Investigating VirtualBox
28/10/2022 Friday
VirtualBox is a virtualization solution for home as well as enterprise usage. It is available on Linux, macOS, and all Windows OS versions. Depending on the hardware configurations, a user can run multiple operating systems on top of the host using VirtualBox. The initial versions of VirtualBox are open-source and currently it is maintained by both open-source community and Oracle.
Digital Forensics Value of VirtualBox
Installation of VirtualBox requires administrative privileges. It can spawn virtual networks, VDI and VMDK virtual drives, and supports multiple operating systems on a Windows host. Because it runs as a hypervisor, artifacts related to VirtualBox provide valuable information during forensic investigations. After analyzing VirtualBox artifacts, we can collect details about the guest operating systems run on the host, including virtual network configurations, locations of the VM hard drives, folders shared between host and guests, VM settings, and many more.
Location of VirtualBox Artifacts
The following registry path contains VirtualBox installation details:
HKLM\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\106CC375D8DEF054EBF63A31DD774A0A\InstallProperties
Global settings folder for VirtualBox is at the following location:
C:\Users\%UserName% \.VirtualBox
Default virtual machine settings are at the following directory:
C:\Users\[Username]\VirtualBox VMs
Analyzing VirtualBox Artifacts with ArtiFast
This section will discuss how to use ArtiFast to extract Oracle VM VirtualBox artifacts from Windows machines and what kind of digital forensics insight we can gain from the artifacts.
After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select VirtualBox artifacts:
Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of VirtualBox artifacts in ArtiFast.
Virtual Box General Information: This artifact contains general information about the virtual machines registered in Oracle VM VirtualBox.
- Installation Date - Software installation date.
- Software Name - The name of the software.
- Software Version - The version of the installed software.
- Estimated Installed Size - The Estimated installed size of the software.
Virtual Box Global Settings: This artifact contains information about the global settings and configuration for registered Virtual Machines in Oracle VM VirtualBox.
- Last Item Selected - Last selected Virtual Machine name and details.
- Recent Folder - Recently opened folder and directory.
- Unique Identifier - Universally unique identifier (UUID) of the virtual machine.
- Path - The path to the folder containing virtual machine settings file in addition to other files like storage files.
- Network Name - The network default name or name entered by the host.
- IP Address - Virtual machine IP address.
- Network Mask - Network subnet mask.
- Is Enabled - Indicates whether network connection is enabled or not.
- Machine Folder Path - The location to virtual machine folder.
Virtual Box Leases: This artifact contains information related to VirtualBox DHCP server IP address leases.
- IP Address - The IP address of the lease.
- Issued Date/Time - Lease issued time and date.
Virtual Box Virtual Machines: This artifact contains information about the virtual machine settings.
- Unique Identifier - Virtual machine universally unique identifier (UUID).
- VM name - User created virtual machine name.
- Operating System - The type of operating system selected by the user.
- Last Change Date/Time - Date and time of the last run.
- HD Unique Identifier - Hard disk universally unique identifier (UUID).
- Path - Path of the virtual machine hard disk.
- Format - The hard disk extension of the virtual machine.
For more information or suggestions please contact: [email protected]
