Virtualization is a technology that uses a logical environment to overcome physical limitations in hardware. Recently, its coverage has become broader. Because a virtual machine can perform the same role as an actual system, a recorded user's activity trail in the virtual machine is important factor in terms of digital forensics. If the investigator found trails of the VMware Workstation on the host, he should investigate the virtual machine along with host system. However, due to a lack of understanding of the virtual machine, the investigation process is not clear. Moreover, a damaged virtual machine image is difficult to investigate because of the structural characteristics. Therefore, we need a technical understanding and a research about investigation procedures and recovery methods on the virtual machine. In this research, we suggest an investigation procedure of digital forensics and a recovery method on damaged images for the VMware Workstation that has the largest number of users.
Bibliographical noteFunding Information:
This work was supported by the IT R&D program of MKE/KEIT ( 10035157 , Development of Digital Forensic Technologies for Real-Time Analysis).
- Digital forensics
- Virtual machine
ASJC Scopus subject areas
- Modelling and Simulation
- Computer Science Applications