We have added support in Oxygen Forensic® Detective for the import and analysis of images of virtual machines of VMX and VBOX formats.
What is a Virtual Machine?
A virtual machine is similar to a physical computer like a laptop, smart phone, or server. It stores files on a CPU, memory, disks, and can connect to the internet. It can run in a window as a separate computing environment, often running a different operating system—or even functioning as the user’s computer .
Virtual machines in Oxygen Forensic® Detective
In Oxygen Forensic® Detective v.14.1, we added support for the import of hard disk images of VDI, VHD, and VMDK virtual machines. However, back then users could not import the entire image, only the disks it consisted of.
With version 14.5, investigators are able to analyze images of virtual machines to the fullest, without any inconveniences or backlogs.
Supported Formats
VMX
VMX is a configuration file used by VMware virtualization software such as VMware Workstation and VMware Fusion. It stores settings for a virtual machine created using VMWare’s New Virtual Machine Wizard.
Each VMX file includes a virtual machine’s memory, hard disk, and processor limit settings.
VBOX
Oracle VM VirtualBox (formerly Sun VirtualBox, Sun xVM VirtualBox, and Innotek VirtualBox) is a type-2 hypervisor for x86 virtualization developed by Oracle Corporation. Users of VirtualBox can load multiple guest operating systems (OS)s under a single host OS.
Each guest can be started, paused, and stopped independently within its own virtual machine (VM). The user can independently configure each VM and run it under a choice of software-based virtualization or hardware-assisted virtualization if the underlying host hardware supports this.
The host OS, guest OSs, and applications can communicate with each other through a number of mechanisms, including a common clipboard and a virtualized network facility. Guest VMs can also directly communicate with each other, if configured to do so.
Virtual Machine Importing Process
Desktop Extraction
To initiate the import, open the Home screen of Oxygen Forensic® Detective and scroll to the “Import” section.
From there, choose the option available within “Desktop extractions”.
In the opened window, select the file of interest to import it into the system.
Import with Oxygen Forensic® KeyScout
Alternatively, investigators can launch Oxygen Forensic® KeyScout from the Home screen of Oxygen Forensic® Detective and then select the image of interest by clicking “Open” on the start screen.
In the new window that opens, select an image of interest and wait till its data is parsed.
As soon as the image is parsed, its data will become available for further analysis in Oxygen Forensic® Detective.
If a VMX or a VBOX file is chosen for import, KeyScout loads all disks connected to the virtual machine automatically and adds information to the extraction.
Click on the “Advanced options” button to review all partitions included in the image. Investigators can manually uncheck the options they think are irrelevant to the investigation.
Conclusion
Imported data from virtual machines can provide evidence to law enforcement and help aid in solving cases. This is the reason why Oxygen Forensics continues to work on new features in our solution, making sure we provide investigators with the most innovative tools to help make the world a safer place.
Interested in importing and analyzing data from virtual machines?
Contact us for an Oxygen Forensic® Detective trial license and have access to the entire suite.