Analyzing the Impact of a Virtual Machine on a Host Machine

  • Greg Dorn
  • Chris Marberry
  • Scott Conrad
  • Philip Craiger
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 306)


As virtualization becomes more prevalent in the enterprise and in personal computing, there is a great need to understand the technology as well as its ramifications for recovering digital evidence. This paper focuses on trace evidence related to the installation and execution of virtual machines (VMs) on a host machine. It provides useful information regarding the types and locations of files installed by VM applications, the processes created by running VMs and the structure and identity of VMs, ancillary files and associated artifacts.


Keywords: Virtualization, virtual machine, VMware, Parallels



Copyright information

© IFIP International Federation for Information Processing 2009
