In my previous post I talked about the use of virtualization technology and how it is beneficial in the world of digital forensics. One of the ways that many utilize virtual workstations is for research and validation.
Two advantages of virtualization are the ability to revert a workstation to a clean state using snapshots, and the ability to quickly examine a virtual workstation's disk in read-only mode without first acquiring a clone of it.
Creating and reverting to snapshots of virtual machines was discussed briefly in the previous post. In this post I will show how I access the VMDK files of my test workstations from within my forensic examination workstation for analysis.
I currently use virtual workstations not only for my test workstations but also for my examination workstation. However, the steps below could easily be adapted if you only run your test workstations in VMware Workstation on your examination system, or if the system running the virtual desktops is another computer, by making use of network file shares.
One advantage of having both the examination system and the test workstations running within the virtual environment is the ability to give the examination system read-only access to the disk files of the test workstations.
Note: I have not yet completed any verification testing to ensure that the VMware Workstation read-only option is in fact forensically sound, but it does prevent writing to the selected directory that houses the VMDK files via Windows Explorer.
The steps below are how I access the VMDK files.
- Open the examination system within VMware Workstation
- Click on the VM menu within VMware Workstation and select Settings
- The Virtual Machine Settings dialog box will open
- Click on the Options tab
- Select Shared Folders from the list on the left side of the dialog box
- Select either Always Enabled or Enabled until next power off or suspend, depending on your requirements
- Select the checkbox for Map as a network drive in Windows guests
- Click the Add button
- The Add Shared Folder wizard will launch
- Click Next
- Browse to the folder where the VMDK files are stored for your test workstations
- Provide a name for the folder
- Click Next
- Ensure that Enable this share is checked
- Select the check box for Read Only
- Click Finish
- You will be returned to the Virtual Machine Settings dialog box
- Click Ok
Once the shared folder has been added, boot the examination workstation. In Windows Explorer you should now see a mapped drive that corresponds to the shared folder you just created.
Browsing this mapped drive will show the VMDK files for any workstations stored in that folder.
At this point you can analyze a VMDK file with your analysis software of choice by browsing directly to the shared folder and opening it. In my case I am utilizing Autopsy 4.1.1.
The image below shows the VMDK file for my Win7-Test workstation added as a Data Source into Autopsy.
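Because the read-only option above has not yet been verified as forensically sound, a simple check is to prove, from inside the Windows examination guest, that the mapped share rejects writes and that the VMDK files are byte-for-byte unchanged after analysis. The script below is an added example and is not part of the original post. It records SHA-256 hashes of every .vmdk file under the share (the descriptor, its extent files and any snapshot delta files, all of which an analysis tool needs to reassemble the disk) and compares them on a later run. The drive letter Z: and the manifest path are assumptions; substitute your own.

```powershell
# Added example: verify the VMware read-only shared folder from inside the
# Windows examination guest and track VMDK integrity across an examination.
# The mapped drive letter and the manifest location are assumptions.
param(
    [string]$Share    = 'Z:\',                                  # mapped shared folder (assumption)
    [string]$Manifest = "$env:USERPROFILE\vmdk-hashes.csv"      # baseline hash list (assumption)
)

# Hash every .vmdk under the share: descriptor, flat/sparse extents and
# snapshot deltas (e.g. *-000001.vmdk) all count, since the analysis tool
# reads the whole chain.
function Get-VmdkManifest {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -Filter *.vmdk -File |
        ForEach-Object {
            $h = Get-FileHash -Path $_.FullName -Algorithm SHA256
            [pscustomobject]@{
                Path             = $_.FullName
                Length           = $_.Length
                LastWriteTimeUtc = $_.LastWriteTimeUtc.ToString('o')
                SHA256           = $h.Hash
            }
        }
}

# Try to create a probe file on the share. A read-only share should refuse
# with an access-denied or I/O error; if the write succeeds the share is
# writable and must not be used for examination.
function Test-ShareReadOnly {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Share $Path is not reachable; check VMware Tools and the mapped drive."
    }
    $probe = Join-Path $Path ('ro-probe-{0}.txt' -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        # Write succeeded: clean up and report the share as writable.
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $false
    } catch [System.UnauthorizedAccessException], [System.IO.IOException] {
        return $true
    }
}

# 1. Refuse to proceed if the share accepts writes.
if (-not (Test-ShareReadOnly -Path $Share)) {
    throw "Share $Share accepted a write; fix the Read Only setting before analysis."
}

# 2. First run: record the baseline before opening anything in Autopsy.
if (-not (Test-Path -LiteralPath $Manifest)) {
    Get-VmdkManifest -Path $Share | Export-Csv -Path $Manifest -NoTypeInformation
    Write-Host "Baseline written to $Manifest"
    return
}

# 3. Later runs: compare the current state of the share with the baseline.
$baseline = Import-Csv -Path $Manifest
$current  = Get-VmdkManifest -Path $Share
$diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Path, SHA256
if ($diff) {
    $diff | Format-Table -AutoSize
    throw 'VMDK contents changed since the baseline was recorded.'
}
Write-Host 'All VMDK hashes match the baseline.'
```

Run the script once before adding the VMDK as a data source to write the baseline, and again after the examination to confirm nothing changed. Two caveats: the test workstation must be powered off (not suspended) while it is examined, because a running or suspended VM keeps writing to its disk files and the read-only share only constrains this guest, not the host; and hashing multi-gigabyte VMDKs takes a while, so plan for that. Get-FileHash requires PowerShell 4.0 or later, which matters on a Windows 7 examination guest.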
Another advantage of examining the VMDK files directly, especially for research and validation, is that no additional storage space is required for a cloned image file.
Note: If the shared folder does not show up in your Windows virtual machine as a mapped drive, ensure that your installation of VMware Tools is current, especially if you recently updated VMware Workstation and have not updated the tools. I ran into this issue a couple of times and uninstalling and reinstalling VMware Tools resolved the issue.
I hope this post has been helpful and possibly shown you just one of the ways that virtual workstations can be utilized for testing and validation. If you are using virtual machines in your digital forensics world leave a comment and let me know how you use them.
Look for upcoming posts regarding the use of virtual machines in the digital forensics world.