(IJACSA) International Journal of Advanced Computer Science and Applications,

Vol. 12, No. 2, 2021

Disposable Virtual Machines and Challenges to Digital Forensics Investigation

Mohammed Yousuf Uddin1, Sultan Ahmad*2, Mohammad Mazhar Afzal3

1,3 Department of Computer Science and Engineering, Glocal University, Saharanpur, Uttar Pradesh, India
2 Department of Computer Science, College of Computer Engineering and Sciences, Prince Sattam Bin Abdulaziz University, Al-Kharj 11942, Saudi Arabia

Abstract—Digital forensics faces new challenges with emerging technologies. Virtualization is one of the significant challenges in the field of digital forensics. Virtual Machines (VMs) have many advantages, whether it be optimum utilization of hardware resources or cost savings for organizations. Traditional forensic tools are not competent enough to analyze virtual machines, as they only support physical machines; to overcome this challenge, Virtual Machine Introspection technologies were developed to perform forensic investigation of virtual machines. Until now, we were dealing with persistent virtual machines; these are created once and used many times. There is an extreme version of the virtual machine, the disposable virtual machine. A disposable virtual machine is created and used once, and then it vanishes from the system without leaving behind any significant traces or artifacts for the digital investigator. The purpose of this paper is to discuss the various disposable virtualization technologies available and the challenges they pose to the digital forensics investigation process, and to provide some future directions to overcome these challenges.

Keywords—Digital forensics; digital investigation; disposable virtual machines; light weight virtual machine; Microsoft sandbox; QEMU; qubes

I. INTRODUCTION

Digital forensics is a process with four basic phases: collection, examination, analysis and reporting. During the collection phase, data related to a specific event is identified and collected, and its integrity is maintained. The examination phase uses forensic tools and techniques as well as manual processes to identify and extract the relevant evidence from the collected data. The analysis phase deals with analyzing the results of the examination phase to generate useful information related to the case. The final phase generates reports of evidence from the results of the analysis [1]. A virtual machine (VM) is a tightly isolated software container with an operating system and applications inside. A VM is self-contained and independent. Multiple VMs with different operating systems and applications can run on a single physical machine, or host. The hypervisor is the software layer which decouples the virtual machines from the host and dynamically allocates and manages the computing resources for each virtual machine as required [2]. Forensic investigation of virtual machines is a challenging task: if a virtual machine is the subject of a crime investigation, obtaining an image of the physical drive will not by itself yield significant evidence, since the virtual hard drive holds the evidence; moreover, vulnerabilities and attacks that affect the physical drive will have the same effect on the virtual environment. Analyzing multiple virtual machines using traditional forensic tools is not possible. Virtual machine introspection is the technique of monitoring a virtual machine through the hypervisor or a privileged VM, where the evidence is collected without affecting the target VM [3]. Virtual machines created using Oracle VirtualBox can be recovered using Autopsy and other tools, but VMs which were deleted using the destroy command cannot be recovered [4]. The goal of this paper is to explore disposable virtual machines and the challenges they pose to digital forensics practitioners. The next section discusses virtualization technologies. Section 3 explores disposable virtual machine technologies. Section 4 explores the challenges and roadblocks introduced by disposable virtualization to digital forensics. Section 5 discusses current solutions to the issues related to disposable virtualization. We conclude with possible research directions to overcome these challenges.

* Corresponding Author: Sultan Ahmad

II. VIRTUAL MACHINES

Virtualization technology enables utilization of resources in an effective way and reduces maintenance and security costs for end users. A virtual machine runs on a hypervisor. Hypervisors are of two types. One, which operates directly on the physical hardware and does not require an operating system, is called a type-1 hypervisor, often called a "bare metal" hypervisor; examples include Citrix, Xen Server, ESXi from VMware, and Microsoft's Hyper-V. The layered architecture of a type-1 hypervisor is illustrated in Fig. 1.

Fig. 1. Type-1 Hypervisor.

The second type of hypervisor rests upon an operating system and is known as a type-2 hypervisor. The most popular type-2 hypervisors are VMware, VirtualBox, and Parallels Desktop for Mac OS.
www.ijacsa.thesai.org 792 | P a g e

TABLE I. DISPOSABLE VIRTUAL MACHINES.

Disposable VM          Hypervisor            Type
Microsoft Sandbox      Microsoft Hypervisor  Type 2
Qubes Disposable VM    KVM, Xen              Type 1
VirtualBox Nested VM   VirtualBox            Type 2
Shade SandBox          Microsoft Hypervisor  Type 2
QEMU                   Xen, KVM, Hax         Type 2
Bitbox                 VirtualBox            Type 2

Fig. 2. Type-2 Hypervisor.

Type-1 hypervisors provide greater performance and security, and there is no overhead for the hypervisor to interact with a host operating system. A type-2 hypervisor runs as an application on top of the host operating system (OS); it gives convenience to individual users who intend to emulate an operating system other than their own, for example, Windows users can install Linux in a virtual machine [5]. Fig. 2 shows the type-2 hypervisor's architecture. Among VMware files, the vmdk file is the virtual hard disk and the vmem file is the paging file acting as primary memory (RAM) [6]. The Oracle VirtualBox hypervisor also maintains such files: for each virtual machine there is a machine folder, and inside the machine folder a vmname.vbox file, a vmname.vdi file (the vdi-format disk image), a Logs folder and a Snapshots folder. These specific virtual machine files are collected from the host machine to conduct an investigation of the virtual machine [7].

A. Virtual Machine Forensics

VM forensics is similar to traditional digital forensics in many ways, but at the same time it introduces new pitfalls. There are many forensic approaches for virtual machines. The simplest form of forensic investigation of a virtual machine starts with acquiring a disk image of the host computer on which the virtual machines are running; after acquiring the disk image, the files for the respective virtual machine manager are extracted. Along with the VM's files, network logs and the host operating system's registry are also extracted. Disk image acquisition has to be done with utmost care to preserve integrity and ensure the legal admissibility of the evidence. There are standard procedures and guidelines for digital evidence acquisition approved by the Association of Chief Police Officers of the UK (ACPO), ISO Standard 27037, the U.S. Department of Justice Office, and the EU publication Guidelines on Digital Forensic. First, the machine is powered off by disconnecting the power supply. Then the hard disk drives or solid-state drives are removed from the suspect machine. The extracted disk drive is write protected with a write blocker kit. The disk drive is then connected to a forensic machine to create a duplicate image of the drive using specialized tools such as dd, FTK Imager, EnCase, etc. The disk image acquired in the previous step is used for analysis. In the case of a VM disk image there are two approaches: the first is resuming the suspended virtual machine on the corresponding virtual machine manager; the second is to create snapshots of the virtual machine. When the suspended virtual machine is resumed, the VM disk files (vmdk, vdk or vhd files) and other files related to the virtual machine are restored; the downside of this approach is that during the resume process the VM files may change and the integrity of the evidence is compromised. When a snapshot of the VM is used for forensic analysis, there will be no changes to the state of the HDD. Forensic analysis tools such as EnCase and FTK support the conversion of virtual disk image files (.vmdk, .vdi) to raw dd format files [8]. The virtual machine introspection technique uses the virtual machine manager to view inside the virtual machine, to track and view the virtual machine state. VMI can inspect and view VM memory, the processor, installed operating systems, applications and services. Another approach is evidence search through injected code. This strategy is inspired by code injection attacks, which use vulnerabilities to inject malicious code into applications and the kernel to control and corrupt the system [9].

III. DISPOSABLE VIRTUAL MACHINES

A disposable virtual machine is a lightweight virtual machine, created instantly, which is disposed of when it is closed. Disposable VMs are commonly used to host a single application, such as a web browser, viewer, editor or a suspicious application. This concept of single-use virtual machines has also been adopted by various operating systems. In Table I, a few popular disposable virtual machine managers are listed.

A. Microsoft Windows Sandbox (WSB)

Microsoft Windows Sandbox runs applications in isolation. Secure execution of an application in the sandbox environment does not affect the host operating system. A new instance of the sandbox is created each time and disposed of as soon as it is closed. Applications preinstalled in the host operating system are not accessible in the sandbox environment; instead, explicit installation of the application is required. The sandbox uses hardware virtualization for kernel isolation. Windows Sandbox is a new lightweight disposable desktop environment which runs applications in isolation. Windows 10 Pro and Enterprise editions include the sandbox environment. As soon as the sandbox is closed, the applications, residual files and data related to that particular sandbox are deleted permanently. Every time you start a Windows Sandbox, it is as clean as a brand-new installation of Windows. The Windows 10 operating system has all the required files pre-loaded to run the sandbox. It is disposable: nothing persists on the host device once you close the sandbox. Windows Sandbox (WSB) gets a dynamically generated base image with the same directory structure as the host operating system, except that the mutable files are copied into the WSB directory structure. Immutable files of the host operating system can be accessed through links. The efficiency of Windows Sandbox is achieved by the following: process scheduling integrated with the kernel scheduler; smart memory management, where memory pages are allocated to WSB and the host operating system on demand, so there is no fixed chunk of memory for WSB, which gives more flexibility and improves efficiency overall; and a virtual GPU, which enables dynamic utilization of graphics processing. The Windows Sandbox architecture

Fig. 3. Windows Sandbox Architecture.

is illustrated in Fig. 3. To use Windows Sandbox you must start the sandbox first, copy the executable file you wish to run from the host file system and paste the executable file into the sandbox. Once the file is copied, you can run it as a normal application. Windows Sandbox gives two options: one is to run a full desktop in the sandbox; the second is to run just the application in the sandbox, also known as rails. The sandbox has many advantages over traditional virtual machines, which create a virtual machine and install a complete operating system where resources are shared among the host operating system and the virtual machines. In the case of Windows, only a few files from the host file system are used for the sandbox; it is a dynamically generated image. Memory management is dynamic: based on the payload, the system allocates memory to the sandbox. Process scheduling is integrated, so the sandbox and host systems are managed together. Windows Sandbox is secure as it runs on a separate kernel provided by Microsoft's hypervisor, keeping it isolated from the host kernel. Virtualization in the case of the sandbox is hardware-based, as illustrated in Fig. 1. Thus, to implement a type-1 hypervisor, the host system must support virtualization, which can be enabled or disabled from the BIOS of the host system. Any malicious code will not affect the host kernel and will not persist once the sandbox is closed. WSB can be accessed remotely from a server where the sandbox is created in two modes: 1. WSB with full desktop; 2. WSB Rails, where a specific application is launched in the sandbox, similar to an application VM. Remote clients can access and launch the WSB from the server; once it is closed, no files or changes are saved on the host server [10].

B. Qubes Disposable VM

Qubes OS was developed with a focus on the security-through-isolation approach. Virtualization is based on the Xen hypervisor. Domains are created with different security levels, each running in a virtual machine; a Work domain is more secure than a Shopping domain. Dom0 is the administrative domain; it can access all the hardware directly, such as graphics devices and input/output devices like the keyboard and mouse. This administrative domain manages the virtual disks of the other VMs and stores these virtual disk images on its file system. Disk space is saved by storing the virtual disks on the same file system and accessing them in read-only mode. Qubes allows users to launch a disposable VM directly from dom0's start menu, or from an AppVM by choosing "open with disposable VM". In a disposable VM you can work with untrusted files without compromising other virtual machines. Disposable VMs are created using a Disposable VM Template. Disposable VMs created with these templates each have their own user file system, one for each disposable VM. Qubes R4.0 has multiple templates, and the default template for disposable VMs is fedora-xx-dvm (xx here refers to the version number) [11].

C. VirtualBox

Oracle VirtualBox is an open source type-2 hypervisor from Oracle Corporation for virtualization of Windows and Linux operating systems. Creation and management of guest virtual machines is very user friendly. Intel VT-x and AMD-V hardware-assisted virtualization are supported on VirtualBox. It supports nested virtualization, which is one of the challenges for digital forensics experts [7]. Nested virtual machines run on a hypervisor which is itself on top of another virtual machine; this recursive stacking of hypervisors increases overhead but at the same time provides an extra layer of security and decouples the VM from the physical host [12]. Eventually it comes with extra overhead for digital forensic investigation.

D. Shade Sandboxie

Shade Sandboxie is application-based sandboxing. It creates an isolated environment to execute suspicious code. Such an environment is used to track and observe code behavior and output activity; it creates a functional layer of network security against APTs and other cyber threats. Applications run inside a simulated virtual environment without hardware virtualization support. Running malicious code and browsing websites with potential threats will not affect the host operating system [13].

E. QEMU (Quick Emulator)

QEMU is a hosted virtual machine monitor which operates in different modes. In system emulation mode it emulates hardware including the processor and peripheral devices. In user mode, it runs programs built for an instruction set other than the host's, enabling cross-compilation and cross-debugging. In KVM hosting mode, QEMU emulates hardware but the guest operating system runs on KVM. In Xen hosting mode, QEMU again emulates hardware and Xen runs the guest operating systems [14].

F. BitBox

BitBox is a secured Firefox encased in a virtual machine with a Linux OS on Oracle VirtualBox. The only drawback is the setup, which takes 2 GB of disk space. It was developed by the German cyber security company Rohde & Schwarz to prevent cyber-attacks such as APTs, zero-day exploits and ransomware [15].

IV. CHALLENGES POSED BY DISPOSABLE VIRTUAL MACHINES IN DIGITAL FORENSICS

In essence, attackers can start a disposable VM to carry out their act and then close the disposable VM, which leaves no traces for the forensics expert. Existing virtual machine forensic techniques are not going to yield significant results. Disposable virtual machines were not designed with digital forensics

and evidence integrity in mind; instead, the objective was to completely isolate applications from the host operating system and leave a pristine system without any traces behind.

However, no significant work has been done on disposable virtual machine forensics. We could not find any substantial information about disposable virtual machine or lightweight VM forensics. A forensic investigation begins with identifying the system which contains potential evidence or is involved in suspicious activity. The first step is to identify the incident, and the next is to acquire evidence to prove the incident. When it comes to disposable virtual machines, no traces are left. The very nature of the disposable virtual machine architecture is the main challenge in data identification and the subsequent collection of evidence. Mostly, no artifacts are left after closing a disposable virtual machine. A possible solution could be capturing the sandbox or disposable virtual machine instances while they are active; another possible solution is to perform data carving from memory dumps and hypervisor log files. In the presence of a hypervisor, it is difficult to take a dump of the physical memory, and it is difficult to extract data from the memory reserved for the virtual machine monitor. One possible way is to use memory acquisition tools like Volatility, Rekall and Layout Expert [16]. It might be possible to analyze the virtual machine processes running on the machine, but even after capturing memory dumps it is difficult to analyze the memory dump for virtual machine data. Here we use the standard forensic investigation steps to discuss the challenges posed by disposable VMs at each stage. The stages of forensic investigation are as follows: 1. Forensic image creation; 2. Identification and recovery; 3. Analysis; 4. Presentation and documentation [17].

A. Forensic Image Creation

A disk image of the suspected system is created from the physical machine. At this stage, the integrity of the created image must be preserved. This is performed using tools like dd, ddrescue, EnCase and PhotoRec, etc. [18][19]. The investigator never uses the original disk to conduct the investigation; instead, the image of the disk is used to conduct analysis and further investigation. This image is used to collect information about the virtual machine and the hypervisor used. The information includes execution time logs, temporary files, snapshots, Internet activity log files, etc. Therefore, the investigator must collect the image carefully, without tampering with its integrity, to extract vital information. Write blockers are used to prevent accidental writes to the original disk. MD5 hashing is one of the methods to ensure integrity. Forensic tools allow us to complete this task by mounting the disk image for further analysis of the virtual machines and hypervisor. Graphical user interfaces such as Dymanage and AIR were developed for dd and ddrescue. In the case of disposable virtual machines, data is not persistent, so it is not possible to create a disk image of a disposable virtual machine.

B. Identification and Recovery

At first, the host machine is analyzed to find traces of the virtual machine in the hypervisor. The host operating system maintains log files which lead to traces of the virtual machine. The Windows operating system maintains registry entries, prefetch files, shared DLLs, log files, thumbnails, icons, temporary files, system event logs, etc. that can prove the existence of the virtual machine on the host computer. Even after files are deleted, most of the time the operating system does not completely delete the files; instead it removes the file reference from the master file table. Specifically, large files such as virtual machine files still exist on the disk. Each of these files can be extracted from the unallocated space of the secondary disk. Data recovery tools like best disc, Handy Recovery and R-Studio, etc. are commonly used to recover data from the disk image.

C. Analysis

Virtual machine analysis: regular virtual machines can be analyzed by mounting them as a disk drive or by accessing them through a hypervisor. In the case of disposable virtual machines this is not possible; files related to the disposable VM are deleted. Virtual machine files could be recovered by identifying their format based on the hypervisor. Files with extensions like .VDI and .VMDK are used by popular hypervisors [20]. Another option to investigate the virtual machine is by picking a snapshot of the VM and further analyzing the snapshot to extract vital information that can be presented as evidence. This provision of a snapshot is not available for disposable virtual machines. The only option left for a disposable VM is to analyze host operating system log files, registry entries, etc.

D. Presentation and Documentation

Documenting and presenting the evidence found during the investigation is the final stage of a forensic investigation. Evidence includes time stamps and who accessed data or performed an activity, and when. Forensic tools have their own proprietary report formats. There are no specific forensic tools for disposable VM forensics, so there exists no specific reporting format for disposable VMs. It is preferable to use the same reports as for virtual machines. In Table II we have presented the challenges posed by disposable VMs at every stage of the forensic investigation.

TABLE II. DISPOSABLE VM CHALLENGES.

Investigation Stage         Challenge
Image creation              No persistent files of the disposable VM exist on the disk drive
Information identification  Host OS or the hypervisor do not maintain activity logs of the disposable VM
Analysis                    Snapshots or .vdi files are not available
Presentation                No specific format of reporting is available

V. CONCLUSION

In this paper, the investigators have explored the challenges posed by lightweight VMs to digital forensics experts at every stage of the digital forensics investigation. We discovered that there is not much research done on disposable VM forensics. These challenges need to be addressed by conducting experiments on disposable VMs. One possibility is to compare the complete system image before and after running a disposable virtual machine on various platforms; in this way we can find possible traces or changes in the system.

ACKNOWLEDGMENT

The authors would like to acknowledge the support of the Deanship of Scientific Research at Prince Sattam Bin Abdulaziz University, Al-Kharj, Saudi Arabia.
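The before-and-after system comparison proposed in the conclusion, combined with the recovery-by-format idea of Sections IV.B and IV.C, as an added example that is not part of the paper: it hashes a file tree before and after a simulated disposable-VM session, reports added, removed and modified files, and labels each new or changed file by its VirtualBox VDI or VMware VMDK header magic instead of trusting the extension. All paths and file contents are constructed for the demo; the header constants are documented format facts.

```python
"""Added example (not from the paper): snapshot a file tree before and after a
disposable-VM session, diff by content hash, label changed files by VM-disk magic."""
import hashlib
import os
import struct
import tempfile

# Documented header constants of the two disk formats the paper names.
VDI_SIGNATURE = 0xBEDA107F               # u32 little-endian at offset 0x40
VDI_TEXT = b"<<< Oracle VM VirtualBox Disk Image >>>\n"
VMDK_SPARSE_MAGIC = b"KDMV"              # first bytes of a sparse .vmdk extent
VMDK_DESCRIPTOR_MAGIC = b"# Disk DescriptorFile"


def identify_vm_disk(header: bytes):
    """Classify a file by its leading bytes; None when no known VM-disk magic."""
    if len(header) >= 0x44 and struct.unpack_from("<I", header, 0x40)[0] == VDI_SIGNATURE:
        return "vdi"
    if header.startswith(VMDK_SPARSE_MAGIC):
        return "vmdk-sparse"
    if header.startswith(VMDK_DESCRIPTOR_MAGIC):
        return "vmdk-descriptor"
    return None


def snapshot(root: str) -> dict:
    """Map every file under root (relative, '/'-separated path) to the SHA-256 of
    its content; a content hash, not a timestamp, is what proves a file changed."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            result[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return result


def diff_snapshots(before: dict, after: dict) -> dict:
    """Return added, removed and modified relative paths between two snapshots."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def classify_changes(root: str, diff: dict) -> dict:
    """Attach a disk-format guess (or None) to each added or modified file."""
    out = {}
    for path in diff["added"] + diff["modified"]:
        with open(os.path.join(root, path), "rb") as fh:
            out[path] = identify_vm_disk(fh.read(512))
    return out


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def run_demo() -> tuple:
    """Constructed scenario (made-up paths and contents, not from a real system):
    'before' snapshot, simulated VM session leaving files behind, 'after' snapshot."""
    root = tempfile.mkdtemp(prefix="dvm-demo-")
    _write(root, "Users/alice/notes.txt", b"pre-existing user file\n")
    _write(root, "Windows/Prefetch/SANDBOX.EXE-1234.pf", b"old prefetch\n")
    before = snapshot(root)

    # Minimal VDI header, sparse-VMDK header, VMDK descriptor, a rewritten
    # prefetch entry, and a scratch file with no recognizable signature.
    vdi = VDI_TEXT.ljust(0x40, b"\0") + struct.pack("<I", VDI_SIGNATURE)
    _write(root, "VirtualBox VMs/dvm/dvm.vdi", vdi.ljust(512, b"\0"))
    _write(root, "tmp/disk-s001.vmdk", VMDK_SPARSE_MAGIC + b"\x01\0\0\0" + b"\0" * 60)
    _write(root, "tmp/disk.vmdk", VMDK_DESCRIPTOR_MAGIC + b"\nversion=1\n")
    _write(root, "Windows/Prefetch/SANDBOX.EXE-1234.pf", b"new prefetch\n")
    _write(root, "tmp/scratch.bin", b"\xde\xad\xbe\xef" * 8)
    after = snapshot(root)

    diff = diff_snapshots(before, after)
    return diff, classify_changes(root, diff)
```

Run `run_demo()` to get the change report and the per-file format labels; on a real host the two snapshots would be taken of the full system image rather than of a temporary tree.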

REFERENCES

[1] K. Kent, S. Chevalier, T. Grance, and H. Dang, "Guide to integrating forensic techniques into incident response," NIST Special Publication, vol. 10, no. 14, pp. 800–86, 2006.
[2] VMWare.com, VMware, 2020 (accessed October 20, 2020). [Online]. Available: https://www.vmware.com/solutions/virtualization.html
[3] J. Poore, J. C. Flores, and T. Atkison, "Evolution of digital forensics in virtualization by using virtual machine introspection," in Proceedings of the 51st ACM Southeast Conference, 2013, pp. 1–6.
[4] E. Wahyudi, I. Riadi, and Y. Prayudi, "Virtual machine forensic analysis and recovery method for recovery and analysis digital evidence," International Journal of Computer Science and Information Security, vol. 16, 2018.
[5] P. Tobin and T. Kechadi, "Virtual machine forensics by means of introspection and kernel code injection," in Proceedings of the 9th International Conference on Cyber Warfare & Security: ICCWS, 2014, p. 294.
[6] S. Lim, B. Yoo, J. Park, K. Byun, and S. Lee, "A research on the investigation method of digital forensics for a vmware workstation's virtual machine," Mathematical and Computer Modelling, vol. 55, no. 1-2, pp. 151–160, 2012.
[7] Virtualbox.org, VirtualBox, 2020 (accessed October 20, 2020). [Online]. Available: https://www.virtualbox.org/manual/ch10.html
[8] M. Hirwani, Y. Pan, B. Stackpole, and D. Johnson, "Forensic acquisition and analysis of vmware virtual hard disks," 2012.
[9] P. Tobin, N.-A. Le-Khac, and T. Kechadi, "Forensic analysis of virtual hard drives," Journal of Digital Forensics, Security and Law, vol. 12, no. 1, p. 10, 2017.
[10] Microsoft, Windows Sandbox, 2020 (accessed October 15, 2020). [Online]. Available: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview
[11] Qubes OS, DisposableVMs, 2020 (accessed October 15, 2020). [Online]. Available: https://www.qubes-os.org/doc/disposablevm/
[12] B. Kauer, P. Verissimo, and A. Bessani, "Recursive virtual machines for advanced security mechanisms," in 2011 IEEE/IFIP 41st International Conference on Dependable Systems and Networks Workshops (DSN-W). IEEE, 2011, pp. 117–122.
[13] shadesandbox.com, Shade Sandbox, 2020 (accessed November 22, 2020). [Online]. Available: https://shadesandbox.com/blog
[14] qemu.org, Quick Emulator, 2020 (accessed November 22, 2020). [Online]. Available: https://www.qemu.org/documentation/
[15] rohde-schwarz.com, Browser In The Box, 2020 (accessed November 22, 2020). [Online]. Available: https://www.rohde-schwarz.com
[16] T. Wu, F. Breitinger, and S. O'Shaughnessy, "Digital forensic tools: Recent advances and enhancing the status quo," Forensic Science International: Digital Investigation, vol. 34, p. 300999, 2020.
[17] S. R. Selamat, R. Yusof, and S. Sahib, "Mapping process of digital forensic investigation framework," International Journal of Computer Science and Network Security, vol. 8, no. 10, pp. 163–169, 2008.
[18] N. Reddy, "Linux forensics," in Practical Cyber Forensics. Springer, 2019, pp. 69–100.
[19] S. Widup, Computer Forensics and Digital Investigation with EnCase Forensic v7. McGraw-Hill Education Group, 2014.
[20] H. Riaz and M. A. Tahir, "Analysis of vmware virtual machine in forensics and anti-forensics paradigm," in 2018 6th International Symposium on Digital Forensic and Security (ISDFS). IEEE, 2018, pp. 1–6.

© 2021. This work is licensed under https://creativecommons.org/licenses/by/4.0/ (the "License"). Notwithstanding the ProQuest Terms and Conditions, you may use this content in accordance with the terms of the License.
