Forensic Acquisition of a Virtual Machine with Access to the Host

Someone recently asked about an easy way to create a RAW image of virtual machine (VM) disks, so here is a quick how-to.

If you have access to the VM host, you could either copy and convert the virtual disks on the host using something like qemu-img, or if for some reason you cannot convert the virtual disks, you can image the VM from within the virtual environment. This how-to will go through relatively easy ways to image a live or offline virtual machine using the virtual environment with access to the host.

First, if the virtual machine cannot be shut down (live environment), you will make changes to the 'suspect' environment. If it is a suspect device, make sure your tools are on write-protected media. Verification of disk images won't work in a live environment since the disk is changing while imaging is taking place. If you are doing and offline acquisition for forensic purposes, make sure you are verifying the images once you create them.

If the VM is live and cannot be shut down:

• Fist check if the management interface allows devices to be attached to the VM; specifically USB/Firewire devices.
• If you cannot attach devices for whatever reason, then you will have to use a network share or a netcat tunnel to copy the image.
• Ensure your storage media is larger than the Virtual Machine's disk
• If it is a Windows environment, copy your imaging program like FTK Imager lite, or dd.exe from unxutils, to the network share/USB device. I also like chrysocome's dd since it lets you list devices.
• In the Virtual Machine, mount your share/USB device
• From the mounted device, you should be able to access and run the imaging tools you copied previously - ensure you output the image to your share/USB device.
• dd
• FTK Imager Lite

If the VM is offline or can be shut down:

• First check if you can boot the VM from a CD/USB device
• If yes, use a live CD like FCCU or Helix to boot the VM
• All we are really interested in is 1) an imaging program on the live CD and 2) USB or network support and 3) netcat installed.
• If no:
• Can you add CD/USB support to the VM?
• Can you copy the VM, and convert to a RAW image using qemu-img (part of qemu)?
• Boot the VM, and make an image in the live environment (go to the live imaging section)
• After you have booted the VM from a live CD...
• Using external storage to store the image:
• List the current disks - (fdisk -l) - and take note of the current suspect disks to image
• /dev/hda would be a physical disk, while /dev/hda1 would be partition 1 on disk 'a'
• Attach and mount an external storage disk
• Make a copy of the physical disk (usually something like /dev/sda) using an imaging program like dd or guymager.
• Make sure you are copying the image to your external disk!
• Using the network:
• Network share:
• List the current disks, and take note of the suspect disks to image
• Mount the network share
• Make a copy of the physical disk (usually something like /dev/sda) using an imaging program like dd or guymager.
• No network share:
• Set up a netcat tunnel between a server (any computer you control), and the suspect VM (client)
• Note: this connection is unencrypted!!!
• You can use ssh or cryptcat to for an encrypted tunnel, and bzip for compression and faster transfer speeds.

That's it. Pretty generic, but it should be enough to get anyone started. Please comment if you have any questions


Image: FreeDigitalPhotos.net