Hi guys. As my university project i have decided to investigate virtual machines. In particular what inforamtion is left behind on a HDD when the virtual machine O/S has ben closed down. I would be looking at what data files can be found. For example images, browsing habbits, videos etc.
My method of investigation would be taking a "forensic image" using FTK or enCase of the physical HDD. Then install Windows XP pro on VMWare on this physical drive. Add various data files to the VM. Then take another image of the HDD, then compare the two images. Would this be a sound forensic method, and would it produce any results. Anyone with experience with this work would be greatly appreciated.
Gavin
Here is a start for you
http//www.forensicfocus.com/downloads/virtual-machines-forensics-analysis.pdf
Gavin,
Hi guys. As my university project i have decided to investigate virtual machines. In particular what inforamtion is left behind on a HDD when the virtual machine O/S has ben closed down. I would be looking at what data files can be found. For example images, browsing habbits, videos etc.
I'm not sure I understand what you're trying to do. When you say that you're looking for information left behind "on a HDD", are you referring to the HDD within the VMWare guest, or that of the host?
Browsing activity, etc., that occurs within the VM will most likely be found within the VM guest OS itself; therefore, how would analyzing that VM guest image be any different from traditional analysis?
My method of investigation would be taking a "forensic image" using FTK or enCase of the physical HDD. Then install Windows XP pro on VMWare on this physical drive. Add various data files to the VM. Then take another image of the HDD, then compare the two images. Would this be a sound forensic method, and would it produce any results. Anyone with experience with this work would be greatly appreciated.
Again, "sound forensic method" to do what, exactly?
Sorry if i wasnt clear enough. I want to investigate virtual machines in particular VMWare. The main aim of the experiment is to investigate what files are left behind on the host hard drive. After the virtual machine has been run and closed as guest on the host machine.
I hoped it to be a simple experiment. I was just asking what kind of experiment would i perform to investigate what files can be found. Possibly what information can be found from these files left behind, by identifying them.
Judging by the method you describe it sounds like the vmdk file will be on the hard drive. So all you would need to do is look at the vmdk (EnCase can take vmdks) - and hey presto you have the file structure of the VM…or am I missing something here?
You'll also potentially have snapshots and .lck files depending on the usage of the VM. Look at the link Brett provided below (nice one btw Brett, looks like a pretty cool paper) to get more info about these.
I think what might be more interesting to look at is what is left behind if you delete the VM - so do what you have decribed but go the extra step of then removing the folder containing the VM files and see what you can find.
My .02 cents (or my 1 pence or 1 and a half pennies…bloody Aussie dollar)
..or are you looking to see if VMWARE is sloppy and leaves artifacts on the Hosting Hard drive? Outside the VMWARE File…
Hello everyone,
I think what might be more interesting to look at is what is left behind if you delete the VM - so do what you have decribed but go the extra step of then removing the folder containing the VM files and see what you can find.
Uhmm, traces of a deleted VM-Ware partition file, maybe? Depending on the hosts file system, of course. Sorry, but I don't find that much more interesting than looking at the file itself )
..or are you looking to see if VMWARE is sloppy and leaves artifacts on the Hosting Hard drive? Outside the VMWARE File…
I think that's what the OP was hinting at. Think about VM-Ware memory traces in swap and whatever else the emulator might leave behind on the host system that is actually data from inside the client. I'm not sure whether this will lead anywhere, though. Haven't dealt with it. Anyone?
Cheers
Ernest
I think what might be more interesting to look at is what is left behind if you delete the VM - so do what you have decribed but go the extra step of then removing the folder containing the VM files and see what you can find.
I agree with that. My preference however would be a VM still present on a system, but after the suspect committed his crimes, he restored the VM to a previous snapshot.
Any results on this line of analysis. There seem to be some good questions asked, e.g. is there anything left after you revert to a previous snapshot?, what are the artifacts at the host level relative to the guests actions, …
Thanks,
Jim
Hi
check this link you might get some reference http//crucialsecurityblog.harris.com/
