Forensic Collections of Virtual Machines


Post Posted: Nov 09, 18 12:39

What are your recommendations for collecting VM images such as VMDKs?

I am contemplating whether I really need forensic collection software anymore for these collections.

Why not just make a snapshot of the VM and save it to an external hard drive - then hash the original file and then the copied file?

Am I missing anything?

Thank you!  

Senior Member

Re: Forensic Collections of Virtual Machines

Post Posted: Nov 09, 18 13:34

That's pretty much how I do it. If it's live, suspend it and get memory while you're at it. The hashes should help with ensuring integrity of the data and always work off a copy of the original.

Plus many forensic tools will ingest VMDK/VDI/VHD/etc. files directly as images so it saves from wrapping them up. The only time it might be beneficial to put it in an image container is if your preferred tool doesn't support the format it's in.
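
The copy-then-hash workflow discussed in this thread, as an added example that is not part of either post: it hashes each VM file at the source, copies it, re-hashes the copy and writes a manifest for later re-verification. It assumes the VM is suspended or powered off so the files do not change mid-collection; the suffix list, function names and the `SHA256SUMS.txt` manifest name are choices made for this illustration.

```python
import hashlib
import shutil
from pathlib import Path

# Assumed set of files that make up a suspended/snapshotted VM; extend as needed.
VM_SUFFIXES = {".vmdk", ".vmem", ".vmsn", ".vmss", ".vmx", ".nvram", ".vdi", ".vhd", ".vhdx"}
CHUNK = 1024 * 1024  # stream in 1 MiB blocks so multi-GB disks never load into memory
MANIFEST = "SHA256SUMS.txt"  # "<hash>  <name>" lines, the layout sha256sum -c reads


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def collect_vm(src_dir: Path, dst_dir: Path) -> dict:
    """Hash each VM file at the source, copy it, re-hash the copy, record both."""
    dst_dir.mkdir(parents=True, exist_ok=True)
    results = {}
    for src in sorted(p for p in src_dir.iterdir() if p.suffix.lower() in VM_SUFFIXES):
        src_hash = sha256_file(src)        # hash the original before touching it
        dst = dst_dir / src.name
        shutil.copy2(src, dst)             # copy2 also carries over timestamps
        dst_hash = sha256_file(dst)        # hash what actually landed on the target
        results[src.name] = {"source": src_hash, "copy": dst_hash,
                             "match": src_hash == dst_hash}
    lines = [f"{r['source']}  {name}\n" for name, r in results.items()]
    (dst_dir / MANIFEST).write_text("".join(lines))
    return results


def verify_copy(dst_dir: Path) -> list:
    """Re-check the working copy against the manifest; return names that differ."""
    bad = []
    for line in (dst_dir / MANIFEST).read_text().splitlines():
        expected, name = line.split("  ", 1)
        if sha256_file(dst_dir / name) != expected:
            bad.append(name)
    return bad


if __name__ == "__main__":
    # Hypothetical paths: the VM's folder and an evidence folder on the external drive.
    for name, r in collect_vm(Path("vm_folder"), Path("evidence/vm_copy")).items():
        print(("OK   " if r["match"] else "FAIL ") + r["source"] + "  " + name)
```

Running `verify_copy` again before analysis confirms the working copy still matches what was collected.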

