Examine VMs stored on VMFS 3 used by ESXi 4

Posted by @sanbarrow (topic starter)

I am not sure if this makes sense in a forensic context... anyway, maybe it's useful.

Usually, examining virtual machines running on VMware ESXi 3.5 or 4 is a bit tricky, as the VMFS filesystem is proprietary to VMware.
You either launch the VM in ESX itself - then you will change the files on disk - or you copy the files to external storage with a Linux LiveCD using vmfs-tools and examine them later.

I found a way to examine such VMs without needing to copy them first and without changing them on disk.

To do that I remastered an Ubuntu 11.04 LiveCD and added VMware Workstation and the vmfs-tools to the CD.

Then I boot the ESXi server with the LiveCD and mount the VMFS 3 volume with the vmfs-tools.
Next I find the VM I want to examine and create a snapshot.
This snapshot only exists in RAM - or, if you want, you can also use an external USB disk.
Once the snapshot is created I can boot the VM, either using the original disk to boot off or by starting it from another LiveCD.

The VM on disk will not be changed in any way by doing this.
The process to start the VM can be done quite fast - with a little experience you can start your first VM like this within 2 minutes after boot.

I made a screenshot that shows what I do:
http://sanbarrow.com/img/moaesxirescue.png

If anybody wants to know more about this, I can post details.

Ulli
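The procedure above, as an added worked example that is not the poster's own tooling: a script that builds a throw-away .vmx for a VM sitting on a VMFS volume mounted with vmfs-tools (for example `vmfs-fuse /dev/sdb1 /mnt/vmfs`; vmfs-tools only implements reading, so the mount itself cannot be written to). It rewrites every disk reference to an absolute path on that mount, sets `workingDir` so that the snapshot delta files, .vmsd, nvram and log land in a tmpfs or USB work directory, disconnects the NICs so the examined guest stays offline, follows each disk's `parentFileNameHint` chain to confirm every extent file is present, and records SHA-256 hashes of the original files so they can be compared after the session. The paths `/mnt/vmfs/...` and `/mnt/ram/...`, the `suspect` VM and its files are constructed for the demonstration; the script relies on VMware honouring `workingDir` for snapshot files, and checking the fuse mount's read-only nature with `mount` before starting is still worth doing.

```python
"""Build a throw-away .vmx for examining a VM that lives on a VMFS volume
mounted read-only with vmfs-tools (for example: vmfs-fuse /dev/sdb1 /mnt/vmfs).

Added example, not the poster's tooling. Hypothetical layout:
  VM directory  : /mnt/vmfs/datastore1/suspect   (read-only fuse mount)
  work directory: /mnt/ram/suspect               (tmpfs or a USB disk)
Every disk in the generated .vmx still points at the original descriptor on
the read-only mount; everything VMware writes (snapshot deltas, .vmsd, nvram,
log) goes to the work directory via workingDir.
"""
import hashlib
import os
import re
import tempfile

DISK_KEY = re.compile(r"^(scsi|ide|sata)\d+:\d+\.fileName$")
EXTENT = re.compile(r'^(RW|RDONLY|NOACCESS)\s+(\d+)\s+(\w+)\s+"([^"]+)"')


def parse_vmx(text):
    """'key = "value"' lines -> dict; comments and blank lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip().strip('"')
    return cfg


def build_rescue_cfg(cfg, vm_dir, work_dir):
    """Rewrite a parsed .vmx so nothing in vm_dir is ever opened for writing."""
    out = {}
    for key, value in cfg.items():
        if DISK_KEY.match(key) and not os.path.isabs(value):
            out[key] = os.path.join(vm_dir, value)   # absolute path on the ro mount
        elif key not in ("workingDir", "nvram"):
            out[key] = value                          # the two above are re-pointed below
    out["workingDir"] = work_dir                      # snapshot deltas, .vmsd, .vmem land here
    out["nvram"] = os.path.join(work_dir, "rescue.nvram")
    out["uuid.action"] = "keep"                       # no "moved or copied?" prompt
    for key in [k for k in out if re.match(r"^ethernet\d+\.present$", k)]:
        out[key.replace(".present", ".startConnected")] = "FALSE"  # guest stays offline
    return out


def disk_chain(descriptor):
    """Follow parentFileNameHint links; return every file the disk chain needs."""
    files = []
    while descriptor and descriptor not in files:
        files.append(descriptor)
        parent = None
        with open(descriptor, errors="replace") as fh:   # descriptors are text
            for line in fh:
                m = EXTENT.match(line.strip())
                if m:
                    files.append(os.path.join(os.path.dirname(descriptor), m.group(4)))
                elif line.startswith("parentFileNameHint"):
                    parent = line.split("=", 1)[1].strip().strip('"')
                    if not os.path.isabs(parent):
                        parent = os.path.join(os.path.dirname(descriptor), parent)
        descriptor = parent
    return files


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_rescue_vm(vmx_path, work_dir):
    """Write work_dir/rescue.vmx; return (cfg, {original file: sha256}) so the
    hashes can be re-checked once the VM has been shut down again."""
    vm_dir = os.path.dirname(os.path.abspath(vmx_path))
    with open(vmx_path) as fh:
        cfg = build_rescue_cfg(parse_vmx(fh.read()), vm_dir, work_dir)
    hashes = {}
    for key, value in cfg.items():
        if DISK_KEY.match(key):
            for f in disk_chain(value):
                if not os.path.exists(f):
                    raise FileNotFoundError("disk chain is incomplete: " + f)
                hashes[f] = sha256_of(f)
    os.makedirs(work_dir, exist_ok=True)
    with open(os.path.join(work_dir, "rescue.vmx"), "w") as fh:
        fh.write('.encoding = "UTF-8"\n')
        for key, value in cfg.items():
            fh.write('%s = "%s"\n' % (key, value))
    return cfg, hashes


def make_sample_vm(root):
    """Constructed stand-in for a VM directory on VMFS: one ESX snapshot on top
    of a base disk. The flat and delta files are empty placeholders."""
    vm_dir = os.path.join(root, "suspect")
    os.makedirs(vm_dir, exist_ok=True)
    files = {
        "suspect.vmx": 'config.version = "8"\ndisplayName = "suspect"\nnvram = "suspect.nvram"\n'
                       'scsi0:0.present = "TRUE"\nscsi0:0.fileName = "suspect-000001.vmdk"\n'
                       'ethernet0.present = "TRUE"\n',
        "suspect.vmdk": '# Disk DescriptorFile\nversion=1\nCID=fffffffe\nparentCID=ffffffff\n'
                        'createType="vmfs"\nRW 2048 VMFS "suspect-flat.vmdk"\n',
        "suspect-000001.vmdk": '# Disk DescriptorFile\nversion=1\nCID=a1b2c3d4\nparentCID=fffffffe\n'
                               'createType="vmfsSparse"\nparentFileNameHint="suspect.vmdk"\n'
                               'RW 2048 VMFSSPARSE "suspect-000001-delta.vmdk"\n',
        "suspect-flat.vmdk": "",
        "suspect-000001-delta.vmdk": "",
    }
    for name, content in files.items():
        with open(os.path.join(vm_dir, name), "w") as fh:
            fh.write(content)
    return os.path.join(vm_dir, "suspect.vmx")


def demo():
    """Run the whole flow against the constructed sample in a fresh temp dir."""
    root = tempfile.mkdtemp(prefix="vmfs-rescue-")
    vmx = make_sample_vm(root)
    work_dir = os.path.join(root, "ram")             # stands in for the tmpfs mount
    cfg, hashes = write_rescue_vm(vmx, work_dir)
    return cfg, hashes, os.path.dirname(vmx), work_dir


if __name__ == "__main__":
    cfg, hashes, vm_dir, work_dir = demo()
    for k in ("scsi0:0.fileName", "workingDir", "nvram", "ethernet0.startConnected"):
        print(k, "=", cfg[k])
    for f, h in hashes.items():
        print(h[:16], f)
```

Against a real host you would call `write_rescue_vm("/mnt/vmfs/datastore1/suspect/suspect.vmx", "/mnt/ram/suspect")`, open `/mnt/ram/suspect/rescue.vmx` in Workstation, take the snapshot before powering on, and after shutting down compare `sha256_of` on each recorded file against the stored hash. Hashing a `-flat.vmdk` reads the whole disk, so on a large datastore either accept the wait or hash only the descriptors and delta files.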
