Virtual machines

Responders will often encounter virtual servers and even workstations as part of an investigation. Virtualized systems can be acquired by simply exporting a paused virtual machine to a removable drive. In other instances, responders can make use of the snapshot feature of a virtual system. This creates a separate file that can be analyzed at the date and time a snapshot is taken. In either case, responders should make sure that the drive has been sanitized properly and that the proper documentation has been addressed.

To acquire the virtual machine, simply pause the system and then move the entire directory to the external media. (In some instances, this can even be accomplished remotely.) In Windows virtual platforms such as VMware, there are several files that make up the virtual image:

  • .vmdk: This is the virtual disk image file. This is the logical volume where the virtual operating system and files reside. Obtaining this file is much like imaging the C drive on a physical system.
  • .vmem: The .vmem file is the virtual memory file. This is the storage area for the virtual RAM or physical memory. This file can be exported and combined with an additional file for analysis using the methods that will be discussed in Chapter 8, Analyzing System Memory.
  • .vmss: The VMware suspended state file saves the running configuration of a suspended virtual machine. This includes process and network connection data. This file is combined with the .vmem file to provide the system memory.
  • .vmsn: This is the virtual snapshot state file. This file contains the state of the system when the snapshots were taken.

Incident responders can use these files in several ways. First, the .vmdk file can be mounted the same way as an image file can in various digital forensics software platforms. These will be discussed in Chapter 9, Analyzing System Storage. Second, the .vmsn file can be used to reconstruct the system by simply copying the file and working with the facsimile. From here, responders can look at the behavior of the system or extract evidence without impacting the original .vmsn file.

Finally, the running memory that is captured through the .vmem and .vmss files can be analyzed in much the same way you would analyze other memory captures. To obtain the proper forensic data, the two files must be combined. This can be done by utilizing the vmss2core.exe tool, which is included as part of the VMware suite of tools. To combine these files, the following command syntax needs to be used:

C:\VirtualTools\vmss2core.exe -W "InfectedServer.vmss" "InfectedServer.vmem"

The preceding command will produce a memory dump in the directory containing the two files.
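The acquisition steps above (pause, copy the directory, identify the four file types, pair the .vmss with its .vmem, and build the vmss2core command line) can be scripted so that the responder also records sizes and SHA-256 hashes for the documentation the text asks for. The following Python script is an added example, not code from the book or from VMware; it only inventories files and prints the command, it does not run vmss2core. The directory it scans is a constructed temporary directory with placeholder files, and the tool path is the book's example location, assumed here to match the responder's install.

```python
"""Inventory a copied VMware directory for acquisition and prepare the vmss2core step.

Added example: builds a constructed VM directory, lists the forensic file types
described in the text with hashes, and forms (without executing) the vmss2core
command that combines the .vmss and .vmem files.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

# File roles taken from the text. Other files in the directory (configs, logs)
# are still copied during acquisition but are not inventoried here.
VM_ROLES = {
    ".vmdk": "virtual disk image",
    ".vmem": "virtual memory (RAM) file",
    ".vmss": "suspended state file",
    ".vmsn": "snapshot state file",
}

# Assumption: vmss2core.exe lives at the path used in the text's example.
DEFAULT_TOOL_PATH = r"C:\VirtualTools\vmss2core.exe"


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks; .vmdk/.vmem files are far too large to read whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory_vm_dir(vm_dir):
    """Return one record per recognised VM file: name, role, size and SHA-256.

    Sorted by name so the output is reproducible for the acquisition log.
    """
    records = []
    for path in sorted(Path(vm_dir).iterdir()):
        role = VM_ROLES.get(path.suffix.lower())
        if role and path.is_file():
            records.append({
                "name": path.name,
                "role": role,
                "size": path.stat().st_size,
                "sha256": sha256_file(path),
            })
    return records


def memory_pairs(vm_dir):
    """Pair each .vmss with the .vmem of the same base name.

    vmss2core needs both files; a .vmss without its .vmem cannot be converted,
    so unmatched files are simply not returned.
    """
    pairs = []
    for vmss in sorted(Path(vm_dir).glob("*.vmss")):
        vmem = vmss.with_suffix(".vmem")
        if vmem.exists():
            pairs.append((vmss.name, vmem.name))
    return pairs


def vmss2core_command(vmss_name, vmem_name, tool_path=DEFAULT_TOOL_PATH):
    """Form the command line shown in the text (-W writes a Windows memory dump)."""
    return f'{tool_path} -W "{vmss_name}" "{vmem_name}"'


def build_constructed_vm_dir():
    """Create a throwaway directory of tiny placeholder files (constructed, not real VM data)."""
    vm_dir = Path(tempfile.mkdtemp(prefix="vm_acq_"))
    placeholders = {
        "InfectedServer.vmdk": b"constructed-vmdk",
        "InfectedServer.vmem": b"constructed-vmem",
        "InfectedServer.vmss": b"constructed-vmss",
        "InfectedServer-Snapshot1.vmsn": b"constructed-vmsn",
        "notes.txt": b"not a VM artefact; must not appear in the inventory",
    }
    for name, content in placeholders.items():
        (vm_dir / name).write_bytes(content)
    return vm_dir


if __name__ == "__main__":
    vm_dir = build_constructed_vm_dir()
    try:
        for rec in inventory_vm_dir(vm_dir):
            print(f"{rec['name']:32} {rec['role']:26} {rec['size']:>6} B  {rec['sha256']}")
        for vmss, vmem in memory_pairs(vm_dir):
            print("Run on the analysis workstation:", vmss2core_command(vmss, vmem))
    finally:
        shutil.rmtree(vm_dir)
```

Run the script once against the copied directory before and once after the transfer to removable media; matching hashes on both sides are the evidence that the copy is intact.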

Although virtualization is common in large enterprises, it should not represent a significant challenge. In some ways, the ability to simply pause a system and extract all the necessary files makes extracting the necessary evidence faster.

Thus far, the focus has been on Windows tools for imaging. Another option available to incident responders is the use of Linux imaging tools. A variety of tools, many of them open source, provide write-blocking and imaging capabilities.