August 11, 2008, 3:59 PM — Today it is possible for AccessData's FTK and Encase tools to read virtual machine disk files (VMDK) for further forensic study, but how do you get this information off a VMware ESX server's VMFS in a forensically sound manner? Is the VMDK all you need to grab?
The first question is very difficult to answer as a VMFS can be from 2 to 64TBs in size so grabbing the entire filesystem could be very expensive. But in addition to that, none of the current batch of forensic tools can read a VMFS. If you can't read a VMFS then you are in the position of spending time consuming hours carving out the VMDK and other files. So there needs to be a better solution. More on that in another blog.
The answer to the second question is quite a bit easier, and that is no, you need more than the VMDK -- mainly because there are more capabilities now than there were before. Specifically there are now several per virtual machine memory files as well as metadata and configuration files that are extremely useful. Files you should also get are:
.vswp -> Memory Swap File for the VM, only used when ESX has overcommitted memory
.vmsn -> Virtual Memory Snapshot file, a file that contains the memory contents of the VM when a snap shot has been made.
.vmdk -> metafiles about VMDKs
.vmx -> Configuration file, could also show if external media has been used
-flat.vmdk -> Raw Disk data of the appropriate disk format. By default zeroed thick. However, if the file was once bigger you may want the blocks around the disk as well off the VMFS
-rdm.vmdk -> not useful but it points to another disk that is a raw LUN off the storage device.
-delta.vmdk -> Points to the snapshot FIFO of disk changes. As part of your investigation you may wish to commit these changes or not. You can see the raw disk data without the delta file as well, which could be a previous save state.
From a forensics perspective each of these files could aid in research and you should grab them as well as the VMDK. In some cases it is like having an earlier copy of a disk to investigate as well as the memory within the system.
Digital Forensic Practitioners within the virtualization space should definitely grab more than just the disk file.
