Virtual machines are useful for many purposes in computing, but they can also be used to hide evidence of user activity on a computer system. Cybercriminals are using virtual machines because it is apparently easy to remove all trace of their activities just by deleting a single file. This seminar describes virtual machines, their methods of operation, how they are used to hide user activity, and how to detect their use. It also describes how to use virtual machines for malware analysis and other aspects of cyber forensics.
Understanding how files are stored (and may be hidden) on a disk or other storage media (solid-state disk, USB "key", SD card, etc.) is essential to performing a thorough forensic investigation. Learn the essentials of the on-disk formats of NTFS, EFS, FAT 12/16/32, exFAT, CDFS, and UDFS. This seminar also covers details of partitioning methods (MBR vs. GPT), the various types of Windows "volumes," basic vs. dynamic disks, and the new Storage Spaces.