The field of computer forensics seeks to help investigators reconstruct what happened during a computer intrusion. Did an attacker break in, and if so, how? What havoc did the attacker wreak after breaking in? Tools that help investigators answer these types of questions are still quite primitive and are often hindered by incomplete or incorrect information. Virtual machines can enable more-powerful forensic analysis through techniques such as replaying a computer's instruction stream and introspecting on the state of a virtual machine. This talk describes how to provide and use virtual machine replay and introspection to enable arbitrary forensic analysis, enable reverse debugging of intrusions and bugs, and detect intrusions in the past and present through vulnerability-specific predicates.