Forensic reading

It’s been a while since I last posted something re. digital forensics, mostly due to the fact that I’ve been cramped down by studies and work. Nevertheless, I came across this document by Brett Shavers entitled Virtual Forensics – A Discussion of Virtual Machines Related to Forensics Analysis. A brief summary of the 35-page document is quoted below.

The time of virtual machines has come and will only become more commonplace. Although a virtual machine is nearly identical to an actual computer system, there are differences that examiners should be aware of. Given the capabilities that are inherent in booting forensic images into a virtual environment, this should be the first choice in the restoration of any forensic image as it not only saves time in the restoration process, but it can be repeated as many times as needed, quickly and easily.

Early in the PDF, we get a primer on VMware files (such as .VMDK and .VMSD files), and the document continues by describing the pros and cons of using virtual machines as a forensic OS. Later, he discusses topics like using VMs for anti-forensics, i.e. using a good tool for bad things, followed by a number of how-tos.

I cannot help but say that this is a very good read, graphically supplemented and full of valuable information, whether you want to learn more about VMs or are analyzing a VM for possible intrusion or compromise.

Download it here.
