Recently, I have started performing digital forensics on virtual images and wanted to briefly share the process that I am following and the challenges that I am facing:
- Originally, the machines in the environment are virtualized via VMware ESX.
- To take the forensic image at a given point, the virtual machine is suspended and copied to a forensic workstation.
- Suspending the machine in the second step retains its memory in the .vmem file and allows for memory analysis.
- The suspended machines are resumed on the forensic workstation via VMware Workstation.
- Usually, the machine coming from ESX has large resource allocations that are not available on the forensic workstation. For example, the machine in ESX can be allocated 12GB of RAM and 4 processors; however, this cannot be met with what is available on the forensic workstation. This results in the machine being non-responsive when resumed in VMware Workstation.
- When you are able to resume the machine in VMware Workstation, you are not able to transfer any tools over without first installing VMware Tools; sometimes this requires a restart.
- If the machine was originally part of a domain and the machine was suspended without someone already logged in, you do not have a way to get into the system other than resetting the password via some live disk. The other option is to retrieve the password from the memory.
- If the machine itself does not have enough disk space for you to save the output from all your tools, then you have to enable the Folder Sharing feature in VMware Workstation.
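As an added example that is not part of the original post: a small shell script that records SHA-256 hashes of the suspended guest's component files (including the .vmem relied on for memory analysis) at copy time and re-verifies them later, so any change made while the guest is resumed on the forensic workstation is detectable. GNU coreutils (sha256sum, find -print0, sort -z, xargs -0) are assumed; the guest directory and its contents are constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the original post. Hashes the files that make up a
# suspended VMware guest (.vmx, .vmdk, .vmem, .vmsn, .nvram) right after the copy
# is taken, and re-verifies them later so any change made while the guest was
# resumed on the forensic workstation is detected. Assumes GNU coreutils
# (sha256sum, find -print0, sort -z, xargs -0 -r); sample data is constructed.
set -u

# vm_manifest DIR MANIFEST: record SHA-256 of every VM component file under DIR.
vm_manifest() {
    _dir=$1; _out=$2
    case $_out in /*) ;; *) _out="$PWD/$_out";; esac   # hashes are taken inside DIR
    ( cd "$_dir" && find . -type f \( -name '*.vmx' -o -name '*.vmdk' \
        -o -name '*.vmem' -o -name '*.vmsn' -o -name '*.nvram' \) -print0 \
        | sort -z | xargs -0 -r sha256sum ) > "$_out"
}

# vm_verify DIR MANIFEST: return 0 if every recorded file is unchanged, 1 otherwise.
vm_verify() {
    _dir=$1; _man=$2
    case $_man in /*) ;; *) _man="$PWD/$_man";; esac
    ( cd "$_dir" && sha256sum -c --quiet "$_man" ) >/dev/null 2>&1
}

# demo: build a constructed guest directory, confirm the pristine copy verifies,
# then simulate the resumed guest writing to its disk and confirm verification fails.
demo() {
    _tmp=$(mktemp -d) || return 1
    mkdir "$_tmp/guest"
    printf 'displayName = "evidence"\n' > "$_tmp/guest/evidence.vmx"
    printf 'fake-disk-bytes\n'          > "$_tmp/guest/evidence.vmdk"
    printf 'fake-memory-bytes\n'        > "$_tmp/guest/evidence.vmem"
    vm_manifest "$_tmp/guest" "$_tmp/acquired.sha256"
    vm_verify "$_tmp/guest" "$_tmp/acquired.sha256" || { rm -rf "$_tmp"; return 1; }
    printf 'guest-wrote-here\n' >> "$_tmp/guest/evidence.vmdk"   # resumed VM touches disk
    if vm_verify "$_tmp/guest" "$_tmp/acquired.sha256"; then rm -rf "$_tmp"; return 1; fi
    rm -rf "$_tmp"
    return 0
}
```

Run vm_manifest against the copied guest directory before it is ever resumed, keep the manifest with the case notes, and run vm_verify before and after each analysis session.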
These are some of my immediate experiences from performing forensics on virtual images. The reason for this post is to get feedback from the forensic community on how I can improve my process and make sure I minimize the changes made to the evidence.