Acquiring disks is a very important part of digital forensics. In my past blogs I discussed some aspects of forensics with respect to VMware ESX servers. This is the last part of the series.
To acquire a VM from a VMFS you must use a forensically sound method. One that duplicates the blocks used by the VM disk, memory, and meta files. Not a method that makes a copy. A copy is not an exact copy as file slack space (the space unused within a block) is ignored. We want this space.
There are several tools that will do this, but only one is currently available on all VMware ESX/ESXi. This is the dd tool. dd will allow you to duplicate the blocks used by the files and not just the files themselves. To copy a file or a directory you need to have some remote or USB storage available that is big enough to hold the data you want to duplicate.
Assuming a USB location that resides on device /dev/sde with a filesystem residing on /dev/sde1 mounted on /mnt/usbdevice, you can use the following to forensically copy a VMs files.
cd /vmfs/volumes/VMName; for x in `ls *.vm*`; do dd if=$x of=/mnt/usbdevice/VMName.vmdk; done
This will make a forensically sound duplicate of the files the comprise the VM. dd has many options, but will use the default blocksize of the file system from which the input file (if option) resides.
Remember to use dd to duplicate minimally the .vmdk, .vmx, .vmsn, and .vswp files.