Virtualization in Digital Forensics

I have been a proponent of virtualization from both a personal and a business standpoint, and my journey into the world of digital forensics is no exception. I have read several articles and listened to multiple podcasts that talk about the advantages of using virtualization not only for the examiner's forensic workstation but also for research, testing, and validation.

Forensic workstations, research, and validation are exactly what I am using virtual machines running in VMWare Workstation to accomplish.

I am currently running VMWare Workstation 12.5.1 on a Lenovo ThinkPad P50 laptop. The ThinkPad is equipped with 64 GB of RAM and 1.5 TB of hard disk space and is currently running Windows 10 Enterprise. Within VMWare Workstation I currently have five virtual workstations built to serve as either forensic examination workstations or test and validation workstations. There are alternatives to VMWare Workstation (which runs on Windows and Linux), such as VirtualBox for Windows, Mac or Linux and VMWare Fusion for Mac, to name a couple. I can’t speak to the comparable functionality of the other virtualization software as I am not as familiar with them.

You can check out the virtualization options listed above at the following links.

VMWare Workstation
Virtual Box
VMWare Fusion

The five workstations I currently have are outlined below:

  • WINDF_01 – Windows 10 Forensic Workstation
  • SIFT3 – SANS SIFT 3 Forensic Workstation
  • Win7Test – Windows 7 Test Workstation
  • Win8Test – Windows 8 Test Workstation
  • Win10Test – Windows 10 Test Workstation

There are several advantages to running test and validation as well as the forensic workstation as a virtual machine. I am positive that the majority of these benefits have been documented by others but they bear repeating.

  • Cost – At the time of this writing a copy of VMWare Workstation is $249.99. This is considerably cheaper than running physical workstations for the five examples listed above.
  • Space savings – You only need the physical workspace for the one machine that hosts the virtual machines.
  • Portability – No matter where I go I have all of my forensic workstations and test workstations at my disposal.
  • Snapshots – The ability to take a snapshot of a virtual workstation to preserve its state, and to roll the workstation back to that snapshot later.
  • Ease of examination of test workstations – Tools such as Autopsy and FTK Imager both support VMDK files as an image format.
  • Read-only examination – VMDK files can be examined read only without having to acquire an image. Do this with the virtual machine powered off so the disk is not changing underneath the tool, and remember that once a snapshot exists, later writes go to a delta VMDK while the base VMDK stays frozen at the snapshot's state; hashing the file before and after the examination documents that nothing was altered.
  • Controlled scenarios – The ability to create specific scenarios in a controlled environment that can be examined and verified.

Below are the steps that I utilize to create a snapshot of a test workstation.  In an upcoming post I will cover how I make the VMDK files for each test workstation available to my forensic workstation for analysis.

VMWare Workstation Snapshot

Once I have the OS loaded and all updates applied to the workstation I take an initial snapshot of the workstation at this point.  This snapshot allows me to return this workstation to this initial state in the event that I run into an issue, want to examine another artifact, or test how artifacts respond to different scenarios.

Creating a snapshot in VMWare Workstation is as simple as clicking on the Create Snapshot button in the tool bar and then providing a description of that snapshot.

Once the initial snapshot has been created, reverting to it is as easy as selecting it from the list of available snapshots and letting the workstation restore itself to that point in time.

The ability to create and revert to multiple snapshots lets you maintain several states of the test workstation and switch between them as needed.
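The snapshot workflow above, scripted instead of clicked, together with the hash check that backs the read-only VMDK examination mentioned in the benefits list. This is an added example written for this page, not code from the original post or from VMware. It assumes that vmrun (installed with Workstation) is on PATH or pointed to by a VMRUN environment variable, that the VMs are Workstation VMs (so vmrun takes `-T ws`), that `vmrun listSnapshots` prints a `Total snapshots: N` header followed by one name per line, and that the .vmx path and snapshot names in `__main__` are made up.

```python
"""Snapshot automation for VMware Workstation test VMs, plus a hash check
for read-only VMDK examination. Added example, not code from the post.

Assumptions (not stated in the post):
  * vmrun ships with Workstation and is on PATH, or VMRUN points to it
  * the VMs are Workstation VMs, so vmrun takes -T ws
  * `vmrun listSnapshots` prints "Total snapshots: N" then one name per line
  * the .vmx path and snapshot names in __main__ are made up
"""
import hashlib
import os
import shutil
import subprocess
import tempfile

VMRUN = os.environ.get("VMRUN") or shutil.which("vmrun") or "vmrun"


def vmrun_cmd(action, vmx, *args):
    """Build the argument list for one vmrun call against a Workstation VM."""
    return [VMRUN, "-T", "ws", action, str(vmx), *args]


def run(cmd, dry_run=False):
    """Execute a vmrun command and return its stdout; dry_run only prints it."""
    if dry_run:
        print("would run:", " ".join(cmd))
        return ""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def create_snapshot(vmx, name, dry_run=False):
    """Take a named snapshot (the 'Create Snapshot' toolbar button, scripted)."""
    return run(vmrun_cmd("snapshot", vmx, name), dry_run)


def revert_to_snapshot(vmx, name, dry_run=False):
    """Roll the VM back to a named snapshot."""
    return run(vmrun_cmd("revertToSnapshot", vmx, name), dry_run)


def parse_snapshot_list(output):
    """Turn `vmrun listSnapshots` output into a list of snapshot names.

    Raises ValueError if the header is missing or the count does not match,
    so truncated or unexpected output is not silently trusted.
    """
    lines = [line.strip() for line in output.splitlines() if line.strip()]
    if not lines or not lines[0].startswith("Total snapshots:"):
        raise ValueError("unexpected listSnapshots output: %r" % output)
    declared = int(lines[0].split(":", 1)[1])
    names = lines[1:]
    if len(names) != declared:
        raise ValueError("header says %d snapshots, found %d" % (declared, len(names)))
    return names


def list_snapshots(vmx):
    return parse_snapshot_list(run(vmrun_cmd("listSnapshots", vmx)))


def reset_to_baseline(vmx, snapshot_names, baseline="Baseline", dry_run=False):
    """Return to the clean baseline, creating it first if it does not exist yet.

    Returns the action taken ("reverted" or "created") for the caller's log.
    """
    if baseline in snapshot_names:
        revert_to_snapshot(vmx, baseline, dry_run)
        return "reverted"
    create_snapshot(vmx, baseline, dry_run)
    return "created"


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=1 << 20):
    """Hash a (possibly multi-GB) VMDK in chunks rather than reading it whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_unchanged(path, expected_hash):
    """True if the file still hashes to the value recorded before examination."""
    return sha256_file(path) == expected_hash


if __name__ == "__main__":
    vmx = r"C:\VMs\Win10Test\Win10Test.vmx"  # made-up path
    # Constructed vmrun output, standing in for a real listSnapshots call.
    sample = "Total snapshots: 2\nBaseline\nAfter-USB-Insert\n"
    names = parse_snapshot_list(sample)
    print(names, reset_to_baseline(vmx, names, dry_run=True))
    create_snapshot(vmx, "After-USB-Insert", dry_run=True)

    # Hash check around a read-only examination; a throwaway file stands in
    # for the real VMDK.
    with tempfile.NamedTemporaryFile(delete=False, suffix=".vmdk") as tmp:
        tmp.write(b"constructed stand-in for a VMDK")
    before = sha256_file(tmp.name)
    # ... open tmp.name read-only in FTK Imager or Autopsy here ...
    print("unchanged after examination:", verify_unchanged(tmp.name, before))
    os.unlink(tmp.name)
```

Run it with `dry_run=True` first to see the exact vmrun commands before letting it touch a VM. For the hash check, record the digest of the base VMDK (or the delta VMDK if that is the state you are examining) with the VM powered off, open the file in your forensic workstation, then hash it again; a matching digest is the evidence that the read-only examination left the test workstation untouched.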

Virtualization is a great tool for a multitude of reasons and can be leveraged by many areas within a company or in an individual's work processes. Digital forensics is one of the areas where virtualization is a great fit. Try out VMWare Workstation or one of the alternatives and see how virtual workstations can benefit your examinations, testing, and validation.