Deleted Files in a Virtual Machine

I don' t get it. 😯

If the VM uses an area on disk as the VM OS "backing file" or "virtual disk" and from within the VM (or from outside the VM) that area is wiped, it remains wiped (and ALL data in it are lost forever).

On the other hand, if an area on disk is used by the VM OS as "backing file" or "virtual disk", depending on the actual OS AND filesystem used AND on the deleting method used, files (or fragments of them) may still be there (completely or only partially).

Accessing this area as

• the original filesystem from within the VM
• the original filesystem as "mounted volume" in another OS
• as RAW sectors/with Hex editor/etc.

only makes a difference in accessibility/visualization/parsing of the data residing there, but it doesn't "create data" where there are not any.

I.e. data either still exist or they do not, the difference is only in the way those data can be (possibly) more easily interpreted from the "native" OS (inside the VM) when compared to an "external" parsing.

jaclaz

Thanks! )

What I wanted to ask was if we delete a file from VM. (like normal shift+del). That data would still be present in the 'physical drive' and 'logical drive(part of vmdk i guess)'. But over time if the space allocation to VM is on-the-fly, then incase more space is freed from VM, then would that piece of data in unallocated space float out of the logical drive of vm to the physical part of the hard-disk?

for example, if we have 10GB allocated to VM and its currently using 8Gb. we delete around 6GB of data and are left with 2GB. In this case if we acquire the Virtual machine we wouldnt cover the lost 6Gb right?! as it would have been unallocated from the VM's logical space.

I hope I am able to explain what I am trying to find here.. oops

You can re image a VM to an E01 or DD using FTK imager to analyse on the forensic tool of your choice

Thanks! )

What I wanted to ask was if we delete a file from VM. (like normal shift+del). That data would still be present in the 'physical drive' and 'logical drive(part of vmdk i guess)'. But over time if the space allocation to VM is on-the-fly, then incase more space is freed from VM, then would that piece of data in unallocated space float out of the logical drive of vm to the physical part of the hard-disk?

for example, if we have 10GB allocated to VM and its currently using 8Gb. we delete around 6GB of data and are left with 2GB. In this case if we acquire the Virtual machine we wouldnt cover the lost 6Gb right?! as it would have been unallocated from the VM's logical space.

I hope I am able to explain what I am trying to find here.. oops

No, there is still something lost in translation or terminology (and an overall lack of *needed* details).

A "normal" VM accesses an area on the "real" hard disk by "mounting that area" as a Volume (the *whatever* that under DOS or Windows would get a "drive letter"), again normally that area is indexed on the "host machine" as a file.
The size of this area is the size of the file as it appears on the host machine, BUT there are particular kind of virtual disk files that can use "sparse backing files" and/or "dynamic allocation".
If you simply delete a file you don't automatically resize the (virtual) volume hosting it, nor the "backing file".
A sparse file, once a sector has been written to does not "shrink back", as well "dynamic allocation" volumes are often called "growable" as they grow, but don't shrink.

Let's start from scratch. )

1. WHICH EXACT VM is that?
2. WHICH EXACT OS was running in it?
3. WHICH EXACT type of virtual disk file is used ?
4. WHICH EXACT filesystem is used inside the VM?
5. WHICH EXACT OS was running on the host machine?
6. WHICH EXACT filesystem is used on the host machine?

[/listo]

Failing to provide answers to any of the above listed questions will result in (wild or educated wink ) "guesses" 😯 as the issue would remain too "vague" to be answered properly.

jaclaz