VMware and forensics

Status
Not open for further replies.

layusn1

IS-IT--Management
Oct 28, 2007
Hi, I am new here and trying to navigate the forums to figure out the best place to post this question, and this one seems like a decent match. Anyway, here is my question... I work on computer security and forensic related topics and was wondering how VMware affects forensics. Specifically, if a VMware image is deleted, what traces of activity conducted on that image can be retrieved by forensics software? Could forensics software retrieve the image? If someone were to use a privacy utility that "erases" track/overwrites the drive, would anything be recoverable from within the image if the image was recovered? From a network perspective, the internet traffic and file sharing traffic still has to pass through the host OS network adapter to the virtual adapter/image, correct? What kind of evidence does that leave on the physical hard drive that hosted the VMware/image? Any thoughts/inputs would be greatly appreciated. Thanks.
 
I am not a forensics guy but I do have 2 cents lol.

I would think on the actual host the same rules apply on lifting a "deleted" image of the VM. If you can get the drive file you are set.

Now if you are in a VM and delete information in the vm, how easy is it to recover, I do not know but think that is interesting.

Gb0mb

........99.9% User Error........
 