Chapter 9: Forensic Analysis > Summary - Pg. 253

Frequently Asked Questions

Q: What is different about imaging a VM (e.g., a production virtual server) from imaging a physical drive?

A: We image a physical drive to ensure that information that may reside in slack space and unallocated space is available for forensic examination. The information in slack space and unallocated space may be left over from previous activity on the suspect's computer, and it may include information relevant to a case that a suspect, or malicious code, attempted to delete. For a VM, the slack space and unallocated space that investigators are interested in is located inside the virtual disk image file and the other files that represent the VM on the host. Copying the disk image file and the associated VM files is therefore sufficient to recreate the VM, with one exception: the case where tampering via the host computer is suspected. In that case the host itself becomes a suspect system, and the slack and unallocated space of the host's physical drives become the target of the investigation and would need to be acquired as well.
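The acquisition step the answer describes, copying the VM's disk image and associated files and proving the copy is faithful, as an added example that is not from the book: a small Python script that inventories the VM's files, hashes each one before and after the copy, writes a manifest, and re-verifies the copy later. The set of file suffixes is an assumption (VMware-style naming plus a few other hypervisors' formats); the sample VM directory it builds is constructed data, not a real VM.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

# Files that make up a VM's on-disk state. ASSUMPTION: VMware-style naming
# (.vmdk disk, .vmx config, .vmsn/.vmss snapshot and suspend state, .nvram)
# plus Hyper-V and QEMU/KVM disk formats; adapt the set to the hypervisor in use.
VM_FILE_SUFFIXES = {".vmdk", ".vmx", ".vmsd", ".vmsn", ".vmss", ".vmxf", ".nvram",
                    ".vhd", ".vhdx", ".qcow2"}


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so multi-GB disk images don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def collect_vm_files(vm_dir):
    """Every file under vm_dir that belongs to the VM's state (snapshots and delta disks included)."""
    vm_dir = Path(vm_dir)
    return sorted(p for p in vm_dir.rglob("*")
                  if p.is_file() and p.suffix.lower() in VM_FILE_SUFFIXES)


def acquire_vm(vm_dir, dest_dir):
    """Copy the VM files to dest_dir and return a manifest {relative path: sha256}.

    Each file is hashed on the source before the copy and on the destination
    afterward; a mismatch raises, so a bad copy never enters the evidence set.
    """
    vm_dir, dest_dir = Path(vm_dir), Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for src in collect_vm_files(vm_dir):
        rel = src.relative_to(vm_dir)
        dst = dest_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        src_hash = sha256_file(src)
        shutil.copy2(src, dst)  # copy2 preserves timestamps as well as contents
        if sha256_file(dst) != src_hash:
            raise IOError(f"copy of {rel} does not match the source hash")
        manifest[str(rel)] = src_hash
    with open(dest_dir / "manifest.json", "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_acquisition(dest_dir):
    """Re-hash the acquired files against manifest.json; return the paths that no longer match."""
    dest_dir = Path(dest_dir)
    with open(dest_dir / "manifest.json") as f:
        manifest = json.load(f)
    return [rel for rel, digest in manifest.items()
            if not (dest_dir / rel).exists() or sha256_file(dest_dir / rel) != digest]


def build_sample_vm(vm_dir):
    """Construct a toy VM directory (constructed sample data, not a real VM)."""
    vm_dir = Path(vm_dir)
    vm_dir.mkdir(parents=True, exist_ok=True)
    (vm_dir / "suspect-vm.vmdk").write_bytes(os.urandom(64 * 1024))  # stands in for the virtual disk
    (vm_dir / "suspect-vm.vmx").write_text('displayName = "suspect-vm"\n')
    (vm_dir / "suspect-vm.nvram").write_bytes(b"\x00" * 8192)
    (vm_dir / "notes.txt").write_text("not part of the VM state\n")  # deliberately not collected


def demo():
    """End-to-end run in a temp directory: acquire, verify, tamper with the copy, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "vm", Path(tmp) / "evidence"
        build_sample_vm(src)
        manifest = acquire_vm(src, dst)
        clean = verify_acquisition(dst)  # expected: []
        # Simulate post-acquisition tampering: flip one byte inside the disk copy.
        disk = dst / "suspect-vm.vmdk"
        data = bytearray(disk.read_bytes())
        data[100] ^= 0xFF
        disk.write_bytes(bytes(data))
        tampered = verify_acquisition(dst)  # expected: ["suspect-vm.vmdk"]
        return {"files": sorted(manifest), "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two practical points the script embodies: collect snapshot, delta-disk and suspend-state files along with the base disk, since guest data the suspect tried to delete may sit in any of them, and copy the files only while the VM is powered off or from a consistent snapshot so the disk image is not changing under the copy. When host tampering is suspected, this file-level copy is not enough, and the host's physical drives are imaged in the usual way.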