
Recovering data from virtual machine.

  • 04-07-2014 2:29am
    #1
    Registered Users Posts: 627 ✭✭✭


    Just wondering, would you say you can recover data held on a virtual machine from the host?


Comments

  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 90,802 Mod ✭✭✭✭Capt'n Midnight


    Not to mention booting from a live CD like backtrack


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    Just wondering, would you say you can recover data held on a virtual machine from the host?

    Hi House of Blaze. As a matter of fact, most of the Linux forensics tools I've seen come with a few virtual machine images to download so you can test the tools, e.g. DEFT Linux. As Captain Midnight says, Backtrack can be used in this way too.

    Even implementing full disk encryption wouldn't necessarily help as if the virtual disk image could be examined on separate occasions it may be possible to glean information about encrypted data from analysing the data alone.


  • Registered Users Posts: 627 ✭✭✭House of Blaze


    That's interesting, I wouldn't have thought that a fully encrypted Linux guest disk would be vulnerable like that.

    Good to know though, thanks!


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    That's interesting, I wouldn't have thought that a fully encrypted Linux guest disk would be vulnerable like that.

    Good to know though, thanks!

    No problem House. The vulnerability is theoretical of course and there's no particular reason to pick on virtual machines - the same is true for any computer using full disk encryption - it's not so much a case of actual data being recovered although that's a possibility, it has more to do with plausible denial in that you can't claim that your hard drive was just filled with random data in order to erase it.

    Of course if someone has physical access to the virtual machine they could tamper with the boot partition and install some kind of keylogger which would probably make their lives easier.

    One way to check against this might be to digitally sign your virtual disk image with gpg each time you shut it down. That way if any tampering took place between then and the next time you used it, it wouldn't match the signature and you'd know not to use it... I think I've just had my first bright idea in years! :-D
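
The signing check suggested in the post above, as an added example that is not part of the original thread: a detached GPG signature is written when the guest is shut down and checked before the next boot, and the check also pins the signer's fingerprint so a signature made with some other key in the keyring is rejected. The function names, image path and `SIGNER_FPR` variable are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): seal a VM disk image with a detached
# GPG signature and refuse to use it if the signature no longer matches.
# Function names, paths and SIGNER_FPR are hypothetical.

# seal_image IMAGE KEY -> writes IMAGE.sig next to the image.
seal_image() {
    local image="$1" key="$2"
    gpg --batch --yes --local-user "$key" \
        --output "$image.sig" --detach-sign "$image"
}

# verify_image IMAGE EXPECTED_FPR
# Returns 0 only if the signature is cryptographically good AND was made by
# the expected primary key; 1 on tampering or wrong signer; 2 if no signature.
verify_image() {
    local image="$1" want="$2" status got
    [ -f "$image.sig" ] || { echo "no signature for $image" >&2; return 2; }
    # --status-fd 1 emits machine-readable lines; gpg exits non-zero on BADSIG.
    status=$(gpg --batch --status-fd 1 --verify "$image.sig" "$image" 2>/dev/null) || {
        echo "signature check failed, image changed since sealing: $image" >&2
        return 1
    }
    # The last field of the VALIDSIG line is the primary key fingerprint.
    got=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF; exit }')
    [ -n "$got" ] && [ "$got" = "$want" ] || {
        echo "image signed by unexpected key: ${got:-none}" >&2
        return 1
    }
}

# Typical use (paths are placeholders):
#   after guest shutdown:  seal_image /vm/guest.img "$SIGNER_FPR"
#   before next boot:      verify_image /vm/guest.img "$SIGNER_FPR" || exit 1
```

The check is only as strong as the private key and the expected fingerprint, so both need to live somewhere a person with access to the host cannot reach, such as a smartcard or a separate machine. It detects changes to the image file itself, not changes to the host or hypervisor that runs it.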

