Citrix XenServer Forensics

The Various Methods of Conducting Citrix XenServer Forensics

Introduction of Citrix XenServer

Virtualization has taken over a broad range of industries in the present time. The involvement of virtualization at common user level has introduced people to an advanced grade of technology that lets them experience computing through a virtual environment. However, at the same time, virtual environments have also resulted in making digital investigations complicated than they are generally. Virtualization has enhanced technologically over time and that, as a result, has made it difficult to trace back activities carried out on the respective platform. The reason being negligible amount of footprints virtual environments leave behind.

A similar level of hypervisor is extended by Citrix as XenServer. This powerful platform is featured with microkernel designs that offer services permitting usage of multiple desktop OS on individual computer hardware, all at the same time. One of the exceptionally noteworthy qualities of Xen is that it is featured for free and as an open source program bound by the General Public Licensing.


NOTE: As compared to any similar software, Xen runs in a better-privileged CPU condition.

Role of XenServer

A hypervisor that XenServer is has the obligation of managing system memory along with scheduling of CPU usage for all available virtual machines, and launch the host machine having direct hardware access. This dom0 is used for managing hypervisor and launching unprivileged domains.

There are five sorts of approaches used by XenSevrer for running the guest Operating Systems:

  1. HVM or Hardware Virtual Machine
  2. PV or Paravirtualization
  3. HVM with PV Drivers
  4. PVHVM, i.e. HVM with PVHVM drivers
  5. PVH or PV in HVM container

Virtual Server and Its Forensics

Hard drive is the prime location for the storage of all data generated by an application/server. Although, it is often possible that only a small trace of evidence may be left behind, leading to the need of recovery. Therefore, the blog further discusses about the various methods of extracting XenServer data for exploration and investigation. It will discuss extraction of data directly from the server, conversion of raw disk image to a virtual platform readable format, and OVA to virtual machine file. Moreover, the affects made by virtualization during Citrix XenServer forensics processing are also discussed. Finally, the blog discusses about the common procedures undertaken for finding virtual environment artifacts with its identification of the virtual platform activities that interfere with the examination.

Once installed and configured, the following options are provided on Citrix XenServer:

  1. Creation of new storage repository for server data
  2. High availability provision
  3. Desired size and storage location can be selected: XenServer or SAN Location


This information is important to be known before performing investigation on the Sever.

Now coming over to the forensics, whether it involves Citrix XenServer or any other platform, the procedure cannot be executed without imaging the evidence.

  1. Clone Evidence: No investigation is carried out on the original piece of evidence thus; a forensic imaging of the XenServer hard drive needs to be done. However, note that the imaging must be done on a forensics computer to ensure that write protection is implemented throughout and no part of the evidence is hampered.
  2. Examine Imaged Artifact: Choose an examination platform to read and investigate the disk image. On accessing the disk image, you will find out the various virtual machines that existed on XenServer in question, based on Linux Kernel.
  3. Spotting Virtual Partition: From the loaded disk image, you can spot the virtual machine partition with the help of its particulars like; either the path or storage (size). Two of the important folders that can be found within the partition are ‘Boot Folder’ and ‘Etc’.

    Spotting Virtual Partition

    NOTE: On going further down the directories in the partition, /IVM/backup folder can be found which stores the information regarding any or all backups made on Xen.

  4. Backup Partition: Using the same examination platform, generate a backup of the respective virtual machine partition. The most common options provided by such applications are ‘.dd’, and ‘E01’ along with others. Let us suppose the extraction has been done in raw .dd format by the provided name (001 or so). Now convert the dd into virtual machine supported format for it to work on the respective platform.

    Backup Partition

TIP: External applications as well as command line utilities can be used for the conversion.

Other Investigative Methods

Citrix XenServer offers the provision to export partitions directly however, the procedure is lengthy in comparison owing to the involvement of complete virtual machine data and metadata transfer over network.

NOTE: The respective virtual machine has to remain offline during the procedure. The output is created in **OVA format file.

Export Partitions

**OVA: An 'Open Virtualization Archive stores the installable edition of virtual machine in a compressed form. When this OVA file is opened, it automatically starts to extract and importing VM to the available virtualization software. Once OVA are generated, it needs to be converted into VMDK/VHD for the contents to be accessible on virtual environment. Being an archive of files, simply extracting the contents using a zip extraction utility would serve the purpose of conversion.
Output: Besides VMDK file, the output folder consists of MF and OVF files. If required, the VMDK can be converted to VHD for further facilitating the accessibility.

Virtual Machine Formats

In Case of Data Recovery: Data corruption is probable to take place during the back and forth conversion procedures being carried out. Using the SysTools VMware Recovery application is suggested in the discussed scenario for acquiring accessible output to proceed with the examination. The growing technology of virtualization does make the investigation a little more complicated than other digital platforms examined. However, the blog discusses not only the various methods of conducting Citrix XenServer Forensics but also suggests applications to handle any kind of mishap that takes place due to the repeated conversions taking place.