With the increased use of data computing clouds, forensic science requires tools that enable investigation and discovery. The Virtual Machine Log Auditor (VMLA) is one such tool. It is a graphical tool that allows the data cloud forensic investigator to create a timeline of Virtual Machine (VM) hypervisor log events gathered from one or more physical Operating System (OS) sources. This paper describes the design, implementation and use of the VMLA. The VM timestamp hypervisor log information visualized by the VMLA tool refers to VM hosted physical OS Modification, Access and Creation (MAC) times, copied from the Storage Area Network (SAN) disks. The paper also gives an overview of how to improve the existing prototype.