{"title":"Forensic acquisition and analysis of VMware virtual machine artifacts","authors":"V. Meera, M. Isaac, C. Balan","doi":"10.1109/IMAC4S.2013.6526418","DOIUrl":null,"url":null,"abstract":"Virtual Forensics is a new trend in the area of computer forensics. Virtualization technology paved the way for the growth of virtual forensics. VMware virtual environment provides a completely virtualized set of hardware to the guest operating system. The features of Virtual Machine make it an interesting platform to commit cyber crimes. The combination of innovative criminal techniques and advanced technologies makes the traditional techniques out-dated for detecting such crimes. This paper discusses how live acquisition can be performed to acquire virtual machine related files from the host operating system. The paper also describes how to analyze these acquired files to obtain raw data stored in various grains. The study is supported by methods that assist forensic examiners by providing valuable information from the raw data which is retrieved from various grains pointed by grain table entries.","PeriodicalId":403064,"journal":{"name":"2013 International Mutli-Conference on Automation, Computing, Communication, Control and Compressed Sensing (iMac4s)","volume":"111 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2013-03-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"11","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2013 International Mutli-Conference on Automation, Computing, Communication, Control and Compressed Sensing (iMac4s)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/IMAC4S.2013.6526418","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 11
Abstract
Virtual forensics is a new trend in the area of computer forensics. Virtualization technology paved the way for the growth of virtual forensics. The VMware virtual environment provides a completely virtualized set of hardware to the guest operating system. The features of virtual machines make them an interesting platform for committing cyber crimes. The combination of innovative criminal techniques and advanced technologies makes traditional techniques outdated for detecting such crimes. This paper discusses how live acquisition can be performed to acquire virtual machine related files from the host operating system. The paper also describes how to analyze these acquired files to obtain raw data stored in various grains. The study is supported by methods that assist forensic examiners by providing valuable information from the raw data retrieved from the various grains pointed to by grain table entries.