Research Article
Identification of Forensic Artifacts in VMWare Virtualized Computing
@INPROCEEDINGS{10.1007/978-3-319-78816-6_7,
  author={Cory Smith and Glenn Dietrich and Kim-Kwang Choo},
  title={Identification of Forensic Artifacts in VMWare Virtualized Computing},
  proceedings={Security and Privacy in Communication Networks. SecureComm 2017 International Workshops, ATCS and SePrIoT, Niagara Falls, ON, Canada, October 22--25, 2017, Proceedings},
  proceedings_a={SECURECOMM \& ATCS \& SEPRIOT},
  year={2018},
  month={4},
  keywords={Digital forensics Forensic artifacts Virtualization Virtual machine VMDK Forensic Toolkit FTK Registry Viewer},
  doi={10.1007/978-3-319-78816-6_7}
}
- Cory Smith
- Glenn Dietrich
- Kim-Kwang Choo
Year: 2018
SECURECOMM & ATCS & SEPRIOT
Springer
DOI: 10.1007/978-3-319-78816-6_7
Abstract
With the popularity of virtualized computing continuing to grow, it is crucial that digital forensic knowledge keeps pace. This research sought to identify the forensic artifacts, and their locations, that may be recovered from a VMware Workstation virtual machine running Windows 7 x64. Several common forensic tools were used to conduct this research, namely AccessData’s Forensic Toolkit (FTK), FTK Imager, and FTK Registry Viewer. This research verified the processes required to gather digital evidence from a virtual machine disk (VMDK) file, create a forensic image, and mount the evidence in these forensic tools. This research then proceeded to document recovered artifacts and their locations related to system configuration, internet usage, file creation and deletion, user administration, and more.