
What is the easiest way to create a raw disk image of a VMware guest?


I have a VMware guest and I want to create a raw disk image of it so I can do further forensics on it. The reason I don't want to create the image in a live manner from inside the VM is that there might be some kernel rootkits there, and so it might change the real output.

So what is the best approach here to create a disk image of a VMware guest? I know it's possible using VirtualBox, but what about VMware?


Solution

  • For forensic analysis of a virtual machine, I boot the relevant system from a live CD (e.g. Paladin, Deft, or Ubuntu). From the live system I create a forensic image of the VM hard disks in e01 or dd format . . .
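The dd-format imaging step described in the answer above can be scripted so that the copy is hashed and verified. This is an added example, not part of the original answer. It assumes a Linux live system with GNU coreutils (`sha256sum`); the function names, device path and destination path are hypothetical.

```shell
#!/bin/sh
# Added example: acquire a raw (dd-format) image from the live system
# and verify it against the source. All names here are hypothetical.

sha256_of() {
    # Print only the hex digest; fail if the file or device cannot be read.
    out=$(sha256sum "$1") || return 1
    echo "${out%% *}"
}

acquire_raw() {
    src=$1   # guest disk as seen from the live CD (assumed, e.g. /dev/sda)
    dst=$2   # image path on separate evidence storage (assumed)

    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    # Never overwrite an existing evidence file.
    [ ! -e "$dst" ] || { echo "$dst already exists" >&2; return 3; }

    # Hash the source first so the image can be compared against it.
    src_hash=$(sha256_of "$src") || return 4

    # Plain block copy. conv=noerror,sync is deliberately not used: it pads
    # short reads with zeros, so the image would no longer match the source
    # hash. A read error aborts the acquisition instead.
    dd if="$src" of="$dst" bs=1048576 2>"$dst.log" || return 5
    sync

    img_hash=$(sha256_of "$dst") || return 4

    # Record the digest beside the image and make both read-only.
    printf '%s  %s\n' "$img_hash" "$(basename "$dst")" >"$dst.sha256"
    chmod a-w "$dst" "$dst.sha256"

    # The image is only accepted if it is bit-identical to the source.
    [ "$src_hash" = "$img_hash" ] || return 1
    echo "$img_hash"
}

# Usage from the live system (paths are assumptions):
#   acquire_raw /dev/sda /mnt/evidence/guest.raw
```

The source must not be mounted read-write while the function runs, otherwise the two hashes can differ and the function returns 1.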