Hi All, -)
I'm looking for some research into the potential of VMWare as an anti-forensic tool. Does anyone know of any?
Google seems to throw a lot of results back - but none are actually related directly to the question that I can find …
I suppose basically the question is
How much of the VMWare machine "leaks" onto the host? If I encrypt my VMWare disk image, for example, can I deduce anything about what has been done within that sandbox from any artefacts left on the host system?
I'll do my own research should this not be forthcoming, but I just wondered if someone was cognisant of something I am not?
Cheers,
Azrael
My experience with VMWare is that nothing except the VM image is on the host that is related to what is going on in the VM. So when you put a VM into a TC volume with a good passphrase, nothing except the name / path of the machine is stored outside the encrypted area.
However, I don't know how VMWare handles paging if enabled (a modern PC with 4 GB of RAM can work entirely without a paging file); it may be that some traces are left in the pagefile.sys.
Thanks for that … I managed to find this reference on the VMWare site - when I searched more specifically for "pagefile"
http//
It suggests that it is possible to prevent VMWare from writing to the system page file, rather making use of VMWare-specific page files for the guest OS, although I guess that there is still a risk, as VMWare is in memory that would get paged, but it seems that this is unlikely to contain anything of use.
Ta muchly. -D
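The thread's question is what a host examiner can still see of a VM once the disk image itself is protected. The script below is an added example (not from the thread or from VMware) that walks a directory, lists the VMware Workstation files it finds, groups them by whether they can hold guest RAM (.vmem, .vmss, .vmsn) or only metadata (.vmx, .vmdk, .vmsd, .nvram, vmware.log), and reads each .vmx to report the VM's displayName and whether mainMem.useNamedFile is set to "FALSE", which is the Workstation setting I assume keeps guest RAM out of a host-side .vmem file; that key and the .vmx key = "value" format are assumptions from VMware's documentation, not from the thread. The sample VM directory is constructed inside a temporary folder.

```python
"""Inventory VMware Workstation artefacts left on a host filesystem.

Added example for the thread above, not VMware's own code.
Assumptions: .vmx files use the key = "value" line format, the suffix
lists below match Workstation's on-disk files, and
mainMem.useNamedFile = "FALSE" is the setting that stops Workstation
from backing guest RAM with a .vmem file beside the VM.
"""
import os
import re
import tempfile

# Files that can contain guest RAM (or a snapshot of it) in clear unless the
# whole VM directory lives inside an encrypted volume.
GUEST_MEMORY_SUFFIXES = (".vmem", ".vmss", ".vmsn")
# Files that describe the VM (config, disk, snapshot index, firmware vars).
METADATA_SUFFIXES = (".vmx", ".vmxf", ".vmsd", ".nvram", ".vmdk")
LOG_PATTERN = re.compile(r"^vmware(-\d+)?\.log$")
VMX_LINE = re.compile(r'^\s*([\w.:-]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Return the key/value pairs of a .vmx file as a dict (keys lower-cased)."""
    settings = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def classify(filename):
    """Map a file name to an artefact category, or None if not VMware-related."""
    lower = filename.lower()
    if lower.endswith(GUEST_MEMORY_SUFFIXES):
        return "guest-memory"
    if lower.endswith(METADATA_SUFFIXES):
        return "metadata"
    if LOG_PATTERN.match(lower):
        return "log"
    return None


def inventory(root):
    """Walk root and list VMware artefacts with their category; for each .vmx
    also report displayName and whether guest RAM is backed by a .vmem file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            category = classify(name)
            if category is None:
                continue
            path = os.path.join(dirpath, name)
            entry = {"path": path, "category": category}
            if name.lower().endswith(".vmx"):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    cfg = parse_vmx(fh.read())
                entry["displayName"] = cfg.get("displayname")
                # Default is TRUE: without the key Workstation writes a .vmem.
                entry["vmem_on_host"] = (
                    cfg.get("mainmem.usenamedfile", "TRUE").upper() != "FALSE"
                )
            findings.append(entry)
    return sorted(findings, key=lambda e: e["path"])


# Constructed .vmx content for the demo; the values are made up.
SAMPLE_VMX = '''.encoding = "UTF-8"
config.version = "8"
displayName = "sandbox-xp"
memsize = "512"
mainMem.useNamedFile = "FALSE"
scsi0:0.fileName = "sandbox-xp.vmdk"
'''


def build_sample(base):
    """Create a constructed VM directory under base (sample data, not a real VM)."""
    vmdir = os.path.join(base, "sandbox-xp")
    os.makedirs(vmdir, exist_ok=True)
    with open(os.path.join(vmdir, "sandbox-xp.vmx"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_VMX)
    with open(os.path.join(vmdir, "sandbox-xp.vmem"), "wb") as fh:
        fh.write(b"\x00" * 64)  # stands in for guest RAM content
    with open(os.path.join(vmdir, "vmware.log"), "w", encoding="utf-8") as fh:
        fh.write("constructed log line\n")
    with open(os.path.join(vmdir, "notes.txt"), "w", encoding="utf-8") as fh:
        fh.write("unrelated file, must not be reported\n")
    return vmdir


def run_demo():
    """Build the constructed sample in a temp dir and return its inventory."""
    with tempfile.TemporaryDirectory() as tmp:
        return inventory(build_sample(tmp))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Point the `inventory()` function at a real VM folder to see what sits beside the disk image. Anything it reports as "guest-memory" is the part that defeats disk-image encryption on its own, which is why the reply above suggests putting the whole VM directory, not just the .vmdk, inside the encrypted volume. The host's own pagefile.sys and hibernation file are outside what this script can inspect, so the open point in the thread stays open.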