Abstract
With the advancement of virtualization technology, virtual machines (VMs) are becoming a common and integral part of datacenters. As the popularity and use of VMs increase, incidents involving them are also on the rise. There is substantial research on using VMs and virtual appliances to aid forensic investigation, but research on collecting evidence from VMs following a forensic procedure is lacking. This thesis studies a forensically sound way to acquire and analyze VM hard disks. It also discusses the development of a tool that assists in the forensic analysis of snapshots of virtual hard disks used in VMs. The tool analyzes the changes made to a virtual disk by comparing snapshots created at various stages. By comparing the state of the files in the base snapshot, which is believed to be clean, with the snapshot that is suspected of being tampered with, forensic investigators are able to identify files that have been recently added, deleted, edited, or modified.
Library of Congress Subject Headings
Virtual computer systems--Security measures; Computer crimes--Investigation
Publication Date
2011
Document Type
Thesis
Advisor
Pan, Yin
Advisor/Committee Member
Johnson, Daryl
Advisor/Committee Member
Stackpole, Bill
Recommended Citation
Hirwani, Manish, "Forensic analysis of VMware hard disks" (2011). Thesis. Rochester Institute of Technology. Accessed from https://repository.rit.edu/theses/624
Campus
RIT – Main Campus
Comments
Note: imported from RIT’s Digital Media Library running on DSpace to RIT Scholar Works in December 2013.