True, the VM itself is not usually of direct forensic interest. On the other hand, it would appear that someone didn't wipe the XP SP2 VHD before distribution
http//
If the vendor has released the VMware image (or in Microsoft's case, a VHD image), it may be one that can be *built* as a forensic image for teaching or legal sharing with the forensic community. In other words, you can create a crime scene for others to work through, then DD or otherwise image it. This could be like the images available in training classes provided by a couple of major forensic vendors, and not unlike the DC3 challenge images. I'm looking for a legal way to do this with a Windows OS.
I put in a call to my local MS rep today. Maybe I'll hear back, maybe not. One can hope.
http//
Go to Lance Mueller's blog. He's posted two forensic exercises so far, and sounds discouraged that so few posted results.
Grab 'em, analyze 'em, post 'em….. 'cause anyone willing to put effort into this needs to be encouraged to continue 😉
http//