If you ask 10 people about security in their VDI environment, you will get at least one response stating forensics as a top priority. And it should as forensics is a critical in solving crimes and obtaining evidence in legal cases! In VDI environment data manipulated by users reside in different locations than in physical environments. This is due to virtualization decouples layers from each other.
Users can manipulate data in one of three main locations:
Operating System: For those virtual machines that do not utilize a folder redirection for user profile, these settings will reside inside the operating system (C:\Users\user-name)
Persona layer: in a VDI environment, the end user profile is likely to reside on a network share. Profiles could take the form of Roaming profile or 3rd party tool such as RES Software, Appsense or Liquidware ProfileUnity. These locations should be backed up frequently as this is a place where forensics analysis will take place.The other solutions such as VMware’s own Persona Management or VMware View’s persistent user data drives has data sitting in the persona partition disk. So these data drives need to be kept intact in case they need to be attached to virtual machines to do forensics analysis.
Temp internet files: These files can be a prime target for investigators and having these files on a personal vDisk provide the ability to access later for forensics analysis.
Forensics in VDI environments is similar to forensics in a crime scene, you are looking for fingerprints, well virtual fingerprints. None persistent desktops is the equivalent of a cleaner coming to the office every night and wiping off off those fingerprints! Understanding of areas that you need to preserve and monitor is a key in helping collect evidence and track culprits.
Thank you for reading.
Nick
