Channel: Forensic Focus Forums - Recent Topics

Education and Training: Social Discovery Project help

jaclaz is right, all VMs should, for your purpose, function about the same. If you are more familiar with VirtualBox, use that; it should still let you network computers just as well as any other VM. Versions do not matter that much as long as you use the same one for all your test subjects (the exception being compatibility and unexpected bugs).

Without taking all the fun and work out of your project, what I would personally do is a clean install on your VM, take a snapshot, do one variable, snapshot, use the original clean install snapshot, and repeat the process until you have it all (you can also do multiple installs... no real difference). Then map it to your test VM (or just your actual OS) and do your forensics work on it. A mapped VM should be able to detect the VM for you to do forensics, or you can convert to dd and do forensics on the actual OS. Obviously, there are many ways to do this process; mine are just examples.

The academic part is doing this like a science lab: do it variable by variable, as consistently as possible. For example, if you do facebook.com alone for one VM, don't go to eBay before going to Twitter on your next one. This could invalidate your results, as one can claim eBay may have corrupted your Twitter results, or the lack of eBay on your Facebook could be a lack of a controlled variable (equally invalid). Also, don't do all your images in one test; for example, don't do Facebook then continue with Twitter on the same VM. This could invalidate your results, as your Facebook results could have corrupted your Twitter results (and vice versa).

This link may be a better explanation of your problems with evidence gathering than my own (as well as explain why jaclaz recommends QEMU): http://www.forensicfocus.com/Forums/viewtopic/printertopic=1/t=10862/start=0/postdays=0/postorder=asc/vote=viewresult/

Hope this helps
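
The snapshot-per-variable routine from the post above, sketched with VirtualBox's `VBoxManage` as an added example that is not part of the original post. The VM name `social-test`, the snapshot names and the site list are assumptions, and the script defaults to a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example: one isolated run per variable, each starting from the same
# clean baseline snapshot. VM name, snapshot names and sites are assumptions.
VM="${VM:-social-test}"                 # hypothetical VM name
BASELINE="${BASELINE:-clean-install}"   # snapshot taken right after the clean install
DRY_RUN="${DRY_RUN:-1}"                 # 1 = only print the VBoxManage commands

# Print the command; execute it only when DRY_RUN=0.
vbox() {
    echo "VBoxManage $*"
    if [ "$DRY_RUN" = "0" ]; then VBoxManage "$@"; fi
}

# One run: revert to the baseline, exercise exactly one site, snapshot the result.
run_variable() {
    site="$1"
    vbox snapshot "$VM" restore "$BASELINE"   # VM must be powered off here
    vbox startvm "$VM" --type gui
    if [ "$DRY_RUN" = "0" ]; then
        printf 'Use only %s in the VM, then press Enter: ' "$site"
        read -r reply
    fi
    # Hard power-off, applied identically to every run for consistency.
    vbox controlvm "$VM" poweroff
    vbox snapshot "$VM" take "after-$site"
}

# Each site gets its own branch off the baseline. Duplicates are refused so
# no variable is recorded twice under the same snapshot name.
run_experiment() {
    seen=""
    for site in "$@"; do
        case " $seen " in
            *" $site "*) echo "duplicate variable: $site" >&2; return 1 ;;
        esac
        seen="$seen $site"
        run_variable "$site"
    done
}

# Constructed sample list of variables, one site per run.
run_experiment facebook twitter ebay
```

Because every run begins with a restore of the baseline, no `after-<site>` snapshot inherits artifacts from another site's run.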
