Locating and extracting digital evidence from hosted virtual desktop infrastructures: cloud context
The development of virtualization started in 1960, when VMware introduced partitioning of large mainframes for better hardware utilization (Virtualization History, 2010). Since then virtualization has matured and been widely adopted in industry. Recent developments include branching into server virtualization, storage and application virtualization and, very recently, desktop virtualization. Desktop virtualization has so far been delivered through two models: the client hosted model, which is typically operated from the user's workstation using Windows Virtual PC, VMware Workstation or a Java Virtual Machine (VM); and, more recently, a third model called the server hosted model or hosted virtual desktop (HVD), in which a virtualized desktop (VM) is delivered to users from the cloud infrastructure. In other words, virtualization in computing has progressed to the point where desktops can be virtualized and accessed from anywhere. The server hosted model has already surpassed 1% market share of the worldwide professional PC market, with estimates indicating that this is a rapidly growing area.
This study investigates the adequacy of current digital forensic procedures for hosted virtual desktops (HVDs), as there do not appear to be specific methods for locating and extracting evidence from this infrastructure. Using the Forensic Iterative Development Model (FIDM), HVDs deployed in a private cloud were simulated to reflect three different computer crime (quasi-experimental) scenarios. It was found that current digital forensic procedures may not be adequate for locating and extracting evidence, since the infrastructure in scenarios 2 and 3 introduces complications such as non-persistent disk modes and the need to segregate one tenant's data from others' in a multi-tenant environment. In scenario 1, however, the findings illustrate that all standard investigation techniques can be followed because the user environment is persistent. Furthermore, suggestions are made to extend the current research in the areas of techniques for acquiring virtual machines from hypervisors, hashing evidence, and forensic readiness in environments consisting of HVDs.