Abstract
Virtual machines are gaining acceptance in everyday corporate and home computing. They are easy to create, or they can be downloaded from the Internet as preconfigured Operating Systems (called appliances). Most appliances are Linux based, since Linux can be redistributed for free, whereas a proprietary Operating System cannot be redistributed without complying with its licensing agreement. On the host Operating System (the one configured to run the virtual machine software), a guest Operating System (the one running inside the virtual machine) mainly needs hard drive space for its virtual hard drive, which is usually a single file, though some formats split it into 2GB portions. Beyond disk space, each running guest is allocated its own block of memory out of the host's physical RAM, which the host cannot use while the guest runs, so a host that runs other (virtual) machines needs more physical memory than it would by itself. The guest sees the shared host hardware as if it were its own physical hardware, so a virtual machine can operate just like any physical computer. The way a virtual machine is wired to the physical machine's hardware is stored in its configuration files. Users create virtual machines in a wizard-like environment where they either dedicate a portion of a physical device to the guest or simulate the device through a hardware proxy that relays between the physical device and the virtual environment. Depending on these settings a computer can change its identity in network communication: with a bridged adapter the guest presents its own MAC address on the wire, so a single physical device can look like multiple devices communicating on the network. In addition, a virtual machine can run an Operating System other than the host's, for example a Microsoft Windows host running a Linux guest.
Guest Operating System support is vendor dependent, so users need to select the virtual machine software that supports the guest Operating System they intend to run. Users can also create reference points (snapshots) that save the state of the virtual machine so that state can be restored later. That is significant for an investigator, since all user data can be eliminated if a user decides to "roll back" the Operating System to a previous state that contains no user activity. This document examines the installed files and configuration files of multiple virtual machines, and the user interaction of creating a new virtual machine.
Summary
Major folder installed or files added
c:\Program Files\Oracle\VirtualBox
c:\ProgramData\Microsoft\Windows\Start Menu\Programs\Oracle VM VirtualBox
c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Oracle VM VirtualBox
c:\Users\{UID}\.VirtualBox
c:\Windows\System32\DriverStore\FileRepository\
c:\Windows\System32\DRVSTORE
c:\Windows\Installer\
Link files
c:\ProgramData\Microsoft\Windows\Start Menu\Programs\Oracle VM VirtualBox\License (English).lnk
c:\ProgramData\Microsoft\Windows\Start Menu\Programs\Oracle VM VirtualBox\Oracle VM VirtualBox.lnk
c:\ProgramData\Microsoft\Windows\Start Menu\Programs\Oracle VM VirtualBox\User manual (CHM, English).lnk
c:\ProgramData\Microsoft\Windows\Start Menu\Programs\Oracle VM VirtualBox\User manual (PDF, English).lnk
c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Oracle VM VirtualBox\License (English).lnk
c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Oracle VM VirtualBox\Oracle VM VirtualBox.lnk
c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Oracle VM VirtualBox\User manual (CHM, English).lnk
c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Oracle VM VirtualBox\User manual (PDF, English).lnk
c:\Users\Public\Desktop\Oracle VM VirtualBox.lnk
c:\Users\{UID}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Oracle VM VirtualBox.lnk
Global Configuration and logs
c:\Users\{UID}\.VirtualBox\VBoxSVC.log
c:\Users\{UID}\.VirtualBox\VirtualBox.xml
c:\Users\{UID}\.VirtualBox\VirtualBox.xml-prev
Registry
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VBox…
HKEY_CLASSES_ROOT\progId_VirtualBox.Shell. …
HKEY_CLASSES_ROOT\VirtualBox. …
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DIFx
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\SUN_VBOXNETFLTMP
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VBOXDRV
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{cac88484-7515-4c03-82e6-71a87abac361}\##?#ROOT#SUN_VBOXNETFLTMP
HKEY_CURRENT_USER\Software\Oracle\VirtualBox\Install
HKEY_CLASSES_ROOT\.hdd "(Default)"
HKEY_CLASSES_ROOT\.hdd "Content Type"
HKEY_CLASSES_ROOT\.ova "Content Type"
HKEY_CLASSES_ROOT\.ovf "Content Type"
HKEY_CLASSES_ROOT\.vbox "(Default)"
HKEY_CLASSES_ROOT\.vbox "Content Type"
HKEY_CLASSES_ROOT\.vbox-extpack "(Default)"
HKEY_CLASSES_ROOT\.vbox-extpack "Content Type"
HKEY_CLASSES_ROOT\.vdi "(Default)"
HKEY_CLASSES_ROOT\.vdi "Content Type"
HKEY_CLASSES_ROOT\.vhd "(Default)"
HKEY_CLASSES_ROOT\.vhd "Content Type"
HKEY_CLASSES_ROOT\.vmdk "Content Type"
HKEY_CLASSES_ROOT\Installer\Products\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VBoxUSBMon
UserAssist
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count "P:\Hfref\Choyvp\Qrfxgbc\Benpyr IZ IveghnyObk.yax"
// ROT-13 decoded: C:\Users\Public\Desktop\Oracle VM VirtualBox.lnk
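The UserAssist value above only has to be ROT-13'd to recover the .lnk path, but the value data next to it also records how often and when the shortcut was launched. The script below is an added example for this post (not from the original and not Microsoft code): it decodes the name and parses the data. It assumes the commonly documented Windows 7 72-byte record layout (run count at offset 4, focus count at 8, focus time in ms at 12, FILETIME of the last run at offset 60) and the Windows 7 meaning of the two UserAssist subkey GUIDs ({F4E57C4B-...} for shortcut launches, {CEBFF5CD-...} for executables); the binary record it decodes is constructed for the demo, the value name is the one quoted above.

```python
"""Decode a Windows 7 UserAssist entry (ROT-13 name + 72-byte record).

Added example for this post, not from the original. Assumed layout of the
value data on Windows 7: DWORD session at 0, run count at 4, focus count
at 8, focus time (ms) at 12, FILETIME of the last run at offset 60.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Assumed Windows 7 UserAssist subkey GUIDs.
USERASSIST_GUIDS = {
    "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}": "shortcut (.lnk) launches",
    "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}": "executable launches",
}
EPOCH_AS_FILETIME = 116444736000000000  # 1970-01-01 in 100 ns ticks since 1601-01-01
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def decode_name(value_name: str) -> str:
    """UserAssist value names are ROT-13 encoded; only ASCII letters change."""
    return codecs.decode(value_name, "rot_13")


def filetime_to_datetime(ft: int):
    """Windows FILETIME (100 ns since 1601) -> aware UTC datetime, None if zero."""
    if ft == 0:
        return None
    return UNIX_EPOCH + timedelta(microseconds=(ft - EPOCH_AS_FILETIME) // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return int((dt - UNIX_EPOCH).total_seconds() * 10_000_000) + EPOCH_AS_FILETIME


def decode_entry(guid: str, value_name: str, data: bytes) -> dict:
    """Decode one Count value: which GUID bucket, the real path, counters, last run."""
    if len(data) < 68:
        raise ValueError("expected the 72-byte Windows 7 UserAssist record")
    _session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
    last_run = struct.unpack_from("<Q", data, 60)[0]
    return {
        "category": USERASSIST_GUIDS.get(guid.upper(), "unknown GUID"),
        "path": decode_name(value_name),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_run_utc": filetime_to_datetime(last_run),
    }


def make_sample_record(run_count: int, focus_count: int, focus_ms: int, last_run: datetime) -> bytes:
    """Constructed 72-byte record for the demo (not pulled from a real hive)."""
    buf = bytearray(72)
    struct.pack_into("<IIII", buf, 0, 0, run_count, focus_count, focus_ms)
    struct.pack_into("<Q", buf, 60, datetime_to_filetime(last_run))
    return bytes(buf)


# The GUID and value name are the ones quoted in the post; the data is constructed.
SAMPLE_GUID = "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}"
SAMPLE_NAME = r"P:\Hfref\Choyvp\Qrfxgbc\Benpyr IZ IveghnyObk.yax"
SAMPLE_DATA = make_sample_record(3, 2, 45_000, datetime(2012, 7, 13, 18, 20, 35, tzinfo=timezone.utc))

if __name__ == "__main__":
    for field, value in decode_entry(SAMPLE_GUID, SAMPLE_NAME, SAMPLE_DATA).items():
        print(f"{field:13} {value}")
```

On a live system the same data comes from `HKCU\...\UserAssist\{GUID}\Count` via `winreg.EnumValue`; on an offline hive use any registry parser and feed the raw value bytes to `decode_entry`. A run count of 0 with a zero FILETIME means the entry was created but the shortcut never launched.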
C:\windows\prefetch
VBOXTESTOGL.EXE-93C3FDFA.pf
VIRTUALBOX.EXE-473C564D.pf
VBOXSVC.EXE-C578C37C.pf
Virtual Machine Specific Files
c:\Users\{UID}\VirtualBox VMs\{VMname}\{VMname}.vbox*
c:\Users\{UID}\VirtualBox VMs\{VMname}\{VMname}.vbox-prev
c:\Users\{UID}\VirtualBox VMs\{VMname}\{VMname}.vdi
c:\Users\{UID}\VirtualBox VMs\{VMname}\Logs\VBox.log
c:\Users\{UID}\VirtualBox VMs\{VMname}\Snapshots\{HardDisk uuid}.vdi //*uuid from XML
c:\Users\{UID}\VirtualBox VMs\{VMname}\Snapshots\{Date}T{Time}-#########Z.sav
Signatures
VM specific
.vdi - <<< Oracle VM VirtualBox Disk Image >>>
.sav - VirtualBox SavedState V2.0 // the first byte is 0x7f, immediately followed by this string
.vbox (XML) - <VirtualBox xmlns="http://www.innotek.de/VirtualBox-settings" version="1.12-windows"><Machine …
The image below shows that each virtual machine's settings XML (the .vbox file) stores the MAC address of the virtual machine's network adapter, and if the adapter is set to bridge the network connection, the bridged physical network interface card is listed as well. Traffic then passes through the physical NIC, but the DHCP server and other network devices see the virtual machine as another physical machine with its own MAC address. The virtual machine receives its own DHCP-assigned IP address, so the DHCP server will have log entries for the virtual machine, keyed to the MAC address recorded in the .vbox file rather than to the host's.
Global
.log - VirtualBox (XP)COM Server 4.1.18 r78361 win.x86 // first line of VBoxSVC.log
.xml - <VirtualBox xmlns="http://www.innotek.de/VirtualBox-settings" version="1.12-windows"><Global> … // VirtualBox.xml
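Signatures like these are what you carve for when the files have been renamed or deleted. As an added example for this post (not VirtualBox code), the script below classifies a file from its leading bytes. Besides the strings listed above it also checks the VDI binary signature, the little-endian DWORD 0xBEDA107F at offset 0x40 that follows the 64-byte text header, and it accepts the older "Sun" and "innotek" header variants; the sample byte strings at the bottom are constructed for the demo, not real artifacts.

```python
"""Identify VirtualBox artifacts (.vdi, .sav, .vbox / VirtualBox.xml) from their first bytes.

Added example for this post, not VirtualBox's own code. Signatures used:
  .vdi  - text header such as "<<< Oracle VM VirtualBox Disk Image >>>\n" (older
          builds wrote "Sun" or "innotek" instead of "Oracle VM"), padded to 64 bytes,
          then the little-endian DWORD 0xBEDA107F at offset 0x40.
  .sav  - "\x7fVirtualBox SavedState V2.0\n": 0x7f is the first byte.
  XML   - VirtualBox-settings namespace; a <Machine> child is a per-VM .vbox file,
          a <Global> child is the global VirtualBox.xml.
"""
import re
import struct

VDI_SIGNATURE = 0xBEDA107F
VDI_HEADER_RE = re.compile(rb"^<<< (.+?) VirtualBox Disk Image >>>\n")
SAV_MAGIC_RE = re.compile(rb"^\x7fVirtualBox SavedState V(\d+\.\d+)\n")
VBOX_XML_RE = re.compile(
    rb'<VirtualBox\s+xmlns="http://www\.innotek\.de/VirtualBox-settings"'
    rb'[^>]*?version="([^"]+)"[^>]*>\s*<(Machine|Global)\b'
)


def identify(head: bytes) -> dict:
    """Classify a file from its leading bytes; 4 KiB is plenty for every case here."""
    m = VDI_HEADER_RE.match(head)
    if m:
        # Text header alone is carve-able; the DWORD at 0x40 confirms a real VDI header.
        sig_ok = len(head) >= 0x44 and struct.unpack_from("<I", head, 0x40)[0] == VDI_SIGNATURE
        return {"type": "vdi", "vendor": m.group(1).decode("ascii", "replace"), "signature_ok": sig_ok}
    m = SAV_MAGIC_RE.match(head)
    if m:
        return {"type": "sav", "version": m.group(1).decode("ascii")}
    m = VBOX_XML_RE.search(head[:4096])
    if m:
        kind = "vbox" if m.group(2) == b"Machine" else "VirtualBox.xml"
        return {"type": kind, "version": m.group(1).decode("ascii")}
    return {"type": "unknown"}


def identify_file(path: str) -> dict:
    """Same check against a real file; reads only the first 4 KiB."""
    with open(path, "rb") as f:
        return identify(f.read(4096))


# --- constructed samples for the demo (not real artifacts) ---------------------
SAMPLE_VDI = (b"<<< Oracle VM VirtualBox Disk Image >>>\n".ljust(0x40, b"\x00")
              + struct.pack("<II", VDI_SIGNATURE, 0x00010001))  # signature, then header version 1.1
SAMPLE_SAV = b"\x7fVirtualBox SavedState V2.0\n" + bytes(32)
SAMPLE_VBOX = (b'<VirtualBox xmlns="http://www.innotek.de/VirtualBox-settings" version="1.12-windows">\n'
               b'  <Machine uuid="{84396bae-3fdf-4830-b3ac-8c0a2861b6b6}" name="VBox-test1-machine"/>\n'
               b'</VirtualBox>\n')
SAMPLE_GLOBAL = (b'<VirtualBox xmlns="http://www.innotek.de/VirtualBox-settings" version="1.12-windows">'
                 b'<Global/></VirtualBox>')

if __name__ == "__main__":
    for label, blob in (("vdi", SAMPLE_VDI), ("sav", SAMPLE_SAV), ("vbox", SAMPLE_VBOX), ("global", SAMPLE_GLOBAL)):
        print(f"{label:7} {identify(blob)}")
```

Point `identify_file` at unallocated-space carvings or at files with no extension; a `.vdi` whose text header matches but whose `signature_ok` is False is most likely a partial carve or a file that merely contains the string.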
Global Settings Relevant (c:\Users\{UID}\.VirtualBox\VirtualBox.xml)
<ExtraDataItem name="GUI/RecentListCD" value="C:\helix.iso;"/> //iso file assigned to CD/DVD
<ExtraDataItem name="GUI/ProxySettings" value="proxyEnabled,10.10.10.100,5000,authEnabled,testuser,testpassword"/> //proxy settings
<MachineEntry uuid="{84396bae-3fdf-4830-b3ac-8c0a2861b6b6}" src="C:/Users/{UID}/VirtualBox VMs/VBox-test1-machine/VBox-test1-machine.vbox"/> //list of virtual machines
<ExtraDataItem name="GUI/LastVMSelected" value="84396bae-3fdf-4830-b3ac-8c0a2861b6b6"/>
//from the list of virtual machine uuid, we can see what virtual machine was launched last
<DHCPServer networkName="HostInterfaceNetworking-VirtualBox Host-Only Ethernet Adapter" IPAddress="200.168.56.100" networkMask="255.255.255.0" lowerIP="200.168.56.101" upperIP="200.168.56.254" enabled="1"/> //DHCP settings
<SystemProperties defaultMachineFolder=" C:\Users\{UID}\VirtualBox VMs" defaultHardDiskFormat="VDI" VRDEAuthLibrary="VBoxAuth" webServiceAuthLibrary="VBoxAuth" LogHistoryCount="3"/> //system defaults
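Those six entries answer most of the first questions in a case: which VMs exist, which one was used last, which ISOs were mounted, and where the VM folder is. The script below is an added example for this post (not VirtualBox code) that pulls them out of VirtualBox.xml. The embedded sample document is constructed around the values quoted above, nested as the 4.x settings layout puts them (ExtraData, MachineRegistry, NetserviceRegistry and SystemProperties under Global); the lookups use `.//` so a file with slightly different nesting still parses. The positional reading of GUI/ProxySettings (flag, host, port, flag, user, password) is an assumption that matches the value shown above.

```python
"""Extract the investigator-relevant entries from VirtualBox.xml.

Added example for this post, not VirtualBox's own code. The sample document is
constructed around the values quoted in the post.
"""
import re
import xml.etree.ElementTree as ET

NS = {"vb": "http://www.innotek.de/VirtualBox-settings"}

SAMPLE_VIRTUALBOX_XML = """<VirtualBox xmlns="http://www.innotek.de/VirtualBox-settings" version="1.12-windows">
  <Global>
    <ExtraData>
      <ExtraDataItem name="GUI/RecentListCD" value="C:\\helix.iso;"/>
      <ExtraDataItem name="GUI/ProxySettings" value="proxyEnabled,10.10.10.100,5000,authEnabled,testuser,testpassword"/>
      <ExtraDataItem name="GUI/LastVMSelected" value="84396bae-3fdf-4830-b3ac-8c0a2861b6b6"/>
    </ExtraData>
    <MachineRegistry>
      <MachineEntry uuid="{84396bae-3fdf-4830-b3ac-8c0a2861b6b6}" src="C:/Users/{UID}/VirtualBox VMs/VBox-test1-machine/VBox-test1-machine.vbox"/>
    </MachineRegistry>
    <NetserviceRegistry>
      <DHCPServers>
        <DHCPServer networkName="HostInterfaceNetworking-VirtualBox Host-Only Ethernet Adapter" IPAddress="200.168.56.100" networkMask="255.255.255.0" lowerIP="200.168.56.101" upperIP="200.168.56.254" enabled="1"/>
      </DHCPServers>
    </NetserviceRegistry>
    <SystemProperties defaultMachineFolder="C:\\Users\\{UID}\\VirtualBox VMs" defaultHardDiskFormat="VDI" VRDEAuthLibrary="VBoxAuth" webServiceAuthLibrary="VBoxAuth" LogHistoryCount="3"/>
  </Global>
</VirtualBox>
"""


def parse_proxy(value):
    """GUI/ProxySettings, read positionally as flag,host,port,flag,user,password (assumed)."""
    if not value:
        return None
    f = (value.split(",") + [""] * 6)[:6]
    return {
        "enabled": f[0] == "proxyEnabled",
        "host": f[1],
        "port": int(f[2]) if f[2].isdigit() else None,
        "auth": f[3] == "authEnabled",
        "user": f[4],
        "password": f[5],  # stored in cleartext in a user-readable file
    }


def vm_name_from_src(src: str) -> str:
    """'.../VBox-test1-machine/VBox-test1-machine.vbox' -> 'VBox-test1-machine' (either slash)."""
    return re.split(r"[\\/]", src)[-1].rsplit(".", 1)[0]


def parse_global_settings(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    extra = {e.get("name"): e.get("value") for e in root.iterfind(".//vb:ExtraDataItem", NS)}
    # MachineEntry wraps the uuid in braces, LastVMSelected does not: normalise both.
    machines = {e.get("uuid", "").strip("{}"): e.get("src") for e in root.iterfind(".//vb:MachineEntry", NS)}
    last_uuid = (extra.get("GUI/LastVMSelected") or "").strip("{}")
    last_src = machines.get(last_uuid)
    sysprops = root.find(".//vb:SystemProperties", NS)
    return {
        "machines": {u: vm_name_from_src(s) for u, s in machines.items()},
        "last_vm": {"uuid": last_uuid, "src": last_src, "name": vm_name_from_src(last_src) if last_src else None},
        "recent_cd": [p for p in (extra.get("GUI/RecentListCD") or "").split(";") if p],
        "proxy": parse_proxy(extra.get("GUI/ProxySettings")),
        "dhcp_servers": [dict(e.attrib) for e in root.iterfind(".//vb:DHCPServer", NS)],
        "machine_folder": sysprops.get("defaultMachineFolder") if sysprops is not None else None,
    }


if __name__ == "__main__":
    s = parse_global_settings(SAMPLE_VIRTUALBOX_XML)
    print("registered VMs :", s["machines"])
    print("last VM opened :", s["last_vm"]["name"], "<-", s["last_vm"]["src"])
    print("recent ISOs    :", s["recent_cd"])
    if s["proxy"] and s["proxy"]["auth"]:
        print("proxy creds    :", s["proxy"]["user"], "/", s["proxy"]["password"], "(cleartext)")
    for d in s["dhcp_servers"]:
        print("host-only DHCP :", d.get("networkName"), d.get("lowerIP"), "-", d.get("upperIP"))
```

Run it against both VirtualBox.xml and VirtualBox.xml-prev: a machine that is registered in the -prev copy but missing from the current one was unregistered between the two writes, which the current file alone will not tell you. The proxy credentials are worth noting in the report for the same reason the RecentListCD path is: they are user-entered data that survives a VM roll-back because they live outside the VM.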
DHCP Lease Obtain Time Decode
Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{D0A6FF00-EC55-4A29-8114-0037BAB929C0}
Class Name: <NO CLASS>
Last Write Time: 7/13/2012 - 2:34 PM
Value 11
Name: LeaseObtainedTime
Type: REG_DWORD
Data: 0x500066f3
// Unix epoch seconds (UTC): 0x500066f3 = 1342203635 = 2012-07-13 18:20:35 UTC. The Last Write Time above is shown in local time, so convert both to the same zone before comparing.
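The lease values under each Tcpip interface key are all stored the same way, so one decoder covers LeaseObtainedTime, LeaseTerminatesTime and the T1/T2 renewal times. The script below is an added example for this post (not Microsoft or VirtualBox code): it reads a .reg export of the key, as `reg export` or regedit produces it, and converts the DWORDs to UTC. In the embedded sample the interface GUID and LeaseObtainedTime are the ones quoted above; LeaseTerminatesTime, T1, T2, DhcpIPAddress and DhcpServer are constructed for the demo.

```python
"""Decode DHCP lease timestamps from a .reg export of
HKLM\\SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters\\Interfaces\\{GUID}.

Added example for this post. The REG_DWORD lease values are Unix epoch seconds (UTC).
"""
import re
from datetime import datetime, timezone

TIME_VALUES = ("LeaseObtainedTime", "LeaseTerminatesTime", "T1", "T2")

# Constructed .reg text: GUID and LeaseObtainedTime are from the post, the rest is made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{D0A6FF00-EC55-4A29-8114-0037BAB929C0}]
"EnableDHCP"=dword:00000001
"DhcpIPAddress"="192.0.2.37"
"DhcpServer"="192.0.2.1"
"LeaseObtainedTime"=dword:500066f3
"T1"=dword:50010fb3
"T2"=dword:50018e43
"LeaseTerminatesTime"=dword:5001b873
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')
STR_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text: str) -> dict:
    """Minimal .reg reader for DWORD and string values: {key path: {name: int | str}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        if current is None:
            continue
        m = DWORD_RE.match(line)
        if m:
            current[m.group(1)] = int(m.group(2), 16)
            continue
        m = STR_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
    return keys


def epoch_to_utc(seconds: int) -> datetime:
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def decode_leases(reg_text: str) -> dict:
    """Per interface GUID: decoded lease times, lease length and the DHCP-assigned address."""
    out = {}
    for key, values in parse_reg_export(reg_text).items():
        m = re.search(r"\\Interfaces\\(\{[0-9A-Fa-f-]+\})$", key)
        if not m or "LeaseObtainedTime" not in values:
            continue  # static interfaces carry no lease values
        entry = {name: epoch_to_utc(values[name]) for name in TIME_VALUES if name in values}
        if "LeaseTerminatesTime" in values:
            entry["lease_seconds"] = values["LeaseTerminatesTime"] - values["LeaseObtainedTime"]
        entry["ip"] = values.get("DhcpIPAddress")
        entry["server"] = values.get("DhcpServer")
        out[m.group(1)] = entry
    return out


if __name__ == "__main__":
    for guid, e in decode_leases(SAMPLE_REG).items():
        print(guid, e.get("ip"), "from", e.get("server"))
        for name in TIME_VALUES:
            if name in e:
                print(f"  {name:20} {e[name].isoformat()}")
        print("  lease length        ", e.get("lease_seconds"), "s")
```

Matching the host's lease times against the DHCP server log is what separates the host's own lease from the guest's: a bridged guest gets a second lease, under the MAC address stored in its .vbox file, that never appears under any of the host's Tcpip interface keys.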