3 Replies Latest reply on Nov 14, 2017 12:07 PM by continuum

    How to create a forensically sound copy of a powered off ESXi-VM?

    continuum Guru

      Hello all
      I have been asked to create a copy of a VM in such a way that the copy can be used as a piece of evidence in court.
      A quick search in Google only showed a couple of hits and surprisingly I would NOT accept any of those if I were the lawyer of the opposite party.
      So here is the way I would do it - please review the procedure and tell me if this procedure is acceptable.
      Note 1. md5sums of flat.vmdks created on the ESXi-shell are unreliable because they may vary depending on the type of provisioning.
      1. power off VM
      2. using the ESXi-shell create a filelist of all files in the VM-directory and create md5-checksums
      md5sum * >> checksums-before-clone
      3. boot the VM into a Linux LiveCD that has not been modified in any way and has a public download link
      4. inside Linux create md5sums for all devices such as
      md5sum /dev/sda > /tmp/sda-md5sum.txt
      md5sum /dev/sdb > /tmp/sdb-md5sum.txt
      ....
      5. create dd-images for all devices such as
      dd if=/dev/sda of=/somewhere/sda.dd bs=1M conv=notrunc,noerror
      dd if=/dev/sdb of=/somewhere/sdb.dd bs=1M conv=notrunc,noerror
      ....
      6. create md5sums for all diskimages such as
      md5sum /somewhere/sda.dd > /somewhere/sda.md5
      md5sum /somewhere/sdb.dd > /somewhere/sdb.md5
      ...

      7. power off Linux LiveCD
      8. compress all required files including:
      nvram-file
      vmx-file
      vmdk descriptor files
      all dd-images

      9. move all files to the ESXi host that will be used in court
      10. create new directory on target host
      11. create empty new vmdks according to the descriptor files you collected on the source
      12. build new VM using original vmx-file
      13. boot new VM into Linux LiveCD and populate the new vmdks with the original content using dd again.
      dd of=/dev/sda if=/somewhere/sda.dd bs=1M conv=notrunc,noerror
      dd of=/dev/sdb if=/somewhere/sdb.dd bs=1M conv=notrunc,noerror
      14. create new checksums for each device and compare them with the checksums from the source
      15. if the checksums match - you can assume your clone is forensically sound.


      As you may see, the amount of work is impressive .....
      If there is any known and established shortcut for this procedure - please let me know.


      Regards

      Ulli
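The hash-before / image / hash-after loop from steps 4 to 6 and 13 to 15 above, written out as a small POSIX shell script. This is an added example and not code from the thread or from VMware; it uses sha256sum instead of md5sum (as suggested later in the thread), and the device paths, the evidence directory and the data produced by demo_setup are assumptions and constructed test data, not real evidence.

```shell
#!/bin/sh
# Added example (not from the thread): hash sources, image them with dd,
# hash the images, restore, hash again, and compare manifests.
# Device paths (/dev/sda, ...) and the evidence directory are assumptions.
set -eu

# Hash every source device (or image file) into one manifest, one line each,
# in the "<hash>  <path>" format sha256sum itself produces (step 4).
make_manifest() {
    manifest=$1; shift
    : > "$manifest"
    for src in "$@"; do
        sha256sum "$src" >> "$manifest"
    done
}

# Image each source with dd and record the hash of the finished image next
# to it (steps 5 and 6). conv=noerror keeps reading past unreadable blocks;
# if one is hit, dd reports it and the image hash will no longer match.
image_devices() {
    outdir=$1; shift
    mkdir -p "$outdir"
    for src in "$@"; do
        name=$(basename "$src")
        dd if="$src" of="$outdir/$name.dd" bs=1M conv=noerror status=none
        sha256sum "$outdir/$name.dd" > "$outdir/$name.dd.sha256"
    done
}

# Compare every manifest entry against its image in outdir.
# Returns 0 only if every hash matches, 1 if any differs.
verify_images() {
    manifest=$1; outdir=$2; status=0
    while read -r expected src; do
        copy="$outdir/$(basename "$src").dd"
        actual=$(sha256sum "$copy" | cut -d' ' -f1)
        if [ "$expected" = "$actual" ]; then
            echo "OK    $src -> $copy"
        else
            echo "FAIL  $src -> $copy"
            status=1
        fi
    done < "$manifest"
    return $status
}

# Write an image back onto a new, empty target device (step 13).
restore_image() {
    dd if="$1" of="$2" bs=1M conv=noerror status=none
}

# Steps 14 and 15: the manifest taken on the target must carry exactly the
# same hashes, in the same order, as the manifest taken on the source.
manifests_match() {
    [ "$(cut -d' ' -f1 "$1")" = "$(cut -d' ' -f1 "$2")" ]
}

# Constructed sample: two plain files of random bytes stand in for
# /dev/sda and /dev/sdb so the script can be exercised without real disks.
demo_setup() {
    work=$(mktemp -d)
    mkdir -p "$work/dev"
    head -c 1500000 /dev/urandom > "$work/dev/sda"
    head -c 700000  /dev/urandom > "$work/dev/sdb"
    echo "$work"
}
```

Because the source hash is taken over the raw device and the copy hash over the dd output, the two agree only when every block was read; a read error skipped by conv=noerror shows up as a mismatch rather than as a silently "verified" image, which is the property the procedure relies on.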

        • 1. Re: How to create a forensically sound copy of a powered off ESXi-VM?
          a.p. Guru

          How about this?


          1. power off VM
          2. boot the VM into a Linux LiveCD that has not been modified in any way and has a public download link
          3. inside Linux create md5sums for all devices such as
            md5sum /dev/sda > /tmp/sda-md5sum.txt
            md5sum /dev/sdb > /tmp/sdb-md5sum.txt
          4. power off Linux LiveCD
          5. export VM to OVA (which contains a signature), and create a checksum for the OVA once exported
          6. download required files including .vmx, .vmxf .nvram, ..., compress them and create a checksum


          move/import all files to the ESXi host (same version/build as the original one if possible) that will be used in court:


          1. verify checksums for OVA, and additional files
          2. import OVA
          3. remove imported VM from inventory, replace individual files (.vmx, .vmxf, nvram, ...), and add the VM back to the inventory
          4. boot new VM into Linux LiveCD
          5. create new checksums for each device and compare them with the checksums from the source
            if the checksums match - you can assume your clone is forensically sound.


          What I'm worried about is step 1 on the source. If the VM is still running, how can you prove that nothing has been modified before powering it off?


          André

          • 2. Re: How to create a forensically sound copy of a powered off ESXi-VM?
            daphnissov Guru

            Forgive me if this sounds too rudimentary, but since you are in control of the system in question, what would be wrong with going directly to exporting the VM as an OVF and getting hashes of each file, or at least the file that matters (VMDK)? Have you been told a process starting at that level would be unacceptable? At least from there you could have a transportable package and then prove immutability.

            • 3. Re: How to create a forensically sound copy of a powered off ESXi-VM?
              continuum Guru

              Hi Andre, hi Chip
              I do not claim to be an expert in forensics but according to everything I have heard so far every procedure that involves proprietary tools leaves a good chance for the lawyers of the opposite party to question the evidence.
              So I thought of a procedure that only uses methods that have been used in courts before.
              Of course that approach is way more time consuming - but it seems to be the safest approach.

              I also learned so far that md5sums are not good enough and should be replaced with sha256 checksums - thanks to Edward.


              To do: learn how to work with the vmss2core tool to handle running VMs.
              VMware Knowledge Base