A Tool for Answering the Question: What Changed on Disk?

A session at the 4th Annual Open Source Digital Forensics Conference & Workshops

  • Stuart Maclean

Tuesday 5th November, 2013

11:15am to 11:50am (EST)

A program called VirtualMachineFS is described. It permits the comparison of virtual machine disk images. The program recognizes the machine snapshot feature of popular virtualization engines. This feature is used in malware analysis systems (such as Cuckoo Sandbox) to sanitize the filesystem of a virtual machine disk after each malware sample execution. Used in conjunction with disk forensics tools such as Sleuthkit, VirtualMachineFS can quickly and easily show the investigator exactly where virtual machine disk contents change as malware samples are run. Such information complements, enriches and verifies the file system change reporting facilities of existing malware analysis engines.
