January 16, 2009, 4:30 PM — Recent VMware Communities forum discussions have brought Forensics to the fore once again. Even so it has made me think of using virtualization tools to do preliminary analysis -- something that could tell you if the time and effort of full acquisition is required.
A Physical to Virtual (P2V) conversion will take the bits on a physical drive and create an image as a virtual disk. Is this image forensically sound? The answer is unfortunately no. The P2V process injects drivers and HAL updates into the image so that the image will properly boot on power-up of the VM. In addition, a P2V could change the size of file systems and virtual disks in use. The P2V process should not change the original drives.
However, P2V could be used as a way to perform an initial analysis that could tell you if the expense of a proper disk acquisition is actually required. While P2V does take time, it takes quite a bit less paper work, is not as intrusive, and could save you storage space as you get a chance to analyze the system to see if you really need to acquire. If you don't, then nothing is at stake. There is no need to even dismantle the system to perform a P2V, and this non-intrusive step could be extremely helpful for the normal corporate security (forensic) analyst.
But if something is found, then a full acquisition, following proper procedures would be required.
