Forensic Analysis of Virtual Hard Drives

DC Field | Value | Language
dc.contributor.author | Tobin, Patrick | -
dc.contributor.author | Le-Khac, Nhien-An | -
dc.contributor.author | Kechadi, Tahar | -
dc.identifier.citation | Journal of Digital Forensics, Security and Law | en_US
dc.description.abstract | The issue of the volatility of virtual machines is perhaps the most pressing concern in any digital investigation involving a virtual machine. Current digital forensics tools do not fully address the complexities of data recovery that are posed by virtual hard drives. It is necessary, for this reason, to explore ways to capture evidence, other than those using current digital forensic methods. Data recovery should be done in the most efficient and secure manner, as quickly, and in as non-intrusive a way as can be achieved. All data in a virtual machine is disposed of when that virtual machine is destroyed; it may not therefore be possible to extract and preserve evidence such as incriminating images prior to destruction. Recovering that evidence, or finding some way of associating that evidence with the virtual machine before destruction of that virtual machine, is therefore crucial. In this paper we present a method for extracting evidence from a virtual hard disk drive in a quick, secure and verifiable manner, with a minimum impact on the drive, thus preserving its integrity for further analysis. | en_US
dc.description.sponsorship | Science Foundation Ireland | en_US
dc.publisher | The Association of Digital Forensics, Security and Law | en_US
dc.subject | Virtual machine | en_US
dc.subject | Digital forensics | en_US
dc.subject | Virtual machine forensics | en_US
dc.subject | Data recovery | en_US
dc.subject | Preserving evidence | en_US
dc.subject | Virtual hard drive | en_US
dc.title | Forensic Analysis of Virtual Hard Drives | en_US
dc.type | Journal Article | en_US
dc.status | Peer reviewed | en_US
dc.citation.other | Article 10 | en_US
item.fulltext | With Fulltext | -
Appears in Collections: Insight Research Collection
Files in This Item:
File | Description | Size | Format
insight_publication.pdf | | 119.6 kB | Adobe PDF

This item is available under the Attribution-NonCommercial-NoDerivs 3.0 Ireland. No item may be reproduced for commercial purposes. For other possible restrictions on use please refer to the publisher's URL where this is made available, or to notes contained in the item itself. Other terms may apply.