Savchenko E, Ottmann J, Freiling F (2024)
Publication Type: Journal article, Original article
Publication year: 2024
Book Volume: 49
Article Number: 301758
DOI: 10.1016/j.fsidi.2024.301758
Data remanence in the physical memory of computers, i.e., the fact that data remains temporarily in memory even after power is cut, is a well-known issue which can be exploited for recovering cryptographic keys and other data in forensic investigations. Since virtual machines in many aspects mimic their physical counterparts, we investigate whether data remanence is also observable in virtual machines. Using KVM as an example of virtualization technology, we experimentally show that it is common for a substantial amount of volatile data to remain in the memory of virtual machines after a reboot. In digital forensic analysis scenarios such as malware analysis using virtual machines, our observations imply high risks of evidence contamination if no precautions are taken. So while the symptoms of data remanence in virtual machines are similar to physical machines, the implications for digital forensic analysis appear very different.
APA:
Savchenko, E., Ottmann, J., & Freiling, F. (2024). In the time loop: Data remanence in main memory of virtual machines. Forensic Science International: Digital Investigation, 49. https://doi.org/10.1016/j.fsidi.2024.301758
MLA:
Savchenko, Ella, Jenny Ottmann, and Felix Freiling. "In the time loop: Data remanence in main memory of virtual machines." Forensic Science International: Digital Investigation 49 (2024).