Recovering Evidentiary Artifacts from Virtual Machines and Hypervisor Environments

ShmooCon VI - 2010

Presented by: TheX1le
Date: Saturday February 06, 2010
Time: 16:00 - 17:00
Location: Wilson
Track: Bring It On!

With the growing momentum towards a cloud/virtualized computing environment, gone may be the days that forensic practitioners collect an image of a hard disk and head back to the office to analyze the forensic evidence. High-performance, concurrent-access, cluster file systems commonly deployed in virtual environments offer a new set of challenges for forensic and security practitioners, requiring some new thinking in the way we review and analyze electronic evidence. This discussion will provide an overview of desktop and platform virtualization and the key tools and concepts that can be applied when recovering evidence in this new medium. The discussion will introduce these concepts through two walk-through scenarios: (1) the restoration of a corrupted virtual disk and its content, and (2) recovering deleted snapshots and redo logs from VMware's Virtual Machine File System (VMFS).


Eric M. Fiterman

Eric M. Fiterman is a former FBI Special Agent and founder of Methodvue, a consultancy that provides cybersecurity and computer forensics services to the federal government and private businesses. Eric began his career as a FreeBSD/Solaris software engineer, and is actively involved in the incident response, confidence gaming, and security analysis domains. His work is focused on trade secrets protection, intellectual property misappropriation, and crime prevention. Eric has conducted experiments aboard NASA's KC-135 microgravity research aircraft (the "Vomit Comet"), and was the recipient of a service award from the United States Secret Service for his investigative contributions to law enforcement.

