Recovering Evidentiary Artifacts from Virtual Machines and Hypervisor Environments

With the growing momentum towards cloud and virtualized computing environments, gone may be the days when forensic practitioners collect an image of a hard disk and head back to the office to analyze the evidence. High-performance, concurrent-access, cluster file systems commonly deployed in virtual environments present a new set of challenges for forensic and security practitioners, requiring new thinking in the way we review and analyze electronic evidence. This discussion provides an overview of desktop and platform virtualization and the key tools and concepts that can be applied when recovering evidence in this new medium. It introduces these concepts through two walk-through scenarios: (1) the restoration of a corrupted virtual disk and its content, and (2) the recovery of deleted snapshots and redo logs from VMware's Virtual Machine File System (VMFS).
