Data remanence in the physical memory of computers, i.e., the fact that data remains temporarily in memory even after power is cut, is a well-known issue which can be exploited for recovering cryptographic keys and other data in forensic investigations. Since virtual machines in many aspects mimic their physical counterparts, we investigate whether data remanence is also observable in virtual machines. Using KVM as an example of virtualization technology, we experimentally show that it is common for a substantial amount of volatile data to remain in the memory of virtual machines after a reboot. In digital forensic analysis scenarios such as malware analysis using virtual machines, our observations imply high risks of evidence contamination if no precautions are taken. So while the symptoms of data remanence in virtual machines are similar to physical machines, the implications for digital forensic analysis appear very different.
Read full abstract