
What I've said

This is such a misleading

This is such a misleading comment... Your Hotmail inbox will still be on Microsoft's servers, Flickr pics on Flickr's servers, Facebook profile on Facebook's servers, and so on.
Nothing changes from the web applications as of now. You just won't have the virus infections, crashed OS screens, etc...

Suspend or snapshot a running system to get all the VM's RAM

Hi Edward,

If you have the administrative and legal authority to stop a running VM and the willingness to do so in order to capture evidence, then you are better off suspending or taking a snapshot of the running VM, so that a copy of the VM's virtual RAM is committed to a file on disk while the virtual disk images are made read-only at the exact same time.

Then you can capture all the files related to that VM and perform analysis on the virtual disk image and memory image. And if you have acquired the logged-in user's password (analysis, court order, etc.), you could even resume that VM at a later date, as many times as you'd like, to show it as it was when the evidence was captured (in court, for example).

More Thoughts on Forensics

dd input and output "files" can be plain files or block devices.

Hi Edward,

I've been using dd as my disk image capturing software of choice for many years, usually booting a FreeBSD live CD and using dd to get disk images onto a mounted USB disk.

However, I wanted to point out that from looking at your loop and the input file argument it passes to dd, I see that you are using dd in a non-forensic manner.

The use of dd does not automatically mean that every operation you perform with it will be of a forensic quality. Correct procedure is required to do that.

dd can be used with input and output at the file level or raw block level (where you either specify a file from a mounted filesystem or raw block device respectively). To provide a forensic quality read of a disk, the input file must be a raw block device and NOT a file within a mounted filesystem from that block device.

Unfortunately this is conceptually blurred in UNIX-like operating systems, since a raw block device can be considered a "file" and accessed as such. This means the two can be confused when providing the input file (if=) to dd (or the output file, for that matter). The difference between file level and block level requires knowledge of the operating system you are using, since block devices are not always named in the same manner, and thus spotting the distinction can be difficult.

One of the first rules to capturing a forensic quality disk image is to NOT mount any filesystem within it, which is a part of why I prefer to use a BSD to capture evidence (it will not just mount a disk it finds without asking me).

In your example, you are copying non-forensically at the file level from a mounted filesystem! This means that you are not getting slack space data, deleted data, metadata which relates to (but is not contained in) the file, etc., and you are also continuing to run the risk of losing that required data as long as that filesystem on the source disk is mounted.
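As an added example (not the commenter's own script and not anything from the article being discussed), here is a POSIX shell version of the pre-flight checks this comment implies: refuse a source that is not a raw block device, refuse one that is still mounted, and only then acquire with dd and verify the image against the source by hash. The function names, the choice of bs=512, and the .log sidecar file are this example's own assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks plus a hash-verified dd acquisition.
# Function names, block size and the .log sidecar are assumptions made
# for this example, not part of the original comment.

# 0 if PATH is a raw block device (e.g. /dev/sdb); 1 for anything else,
# including an ordinary file inside a mounted filesystem, which dd would
# happily read at file level (no slack space, no deleted data, no metadata).
is_block_device() {
    [ -b "$1" ]
}

# 0 if DEV or any partition on it (/dev/sdb, /dev/sdb1, ...) appears in the
# mount table; imaging a mounted filesystem is exactly the mistake to avoid.
is_mounted() {
    mount | awk '{print $1}' | grep -q "^$1"
}

# Print the SHA-256 of a file or device; falls back to shasum where
# sha256sum is not installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Exit status: 0 = safe to image, 2 = not a block device, 3 = still mounted.
check_source() {
    if ! is_block_device "$1"; then
        echo "refusing: $1 is not a raw block device" >&2
        return 2
    fi
    if is_mounted "$1"; then
        echo "refusing: $1 is mounted; unmount it first" >&2
        return 3
    fi
    return 0
}

# Copy SRC to DST sector by sector, then verify. bs=512 with conv=noerror,sync
# keeps going past an unreadable sector by zero-filling it, which keeps every
# later byte at its true offset, and on a real device (whole number of sectors)
# adds no trailing padding, so source and image hashes must agree. dd's own
# record counts and error messages go to DST.log to be kept with the image.
# Prints the verified SHA-256 on success; returns 1 on copy or hash failure.
acquire_image() {
    src=$1; dst=$2
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>"$dst.log" || return 1
    src_hash=$(sha256_of "$src")
    dst_hash=$(sha256_of "$dst")
    if [ "$src_hash" != "$dst_hash" ]; then
        echo "hash mismatch: $src_hash != $dst_hash" >&2
        return 1
    fi
    echo "$dst_hash"
}

# Typical use (as root, source unmounted, destination on a separate drive):
#   check_source /dev/sdb && acquire_image /dev/sdb /mnt/evidence/sdb.dd
```

The check_source function is the part that catches the mistake described above: handed a path that lives inside a mounted filesystem, it returns 2 instead of letting dd run, and handed a device that the live system has auto-mounted, it returns 3. Keeping the hash output and the .log file alongside the image gives you something to cite later when you need to show the copy matched the source at acquisition time.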

Wow, check out...

...that IT "cheesecake" calendar on the back wall.

;)
