Toward the middle of the page on Nov 28th there is a reference / lab for Virtual machine Forensics
Things must have changed... it's been moved to the 29th.
Also, based on everything that the OP has provided so far, I'm not sure why anything specific to virtual machines is necessary. There really doesn't seem to be too much difference between "normal" forensics and what needs to be performed in this case.
H. Carvey
"Windows Forensics and Incident Recovery"
windowsir.blogspot.com
Found a resource for Virtual Machine forensics.
http://www.thetrainingco.com/agenda/agenda.cgi?c=TF-2005
Toward the middle of the page on Nov 28th there is a reference / lab for Virtual machine Forensics
"Virtual Machine Forensics—Dealing with Irregular Data by Tomas Castrejon - Deloitte & Touche"
Didn't get a chance to Google 'Tomas Castrejon', but seems like he would be a good resource for the challenge you are encountering.
Good find! I think I will look into him a little more and maybe try and contact him directly.
Mr. Tomas M. Castrejon
Director of Operations
Digital Disclosure, Inc.
Mr. Castrejon’s background includes 10 years of computer forensics experience. Prior to founding Digital Disclosure, Inc., Mr. Castrejon managed all computer forensic lab operations and staff for Deloitte & Touche in Northern California and Hawaii for two years. During this time, Mr. Castrejon was the lead author for the Computer Forensics and High Technology Investigations Policies and Procedures used nationally by Deloitte & Touche. In addition, Mr. Castrejon conducted and supervised litigation support projects and computer related investigations including the theft of intellectual property, procurement fraud, and revenue recognition issues.
Prior to entering the private sector, Mr. Castrejon served as a law enforcement officer in California for over 8 years. During that time, he developed a solid grounding in investigative techniques, chain of custody, authentication, and other evidentiary matters. Mr. Castrejon gained a wide range of experience in criminal investigations and solving high-technology crime related cases. These cases included analyzing and recovering data used in homicide investigations, fraud, and child exploitation. Mr. Castrejon also functioned as a Field Training Officer responsible for the training of new officers. He remains on active reserve status as a law enforcement officer and regularly consults with law enforcement personnel.
Mr. Castrejon is an active member of the High Technology Crime Investigation Association (HTCIA), InfraGard, the Information Systems Security Association (ISSA), and the International Association of Computer Investigative Specialists (IACIS) where he also serves as a “coach” for students during the rigorous certification process.
Mr. Castrejon has testified in both criminal and civil cases in California and before the Grand Jury in New York. He has been interviewed by the New York State Attorney General’s Office on computer forensic matters.
Recent Cases include
· Theft of proprietary information.
· Findings to support the destruction of data during discovery in litigation.
· Comprehensive analysis of email and relevant files during an SEC investigation.
· Review of computers pursuant to a sexual harassment lawsuit.
Mr. Castrejon has a Bachelor of Science degree from Southern Illinois University and has earned several certifications including
· The IACIS Certified Forensic Computer Examiner (CFCE)
· Encase Certified Examiner (EnCE)
· A+ Certification – Administered by CompTIA
· Microsoft Certified Professional (MCP)
What if the vmware virtual machine hard-disk was setup as non-persistent? Would there be relevant data to analyze after the machine was shutdown.
I don't have my VMWare in front of me right now... how does one set up the hard drive as non-persistent? What are the settings? What data would this setting affect?
H. Carvey
"Windows Forensics and Incident Recovery"
windowsir.blogspot.com
I've only used VMWare Workstation 5 but, when a virtual machine is initially set up, you can specify the type of hard-disk drive that will contain the OS: persistent or non-persistent. Non-persistent meaning any changes / activity occurring within the virtual machine would not be recorded. I have yet to do any forensic testing to determine what, if anything, is recorded.
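An added triage helper, not code from anyone in this thread, that reads a VMware .vmx configuration and reports which virtual disks are configured non-persistent, the setting asked about above; the sample .vmx is constructed, and treating a disk with no `.mode` key as "persistent" (VMware's default) is an assumption stated in the code.

```python
import re

# Constructed sample VMware .vmx configuration for this example (not a real case).
# The key names and the mode values "persistent" / "independent-nonpersistent"
# are VMware's own .vmx vocabulary.
SAMPLE_VMX = '''
config.version = "8"
displayName = "suspect-xp"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "suspect-xp.vmdk"
scsi0:0.mode = "independent-nonpersistent"
scsi0:1.present = "TRUE"
scsi0:1.fileName = "evidence-data.vmdk"
ide1:0.present = "TRUE"
ide1:0.fileName = "auto detect"
ide1:0.deviceType = "cdrom-raw"
'''

_LINE = re.compile(r'^\s*([\w:.]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Parse .vmx text (one `key = "value"` per line) into a dict."""
    cfg = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def disk_persistence(cfg):
    """Return each attached .vmdk with its persistence mode, ordered by device.

    Assumption: a device with no <dev>.mode key is treated as "persistent",
    VMware's default. "volatile" is True for a nonpersistent mode, i.e. guest
    writes go to a redo log that is discarded when the guest is powered off.
    """
    disks = []
    for key, value in cfg.items():
        dev, _, field = key.partition(".")
        if field != "fileName" or not value.lower().endswith(".vmdk"):
            continue  # CD-ROMs, floppies and unrelated keys are skipped
        if cfg.get(f"{dev}.present", "TRUE").upper() != "TRUE":
            continue
        mode = cfg.get(f"{dev}.mode", "persistent")
        disks.append({"device": dev, "file": value, "mode": mode,
                      "volatile": "nonpersistent" in mode})
    return sorted(disks, key=lambda d: d["device"])


if __name__ == "__main__":
    for d in disk_persistence(parse_vmx(SAMPLE_VMX)):
        flag = "VOLATILE (capture while running)" if d["volatile"] else "on-disk"
        print(f"{d['device']}: {d['file']} [{d['mode']}] -> {flag}")
```

A disk flagged volatile keeps its session activity only while the guest is running, so the base .vmdk alone will not show what happened in that session; the running guest, its memory and any redo or snapshot files are where that activity has to be captured.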