What are your recommendations for collecting VM images such as VMDKs?
I am contemplating whether I really need forensic collection software anymore for these collections.
Why not just make a snapshot of the VM and save it to an external hard drive - then hash the original file and then the copied file?
Am I missing anything?
Thank you!
That's pretty much how I do it. If it's live, suspend it and get memory while you're at it. The hashes should help with ensuring integrity of the data, and always work off a copy of the original.
Plus many forensic tools will ingest VMDK/VDI/VHD/etc. files directly as images so it saves from wrapping them up. The only time it might be beneficial to put it in an image container is if your preferred tool doesn't support the format it's in.
Jamie
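The copy-then-hash workflow discussed in this thread, as an added example that is not code from either poster: it hashes each original file, copies it, re-reads the copy to hash it, and writes a manifest so a working copy can be re-verified later. It assumes the VM is suspended or powered off so the files do not change mid-copy; the `case01` names, the helper functions and the sample files are constructed for illustration.

```python
import hashlib, json, shutil, tempfile
from pathlib import Path

def sha256_file(path, chunk=1024 * 1024):
    """Stream a file through SHA-256 so multi-GB disk images never sit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def collect_vm(src_dir, dst_dir):
    """Hash each original, copy it, then hash the copy as read back from dst_dir."""
    src_dir, dst_dir = Path(src_dir), Path(dst_dir)
    dst_dir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for src in sorted(p for p in src_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(src_dir)
        dst = dst_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        entry = {"file": rel.as_posix(), "size": src.stat().st_size,
                 "source_sha256": sha256_file(src)}
        shutil.copy2(src, dst)  # copy2 also carries the timestamps over
        entry["copy_sha256"] = sha256_file(dst)
        entry["match"] = entry["source_sha256"] == entry["copy_sha256"]
        manifest.append(entry)
    (dst_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify_copy(dst_dir):
    """Re-hash a working copy later; return the files that no longer match."""
    dst_dir = Path(dst_dir)
    manifest = json.loads((dst_dir / "manifest.json").read_text())
    return [e["file"] for e in manifest
            if sha256_file(dst_dir / e["file"]) != e["source_sha256"]]

def build_sample_vm(vm_dir):
    """Constructed stand-in for a suspended VM folder (tiny fake files)."""
    vm_dir = Path(vm_dir)
    vm_dir.mkdir(parents=True, exist_ok=True)
    for name, data in {"case01.vmdk": b"# constructed descriptor\n",
                       "case01-flat.vmdk": b"\x00" * 4096 + b"constructed extent",
                       "case01.vmem": b"constructed memory " * 64}.items():
        (vm_dir / name).write_bytes(data)
    return vm_dir

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        src = build_sample_vm(Path(tmp) / "datastore" / "case01")
        for e in collect_vm(src, Path(tmp) / "evidence" / "case01"):
            print(e["file"], e["source_sha256"][:16], "OK" if e["match"] else "MISMATCH")
```

Hashing the copy by reading it back from the destination, rather than hashing the bytes as they are written, is what catches a bad write to the external drive.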