Forensic Analysis of VMware Hard Disks

research on collecting evidence from VMs following a forensic procedure is lacking. This thesis studies a forensically sound way to acquire and analyze VM hard disks. It also discusses the development of a tool which assists in the forensic analysis of snapshots of the virtual hard disks used in VMs. The tool analyzes the changes made to a virtual disk by comparing snapshots created at various stages. By comparing the state of the files in the base snapshot, which is believed to be clean, with the snapshot which is suspected of having been tampered with, forensic investigators are able to identify files that have recently been added, deleted, edited, or modified.
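The snapshot comparison described above, as an added example in Python (this is not the thesis tool's own code). It assumes each snapshot has already been mounted read-only as a directory tree, inventories every regular file by size, modification time and SHA-256, and then reports what was added, deleted, edited (content changed) or only touched (same content, different timestamp, which is worth a second look because it can indicate timestamp manipulation). The sample trees in `build_demo()` are constructed in a temporary directory so the script runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large disk images do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def inventory(root):
    """Map relative POSIX path -> (size, mtime_ns, sha256) for every regular file under root."""
    root = Path(root)
    inv = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():   # skip links and special files
                continue
            st = p.stat()
            inv[p.relative_to(root).as_posix()] = (st.st_size, st.st_mtime_ns, hash_file(p))
    return inv

def compare_snapshots(base_root, suspect_root):
    """Diff a known-clean snapshot tree against a suspect one.

    added/deleted come from path set differences; modified means the content hash
    changed; touched means the content is identical but the mtime differs.
    """
    base = inventory(base_root)
    suspect = inventory(suspect_root)
    common = set(base) & set(suspect)
    return {
        "added": sorted(set(suspect) - set(base)),
        "deleted": sorted(set(base) - set(suspect)),
        "modified": sorted(p for p in common if base[p][2] != suspect[p][2]),
        "touched": sorted(p for p in common
                          if base[p][2] == suspect[p][2] and base[p][1] != suspect[p][1]),
    }

def build_demo():
    """Construct two small sample snapshot trees (not real evidence) and diff them."""
    tmp = Path(tempfile.mkdtemp(prefix="snapdiff_"))
    base, sus = tmp / "base", tmp / "suspect"
    for root in (base, sus):
        (root / "etc").mkdir(parents=True)
        (root / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")   # unchanged
        (root / "etc" / "motd").write_bytes(b"welcome\n")                # touched below
    (base / "etc" / "old.conf").write_bytes(b"keep=1\n")                  # deleted in suspect
    (sus / "etc" / "unknown.bin").write_bytes(b"\x00\x01\x02")            # added in suspect
    (base / "etc" / "passwd").write_bytes(b"root:x:0:0\n")
    (sus / "etc" / "passwd").write_bytes(b"root:x:0:0\nextra:x:0:0\n")   # content edited

    # Pin every mtime to one fixed value so only deliberate differences show up.
    fixed = 1_600_000_000
    for root in (base, sus):
        for p in root.rglob("*"):
            if p.is_file():
                os.utime(p, (fixed, fixed))
    os.utime(sus / "etc" / "motd", (fixed + 3600, fixed + 3600))         # same bytes, new mtime
    return compare_snapshots(base, sus)

if __name__ == "__main__":
    for kind, paths in build_demo().items():
        print(f"{kind:9s} {paths}")
```

Against real snapshots, point `compare_snapshots()` at the two mount points and treat the "touched" list as a prompt to check the filesystem's other timestamps (ctime, creation time) rather than as a verdict.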


Download and read more here

Scalpel 2.0 released

Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files or data fragments from a set of image files or raw device files. Scalpel is filesystem-independent and will carve files from FATx, NTFS, ext2/3, HFS+, or raw partitions. It is useful for both digital forensics investigation and file recovery.

Features include:

  • Support for TRE-based regular expressions for headers and footers
  • Support for minimum carve sizes for recovered files
  • Parallel architecture to take full advantage of multicore processors
  • Beta support for NVIDIA CUDA-based GPU acceleration of header / footer searches
  • An asynchronous IO architecture for significantly faster IO throughput
  • Support for 32- and 64-bit Linux, Windows XP, Vista and 7, and OS X
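To show what a header/footer carver actually does, here is an added example in Python; it is not Scalpel's code and does not use its configuration file format. It uses the standard `re` module in place of TRE, carves from a constructed in-memory image rather than a device, and illustrates the two limits a practitioner relies on: a maximum carve size that bounds a file whose footer is missing, and a minimum carve size that discards fragments too small to be real files.

```python
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

@dataclass(frozen=True)
class CarveRule:
    name: str                 # label used as the output extension
    header: bytes             # regex (bytes) matching the start of a file
    footer: Optional[bytes]   # regex for the end marker; None means carve max_size bytes
    max_size: int             # upper bound on bytes carved per hit
    min_size: int = 0         # hits smaller than this are discarded as fragments

def carve(image: bytes, rules):
    """Return (name, offset, size, data) for every header hit that satisfies its rule.

    For each header match, the footer is searched only inside [header end, header
    start + max_size). If no footer is found the carve stops at max_size, which is
    how a file with a missing or overwritten trailer still gets recovered.
    """
    results = []
    for rule in rules:
        hdr = re.compile(rule.header, re.DOTALL)
        ftr = re.compile(rule.footer, re.DOTALL) if rule.footer else None
        for m in hdr.finditer(image):
            start = m.start()
            window_end = min(len(image), start + rule.max_size)
            end = window_end
            if ftr:
                fm = ftr.search(image, m.end(), window_end)
                if fm:
                    end = fm.end()
            size = end - start
            if size < rule.min_size:
                continue
            results.append((rule.name, start, size, image[start:end]))
    return sorted(results, key=lambda r: r[1])

def save_carved(results, outdir):
    """Write each hit as <offset>.<name>, mirroring the offset-based naming carvers use."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    for name, offset, _size, data in results:
        (outdir / f"{offset:08d}.{name}").write_bytes(data)

# JPEG: SOI marker followed by an APPn marker, terminated by EOI. Sizes are small
# here only so the constructed image stays readable.
DEMO_RULES = [
    CarveRule("jpg", rb"\xff\xd8\xff[\xe0-\xef]", rb"\xff\xd9", max_size=128, min_size=10),
]

def build_demo_image() -> bytes:
    """Constructed raw image (not real data) with four JPEG-like regions."""
    filler = b"\x00" * 16
    jpg1 = b"\xff\xd8\xff\xe0" + b"A" * 20 + b"\xff\xd9"     # complete, 26 bytes
    tiny = b"\xff\xd8\xff\xe0" + b"\xff\xd9"                 # 6 bytes: below min_size
    jpg2 = b"\xff\xd8\xff\xe1" + b"B" * 100 + b"\xff\xd9"    # complete, 106 bytes
    truncated = b"\xff\xd8\xff\xe0" + b"C" * 200             # no footer: capped at max_size
    return filler + jpg1 + filler + tiny + filler + jpg2 + filler + truncated

if __name__ == "__main__":
    hits = carve(build_demo_image(), DEMO_RULES)
    for name, offset, size, _ in hits:
        print(f"{name} at offset {offset}, {size} bytes")
```

On the constructed image the carver reports three hits: the two complete files, and the trailer-less one cut at 128 bytes, while the 6-byte fragment is dropped by the minimum size. A real run would read the image in overlapping chunks rather than into one `bytes` object, which is the part Scalpel's asynchronous IO and parallel design address.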

If you are interested in the GPU research that went into this project, we published a paper at DFRWS that discusses both the CUDA architecture as well as the integration of it into Scalpel. It can be found here.

Download Current Version: