Virtual machines are everywhere, no longer confined to the corporate environment. It is not unheard of for consumers to use virtualization software on their personal devices these days. Examination of these VMs does not differ much from normal host investigations. Tools like FTK Imager support common virtualized HDDs and can be used to preserve and review them. But what happens when a VM is encrypted and password-protected? Compound the issue with an uncooperative custodian, and it may be time for more creative solutions. Thankfully, VMware, a popular virtualization program, can create an artifact on the host operating system that gives us insight into what applications are installed on the VM.
Most web applications track account activity. This tracking can alert the user to suspicious activity and provide the investigator with a built-in audit log to review. This information is often volatile and may roll off after some time. Knowing where to find this information can prove vital, as it may provide useful clues. This post describes where to find login activity details for popular websites. The table below provides a high-level summary of our findings.