5 Investigating Dead Virtual Environments

Information in This Chapter

  • Install Files

  • Remnants

  • Registry

  • Microsoft Disk Image Formats

  • Data to Look for

  • Investigator Tips

Traditionally, investigators have used virtual machines to create contained environments for malware isolation or to view the environment as a suspect used it on the suspect's machine. For example, VMware can be used to mount a dd image, and applications such as LiveView and Virtual Forensic Computing (VFC) can be used to create a VMware virtual machine from a raw disk image or physical disk. VFC uses a combination of VMware's VMware Player and the forensic disk-mount tool Mount Image Pro to create and mount the disk. This allows the forensic examiner to boot the image or the disk in ...
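The core of what LiveView and VFC do for a raw image is simple: they wrap the dd file in a VMware "monolithicFlat" VMDK descriptor so VMware treats the unmodified image as the disk's single flat extent. The script below is an added example, not code from the book or from either tool. It hashes the image, sanity-checks the MBR partition table, marks the image read-only, and writes the descriptor beside it. It assumes 512-byte sectors and the 16-head, 63-sector legacy IDE geometry VMware descriptors use; the partition-type map and the constructed 4 MiB sample image are assumptions for illustration only.

```python
"""Boot a raw dd image in VMware without converting it.

Added example, not code from the book or from LiveView / VFC: it wraps the
raw image in a "monolithicFlat" VMDK descriptor so VMware opens the dd
file as the disk's single flat extent.  Assumptions: 512-byte sectors and
the 16-head, 63-sector legacy IDE geometry used in VMware descriptors.
"""
import hashlib
import os
import struct
import tempfile

SECTOR = 512
HEADS, SPT = 16, 63        # assumed legacy IDE geometry
MAX_CYLINDERS = 16383      # IDE cylinder cap used in VMware descriptors

# Small partition-type map, assumed here only for the sanity check below.
PART_TYPES = {0x05: "extended", 0x07: "NTFS/exFAT", 0x0b: "FAT32",
              0x0c: "FAT32 (LBA)", 0x0f: "extended (LBA)", 0x82: "Linux swap",
              0x83: "Linux", 0xee: "GPT protective"}


def parse_mbr(sector0: bytes) -> list:
    """Return the in-use entries of an MBR partition table.

    A missing 0x55AA signature usually means the file is a partition dump
    rather than a whole-disk image, which will not boot as a disk.
    """
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature; not a whole-disk image?")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i:462 + 16 * i]
        status, ptype, lba_start, lba_len = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:          # empty slot
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "name": PART_TYPES.get(ptype, "unknown"),
                      "start": lba_start, "sectors": lba_len})
    return parts


def vmdk_descriptor(image_path: str, size_bytes: int) -> str:
    """Build the text descriptor that points VMware at the raw image."""
    if size_bytes % SECTOR:
        raise ValueError("image size is not a whole number of sectors")
    total = size_bytes // SECTOR
    cylinders = min(total // (HEADS * SPT), MAX_CYLINDERS)
    return "\n".join([
        "# Disk DescriptorFile",
        "version=1",
        "CID=fffffffe",
        "parentCID=ffffffff",
        'createType="monolithicFlat"',
        "",
        "# Extent description",
        f'RW {total} FLAT "{os.path.basename(image_path)}" 0',
        "",
        "# The Disk Data Base",
        "#DDB",
        "",
        'ddb.virtualHWVersion = "4"',
        f'ddb.geometry.cylinders = "{cylinders}"',
        f'ddb.geometry.heads = "{HEADS}"',
        f'ddb.geometry.sectors = "{SPT}"',
        'ddb.adapterType = "ide"',
        "",
    ])


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_descriptor(image_path: str) -> dict:
    """Hash the image, check its MBR, mark it read-only, write <image>.vmdk."""
    digest = sha256_file(image_path)
    with open(image_path, "rb") as f:
        parts = parse_mbr(f.read(SECTOR))
    os.chmod(image_path, 0o444)   # evidence must never be written to
    vmdk_path = image_path + ".vmdk"
    with open(vmdk_path, "w") as f:
        f.write(vmdk_descriptor(image_path, os.path.getsize(image_path)))
    return {"vmdk": vmdk_path, "sha256": digest, "partitions": parts}


def build_sample_image() -> bytes:
    """Constructed input: a 4 MiB 'disk' with one bootable NTFS partition."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 6144)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr) + bytes(8192 * SECTOR - SECTOR)


def demo() -> dict:
    """End to end on the constructed image; returns what a check can assert on."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "evidence.dd")
        with open(img, "wb") as f:
            f.write(build_sample_image())
        result = write_descriptor(img)
        with open(result["vmdk"]) as f:
            result["descriptor"] = f.read()
        result["unchanged"] = sha256_file(img) == result["sha256"]
    return result


if __name__ == "__main__":
    r = demo()
    for p in r["partitions"]:
        print(f"partition {p['index']}: {p['name']} start={p['start']} sectors={p['sectors']}")
    print(r["descriptor"])
```

Point a new VM at the generated .vmdk and, before powering it on, take a snapshot or set the disk to `ide0:0.mode = "independent-nonpersistent"` in the .vmx so that guest writes go to a redo log rather than to the evidence file; re-hash the image after the session to prove it was not altered. LiveView and VFC additionally patch the guest so it boots on virtual hardware (driver and HAL changes); this example does not, so a Windows image that worked on physical hardware may still need that step.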
