Deleted Virtual Machines

6 Posts
4 Users
0 Reactions
1,393 Views
(@wotsits)
Reputable Member
Joined: 10 years ago
Posts: 253
Topic starter  

Is anyone familiar with VMWare or Oracle Virtual Box?

If a computer is running virtual machines using either of these, and then the virtual machines are deleted, what effect will this have?

Assuming the unallocated space has not been overwritten, will it be easy to recover the data that was on these virtual machines, very difficult or is it pretty much gone?


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Is anyone familiar with VMWare or Oracle Virtual Box?

If a computer is running virtual machines using either of these, and then the virtual machines are deleted, what effect will this have?

Assuming the unallocated space has not been overwritten, will it be easy to recover the data that was on these virtual machines, very difficult or is it pretty much gone?

Well, a Virtual Machine (no matter which) uses the one or the other mass storage device, which can be both a physical media or a "virtual drive", basically a disk image.
The most common format for these virtual disk images is (besides "RAW", which very few people use) VMDK or VHD (there are several types/formats of those files), whilst the Virtualbox "own" format VDI (which also has a few types) is AFAICT a little less used:
https://www.virtualbox.org/manual/ch05.html#vdidetails

Of course such image files being the virtual machine mass storage device tend to be very large (like at the very least 20 Gb if the VM boots to a Windows NT 6 or later OS) so the real issue with recovering them is that very likely they will be fragmented, and files within the images could as well be fragmented, adding possibly a layer of complexity.

Of course a direct carving will recover the same files (or file fragments) as if they were "directly" in the unallocated on disk; as a matter of fact the results of a carving might originate either from the "real machine" storage or from the VM storage, and they could be indistinguishable.

jaclaz
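To make jaclaz's point concrete (a carver sees VM disk image headers and ordinary file headers side by side in unallocated space, with nothing in a generic file header saying which storage it came from), here is an added Python example; it is not code from this thread, from VirtualBox or from VMware. It walks a constructed "unallocated space" buffer sector by sector and labels sectors that begin with a VirtualBox VDI header (text banner plus the 0xBEDA107F signature), a VMware sparse-extent ("KDMV") or text descriptor header, a VHD "conectix" footer or "cxsparse" dynamic header, or a plain JPEG start-of-image marker. The sample buffer and where the headers sit in it are constructed for the demo; the magic values are the published ones for each format.

```python
import struct
from typing import List, Optional, Tuple

SECTOR = 512
VDI_SIGNATURE = 0xBEDA107F  # u32 at offset 64 of a VirtualBox VDI pre-header (little-endian on disk)


def classify_sector(sec: bytes) -> Optional[str]:
    """Label a sector if it begins a known VM disk image structure or a generic file header."""
    # VMware hosted sparse extent (monolithicSparse / twoGbMaxExtentSparse): magic "KDMV", then u32 version.
    if sec[:4] == b"KDMV":
        version = struct.unpack_from("<I", sec, 4)[0]
        return f"vmdk-sparse-extent v{version}"
    # VMware text descriptor (a separate small file, or embedded inside the sparse extent).
    if sec.startswith(b"# Disk DescriptorFile"):
        return "vmdk-descriptor"
    # VHD: the 512-byte footer cookie; dynamic VHDs also carry a copy of the footer at offset 0.
    if sec[:8] == b"conectix":
        return "vhd-footer"
    if sec[:8] == b"cxsparse":
        return "vhd-dynamic-header"
    # VirtualBox VDI: 64-byte text banner followed by the image signature.
    if sec.startswith(b"<<< ") and b"VirtualBox Disk Image >>>" in sec[:64]:
        if struct.unpack_from("<I", sec, 64)[0] == VDI_SIGNATURE:
            return "vdi-header"
    # A generic file header, for contrast: it looks the same whether the JPEG lived
    # on the host file system or inside a VM's virtual disk.
    if sec[:3] == b"\xff\xd8\xff":
        return "jpeg"
    return None


def scan_unallocated(data: bytes) -> List[Tuple[int, str]]:
    """Sector-aligned scan; returns (offset, label) for each recognised header."""
    hits = []
    for off in range(0, len(data) - SECTOR + 1, SECTOR):
        label = classify_sector(data[off:off + SECTOR])
        if label:
            hits.append((off, label))
    return hits


def _sector(payload: bytes) -> bytes:
    return payload.ljust(SECTOR, b"\x00")


def build_sample() -> bytes:
    """Constructed 'unallocated space': eight sectors with headers scattered among filler."""
    filler = _sector(b"filler data, nothing of interest")
    vdi = _sector(b"<<< Oracle VM VirtualBox Disk Image >>>\n".ljust(64, b"\x00")
                  + struct.pack("<I", VDI_SIGNATURE))
    vmdk = _sector(b"KDMV" + struct.pack("<I", 1))
    vhd = _sector(b"conectix")
    jpeg = _sector(b"\xff\xd8\xff\xe0\x00\x10JFIF\x00")
    return b"".join([filler, filler, vdi, filler, jpeg, vmdk, filler, vhd])


if __name__ == "__main__":
    for off, label in scan_unallocated(build_sample()):
        print(f"sector {off // SECTOR:3d} (offset {off:6d}): {label}")
```

Run it and the JPEG is reported in exactly the same way as the three VM container headers; only the container headers tell you a virtual disk was ever there, and a file found further on could belong to either the host or the guest.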


(@wotsits)
Reputable Member
Joined: 10 years ago
Posts: 253
Topic starter  

Thank you Jaclaz.

It seems the main issue could be that data from deleted VMs could be mixed with data deleted from other user accounts, but effectively the data would still exist.

This poses an issue as I see it. Say a suspect has virtual machine software installed on his computer but no more virtual machines, and then some data is found in unallocated space that could look very juicy. However he says that other people used the virtual machines via remote software, and there were also other user accounts that were used by other people that have now been deleted. He argues that data could have been the product of any of those others but not him. It seems there's nothing to rebut that defence if the data is indistinguishable from other deleted user accounts or virtual machines.


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Thank you Jaclaz.

It seems the main issue could be that data from deleted VMs could be mixed with data deleted from other user accounts, but effectively the data would still exist.

This poses an issue as I see it. Say a suspect has virtual machine software installed on his computer but no more virtual machines, and then some data is found in unallocated space that could look very juicy. However he says that other people used the virtual machines via remote software, and there were also other user accounts that were used by other people that have now been deleted. He argues that data could have been the product of any of those others but not him. It seems there's nothing to rebut that defence if the data is indistinguishable from other deleted user accounts or virtual machines.

Yep, but you have to add to the hypothesis a self-deleting rootkit (or similar) that allowed the supposed intruder to run a VM from remote BUT that - strangely enough - left the actual data used in the VM recoverable, while perfectly wiping any evidence of remote access.

Of course possible, though a bit unlikely, and anyway it is not in any way different from the base problem of "putting the suspect behind the keyboard".

And there is nothing in "data itself" connecting to "what" created it, the suspect could have (say) booted from a CD and produced the data you find while running a Live OS or even a VM inside the live OS.

And BTW - as a side note - it is not really-really needed to "install" a Virtual Machine software; there are portable Vbox versions, and Qemu need not be installed, as an example.

jaclaz


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Is anyone familiar with VMWare or Oracle Virtual Box?

If a computer is running virtual machines using either of these, and then the virtual machines are deleted, what effect will this have?

I'm not sure that I'm clear as to the question here. On the face of it, it seems pretty obvious…if you open VMWare or VirtualBox and try to launch a VM that no longer exists in the active file system, it won't run.

Assuming the unallocated space has not been overwritten, will it be easy to recover the data that was on these virtual machines, very difficult or is it pretty much gone?

Well, reasoning through this, how would you recover the VM? If the MFT entry has simply been marked as "not in use", you could parse the data runs and recover the entire VM file.

However, if you're carving unallocated space, and there's any fragmentation at all, the most likely result would be that you would not recover something that could be run/launched.

Again, I apologize if my responses seem simplistic…I'm not entirely sure that I understood the question; the answers to the questions appeared to be pretty obvious.
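keydet89's distinction between following the MFT entry's data runs and carving contiguous space can be shown in a few lines. The following Python is an added example, not code from this thread: it decodes an NTFS run list (the header byte's low nibble is the size of the length field, the high nibble the size of the signed, relative LCN offset field, and an offset size of zero marks a sparse run), rebuilds a file from a constructed toy volume in which the "VM image" sits in two fragments, and shows that a contiguous carve starting at the first fragment returns the wrong bytes. The volume, the payload and the run list are constructed here; the run-list encoding is the standard NTFS one.

```python
from typing import List, Optional, Tuple

CLUSTER = 4096  # cluster size of the constructed toy volume

Run = Tuple[Optional[int], int]  # (starting LCN, or None for a sparse run; length in clusters)


def decode_runlist(raw: bytes) -> List[Run]:
    """Decode an NTFS data-run list from a non-resident $DATA attribute.

    Each run starts with a header byte: low nibble = byte size of the length field,
    high nibble = byte size of the offset field. The offset is a signed little-endian
    delta from the previous run's starting LCN; an offset size of 0 marks a sparse run.
    A zero header byte terminates the list.
    """
    runs: List[Run] = []
    pos = 0
    lcn = 0
    while pos < len(raw) and raw[pos] != 0:
        header = raw[pos]
        len_size, off_size = header & 0x0F, header >> 4
        pos += 1
        length = int.from_bytes(raw[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((None, length))
            continue
        delta = int.from_bytes(raw[pos:pos + off_size], "little", signed=True)
        pos += off_size
        lcn += delta
        runs.append((lcn, length))
    return runs


def reassemble(volume: bytes, runs: List[Run], cluster: int, real_size: int) -> bytes:
    """Follow the runs across the volume and truncate to the attribute's real size."""
    out = bytearray()
    for lcn, length in runs:
        if lcn is None:
            out += b"\x00" * (length * cluster)  # sparse run reads back as zeros
        else:
            out += volume[lcn * cluster:(lcn + length) * cluster]
    return bytes(out[:real_size])


def carve_contiguous(volume: bytes, start: int, size: int) -> bytes:
    """What a header-to-size carver assumes: the file continues unbroken from its header."""
    return volume[start:start + size]


def build_demo() -> Tuple[bytes, bytes, bytes]:
    """Constructed 64-cluster volume holding one fragmented 10240-byte 'VM image'."""
    payload = bytes(range(256)) * 40
    volume = bytearray(64 * CLUSTER)
    volume[10 * CLUSTER:12 * CLUSTER] = payload[:2 * CLUSTER]  # fragment 1: LCN 10, 2 clusters
    tail = payload[2 * CLUSTER:]
    volume[40 * CLUSTER:40 * CLUSTER + len(tail)] = tail         # fragment 2: LCN 40, 1 cluster
    # Run list as it would sit in the MFT record: (len 2 @ +10), (len 1 @ +30 relative), end marker.
    runlist = bytes([0x11, 0x02, 0x0A, 0x11, 0x01, 0x1E, 0x00])
    return bytes(volume), payload, runlist


if __name__ == "__main__":
    volume, payload, runlist = build_demo()
    runs = decode_runlist(runlist)
    print("runs:", runs)
    print("MFT-run recovery matches:", reassemble(volume, runs, CLUSTER, len(payload)) == payload)
    print("contiguous carve matches:", carve_contiguous(volume, 10 * CLUSTER, len(payload)) == payload)
```

The same decoder handles the classic one-run list `21 18 34 56 00` (24 clusters at LCN 0x5634), negative deltas for runs that sit before the previous one, and sparse runs. Once the MFT record has been reused, the run list is gone and only the carve path remains, which is why the multi-gigabyte, usually fragmented image keydet89 describes is so rarely recoverable as something that will still boot.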


JaredDM
(@jareddm)
Estimable Member
Joined: 9 years ago
Posts: 118
 

These cases are a total pain to deal with. I'm actually working on a data recovery case (not forensic) right now where it was an ESXi machine running a VM. The VM was hit with ransomware, the backups were found to be six months old, and to boot a tech who looked at it remotely ended up formatting the VMFS filesystem (completely zero filling the filetable in the process).

So now I'm trying to see if there's any hope of putting Humpty Dumpty back together again to at least get back the original VMDK file so there'll at least be the option to pay the criminals. Unfortunately it's looking quite fragmented, so I suspect it was thin provisioned and is in a thousand pieces now.

