I have been asked to create a copy of a VM in such a way that the copy can be used as a piece of evidence in court.
A quick search on Google only showed a couple of hits, and surprisingly I would NOT accept any of those if I were the lawyer of the opposite party.
So here is the way I would do it - please review the procedure and tell me if this procedure is acceptable.
Note 1. md5sums of flat.vmdks created on the ESXi-shell are unreliable because they may vary depending on the type of provisioning.
1. power off VM
2. using the ESXi-shell create a filelist of all files in the VM-directory and create md5-checksums
    md5sum * >> checksums-before-clone
3. boot the VM into a Linux LiveCD that has not been modified in any way and has a public download link
4. inside Linux create md5sums for all devices such as
    md5sum /dev/sda > /tmp/sda-md5sum.txt
    md5sum /dev/sdb > /tmp/sdb-md5sum.txt
5. create dd-images for all devices such as
    dd if=/dev/sda of=/somewhere/sda.dd bs=1M conv=notrunc,noerror
    dd if=/dev/sdb of=/somewhere/sdb.dd bs=1M conv=notrunc,noerror
6. create md5sums for all disk images such as
    md5sum /somewhere/sda.dd > /somewhere/sda.md5
    md5sum /somewhere/sdb.dd > /somewhere/sdb.md5
7. power off Linux LiveCD
8. compress all required files including:
9. move all files to the ESXi host that will be used in court
10. create new directory on target host
11. create empty new vmdks according to the descriptor files you collected on the source
12. build new VM using original vmx-file
13. boot new VM into Linux LiveCD and populate the new vmdks with the original content using dd again.
    dd of=/dev/sda if=/somewhere/sda.dd bs=1M conv=notrunc,noerror
    dd of=/dev/sdb if=/somewhere/sdb.dd bs=1M conv=notrunc,noerror
14. create new checksums for each device and compare them with the checksums from the source
15. if the checksums match - you can assume your clone is forensically sound.
As you may see, the amount of work is impressive ...
If there is any known and established shortcut for this procedure - please let me know.
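
Steps 4-6 and 13-14 of the procedure above, written as checked shell functions for the LiveCD session; this is an added example, not part of the original post. The function names and the argument layout are assumptions, and it goes slightly beyond the listed steps by hashing the source a second time after imaging and by hashing only the image-length prefix of the restore target, so a target disk that is larger than the image still compares correctly.

```shell
#!/bin/sh
# Added example (not from the original post). Uses md5sum and the dd options
# shown in the procedure; all paths are passed in as arguments.

# Print only the MD5 digest of a file or block device.
md5_of() {
    sum=$(md5sum "$1") || return 1
    printf '%s\n' "${sum%% *}"
}

# Print the MD5 digest of the first N bytes of DEV: md5_of_prefix DEV N
md5_of_prefix() {
    head -c "$2" "$1" | md5sum | cut -d' ' -f1
}

# acquire SRC IMAGE
# Hash the source, image it, hash the image, hash the source again.
# Succeeds only if all three digests agree (source unchanged, image faithful).
acquire() {
    src=$1; img=$2
    before=$(md5_of "$src") || return 2
    dd if="$src" of="$img" bs=1M conv=notrunc,noerror 2>"$img.dd.log" || return 2
    image=$(md5_of "$img") || return 2
    after=$(md5_of "$src") || return 2
    # Keep the digest next to the image in md5sum's own file format.
    printf '%s  %s\n' "$image" "$img" > "$img.md5"
    [ "$before" = "$image" ] && [ "$before" = "$after" ]
}

# verify_restore IMAGE DST
# Compare the image digest with the digest of the same number of bytes on DST.
verify_restore() {
    size=$(( $(wc -c < "$1") ))
    [ "$(md5_of "$1")" = "$(md5_of_prefix "$2" "$size")" ]
}

# restore IMAGE DST
# Write the image onto the new disk, flush, then verify what was written.
restore() {
    dd if="$1" of="$2" bs=1M conv=notrunc,noerror 2>>"$1.dd.log" || return 2
    sync
    verify_restore "$1" "$2"
}
```

The `.dd.log` file written next to each image keeps dd's record counts and any read errors, which belongs with the checksums in the case notes.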