I am conducting an experiment to see what files are created after the usage of VMware. I have a rough idea of what is left behind. Below are my experiment steps; I have to create a virtual machine inside a virtual machine.
(2) Setting Up the Virtual Machine
Select File->New->Virtual Machine
The “Welcome to the New Virtual Machine Wizard” is displayed on the screen.
Click the Next button.
Select Custom from the list, and then click Next
Select Linux from the list
Drop down the version list, and select “Other Linux 2.4.x kernel”
Click Next button
Change the Virtual Machine name to any meaningful name
Change the location to D:\Virtual Machines\Created\YourName\LiveCD\
Click Next button
De-select “Make virtual machine private”
Click Next
Change the virtual machine account to “Local System Account” – don’t change any other options, and click Next
For the forensic machines, select two processors (we have dual-core processors in the forensics lab); if you are elsewhere, check whether you have dual-core processors or not.
Click Next button
Use the slider and set the amount of memory to 2 GB (you can also type in 2000 if you find the slider a little messy).
Click Next button
Select “Use network address translation (NAT)”
This will allow the virtual machine to have access to your network card, using the same IP address as you currently have set up on your computer.
Click Next
Select LSI Logic
Click Next
Select “Create a new virtual disk”
Click Next
Select SCSI
Click Next
Change the disk size property to 1.0 GB
De-Select the option “Allocate all disk space now”
Click Next
Give your virtual disk a name on your real file system(>>>>>)
Click the Finish button
Double click on CD-ROM from the devices page
Click “Use ISO image”
Use the browse button to set the ISO image to point at the file
Find the Location of the ISO File
Click OK
If you have done this correctly, you should receive a menu giving you four options:
• Removable devices
• Hard Drive
• CD-ROM Drive
• Network Boot
Now you have created the virtual machine.
The above steps are for creating the first virtual machine. Now we will have to create another virtual machine inside the original.
(3) Downloading the Virtual Machine
Now to download the Virtual Machine:
Open Internet Explorer
Visit
Download Trial Version of VMware
Install VMware
Before setting up VMware, set the location by clicking VM > Settings >
Follow Step 1 to download a different ISO
Before creating the virtual machine, take a snapshot of the operating system it is created on, and drop the file into EnCase.
(4) Create Known Files (make notes on how to)
1. Now create the second virtual machine, following step 2 above to set it up
2. Open Notepad and enter random text.
3. Open Paint, create any image and save the file.
4. Close the inner virtual machine
5. Take a snapshot of the operating system after the usage of the virtual machine
6. Remove the known files
7. Look at the files which have been created, such as:
• .log files
• .vmdk
• .vmem
• .vmsn
• .vmsd
• .nvram
• .vmx
How can I make this much simpler? My suggestion was to take a snapshot of the second virtual machine.
Sorry, that took a couple of read-throughs to understand!
You are examining the results that you can see in your first, clean VM as you create your second …
I would have thought that the place to take the snapshot would be as soon as you have installed your VMware trial in your top VM. Then you could duplicate/repeat to that point relatively easily for different attempts.
The other thing that I would do that makes life a little easier is to use an OS that is known to VMware, such as WinXP, as it can then do an automated install, which just makes the second stage a bit easier (or you could use something like JumpStart for Solaris to script an install from a bootable CD).
And, like you say, you can snapshot before and after you have done some changes - file creations etc. to determine the state differences between the two.
Other than that, I can't think of anything to make it more streamlined.
(P.S. You left out Step 1 …)
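The "snapshot before, snapshot after, diff the two" approach suggested in the reply, and the list of VMware artefact types in the original post, can both be driven by a small manifest tool rather than by eyeballing EnCase. The following is an added example and is not code from either poster: it walks a directory, records size and SHA-256 for every file, saves the manifest as JSON so the "before" state can be kept outside the VM, diffs two manifests into created/modified/deleted sets, and labels created files by the VMware extensions named above. The `demo()` function builds a constructed stand-in for the VM folder in a temporary directory; its file names (`LiveCD.vmx`, `LiveCD-Snapshot1.vmsn`, `vmware.log`, ...) and the artefact descriptions are assumptions for illustration, not output captured from a real VMware run.

```python
"""Before/after file-system manifest diff for the VMware artefact experiment."""
import hashlib
import json
import os
import tempfile

# Extensions listed in the experiment as VMware-created files. The short
# descriptions are assumptions added for this example.
VMWARE_ARTEFACTS = {
    ".vmx": "VM configuration",
    ".vmdk": "virtual disk",
    ".vmem": "paged guest memory",
    ".vmsn": "snapshot state",
    ".vmsd": "snapshot metadata",
    ".nvram": "virtual BIOS NVRAM",
    ".log": "VMware log",
}


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large .vmdk/.vmem files do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file under root (relative POSIX-style path) to (size, sha256)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (os.path.getsize(full), sha256_file(full))
    return manifest


def save_manifest(manifest, path):
    """Persist a manifest as JSON (keep it outside the VM being examined)."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    """Reload a saved manifest; JSON turns tuples into lists, so convert back."""
    with open(path) as f:
        return {k: tuple(v) for k, v in json.load(f).items()}


def diff_manifests(before, after):
    """Return sorted created / modified / deleted relative paths."""
    created = sorted(p for p in after if p not in before)
    deleted = sorted(p for p in before if p not in after)
    modified = sorted(p for p in after if p in before and before[p] != after[p])
    return {"created": created, "modified": modified, "deleted": deleted}


def classify(rel_path):
    """Label a path by VMware artefact type from its extension, or 'other'."""
    ext = os.path.splitext(rel_path)[1].lower()
    return VMWARE_ARTEFACTS.get(ext, "other")


def demo():
    """Constructed stand-in for the VM folder; not a real VMware run."""
    with tempfile.TemporaryDirectory() as root:
        vm = os.path.join(root, "LiveCD")
        os.makedirs(vm)

        def write(name, data):
            with open(os.path.join(vm, name), "wb") as f:
                f.write(data)

        # State at the "before" snapshot: a freshly created, never-booted VM.
        write("LiveCD.vmx", b'config.version = "8"\n')
        write("LiveCD.vmdk", b"\x00" * 4096)
        write("notes.txt", b"scratch")
        before = build_manifest(root)

        # Simulated run: disk grows, memory/snapshot files appear, scratch removed.
        write("LiveCD.vmdk", b"\x00" * 4096 + b"\x01" * 512)
        write("LiveCD.vmem", b"\x00" * 8192)
        write("LiveCD-Snapshot1.vmsn", b"snap")
        write("LiveCD.vmsd", b'snapshot.lastUID = "1"\n')
        write("vmware.log", b"log line\n")
        os.remove(os.path.join(vm, "notes.txt"))
        after = build_manifest(root)

    changes = diff_manifests(before, after)
    changes["created_by_type"] = {p: classify(p) for p in changes["created"]}
    return changes


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In the real experiment you would run `build_manifest` over the VM directory (or the whole data drive) in the clean top-level VM at the moment of the first snapshot, `save_manifest` the result to a share outside the VM, repeat after the inner VM has been used and closed, and diff the two saved manifests. Hashing rather than comparing timestamps matters here because VMware rewrites some files in place, so a changed hash with an unchanged name is the signal for the .vmdk and .vmsd entries.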