With the advancement in virtualization technology, virtual machines (VMs) are becoming a common and integral part of datacenters. As the popularity and use of VMs increase, incidents involving them are also on the rise. There is substantial research on using VMs and virtual appliances to aid forensic investigation, but research on the appropriate forensics procedures for collecting and analyzing evidence within a VM following is lacking. This paper presents a forensically sound way to acquire and analyze VM hard disks. A forensics tool for analyzing VM snapshots and vmdk files is developed and has been proven to be forensically sound.

Date of creation, presentation, or exhibit



Presented at the 2012 International Conference on Security and Management, Las Vegas, NV, July 16-19.

Document Type

Conference Paper

Department, Program, or Center

Information Sciences and Technologies (GCCIS)


RIT – Main Campus