Date of Award


Degree Type


Degree Name

Master of Science (MS)


Computer and Information Technology

Committee Chair

Marcus K. Rogers

Committee Member 1

Kathryn C. Seigfried-Spellar

Committee Member 2

John A. Springer


Kernel-based Virtual Machine (KVM) is one of the most popular hypervisors used by cloud providers to offer virtual private servers (VPSs) to their customers. A VPS is just a virtual machine (VM) hired and controlled by a customer but hosted in the cloud provider infrastructure. In spite of the fact that the usage of VPS is popular and will continue to grow in the future, it is rare to fnd technical publications in the digital forensic feld related to the acquisition process of a VPS involved in a crime. For this research, four VMs were created in a KVM virtualization node, simulating four independent VPSs and running different operating systems and applications. The utilities virsh and tcpdump were used at the hypervisor level to collect digital data from the four VPSs. The utility virsh was employed to take snapshots of the hard drives and to create images of the RAM content while the utility tcpdump was employed to capture in real-time the network traffc. The results generated by these utilities were evaluated in terms of effciency, integrity, and completeness. The analysis of these results suggested both utilities were capable of collecting digital data from the VPSs in an effcient manner, respecting the integrity and completeness of the data acquired. Therefore, these tools can be used to acquire forensically-sound digital evidence from a VPS hosted in a cloud provider’s virtualization node that uses KVM as a hypervisor.