Tuesday 5th November, 2013
11:15am to 11:50am
A program called VirtualMachineFS is described. It permits the comparison of virtual machine disk images. The program recognizes the machine snapshot feature of popular virtualization engines. This feature is used in malware analysis systems (such as Cuckoo Sandbox) to sanitize the filesystem of a virtual machine disk after each malware sample execution. Used in conjunction with disk forensics tools such as Sleuthkit, VirtualMachineFS can quickly and easily show the investigator exactly where virtual machine disk contents change as malware samples are run. Such information complements, enriches and verifies the file system change reporting facilities of existing malware analysis engines.