Thoughts on Forensics
Today it is possible for AccessData's FTK and EnCase tools to read virtual machine disk files (VMDK) for further forensic study, but how do you get this information off a VMware ESX server's VMFS in a forensically sound manner? And is the VMDK all you need to grab?
The first question is very difficult to answer, as a VMFS can be from 2 to 64 TB in size, so grabbing the entire filesystem could be very expensive. On top of that, none of the current batch of forensic tools can read a VMFS. If you can't read a VMFS, you are left spending time-consuming hours carving out the VMDK and other files. So there needs to be a better solution; more on that in another blog.
The answer to the second question is quite a bit easier, and that is no: you need more than the VMDK, mainly because there are more capabilities now than there were before. Specifically, there are now several per-virtual-machine memory files as well as metadata and configuration files that are extremely useful. Files you should also get are:
.vswp -> Memory swap file for the VM, only used when ESX has overcommitted memory
.vmsn -> Virtual machine memory snapshot file; contains the memory contents of the VM at the time a snapshot was taken
.vmdk -> Descriptor file holding metadata about the VMDK
.vmx -> Configuration file; could also show whether external media has been used
-flat.vmdk -> Raw disk data in the appropriate disk format, zeroed thick by default. However, if the file was once bigger you may also want the blocks around the disk off the VMFS
-rdm.vmdk -> Not useful by itself, but it points to another disk that is a raw LUN on the storage device
-delta.vmdk -> Points to the snapshot FIFO of disk changes. As part of your investigation you may or may not wish to commit these changes. You can also see the raw disk data without the delta file, which could be a previous saved state
From a forensics perspective each of these files could aid in research and you should grab them as well as the VMDK. In some cases it is like having an earlier copy of a disk to investigate as well as the memory within the system.
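To make the list above concrete, here is an added example (not code from the original post) that walks a copied VM directory, keeps only the file types the post recommends collecting, records a SHA-256 for each one, and follows the `.vmdk` descriptor files to the `-flat`/`-delta` extents and the `parentFileNameHint` of a snapshot chain so that no disk in the chain is left behind. The sample directory, file names and descriptor contents are constructed for the example; the extent-line and `parentFileNameHint` syntax it parses is VMware's documented text descriptor format.

```python
import hashlib
import os
import re
import tempfile

# Suffix -> role, taken from the list in the post. Order matters: the more
# specific "-flat.vmdk" must be tested before the generic ".vmdk" descriptor.
ROLES = [
    ("-flat.vmdk", "raw disk extent"),
    ("-delta.vmdk", "snapshot delta (disk changes)"),
    ("-rdm.vmdk", "raw device mapping pointer"),
    (".vmdk", "disk descriptor (metadata)"),
    (".vswp", "memory swap file"),
    (".vmsn", "memory snapshot"),
    (".vmx", "configuration file"),
]
# Descriptor extent lines look like:  RW 8192 VMFS "web01-flat.vmdk"
EXTENT_RE = re.compile(r'^(?:RW|RDONLY|NOACCESS)\s+\d+\s+\S+\s+"([^"]+)"')
# A snapshot descriptor names its parent with:  parentFileNameHint="web01.vmdk"
PARENT_RE = re.compile(r'^parentFileNameHint\s*=\s*"([^"]+)"')


def classify(name):
    """Return the role of a file by suffix, or None if the post does not list it."""
    for suffix, role in ROLES:
        if name.endswith(suffix):
            return role
    return None


def sha256_file(path):
    """Hash a file in chunks so multi-GB extents do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_descriptor(path):
    """Return (extent file names, parent descriptor or None) from a .vmdk descriptor."""
    extents, parent = [], None
    with open(path, "r", errors="replace") as f:
        for line in f:
            line = line.strip()
            if m := EXTENT_RE.match(line):
                extents.append(m.group(1))
            elif m := PARENT_RE.match(line):
                parent = m.group(1)
    return extents, parent


def disk_chain(vm_dir, descriptor):
    """Follow parentFileNameHint links from a snapshot descriptor back to the base disk."""
    chain, seen = [], set()
    while descriptor and descriptor not in seen:
        seen.add(descriptor)  # guard against a malformed circular chain
        chain.append(descriptor)
        _, descriptor = parse_descriptor(os.path.join(vm_dir, descriptor))
    return chain


def build_manifest(vm_dir):
    """Map every file worth collecting to its role, SHA-256 and the files it references."""
    manifest = {}
    for name in sorted(os.listdir(vm_dir)):
        role = classify(name)
        if role is None:
            continue
        path = os.path.join(vm_dir, name)
        refs = []
        if role == "disk descriptor (metadata)":
            extents, parent = parse_descriptor(path)
            refs = extents + ([parent] if parent else [])
        manifest[name] = {"role": role, "sha256": sha256_file(path), "refs": refs}
    return manifest


def make_sample_vm():
    """Constructed sample VM directory: base disk, one snapshot, a .vmsn and a .vmx."""
    d = tempfile.mkdtemp(prefix="vm_")
    files = {
        "web01.vmx": 'displayName = "web01"\n',
        "web01.vmdk": '# Disk DescriptorFile\nRW 8192 VMFS "web01-flat.vmdk"\n',
        "web01-flat.vmdk": b"\x00" * 4096,
        "web01-000001.vmdk": ('# Disk DescriptorFile\nparentFileNameHint="web01.vmdk"\n'
                              'RW 8192 VMFSSPARSE "web01-000001-delta.vmdk"\n'),
        "web01-000001-delta.vmdk": b"\x01" * 512,
        "web01-Snapshot1.vmsn": b"\x02" * 256,
        "vmware.log": "not in the post's list, so it is skipped\n",
    }
    for name, content in files.items():
        with open(os.path.join(d, name), "wb" if isinstance(content, bytes) else "w") as f:
            f.write(content)
    return d


if __name__ == "__main__":
    vm = make_sample_vm()
    for name, info in build_manifest(vm).items():
        print(f"{name:26} {info['role']:30} {info['sha256'][:16]}  refs={info['refs']}")
    print("snapshot chain:", disk_chain(vm, "web01-000001.vmdk"))
```

Run it against a VM folder that has already been copied off the datastore rather than the live VMFS, and keep the resulting manifest with the evidence: the hashes are the integrity record, and the `refs` column is the check that every extent and parent a descriptor points to was actually collected.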
Digital Forensic Practitioners within the virtualization space should definitely grab more than just the disk file.
Interesting blog and a good insight into the difficulties and challenges surrounding virtualised forensics