Virtualization in data acquisition
Virtualization offers great benefits to digital forensic science. In virtualization, everything is a file, including the guest memory and the guest hard drive. All the handler needs to do is identify the file on the host that holds the source they need to acquire, and copy that file to external storage.
The snapshot feature found in most virtualization programs gives the investigator several images of the machine taken at different times. If these are acquired and analyzed, they show the machine's behaviour over time, that is, before and after the malware infection:
In the previous image, we can see the vmem files of the VMware program. VMware is one of the virtualization programs. This image contains the current memory file and two vmem files for two snapshots taken on two different dates. The sizes of the files are all the same because this works like the memory dump process: it copies the entire machine's...
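The acquisition described above, as an added example that is not part of the original text: a small Python script that locates every vmem file in a VMware virtual machine folder, copies each one to an evidence directory, and records its size and SHA-256 hash, verifying the copy against the source before logging it. The VM folder it runs against is constructed inline with three small stand-in vmem files (two snapshots and the live memory, with staggered modification times) plus a vmx and vmdk file that the script must ignore; the file names and contents are assumptions for the demo, not real evidence.

```python
from __future__ import annotations

import hashlib
import os
import shutil
import tempfile
import time
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so a large memory image never sits fully in RAM


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, streamed in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_vmem_files(vm_dir: Path) -> list[Path]:
    """All .vmem files in a VM folder, oldest modification time first.

    VMware keeps the live guest memory and each snapshot's memory as separate
    .vmem files in the same folder; ordering by mtime recovers the
    before/after timeline the text describes.
    """
    return sorted(vm_dir.glob("*.vmem"), key=lambda p: p.stat().st_mtime)


def acquire_vmem_files(vm_dir: Path, evidence_dir: Path) -> list[dict]:
    """Copy every .vmem file to the evidence store and log size and SHA-256.

    The source is hashed before the copy and the copy is hashed afterwards;
    a mismatch aborts the acquisition instead of silently logging bad evidence.
    """
    evidence_dir.mkdir(parents=True, exist_ok=True)
    records = []
    for src in find_vmem_files(vm_dir):
        src_hash = sha256_file(src)
        dst = evidence_dir / src.name
        shutil.copy2(src, dst)  # copy2 keeps the original timestamps on the copy
        if sha256_file(dst) != src_hash:
            raise RuntimeError(f"hash mismatch after copying {src.name}")
        records.append({"source": str(src), "evidence": str(dst),
                        "size": src.stat().st_size, "sha256": src_hash})
    return records


def all_same_size(records: list[dict]) -> bool:
    """True when every acquired memory image has the same size, as expected
    when all snapshots were taken with the same guest RAM allocation."""
    return len({r["size"] for r in records}) <= 1


def build_constructed_vm_dir(vm_dir: Path, size: int = 64 * 1024) -> Path:
    """Constructed stand-in for a VMware VM folder (sample data, not a real VM).

    Three .vmem files are written with distinct fill bytes and staggered
    mtimes (snapshot 1 oldest, live memory newest), plus non-memory files
    that the acquisition must ignore.
    """
    vm_dir.mkdir(parents=True, exist_ok=True)
    now = time.time()
    layout = [("infected-Snapshot1.vmem", 0x01, now - 2 * 86400),
              ("infected-Snapshot2.vmem", 0x02, now - 86400),
              ("infected.vmem", 0x03, now)]
    for name, fill, mtime in layout:
        path = vm_dir / name
        path.write_bytes(bytes([fill]) * size)
        os.utime(path, (mtime, mtime))
    (vm_dir / "infected.vmx").write_text('displayName = "infected"\n')
    (vm_dir / "infected.vmdk").write_bytes(b"\x00" * 512)
    return vm_dir


def demo() -> list[dict]:
    """Run the acquisition against the constructed VM folder and print the log."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        records = acquire_vmem_files(build_constructed_vm_dir(base / "vm"),
                                     base / "evidence")
        for rec in records:
            print(f"{Path(rec['source']).name:26} {rec['size']:>8} bytes  "
                  f"sha256={rec['sha256'][:16]}...")
        print("all memory images same size:", all_same_size(records))
        return records


if __name__ == "__main__":
    demo()
```

Against a real VM folder, point `acquire_vmem_files` at the directory holding the vmx file and at a mounted external evidence drive; the returned records are what goes into the acquisition log, and the equal-size check is a quick sanity test that each snapshot's memory file is a full copy of guest RAM rather than a partial or corrupted one.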