Hello,
do you have an article about which traces a virtual machine usually leaves on the host machine (other than the virtual disk and configuration files)?
In what way is the host swapfile revealing? Are there any temporary files / snapshots etc?
Charles
Is there a particular virtual environment you're interested in? How about host platform/OS?
Virtual Machine and Virtual PC. Host Win XP, 7 and Linux.
I understand "virtual machine", but the question was, "which one?" Do you mean VMware?
As to the artifacts, the virtual environment would be there, including Registry keys (on Windows), etc.
Can you clarify a bit more regarding what you're looking for?
Thanks.
With VMware it depends on the configuration.
A VM needs to back up the allocated virtual RAM in a so-called mainmem-file.
This can either be stored in a *.mem file along with other files of the virtual machine - or it can be allocated in real RAM + pagefile or real RAM + swap space on Linux - or it can use a mixture of both variants.
read http//
The mainmem file may be deleted after the VM is powered off - again this depends on the configuration of the VM - but AFAIK it is not wiped after use?
So it may be possible to find remnants of this file if you know what to search for.
A VM leaves hints on the USB devices last used by a VM in the registry.
In the preferences.ini you find notes of the VMs each user has used in the past.
In the config.ini you find notes on the last used host configuration - useful to find out which memory settings were used last time.
In the favorites.vmls you can look up the favorite VMs of each user.
For a longer list of files see my site
http//
A VM leaves hints on the USB devices last used by a VM in the registry.
How so?
Virtual Machine and Virtual PC. Host Win XP, 7 and Linux.
I understand "virtual machine", but the question was, "which one?" Do you mean VMware?
Sorry, I meant Virtual Box and Virtual PC.
A VM leaves hints on the USB devices last used by a VM in the registry.
How so?
look at the key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_0E0F&Pid_0001
If that key does not exist you can assume that no USB devices were used by a VM recently.
If it exists you can look up the links and find out which devices were used
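The registry check described in the last post, as an added example that is not part of the thread: it scans a text export of the SYSTEM hive (`.reg` format, for instance from `reg export`, already decoded to a string) for the key named above and lists the device instance subkeys in every control set. The function name, the choice to work from an export, and all sample instance IDs and values are assumptions made for illustration.

```python
import re

# Key named in the post above, relative to a control set; matched case-insensitively.
VM_USB_KEY = r"Enum\USB\Vid_0E0F&Pid_0001"
KEY_RE = re.compile(
    r"HKEY_LOCAL_MACHINE\\SYSTEM\\(?P<cs>(?:Current)?ControlSet\d*)\\"
    + re.escape(VM_USB_KEY) + r"(?:\\(?P<inst>[^\\]+))?",
    re.IGNORECASE,
)

# Constructed sample in .reg export format; instance IDs and values are made up.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USB\Vid_0E0F&Pid_0001]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USB\Vid_0E0F&Pid_0001\5&1a2b3c4d&0&2]
"DeviceDesc"="Constructed device A"
"LocationInformation"="Port_#0002.Hub_#0005"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USB\Vid_0E0F&Pid_0001\5&1a2b3c4d&0&2\Device Parameters]
"Ignored"="value below instance level"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\USB\VID_0E0F&PID_0001\5&9f8e7d6c&0&1]
"DeviceDesc"="Constructed device B"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USB\Vid_1234&Pid_5678\CONSTRUCTED0001]
"DeviceDesc"="Unrelated constructed device"
'''


def vm_usb_instances(reg_text):
    """Return {control_set: {instance_id: {value_name: data}}} for the key above."""
    found, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = None  # values only count directly under an instance subkey
            m = KEY_RE.fullmatch(header.group(1))
            if m:
                instances = found.setdefault(m.group("cs"), {})
                if m.group("inst"):
                    current = instances.setdefault(m.group("inst"), {})
            continue
        value = re.fullmatch(r'"([^"]+)"=(.*)', line)
        if value and current is not None:
            current[value.group(1)] = value.group(2).strip('"')
    return found
```

An empty result means the key is absent from the export, which is the "key does not exist" case from the post.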