Considering virtualization as a new attack surface
Before we start with a forensic analysis, it is important to understand what to look for. Virtualization introduces new attack vectors and scenarios. In the following sections, we will describe some of these scenarios and how to look for the corresponding evidence.
Virtualization as an additional layer of abstraction
Virtualization is the technique of emulating IT systems such as servers, workstations, networks, and storage. The component that is responsible for the emulation of virtual hardware is called the hypervisor. The following figure depicts the two main types of system virtualization that are used today:
The architecture on the left-hand side is called the bare-metal hypervisor architecture and is also known as a Type 1 hypervisor. In this architecture, the hypervisor replaces the operating system and runs directly on the bare-metal hardware. Examples of Type 1 hypervisors are VMware ESXi and Microsoft Hyper-V...