Security and Privacy in Communication Networks. SecureComm 2017 International Workshops, ATCS and SePrIoT, Niagara Falls, ON, Canada, October 22–25, 2017, Proceedings

Research Article

Identification of Forensic Artifacts in VMWare Virtualized Computing

Download
742 downloads
  • @INPROCEEDINGS{10.1007/978-3-319-78816-6_7,
        author={Cory Smith and Glenn Dietrich and Kim-Kwang Choo},
        title={Identification of Forensic Artifacts in VMWare Virtualized Computing},
        proceedings={Security and Privacy in Communication Networks. SecureComm 2017 International Workshops, ATCS and SePrIoT, Niagara Falls, ON, Canada, October 22--25, 2017, Proceedings},
        proceedings_a={SECURECOMM \& ATCS \& SEPRIOT},
        year={2018},
        month={4},
        keywords={Digital forensics Forensic artifacts Virtualization Virtual machine VMDK Forensic Toolkit FTK Registry Viewer},
        doi={10.1007/978-3-319-78816-6_7}
    }
    
  • Cory Smith
    Glenn Dietrich
    Kim-Kwang Choo
    Year: 2018
    Identification of Forensic Artifacts in VMWare Virtualized Computing
    SECURECOMM & ATCS & SEPRIOT
    Springer
    DOI: 10.1007/978-3-319-78816-6_7
Cory Smith1, Glenn Dietrich1, Kim-Kwang Choo1,*
  • 1: University of Texas at San Antonio
*Contact email: raymond.choo@fulbrightmail.org

Abstract

With popularity of virtualized computing continuing to grow, it is crucial that digital forensic knowledge keeps pace. This research sought out to identify the forensic artifacts and their locations that may be recovered from a VMware Workstation virtual machine running Windows 7 x64. Several common forensic tools were used to conduct this research, namely AccessData’s Forensic Toolkit (FTK), FTK Imager, and FTK Registry Viewer. This research verified the processes required to gather digital evidence from a virtual machine disk (VMDK) file, creation of a forensic image, and mounting of evidence into these forensic tools. This research then proceeded to document recovered artifacts and their locations related to system configuration, internet usage, file creation and deletion, user administration, and more.