Hi All,
I am after some insight from your experience/wisdom concerning an issue encountered by our unit.
You need to take an image of a server; however, the issues on-site were as follows:
- We were prohibited from seizing the server;
- We were prohibited from turning off the VM/Server, as it would affect other systems not covered in the warrant;
- We were unable to get F-Response to see the server (as it was virtualised and sandboxed in an ESXi Virtual Server, and local devices could not be seen);
- … which also meant that we could not connect an external storage drive directly to the physical server box;
- We also had only 10 hours to do this in.
Total size was just under 1TB.
All we had access to was a laptop (ethernet connected, USB2.0 interface) with an RDP session to the VM set up by a Network Manager there, prior to him being sent on his way. He had no admin privs and we didn't know his password for his domain account so we couldn't map a new drive (to perform any DOS commands - xcopy etc).
What would you have done or considered as your next step?