With the advancement in virtualization technology, virtual machines (VMs) are becoming a common and integral part of datacenters. As the popularity and the use of VMs increases, incidents involving them are also on the rise. There is substantial research on using VMs and virtual appliances to aid forensic investigation, but research on the appropriate forensics procedures for collecting and analyzing evidence within a VM following is lacking. This paper presents a forensically sound way to acquire and analyze VM hard disks. A forensics tool for analyzing VM snapshots and vmdk files is developed and has been proven to be forensically sound.
Date of creation, presentation, or exhibit
Department, Program, or Center
Information Sciences and Technologies (GCCIS)
Hirwani M., Pan Y. , Stackpole W., and Johnson D. Forensic Acquisition and Analysis of VMware Virtual Hard Disks. In SAM'12 - The 2012 International Conference on Security and Management (Las Vegas, NV, USA, July 2012)
RIT – Main Campus