Forensic Collections of Virtual Machines

Posted: Fri Nov 09, 2018 12:39 pm

What are your recommendations for collecting VM images such as VMDKs?

I am contemplating whether I really need forensic collection software anymore for these collections.

Why not just make a snapshot of the VM and save it to an external hard drive - then hash the original file and then the copied file?

Am I missing anything?

Thank you!  

steve_linn_trimble
Newbie
 
 
  

Re: Forensic Collections of Virtual Machines

Posted: Fri Nov 09, 2018 1:34 pm

That's pretty much how I do it. If it's live, suspend it and get memory while you're at it. The hashes should help with ensuring integrity of the data and always work off a copy of the original.

Plus many forensic tools will ingest VMDK/VDI/VHD/etc. files directly as images so it saves from wrapping them up. The only time it might be beneficial to put it in an image container is if your preferred tool doesn't support the format it's in.

Jamie  

mcman
Senior Member
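
The copy-then-hash workflow discussed in this thread, as an added example (not code from either poster): it hashes each file in the VM's directory, copies it, hashes the copy, and records both values in a manifest. It assumes the VM is suspended or powered off so nothing changes between the two hashes; SHA-256, the manifest name `collection_manifest.json` and the demo file names are choices made for this illustration.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1024 * 1024):
    """Hash a file in chunks so multi-gigabyte disk images never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def collect_vm(vm_dir, dest_dir):
    """Copy every file of a suspended or powered-off VM and verify each copy."""
    vm_dir, dest_dir = Path(vm_dir), Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for src in sorted(p for p in vm_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(vm_dir)
        dst = dest_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        source_hash = sha256_file(src)   # hash the original first
        shutil.copy2(src, dst)           # copy2 also carries over timestamps
        copy_hash = sha256_file(dst)     # then hash the copy
        manifest.append({"file": rel.as_posix(), "bytes": src.stat().st_size,
                         "source_sha256": source_hash, "copy_sha256": copy_hash,
                         "verified": source_hash == copy_hash})
    (dest_dir / "collection_manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def demo():
    """Run against constructed stand-in files (not real disk images)."""
    with tempfile.TemporaryDirectory() as tmp:
        vm = Path(tmp, "vm")
        vm.mkdir()
        (vm / "disk.vmdk").write_bytes(b"constructed descriptor\n")
        (vm / "disk-flat.vmdk").write_bytes(b"\x00" * 4096)
        (vm / "guest.vmem").write_bytes(b"constructed memory")
        return collect_vm(vm, Path(tmp, "evidence"))


if __name__ == "__main__":
    for entry in demo():
        print(entry["verified"], entry["source_sha256"], entry["file"])
```

Any entry with `"verified": false` means the copy differs from the source and that file should be re-collected before analysis.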
 
 
