
VMware Server Environment forensic acquisition (need ideas)

5 Posts
3 Users
0 Likes
466 Views
(@kalymistirl)
Posts: 16
Active Member
Topic starter
 

How's it going, Forensic Focus.

I am doing some lab testing on ways to extract data from servers, which is going well using a mix of tools such as LinEn, EnCase Portable v3 (from a bootable disk; I have found this not to be very practical during a search, as you need the drivers for the RAID controller to carry out this type of acquisition and then have to burn another CD etc.), EnCase Portable while the system is live, acquiring system drives in this manner, and EnCase version 7/6 network acquisitions.

While working over the various scenarios which I might run into in the future during investigations, I decided to try and acquire data from part of my own network environment, and this is where I would love some advice.

I am running a virtualized environment which supports my current employer's server needs. This consists of two ESX hosts which connect to a SAN. The SAN holds 10 VMware machines all carrying out different tasks such as file and print, email server, web server etc. My question is how would I forensically extract the VMDK files of interest from the SAN (the SAN consists of two LUNs running RAID 5)? (I have mulled over this for a couple of days and cannot seem to find a solution other than extracting the disks from the SAN and acquiring the data via FastBloc.) Would anyone on the forum have a solution, and what software applications would you recommend (as stable as possible)? What would be a different approach rather than extracting the disks and acquiring them?

Thanks for any replies

Kaly..

 
Posted : 27/01/2012 9:53 pm
(@thall)
Posts: 53
Trusted Member
 

From my knowledge, if it is ESXi you can connect using the VPX client, view and export the attached VMDK files, and from there I personally would then take a logical image of the VMDK, obviously documenting the process fully.

 
Posted : 28/01/2012 4:24 am
(@douglasbrush)
Posts: 812
Prominent Member
 

The vSphere Client utility is a handy little app for this. It also allows you to make some logs and other setting captures. The VMDK files are flat files that can be mounted in most forensic programs, then imaged to another format such as an .E01 if you want it to carry custodian notes and the hashes.

Paul Henry did a nice write up on the SANS blog
How To - Digital Forensics Copying A VMware VMDK
http://computer-forensics.sans.org/blog/2010/09/28/digital-forensics-copy-vmdk-vmware-virtual-environment/

 
Posted : 28/01/2012 5:04 pm
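The export-then-image step in the reply above, as an added example that is not code from the original thread, from VMware or from the SANS write-up: on a VMFS datastore a VMDK is really two files, a small text descriptor and the raw extent it points at (the `-flat.vmdk`), and an export that leaves one behind, or truncates the extent, still looks like a VMDK in a file listing. The script below reads the descriptor, lists every extent it references, checks each one is present with the size the descriptor claims, and hashes it so the result can go into the acquisition notes. The descriptor text and the extent files are constructed inline for the demo; the filenames `server.vmdk`, `server-flat.vmdk` etc. are assumptions, not files from the poster's environment.

```python
"""Sanity-check an exported VMware VMDK (descriptor + flat extents) before imaging it.

Added example, not code from the forum thread or from VMware. The descriptor
and extent files it creates are constructed test data.
"""
import hashlib
import re
import tempfile
from pathlib import Path

SECTOR = 512
# Extent lines look like:  RW 2097152 VMFS "server-flat.vmdk"  (optional trailing offset)
EXTENT_RE = re.compile(r'^(RW|RDONLY|NOACCESS)\s+(\d+)\s+([A-Z]+)\s+"([^"]+)"(?:\s+(\d+))?$')
# Extent types whose on-disk file is exactly sectors * 512 bytes (no sparse header).
RAW_EXTENT_TYPES = {"FLAT", "VMFS"}

# Constructed descriptor: the layout ESXi writes, with three extents so the demo
# can show a good extent, a truncated one and a missing one.
SAMPLE_DESCRIPTOR = """# Disk DescriptorFile
version=1
encoding="UTF-8"
CID=fb183c20
parentCID=ffffffff
createType="vmfs"

# Extent description
RW 2 VMFS "server-flat.vmdk"
RW 4 VMFS "server-2-flat.vmdk"
RW 2 VMFS "server-3-flat.vmdk"

# The Disk Data Base
#DDB

ddb.adapterType = "lsilogic"
ddb.virtualHWVersion = "8"
"""
SAMPLE_EXTENT = b"NTFS    " * 128  # 1024 bytes = 2 sectors of constructed content


def parse_descriptor(text):
    """Return (header dict, list of extent dicts) from VMDK descriptor text."""
    header, extents = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = EXTENT_RE.match(line)
        if m:
            access, sectors, kind, name, offset = m.groups()
            extents.append({"access": access, "sectors": int(sectors), "type": kind,
                            "file": name, "offset": int(offset) if offset else 0})
        elif "=" in line:
            key, value = line.split("=", 1)
            header[key.strip()] = value.strip().strip('"')
    return header, extents


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=1 << 20):
    """Stream the file so multi-GB extents do not get read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_extents(descriptor_path):
    """Check every extent the descriptor names: present, expected size, and hash it."""
    descriptor_path = Path(descriptor_path)
    header, extents = parse_descriptor(descriptor_path.read_text())
    results = []
    for ext in extents:
        extent_path = descriptor_path.parent / ext["file"]
        expected = ext["sectors"] * SECTOR
        entry = {"file": ext["file"], "expected_bytes": expected}
        if not extent_path.exists():
            entry["status"] = "missing"          # descriptor exported without its extent
        else:
            size = extent_path.stat().st_size
            entry["actual_bytes"] = size
            entry["sha256"] = sha256_file(extent_path)
            if ext["type"] in RAW_EXTENT_TYPES and size != expected:
                entry["status"] = "size-mismatch"  # truncated or partial copy
            else:
                entry["status"] = "ok"
        results.append(entry)
    return header, results


def build_sample(directory):
    """Write the constructed descriptor and extents; returns the descriptor path."""
    d = Path(directory)
    (d / "server.vmdk").write_text(SAMPLE_DESCRIPTOR)
    (d / "server-flat.vmdk").write_bytes(SAMPLE_EXTENT)          # 2 sectors, correct
    (d / "server-2-flat.vmdk").write_bytes(SAMPLE_EXTENT)        # descriptor says 4 sectors
    # server-3-flat.vmdk deliberately not written
    return d / "server.vmdk"


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return verify_extents(build_sample(tmp))


if __name__ == "__main__":
    header, results = demo()
    print("createType:", header.get("createType"), "adapter:", header.get("ddb.adapterType"))
    for r in results:
        print(f'{r["file"]:22} {r["status"]:14} expected={r["expected_bytes"]} '
              f'actual={r.get("actual_bytes", "-")} sha256={r.get("sha256", "-")}')
```

Hash each extent as soon as it is exported and record the value alongside the descriptor; the same check run against the live datastore copy is only meaningful while the VM is powered off or on a snapshot, because a running guest keeps writing to the extent. Only `FLAT` and `VMFS` extents are exactly sectors times 512 bytes; sparse extents carry their own header, so the script hashes them but does not apply the size check.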
(@thall)
Posts: 53
Trusted Member
 

Yes, sorry, vSphere is the program I was referring to; would have been handy to have that write-up a few onsites ago :P

 
Posted : 29/01/2012 2:55 am
(@kalymistirl)
Posts: 16
Active Member
Topic starter
 

I didn't think of that; that is a simple solution. (Feel a bit silly now, oops.)

Thanks for all the replies.

Kaly….

lol

 
Posted : 30/01/2012 3:12 pm