Imaging Virtual Machines

In the section "Virtual Machine Forensics" of "A Discussion of Virtual Machines Related to Forensics Analysis," Shavers (2008) asks "Why Image a VM?" There are several reasons to image a VM rather than, or in addition to, the physical host.

First, a VM is a set of files stored on a physical drive. If the VM itself is the only item of interest, there may be no need to acquire the entire drive. In some situations it is not even possible to image the entire drive, for example when the VM lives on a storage area network (SAN) or on an ESXi server that hosts many other VMs. Live acquisition has therefore become a serious consideration, and it is essential for cloud OS instances and some mobile systems, especially when the physical system sits in another national jurisdiction. At the opposite end of the spectrum, a virtual environment like MojoPac must be captured in its entirety, because it is a self-contained XP environment with its own registry and its own folder for user documents. As discussed in Chapter 5, "Investigating Dead Virtual Environments," and as shown in Figure 7.11, a virtual machine depends on several files, all of which must be collected for the VM to function.
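Because a VM is a set of interdependent files, a file-level acquisition has to follow the references between them: the .vmx names the attached disks and the NVRAM store, a .vmdk descriptor names its extent files, and a snapshot delta disk names its parent. The script below is an added example (it is not code from the book or from Shavers' paper) that walks those references from a .vmx and produces a SHA-256 manifest of every file the VM needs. It assumes the VMware key names and descriptor syntax (scsiN:M.fileName, nvram, extent lines of the form RW SIZE TYPE "file", parentFileNameHint) and builds a constructed, fake VM layout in build_sample_vm() so it runs offline; it handles only separate text descriptors, not the descriptor embedded inside a monolithic sparse .vmdk.

```python
"""Enumerate and hash the file set that makes up a VMware virtual machine.

Added example, not the book's code.  Starting from a .vmx configuration
file, follow the disk references it contains, resolve each .vmdk
descriptor to its extent files and snapshot parents, and emit a SHA-256
manifest so the VM can be acquired file-by-file instead of imaging the
whole host volume.  The VM written by build_sample_vm() is constructed
here for demonstration and is not a real guest.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# .vmx keys whose value names another file: bus/device disk attachments
# ("scsi0:0.fileName") and the BIOS/EFI variable store ("nvram").
VMX_FILE_KEY = re.compile(
    r'^\s*(?:(?:scsi|ide|sata|nvme)\d+:\d+\.fileName|nvram)\s*=\s*"([^"]+)"', re.I)
# Extent lines of a text .vmdk descriptor: ACCESS SIZE TYPE "file" [offset]
VMDK_EXTENT = re.compile(
    r'^\s*(?:RW|RDONLY|NOACCESS)\s+\d+\s+[A-Z]+\s+"([^"]+)"', re.I)
# A snapshot delta disk names the disk it was taken from.
VMDK_PARENT = re.compile(r'^\s*parentFileNameHint\s*=\s*"([^"]+)"', re.I)
DESCRIPTOR_MAGIC = b"# Disk DescriptorFile"


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def collect_vm_files(vmx_path) -> list:
    """Return every file the VM depends on, starting from its .vmx."""
    vmx = Path(vmx_path).resolve()
    base = vmx.parent
    found, seen = [], set()

    def add(p: Path) -> bool:
        p = p.resolve()
        if p in seen or not p.is_file():   # missing extents are skipped, not fatal
            return False
        seen.add(p)
        found.append(p)
        return True

    def walk_vmdk(p: Path) -> None:
        if not add(p):
            return
        with p.open("rb") as f:
            head = f.read(len(DESCRIPTOR_MAGIC))
        if head != DESCRIPTOR_MAGIC:
            return  # binary extent data (flat/sparse/delta): nothing to follow
        for line in p.read_text(errors="replace").splitlines():
            m = VMDK_EXTENT.match(line) or VMDK_PARENT.match(line)
            if m:
                walk_vmdk(p.parent / m.group(1))

    add(vmx)
    for line in vmx.read_text(errors="replace").splitlines():
        m = VMX_FILE_KEY.match(line)
        if not m:
            continue
        target = base / m.group(1)
        if target.suffix.lower() == ".vmdk":
            walk_vmdk(target)
        else:
            add(target)
    # Sidecar state files share the VM's stem: snapshot list (.vmsd),
    # snapshot state (.vmsn), suspended memory (.vmem/.vmss) and logs.
    for p in sorted(base.glob(vmx.stem + "*")):
        if p.suffix.lower() in {".vmsd", ".vmsn", ".vmem", ".vmss", ".log"}:
            add(p)
    return found


def build_manifest(vmx_path) -> list:
    """(relative path, size, sha256) for each collected file."""
    vmx = Path(vmx_path).resolve()
    return [(str(p.relative_to(vmx.parent)), p.stat().st_size, sha256_file(p))
            for p in collect_vm_files(vmx)]


def build_sample_vm(directory) -> Path:
    """Write a constructed (fake) VM: snapshot delta on top of a 2-extent base."""
    d = Path(directory)
    (d / "win7.vmx").write_text(
        '.encoding = "UTF-8"\nconfig.version = "8"\ndisplayName = "win7"\n'
        'scsi0:0.present = "TRUE"\nscsi0:0.fileName = "win7-000001.vmdk"\n'
        'nvram = "win7.nvram"\n')
    (d / "win7.vmdk").write_bytes(
        b'# Disk DescriptorFile\nversion=1\ncreateType="twoGbMaxExtentSparse"\n\n'
        b'# Extent description\nRW 4192256 SPARSE "win7-s001.vmdk"\n'
        b'RW 4192256 SPARSE "win7-s002.vmdk"\n')
    (d / "win7-000001.vmdk").write_bytes(
        b'# Disk DescriptorFile\nversion=1\nparentFileNameHint="win7.vmdk"\n'
        b'createType="vmfsSparse"\n\nRW 8384512 VMFSSPARSE "win7-000001-delta.vmdk"\n')
    (d / "win7-s001.vmdk").write_bytes(b"KDMV" + b"\x00" * 60)   # fake extent data
    (d / "win7-s002.vmdk").write_bytes(b"KDMV" + b"\x01" * 60)
    (d / "win7-000001-delta.vmdk").write_bytes(b"COWD" + b"\x02" * 60)
    (d / "win7.nvram").write_bytes(b"\xff" * 32)
    (d / "win7.vmsd").write_text('snapshot0.uid = "1"\n')
    (d / "win7.vmem").write_bytes(b"\x00" * 128)
    return d / "win7.vmx"


def demo() -> list:
    """Build the sample VM in a scratch directory and return its manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        return build_manifest(build_sample_vm(tmp))


if __name__ == "__main__":
    for rel, size, digest in demo():
        print(f"{digest}  {size:>8}  {rel}")
```

Run it against a real guest as `build_manifest("/path/to/guest.vmx")` only after the VM is powered off or a consistent snapshot has been taken; a running VM holds locks and keeps rewriting its .vmem and delta disks, so hashes taken live will not match the collected copies. The manifest documents what was acquired, not what was missed: deleted VM files, host slack space and host-side artifacts are exactly the things a file-level acquisition of the VM does not preserve, which is why the choice between imaging the VM and imaging the drive depends on what is in scope.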

