Virtual machine forensics  

I am pretty new to this forum, but I have found it to be a very good source of information and help, so now that I was looking for information on virtual machines, I thought I'd try here first!

I am working a case where I have two physical machines with one hard drive each. On these two machines I have found what seems to be a total of five virtual machines, three VMware and two Virtual PC machines.

Now to my problem - I need to find out as much as possible about the virtual machines and I would like to do forensics on them. I have used EnCase to do forensics on the physical drives and that is how I found the virtual ones.

I have managed to get into the VMware ones by extracting them out of my evidence files and then acquiring them once again just as if they were physical disks. This works fine with VMware but not at all, as far as I understand, with the Virtual PC ones. I suppose this is because there is built-in support for VMware in EnCase…

Any ideas anyone, on how to do this in a forensically sound way?

I usually use VMware or Virtual PC to make an image of them:

- Mount your FDD and/or CD-ROM drive
- Set the VMware (or Virtual PC) file
- Mount a clean HDD physically
- Set the FDD or the CD drive first in the boot order
- Boot your favorite imager app from the FDD or CD
- Copy the content of the VMware or Virtual PC to the clean HDD

That is it.

Hope I have understood your problem and this helps,

Hmmm… As I mentioned initially, it works fine with VMware, but not with Virtual PC, and I do not see how I should be able to acquire the actual virtual content from a Virtual PC in the way you describe either…

All the virtual machines are already added as evidence files as parts of the two physical machines; my problem is how to treat the Virtual PC as a machine of its own… Everything I have tried so far presents me with a file I cannot view without the Virtual PC software (I want to use EnCase if possible, but any way to get into the VPC virtual machine without messing up dates etc. would be ok)…

Am I missing something fundamental here…? 😕
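Added example, not from either poster: Virtual PC stores its virtual hard disk as a .vhd file (the .vmc file is the XML configuration and .vsv is a saved state), and the VHD format ends in a 512-byte big-endian footer that records the disk type, the size, the creation timestamp and a checksum. A fixed VHD is simply a raw sector image followed by that footer, so it can be handed to an imaging or analysis tool as a raw disk once the footer is read and stripped; a dynamic or differencing VHD stores sectors in blocks indexed by a table, so it has to be converted first. The code below parses and validates the footer, reports what it finds, and extracts the raw image for the fixed case. The sample images, the creator version and the geometry values are constructed for the example; the field layout, the checksum rule and the 2000-01-01 epoch are from the published VHD specification.

```python
import hashlib
import struct
from datetime import datetime, timedelta, timezone

# VHD footer layout (big-endian), 512 bytes, as published in the VHD format specification.
FOOTER_FMT = ">8sIIQI4sI4sQQHBBII16sB427s"
FOOTER_SIZE = struct.calcsize(FOOTER_FMT)  # 512
VHD_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)  # timestamp is seconds since this instant
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}


def vhd_checksum(footer: bytes) -> int:
    """One's complement of the byte sum, computed with the checksum field (bytes 64..67) zeroed."""
    zeroed = footer[:64] + b"\x00\x00\x00\x00" + footer[68:]
    return (~sum(zeroed)) & 0xFFFFFFFF


def parse_vhd_footer(image: bytes) -> dict:
    """Parse and validate the trailing footer of a VHD image held in memory."""
    if len(image) < FOOTER_SIZE:
        raise ValueError("image shorter than a VHD footer")
    footer = image[-FOOTER_SIZE:]
    (cookie, features, version, data_offset, timestamp, creator_app,
     creator_ver, creator_os, orig_size, cur_size, cyl, heads, spt,
     disk_type, checksum, uid, saved_state, _reserved) = struct.unpack(FOOTER_FMT, footer)
    if cookie != b"conectix":
        raise ValueError("missing 'conectix' cookie: not a VHD footer")
    checksum_ok = checksum == vhd_checksum(footer)
    if not checksum_ok:
        raise ValueError("footer checksum mismatch: footer is damaged or not a VHD")
    return {
        "disk_type": DISK_TYPES.get(disk_type, f"unknown({disk_type})"),
        "data_offset": data_offset,          # 0xFFFFFFFFFFFFFFFF for fixed disks
        "timestamp": (VHD_EPOCH + timedelta(seconds=timestamp)).isoformat(),
        "creator_app": creator_app.decode("ascii", "replace"),  # "vpc " for Virtual PC
        "creator_os": creator_os.decode("ascii", "replace"),
        "original_size": orig_size,
        "current_size": cur_size,
        "geometry": (cyl, heads, spt),
        "saved_state": bool(saved_state),    # VM had a saved state when the disk was closed
        "uuid": uid.hex(),
        "checksum_ok": checksum_ok,
    }


def extract_raw_image(image: bytes) -> bytes:
    """Return the raw sector image of a fixed VHD (everything before the footer)."""
    info = parse_vhd_footer(image)
    if info["disk_type"] != "fixed":
        raise ValueError(f"{info['disk_type']} VHD: sector data is not contiguous, convert it first")
    raw = image[:-FOOTER_SIZE]
    if len(raw) != info["current_size"]:
        raise ValueError("payload length does not match footer current_size")
    return raw


def raw_sha256(image: bytes) -> str:
    """Hash of the extracted raw image, for the acquisition notes."""
    return hashlib.sha256(extract_raw_image(image)).hexdigest()


def build_vhd_footer(current_size: int, disk_type: int, timestamp: int = 0) -> bytes:
    """Build a footer for a constructed sample image; checksum is filled in last."""
    sectors = current_size // 512
    body = struct.pack(
        FOOTER_FMT,
        b"conectix", 0x00000002, 0x00010000,
        0xFFFFFFFFFFFFFFFF if disk_type == 2 else 512,
        timestamp, b"vpc ", 0x00050003, b"Wi2k",          # constructed creator version
        current_size, current_size,
        min(sectors, 65535), 1, 1,                         # crude CHS for the sample only
        disk_type, 0, b"\x00" * 16, 0, b"\x00" * 427,
    )
    return body[:64] + struct.pack(">I", vhd_checksum(body)) + body[68:]


# Constructed samples: a 64 KiB fixed disk and a dynamic disk that carries only its footers.
SAMPLE_DATA = bytes(range(256)) * 256
FIXED_SAMPLE = SAMPLE_DATA + build_vhd_footer(len(SAMPLE_DATA), 2, timestamp=86400)
DYNAMIC_SAMPLE = build_vhd_footer(len(SAMPLE_DATA), 3) * 2  # copy at start, footer at end

if __name__ == "__main__":
    for name, img in (("fixed", FIXED_SAMPLE), ("dynamic", DYNAMIC_SAMPLE)):
        print(name, parse_vhd_footer(img))
    print("raw image sha256:", raw_sha256(FIXED_SAMPLE))
```

Read the footer from a working copy of the exported .vhd, not from the evidence file, and record the hash of the extracted raw image alongside the hash of the original .vhd. The specification also notes that images written by versions before Virtual PC 2004 use a 511-byte footer, so an older image that fails the cookie check at offset -512 is worth retrying at offset -511 before concluding it is not a VHD.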

