Does anyone have any experience performing imaging and forensics of a Hyper-V architecture?
We might need to perform a search and seizure in a business that is using Windows Server with Hyper-V. We do not have much more details than that.
I need to know how I can detect if Hyper-V is used. If so, how many virtual machines are in use? How can I acquire/image those virtual machines? Will I be able to examine the VM with EnCase or FTK? Is there a way to mount the virtual machines on another computer or in a virtual environment?
Please share your experience with Hyper-V servers.
Thanks
I know that FTK (and FTK Imager if you need a free look) will treat a VMWare virtual drive as if it were a drive image. I haven't tested the other virtual drive systems with it yet.
Hyper-V uses VHD images for the virtual disks and an XML file for the config of that VM (some GUID.xml). Both files can be in one directory but can also be located in different directories.
WinImage and other tools can mount these images.
A tool from StarWind named "V2V Converter" can convert these *.vhd files into *.vmdk files for further use.
Windows 7 and 2008 R2 can mount these images natively.
Just for the record
http//
can convert from vmdk to vhd (the opposite)
and this one
CLONEDISK
http//
Don't be fooled by the outdated screenshot; the current version is 1.6.3 and can "do" VHDs too, though you need to "pass through" a RAW image.
Support topic
http//
The StarWind tool is freely available (registration required):
http//
The new .VHD format (NOT for "dynamic" images, ONLY for "full" ones) is a plain RAW, dd-like image with some info appended to it.
Thus it can be opened by most tools as you would open a dd image.
jaclaz
Thanks everyone for your input. It was very helpful.
Hyper-V uses VHD images for the virtual disks and an XML file for the config of that VM (some GUID.xml). Both files can be in one directory but can also be located in different directories.
I find myself in this same situation of possibly needing to image a Hyper-V server.
Sad part is I haven't been able to find a whole lot of information about how to actually do this. Do I just need to grab the VHD file, or do I also need the XML file?
From what I've found trying to research this, it would be best to suspend the server and then just copy off the VHD. What if I'm not able to suspend the machine? Can I just copy the VHD while the virtual machine is running?
In theory, I should be able to just put this file in EnCase and view it right?
Any help is much appreciated.
I guess it depends on what you want to do. If you want to be able to restore a copy of that VHD to your own Windows 2008/7 to be able to boot it, I would suggest taking the XML file also.
If you only want to analyze the VHD file in EnCase (which is supported natively), you shouldn't need the XML file.
It's never a good idea to try to copy files in use by a service, so I would definitely shut down the VM and/or the Hyper-V service to make sure that I can copy the entire VM without problem.
Thanks Hitman, that helps.
I guess it would make sense just to grab both files just in case... can't hurt.