Abstract

This paper represents part of the work that was submitted for the RMCS Shrivenham/Cranfield University MSc in Forensic Computing in March 2005. An investigation into the restoration of forensically acquired digital data to virtual hardware was undertaken. The objective of the investigation was to devise a methodology by which a subject operating system could be booted in a virtual environment. This would enable the investigator to experience the subject system in a controlled environment where file system changes could be discarded and the ‘original’ clone preserved for future, repeatable usage.

During the research and experimentation stages of this project, the following software was utilised:

• EnCase 3.22g was the primary forensic imaging tool.
• Mount Image Pro 1.05 was used to mount the forensic image files as a physical disk.
• Symantec Ghost 2003 was used to clone the physical disk to a new virtual disk.
• VMware 4.5.2 build-8848 was the virtual machine software used. The underlying architecture of VMware is Intel based.
• Microsoft Windows XP was used as the host examination system.

During the research phase of this project, the host examination machines utilised both Intel and VIA (AMD processor) architectures.
