for evidence integrity preservation in virtualized environment: a digital forensic approach

      Ani, Uchenna Peter Daniel (University of Bedfordshire, 2012-01)
      Virtual machine technology has emerged with appealing features such as versioning, isolation and encapsulation. These features have made evidence acquisition and preservation difficult and impracticable. Virtual machines have proved excellent at anti-forensics, such that conventional approaches to integrity preservation have not yielded the best results required to facilitate admissibility. Issues around virtual machine forensics, its relationship with digital evidence integrity, and effects on admissibility have been resolutely investigated. In this work, we focused on the identification of threats to the integrity of evidence in a virtual machine environment, using the VMware hypervisor as a case study. A conceptual framework, EIPF, for preserving the integrity of evidence resident in a virtual machine environment is introduced. The framework emphasises rules, processes and parameters necessary for upholding the accuracy, reliability and trustworthiness of digital evidence. The framework adopts the widely known Clark-Wilson's principles on Data Integrity. In our investigation, the key parameters used are the security strength of the hash algorithms, the relative Number of Evidence Attributes, and the Number of Evidence Circles. To simplify the analysis further, a reliability rating factor has been introduced as a means of defining conceptual integrity levels. We have mathematically modelled all the penalty parameters for data integrity in our model following widely known and recommended standards and processes. Although a demonstration of the behaviour of EIPF had not been exhaustively featured, the proposed framework has offered a starting point towards adopting an improved way of ensuring integrity. While opening up a path for unification, it has amplified the trust level for a court's acceptance of a claimed integrity state for digital evidence.