Forensics with VMware VDDK

The Crucial Security Forensics Blog lists reasons why the VMware Virtual Disk Development Kit (VDDK) might be useful for a forensics investigation that needs to mount and manipulate VMDK files.

One scenario is master boot record infection, such as the Stoned bootkit. Stoned is a Windows bootkit that targets all Windows versions from 2000 up to 7; it is loaded from the MBR before Windows starts and stays memory resident. Reading sector 0 from the VMDK outside the guest gives an unfiltered view of the MBR, rather than whatever a resident bootkit presents to tools running inside the infected OS.
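The MBR check described above, as an added example that is not code from the original post or from the Crucial Security blog. It assumes the analyst has already pulled the 512-byte sector 0 out of the virtual disk, either with VDDK's VixDiskLib_Read or by reading the start of a flat extent (a -flat.vmdk stores raw sectors; a sparse VMDK does not, and needs VDDK or another parser). The sample MBR, the "clean" boot code and the baseline hash are constructed for the demonstration; a real baseline would be taken from a known-clean install of the same Windows version.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439 of a classic MBR hold the boot code
DISK_SIG_OFFSET = 440        # 4-byte Windows disk signature
PART_TABLE_OFFSET = 446      # four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Decode one 512-byte MBR into boot-code hash, disk signature and partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": count,
        })
    return {
        # A missing 0x55AA signature means this is not a valid MBR (or was overwritten).
        "has_signature": sector[510:512] == MBR_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
        "partitions": partitions,
    }


def compare_boot_code(sector: bytes, known_good_sha256: str) -> bool:
    """True when the boot code matches the baseline hash; False flags a modified MBR."""
    return parse_mbr(sector)["boot_code_sha256"] == known_good_sha256


def read_sector(path: str, lba: int = 0) -> bytes:
    """Read one sector from a flat extent (-flat.vmdk), which stores raw sectors.
    With VDDK the same bytes come from VixDiskLib_Read(handle, lba, 1, buf)."""
    with open(path, "rb") as f:
        f.seek(lba * SECTOR_SIZE)
        return f.read(SECTOR_SIZE)


def build_sample_mbr(boot_code: bytes, with_signature: bool = True) -> bytes:
    """Constructed MBR for the demo (not a real disk): one bootable NTFS partition at LBA 2048."""
    assert len(boot_code) <= BOOT_CODE_LEN
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFFSET, 0xDEADBEEF)
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFFSET, 0x80, 0x07, 2048, 204800)
    if with_signature:
        sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


# Constructed stand-in for clean boot code: a few typical opening bytes and NOP padding.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 50
CLEAN_BOOT_HASH = hashlib.sha256(CLEAN_BOOT_CODE.ljust(BOOT_CODE_LEN, b"\x00")).hexdigest()


def demo() -> tuple:
    """Compare a clean and a (hypothetically) patched MBR against the baseline hash."""
    clean = build_sample_mbr(CLEAN_BOOT_CODE)
    # Hypothetical tampering: the first two NOPs replaced by a short jump into other code.
    tampered = build_sample_mbr(CLEAN_BOOT_CODE.replace(b"\x90\x90", b"\xeb\x3e", 1))
    return compare_boot_code(clean, CLEAN_BOOT_HASH), compare_boot_code(tampered, CLEAN_BOOT_HASH)


if __name__ == "__main__":
    import sys
    sector = read_sector(sys.argv[1]) if len(sys.argv) > 1 else build_sample_mbr(CLEAN_BOOT_CODE)
    info = parse_mbr(sector)
    print(f"signature ok: {info['has_signature']}  disk sig: {info['disk_signature']:#010x}")
    print(f"boot code sha256: {info['boot_code_sha256']}")
    for p in info["partitions"]:
        print(f"  part {p['index']}: type {p['type']:#04x} bootable={p['bootable']} "
              f"lba={p['lba_start']} sectors={p['sectors']}")
    print("clean matches baseline, tampered matches baseline:", demo())
```

Run it with the path to a -flat.vmdk to parse a real sector 0, or with no argument to use the constructed sample. Hashing only the first 440 bytes matters: the disk signature and partition table legitimately differ between machines, so including them would make every disk look "modified".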

Another scenario involves malware on the host inserting itself into every VMDK file it can find, so that each guest is reinfected from its own disk image.

Thirdly, offline access to the VMDK would be essential if the malware targeted sensitive files such as the SYSTEM and SOFTWARE registry hives, the SAM, or private keys. These files are held open by the running OS, so the reliable way to collect them is from the disk while the guest is not running.

Fourth, if the virtual disk were using full disk encryption, the analyst could still read every sector through the VDDK API without booting the guest. The data comes back as it sits on disk, so an encrypted volume is returned as ciphertext; recovering the plaintext still requires the volume's key or recovery material, for example from a memory image of the running guest.

Lastly, if the guest had other controls in place, such as AV or host-based protection that blocks access to certain files, an analyst reading the VMDK offline would reach those files without booting the virtual disk and without those controls running.
