Design Framework for Digital Evidence Analysis Using the Virtual Machine Forensic Analysis & Recovery (VMFAR) Method

Juhartini (1), Erfan Wahyudi (2, *), Bahtiar Imran (3), Zaenudin (4)
Universitas Teknologi Mataram, Indonesia
Juhartini8815@gmail.com, erfan.wahyudie@gmail.com (* corresponding author), bahtiarimranlombok@gmail.com, Zen3d.itb@gmail.com

International Journal of Computer Science and Information Security (IJCSIS), Vol. 18, No. 10, October 2020. https://doi.org/10.5281/zenodo.4249385. ISSN 1947-5500. https://sites.google.com/site/ijcsis/

Abstract—Virtual machines (VMs) are the virtualization technology most widely used today to simplify work and save hardware resources. Beyond ordinary use, VMs are also widely used as a tool for research on malware, network installations and more. The growing use of virtualization poses a new challenge for digital forensics experts: recovering evidence from deleted virtual machine images. VMs are also widely used by cybercrime actors to commit crimes in cyberspace and then erase their digital traces by destroying the VM image they used or reverting it to a snapshot; this technique is known as anti-forensics. Many previous studies have discussed VM forensics, such as VM memory dumps and snapshots, but none has discussed the process model or flow used to analyse digital evidence in the form of a virtual machine. This study tries to define Virtual Machine Forensic Analysis & Recovery (VMFAR), which the researchers designed as a framework for analysing digital evidence. After applying this framework to the handling of digital evidence, the results of the analysis show that the experimental process was carried out successfully.

Index Keywords—Virtual; Machine; Forensics; Recovery; Framework.

I. INTRODUCTION

Digital forensics is the sequence of processes of identifying, acquiring, analysing and presenting evidence to a court in order to resolve a criminal case, while observing and maintaining the integrity and authenticity of that evidence [1]. The application of digital forensics to a virtual machine is generally called virtual machine forensics. This work cannot be separated from the various techniques and methods used to remove evidence, which are collectively called anti-forensics.

Among such anti-forensic techniques, deleting the VM and reverting it to the system's initial snapshot are categorised as artifact and trace removal [2]. When the attacker has finished carrying out the action, the attacker immediately destroys the evidence by deleting or downloading all files on the virtual machine used to carry out the crime. This certainly makes it difficult for the forensic investigator to recover the files, data or evidence the perpetrator stored inside the VM, because what is acquired is a drive inside an operating system that is itself running inside another operating system (the virtual machine). Even though the VM has been destroyed by the perpetrator, it may still be possible to recover the files and find evidence [3]. Forensic investigation of virtual machines presents a challenge to investigators because these systems differ from ordinary physical computers, and forensic practice has not kept pace with the ease of use and rapid development of this technology. Most of the literature discusses file recovery, performance optimisation and security enhancements; only a few works deal with virtual machine forensics [4].

Based on the background described above, the purpose of this research is to extract information from, and perform forensic analysis on, the virtual machine and the files downloaded by the perpetrator, in order to retrieve the virtual operating system files and all the information inside them that supports investigators in finding digital evidence and solving the related case, using the VMFAR framework method that the researchers have designed.

II. RELATED WORKS

Previous research duplicated a server into two or more virtual machine servers, with each duplicated virtual machine image running in a different VM. The use of VMs depended on computing power, availability and cost. As a result, the authors presented a new optimisation model to determine the number and type of VMs required for each server that minimises cost while ensuring the availability required by the SLA (Service Level Agreement). They also showed that running duplicates on several different VMs can be more cost-effective than limiting the server copy to a single VM [5].

Maintaining the integrity of the original evidence is essential to the forensic examination process, since changing even one bit among gigabits changes the data, cannot be undone, and casts doubt on the evidence being extracted. In traditional forensics, write-blockers are used to maintain the integrity of the evidence and prevent the OS from altering it; virtual machine forensics presents a more difficult challenge in this respect.
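The integrity point above, that a single changed bit changes the data and undermines the evidence, is exactly what cryptographic hashing of an acquired image is meant to detect. The following is an added example written for this page; it is not code from the paper or from the VMFAR framework. It hashes a constructed stand-in for an acquired VM disk image both as a whole and per fixed-size chunk, so that a later verification not only detects a flipped bit but also reports which chunk changed. The image bytes, the 64 KiB chunk size and the function names are assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass

CHUNK_SIZE = 64 * 1024  # hypothetical acquisition chunk size (64 KiB)


@dataclass(frozen=True)
class AcquisitionRecord:
    """Digests recorded at acquisition time: one for the whole image and
    one per fixed-size chunk, so a later mismatch can be localised."""
    size: int
    image_sha256: str
    chunk_sha256: tuple  # tuple of hex digests, one per chunk


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(image: bytes, chunk_size: int = CHUNK_SIZE) -> AcquisitionRecord:
    """Compute the digests an examiner records when the VM image is acquired."""
    chunks = [image[i:i + chunk_size] for i in range(0, len(image), chunk_size)]
    return AcquisitionRecord(
        size=len(image),
        image_sha256=sha256_hex(image),
        chunk_sha256=tuple(sha256_hex(c) for c in chunks),
    )


def verify(image: bytes, record: AcquisitionRecord,
           chunk_size: int = CHUNK_SIZE) -> dict:
    """Re-hash a copy of the image and compare it with the acquisition record.
    Returns whether it matches and, if not, the indices of the chunks that differ."""
    if len(image) != record.size:
        return {"ok": False, "reason": "size mismatch", "bad_chunks": []}
    if sha256_hex(image) == record.image_sha256:
        return {"ok": True, "reason": "", "bad_chunks": []}
    bad = [
        idx for idx, start in enumerate(range(0, len(image), chunk_size))
        if sha256_hex(image[start:start + chunk_size]) != record.chunk_sha256[idx]
    ]
    return {"ok": False, "reason": "digest mismatch", "bad_chunks": bad}


def flip_bit(image: bytes, byte_offset: int, bit: int) -> bytes:
    """Return a copy of the image with exactly one bit flipped (the 'one bit' case)."""
    buf = bytearray(image)
    buf[byte_offset] ^= (1 << bit)
    return bytes(buf)


# Constructed stand-in for an acquired VM disk image: three full chunks of
# patterned bytes plus a short tail, so the last chunk is a partial one.
SAMPLE_IMAGE = (b"\x00" * CHUNK_SIZE) + (b"\xff" * CHUNK_SIZE) \
    + (b"\xa5" * CHUNK_SIZE) + b"VMDK-TAIL"


def demo() -> dict:
    """Acquire, verify the pristine copy, then verify a copy with one bit flipped."""
    record = acquire(SAMPLE_IMAGE)
    pristine = verify(SAMPLE_IMAGE, record)
    # Flip bit 3 of the byte at offset CHUNK_SIZE + 17, which lies in chunk index 1.
    tampered = verify(flip_bit(SAMPLE_IMAGE, CHUNK_SIZE + 17, 3), record)
    return {"pristine": pristine, "tampered": tampered,
            "chunks": len(record.chunk_sha256)}


if __name__ == "__main__":
    print(demo())
```

Recording per-chunk digests next to the whole-image digest costs little at acquisition time and lets the examiner state which region of a copy diverged, rather than only that the copy no longer matches.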