VM Acquisition

Created: 28.07.2022

[…]they all need to be backed by a disk image, which is a file that represents an entire raw physical disk. If a forensic investigator finds themselves having to work with a VM in an investigation, the very fact that the disk is already an image file can be very advantageous. By their very nature, all forensic collections of VM drive images happen by way of a live acquisition, unless of course they are included in a wider powered-off imaging of the hypervisor’s storage. Once the investigator has located the virtual machine to be acquired using the hypervisor management software, they can determine the path to the machine’s disk image(s) (typically a .vmdk format file). Most hypervisors feature a function called ‘snapshotting’ which allows the VM disk image to be frozen in time. For instance, if a snapshot is triggered in VMware ESXi, a commonly used commercial hypervisor platform, a new copy of the disk image is created, writes are prevented on the original copy and the new image gets promoted to being the primary image in use. Essentially this is a software-based write blocker built into the platform. This is perfect for incident response; the cost in terms of time and hardware when it comes to creating a snapshot for deeper examination is minimal. Of course, we need to stay on top of things to ensure that this step is completed – the flexibility of VMs means it can be just as quick to recreate the VM from scratch, disregarding any potential evidence. 1
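Worked example (added here, not code from the page or from Sheward's book): once a snapshot exists, the `.vmdk` the VM is actively writing to is a small delta descriptor that points back at its parent through a `parentFileNameHint` line, so grabbing only the newest `.vmdk` misses the base disk. The script below parses the text VMDK descriptor (header `key=value` lines, an `# Extent description` section with `ACCESS SECTORS TYPE "file"` lines), follows the chain back to the base, checks that each child's `parentCID` matches its parent's `CID`, and produces a size/SHA-256 inventory of every file needed to reconstruct the disk. It assumes the standard descriptor layout described above; the descriptor and extent contents it builds in a temp directory are constructed sample data, not real images.

```python
"""Walk a VMDK snapshot chain and inventory every backing file for acquisition.

Added example, not from the page or the book. Assumes the ordinary text VMDK
descriptor layout: key=value header lines (CID, parentCID, createType,
parentFileNameHint), an "# Extent description" section with lines like
    RW 41943040 VMFS "vm-flat.vmdk"
and '#' comment lines. Sample descriptors/extents below are constructed.
"""
import hashlib
import os
import re
import tempfile

EXTENT_RE = re.compile(r'^(RW|RDONLY|NOACCESS)\s+(\d+)\s+(\w+)\s+"([^"]+)"')
KV_RE = re.compile(r'^\s*([A-Za-z.]+)\s*=\s*"?([^"\n]*)"?\s*$')


def parse_descriptor(path):
    """Return (header dict, list of extent dicts) for one descriptor file."""
    header, extents = {}, []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue  # blank line or comment such as '# Disk DescriptorFile'
            m = EXTENT_RE.match(line)
            if m:
                extents.append({"access": m.group(1), "sectors": int(m.group(2)),
                                "type": m.group(3), "file": m.group(4)})
                continue
            m = KV_RE.match(line)
            if m:
                header[m.group(1)] = m.group(2)
    return header, extents


def walk_chain(descriptor_path, max_depth=32):
    """Follow parentFileNameHint from the newest delta back to the base disk.

    Returns [(descriptor_path, header, extents), ...], newest first.
    """
    chain, seen = [], set()
    path = os.path.abspath(descriptor_path)
    while path and len(chain) < max_depth:
        if path in seen:
            raise ValueError("descriptor chain loops at %s" % path)
        seen.add(path)
        header, extents = parse_descriptor(path)
        chain.append((path, header, extents))
        hint = header.get("parentFileNameHint")
        if not hint:
            break  # base disk reached
        if not os.path.isabs(hint):  # relative hints resolve beside the child
            hint = os.path.join(os.path.dirname(path), hint)
        path = os.path.abspath(hint)
    return chain


def check_cids(chain):
    """A child's parentCID must equal its parent's CID; return mismatched pairs."""
    problems = []
    for (cpath, child, _), (ppath, parent, _) in zip(chain, chain[1:]):
        if child.get("parentCID", "").lower() != parent.get("CID", "").lower():
            problems.append((cpath, ppath))
    return problems


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def inventory(descriptor_path):
    """Every descriptor and extent in the chain with size and SHA-256."""
    rows = []
    for dpath, _hdr, extents in walk_chain(descriptor_path):
        base = os.path.dirname(dpath)
        for f in [dpath] + [os.path.join(base, e["file"]) for e in extents]:
            rows.append({"file": f, "size": os.path.getsize(f), "sha256": sha256_file(f)})
    return rows


def build_sample(tmpdir):
    """Constructed sample: a base disk plus one snapshot delta. Returns newest .vmdk."""
    with open(os.path.join(tmpdir, "vm-flat.vmdk"), "wb") as fh:
        fh.write(b"\x00" * 4096)  # stand-in for the raw base extent
    with open(os.path.join(tmpdir, "vm.vmdk"), "w") as fh:
        fh.write('# Disk DescriptorFile\nversion=1\nencoding="UTF-8"\n'
                 'CID=deadbeef\nparentCID=ffffffff\ncreateType="vmfs"\n\n'
                 '# Extent description\nRW 8 VMFS "vm-flat.vmdk"\n\n'
                 '# The Disk Data Base\n#DDB\nddb.adapterType = "lsilogic"\n')
    with open(os.path.join(tmpdir, "vm-000001-delta.vmdk"), "wb") as fh:
        fh.write(b"\x01" * 512)  # stand-in for the post-snapshot delta extent
    delta = os.path.join(tmpdir, "vm-000001.vmdk")
    with open(delta, "w") as fh:
        fh.write('# Disk DescriptorFile\nversion=1\nencoding="UTF-8"\n'
                 'CID=c0ffee00\nparentCID=deadbeef\ncreateType="vmfsSparse"\n'
                 'parentFileNameHint="vm.vmdk"\n\n'
                 '# Extent description\nRW 8 VMFSSPARSE "vm-000001-delta.vmdk"\n')
    return delta


def demo():
    """Build the sample chain and return (chain, cid_problems, inventory rows)."""
    newest = build_sample(tempfile.mkdtemp(prefix="vmdk-demo-"))
    chain = walk_chain(newest)
    return chain, check_cids(chain), inventory(newest)


if __name__ == "__main__":
    chain, problems, rows = demo()
    for dpath, hdr, exts in chain:
        print(dpath, hdr.get("createType"), [e["file"] for e in exts])
    print("CID mismatches:", problems)
    for r in rows:
        print(r["size"], r["sha256"], r["file"])
```

On a real datastore, point `inventory()` at the descriptor named in the VM's `.vmx` (the newest snapshot disk) and record the output alongside the acquisition; a non-empty `check_cids()` result means the parent was modified after the child was created and the chain should not be trusted as-is.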

built-in utilities in the vSphere client. Sheward, Mike. Hands-on Incident Response and Digital Forensics (p. 165). BCS Learning & Development Limited. Kindle Edition.

References


1. Sheward, Mike. Hands-on Incident Response and Digital Forensics (pp. 151-152). BCS Learning & Development Limited. Kindle Edition.