Hello all,
I am looking for a proven method for imaging a VMware ESX server and its vmfs and, the most important part … how to mount or access the files contained in the image of the vmfs. Using Helix, I have tried imaging the physical device as well as the logical device. In both instances the imaging job completes successfully, but when I load the images in EnCase or FTK the partitions just show up as one big unallocated chunk. I have not found any forensic tool that states it supports vmfs. Are there any?
Do I have to image each individual VM?
Thanks for your help …
Mark Hallman
mark.hallman@gmail.com
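Before concluding that an image is unusable, an examiner can confirm that the "unallocated chunk" is in fact a VMFS partition by reading the partition table of the raw image. The script below is an added example, not code from any post in this thread; it parses an MBR partition table (ESX of that era used MBR labels; a GPT-labelled disk would need a different parser) and flags entries whose type byte is 0xFB, the partition type VMware uses for VMFS. The sample sector it builds is constructed for the demonstration.

```python
import struct

# Standard MBR layout constants (not page-specific)
MBR_PART_TABLE_OFFSET = 446     # first of four 16-byte partition entries
MBR_PART_ENTRY_SIZE = 16
MBR_SIGNATURE = b"\x55\xaa"     # boot signature at bytes 510-511
PART_TYPE_VMFS = 0xFB           # VMware VMFS (from public partition-type lists)
PART_TYPE_VMKCORE = 0xFC        # VMware vmkcore diagnostic partition

PART_TYPE_NAMES = {
    0x07: "NTFS/HPFS",
    PART_TYPE_VMFS: "VMware VMFS",
    PART_TYPE_VMKCORE: "VMware vmkcore",
}


def parse_mbr_partitions(sector0):
    """Return the non-empty primary partition entries of an MBR sector.

    Each entry is reported as a dict with its index, type byte, bootable
    flag, starting LBA and sector count (both little-endian 32-bit).
    """
    if len(sector0) < 512 or sector0[510:512] != MBR_SIGNATURE:
        raise ValueError("not a valid MBR: 0x55AA signature missing")
    parts = []
    for i in range(4):
        off = MBR_PART_TABLE_OFFSET + i * MBR_PART_ENTRY_SIZE
        entry = sector0[off:off + MBR_PART_ENTRY_SIZE]
        ptype = entry[4]
        if ptype == 0:
            continue                      # empty slot
        lba_start, lba_count = struct.unpack_from("<II", entry, 8)
        parts.append({
            "index": i,
            "type": ptype,
            "name": PART_TYPE_NAMES.get(ptype, "unknown 0x%02X" % ptype),
            "bootable": entry[0] == 0x80,
            "lba_start": lba_start,
            "lba_count": lba_count,
        })
    return parts


def find_vmfs_partitions(sector0):
    """Filter the MBR entries down to those typed as VMware VMFS (0xFB)."""
    return [p for p in parse_mbr_partitions(sector0) if p["type"] == PART_TYPE_VMFS]


def vmfs_partitions_in_image(path):
    """Read sector 0 of a raw (dd-style) image file and look for VMFS entries."""
    with open(path, "rb") as f:
        return find_vmfs_partitions(f.read(512))


def build_sample_mbr():
    """Constructed sample sector: one NTFS partition followed by one VMFS partition."""
    def entry(boot, ptype, start, count):
        # CHS fields are zeroed; only the type and LBA fields matter here.
        return bytes([boot, 0, 0, 0, ptype, 0, 0, 0]) + struct.pack("<II", start, count)

    mbr = bytearray(512)
    mbr[446:462] = entry(0x80, 0x07, 63, 8192)            # small bootable NTFS volume
    mbr[462:478] = entry(0x00, PART_TYPE_VMFS, 8255, 4194304)  # 2 GiB VMFS datastore
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    for p in parse_mbr_partitions(build_sample_mbr()):
        print("entry %d: %-16s start LBA %d, %d sectors"
              % (p["index"], p["name"], p["lba_start"], p["lba_count"]))
```

Run against a real image with vmfs_partitions_in_image("/path/to/image.dd"); the starting LBA multiplied by 512 gives the byte offset at which the VMFS volume begins inside the image, which is the figure needed when handing the partition to a tool or VM that does understand VMFS.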
Sorry for late reply …
I make a Windows-based LiveCD that allows running an ESXi in a VMware Workstation VM - this ESXi can then access local storage and use any VMFS-formatted partitions.
This is pretty new stuff - only possible since ESXi and VMware Workstation 99530 are available - open to any suggestions.
By the way - this LiveCD is based on 2k3-sp2 and so can be configured to not mount any local disks during boot. It also runs Encase and FTK-imager …
If you are interested visit my site sanbarrow.com
Ulli
Ulli,
MOA 2.3.011 ESX-BANDIT sounds so cool and really could have helped on a recently completed project. I am sure that I will run up against ESX servers in the future, so I am downloading the exe now.
What OS should I use so that I can make sure that the target disks are mounted read-only?
Thanks …
-Mark Hallman
What OS should I use so that I can make sure that the target disks are mounted read-only?
Hmm - with 2k3-sp2 sources, when building the BartPE you can make sure that no partition is automatically mounted. Write-protecting mounted partitions is something different.
To do this I do not use the LiveCD itself - but a VM. This VM can then work on a snapshot of any physical disk.
See the as-if stunt video I made
http//
Sorry - I do not know if this approach is forensically sound?