Virtualization

P2V as a Part of Forensics

Be the first to comment | 13I like it!
Tags: Blue Gears, Forensics, P2V, texiwill, VM, VMware

Recent Posts

January 16, 2009, 04:30 PM —

Recent VMware Communities forum discussions have brought Forensics to the fore once again. Even so it has made me think of using virtualization tools to do preliminary analysis -- something that could tell you if the time and effort of full acquisition is required.

A Physical to Virtual (P2V) conversion will take the bits on a physical drive and create an image as a virtual disk. Is this image forensically sound? The answer is unfortunately no. The P2V process injects drivers and HAL updates into the image so that the image will properly boot on power-up of the VM. In addition, a P2V could change the size of file systems and virtual disks in use. The P2V process should not change the original drives.

However, P2V could be used as a way to perform an initial analysis that could tell you if the expense of a proper disk acquisition is actually required. While P2V does take time, it takes quite a bit less paper work, is not as intrusive, and could save you storage space as you get a chance to analyze the system to see if you really need to acquire. If you don't, then nothing is at stake. There is no need to even dismantle the system to perform a P2V, and this non-intrusive step could be extremely helpful for the normal corporate security (forensic) analyst.

But if something is found, then a full acquisition, following proper procedures would be required.

I like it!

Email
Print
Share
- Slashdot
- Digg
- Stumble
- Reddit
- Newsvine

Post a comment

Your name: *

E-mail: *

The content of this field is kept private and will not be shown publicly.

Subject:

Comment: *

Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
Lines and paragraphs break automatically.

peer-to-peer

Esther Schindler
If the comments are ugly, the code is ugly

claird
SVG a graphics format for 21st century

pasmith
Take Chrome OS for a test spin

Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?

sjvn
64-bits of protection?

jfruh
Android fragments vs. the iPhone monolith

mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive

Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325

Join the conversation here

The Daily Tip

Quick, practical advice for IT pros. Made fresh daily.

Hot tips:

Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.

Newsletters

Subscribe to ITWORLD TODAY and receive the latest IT news and analysis.

*E-mail address:

*Verify E-mail:

*Job Title:

*Industry:

*Company Size:

*Country

* State:

I would like to receive offers via email from ITworld partners.

By clicking submit you agree to the terms and conditions outlined in ITworld's privacy policy.

view all newsletters »

	iPhone for Programmers: An App-Driven Approach Everything you need to start developing great iPhone apps. Enter now!
	The Google Way Discover how Google's culture of innovation is reinventing business. Enter now!

P2V as a Part of Forensics

Ease integration of Unix, Linux and Windows-based computers